CyberDefenders: MrRobot

An employee reported that his machine started to act strangely after receiving a suspicious email for a security update. The incident response team captured a couple of memory dumps from the suspected machines for further inspection. Analyze the dumps and help the IR team figure out what happened!

Information

Category Name: MrRobot

Files: c69-Grrcon2015.zip (1.1 GB)

target1/Target1-1dd8701f.vmss – 1 GB
target1/Target1.vmsd – 392 B
target2/target2-6186fe9f.vmss – 1 GB
target2/target2.vmsd – 392 B
pos01/POS-01-c4e8f786.vmss – 1 GB
pos01/POS-01.vmsd – 396 B

My Recommendations

Download it from CyberDefenders and verify the file with sha1sum:

sha1sum /path/to/c69-Grrcon2015.zip

SHA1: b8dab80336c37688f276bfbfac0ac1681398a30d

This is my personal preference: I like being organized and deleting a folder when I’m done with it.

mkdir Documents/CyberDefenders/MrRobot && cd Documents/CyberDefenders/MrRobot

Volatility is all you need to solve this category:

vol.py -h

If this doesn’t work, then install it following these instructions.

Walkthrough

First, we must find the correct volatility profile for the images:

vol.py -f target1/Target1-1dd8701f.vmss imageinfo

Usually, the first suggested profile works; the rest of this walkthrough uses Win7SP1x86_23418.

1. What email address tricked the front desk employee into installing a security update?

Machine: Target1

We can first use the filescan plugin to see whether any OST/PST files are present in the memory dump:

vol.py -f target1/Target1-1dd8701f.vmss --profile=Win7SP1x86_23418 filescan > target1-filescan.txt
cat target1-filescan.txt | grep -F '.ost'

Next, we dump the files and extract their contents:

vol.py -f target1/Target1-1dd8701f.vmss --profile=Win7SP1x86_23418 dumpfiles -D . -n -u -Q 0x000000003ecec2b0,0x000000003fc61be0
mv 'file.None.0x84eed400.Frontdesk@allsafecybersec.com - outlook2.ost.dat' Frontdesk.ost
pffexport -m all -f all Frontdesk.ost
grep -r -i update Frontdesk.ost.export/

Message00001 references an update that must be downloaded; annotated in yellow is the download link. It is a plain http link rather than https, so we can assume it’s malware. To find the sender of the email we can do:

cat 'Frontdesk.ost.export/Root - Mailbox/IPM_SUBTREE/Inbox/Message00001/OutlookHeaders.txt'

Answer: th3wh1t3r0s3@gmail.com

2. What is the filename that was delivered in the email?

Machine: Target1

From the previous question, we saw that the filename is named AnyConnectInstaller.exe.

Answer: AnyConnectInstaller.exe

3. What is the name of the RAT family used by the attacker?

Machine: Target1

AnyConnectInstaller.exe does not show up as a running process, so to dump it we look it up in the filescan output instead:

cat target1-filescan.txt | grep -i AnyConnect

mkdir AnyConn
vol.py -f target1/Target1-1dd8701f.vmss --profile=Win7SP1x86_23418 dumpfiles -D AnyConn -n -u -Q 0x000000003df12dd0,0x000000003df1cf00,0x000000003e0bc5e0,0x000000003e2559b0,0x000000003e2ae8e0,0x000000003ed57968
md5sum AnyConn/*

The first hash is flagged by 61 vendors in VirusTotal. Microsoft flags it as Worm:Win32/Xtrat.B!D:

Xtrat is short for Xtreme Rat.

Answer: XTREMERAT

4. The malware appears to be leveraging process injection. What is the PID of the process that is injected?

Machine: Target1

In VirusTotal, we can see a list of IP addresses contacted by the malware.

We can check whether any of them match established connections in the memory dump, using the netscan plugin:

vol.py -f target1/Target1-1dd8701f.vmss --profile=Win7SP1x86_23418 netscan | grep ESTABLISHED

iexplore.exe is the only process with a matching address:

Answer: 2996

5. What is the unique value the malware is using to maintain persistence after reboot?

Machine: Target1

Evidence of persistence can be found in the registry. First, we need to find the virtual offset of the Software hive:

vol.py -f target1/Target1-1dd8701f.vmss --profile=Win7SP1x86_23418 hivelist

Next, we use the printkey plugin to show the contents of the Run key:

vol.py -f target1/Target1-1dd8701f.vmss --profile=Win7SP1x86_23418 printkey -o 0x8b79d008 -K "Microsoft\Windows\CurrentVersion\Run"

Here, the Run value that launches AnyConnectInstaller.exe is named Mr.Robot. The presence of this value means the malware is run every time a user logs on.

Answer: Mr.Robot

6. ...What is the unique name the malware is using?

Malware often uses a unique value or name to ensure that only one copy runs on the system…
Machine: Target1

Let’s check the handles open for pid 2996:

vol.py -f target1/Target1-1dd8701f.vmss --profile=Win7SP1x86_23418 handles --pid 2996

The mutant handle ‘fsociety0.dat’ matches the challenge’s theme.

Answer: fsociety0.dat

7. It appears that a notorious hacker compromised this box before our current attackers. Name the movie he or she is from.

Machine: Target1

There is not much evidence in the cmdline/consoles/cmdscan plugins. One way to find other accounts that have been on the box is to list the user profile directories from the filescan output:

cat target1-filescan.txt | grep -o 'Users\\[A-Za-z]*' | sort | uniq

Zerocool is the name of a character in the movie Hackers.

Answer: Hackers

8. What is the NTLM password hash for the administrator account?

Machine: Target1

Using the hashdump plugin:

vol.py -f target1/Target1-1dd8701f.vmss --profile=Win7SP1x86_23418 hashdump

Answer: 79402b7671c317877b8b954b3311fa82

9. The attackers appear to have moved over some tools to the compromised front desk host. How many tools did the attacker move?

Machine: Target1

A tool here presumably means anything executable. In the consoles plugin’s output, there was a directory listing of Windows\Temp:

vol.py -f target1/Target1-1dd8701f.vmss --profile=Win7SP1x86_23418 consoles

There are four ‘tools’ in this directory: getlsasrvaddr.exe, nbtscan.exe, wce.exe and Rar.exe.
Because there are also two directories in the Temp folder, I am really not convinced by the answer. Instead, we can check the filescan output for LNK files and Jump Lists, stored as AUTOMATICDESTINATIONS-MS and CUSTOMDESTINATIONS-MS.

cat target1-filescan.txt | egrep '\.lnk|Destinations' | grep frontdesk

All the files returned 😭

I literally dumped ALL of them; instead of wasting time copy-pasting the offsets, I used this one-liner to format them into a comma-separated line which is then passed to the -Q option of dumpfiles:

cat target1-filescan.txt | egrep '\.lnk|Destinations' | grep frontdesk | sed 's/ .*//g' | tr '\n' ','
mkdir links
vol.py -f target1/Target1-1dd8701f.vmss --profile=Win7SP1x86_23418 dumpfiles -D links -u -n -Q [paste offsets from command above]
grep -r -F '\Temp' links/
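The same offset-collection step as a small shell function, added here as an example that is not part of the original post: it reads saved filescan output, applies a pattern, and joins the physical offsets for -Q without the trailing comma that tr leaves behind, failing when nothing matched. The sample filescan rows and their offsets are constructed for the example.

```shell
# Added example (not from the original post): build the comma-separated
# offset list that dumpfiles -Q expects from saved filescan output.
# Unlike a bare `tr '\n' ','`, it drops the trailing comma and fails
# when nothing matched, so a mistyped pattern is not silently turned
# into an empty -Q argument.
#
# usage: filescan_offsets <filescan.txt> <egrep pattern>
filescan_offsets() {
    file=$1
    pattern=$2
    # keep only data rows (they start with the 0x physical offset),
    # apply the caller's filter, then join column 1 with commas
    offsets=$(grep -E '^0x' "$file" | grep -E -- "$pattern" |
        awk '{ printf "%s%s", (NR > 1 ? "," : ""), $1 } END { if (NR) print "" }')
    [ -n "$offsets" ] || { echo "no filescan rows match: $pattern" >&2; return 1; }
    printf '%s\n' "$offsets"
}

# Constructed sample in the Volatility 2 filescan layout; the paths are
# the kinds of entries this walkthrough greps for, the offsets are made up.
SAMPLE_FILESCAN=$(mktemp)
cat > "$SAMPLE_FILESCAN" <<'EOF'
Offset(P)            #Ptr   #Hnd Access Name
------------------ ------ ------ ------ ----
0x000000003e000100      8      0 R--rwd \Device\HarddiskVolume2\Windows\System32\winevt\Logs\Security.evtx
0x000000003e000200      2      0 R--r-- \Device\HarddiskVolume2\Users\frontdesk\AppData\Roaming\Microsoft\Windows\Recent\w.lnk
0x000000003e000300      2      0 R--r-- \Device\HarddiskVolume2\Users\frontdesk\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\918e0ecb43d17e23.automaticDestinations-ms
0x000000003e000400      2      1 R--rwd \Device\HarddiskVolume2\Windows\Temp\nbs.txt
EOF

# LNK files and Jump Lists under the frontdesk profile, ready for
# `vol.py ... dumpfiles -D links -u -n -Q "$(filescan_offsets ...)"`
filescan_offsets "$SAMPLE_FILESCAN" 'frontdesk.*(\.lnk|Destinations)'
```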

Of the four files matching, only w.lnk and 918e0ecb43d17e23.automaticDestinations-ms.dat directly reference a file in the Windows\Temp directory.

Strings – 918e0ecb43d17e23.automaticDestinations-ms.dat

So the lnk/JumpLists do not contain values of interest…

Eventually, I searched for the executable names in Google:

getlsasrvaddr.exe is a helper that finds the addresses Windows Credentials Editor needs to locate credentials in memory.
nbtscan.exe is a NetBIOS scanning tool.
Rar.exe is WinRAR’s command-line archiver.
wce.exe is Windows Credentials Editor.

This is where paying attention to the question is important! The question asked for the number of TOOLS moved. Even though I checked the GitHub repo of Windows Credentials Editor, and it was right under my eyes, I didn’t really put together that wce.exe and getlsasrvaddr.exe belong to the same tool! So in total, three tools were moved.

Answer: 3

10. What is the password for the front desk local administrator account?

Machine: Target1

In the output of the consoles plugin, we can see that Windows Credential Editor (wce.exe) was executed. On WCE’s GitHub page, the option -w means ‘Dump cleartext passwords stored by the digest authentication package’.

Annotated in pink is the cleartext password for the front-desk Admin account:

Answer: flagadmin@1234

11. What is the std create data timestamp for the nbtscan.exe tool?

Machine: Target1

The most precise way to find filesystem metadata is by analyzing the $MFT. With volatility, we can use the mftparser plugin. Then, we just need to grep for the filename:

vol.py -f target1/Target1-1dd8701f.vmss --profile=Win7SP1x86_23418 mftparser > mft.txt
cat mft.txt | head -n 10 #to get the column names
cat mft.txt | grep -F 'nbtscan.exe'

The Standard Creation timestamp is 2015-10-09 10:45:12 UTC+0000.

Answer: 2015-10-09 10:45:12 UTC

12. ...What is the IP address of the first machine in that file?

The attackers appear to have stored the output from the nbtscan.exe tool in a text file on a disk called nbs.txt….
Machine: Target1


Since we have saved the output of the filescan plugin to a file, we can just grep for ‘nbs.txt’ to find its offset and dump the file:

cat target1-filescan.txt | grep -F 'nbs.txt'
vol.py -f target1/Target1-1dd8701f.vmss --profile=Win7SP1x86_23418 dumpfiles -D . -n -u -Q 0x000000003fdb7808
cat file.None.0x83eda598.nbs.txt.dat

The first machine is ALLSAFECYBERSEC\AD01 with IP address 10.1.1.2.

Answer: 10.1.1.2

13. What is the full IP address and port the attacker's malware was using?

Machine: Target1

In Question 4, the malware’s MD5 hash was submitted to VirusTotal, which listed the IPs contacted by the malware. That list was compared with the established connections from the netscan plugin.

The only matching IP was 180.76.254.120, on port 22:

The same IP address hosted the initial malware, ‘AnyConnectInstaller.exe’, which the user was tricked into downloading.

Answer: 180.76.254.120:22

14. What is the name of the running process?

It appears the attacker also installed legit remote administration software….
Machine: Target1

If we use the uninstallinfo plugin, no remote administration software is returned. However, there is evidence of TeamViewer being executed in the cmdline plugin:

vol.py -f target1/Target1-1dd8701f.vmss --profile=Win7SP1x86_23418 cmdline

The use of --action hooks and --IPCport is suspicious. We can check the TeamViewer log file for more information:

cat target1-filescan.txt | grep -F 'TeamViewer10_Logfile.log'
mkdir tvlog
vol.py -f target1/Target1-1dd8701f.vmss --profile=Win7SP1x86_23418 dumpfiles -D tvlog -n -u -Q 0x000000003fa2e2d8,0x000000003fa564e0,0x000000003fc9b038,0x000000003fd5bbb8
cat tvlog/*

We can see a connection to the Attacker’s IP address!

On top of that, TeamViewer.exe is returned by the malfind plugin:

vol.py -f target1/Target1-1dd8701f.vmss --profile=Win7SP1x86_23418 malfind | grep Pid

Answer: TeamViewer.exe

15. ...What IP address did they connect to?

It appears the attackers also used a built-in remote access method….
Machine: Target1

The last result from cmdline, after the TeamViewer commands, is for mstsc.exe, which is a built-in remote access method:

vol.py -f target1/Target1-1dd8701f.vmss --profile=Win7SP1x86_23418 cmdline


If we look at the netscan plugin for established connections, the attackers connected to 10.1.1.21:

To find more information about these connections, we could dump the Security.evtx log and look for event ID 4624 (successful logon):

#Example
cat target1-filescan.txt | grep -F 'Security.evtx'
vol.py -f target1/Target1-1dd8701f.vmss --profile=Win7SP1x86_23418 dumpfiles -n -D SecEvents -u -Q 0x000000003e3924e8
python3 events2db.py SecEvents events.db

Filtering the table for this IP address, there are 30 connection records:

Answer: 10.1.1.21

16. ..What is Gideon's password?

It appears the attacker moved laterally from the front desk machine to the security admin’s (Gideon) machine and dumped the passwords….
Machine: Target2

Using the cmdscan plugin:

vol.py -f target2/target2-6186fe9f.vmss --profile=Win7SP1x86_23418 cmdscan

The attacker used Windows Credential Editor with the -w flag again, but piped the output to the file ‘w.tmp’. We can retrieve it by using the filescan and dumpfiles plugins:

vol.py -f target2/target2-6186fe9f.vmss --profile=Win7SP1x86_23418 filescan > target2-filescan.txt
cat target2-filescan.txt | grep -F 'w.tmp'
vol.py -f target2/target2-6186fe9f.vmss --profile=Win7SP1x86_23418 dumpfiles -n -u -D . -Q 0x000000003fcf2798
cat file.None.0x85a35da0.w.tmp.dat

Answer: t76fRJhS

17. ...What password did they use?

Once the attacker gained access to “Gideon,” they pivoted to the AllSafeCyberSec domain controller to steal files. It appears they were successful.
Machine: Target2

Previously, we found that the attackers stored the output of nbtscan.exe into a file named nbs.txt. This revealed that the IP Address of the Domain Controller is 10.1.1.2.

In the output of Target2’s console, we can see that the attackers logged into the DC (annotated in yellow) and compressed all text files into a rar archive named ‘crownjewlez.rar’:

The command used was rar a -hp123qwe!@# crownjewlez.rar *.txt.

The switch -hp encrypts both file data and archive headers, and the password is given directly after it, so the password used was 123qwe!@#.

Answer: 123qwe!@#

18. What was the name of the RAR file created by the attackers?

Machine: Target2

As we saw above, the rar file was named crownjewlez.rar.

Answer: crownjewlez.rar

19. How many files did the attacker add to the RAR archive?

Machine: Target2

Since the files were stolen from the DC server, they are not accessible in the MFT or the filescan plugin. Instead, we can dump pid 3048 (which is the PID associated with the creation of the rar archive).

vol.py -f target2/target2-6186fe9f.vmss --profile=Win7SP1x86_23418 memdump --pid 3048 -D .
strings -a -td 3048.dmp > 3048.txt
strings -a -td -el 3048.dmp >> 3048.txt
cat 3048.txt | grep -F 'crownjewlez.rar' -B 5 -A 5


From offset 35357324, we can see some text files that would have been added to the archive. To find all of them, we just need to grep more lines around this offset:

cat 3048.txt | grep "^35357324 " -B 10 -A 20

Only three files occur following this offset. To double-check our findings, we can grep for the directory ‘\crownjewels\’. In the console history, we saw that the attacker cd-ed into that directory and listed its contents (refer to the Question 17 image, cmd 13 and 14).

cat 3048.txt | grep -F '\crownjewels\'

The same three files appear in this directory. We can safely confirm that only three text files were added to the rar archive.

Answer: 3

20. ...What is the name of the file associated with the scheduled task?

The attacker appears to have created a scheduled task on Gideon’s machine...
Machine: Target2

Scheduled Tasks can be found in the Registry and under the \Tasks\ directory:

cat target2-filescan.txt | grep -F '\Tasks\'

The files annotated in yellow are quite suspicious and are associated with malware. We can dump them and examine their contents:

vol.py -f target2/target2-6186fe9f.vmss --profile=Win7SP1x86_23418 dumpfiles -D . -n -u -Q 0x000000003fc399b8,0x000000003fd05bd8
cat file.None.0x85a86af0.At1.dat

The file being executed is 1.bat. Before looking at the file, we

vol.py -f target2/target2-6186fe9f.vmss --profile=Win7SP1x86_23418 hivelist

After finding the offset, we can print the key for At1:

vol.py -f target2/target2-6186fe9f.vmss --profile=Win7SP1x86_23418 printkey -o 0x8b267008 -K "Microsoft\Windows NT\CurrentVersion\Schedule\Taskcache\Tree\At1"

This confirms that the Scheduled Task is up and running. Finally, we can dump the 1.bat file and check its contents:

cat target2-filescan.txt | grep -F '1.bat'
vol.py -f target2/target2-6186fe9f.vmss --profile=Win7SP1x86_23418 dumpfiles -D . -n -u -Q 0x000000003f427e50
cat file.None.0x83faf398.1.bat.dat

The Scheduled Task runs Windows Credential Editor and dumps the plaintext passwords to w.tmp.

Answer: 1.bat

21. What is the malware CNC's server?

Machine: POS

First, we should find which PIDs are returned by the malfind plugin:

vol.py -f pos01/POS-01-c4e8f786.vmss --profile=Win7SP1x86_23418 malfind | grep Pid

Next, we can check the netscan plugin for these PIDs, using egrep:

vol.py -f pos01/POS-01-c4e8f786.vmss --profile=Win7SP1x86_23418 netscan | egrep '1828|2200|3740|1836|2700|3376|2092|3208|3136'

All the IPs are local IPs, except for the connection from iexplore.exe:
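The cross-check done by hand here and in Question 4 (malfind PIDs against netscan, keeping only established connections to non-private peers), as an added shell example that is not from the original post. The malfind and netscan excerpts are constructed: the PIDs and the port on the .92 address are made up, 54.84.237.92 is the address from this question and 203.0.113.9 is a documentation address.

```shell
# Added example (not from the original post): cross-reference the PIDs
# malfind flags with netscan, and keep only ESTABLISHED connections to
# non-private peers. This replaces the hand-built egrep '1828|2200|...'
# and the manual "all local except one" inspection.
#
# usage: remote_peers_of_injected <malfind.txt> <netscan.txt>
remote_peers_of_injected() {
    awk '
        # first file: collect "Process: <name> Pid: <n> Address: ..." PIDs
        FILENAME == ARGV[1] { if ($1 == "Process:" && $3 == "Pid:") pids[$4] = 1; next }
        # second file: ESTABLISHED rows whose Pid column was flagged
        $5 == "ESTABLISHED" && ($6 in pids) {
            ip = $4; sub(/:[0-9]+$/, "", ip)       # strip the port
            # loopback and RFC 1918 ranges are local traffic, not C2
            if (ip ~ /^127\./ || ip ~ /^10\./ || ip ~ /^192\.168\./ ||
                ip ~ /^172\.(1[6-9]|2[0-9]|3[01])\./) next
            print $6, $7, $4                        # pid owner foreign
        }
    ' "$1" "$2"
}

# Constructed excerpts in the Volatility 2 malfind / netscan layout.
# PIDs and the .92:80 port are made up; 54.84.237.92 is the address
# from this question, 203.0.113.9 is a documentation address.
SAMPLE_MALFIND=$(mktemp)
cat > "$SAMPLE_MALFIND" <<'EOF'
Process: explorer.exe Pid: 1111 Address: 0x3bd0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Process: iexplore.exe Pid: 2222 Address: 0x80000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
EOF
SAMPLE_NETSCAN=$(mktemp)
cat > "$SAMPLE_NETSCAN" <<'EOF'
Offset(P)  Proto  Local Address     Foreign Address     State        Pid   Owner
0x3e0a1b00 TCPv4  10.1.1.30:49201   10.1.1.2:445        ESTABLISHED  1111  explorer.exe
0x3e0a1c00 TCPv4  10.1.1.30:49210   54.84.237.92:80     ESTABLISHED  2222  iexplore.exe
0x3e0a1d00 TCPv4  10.1.1.30:49211   203.0.113.9:443     ESTABLISHED  3333  svchost.exe
0x3e0a1e00 UDPv4  0.0.0.0:5355      *:*                              1111  explorer.exe
0x3e0a1f00 TCPv4  127.0.0.1:49212   127.0.0.1:49213     ESTABLISHED  2222  iexplore.exe
EOF

# Real use: save `vol.py ... malfind` and `vol.py ... netscan` to files first
remote_peers_of_injected "$SAMPLE_MALFIND" "$SAMPLE_NETSCAN"
```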

We can do a quick strings search for this IP address and see if it comes up again:

strings pos01/POS-01-c4e8f786.vmss | grep -F '54.84.237.92' -B 10 -A 10

The first match is enough to confirm that it is the attacker’s C2 server. The attack follows the same pattern as on the other machines.

Answer: 54.84.237.92

22. What is the common name of the malware used to infect the POS system?

Machine: POS

In the previous question, we found that the malware was very likely distributed through an email. We can find the file’s offset using the filescan plugin, dump it and then check its MD5 hash in VirusTotal:

vol.py -f pos01/POS-01-c4e8f786.vmss --profile=Win7SP1x86_23418 filescan > pos01-filescan.txt
cat pos01-filescan.txt | grep -F 'allsafe_update'
vol.py -f pos01/POS-01-c4e8f786.vmss --profile=Win7SP1x86_23418 dumpfiles -D . -n -u -Q 0x000000003e7ab038
md5sum 'file.None.0x8559cf78.allsafe_update[1].exe.dat'
#returns 99349d277cc5bcb138f4239151fb8370

Microsoft flags the file as ‘PWS:Win32/Dexter.A’, commonly known as Dexter:

Answer: Dexter

23. In the POS malware whitelist, what application was specific to Allsafecybersec?

Machine: POS

We can analyze the dumped executable to see how it operates:

peframe 'file.None.0x8559cf78.allsafe_update[1].exe.dat'

Here is a list of files present in the executable:

There is only one potential match to Allsafecybersec – allsafe_protector.exe.

Answer: allsafe_protector.exe

24. What is the name of the file the malware was initially launched from?

Machine: POS

We previously identified that the initial malware was ‘allsafe_update.exe’. The executable was found at:
\Device\HarddiskVolume2\Users\pos\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\NEQ2CLDX.

It was suggested that it was delivered through a link to the C2 server. We can use the iehistory plugin for more information:

vol.py -f pos01/POS-01-c4e8f786.vmss --profile=Win7SP1x86_23418 iehistory

There is more than one record of this link.

Answer: allsafe_update.exe

TLDR

– Malicious email attachments lead to a machine being infected.
– All memory dumps can be analyzed with Volatility 2.
– The consoles plugin shows data exfiltration attempts, and the attackers used wce.exe to dump credentials.
– The attackers also maintained persistence through Scheduled Tasks.
