
Information
Category Name: TeamSpy
Files : c74-TeamSpy.zip 1.4 GB
ecorpoffice/win7ecorpoffice2010-36b02ed3.vmem 2.0 GB
ecorpoffice/win7ecorpoffice2010-36b02ed3.vmss 1.6MB
ecorpwin7/ecorpwin7-e73257c4.vmem 2.0 GB
ecorpwin7/ecorpwin7-e73257c4.vmss 1.5 MB
My Recommendations
Download it from CyberDefenders and verify the file with sha1sum:
sha1sum /path/to/c74-TeamSpy.zip
SHA1: 1bc677daf51be254c8bfb9085f7375bbf1ee8e3b
This is my personal preference: I like being organized and deleting a folder when I’m done with it.
mkdir Documents/CyberDefenders/TeamSpy && cd Documents/CyberDefenders/TeamSpy
Volatility is all you need to solve this category:
vol.py -h
If this doesn’t work, then install it following these instructions.
Walkthrough
First, we must find the correct Volatility profile for the images:
vol.py -f ecorpoffice/win7ecorpoffice2010-36b02ed3.vmem imageinfo
Usually, the first one works:
1. What is the PID the malicious file is running under?
File: ecorpoffice
Identifying the PIDs returned by the malfind plugin:
vol.py -f ecorpoffice/win7ecorpoffice2010-36b02ed3.vmem --profile=Win7SP1x64 malfind | grep Pid
Process SkypeC2AutoUpd is suspicious, as it is not a default executable. Googling it confirms it is a Trojan downloader. We can dump its executable and check the hash in VirusTotal:
vol.py -f ecorpoffice/win7ecorpoffice2010-36b02ed3.vmem --profile=Win7SP1x64 procdump -D . --pid 1364
md5sum executable.1364.exe
#returns 6ecd2ed83b0bc2eea7c7a75d06a610b6
Not much going on in VirusTotal for this hash. We can look at the handles for the PID and filter for the Mutant type:
vol.py -f ecorpoffice/win7ecorpoffice2010-36b02ed3.vmem --profile=Win7SP1x64 handles --pid 1364 | grep Mutant
A little Googling brings me to this article, which mentions MSCTF.Asm.MutexDefault1. But that’s not enough to draw a conclusion.
In the environment variables, PSExecutionPolicyPreference is set to Bypass. This PID is the only one that even has the variable, which makes it sus AF.
vol.py -f ecorpoffice/win7ecorpoffice2010-36b02ed3.vmem --profile=Win7SP1x64 envars --pid 1364
Answer: 1364
2. What is the C2 server IP address?
File: ecorpoffice
Using the networkpackets plugin, we can dump the packets to a pcap file to visualize the data better:
mkdir packets
vol.py -f ecorpoffice/win7ecorpoffice2010-36b02ed3.vmem --profile=Win7SP1x64 networkpackets -D packets
The IP address with the most packets is 54.174.131.235, with a total of 193 packets.
The same IP came up associated with PID 1364 in the NetStat plugin:
Looking at the dumped pcap, despite the packets being somewhat incomplete, the conversation is kind of sus:
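Counting packets per IP, as the write-up does in Wireshark, can also be done with a few lines of standard-library Python once the networkpackets plugin has produced a classic pcap. The following is an added example, not code from the write-up or from Volatility: it parses the pcap record headers and the IPv4 header by hand (Ethernet and raw-IP link types only, no pcapng) and tallies source and destination addresses. The pcap bytes are constructed inline so the example runs offline; the addresses in it are documentation ranges, not values from the challenge.

```python
import struct
from collections import Counter

# --- constructed sample pcap (not data from the challenge images) -------------
def _pcap_global_header() -> bytes:
    # magic, version 2.4, thiszone, sigfigs, snaplen, linktype 1 (Ethernet)
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)

def _ipv4_frame(src: str, dst: str, proto: int = 6, payload: bytes = b"") -> bytes:
    eth = b"\x00" * 12 + b"\x08\x00"  # dst MAC, src MAC, EtherType IPv4
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0,  # checksum left zero; the parser does not verify it
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip_hdr + payload

def _pcap_record(frame: bytes) -> bytes:
    # ts_sec, ts_usec, incl_len, orig_len
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

SAMPLE_PCAP = _pcap_global_header() + b"".join(_pcap_record(f) for f in [
    _ipv4_frame("10.0.0.5", "203.0.113.9"),
    _ipv4_frame("203.0.113.9", "10.0.0.5"),
    _ipv4_frame("10.0.0.5", "203.0.113.9"),
    _ipv4_frame("10.0.0.5", "198.51.100.7"),
])

# --- parser ------------------------------------------------------------------
def iter_pcap_frames(data: bytes):
    """Yield (linktype, frame_bytes) for every record in a classic pcap file."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    pos = 24
    while pos + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[pos:pos + 16])
        pos += 16
        yield linktype, data[pos:pos + incl_len]
        pos += incl_len

def count_ipv4_endpoints(data: bytes) -> Counter:
    """Count how often each IPv4 address appears as source or destination."""
    counts = Counter()
    for linktype, frame in iter_pcap_frames(data):
        if linktype == 1:  # LINKTYPE_ETHERNET
            if len(frame) < 14 or frame[12:14] != b"\x08\x00":
                continue  # not IPv4 (ARP, IPv6, VLAN-tagged, ...)
            ip = frame[14:]
        elif linktype == 101:  # LINKTYPE_RAW: IP header starts immediately
            ip = frame
        else:
            continue
        if len(ip) < 20 or ip[0] >> 4 != 4:
            continue  # truncated capture or not an IPv4 header
        counts[".".join(map(str, ip[12:16]))] += 1  # source
        counts[".".join(map(str, ip[16:20]))] += 1  # destination
    return counts

if __name__ == "__main__":
    for addr, n in count_ipv4_endpoints(SAMPLE_PCAP).most_common():
        print(f"{n:6d}  {addr}")
```

Run against a real dump with `count_ipv4_endpoints(open("packets/packets.pcap", "rb").read())`; the address at the top of the list is the one to cross-check against the process's sockets, as the write-up does with the netscan output for PID 1364.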
Answer: 54.174.131.235
3. What is the Teamviewer version abused by the malicious file?
File: ecorpoffice
I had to use Write-Ups for the original GrrCon 2016 CTF to solve this one 🙁 because the pcap was not provided.
strings ecorpoffice/win7ecorpoffice2010-36b02ed3.vmem | grep -F '54.174.131.235'
Apparently, the TeamViewer version being abused is 0.2.2.2:
Answer: 0.2.2.2
4. What password did the malicious file use to enable remote access to the system?
File: ecorpoffice
Use the editbox plugin, which shows the contents of the edit controls of Win32 applications:
vol.py -f ecorpoffice/win7ecorpoffice2010-36b02ed3.vmem --profile=Win7SP1x64 editbox
Answer: P59fS93m
5. What was the sender's email address that delivered the phishing email?
File: ecorpoffice
The challenge’s scenario specifies that an email with a document caused some issues on the machine. To quickly find the potential attachment, we can follow these steps:
– use the filescan plugin and pipe the output to a file (useful for future reference)
– grep filescan file for pst and ost extensions
– dump files with pst/ost extension to output directory
– rename dumped files for cleaner output
– run pffexport on all dumped files
– find .doc file in output directory
vol.py -f ecorpoffice/win7ecorpoffice2010-36b02ed3.vmem --profile=Win7SP1x64 filescan > ecorp-filescan.txt
cat ecorp-filescan.txt | grep -F '.pst'
#returns 9 entries
cat ecorp-filescan.txt | grep -F '.ost'
#returns no entries
mkdir pst_files
vol.py -f ecorpoffice/win7ecorpoffice2010-36b02ed3.vmem --profile=Win7SP1x64 dumpfiles -n -u -r pst$ -D pst_files
#rename files manually for cleaner output
cd pst_files
find . -type f -exec pffexport -m all -f all "{}" \;
find . -type f -name "*.doc"
Now that we have found the file, we need to understand how the malware operates. I suggest copying the files into a separate folder:
mkdir malicious_doc
find . -type f -name "*.doc" ! -size 0 -exec cp "{}" malicious_doc/ \;
We saw that the file was delivered as an attachment to phillip.price’s mailbox. The attachment belonged to Message00011. We can look at the email headers to find the sender:
cat 'file.2692.0xfffffa80042dcf10.phillip.price@e-corp.biz.pst.dat.export/Top of Outlook data file/Inbox/Message00011/OutlookHeaders.txt'
Answer: karenmiles@t-online.de
6. What is the MD5 hash of the malicious document?
File: ecorpoffice
We already dumped and identified the malicious file:
md5sum malicious_doc/1_bank_statement_088452.doc
#returns c2dbf24a0dc7276a71dd0824647535c9
Answer: c2dbf24a0dc7276a71dd0824647535c9
7. What is the bitcoin wallet address that ransomware was demanded?
File: ecorpoffice
Back to the OG working Directory:
grep -r -i bitcoin pst_files
We can look at the contents of Message00002/Message.txt for the full email:
The ransomware group, Armada Collective, is threatening to DDoS the servers if 5 BTC aren’t sent.
Answer: 25UMDkGKBe484WSj5Qd8DhK6xkMUzQFydY
8. What is the ID given to the system by the malicious file for remote access?
File: ecorpoffice
Using the editbox plugin again:
vol.py -f ecorpoffice/win7ecorpoffice2010-36b02ed3.vmem --profile=Win7SP1x64 editbox
Answer: 528 812 561
9. What is the IPv4 address the actor last connected to the system with the remote access tool?
File: ecorpoffice
To be honest, the challenge is quite messy, as one of the files from the original CTF is missing. So I am using strings on the whole dump and grepping for teamviewer and matching IP addresses:
strings -a -td ecorpoffice/win7ecorpoffice2010-36b02ed3.vmem > ecorpoffice/win7ecorpoffice2010-36b02ed3.vmem.txt
strings -a -td -el ecorpoffice/win7ecorpoffice2010-36b02ed3.vmem >> ecorpoffice/win7ecorpoffice2010-36b02ed3.vmem.txt
cat ecorpoffice/*.txt | grep -i -F 'teamviewer' -B 10 -A 20 | grep -o -E "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | sort | uniq -c
The regex also matches version strings, not just IPs. We can clean that up with:
cat ecorpoffice/*.txt | grep -i -F 'teamviewer' -B 10 -A 20 | grep -o -E "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | sort | uniq -c | sed '/\.0\.0/d' | sed '/\.1\.1/d'
This gives us the following IPs, if we ignore the unmatched ‘versions’:
We can then grep for each IP address in the textfile:
cat ecorpoffice/*.txt | grep -i -F 'teamviewer' -B 10 -A 20 | grep -F '108.168.236.114' -B 10 -A 10
Thank god for that, because the output shows that grep caught a sort of list of IPs, which I suspect is an IP routing table. Most likely they don’t match what we are looking for, which helps us filter the query. On top of that, we can remove ‘known’ IPs, such as the machine’s IP and the C2 server.
#the filtered list is
#31.6.13.155
#75.70.165.88
cat ecorpoffice/*.txt | grep -i -F 'teamviewer' -B 10 -A 20 | grep -E '31\.6\.13\.155|75\.70\.165\.88' -B 10 -A 10
The IP address 75.70.165.88 is found in a URL, which doesn’t seem to have any link to TeamViewer:
IP 31.6.13.155 has a fairly direct reference to teamviewer.com:
We can validate the IP by looking for it in the text file:
cat ecorpoffice/*.txt | grep -F '31.6.13.155' -B 10 -A 10
Here it appears next to the password used to enable remote login:
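The grep/sed pipeline above has two weak spots: the regex accepts octets above 255, and the `.0.0`/`.1.1` filter only catches some version strings. The following added example (my own code, not part of the write-up) does the same windowed search around a keyword in Python, but validates each candidate with the `ipaddress` module so that version-like strings such as 0.2.2.2, the machine's private address and invalid quads are dropped, and lets you pass a set of already-known addresses (the C2 server, the host) to exclude. A version string that happens to look like a public address would still pass, so the output is a shortlist to check manually, exactly as the write-up does. The log text is constructed inline; only the public IPs already mentioned in this write-up appear in it.

```python
import ipaddress
import re
from collections import Counter

# Dotted-quad candidates; the lookarounds stop "1.2.3.4.5" or "v1.2.3.4x" from matching.
IPV4_RE = re.compile(r"(?<![\w.])((?:\d{1,3}\.){3}\d{1,3})(?![\w.])")

def is_global_ipv4(candidate: str) -> bool:
    """True only for a syntactically valid, publicly routable IPv4 address.
    0.x.x.x (typical version numbers), RFC1918, loopback and link-local are rejected."""
    try:
        return ipaddress.IPv4Address(candidate).is_global
    except ValueError:          # an octet over 255, e.g. 999.1.1.1
        return False

def ips_near_keyword(text: str, keyword: str, before: int = 10, after: int = 20,
                     known=()) -> Counter:
    """Equivalent of `grep -i -F keyword -B before -A after | grep -o <ipv4>`,
    returning a Counter of plausible public IPs with the known ones removed."""
    lines = text.splitlines()
    hits = [i for i, line in enumerate(lines) if keyword.lower() in line.lower()]
    selected = set()
    for i in hits:  # union of all context windows, so overlapping windows count once
        selected.update(range(max(0, i - before), min(len(lines), i + after + 1)))
    counts = Counter()
    for i in sorted(selected):
        for cand in IPV4_RE.findall(lines[i]):
            if is_global_ipv4(cand) and cand not in known:
                counts[cand] += 1
    return counts

# Constructed strings output (not from the challenge image); line numbers in comments.
SAMPLE_TEXT = """\
unrelated line mentioning 93.184.216.34
TeamViewer version 0.2.2.2 starting
route 108.168.236.114 via 192.168.56.1 dev eth0
beacon to 54.174.131.235:443
GET http://75.70.165.88/update.php
teamviewer.com 31.6.13.155 bogus 999.1.1.1
end of constructed log
"""

if __name__ == "__main__":
    shortlist = ips_near_keyword(SAMPLE_TEXT, "teamviewer", known={"54.174.131.235"})
    for addr, n in shortlist.most_common():
        print(f"{n:6d}  {addr}")
```

For the real case, feed it the concatenated strings output (`open("ecorpoffice/win7ecorpoffice2010-36b02ed3.vmem.txt").read()`) and put the host's own address and the C2 address in `known`; every address that survives still deserves the manual context check the write-up performs with the second grep.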
Answer: 31.6.13.155
10. What Public Function in the word document returns the full command string that is eventually run on the system?
File: ecorpoffice
Using olevba:
olevba pst_files/malicious_doc/1_bank_statement_088452.doc --decode --reveal
Answer: UsoJar
11. What is the MD5 hash of the malicious document?
File: ecorpwin7
The challenge description states that the machine started acting up after receiving email attachments. We can follow the same process as before and dump the PST files:
rm -rf pst_files && mkdir pst_files
vol.py -f ecorpwin7/ecorpwin7-e73257c4.vmem --profile=Win7SP1x64 dumpfiles -r pst$ -u -n -D pst_files
cd pst_files
find . -type f -exec readpst -m -tea "{}" \;
grep -r 'filename=' *
Here are the matches returned:
Now we can use this one-liner to extract and decode the file:
cat scott.knowles@e-corp.biz1/Inbox/10.eml | grep 'filename=' -A 2000 | sed '/iamunique/d' | sed '/filename=/d' | sed '/^$/d' | base64 -d > rtf_file.rtf
But it doesn’t work: the attachment is unfortunately corrupt, since it contains so many GGG strings. Instead, we can use the good old filescan/dumpfiles method:
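The sed/base64 one-liner above depends on the exact layout of that one message and, when the body is corrupt, still decodes silently to garbage. As an added example (not from the write-up), the standard library's email parser does the MIME walk and base64 decoding for any .eml, and a magic-byte check tells you immediately whether the decoded blob is really the RTF or Office document the filename claims. The message is constructed inline with EmailMessage so the MIME encoding is correct; the sender, recipient and attachment bytes are placeholders, not values from the challenge.

```python
import email
from email import policy
from email.message import EmailMessage

# Constructed sample message (not the challenge's 10.eml).
def build_sample_eml(attachment: bytes, filename: str) -> bytes:
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attachment.")
    # raw bytes are base64-encoded by the content manager, like a real mail client would
    msg.add_attachment(attachment, maintype="application", subtype="rtf", filename=filename)
    return msg.as_bytes(policy=policy.SMTP)

# Leading bytes of the document types that usually arrive as phishing attachments.
MAGIC = {
    b"{\\rtf": "RTF",
    b"\xd0\xcf\x11\xe0": "OLE2 (legacy .doc/.xls)",
    b"PK\x03\x04": "ZIP / OOXML",
    b"MZ": "PE executable",
}

def file_kind(data: bytes) -> str:
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"  # e.g. a corrupt or truncated base64 body

def extract_attachments(raw: bytes) -> list:
    """Return one dict per attachment: filename, size, detected kind and raw bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)  # undoes base64 / quoted-printable
        found.append({
            "filename": part.get_filename() or "unnamed",
            "size": len(payload),
            "kind": file_kind(payload),
            "data": payload,
        })
    return found

if __name__ == "__main__":
    for att in extract_attachments(build_sample_eml(b"{\\rtf1 constructed}", "sample.rtf")):
        print(att["filename"], att["size"], att["kind"])
        # a 'unknown' kind for a .rtf/.doc name is the cue to fall back to filescan/dumpfiles
```

Point `extract_attachments` at `open("pst_files/.../Inbox/10.eml", "rb").read()` and write `att["data"]` to disk only when `att["kind"]` matches the claimed type; otherwise carve the file from the page cache as the write-up goes on to do.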
vol.py -f ecorpwin7/ecorpwin7-e73257c4.vmem --profile=Win7SP1x64 filescan > filescan.txt
cat filescan.txt | grep -F '.rtf'
mkdir rtf_files
vol.py -f ecorpwin7/ecorpwin7-e73257c4.vmem --profile=Win7SP1x64 dumpfiles -Q 0x000000007d6b33c0,0x000000007d6b3850 -u -n -D rtf_files
This time, the attachment is complete. However, there are trailing zeros at the end of the file, which we can quickly remove with sed:
xxd -p rtf_files/file.None.0xfffffa80040b3260.Important_ECORP_Lawsuit_Washington_Leak.rtf.dat | sed '/000000000000000000000000000000000000000000000000000000000000/d' | sed '/0000000000000000000000000000000000000000000000000000/d' | sed 's/6131376136616631303365316533616437657d7d7d7d0000000000000000/6131376136616631303365316533616437657d7d7d7d/g' | xxd -r -p > Important_ECORP_Lawsuit_Washington_Leak.rtf
md5sum Important_ECORP_Lawsuit_Washington_Leak.rtf
#returns 00e4136876bf4c1069ab9c4fe40ed56f
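The xxd/sed pipeline works, but it is tied to the exact hex lines of this one file. The following is an added example, not code from the write-up: it removes the same two artefacts a dumpfiles carve leaves behind (whole 4 KiB pages that were never backed by file data, and NUL padding after the real end of the file) in Python, then reports how many NUL bytes remain in the middle, since for a text format such as RTF any leftover NUL means the carve still has a hole and the hash will not match the original. The input bytes are constructed inline; the page size is an assumption that matches x86 Windows.

```python
import hashlib

def strip_dump_padding(data: bytes, page_size: int = 4096):
    """Clean a file carved from the page cache.
    Returns (cleaned_bytes, dropped_pages, trailing_nuls, interior_nuls)."""
    kept = []
    dropped_pages = 0
    for off in range(0, len(data), page_size):
        page = data[off:off + page_size]
        if page.count(0) == len(page):   # page entirely NUL: never backed by content
            dropped_pages += 1
            continue
        kept.append(page)
    joined = b"".join(kept)
    cleaned = joined.rstrip(b"\x00")     # padding after the file's real end
    trailing = len(joined) - len(cleaned)
    interior = cleaned.count(0)          # > 0 means the carve still has holes
    return cleaned, dropped_pages, trailing, interior

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

# Constructed carve: one full page of text, one unmapped (all-zero) page,
# then the closing braces of the RTF followed by slack-space padding.
SAMPLE_CARVE = (b"{\\rtf1 " + b"A" * 4089)        # exactly 4096 bytes
SAMPLE_CARVE += b"\x00" * 4096
SAMPLE_CARVE += b"}}}}" + b"\x00" * 4092
EXPECTED_ORIGINAL = b"{\\rtf1 " + b"A" * 4089 + b"}}}}"

if __name__ == "__main__":
    cleaned, dropped, trailing, interior = strip_dump_padding(SAMPLE_CARVE)
    print(f"dropped zero pages: {dropped}, trailing NULs: {trailing}, interior NULs: {interior}")
    print("md5:", md5_hex(cleaned))
```

Apply it to the carved file with `strip_dump_padding(open("rtf_files/<dumped .dat>", "rb").read())`, write the cleaned bytes out, and treat a non-zero `interior` count as a signal to look for the missing pages rather than trusting the hash.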
Answer: 00e4136876bf4c1069ab9c4fe40ed56f
12. What is the common name of the malicious file that gets loaded?
File: ecorpwin7
Object 5 of the RTF file contains shellcode. We can cat the file, copy the hex value, decode it and run it in scdbg:
cat Important_ECORP_Lawsuit_Washington_Leak.rtf
echo -n '#hexstring' | xxd -r -p > obj5
scdbg
It’s not perfect, but the output provides significant information:
The file that gets created is ecorpav.exe. We can dump it using the filescan/dumpfiles combo:
cat filescan.txt | grep ecorpav
vol.py -f ecorpwin7/ecorpwin7-e73257c4.vmem --profile=Win7SP1x64 dumpfiles -Q 0x000000007d6f8070 -u -n -D .
md5sum file.None.0xfffffa80040f8500.ecorpav.exe.dat
#returns 8452de036abce44d531581d4a94b3f7f
In VirusTotal, the file is flagged as KorPlug, among other things. KorPlug is a variant of PlugX:
Answer: PlugX
13. What password does the attacker use to stage the compressed file for exfil?
File: ecorpwin7
I used every plugin and method imaginable to figure out how ecorpav.exe was executed on the machine. One way to find out whether it was renamed is to check the MFT records:
vol.py -f ecorpwin7/ecorpwin7-e73257c4.vmem --profile=Win7SP1x64 mftparser > mft.txt
cat mft.txt | egrep '\.rar|\.zip|\.tar|\.gz'
#most interesting match is ProgramData\reports.rar
Now we can use strings on the memory dump to find occurrences of the filename:
strings -a -td -el ecorpwin7/ecorpwin7-e73257c4.vmem | grep -F 'ProgramData\reports.rar'
And here is the full command; the password used was password1234.
Answer: password1234
14. What is the IP address of the c2 server for the malicious file?
File: ecorpwin7
Using the networkpackets plugin and opening the pcap in Wireshark:
vol.py -f ecorpwin7/ecorpwin7-e73257c4.vmem --profile=Win7SP1x64 networkpackets -D packets
wireshark packets/packets.pcap
Filtering with tcp.srcport == 80:
All 483 packets for port 80 are associated with IP address 52.90.110.169.
Answer: 52.90.110.169
15. What is the email address that sent the phishing email?
File: ecorpwin7
Previously, we found that the attachment was stored in 10.eml.
cat pst_files/scott.knowles@e-corp.biz1/Inbox/10.eml
Answer: lloydchung@allsafecybersec.com
16. What is the name of the deb package the attacker staged to infect the E Coin Servers?
File: ecorpwin7
We can search for ‘.deb’ in the mft file:
cat mft.txt | grep -F '.deb'
This particular line is interesting, because it has the same ‘parent directory’ (av) as the HTTP path in the RTF shellcode:
cat mft.txt | grep -F 'av/linuxav.deb' -B 50
#filename is Users\scott.knowles\Documents\ecoin\ecoin.git\autogen.sh with offset 0x699e3c00
#dumping the file
vol.py -f ecorpwin7/ecorpwin7-e73257c4.vmem --profile=Win7SP1x64 mftparser -D . -o 0x699e3c00
cat file.0x699e3c00.data0.dmp
The file downloads linuxav.deb from the same URL as before.
Answer: linuxav.deb
TLDR
– This is a challenging memory forensics challenge. It’s especially hard since the associated pcap file is not provided (which I found in other write-ups)…
– Volatility 2 is the only tool that will help.