MrRobot Lab

Scenario

An employee reported that his machine started to act strangely after receiving a suspicious email for a security update. The incident response team captured a couple of memory dumps from the suspected machines for further inspection. Analyze the dumps and help the SOC analysts team figure out what happened!

Tools

• Volatility 2

• strings

Questions

Q1: Machine:Target1 What email address tricked the front desk employee into installing a security update?

Starting with the Target1 machine, imageinfo plugin is used to determine the profile to be used for Volatility 2.

When the profile is determined, pstree is run to get an overview of the processes running on the Target1 machine.

Question 1 indicates that the user has been tricked into installing a security update via email. Within a running processes, there is OUTLOOK.exe with PID 3196. To find out more about the user activity in connection to this process, memdump plugin can be used to dump the memory of the specified process.

With the memory of the OUTLOOK.exe dumped, we can further analyze it by running strings against the dumped file.

The answer to question 1 can be found by looking for From: string within the outputted text file as this will point to the emails that have been accessed during the runtime of the dumped process.

Answer

th3wh1t3r0s3@gmail[.]com

Q2: Machine:Target1 What is the filename that was delivered in the email?

While analyzing the text file outputted by strings, additional information about the email can be found.

Answer

AnyConnectInstaller.exe

Q3: Machine:Target1 What is the name of the rat's family used by the attacker?

Malicious file name has been already found in the email - AnyConnectInstaller.exe. To find the RAT family this malware belongs to, we need to dump the file and calculate the hash so we can find further information about it online.

To do this, we will first use filescan plugin to find the malicious file and its physical offset value. By default, this plugin would scan for all files in the memory image, but as we already know the file name we are looking for, we can use Select-String (PowerShell alternative to grep) to display only lines containing the specified value.

We can see that there are multiple occurrences of this file name in the memory. The interesting ones are the files present in the Downloads folder of the frontdesk user. We can save the offset values of these files and move on to dumping these files to our local system. For that purpose, we will use dumpfiles plugin where we specify the physical offset value of the file by using -Q option and output directory with -D option.

After dumping this file, Windows Defender notification regarding the detected threat has showed up. This is the indicator that the dumped file is the malware we are looking for. As we are working in the isolated virtualized environment, Windows Defender's Real-time protection can be disabled, so we are able to get the hash of the dumped malware.

A quick lookup on VirusTotal is needed to find the RAT family this malware belongs to.

Answer

XtremeRAT

Q4: Machine:Target1 The malware appears to be leveraging process injection. What is the PID of the process that is injected?

The Behavior section on VirusTotal mentions the processes this malware injects - the first one being iexplore.exe which was also observed in the running processes.

To verify this, hollowfind plugin can be leveraged, but as standalone executable version of Volatility 2 does not contain this plugin, I switched to SIFT machine to run it.

We can verify if the given process is indeed malicious by dumping the process with procdump plugin, calculating the hash of the dumped file and looking it up on VirusTotal.

And we can see that according to VirusTotal, the process is indeed malicious.

Answer

2996

Q5: Machine:Target1 What is the unique value the malware is using to maintain persistence after reboot?

This question can be answered by further analysis of information provided by VirusTotal. In the MITRE ATT&CK Tactics and Techniques section, it is mentioned that the malware uses Registry Run Keys/Startup Folder for persistence. If we look at what registry keys are being set by the malware, we can observe that the first registry key on the list runs the AnyConnectInstaller.exe.

This can be also verified by running the printkey plugin and specifying the Run keys via -K option.

Answer

MrRobot

Q6: Machine:Target1 Malware often uses a unique value or name to ensure that only one copy runs on the system. What is the unique name the malware is using?

Malware often use mutex in order to run only one instance of malware and stop the potential process of reinfecting the host with the same malware. Plugin handles can be used to provide information about open handles for the specified process. We are able to use -t option to specify that we are looking for mutant object.

Answer

fsociety0.dat

Q7: Machine:Target1 It appears that a notorious hacker compromised this box before our current attackers. Name the movie he or she is from.

To find the user that was used by previous hacker, filescan plugin can be used to list all file names present in the memory. A bit of a PowerShell magic is then needed to output only users (appearing in the file path after \Users\) and get only unique values so we see each user only once. We will therefore pipe the output of filescan plugin to the following PowerShell outlets:

The unknown users for now that also seem interesting are:

• gideon

• zerocool

Quick Google search helps with finding out that zerocool is a character from movie "Hackers".

Answer

Hackers

Q8: Machine:Target1 What is the NTLM password hash for the administrator account?

To find the NTLM password hash of the users, we can use hashdump plugin. This plugin requires virtual offset values of SYSTEM and SAM hives. To get these offsets, hivelist plugin can be used.

With virtual offset values for SYSTEM and SAM hives noted, we can move on to run hashdump and provide these required offsets.

Answer

79402b7671c317877b8b954b3311fa82

Q9: Machine:Target1 The attackers appear to have moved over some tools to the compromised front desk host. How many tools did the attacker move?

For this question, technique from Q7 can be reused where we use filescan to list all the files in the memory and use some PowerShell magic to only look for the files we want. In this scenario, attacker could use multiple directories where to store tools, but after some time, I have found that the directory is Windows\Temp\. Using the same technique as in Q7 we are able to only output unique file names present in this directory:

We have found 4 executables present in the Windows\Temp\ directory. However, answer 4 seems to be incorrect. Quick lookup of these executables will tell us that WCE (Windows Credential Editor) is a credential-dumping tool that contains two out of four executables in this directory:

• wce.exe

• getlsasrvaddr.exe

Question is asking how many tools (not how many executables) did the attacker move.

Answer

3

Q10: Machine:Target1 What is the password for the front desk local administrator account?

The password for the local administrator account can be found by using online hash lookup services like Hashes.com as we have already retrieved the NTLM hash in Q8.

Answer

flagadmin@1234

Q11: Machine:Target1 What is the std create data timestamp for the nbtscan.exe tool?

To find the creation timestamp for nbtscan.exe, MFT records need to be analyzed. To do so, mftparser plugin can be used to parse the MFT records into the specified output file. I have chosen to output the MFT records in the text format into specified text file using --output and --output-file options.

After the parsing of the MFT is done, we just need to access the specified output file and look for nbtscan.exe.

Answer

2015-10-09 10:45:12 UTC

Q12: Machine:Target1 The attackers appear to have stored the output from the nbtscan.exe tool in a text file on a disk called nbs.txt. What is the IP address of the first machine in that file?

To answer this question, nbs.txt that was previously found in Windows\Temp\ directory needs to be dumped and analyzed. To do so, we need to follow the same process as in Q3 using filescan and dumpfiles plugin.

The only thing left to do is then analyze the dumped file to find the IP address of the first machine.

Answer

10.1.1.2

Q13: Machine:Target1 What is the full IP address and the port was the attacker's malware using?

Plugin plugin netscancan be used to scan for connections and sockets. We have previously identified that the malware has injected process iexplore.exe with PID 2996. We can look for connections initiated by this process to find the IP address and port used by the malware.

Answer

180.76.254.120:22

Q14: Machine:Target1 It appears the attacker also installed legit remote administration software. What is the name of the running process?

In Q1, we have listed the running processes using pstree where we can also see that well-known remote administration software is running on the device.

Answer

TeamViewer.exe

Q15: Machine:Target1 It appears the attackers also used a built-in remote access method. What IP address did they connect to?

We can see that within running processes, there is one called mstsc.exe which is an executable file for Microsoft's Remote Desktop Connection tool. To find what IP address the attacker connected to, we need to grab the PID of mstsc.exe and look up network connections initiated by this process. We can find these network connections by using netscan plugin.

Answer

10.1.1.21

Q16: Machine:Target2 It appears the attacker moved latterly from the front desk machine to the security admins (Gideon) machine and dumped the passwords. What is Gideon's password?

We are moving on to the next system (Target2), so initially we need to find the suitable profile to use with volatility by running imageinfo plugin against the memory image file. When the right profile is found, we can start analyzing the memory dump.

As first, I have looked for the Gideon's password by following the same process as in Q8 where I located the virtual offset addresses of SYSTEM and SAM hives and used hashdump plugin to dump the password hashes of the users.

And even though I was able to look up the NTLM hash of the gideon's password online, it was not the correct answer for this question. Hints within this question point to the usage of consoles plugin which extracts and displays history of executed commands. This way, we are able to observe attacker's behavior on the system.

From the commands executed on the system, we can quickly spot the attacker's credential-dumping tool that we have previously seen on Target1 machine - wce.exe. The output from running of this executable has been saved to the file w.tmp which we can search for using filescan and dump it with dumpfiles, so we are able to analyze its content.

When file gets dumped, we can open it with text editor of our choice in order to analyze the content (output of the wce.exe -w command).

Answer

t76fRJhS

Q17: Machine:Target2 Once the attacker gained access to "Gideon," they pivoted to the AllSafeCyberSec domain controller to steal files. It appears they were successful. What password did they use?

This can be answered by analyzing the output of the consoles plugin from Q16. We can see that in the command number 16, the attacker has used rar command to archive all the text files on the Z:\ drive to crownjewlez.rar and encrypts the archive with password by specifying the -hp option.

Answer

123qwe!@#

Q18: Machine:Target2 What was the name of the RAR file created by the attackers?

This information is answered in Q17.

Answer

crownjewlez.rar

Q19: Machine:Target2 How many files did the attacker add to the RAR archive?

From the output of the consoles plugin from the previous questions, it is possible to find the process and its PID related to the commands executed by the attacker.

To find additional information about this process, we need to dump its memory by using memdump plugin as previously used in Q1. When the memory of the process gets dumped to the file, we can analyze it with strings and look for the name of the RAR archive - crownjewlez.rar.

Answer

3

Q20: Machine:Target2 The attacker appears to have created a scheduled task on Gideon's machine. What is the name of the file associated with the scheduled task?

To find the scheduled task present on the system, we need to look for files present in the C:\Windows\System32\Tasks directory. We can do this by running filescan plugin together with Select-String outlet to only look for the file path relevant for us:

When running this plugin, we get many hits for the files present in subdirectories within the Tasks folder. However, only one file is present directly in the Tasks directory.

This is the name of the scheduled task present on the system, but questions is asking about the executable associated with this scheduled task. To find this, we need to dump this file and analyze it in the text editor of our choice. We can use dumpfiles plugin and providing the physical address of the file specified with -Q option. When dumped, we can read the content of the file via text editor.

Answer

1.bat

Q21: Machine:POS What is the malware CNC's server?

As first, we can use malfind plugin to find the injected code in the processes. When correlating these processes with netscan plugin we are able to find that iexplore.exe process is connecting to the C2 server on port 80.

Answer

54.84.237.92

Q22: Machine:POS What is the common name of the malware used to infect the POS system?

To extract the malware, we can use the malfind plugin from the previous question and use -p option to specify PID and -D option to specify output directory.

Then we can calculate the hash of the dumped file and look it up in VirusTotal where we are able to find the name of the malware.

Answer

Dexter

Q23: Machine:POS In the POS malware whitelist. What application was specific to Allsafecybersec?

To find this whitelisted application, we can use already dumped process from Q22 and run strings against this file. We can then look for .exe files within the output of the strings while considering that answer field indicates that the file contains underscore character.

Answer

allsafe_protector.exe

Q24: Machine:POS What is the name of the file the malware was initially launched from?

The hints provided for this question indicates that we should look for the initial file name of the malware when accessed via web browser. This can be analyzed by using iehistory plugin which reconstructs and displays history of Internet Explorer.

Answer

allsafe_update.exe