MrRobot Lab

Last updated 2 months ago

Scenario

An employee reported that his machine started to act strangely after receiving a suspicious email for a security update. The incident response team captured a couple of memory dumps from the suspected machines for further inspection. Analyze the dumps and help the SOC analysts team figure out what happened!

Tools

  • Volatility 2

  • strings

Questions

Q1: Machine:Target1 What email address tricked the front desk employee into installing a security update?

Starting with the Target1 machine, the imageinfo plugin is used to determine the profile to pass to Volatility 2.

Once the profile is known, pstree is run to get an overview of the processes running on Target1.

Question 1 indicates that the user was tricked into installing a security update via email. Among the running processes there is OUTLOOK.exe with PID 3196. To learn more about the user activity tied to this process, the memdump plugin can be used to dump the memory of the specified process.

With the memory of OUTLOOK.exe dumped, we can analyze it further by running strings against the dumped file.

The answer to question 1 can be found by searching the resulting text file for the From: string, since this points to the emails that were accessed during the runtime of the dumped process.

Answer

th3wh1t3r0s3@gmail[.]com

Q2: Machine:Target1 What is the filename that was delivered in the email?

While analyzing the text file produced by strings, additional information about the email, including the attachment name, can be found.

Answer

AnyConnectInstaller.exe

Q3: Machine:Target1 What is the name of the rat's family used by the attacker?

The malicious file name has already been found in the email: AnyConnectInstaller.exe. To find the RAT family this malware belongs to, we need to dump the file and calculate its hash so we can look up further information about it online.

To do this, we first use the filescan plugin to find the malicious file and its physical offset. By default this plugin lists every file object in the memory image, but as we already know the file name we are looking for, we can use Select-String (the PowerShell counterpart of grep) to display only the lines containing that value.

We can see that there are multiple occurrences of this file name in memory. The interesting ones are the copies in the Downloads folder of the frontdesk user. We note the offset values of these files and move on to dumping them to the local system. For that purpose we use the dumpfiles plugin, specifying the physical offset of the file with the -Q option and the output directory with the -D option.

After dumping this file, a Windows Defender notification about a detected threat showed up, which is a good indicator that the dumped file is the malware we are looking for. As we are working in an isolated virtualized environment, Windows Defender's real-time protection can be disabled so that we can hash the dumped malware.

A quick lookup of the hash on VirusTotal reveals the RAT family this malware belongs to.

Answer

XtremeRAT

Q4: Machine:Target1 The malware appears to be leveraging process injection. What is the PID of the process that is injected?

The Behavior section on VirusTotal lists the processes this malware injects into; the first one is iexplore.exe, which was also observed among the running processes.

To verify this, the hollowfind plugin can be leveraged, but as the standalone executable version of Volatility 2 does not contain this plugin, I switched to a SIFT machine to run it.

We can verify that the given process is indeed malicious by dumping it with the procdump plugin, calculating the hash of the dumped file and looking it up on VirusTotal.

According to VirusTotal, the process is indeed malicious.

Answer

2996

Q5: Machine:Target1 What is the unique value the malware is using to maintain persistence after reboot?

This question can be answered by further analysis of the information provided by VirusTotal. The MITRE ATT&CK Tactics and Techniques section mentions that the malware uses Registry Run Keys/Startup Folder for persistence. Looking at the registry keys set by the malware, we can observe that the first key on the list runs AnyConnectInstaller.exe.

This can also be verified by running the printkey plugin and specifying the Run key via the -K option.

Answer

MrRobot

Q6: Machine:Target1 Malware often uses a unique value or name to ensure that only one copy runs on the system. What is the unique name the malware is using?

Malware often uses a mutex to ensure that only one instance runs and to avoid re-infecting the host with the same sample. The handles plugin lists the open handles of the specified process, and the -t option restricts the output to Mutant objects.

Answer

fsociety0.dat

Q7: Machine:Target1 It appears that a notorious hacker compromised this box before our current attackers. Name the movie he or she is from.

To find the user account used by the previous hacker, the filescan plugin can be used to list all file names present in memory. A bit of PowerShell is then needed to output only the user names (the path component following \Users\) and keep only unique values so that each user appears once. We therefore pipe the output of the filescan plugin to the following PowerShell cmdlets:

filescan | Select-String -Pattern '\\Users\\([^\\]+)' -AllMatches | ForEach-Object { $_.Matches | ForEach-Object { $_.Groups[1].Value } } | Sort-Object -Unique

Two users that are unknown so far and look interesting are:

  • gideon

  • zerocool

A quick Google search reveals that zerocool is a character from the movie "Hackers".

Answer

Hackers

Q8: Machine:Target1 What is the NTLM password hash for the administrator account?

To find the NTLM password hashes of the users, we can use the hashdump plugin. This plugin requires the virtual offsets of the SYSTEM and SAM hives, which the hivelist plugin provides.

With the virtual offsets of the SYSTEM and SAM hives noted, we can run hashdump and pass it these required offsets.

Answer

79402b7671c317877b8b954b3311fa82

Q9: Machine:Target1 The attackers appear to have moved over some tools to the compromised front desk host. How many tools did the attacker move?

For this question, the technique from Q7 can be reused: filescan lists all the files in memory and some PowerShell filtering narrows the output to the files we want. In this scenario the attacker could have used several directories to store tools, but after some time I have found that the directory is Windows\Temp\. Using the same technique as in Q7, we can output the unique file names present in this directory:

filescan | Select-String -Pattern '\\Windows\\Temp\\([^\\]+)' -AllMatches | ForEach-Object { $_.Matches | ForEach-Object { $_.Groups[1].Value } } | Sort-Object -Unique

We have found four executables present in the Windows\Temp\ directory. However, the answer 4 seems to be incorrect. A quick lookup of these executables tells us that WCE (Windows Credential Editor) is a credential-dumping tool that accounts for two of the four executables in this directory:

  • wce.exe

  • getlsasrvaddr.exe

The question asks how many tools (not how many executables) the attacker moved.

Answer

3
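The filescan-and-filter technique from Q7 and Q9 (and the Tasks lookup in Q20) reduces to parsing the plugin's table and grouping paths. The following is an added Python example, not part of the original write-up: it parses a constructed filescan sample (paths echo the write-up, offsets are made up) and extracts unique user names and the files that sit directly in a directory, keeping every physical offset so each copy can be passed to dumpfiles -Q.

```python
import re

# Constructed sample in the layout Volatility 2 filescan prints (Offset(P), #Ptr,
# #Hnd, Access, Name). Paths echo the write-up; the offsets are made up, and the
# two nbs.txt rows mimic the multiple file objects one file often has in memory.
FILESCAN_SAMPLE = r"""
Offset(P)            #Ptr   #Hnd Access Name
------------------ ------ ------ ------ ----
0x000000003e5ec9f8      8      0 R--r-d \Device\HarddiskVolume1\Users\frontdesk\Downloads\AnyConnectInstaller.exe
0x000000003f2c0470      1      0 R--r-- \Device\HarddiskVolume1\Users\gideon\Desktop\notes.txt
0x000000003f3d9a80      1      0 R--r-- \Device\HarddiskVolume1\Users\zerocool\NTUSER.DAT
0x000000003fa11c10      4      0 R--r-d \Device\HarddiskVolume1\Windows\Temp\wce.exe
0x000000003fa12d20      4      0 R--r-d \Device\HarddiskVolume1\Windows\Temp\getlsasrvaddr.exe
0x000000003fa13e30      4      0 R--r-d \Device\HarddiskVolume1\Windows\Temp\nbtscan.exe
0x000000003fa14f40      1      0 R--rw- \Device\HarddiskVolume1\Windows\Temp\nbs.txt
0x000000003fb20000      1      0 R--rw- \Device\HarddiskVolume1\Windows\Temp\nbs.txt
0x000000003fc31110      1      0 R--rw- \Device\HarddiskVolume1\Windows\Temp\cache\keep.tmp
"""

ROW_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+\d+\s+\d+\s+\S+\s+(\S.*)$")

def parse_filescan(text):
    """Yield (physical offset, path) per data row; header and ruler lines are skipped."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            yield int(m.group(1), 16), m.group(2).rstrip()

def unique_users(text):
    """Q7: distinct profile names, i.e. the path component right after \\Users\\."""
    users = set()
    for _, path in parse_filescan(text):
        m = re.search(r"\\Users\\([^\\]+)", path, re.IGNORECASE)
        if m:
            users.add(m.group(1))
    return sorted(users, key=str.lower)

def files_under(text, directory):
    """Q9/Q20: files directly under `directory` (e.g. r'\\Windows\\Temp'), each mapped
    to every physical offset it was found at, so each copy can be dumped with -Q.
    Entries in subdirectories are excluded, which is exactly the Q20 pitfall."""
    row = re.compile(re.escape(directory) + r"\\([^\\]+)$", re.IGNORECASE)
    found = {}
    for offset, path in parse_filescan(text):
        m = row.search(path)
        if m:
            found.setdefault(m.group(1), []).append(offset)
    return found
```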

Q10: Machine:Target1 What is the password for the front desk local administrator account?

The password for the local administrator account can be found by using online hash lookup services such as Hashes.com, as we have already retrieved the NTLM hash in Q8.

Answer

flagadmin@1234

Q11: Machine:Target1 What is the std create data timestamp for the nbtscan.exe tool?

To find the creation timestamp of nbtscan.exe, the MFT records need to be analyzed. The mftparser plugin parses the MFT records into the specified output file. I have chosen to write the MFT records in text format to a specified file using the --output and --output-file options.

Once the MFT has been parsed, we open the output file and search for nbtscan.exe to read its creation timestamp.

Answer

2015-10-09 10:45:12 UTC

Q12: Machine:Target1 The attackers appear to have stored the output from the nbtscan.exe tool in a text file on a disk called nbs.txt. What is the IP address of the first machine in that file?

To answer this question, nbs.txt, previously found in the Windows\Temp\ directory, needs to be dumped and analyzed, following the same process as in Q3 with the filescan and dumpfiles plugins.

All that is left is to open the dumped file and read the IP address of the first machine listed.

Answer

10.1.1.2

Q13: Machine:Target1 What is the full IP address and the port was the attacker's malware using?

The netscan plugin can be used to scan for connections and sockets. We have previously identified that the malware injected into iexplore.exe with PID 2996, so we can filter the connections by this PID to find the IP address and port used by the malware.

Answer

180.76.254.120:22

Q14: Machine:Target1 It appears the attacker also installed legit remote administration software. What is the name of the running process?

In Q1 we listed the running processes with pstree, where we can also see that a well-known remote administration tool is running on the device.

Answer

TeamViewer.exe

Q15: Machine:Target1 It appears the attackers also used a built-in remote access method. What IP address did they connect to?

Among the running processes there is mstsc.exe, the executable of Microsoft's Remote Desktop Connection client. To find the IP address the attacker connected to, we need to grab the PID of mstsc.exe and look up the network connections initiated by this process using the netscan plugin.

Answer

10.1.1.21
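Q13, Q15 and Q21 all come down to the same step: filter netscan output by PID (or owner) and read the foreign endpoint. The following is an added Python example, not part of the original write-up: it parses a constructed netscan sample (the 2996/iexplore.exe row carrying 180.76.254.120:22 reflects Q13; the local address 10.1.1.20, the mstsc.exe PID 3940 and the remaining rows are made up) and handles the UDP rows, whose blank State column shifts the fields.

```python
from collections import namedtuple

Conn = namedtuple("Conn", "offset proto local foreign state pid owner")

# Constructed sample in the column layout of Volatility 2 netscan output. The
# 2996/iexplore.exe row carrying 180.76.254.120:22 reflects Q13; the local address
# 10.1.1.20, the mstsc.exe PID 3940 and the other rows are made up for illustration.
NETSCAN_SAMPLE = """\
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x3e0b1d10         UDPv4    0.0.0.0:5355                   *:*                                   1204     svchost.exe    2015-10-09 10:30:01 UTC+0000
0x3e4c2a80         TCPv4    0.0.0.0:3389                   0.0.0.0:0            LISTENING        1096     svchost.exe
0x3e7d6a10         TCPv4    10.1.1.20:49222                180.76.254.120:22    ESTABLISHED      2996     iexplore.exe
0x3e7e1b20         TCPv4    10.1.1.20:49301                10.1.1.21:3389       ESTABLISHED      3940     mstsc.exe
0x3e9a0d40         TCPv4    -:0                            -:0                  CLOSED           2996     iexplore.exe
"""

def parse_netscan(text):
    """Split netscan rows on whitespace. TCP rows carry a State column, UDP rows
    leave it blank, so the two have different token counts and are handled apart."""
    conns = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or not tok[0].startswith("0x"):
            continue                      # header, ruler or blank line
        proto = tok[1]
        is_tcp = proto.startswith("TCP")
        if len(tok) < (7 if is_tcp else 6):
            continue                      # truncated row: skip rather than mis-assign columns
        if is_tcp:
            local, foreign, state, pid, owner = tok[2:7]
        else:
            local, foreign, pid, owner = tok[2:6]
            state = ""
        conns.append(Conn(int(tok[0], 16), proto, local, foreign, state, int(pid), owner))
    return conns

WILDCARDS = ("*", "0.0.0.0", "-", "::")

def remote_endpoints(conns, pid, established_only=True):
    """Q13/Q15/Q21: foreign ip:port pairs for one PID, dropping listeners,
    closed sockets and wildcard endpoints that carry no peer information."""
    hits = []
    for c in conns:
        if c.pid != pid or (established_only and c.state != "ESTABLISHED"):
            continue
        if c.foreign.rsplit(":", 1)[0] in WILDCARDS:
            continue
        hits.append(c.foreign)
    return hits

def pids_for_owner(conns, owner):
    """Map a process name from pstree (e.g. mstsc.exe) to the PIDs netscan lists for it."""
    return sorted({c.pid for c in conns if c.owner.lower() == owner.lower()})
```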

Q16: Machine:Target2 It appears the attacker moved latterly from the front desk machine to the security admins (Gideon) machine and dumped the passwords. What is Gideon's password?

Moving on to the next system (Target2), we first need to find the suitable profile to use with Volatility by running the imageinfo plugin against the memory image. Once the right profile is found, we can start analyzing the memory dump.

First, I looked for Gideon's password by following the same process as in Q8: I located the virtual offsets of the SYSTEM and SAM hives and used the hashdump plugin to dump the users' password hashes.

Even though I was able to look up the NTLM hash of gideon's password online, it was not the correct answer for this question. The hints for this question point to the consoles plugin, which extracts and displays the history of executed commands. This way we can observe the attacker's behavior on the system.

From the commands executed on the system, we can quickly spot the attacker's credential-dumping tool that we have already seen on the Target1 machine: wce.exe. Its output was saved to the file w.tmp, which we can locate with filescan and dump with dumpfiles in order to analyze its content.

Once the file is dumped, we can open it in a text editor of our choice to analyze the content (the output of the wce.exe -w command).

Answer

t76fRJhS

Q17: Machine:Target2 Once the attacker gained access to "Gideon," they pivoted to the AllSafeCyberSec domain controller to steal files. It appears they were successful. What password did they use?

This can be answered by analyzing the output of the consoles plugin from Q16. In command number 16, the attacker used the rar command to archive all the text files on the Z:\ drive into crownjewlez.rar and encrypted the archive with a password passed via the -hp option.

Answer

123qwe!@#

Q18: Machine:Target2 What was the name of the RAR file created by the attackers?

This was already found in Q17.

Answer

crownjewlez.rar

Q19: Machine:Target2 How many files did the attacker add to the RAR archive?

From the output of the consoles plugin in the previous questions, we can identify the process (and its PID) in which the attacker's commands were executed.

To find additional information about this process, we dump its memory with the memdump plugin as in Q1. Once the process memory is written to a file, we can analyze it with strings and search for the name of the RAR archive, crownjewlez.rar, to see which files were added to it.

Answer

3

Q20: Machine:Target2 The attacker appears to have created a scheduled task on Gideon's machine. What is the name of the file associated with the scheduled task?

To find the scheduled task present on the system, we look for files in the C:\Windows\System32\Tasks directory by running the filescan plugin together with the Select-String cmdlet to keep only the relevant file paths:

filescan | Select-String -Pattern '\\Windows\\System32\\Tasks\\' | Sort-Object -Unique

Running this gives many hits for files in subdirectories of the Tasks folder, but only one file is present directly in the Tasks directory.

This is the name of the scheduled task present on the system, but the question asks about the executable associated with it. To find this, we dump the task file with the dumpfiles plugin, providing the physical offset of the file with the -Q option, and then read the content of the dumped file in a text editor of our choice.

Answer

1.bat

Q21: Machine:POS What is the malware CNC's server?

First, we can use the malfind plugin to find injected code in the processes. Correlating these processes with the netscan output, we find that the iexplore.exe process is connecting to the C2 server on port 80.

Answer

54.84.237.92

Q22: Machine:POS What is the common name of the malware used to infect the POS system?

To extract the malware, we can use the malfind plugin from the previous question with the -p option to specify the PID and the -D option to specify the output directory.

Then we calculate the hash of the dumped file and look it up on VirusTotal, where we can find the malware's name.

Answer

Dexter

Q23: Machine:POS In the POS malware whitelist. What application was specific to Allsafecybersec?

To find the whitelisted application, we can take the process already dumped in Q22 and run strings against it. We then look for .exe file names in the strings output, keeping in mind that the answer field indicates the file name contains an underscore.

Answer

allsafe_protector.exe

Q24: Machine:POS What is the name of the file the malware was initially launched from?

The hints for this question indicate that we should look for the initial file name of the malware as it was accessed via the web browser. This can be found with the iehistory plugin, which reconstructs and displays Internet Explorer history.

Answer

allsafe_update.exe