Go Hunting for Malware

-

Another Interesting Challenge from AISA CTF that I would like to blog about, is the final forensic challenge to find the following information, out of a malware infected system's memory dump

The Process ID of the malicious process ?

The Process ID of any spawned child processes ?

The date and time of when the initial Process ID was created ?

The attackers IP address ?

The port number the victim is connecting back to ?

The URL the user visited that let to the initial infection ?


And was provided with the memory dump "memoryisthekey.dmp"


So the above file is a RAM dump of the system after the infection, so then volatility is the best tool in further analyzing the dump


First we need to identify what profile we need to use with volatility. example: WINXP or 7, etc





So then i picked "Win7SP0x86", since there was not much changes between SP1 and SP0 memory storage


Lets check the process tree to identify the malicious process



Now the following processes were the ones i suspected. especially cmd.exe



So the user has did some operation in internet explorer (iexplore.exe) at 12:30, Which then spawned a new sub process rundll32.exe under the explorer.exe tree along with a cmd.exe process.


Lets check the established connections at that time



the process rundll32.exe has established a rogue connection with an foreign address at port 4444. Which is clearly abnormal. Also by default metasploit create handles on port 4444.




So at this point we have almost harvested 5/6 key informations needed. the next one is fetching the URL that the user visited which got him infected in first place


we can get the URL with a couple of ways

1. iexplore plugin (Lot of white noise)

2. yara scan (good if you define the process id as well)

3. wintree plugin (perfect when defined the process id)




Above is the example of the yarascan, which is hard to interpret. but if we use the wintree plugin we achieve the following result



So all the artefacts were collected and summary of them


The Process ID of the malicious process. - 2952

The Process ID of any spawned child processes. - 3112

The date and time of when the initial Process ID was created. - 2015-10-10 12:51:48

The attackers IP address. - 192.168.50.128

The port number the victim is connecting back to. - 4444

The urls the victim visited which intiated the infection - http://192.168.50.128/

Comments

Post a Comment

Popular posts from this blog

SANS Kringlecon 2022 Introduction

-
Image
What Challenges Should You Expect?   This year, the infamously precious 5 Golden Rings have been stolen, and Santa needs your help to recover them. Each ring represents a different quest to defeat cybersecurity obstacles to change the course of the future and defeat holiday treachery:   1. Tolkien Ring (Network Security) - Analyse a PCAP to identify malware, and then analyse logs and create IDS rules to detect such attacks. 2. Elfen Ring (SecDevOps and Supply Chain Attacks) – Identify malicious packages and then attack CI/CD processes to escape a container. 3. Web Ring (Web Application Vulnerabilities and Exploitation) - Identify XML External Entity (XXE) attack and leverage such vulnerabilities to gain access. 4. Cloud Ring (Cloud Security) - Analyse cloud configurations via the command line, identifying possible vulnerabilities and information leakage. 5. Burning Ring of Fire (Cryptocurrency, NFT, and Smart Contract Attacks) - Acquire and spend cryptocurrency, then analyse a
Read more

Tolkien Ring - Wireshark Practice walkthrough

-
Image
By now we should be ready to start out first challenge as part of the Tolkien Ring, which is in relation to Wireshark Difficulty Rating: 1/5 Hints Just have to follow thorough the questions asked in terminal, by analysing the suspicious.pcap file in Wireshark   Solutions 1. What kinds of objects can be exported in the pcap file ?  HTTP Open up suspicious.pcap file in Wireshark, using the export objects option available in Wireshark. Now we can export different types of objects depending on what’s been captured in this pcap. When you choose to export HTTP objects you get to see 3 files, while the export options will be empty.   2. Name of the biggest file you can export ?  app.php (808kB) Within Wireshark in the object export tab for HTTP, you get to see 3 files, among which the biggest file by size 808kb is app.php     3. Packet number where app.php starts ?   687 In the object export tab within Wireshark, first column indicated the starting packet number of the conversation for tha
Read more

Elfen Ring - Prison Escape Walkthrough

-
Image
Prison Escape Challenge Difficulty 3/5 Clone a code repository. Get hints for this challenge from Bow Ninecandle in the Elfen Ring. After completing the Clone with a difference challenge , Getting back on the boat and progressing further through the game, we meet Tinsel Upatree with a terminal named “Prison Escape”, once we click on the terminal we are presented with the following screen that details the challenge and Based on the question, we need to find a hex string that contains the flag that needs to be submitted Seems like we need to find a way to privilege escalate or escape from the limited sandbox to be able to complete the challenge. given we can get linpeas transferred to this system, we will have to manually perform initial enumeration. Based on the above screenshot, Seems like some sort of docker container and now ill have to narrow down the enumeration to docker container escape .  Using the following docker container escape reference cheatsheet, while attempting enumerat
Read more