Go Hunting for Malware

-

Another Interesting Challenge from AISA CTF that I would like to blog about, is the final forensic challenge to find the following information, out of a malware infected system's memory dump

The Process ID of the malicious process ?

The Process ID of any spawned child processes ?

The date and time of when the initial Process ID was created ?

The attackers IP address ?

The port number the victim is connecting back to ?

The URL the user visited that let to the initial infection ?


And was provided with the memory dump "memoryisthekey.dmp"


So the above file is a RAM dump of the system after the infection, so then volatility is the best tool in further analyzing the dump


First we need to identify what profile we need to use with volatility. example: WINXP or 7, etc





So then i picked "Win7SP0x86", since there was not much changes between SP1 and SP0 memory storage


Lets check the process tree to identify the malicious process



Now the following processes were the ones i suspected. especially cmd.exe



So the user has did some operation in internet explorer (iexplore.exe) at 12:30, Which then spawned a new sub process rundll32.exe under the explorer.exe tree along with a cmd.exe process.


Lets check the established connections at that time



the process rundll32.exe has established a rogue connection with an foreign address at port 4444. Which is clearly abnormal. Also by default metasploit create handles on port 4444.




So at this point we have almost harvested 5/6 key informations needed. the next one is fetching the URL that the user visited which got him infected in first place


we can get the URL with a couple of ways

1. iexplore plugin (Lot of white noise)

2. yara scan (good if you define the process id as well)

3. wintree plugin (perfect when defined the process id)




Above is the example of the yarascan, which is hard to interpret. but if we use the wintree plugin we achieve the following result



So all the artefacts were collected and summary of them


The Process ID of the malicious process. - 2952

The Process ID of any spawned child processes. - 3112

The date and time of when the initial Process ID was created. - 2015-10-10 12:51:48

The attackers IP address. - 192.168.50.128

The port number the victim is connecting back to. - 4444

The urls the victim visited which intiated the infection - http://192.168.50.128/

Comments

Post a Comment

Popular posts from this blog

SANS Kringlecon 2022 Introduction

-
Image
What Challenges Should You Expect?   This year, the infamously precious 5 Golden Rings have been stolen, and Santa needs your help to recover them. Each ring represents a different quest to defeat cybersecurity obstacles to change the course of the future and defeat holiday treachery:   1. Tolkien Ring (Network Security) - Analyse a PCAP to identify malware, and then analyse logs and create IDS rules to detect such attacks. 2. Elfen Ring (SecDevOps and Supply Chain Attacks) – Identify malicious packages and then attack CI/CD processes to escape a container. 3. Web Ring (Web Application Vulnerabilities and Exploitation) - Identify XML External Entity (XXE) attack and leverage such vulnerabilities to gain access. 4. Cloud Ring (Cloud Security) - Analyse cloud configurations via the command line, identifying possible vulnerabilities and information leakage. 5. Burning Ring of Fire (Cryptocurrency, NFT, and Smart Contract Attacks) - Acquire and spend cryptocurrency, then analyse a
Read more

Sans Kringlecon 2022 - Christmas CTF Finale

-
Image
Finale Upon Collection of all 5 rings, we are being asked to meet Santa exciting the tunnels and Santa asks us to get into the building where we are greeted with Santa’s congratulations and credits to all the fantastic effort of smart folks from SANS rolling. Hidden Chests & Tunnel Map Was able to identify a total of 5 hidden chests. To find these hidden chests any new location you enter within the tunnel or even while navigating to the tunnels. Zoom out by pressing (Ctrl or Command) + “-“, which should make the hidden chests easily visible and you should be able to identify the pathways by playing with the arrow keys and even by looking for cracks in the mine wall that tells you can enter through to get to the hidden chest Most of the chest provide you with hints and almost all of them with Kringlecoins    Overall chest locations: 1 in Tokien Ring area 1 in Cloud Ring are 3 in pathways in the tunnel to different challenge areas Below is the Full Navigation map within the Tunnel h
Read more

Web Ring - Boria PCAP Mining Walkthrough

-
Image
As we progress through the web ring tunnel within 2022 Kringlecon CTF, we come across Alabaster Snowball who provides us the Victim.pcap file and weberror.log file. After which we are being asked a series of question to be analysed from the pcap and the log file to answer those questions. In the below answers for all of them have used the pcap to answer the questions and I have shown commands+output of log file analysis too Naughty IP - Difficulty Level 1/5 Use the artifacts from Alabaster Snowball to analyse this attack on the Boria mines. Most of the traffic to this site is nice, but one IP address is being naughty! Which is it? Visit Sparkle Redberry in the Tolkien Ring for hints.   To answer this question based on the hints provided on looking for top talkers, we can open up the pcap file within Wireshark and choose Statistics from menu bar and choose conversation options and choose IPv4 tab within the open window. Which presents to us that the IP that talks more the server is 18.2
Read more