Hi there, and welcome to this write-up. It’s the first time I’m publishing a write-up; after reading and using many others, I felt the need to share my own way of working in the hope of helping others like I was helped.
I will aim for a combination of a little storytelling and brief descriptions of ways of thinking. If you have any comments or feedback, please let me know below! This write-up will not include the actual answers to the questions, but I’ll guide you to them.
Scenario
An employee reported that his machine started to act strangely after receiving a suspicious email for a security update. The incident response team captured a couple of memory dumps from the suspected machines for further inspection. Analyze the dumps and help the IR team figure out what happened!
First steps
I downloaded the required files from Cyberdefenders.org. In the zip we observe 3 folders:
- pos01
- target1
- target2
At this point, we assume that pos is a Point of Sale system (the thing cashiers use) and that the other two are ‘regular’ computers.
For each machine, we have a vmsd and a vmss file. A vmss file is a ‘snapshot’ file of a machine, containing its memory at that given point in time. The vmsd file contains metadata about this snapshot. Each of these files was readable by volatility2 with no issues.
Looking at the vmsd files we see the snapshots have the following names. Nothing can really be extracted from this yet, but it might be useful information for future questions.
- target1 “pre-hack”
- target2 “pre-hack”
- pos01 “before-firstrun”
Tooling
According to cyberdefenders, Volatility2, Volatility3 and Rstudio are suggested for this Challenge. My personal preference lies with Volatility2 (the standalone build, since a python2.7 environment is a hassle to maintain), as once the profile is determined, it is often quicker to get results than with 3.
At this time I would like to mention two cheat sheets that I always have on a second monitor when running volatility:
- https://blog.onfvp.com/post/volatility-cheatsheet/
- https://book.hacktricks.xyz/generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-examples
For more extensive commands I recommend the official Command Reference.
I personally did this Challenge in a Win10 Virtual Machine, but it should be no issue to run it on any Linux-based distro.
Tip: as volatility outputs are often very long, I recommend saving them somewhere. I like to put each command’s output in a Sublime Text tab for easy searching. It will save you some time by avoiding re-running commands.
Questions: Machine Target1
I divide the questions into sections per machine, as profiles may differ between machines.
Before I start diving into the questions I want to know basic information about this memory image, so I run the Volatility2 imageinfo command.
> volatility_2.6_win64_standalone.exe -f C:\Users\johndoe\Desktop\Challenges\target1\Target1-1dd8701f.vmss imageinfo
Volatility Foundation Volatility Framework 2.6
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x86_23418, Win7SP0x86, Win7SP1x86
AS Layer1 : IA32PagedMemoryPae (Kernel AS)
AS Layer2 : VMWareAddressSpace (Unnamed AS)
AS Layer3 : FileAddressSpace (C:\Users\johndoe\Desktop\Challenges\target1\Target1-1dd8701f.vmss)
PAE type : PAE
DTB : 0x185000L
KDBG : 0x82765be8L
Number of Processors : 2
Image Type (Service Pack) : 0
KPCR for CPU 0 : 0x82766c00L
KPCR for CPU 1 : 0x807c5000L
KUSER_SHARED_DATA : 0xffdf0000L
Image date and time : 2015-10-09 12:53:02 UTC+0000
Image local date and time : 2015-10-09 08:53:02 -0400
We got our profile: Win7SP1x86_23418, which we will use for the questions for this machine. Now let’s dive into the first questions!
1: What email address tricked the front desk employee into installing a security update?
Alright, so the question wants us to find email traffic, but we do not have any files. By running the volatility pstree command on target1 we see that there’s an Outlook process running at the time of the capture with PID 3196.
> volatility_2.6_win64_standalone.exe -f C:\Users\johndoe\Desktop\Challenges\target1\Target1-1dd8701f.vmss --profile Win7SP1x86_23418 pstree
Volatility Foundation Volatility Framework 2.6
Name Pid PPid Thds Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
0x85c1e5f8:explorer.exe 2116 2060 23 912 2015-10-09 11:31:04 UTC+0000
. 0x83eb5d40:cmd.exe 2496 2116 1 22 2015-10-09 11:33:42 UTC+0000
. 0x83f1ed40:mstsc.exe 2844 2116 11 484 2015-10-09 12:12:03 UTC+0000
. 0x83fb86a8:cmd.exe 3064 2116 1 22 2015-10-09 11:37:32 UTC+0000
. 0x859281f0:vmtoolsd.exe 2388 2116 7 164 2015-10-09 11:31:04 UTC+0000
. 0x85cd3d40:OUTLOOK.EXE 3196 2116 22 1678 2015-10-09 11:31:32 UTC+0000
When we dump the files for this process using the dumpfiles module:
> volatility_2.6_win64_standalone.exe -f C:\Users\johndoe\Desktop\Challenges\target1\Target1-1dd8701f.vmss --profile Win7SP1x86_23418 dumpfiles -D "C:\Users\johndoe\Desktop\Challenges\target1\vola\filedump\3196" -n -u -p 3196
A file called [email protected] - outlook2.ost.dat gets dumped. An OST file is an offline Outlook data file, containing an offline copy of emails. An OST file can be opened in various ways; I used SysInfoTools OST File Viewer. Upon opening, a suspicious mail is observed.
The sender’s email address is the answer we’re looking for.
2: What is the filename that was delivered in the email?
With the OST File Viewer it is possible to open the email from the .ost file. This contains the download URL, thus our filename.
3: What is the name of the rat’s family used by the attacker?
By this point it is likely that you’ve already run the filescan module from volatility2 during the investigation; if you haven’t, now is the time. Since we have our filename, we can look up the file’s location in memory and dump it. It was found in the Downloads folder:
> volatility_2.6_win64_standalone.exe -f C:\Users\johndoe\Desktop\Challenges\target1\Target1-1dd8701f.vmss --profile Win7SP1x86_23418 dumpfiles -D "C:\Users\johndoe\Desktop\Challenges\target1\filedump" -n -u -Q 0x000000003ed57968
Volatility Foundation Volatility Framework 2.6
ImageSectionObject 0x3ed57968 None \Device\HarddiskVolume2\Users\frontdesk\Downloads\<name>.exe
DataSectionObject 0x3ed57968 None \Device\HarddiskVolume2\Users\frontdesk\Downloads\<name>.exe
The filename was already known and doesn’t give us a hint about the malware family. I hashed the file using the utility that comes with a 7zip install. If you don’t have that, you can also calculate the hash of the file with certutil -hashfile file MD5 on Windows or md5sum file on Linux distributions.
Looking up the hash in VirusTotal gives us a 60/68 detection:
Various VT providers use different names for this malware; make use of the mask given by the CyberDefenders question and you should be able to get the right one in no time.
4: The malware appears to be leveraging process injection. What is the PID of the process that is injected?
We can again leverage the output of a previous question; in this case we reuse the pstree output from earlier on. Looking at it, we see a cmd.exe process inside an iexplore.exe process. Very sus, and thus, our answer.
0x85d0d030:iexplore.exe <PID> 2984 6 463 2015-10-09 11:31:27 UTC+0000
. 0x83f105f0:cmd.exe 1856 <PID> 1 33 2015-10-09 11:35:15 UTC+0000
5: What is the unique value the malware is using to maintain persistence after reboot?
On the behavioral page of the VT report used in question 3, we see that it touches registry keys in a Run subkey of the registry; this is used for persistence. Easy find!
For me this was an easy find, but you might not know about Run keys yet; if that’s the case I recommend reading this blog by cybersecurity.com. Another great tool for finding persistence on live machines is Sysinternals Autoruns, but unfortunately it is only usable for offline machines when the System Root and User profile are collected.
6: Malware often uses a unique value or name to ensure that only one copy runs on the system. What is the unique name the malware is using?
This one tricked me for a bit (that’s a good thing, because when we get tricked, we learn). We have a mask of a .dat file. The VirusTotal page shows a .dat file right next to the security score:
But that’s not the .dat file we’re looking for (according to the CyberDefenders mask we need a .dat file).
So I ran strings over the installer to see if I could find some other .dat files. Nothing of use came out. The earlier filescan output was also no luck for this one. Bummer.
At last, I went back to the VT report one more time, and in the community tab there is a Hybrid Analysis result which contained a .dat file in combination with “PERSIST” on the same line, and our answer is found.
7: It appears that a notorious hacker compromised this box before our current attackers. Name the movie he or she is from.
Alright, a knowledge question. I do not know that many hacker movies to be honest, so we need to get our answer purely from the data itself. So let’s throw some more commands at the memory image we have in our hands.
cmdscan was the first one that gave a possible clue.
> volatility_2.6_win64_standalone.exe -f C:\Users\johndoe\Desktop\Challenges\target1\Target1-1dd8701f.vmss --profile Win7SP1x86_23418 cmdscan
Volatility Foundation Volatility Framework 2.6
**************************************************
CommandProcess: conhost.exe Pid: 676
CommandHistory: 0x349ff8 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 5 LastAdded: 4 LastDisplayed: 4
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x5c
Cmd #0 @ 0x33fe58: cd ..
Cmd #1 @ 0x33fe70: cd Temp
Cmd #2 @ 0x3477a8: wce.exe -w
Cmd #3 @ 0x3487b8: runas /profile /user:Administrator
Cmd #4 @ 0x34e500: runas /profile /user:Administrator cmd
The wce.exe looks suspicious; it appears to be a Windows credentials dumper, and the -w flag dumps the passwords in cleartext. Hence the attacker attempting to run commands as Administrator after dumping the credentials. Not really a useful clue for this question, but good to remember for the future.
Another one that I found interesting was the presence of TeamViewer logs in the memory file. But these are also a dead end.
Third time lucky was enumerating possible accounts on the machine. There are multiple ways to do so; I created this command to search through previously saved output:
> type ..\Challenges\target1\vola\filescan | findstr Users | findstr /V front
I excluded “front” as the frontdesk user is already known and would clutter the output. The output contains a home directory for a user we’ve not heard of before. Upon googling, this is indeed our notorious hacker.
8: What is the NTLM password hash for the administrator account?
Volatility has a hashdump module included, which will print out the hashes for the accounts. ezpz.
9: The attackers appear to have moved over some tools to the compromised front desk host. How many tools did the attacker move?
Filescan to the rescue!! During earlier research, I observed a Temp folder (which also contained the earlier wce.exe). I used the following command to list all executables in that Temp folder:
> type ..\Challenges\target1\vola\filescan | findstr Temp | findstr exe
The output returns multiple executables. The hint here is to research the executables found: a single tool is known to come with 2 .exe files, which might trick you the same way it did me.
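As an added example (my own, not from the original write-up), the two findstr searches used for question 7 and question 9 can be generalised into a small Python parser for saved filescan output that lists user profiles under \Users and executables in a given folder. The filescan lines it parses are constructed for the example; the offsets, counters and the second user name are placeholders, not values from the dump.

```python
import re
from collections import defaultdict

# Constructed filescan lines in the Volatility 2 column layout
# (Offset(P), #Ptr, #Hnd, Access, Name). Offsets, counters and "otheruser" are
# placeholders invented for this example, not values from the challenge dump.
FILESCAN_OUTPUT = r"""Offset(P)            #Ptr   #Hnd Access Name
------------------ ------ ------ ------ ----
0x000000003ed57968      8      0 R--r-d \Device\HarddiskVolume2\Users\frontdesk\Downloads\suspicious-update.exe
0x000000003ee10a20      2      0 R--rwd \Device\HarddiskVolume2\Users\frontdesk\Documents\notes.txt
0x000000003ef20b40      2      1 R--r-d \Device\HarddiskVolume2\Users\otheruser\NTUSER.DAT
0x000000003f0a0c80      8      0 R--r-d \Device\HarddiskVolume2\Windows\Temp\wce.exe
0x000000003f0a0d10      8      0 R--r-d \Device\HarddiskVolume2\Windows\Temp\nbtscan.exe
0x000000003f0a0e40      2      0 R--rw- \Device\HarddiskVolume2\Windows\Temp\nbs.txt
0x000000003f1b0f00      8      0 R--r-d \Device\HarddiskVolume2\Windows\System32\cmd.exe
"""

LINE_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(.+?)\s*$")
USER_RE = re.compile(r"\\Users\\([^\\]+)\\", re.IGNORECASE)

def parse_filescan(text):
    """Return (offset, ptr, hnd, access, path) tuples; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append((int(m.group(1), 16), int(m.group(2)), int(m.group(3)), m.group(4), m.group(5)))
    return rows

def user_profiles(rows, exclude=()):
    """Map each profile name under \\Users\\ to the paths seen for it, minus excluded names."""
    skip = {e.lower() for e in exclude}
    profiles = defaultdict(list)
    for _, _, _, _, path in rows:
        m = USER_RE.search(path)
        if m and m.group(1).lower() not in skip:
            profiles[m.group(1)].append(path)
    return dict(profiles)

def executables_in(rows, folder):
    """List (offset, path) for .exe files whose path contains the given folder component."""
    needle = "\\" + folder.lower() + "\\"
    return [(off, path) for off, _, _, _, path in rows
            if needle in path.lower() and path.lower().endswith(".exe")]

if __name__ == "__main__":
    rows = parse_filescan(FILESCAN_OUTPUT)
    print("profiles:", sorted(user_profiles(rows, exclude=("frontdesk",))))
    for off, path in executables_in(rows, "Temp"):
        print(f"{off:#018x} {path}")
```

With a real run, read the saved filescan file instead of FILESCAN_OUTPUT and pass the offsets straight to dumpfiles -Q.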
10: What is the password for the front desk local administrator account?
Multiple ways to approach this one. I ran hashcat with the earlier found hash and the rockyou wordlist, but it didn’t give any result. Looking at the mask of the password, 14 characters with a special character, it would take a very long time to brute-force this one.
From earlier questions, we’ve seen the wce.exe tool, which is a password/hash dumper. We’ve seen it being executed in our search for the answer to question 7, but there was no usable output from running that command. Going back to my cheatsheet/command reference, there is another command we can run for retrieving the output of previously run commands (consoles). And this one does indeed return the output of wce.exe -w and the password we’re searching for:
> volatility_2.6_win64_standalone.exe -f C:\Users\johndoe\Desktop\Challenges\target1\Target1-1dd8701f.vmss --profile Win7SP1x86_23418 consoles
<lots of output>
C:\Windows\Temp>wce.exe -w
WCE v1.42beta (Windows Credentials Editor) - (c) 2010-2013 Amplia Security - by
Hernan Ochoa ([email protected])
Use -h for help.
Administrator\front-desk-PC:<OUR FLAG>
frontdesk\ALLSAFECYBERSEC:<blurred>
FRONT-DESK-PC$\ALLSAFECYBERSEC:o0&77qj:^zctL2T]ljn3<niK2Kbqi`(:LeBoO7zE>'d8<>J"P
K;\*5IS@Oxg:rC:P:z Y!%fUiIX0y_J& uNUTJ?%:Y;qJY,xq/:)%5^f&zDK.)F%H;V?.^Z
<more output>
11: What is the std create data timestamp for the nbtscan.exe tool?
For this question, we need the MFT, so we export it using a pretty long command found on the volatility wiki, which should give us the create timestamp for the tool.
> volatility_2.6_win64_standalone.exe -f C:\Users\johndoe\Desktop\Challenges\target1\Target1-1dd8701f.vmss --profile Win7SP1x86_23418 mftparser --output=body -D C:\Users\johndoe\Desktop\Challenges\target1\vola\mft --output-file=mft.body
The mft.body contains the offsets for all files. We look up nbtscan.exe and find that it’s located at offset 0x1510c000:
> volatility_2.6_win64_standalone.exe -f C:\Users\johndoe\Desktop\Challenges\target1\Target1-1dd8701f.vmss --profile Win7SP1x86_23418 mftparser -o 0x1510c000
And our answer is found, in the creation column:
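As an added example (my own code, not from the write-up or from Volatility), here is a parser for the mft.body file that finds the $STANDARD_INFORMATION record for a given filename and returns its creation timestamp and MFT offset, plus a creation-ordered timeline of all entries. The bodyfile lines are constructed for the example: only the 0x1510c000 offset is from the write-up; paths, sizes and epoch timestamps are invented.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the bodyfile layout written by mftparser --output=body:
# md5|name|inode|mode|uid|gid|size|atime|mtime|ctime|crtime (epoch seconds).
# Paths, sizes and timestamps are invented for this example; only the 0x1510c000
# offset comes from the write-up.
MFT_BODY = r"""0|[MFT FILE_NAME] Windows\Temp\nbtscan.exe (Offset: 0x1510c000)|0|---a-----------|0|0|36864|1444389000|1444389000|1444389000|1444389000
0|[MFT STD_INFO] Windows\Temp\nbtscan.exe (Offset: 0x1510c000)|0|---a-----------|0|0|36864|1444389120|1444389060|1444389060|1444389000
0|[MFT STD_INFO] Windows\Temp\wce.exe (Offset: 0x1510c400)|0|---a-----------|0|0|212992|1444389300|1444389300|1444389300|1444389240
0|[MFT STD_INFO] Windows\Temp\nbs.txt (Offset: 0x1510c800)|0|---a-----------|0|0|1024|1444390200|1444390200|1444390200|1444390200
"""

NAME_RE = re.compile(r"^\[MFT (\w+)\] (.*) \(Offset: (0x[0-9a-fA-F]+)\)$")

def parse_body(text):
    """Yield one record per well-formed bodyfile line: MFT record type, path, offset, timestamps."""
    for line in text.splitlines():
        fields = line.split("|")
        if len(fields) != 11:
            continue  # blank or malformed line
        m = NAME_RE.match(fields[1])
        if not m:
            continue
        atime, mtime, ctime, crtime = (int(x) for x in fields[7:11])
        yield {"type": m.group(1), "path": m.group(2), "offset": int(m.group(3), 16),
               "size": int(fields[6]), "atime": atime, "mtime": mtime,
               "ctime": ctime, "crtime": crtime}

def iso_utc(epoch):
    """Format an epoch value the way Volatility prints timestamps."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC+0000")

def std_create_timestamp(text, filename):
    """Return (path, offset, created) from the STD_INFO record for filename, or None.
    $STANDARD_INFORMATION is used because that is the 'std create' value the question
    asks for; $FILE_NAME carries its own, separate set of timestamps."""
    want = "\\" + filename.lower()
    for rec in parse_body(text):
        if rec["type"] == "STD_INFO" and rec["path"].lower().endswith(want):
            return rec["path"], rec["offset"], iso_utc(rec["crtime"])
    return None

def creation_timeline(text):
    """All STD_INFO records ordered by creation time, oldest first."""
    recs = [r for r in parse_body(text) if r["type"] == "STD_INFO"]
    return sorted(recs, key=lambda r: r["crtime"])

if __name__ == "__main__":
    print(std_create_timestamp(MFT_BODY, "nbtscan.exe"))
    for r in creation_timeline(MFT_BODY):
        print(iso_utc(r["crtime"]), f"{r['offset']:#x}", r["path"])
```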
12: The attackers appear to have stored the output from the nbtscan.exe tool in a text file on a disk called nbs.txt. What is the IP address of the first machine in that file?
Saving earlier output is key again: we can look in our filescan output for nbs.txt and find that it’s located at offset 0x000000003fdb7808. Export it and voilà.
The caveat here is that the file is in binary format. I personally use sublime text and use the toggle hex view command to get the output:
13: What is the full IP address and the port was the attacker’s malware using?
From earlier questions we know that iexplore.exe was used to hide the malware. Using the netscan module in volatility we observe that this process has an open connection that matches our mask:
> volatility_2.6_win64_standalone.exe -f C:\Users\johndoe\Desktop\Challenges\target1\Target1-1dd8701f.vmss --profile Win7SP1x86_23418 netscan
14: It appears the attacker also installed legit remote administration software. What is the name of the running process?
The tool is observed many times before during our investigation, if you don’t know the answer you probably have not been paying attention ;).
15: It appears the attackers also used a built-in remote access method. What IP address did they connect to?
The built-in remote access method is most likely RDP. We look at the output of the previous question and find an open connection by mstsc.exe, the Remote Desktop executable.
Questions: Target2
We switch to the next machine and save all the outputs somewhere safe in case we need them. I ran imageinfo again; the profile is the same as for Target1.
16: It appears the attacker moved laterally from the front desk machine to the security admin’s (Gideon) machine and dumped the passwords. What is Gideon’s password?
In a previous question, we found the answer using the consoles module. We run the same command on the target2 memory file.
We observe the usage of the wce.exe tool again (which previously gave us the password), but this time the output is not written to the console but redirected to a file.
We do not have a filescan output of this machine yet, so this might be a good time to create one:
> volatility_2.6_win64_standalone.exe -f C:\Users\johndoe\Desktop\Challenges\target2\target2-6186fe9f.vmss --profile Win7SP1x86_23418 filescan > C:\Users\johndoe\Desktop\Challenges\target2\vola\filescan
The filescan output lists the file we’re looking for, so again, we dump the file:
> volatility_2.6_win64_standalone.exe -f C:\Users\johndoe\Desktop\Challenges\target2\target2-6186fe9f.vmss --profile Win7SP1x86_23418 dumpfiles -D "C:\Users\johndoe\Desktop\Challenges\target2\vola\filedump" -n -u -Q 0x000000003fcf2798
and it contains the password 🙂
17: Once the attacker gained access to “Gideon,” they pivoted to the AllSafeCyberSec domain controller to steal files. It appears they were successful. What password did they use?
During our investigation for question 16, we observed commands being executed. Within these commands, there’s a rar command, which contains our password.
If this flag doesn’t work for you, make sure to check the man page of rar, which switch is used for encrypting?
18: What was the name of the RAR file created by the attackers?
The answer to this question is also observed in question 17. No extra investigation needed.
19: How many files did the attacker add to the RAR archive?
Given the ease of the previous question, I thought I would be able to find this one in the console output too, but nothing was there. The earlier filescan output also doesn’t contain the information we need.
The information we do have is that dir was executed in the directory where all the .txt files were compressed, but no output for this command was found.
There are probably better ways to get the answer to this question, but I got it by using good old strings.exe piped to findstr (or grep if you’re on Linux). The output is a bit noisy, but it contains the number of saucy files:
> strings.exe C:\Users\johndoe\Desktop\Challenges\target2\target2-6186fe9f.vmss | findstr <NameOfTheRar>.rar
20: The attacker appears to have created a scheduled task on Gideon’s machine. What is the name of the file associated with the scheduled task?
Again a more tricky question. I tried to use a community plugin called autoruns, but that didn’t do the trick as we did not have the proper files in our package. So instead I went with a slower option and dumped all hives using the dumpregistry command, which I then loaded into Eric Zimmerman’s Registry Explorer. The loading of the files didn’t finish within the hour, so I started pivoting around again.
While pivoting through the previous filescan output I enumerated all files in Gideon’s home directory, and there was a suspicious file matching the mask there, which appeared to be our answer:
(if you know a better solution to this question, let me know in the comment section)
Questions: POS
Now on to the last machine. imageinfo came back with the same profile again 🙂
21: What is the malware CNC’s server?
Let’s start with netscan on this machine:
> volatility_2.6_win64_standalone.exe -f C:\Users\johndoe\Desktop\Challenges\pos01\POS-01-c4e8f786.vmss --profile Win7SP1x86_23418 netscan
Again an iexplore.exe process with a connection. This is most likely the one we’re looking for!
22: What is the common name of the malware used to infect the POS system?
I googled for “most common pos malware” and found a Wikipedia page that listed a family matching our mask, but that’s too simple, so let’s try another way. We know from the previous question that iexplore.exe was making suspicious connections.
I dumped the executable but it appeared to be the legitimate iexplore.exe executable, so code is most likely injected into that process (for stealth reasons).
By listing all the volatility modules available (in the command reference mal page) I found the following entry: malfind Find hidden and injected code
I ran the module and saved the output. There are multiple hits but the one that stands out is the one for process 3208 (iexplore.exe).
Reading further on the malfind module, it is possible to dump all malicious code using the --dump-dir argument:
> volatility_2.6_win64_standalone.exe -f C:\Users\johndoe\Desktop\Challenges\pos01\POS-01-c4e8f786.vmss --profile Win7SP1x86_23418 malfind -D C:\Users\johndoe\Desktop\Challenges\pos01\vola\malfind
I hashed the outputs and searched them on VT. The second file gave a hit.
The name of the malware is in the list of detections, the same location as in question 3.
23: In the POS malware whitelist. What application was specific to Allsafecybersec?
For this question, I ran various “strings” against the previously found dump piped to findstr/grep such as “exe” “allsafe” “allsafecybersec” and “whitelist“.
The answer is under the red line 😉
24: What is the name of the file the malware was initially launched from?
The previous output contained another executable, located in the Downloads folder, which is the final answer for this challenge!
Conclusion
This challenge was fun to do. All questions were answerable with volatility and some internet searching. The most valuable page for me was the Command Reference page. And thank god that a standalone version of volatility2 is released, without the hassle of having to maintain a python2 environment.
Some questions felt a bit repetitive to me, as the answer was already fully presented by a previous question; sometimes it was a bit too obvious.
Thanks for taking the time to read this write-up. I hope you’ve learned a thing or two; for any questions, comment down below or hit me up on Twitter.