BlackEnergy Walkthrough — Cyberdefenders

responderj
5 min read · Apr 14, 2023

Scenario:

A multinational corporation has been hit by a cyber attack that has led to the theft of sensitive data. The attack was carried out using a variant of the BlackEnergy v2 malware that has never been seen before. The company’s security team has acquired a memory dump of the infected machine, and they want you to analyze the dump to understand the attack scope and impact.

Challenge: BlackEnergy

Tools:

1. Which Volatility profile would be best for this machine?

In this question, I used both Volatility 2 and Volatility 3, and both tools indicated that the operating system associated with the build string and Service Pack was WinXPSP3x86.

Volatility 2:

vol.py -f CYBERDEF-567078-20230213-171333.raw kdbgscan

Volatility 3:

python3 vol.py -f /home/remnux/Documents/BlackEnergy/CYBERDEF-567078-20230213-171333.raw windows.info

Here’s the explanation from ChatGPT:

The answer field did not accept ‘WinXPSP3x86’, but it accepted ‘WinXPSP2x86’ as the correct answer.

2. How many processes were running when the image was acquired?

The pslist plugin displays the processes in the memory dump. The ExitTime column indicates the time when a process was terminated, and if the process is still running, it shows N/A.

python3 vol.py -f /home/remnux/Documents/BlackEnergy/CYBERDEF-567078-20230213-171333.raw windows.pslist

The output lists 25 processes, counting both running and terminated ones.

Piping the output through grep -v "N/A" filters out the lines that still show N/A in the ExitTime column, i.e. the processes that are still running, so only the terminated ones remain.

-v, --invert-match: select non-matching lines.

python3 vol.py -f /home/remnux/Documents/BlackEnergy/CYBERDEF-567078-20230213-171333.raw windows.pslist | grep -v "N/A"

The results show that 6 processes have been terminated. Subtracting this number from the total number of processes gives the count of running processes.

3. What is the process ID of cmd.exe?

The command grep "cmd.exe" -C 3 prints every line containing "cmd.exe" together with 3 lines of context before and after each match. The first column of the output is the process ID.

python3 vol.py -f /home/remnux/Documents/BlackEnergy/CYBERDEF-567078-20230213-171333.raw windows.pslist | grep "cmd.exe" -C 3
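The same counting and lookup, done by parsing the pslist columns rather than grepping for "N/A" anywhere in the line. This is an added example and not part of the original walkthrough; the pslist output below is a constructed sample in Volatility 3's tab-separated layout, with illustrative PIDs, names and timestamps that are not taken from the challenge image. It parses the ExitTime column specifically, because on XP the SessionId column is also N/A for session-less processes, so a line-wide grep can miss a terminated process that happens to carry N/A in another column.

```python
"""Count running vs. terminated processes and look up PIDs from Volatility 3
windows.pslist output by reading the ExitTime column only."""

# Constructed sample of windows.pslist output (tab-separated, as Volatility 3
# prints it). PIDs, names and timestamps are illustrative, not from the
# challenge image.
SAMPLE_PSLIST = """Volatility 3 Framework 2.4.1

PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId\tWow64\tCreateTime\tExitTime\tFile output

4\t0\tSystem\t0x823c8830\t55\t250\tN/A\tFalse\tN/A\tN/A\tDisabled
544\t4\tsmss.exe\t0x81f0a020\t3\t19\tN/A\tFalse\t2023-02-13 17:08:58.000000 \tN/A\tDisabled
608\t544\tcsrss.exe\t0x823a8da0\t12\t380\t0\tFalse\t2023-02-13 17:09:01.000000 \tN/A\tDisabled
1820\t1636\tcmd.exe\t0x81f1c4a8\t1\t30\t0\tFalse\t2023-02-13 17:12:40.000000 \tN/A\tDisabled
1960\t1820\tnotepad.exe\t0x81e96020\t0\t0\t0\tFalse\t2023-02-13 17:13:05.000000 \t2023-02-13 17:13:20.000000 \tDisabled
2044\t680\tdrvinst.exe\t0x81f2b2a0\t0\t0\tN/A\tFalse\t2023-02-13 17:10:10.000000 \t2023-02-13 17:10:15.000000 \tDisabled
"""


def parse_pslist(text):
    """Return one dict per process row, keyed by the header column names."""
    rows = []
    header = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if header is None:
            # Skip the framework banner until the real header line appears.
            if line.startswith("PID\t"):
                header = [c.strip() for c in line.split("\t")]
            continue
        fields = [f.strip() for f in line.split("\t")]
        if len(fields) != len(header):
            continue  # tolerate stray non-table lines
        rows.append(dict(zip(header, fields)))
    return rows


def count_processes(rows):
    """Running means ExitTime is N/A; everything else has exited."""
    running = sum(1 for r in rows if r["ExitTime"] == "N/A")
    return {"total": len(rows), "running": running, "terminated": len(rows) - running}


def pids_by_name(rows, image_name):
    """All PIDs whose ImageFileName matches (case-insensitive)."""
    return [int(r["PID"]) for r in rows if r["ImageFileName"].lower() == image_name.lower()]


def grep_v_na_count(text):
    """Mimic `grep -v "N/A"` over the data rows: a row counts as terminated
    only if no column at all contains N/A. A terminated process whose
    SessionId is N/A is therefore missed, which is why the column-based
    count above is preferable."""
    header_seen = False
    n = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        if not header_seen:
            header_seen = line.startswith("PID\t")
            continue
        if "N/A" not in line:
            n += 1
    return n


if __name__ == "__main__":
    rows = parse_pslist(SAMPLE_PSLIST)
    print(count_processes(rows))
    print("cmd.exe PIDs:", pids_by_name(rows, "cmd.exe"))
    print('rows with no "N/A" anywhere:', grep_v_na_count(SAMPLE_PSLIST))
```

On the constructed sample the column-based count reports 2 terminated processes while the line-wide grep reports 1, because drvinst.exe has exited but also shows N/A under SessionId. To use it on a real dump, save the plugin output to a file and pass its contents to parse_pslist.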

4. What is the name of the most suspicious process?

The pstree plugin generates a process tree view of the running processes in a memory dump.

python3 vol.py -f /home/remnux/Documents/BlackEnergy/CYBERDEF-567078-20230213-171333.raw windows.pstree

The process ‘rootkit.exe’ is suspicious, not only due to its name but also because of its child-process ‘cmd.exe’.

5. Which process shows the highest likelihood of code injection?

The malfind plugin can be used to detect processes that potentially contain injected code.

python3 vol.py -f /home/remnux/Documents/BlackEnergy/CYBERDEF-567078-20230213-171333.raw windows.malfind

malfind flagged several processes as potentially containing injected code, but I focused on svchost.exe because its flagged region begins with an ‘MZ’ header.

The following command will dump the process svchost.exe and save it in /home/remnux/Documents/BlackEnergy/extracted/

-o: Directory in which to output any generated files.

python3 vol.py -f /home/remnux/Documents/BlackEnergy/CYBERDEF-567078-20230213-171333.raw -o /home/remnux/Documents/BlackEnergy/extracted/ windows.malfind --pid 880 --dump
md5sum pid.880.vad.0x980000-0x988fff.dmp

Scanning the hash in VirusTotal reveals that several security vendors have flagged it as Malicious.

6. There is an odd file referenced in the recent process. Provide the full path of that file.

The following command extracts all strings from “pid.880.vad.0x980000-0x988fff.dmp” with a minimum length of 10 characters:

strings -n 10 pid.880.vad.0x980000-0x988fff.dmp

We can easily determine the full path since there is only one path in the results.
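A small triage routine for a region dumped with malfind --dump, covering both what made the svchost.exe region stand out (the MZ header) and the strings step above. This is an added example, not code from the walkthrough: it checks the DOS magic, follows e_lfanew to confirm a real PE signature rather than a stray "MZ", then extracts printable runs of at least 10 characters and filters them for Windows paths. The region bytes are constructed inline (a minimal DOS/PE header plus filler and placeholder strings), not malware, and the embedded paths are placeholders, not indicators from the challenge. It also extracts UTF-16LE strings, which `strings -n 10` with its default encoding does not report; that goes beyond the walkthrough's command, since Windows binaries often store paths as wide strings.

```python
"""Triage a dumped VAD region: confirm the MZ/PE header, extract printable
strings (ASCII and UTF-16LE) of a minimum length, and pick out file paths."""
import re

MIN_LEN = 10  # same threshold as `strings -n 10`


def build_sample_region():
    """Constructed sample region: minimal DOS header pointing at a PE
    signature, filler bytes, and a few embedded strings. Not real malware."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x80).to_bytes(4, "little")   # e_lfanew -> PE at 0x80
    body = b"PE\x00\x00" + b"\x00" * 28
    body += b"short\x00"                              # below the 10-char minimum
    body += b"C:\\example\\dropped\\payload.dat\x00"  # placeholder path
    body += b"\x90" * 16
    body += "D:\\wide\\unicode-only\\cfg.bin".encode("utf-16-le") + b"\x00\x00"
    body += b"not a path but long enough\x00"
    return bytes(hdr) + body


def has_mz_header(data):
    """True if the region starts with the DOS 'MZ' magic."""
    return data[:2] == b"MZ"


def pe_header_offset(data):
    """Return e_lfanew if it points at a valid 'PE\\0\\0' signature inside
    the region, otherwise None (guards against a bogus or truncated stub)."""
    if not has_mz_header(data) or len(data) < 0x40:
        return None
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    if e_lfanew + 4 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    return e_lfanew


def ascii_strings(data, min_len=MIN_LEN):
    """Printable ASCII runs, like `strings -n <min_len>` in its default mode."""
    pat = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pat, data)]


def wide_strings(data, min_len=MIN_LEN):
    """UTF-16LE runs, which `strings` only reports with -e l."""
    pat = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group().decode("utf-16-le") for m in re.finditer(pat, data)]


# Drive-letter paths; excludes characters that cannot appear in a Windows path.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"<>|*?\r\n\x00]+')


def windows_paths(strings):
    """Every drive-letter path found in the given list of strings."""
    found = []
    for s in strings:
        found.extend(PATH_RE.findall(s))
    return found


if __name__ == "__main__":
    region = build_sample_region()
    print("MZ header:", has_mz_header(region), "PE at:", pe_header_offset(region))
    print("ASCII paths:", windows_paths(ascii_strings(region)))
    print("wide paths: ", windows_paths(wide_strings(region)))
```

To run it against a real dump, replace build_sample_region() with open("pid.880.vad.0x980000-0x988fff.dmp", "rb").read(); the string and path functions need no changes.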

7. What is the name of the injected dll file loaded from the recent process?

The ldrmodules plugin can be used to list the loaded modules (DLLs) in a process, and it can also be used to detect unlinked/hidden DLLs. We can use this plugin to examine the malicious svchost.exe process, which has a PID of 880.

python3 vol.py -f /home/remnux/Documents/BlackEnergy/CYBERDEF-567078-20230213-171333.raw windows.ldrmodules --pid 880

The msxml3r.dll entry shows False in all three DLL list columns (InLoad, InInit and InMem). These columns indicate whether a module is recorded in the process's module lists as loaded, initialized, and present in memory. If all three are False, it may indicate a rootkit or other malicious software that is trying to hide its presence.
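The same check automated over ldrmodules output, as an added example that is not part of the walkthrough. It parses Volatility 3's tab-separated windows.ldrmodules table and classifies each module by its three list flags: present in all three, absent from all three (the pattern seen for msxml3r.dll above), or inconsistent. The sample output is constructed; only the module name msxml3r.dll comes from the walkthrough, and the other rows and base addresses are illustrative. One caveat it handles: the process image itself is never on the InInitializationOrder list, so InInit False for the main EXE is normal and is not reported as hidden.

```python
"""Parse Volatility 3 windows.ldrmodules output and flag modules absent
from all three PEB module lists (InLoad, InInit, InMem)."""

# Constructed sample of windows.ldrmodules --pid 880 output. Rows are
# illustrative; only the module name msxml3r.dll comes from the walkthrough.
SAMPLE_LDRMODULES = """Volatility 3 Framework 2.4.1

Pid\tProcess\tBase\tInLoad\tInInit\tInMem\tMappedPath

880\tsvchost.exe\t0x1000000\tTrue\tFalse\tTrue\t\\Windows\\system32\\svchost.exe
880\tsvchost.exe\t0x7c800000\tTrue\tTrue\tTrue\t\\Windows\\system32\\kernel32.dll
880\tsvchost.exe\t0x980000\tFalse\tFalse\tFalse\t\\Windows\\system32\\msxml3r.dll
880\tsvchost.exe\t0x5ad70000\tTrue\tTrue\tFalse\t\\Windows\\system32\\uxtheme.dll
"""


def parse_ldrmodules(text):
    """Return one dict per module row, keyed by the header column names."""
    rows, header = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if header is None:
            if line.startswith("Pid\t"):
                header = [c.strip() for c in line.split("\t")]
            continue
        fields = [f.strip() for f in line.split("\t")]
        if len(fields) == len(header):
            rows.append(dict(zip(header, fields)))
    return rows


def classify(row):
    """Classify a module by its (InLoad, InInit, InMem) flags."""
    flags = tuple(row[c] == "True" for c in ("InLoad", "InInit", "InMem"))
    if all(flags):
        return "linked"
    if not any(flags):
        return "unlinked"      # in no list at all: hidden or injected
    # The process image itself is never placed on the InInitializationOrder
    # list, so (True, False, True) for the main EXE is expected, not evasion.
    if flags == (True, False, True) and row["MappedPath"].lower().endswith(".exe"):
        return "image"
    return "partial"           # inconsistent lists: worth a closer look


def unlinked_modules(rows):
    """Rows whose module is absent from all three lists."""
    return [r for r in rows if classify(r) == "unlinked"]


if __name__ == "__main__":
    rows = parse_ldrmodules(SAMPLE_LDRMODULES)
    for r in rows:
        print(f"{classify(r):9} {r['Base']:>12} {r['MappedPath']}")
    for r in unlinked_modules(rows):
        print("unlinked module:", r["MappedPath"], "at base", r["Base"])
```

The Base column of an unlinked row is where ldrmodules places the module, which is the value to compare against the region malfind reports for the same process.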

8. What is the base address of the injected dll?

The base address is displayed in the 3rd column of the output of the malfind plugin.

python3 vol.py -f /home/remnux/Documents/BlackEnergy/CYBERDEF-567078-20230213-171333.raw windows.malfind
