MrRobot Walkthrough — Cyberdefenders

responderj
Apr 2, 2023

Scenario:

An employee reported that his machine started to act strangely after receiving a suspicious email for a security update. The incident response team captured a couple of memory dumps from the suspected machines for further inspection. Analyze the dumps and help the IR team figure out what happened!

Challenge: MrRobot

Tool:

1. Machine:Target1
What email address tricked the front desk employee into installing a security update?

There are two plugins that can help us determine the proper profile. The first is imageinfo, which provides a high-level summary of the memory sample, including the date and time when the memory sample was acquired, suggested profile(s), the number of CPUs, and so on.

The second plugin is kdbgscan, which scans the memory sample for the Kernel Debugger Block (KDBG) structure.

I tried running kdbgscan without providing any profile, but it did not display the information I needed, which are the Build string, Service Pack, Major, and Minor.

I used the first suggested profile for the meantime to obtain the Build string, Service Pack, Major, and Minor information.

It seems that the memory sample Target1-1dd8701f.vmss came from a Windows 7 Service Pack 0 (no service pack installed) x86 (32-bit) machine.

I used the same process to identify the appropriate profile for two of the remaining memory samples and found that all three samples have the same profile (Win7SP0x86).

Now that I have the profile, I used the pslist plugin to list all running processes, and the output shows that the email client running is Outlook with PID 3196.

After that, I used the yarascan plugin with the --yara-rules option to search for the ‘From:’ pattern in PID 3196. To view all available options for the yarascan plugin, you can use the command below:

vol.py yarascan -h
vol.py -f Target1-1dd8701f.vmss --profile=Win7SP0x86 yarascan --yara-rules="From:" --wide -p 3196

2. Machine:Target1
What is the filename that was delivered in the email?

The placeholder indicates that this is an exe file. I used the yarascan plugin with the ‘.exe’ pattern in PID 3196.

vol.py -f Target1-1dd8701f.vmss --profile=Win7SP0x86 yarascan --yara-rules=".exe" --wide -p 3196

The results show that the application was downloaded from 180.76.254.120.

3. Machine:Target1
What is the name of the rat’s family used by the attacker?

To answer this question, I used two plugins. First, I used the filescan plugin to obtain the physical offset of AnyConnectInstaller.exe, which was necessary for the second plugin. Then, I used the dumpfiles plugin to extract the AnyConnectInstaller.exe application from the memory sample.

vol.py -f Target1-1dd8701f.vmss --profile=Win7SP0x86 filescan | grep "AnyConnectInstaller.exe"

Multiple AnyConnectInstaller.exe files were found, but I downloaded the first application from the Downloads folder.

vol.py -f Target1-1dd8701f.vmss --profile=Win7SP0x86 dumpfiles -n -D extracted -Q 0x000000003e0bc5e0

-n: includes the original filename in the output file-naming schema.
-Q: Physical offset.
-D: Directory in which to dump extracted files.

I used the ‘md5sum’ command to compute the MD5 hash value of AnyConnectInstaller.exe. I then searched for this hash value in VirusTotal to determine the RAT family associated with the malware.

4. Machine:Target1
The malware appears to be leveraging process injection. What is the PID of the process that is injected?

The hollowfind plugin is used to identify process hollowing, which is a technique used by attackers to create a process in a suspended state and then replace its memory with malicious code.

vol.py -f Target1-1dd8701f.vmss --profile=Win7SP0x86 hollowfind

The results show that the process ‘iexplore.exe’ (Internet Explorer) with PID 2996 has been identified as potentially being hollowed out.

I will use the procdump plugin to dump the process and then upload the hash to VT to check if it is a malicious process.

vol.py -f Target1-1dd8701f.vmss --profile=Win7SP0x86 procdump -p 2996 -D extracted

5. Machine:Target1
What is the unique value the malware is using to maintain persistence after reboot?

The printkey plugin can be used to view the values of Windows registry keys stored in memory. The -K option in the command below specifies the registry key. “MICROSOFT\WINDOWS\CURRENTVERSION\RUN” is the key that stores the programs configured to run automatically when the user logs on.

vol.py -f Target1-1dd8701f.vmss --profile=Win7SP0x86 printkey -K "MICROSOFT\WINDOWS\CURRENTVERSION\RUN"

6. Machine:Target1
Malware often uses a unique value or name to ensure that only one copy runs on the system. What is the unique name the malware is using?

The handles plugin displays information about open handles for each process. Malware typically uses a mutant/mutex to run a single copy of malware on the system and to avoid reinfecting the host, which can increase the chances of detection by security tools.

vol.py -f Target1-1dd8701f.vmss --profile=Win7SP0x86 handles -t Mutant -p 2996

7. Machine:Target1
It appears that a notorious hacker compromised this box before our current attackers. Name the movie he or she is from.

I used the filescan plugin and asked ChatGPT for the grep command to display only the usernames present in this memory sample.

vol.py -f Target1-1dd8701f.vmss --profile=Win7SP0x86 filescan | grep -oP '(?<=\\Users\\)[^\\]+(?=\\|$)' | sort | uniq

I focused only on the two names, Gideon and Zerocool, and asked ChatGPT which movies they appear in.

8. Machine:Target1
What is the NTLM password hash for the administrator account?

The hashdump plugin can be used to dump account password hashes from memory.

vol.py -f Target1-1dd8701f.vmss --profile=Win7SP0x86 hashdump | grep 'Administrator'

9. Machine:Target1
The attackers appear to have moved over some tools to the compromised front desk host. How many tools did the attacker move?

I used the filescan plugin and grep to display all the files in the Temp folder since this is often used by attackers to drop malicious files or tools.

vol.py -f Target1-1dd8701f.vmss --profile=Win7SP0x86 filescan | grep '\\Windows\\Temp\\'

Multiple files were found in the Temp folder, but I focused only on the executable files.

wce.exe
getlsasrvaddr.exe
Rar.exe
nbtscan.exe

I answered 4, but it was incorrect. Then I asked ChatGPT about all the tools above. wce.exe and getlsasrvaddr.exe are both related to password and credential retrieval.

I also found a GitHub repository in which wce.exe and getlsasrvaddr.exe are shipped together in the same repo.
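The grep pipelines in Q7 and Q9 (and the filescan-then-dumpfiles step in Q3 and Q12) all start from the same filescan table. The parser below is an added example, not code from the original post or from Volatility; the sample output, offsets and user names it runs on are constructed for the example.

```python
import re

# Constructed sample of Volatility 2 filescan output. Offsets, counts and
# paths are made up for this example; they are not values from the dump.
SAMPLE_FILESCAN = r"""
Offset(P)            #Ptr   #Hnd Access Name
------------------ ------ ------ ------ ----
0x000000003e0bc5e0      8      0 R--r-d \Device\HarddiskVolume1\Users\frontdesk\Downloads\AnyConnectInstaller.exe
0x000000003e1a0f20     16      0 R--r-- \Device\HarddiskVolume1\Users\Gideon\Desktop\notes.txt
0x000000003e2b1a80      2      0 R--rwd \Device\HarddiskVolume1\Users\zerocool\NTUSER.DAT
0x000000003fdb7808      8      0 RW-rwd \Device\HarddiskVolume1\Windows\Temp\nbs.txt
0x000000003f0c1120      2      1 R--r-d \Device\HarddiskVolume1\Windows\Temp\wce.exe
0x000000003f0c2230      2      1 R--r-d \Device\HarddiskVolume1\Windows\Temp\nbtscan.exe
0x000000003f0c3340      2      1 R--r-d \Device\HarddiskVolume1\Windows\Temp\Rar.exe
0x000000003f0c4450      2      1 R--r-d \Device\HarddiskVolume1\Windows\Temp\getlsasrvaddr.exe
0x000000003f0c5560      1      0 R--r-d \Device\HarddiskVolume1\Windows\Temp\fla1234.tmp
"""

# One data row: physical offset, pointer count, handle count, access flags, path.
ROW_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S.*?)\s*$")

def parse_filescan(text):
    """Parse filescan output into row dicts, skipping the header and separator."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append({"offset": int(m.group(1), 16), "ptr": int(m.group(2)),
                         "hnd": int(m.group(3)), "access": m.group(4), "path": m.group(5)})
    return rows

def profile_names(rows):
    """Distinct folder names directly under \\Users\\ (the Q7 grep as a function)."""
    names = set()
    for r in rows:
        m = re.search(r"\\Users\\([^\\]+)", r["path"])
        if m:
            names.add(m.group(1))
    return sorted(names, key=str.lower)

def temp_executables(rows):
    """Basenames of *.exe files under \\Windows\\Temp\\, in filescan order (Q9)."""
    return [r["path"].rsplit("\\", 1)[-1] for r in rows
            if "\\windows\\temp\\" in r["path"].lower() and r["path"].lower().endswith(".exe")]

def offsets_for(rows, basename):
    """Physical offsets (the -Q value for dumpfiles) of every FILE_OBJECT with this name."""
    return [r["offset"] for r in rows if r["path"].lower().endswith("\\" + basename.lower())]
```

Feed it the real output with `parse_filescan(open("filescan.txt").read())`; a name that returns several offsets is the case the post hit with AnyConnectInstaller.exe, where each FILE_OBJECT has to be dumped and checked separately.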

10. Machine:Target1
What is the password for the front desk local administrator account?

The consoles plugin displays the command history by scanning for _CONSOLE_INFORMATION structures.

vol.py -f Target1-1dd8701f.vmss --profile=Win7SP0x86 consoles | grep -i 'administrator'

11. Machine:Target1
What is the std create data timestamp for the nbtscan.exe tool?

We can use either the timeliner or mftparser plugins for this question, as both of them are capable of generating timelines.

vol.py -f Target1-1dd8701f.vmss --profile=Win7SP0x86 timeliner | grep -i "nbtscan"
vol.py -f Target1-1dd8701f.vmss --profile=Win7SP0x86 mftparser | grep -i "nbtscan"

12. Machine:Target1
The attackers appear to have stored the output from the nbtscan.exe tool in a text file on a disk called nbs.txt. What is the IP address of the first machine in that file?

We know that the file “nbs.txt” is located in the Temp directory based on the results from Q.9. We can use the dumpfiles plugin to extract the “nbs.txt” file.

vol.py -f Target1-1dd8701f.vmss --profile=Win7SP0x86 dumpfiles -n -D extracted -Q 0x000000003fdb7808
cat file.None.0x83eda598.nbs.txt.dat

13. Machine:Target1
What are the full IP address and port that the attacker’s malware was using?

We know from Q.10 that the compromised machine is front-desk-PC, and using dumpfiles, we extracted the ‘nbs.txt’ file which revealed that the IP address of front-desk-PC is 10.1.1.20.

vol.py -f Target1-1dd8701f.vmss --profile=Win7SP0x86 netscan | grep '10.1.1.20'

14. Machine:Target1
It appears the attacker also installed legit remote administration software. What is the name of the running process?

I used the pslist plugin to find the remote access tool.

vol.py -f Target1-1dd8701f.vmss --profile=Win7SP0x86 pslist

15. Machine:Target1
It appears the attackers also used a built-in remote access method. What IP address did they connect to?

The mstsc.exe or Remote Desktop Connection is a built-in remote access application in Windows and has the default port number 3389.

The following command will display the connections between the compromised host and other machines.

vol.py -f Target1-1dd8701f.vmss --profile=Win7SP0x86 netscan | grep 'mstsc.exe'

16. Machine:Target2
It appears the attacker moved laterally from the front desk machine to the security admin’s (Gideon) machine and dumped the passwords. What is Gideon’s password?

vol.py -f target2-6186fe9f.vmss --profile=Win7SP0x86 consoles

The output of the consoles plugin shows that the attacker used wce.exe and saved the retrieved password file as “w.tmp”.

I used the filescan plugin to get the physical offset of ‘w.tmp’ and extracted it using dumpfiles.

vol.py -f target2-6186fe9f.vmss --profile=Win7SP0x86 filescan | grep 'w.tmp'
vol.py -f target2-6186fe9f.vmss --profile=Win7SP0x86 dumpfiles -D extracted -Q 0x000000003fcf2798

Reading the extracted file with cat shows Gideon’s password.

17. Machine:Target2
Once the attacker gained access to “Gideon,” they pivoted to the AllSafeCyberSec domain controller to steal files. It appears they were successful. What password did they use?

vol.py -f target2-6186fe9f.vmss --profile=Win7SP0x86 consoles

The command above shows that the attacker used rar to create a rar archive (crownjewlez.rar) with the -hp switch (which is used to set a password for the archive being created) and added all files with a .txt extension to the archive.

18. Machine:Target2
What was the name of the RAR file created by the attackers?

The same command from the previous question can be used to find the name of the created file.

19. Machine:Target2
How many files did the attacker add to the RAR archive?

When a user enters a command, cmd.exe is responsible for processing the command while conhost.exe is responsible for displaying the output in the console window.

The cmdscan plugin is used to list and examine the command history of the Command Prompt.

vol.py -f target2-6186fe9f.vmss --profile=Win7SP0x86 cmdscan

There are two conhost.exe processes, but the one with PID 3048 is responsible for handling the command when the attacker adds all the .txt files to the RAR archive.

The memdump plugin is used to dump the addressable memory for a process.

vol.py -f target2-6186fe9f.vmss --profile=Win7SP0x86 memdump --pid=3048 -D extracted/
strings -el 3048.dmp > 3048.txt

The command above extracts the 16-bit little-endian (UTF-16LE) strings from 3048.dmp; the -e l option is needed because Windows stores most of its in-memory text, including command lines and paths, in that encoding.

The attacker was in the crownjewels directory when they archived the file.

grep '\\crownjewels\\' 3048.txt | grep '\.txt'
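To make the `strings -el` step concrete, here is an added example (not code from the post or from the strings or Volatility tools) that extracts UTF-16LE strings from a memory buffer the same way and then applies the two filters above. The buffer, directory, file names and the -hp value are constructed placeholders, not contents of the real 3048.dmp.

```python
import re

def _u16(s):
    return s.encode("utf-16-le")

# Constructed slice of process memory standing in for 3048.dmp: a rar command line
# and some paths stored as UTF-16LE, separated by junk bytes. The directory, file
# names and the -hp password value are placeholders, not values from the dump.
SAMPLE_DUMP = (
    b"\x00\x01\x02" + _u16(r"rar.exe a -hpPLACEHOLDER crownjewlez.rar *.txt") + b"\xff\xfe"
    + _u16(r"C:\Users\Gideon\Desktop\crownjewels\SecretFile1.txt") + b"\x00\x00"
    + _u16(r"C:\Users\Gideon\Desktop\crownjewels\SecretFile2.txt") + b"MZ\x90\x00"
    + _u16(r"C:\Users\Gideon\Desktop\crownjewels\SecretFile1.txt") + b"\x7fELF"
    + _u16(r"C:\Users\Gideon\Desktop\crownjewels\notes.docx") + b"\x00"
)

def strings_utf16le(buf, min_len=4):
    """What `strings -el` prints: runs of at least min_len printable ASCII
    characters, each stored as a 16-bit little-endian code unit."""
    pat = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pat.finditer(buf)]

def archived_txt_files(buf, directory="crownjewels"):
    """Distinct *.txt paths under `directory`: the two greps above as one function."""
    needle = ("\\%s\\" % directory).lower()
    hits = []
    for s in strings_utf16le(buf):
        low = s.lower()
        if needle in low and low.endswith(".txt") and s not in hits:
            hits.append(s)
    return hits

def rar_archive_names(buf):
    """Archive names from rar command lines left in memory (the Q18 artefact)."""
    names = []
    for s in strings_utf16le(buf):
        m = re.search(r"(\S+\.rar)\b", s)
        if s.lower().startswith("rar") and m:
            names.append(m.group(1))
    return names
```

Deduplication matters here: a path that the archiver touched several times appears several times in memory, so counting raw grep lines would overstate the number of files added.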

20. Machine:Target2
The attacker appears to have created a scheduled task on Gideon’s machine. What is the name of the file associated with the scheduled task?

There are two Task Scheduler directories in Windows: Windows\System32\Tasks\ and Windows\Tasks.

vol.py -f target2-6186fe9f.vmss --profile=Win7SP0x86 filescan | grep '\\Windows\\System32\\Tasks\\'

The results are mostly related to Microsoft, except for At1, which is a scheduled task that has been created using the AT command.

In order to examine the contents of the scheduled task, we can extract it using dumpfiles.

vol.py -f target2-6186fe9f.vmss --profile=Win7SP0x86 dumpfiles -n -D extracted -Q 0x000000003fc399b8

The file is located within the <Command> tag.
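Task files are namespaced XML stored as UTF-16, so a naive `find("Command")` returns nothing. The parser below is an added example, not code from the post or from Windows; the task XML it parses is constructed, and its author, start time and command path are placeholders rather than values from the dumped At1 file.

```python
import xml.etree.ElementTree as ET

# Constructed Task Scheduler XML standing in for the dumped At1 file; the author,
# start time and command path are placeholders, not values from the dump. Task
# files on disk are UTF-16 with a BOM, which is why it is encoded that way here.
SAMPLE_TASK = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.1" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>EXAMPLE\user</Author></RegistrationInfo>
  <Triggers>
    <TimeTrigger><StartBoundary>2000-01-01T00:00:00</StartBoundary><Enabled>true</Enabled></TimeTrigger>
  </Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author">
    <Exec><Command>C:\Windows\Temp\PLACEHOLDER.exe</Command><Arguments>/silent</Arguments></Exec>
  </Actions>
</Task>
""".encode("utf-16")

# Every element in a task file lives in this namespace, so a bare find("Command") misses it.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

def parse_task(data):
    """Pull the fields an analyst triages from a dumped task: who registered it,
    when it fires, whose identity it runs under, and what it executes."""
    root = ET.fromstring(data.decode("utf-16"))  # decoding also strips the BOM
    def text(path):
        el = root.find(path, NS)
        return el.text if el is not None else None
    return {
        "author": text("t:RegistrationInfo/t:Author"),
        "start": text(".//t:StartBoundary"),
        "run_as": text("t:Principals/t:Principal/t:UserId"),
        "command": text("t:Actions/t:Exec/t:Command"),
        "arguments": text("t:Actions/t:Exec/t:Arguments"),
    }

def task_binary(data):
    """Just the file name from <Command>, which is what Q20 asks for."""
    cmd = parse_task(data)["command"]
    return cmd.rsplit("\\", 1)[-1] if cmd else None
```

Run it on the dumpfiles output with `parse_task(open("extracted/<dumped name>", "rb").read())`; a UserId of S-1-5-18 (LocalSystem) combined with a command under Windows\Temp is the combination worth flagging.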

21. Machine:POS
What is the malware CNC’s server?

The malfind plugin can be used to detect code injection.

vol.py -f POS-01-c4e8f786.vmss --profile=Win7SP0x86 malfind

I extracted both iexplore.exe processes to determine whether they are malicious.

vol.py -f POS-01-c4e8f786.vmss --profile=Win7SP0x86 malfind -p 3208 -D extracted/
VT results of PID 3208
VT results of PID 3136

I used netscan to display the network information of the iexplore.exe processes.

vol.py -f POS-01-c4e8f786.vmss --profile=Win7SP0x86 netscan | grep -i "iexplore"

22. Machine:POS
What is the common name of the malware used to infect the POS system?

From the VT results in the previous question, the common name can be found under Family labels.

23. Machine:POS
In the POS malware whitelist, what application was specific to Allsafecybersec?

The placeholder on this question indicates that the filename contains an underscore (_). The grep command can be used to display the strings that contain an underscore and end with .exe in the memory dumped from PID 3208.

strings process.0x83f324d8.0x50000.dmp | grep '_.*\.exe'

24. Machine:POS
What is the name of the file the malware was initially launched from?

We determined the CNC Server IP address from Q.21. The iehistory plugin is used to extract IE browser history from the sample memory.

vol.py -f POS-01-c4e8f786.vmss --profile=Win7SP0x86 iehistory | grep '54.84.237.92'
