Task 1 Introduction
After having a severe attack from the Boogeyman, Quick Logistics LLC improved its security defences. However, the Boogeyman returns with new and improved tactics, techniques and procedures.
In this room, you will be tasked to analyse the new tactics, techniques, and procedures (TTPs) of the threat group named Boogeyman.
Prerequisites
This room may require the combined knowledge gained from the SOC L1 Path. We recommend going through the following rooms before attempting this challenge.
Investigation Platform
Before we proceed, deploy the attached machine by clicking the ****Start Machine button in the upper-right-hand corner of the task. It may take up to 3-5 minutes to initialise the services.
The machine will start in a split-screen view. If the VM is not visible, use the blue Show Split View button at the top-right of the page.
Artefacts
For the investigation, you will be provided with the following artefacts:
- Copy of the phishing email.
- Memory dump of the victim’s workstation.
You may find these files in the /home/ubuntu/Desktop/Artefacts directory.
Tools
The provided VM contains the following tools at your disposal:
- Volatility – an open-source framework for extracting digital artefacts from volatile memory (RAM) samples.
vol -f memorydump.raw <plugin>
# To list all available plugins
vol -f memorydump.raw -h- Note: Volatility may take a few minutes to parse the memory dump and run the plugin. For plugin reference, check the Volatility 3 documentation.
- Olevba – a tool for analysing and extracting VBA macros from Microsoft Office documents. This tool is also a part of the Oletools suite.
olevba document.docAnswer the questions below
I am now ready for round 2 with the Boogeyman!
Task 2 Spear Phishing Human Resources
The Boogeyman is back!
Maxine, a Human Resource Specialist working for Quick Logistics LLC, received an application from one of the open positions in the company. Unbeknownst to her, the attached resume was malicious and compromised her workstation.
The security team was able to flag some suspicious commands executed on the workstation of Maxine, which prompted the investigation. Given this, you are tasked to analyse and assess the impact of the compromise.
Answer the questions below
What email was used to send the phishing email?
Answer: westaylor23@outlook.com
Open the email.
What is the email of the victim employee?
Answer: maxine.beck@quicklogisticsorg.onmicrosoft.com
What is the name of the attached malicious document?
Answer: Resume_WesleyTaylor.doc
What is the MD5 hash of the malicious attachment?
Answer: 52c4384a0b9e248b95804352ebec6c5b
Save the attached word document and get its md5 hash.
What URL is used to download the stage 2 payload based on the document’s macro?
Answer: https://files.boogeymanisback.lol/aa2a9c53cbb80416d3b47d85538d9971/update.png
Parse the file with olevba.
olevba Resume_WesleyTaylor.docWe see a URL where a payload is being hosted and will save the file as “update.js” instead.
What is the name of the process that executed the newly downloaded stage 2 payload?
Answer: wscript.exe
Scrolling down the results from above, we identified the process that executed a JavaScript.
What is the full file path of the malicious stage 2 payload?
Answer: C:\ProgramData\update.js
See image above.
What is the PID of the process that executed the stage 2 payload?
Answer: 4260
Use volatility to list down the processes and search for the process, which is “wscript.exe” that executed the payload.
vol -f WKSTN-2961.raw windows.pstree
What is the parent PID of the process that executed the stage 2 payload?
Answer: 1124
The result from the above command would indicate that WINWORD.EXE was the parent process.
What URL is used to download the malicious binary executed by the stage 2 payload?
Answer: https://files.boogeymanisback.lol/aa2a9c53cbb80416d3b47d85538d9971/update.exe
We can use the command “string” to search for interesting strings in the memory and grep only strings that contain the domain name being used by the attacker.
strings WKSTN-2961.raw | grep boogeymanisback
What is the PID of the malicious process used to establish the C2 connection?
Answer: 6216
Use the plugin netscan for network connections that were established. Here we can see that the malicious file was able to establish a connection but it was closed.
vol -f WKSTN-2961.raw windows.netscan
What is the full file path of the malicious process used to establish the C2 connection?
Answer: C:\Windows\Tasks\updater.exe
List the dlls used by the suspicious process.
vol -f WKSTN-2961.raw windows.dlllist --pid 6216We see the full path of the malicious process.
What is the IP address and port of the C2 connection initiated by the malicious binary? (Format: IP address:port)
Answer: 128.199.95.189:8080
See the result from above when netscan plugin was used.
What is the full file path of the malicious email attachment based on the memory dump?
Answer: C:\Users\maxine.beck\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\WQHGZCFI\Resume_WesleyTaylor (002).doc
Scan for files inside the memory dump and grep only strings that matches the name of the file attachment.
vol -f WKSTN-2961.raw windows.filescan | grep Resume_WesleyTaylor
The attacker implanted a scheduled task right after establishing the c2 callback. What is the full command used by the attacker to maintain persistent access?
Answer: schtasks /Create /F /SC DAILY /ST 09:00 /TN Updater /TR ‘C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NonI -W hidden -c \”IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp HKCU:\Software\Microsoft\Windows\CurrentVersion debug).debug)))\”‘
Dump the memory dump of the malicious process.
vol -f WKSTN-2961.raw windows.memmap --dump --pid 6216
Search in the dump memory of the process strings that contain the characters “schtasks”
strings pid.6216.dmp | grep -e 'schtasks'We got a result but it does not show the full command.
We will instead look into the memory dump.
strings WKSTN-2961.raw | grep schtasksFinally got the full command issued to create persistence in the machine.
Thank you for reading. Until next time. 🙂
Igor_sec's Blog 
Leave a comment