Advent of Cyber 4 writeup: A case study in digital forensics and incident response

Some image components from: Miraculous Ladybug (2022) and “kuraxmasha” (n.d.).
  1. Background
  2. Procedure
  3. Discussion
  4. Conclusion
  5. References

Email analysis

ubuntu@ip-10-10-84-135:~$ cd Desktop
ubuntu@ip-10-10-84-135:~/Desktop$ mv "Urgent:.eml" Urgent.eml
ubuntu@ip-10-10-84-135:~/Desktop$
ubuntu@ip-10-10-84-135:~/Desktop$ emlAnalyzer -i Urgent.eml --header --html -u --text --extract-all
==============
||  Header  ||
==============
X-Pm-Content-Encryption.....end-to-end
X-Pm-Origin.................internal
Subject.....................Urgent: Blue section is down. Switch to the load share plan!
From........................Chief Elf <chief.elf@santaclaus.thm>
Date........................Tue, 6 Dec 2022 00:00:01 +0000
Mime-Version................1.0
Content-Type................multipart/mixed;boundary=---------------------03edd9c682a0c8f60d54b9e4bb86659f
To..........................elves.all@santaclaus.thm <elves.all@santaclaus.thm>
X-Attached..................Division_of_labour-Load_share_plan.doc
Message-Id..................<QW9DMjAyMl9FbWFpbF9BbmFseXNpcw==>
X-Pm-Spamscore..............3
Received....................from mail.santaclaus.thm by mail.santaclaus.thm; Tue, 6 Dec 2022 00:00:01 +0000
X-Original-To...............elves.all@santaclaus.thm
Return-Path.................<murphy.evident@bandityeti.thm>
Delivered-To................elves.all@santaclaus.thm

=========================
|| URLs in HTML part ||
=========================
[+] No URLs found in the html

=================
|| Plaintext ||
=================
[+] Email contains no plaintext

============
|| HTML ||
============
<span>Dear Elves,</span><div><br></div><div><span>Due to technical problems in the blue section of our toy factory, we are having difficulties preparing some toys. </span></div><div><br></div><div><span>There
are a few days left to Christmas, so we need to use time efficiently to
prepare every wishlist we receive. Due to that, the blue section’s
workload is shared with the rest to avoid any toy production delay.</span></div><div><br></div><div><span>The detailed division of labour is included in the attached document.</span></div><div><br></div><div><span>Good luck to you all.</span></div><div><br></div><div><b><span>Chief Elf</span></b></div><div><br></div>

=============================
|| Attachment Extracting ||
=============================
[+] Attachment [1] “Division_of_labour-Load_share_plan.doc” extracted to eml_attachments/Division_of_labour-Load_share_plan.doc

ubuntu@ip-10-10-84-135:~/Desktop$

 

The header section of the emlAnalyzer output tells us:
  • That the sender’s email address is chief.elf@santaclaus.thm
  • That the recipient’s email address is elves.all@santaclaus.thm
  • That the return address is murphy.evident@bandityeti.thm, a different domain from the sender’s
  • That the email was sent on behalf of “Chief Elf.”
  • That the X-Spam score of this email is 3.
Figure 1
ubuntu@ip-10-10-84-135:~/Desktop$ ls -l eml_attachments
total 60
-rw-r--r-- 1 ubuntu ubuntu 57856 Dec 25 00:43 Division_of_labour-Load_share_plan.doc
ubuntu@ip-10-10-84-135:~/Desktop$
ubuntu@ip-10-10-84-135:~/Desktop/eml_attachments$ sha256sum Division_of_labour-Load_share_plan.doc
0827bb9a2e7c0628b82256759f0f888ca1abd6a2d903acdb8e44aca6a1a03467  Division_of_labour-Load_share_plan.doc
ubuntu@ip-10-10-84-135:~/Desktop/eml_attachments$
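The same header triage and attachment hashing can be scripted with Python's standard library, which is useful when there are many .eml files to go through. This is an added example, not part of the original writeup or of emlAnalyzer: it builds a constructed message that mirrors the headers shown above (the attachment body is a placeholder, not the real document), then reports the sender, the Return-Path domain mismatch, the spam score and the SHA-256 of every attachment.

```python
import email
import email.utils
import hashlib
from email import policy
from email.message import EmailMessage


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sample_eml() -> bytes:
    """CONSTRUCTED message mirroring the headers of Urgent.eml; not the real file."""
    msg = EmailMessage()
    msg["From"] = "Chief Elf <chief.elf@santaclaus.thm>"
    msg["To"] = "elves.all@santaclaus.thm"
    msg["Subject"] = "Urgent: Blue section is down. Switch to the load share plan!"
    msg["Return-Path"] = "<murphy.evident@bandityeti.thm>"
    msg["X-Pm-Spamscore"] = "3"
    msg.set_content("The detailed division of labour is included in the attached document.")
    # Placeholder bytes stand in for the .doc; only the hashing workflow is demonstrated
    msg.add_attachment(
        b"CONSTRUCTED PLACEHOLDER, NOT THE REAL DOCUMENT",
        maintype="application",
        subtype="msword",
        filename="Division_of_labour-Load_share_plan.doc",
    )
    return msg.as_bytes()


def triage_eml(raw: bytes) -> dict:
    """Pull the header facts an analyst checks first, plus a hash of each attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = email.utils.parseaddr(str(msg["From"]))[1]
    return_path = email.utils.parseaddr(str(msg.get("Return-Path", "")))[1]
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    return_domain = return_path.rsplit("@", 1)[-1].lower()

    findings = {
        "from": sender,
        "to": str(msg["To"]),
        "return_path": return_path,
        "spam_score": int(str(msg.get("X-Pm-Spamscore", "0"))),
        # A Return-Path on a different domain from the From address is a
        # classic sign that the visible sender was spoofed.
        "return_path_mismatch": sender_domain != return_domain,
        "attachments": [],
    }
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)
        findings["attachments"].append(
            {"filename": part.get_filename(), "size": len(data), "sha256": sha256_hex(data)}
        )
    return findings


if __name__ == "__main__":
    for key, value in triage_eml(build_sample_eml()).items():
        print(f"{key:<22}{value}")
```

The attachment hash is what you then look up in VirusTotal (or another reputation source) without ever opening the file on an analysis host.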
Figure 2: Screenshot from VirusTotal (n.d.)

Malicious attachments

Figure 3: Adapted from “tryhackme” (2022)
[
{ "op": "Strings",
"args": ["Single byte", 258, "All printable chars (A)", false, false, false] },
{ "op": "Find / Replace",
"args": [{ "option": "Regex", "string": "[\\[\\]_\\n]" }, "", true, false, true, false] },
{ "op": "Drop bytes",
"args": [0, 124, false] },
{ "op": "From Base64",
"args": ["A-Za-z0-9+/=", true, false] },
{ "op": "Decode text",
"args": ["UTF-16LE (1200)"] },
{ "op": "Find / Replace",
"args": [{ "option": "Regex", "string": "['()+\"']" }, "", true, false, true, false] },
{ "op": "Find / Replace",
"args": [{ "option": "Regex", "string": "]b2H_" }, "http", true, false, true, false] },
{ "op": "Extract URLs",
"args": [false, false, false] },
{ "op": "Split",
"args": ["@", "\\n"] },
{ "op": "Defang URL",
"args": [true, true, true, "Valid domains and full URLs"] }
]
hxxps[://]cdn[.]bandityeti[.]thm/files/mysterygift[.]exe
hxxps[://]google[.]com/
hxxps[://]www[.]secretSanta[.]THM/Goldenticket/[redacted]
hxxps[://]cdn[.]bandityeti[.]THM/files/index/
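The CyberChef recipe above is a chain of mechanical steps, and it helps to see the same chain written out so each step's purpose is explicit. The block below is an added example, not the writeup's or TryHackMe's code: it reproduces the recipe's decoding steps (strip the splitting characters, drop the 124-byte prefix, Base64 and UTF-16LE decode, remove the concatenation characters, restore the `]b2H_` stand-in for `http`, extract and defang URLs) and runs them over a constructed payload built in the same shape; the recipe's Split-on-`@` step is omitted because the sample has no such separator. The macro text, the 124-byte prefix and the `[_]` splitting pattern are all constructed for the example.

```python
import base64
import re

SCHEME_TOKEN = "]b2H_"   # stand-in the obfuscated macro used for the string "http"
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


def deobfuscate(blob: str, drop: int = 124) -> str:
    """Apply the recipe's decoding steps to the raw string extracted from the document."""
    # Steps 1-2: remove the [ ] _ and newline characters used to split the payload
    cleaned = re.sub(r"[\[\]_\n]", "", blob)
    # Step 3: drop the leading bytes that precede the Base64 payload (124 in the recipe)
    cleaned = cleaned[drop:]
    # Steps 4-5: Base64 -> UTF-16LE text (PowerShell's -EncodedCommand style)
    text = base64.b64decode(cleaned).decode("utf-16-le")
    # Step 6: strip the quotes, parentheses and '+' used for string concatenation
    text = re.sub(r"""['()+"]""", "", text)
    # Step 7: restore the scheme the macro replaced
    return text.replace(SCHEME_TOKEN, "http")


def extract_urls(text: str):
    return URL_RE.findall(text)


def defang(url: str) -> str:
    """Neutralise a URL the way CyberChef's 'Defang URL' does, so it cannot be clicked."""
    return url.replace("http", "hxxp", 1).replace("://", "[://]").replace(".", "[.]")


def build_constructed_sample() -> str:
    """CONSTRUCTED payload in the shape the recipe expects; not the real macro."""
    script = (
        'Set sh=CreateObject("WScript.Shell")\r\n'
        'url="]b2H_s://cdn.ban"+"dityeti.thm/files/mysterygift.exe"\r\n'
        "alt=']b2H_s://google.com/'\r\n"
    )
    b64 = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    # Re-insert the splitting characters every six symbols and prepend a 124-byte
    # prefix, mimicking what the recipe's first three steps have to undo.
    noisy = "".join(ch + ("[_]\n" if i % 6 == 5 else "") for i, ch in enumerate(b64))
    return "X" * 124 + noisy


if __name__ == "__main__":
    for url in extract_urls(deobfuscate(build_constructed_sample())):
        print(defang(url))
```

Writing the steps out this way also makes the recipe reusable: if a later sample uses a different stand-in token or prefix length, only `SCHEME_TOKEN` and `drop` change.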

Malware Analysis: Memory Forensics

elfmcblue@aoc2022-day-11:~/volatility3$ python3 vol.py -f workstation.vmem windows.info
Volatility 3 Framework 2.4.1
Progress:  100.00PDB scanning finished                        
Variable                          Value

Kernel Base                       0xf803218a8000
DTB                               0x1ad000
Symbols                           file:///home/elfmcblue/volatility3/volatility3/symbols/windows/ntkrnlmp.pdb/E0093F3AEF15D58168B753C9488A4043-1.json.xz
Is64Bit                           True
IsPAE                             False
layer_name                        0 WindowsIntel32e
memory_layer                      1 FileLayer
KdVersionBlock                    0xf80321cd23c8
Major/Minor                       15.18362
MachineType                       34404
KeNumberProcessors                4
SystemTime                        2022-11-23 10:15:56
NtSystemRoot                      C:\Windows
NtProductType                     NtProductWinNt
NtMajorVersion                    10
NtMinorVersion                    0
PE MajorOperatingSystemVersion    10
PE MinorOperatingSystemVersion    0
PE Machine                        34404
PE TimeDateStamp                  Mon Apr 14 21:36:50 2104
elfmcblue@aoc2022-day-11:~/volatility3$

 

elfmcblue@aoc2022-day-11:~/volatility3$ python3 vol.py -f workstation.vmem windows.pslist
Volatility 3 Framework 2.4.1
Progress:  100.00PDB scanning finished                        
PID   PPID  ImageFileName   Offset(V)       Threads  Handles  SessionId  Wow64  CreateTime                  ExitTime  File output

4     0     System          0xc0090b286040  141      -        N/A        False  2022-11-23 09:43:13.000000  N/A       Disabled
104   4     Registry        0xc0090b2dd080  4        -        N/A        False  2022-11-23 09:43:04.000000  N/A       Disabled
316   4     smss.exe        0xc0090e438400  2        -        N/A        False  2022-11-23 09:43:13.000000  N/A       Disabled
436   428   csrss.exe       0xc0090ea65140  10       -        0          False  2022-11-23 09:43:18.000000  N/A       Disabled
512   504   csrss.exe       0xc0090f35e140  12       -        1          False  2022-11-23 09:43:19.000000  N/A       Disabled
536   428   wininit.exe     0xc0090f2c0080  1        -        0          False  2022-11-23 09:43:19.000000  N/A       Disabled
584   504   winlogon.exe    0xc0090f383080  3        -        1          False  2022-11-23 09:43:19.000000  N/A       Disabled
656   536   services.exe    0xc0090e532340  5        -        0          False  2022-11-23 09:43:20.000000  N/A       Disabled
680   536   lsass.exe       0xc0090f3a5080  6        -        0          False  2022-11-23 09:43:20.000000  N/A       Disabled
792   656   svchost.exe     0xc0090fa33240  12       -        0          False  2022-11-2

[… snip …]

2040  5888  mysterygift.ex  0xc0090b52e4c0  3        -        1          False  2022-11-23 10:15:19.000000  N/A       Disabled

[… snip …]
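Spotting mysterygift.ex by eye works for one image, but a short parser lets the same triage run over every pslist export. This block is an added example, not code from the writeup or from Volatility: it reads tab-separated `windows.pslist` output (the sample rows are taken from the listing above), then flags any process that is not in an assumed baseline of core Windows processes or whose parent is not the one that core process should have. Note that ImageFileName is read from the 15-byte EPROCESS field, so names longer than 14 characters appear truncated, which is why the binary shows as mysterygift.ex.

```python
from dataclasses import dataclass

# CONSTRUCTED excerpt in the shape of Volatility 3 `windows.pslist` output
# (tab-separated); rows are copied from the listing in the writeup.
PSLIST_SAMPLE = (
    "PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId\tWow64\tCreateTime\tExitTime\tFile output\n"
    "4\t0\tSystem\t0xc0090b286040\t141\t-\tN/A\tFalse\t2022-11-23 09:43:13.000000\tN/A\tDisabled\n"
    "316\t4\tsmss.exe\t0xc0090e438400\t2\t-\tN/A\tFalse\t2022-11-23 09:43:13.000000\tN/A\tDisabled\n"
    "536\t428\twininit.exe\t0xc0090f2c0080\t1\t-\t0\tFalse\t2022-11-23 09:43:19.000000\tN/A\tDisabled\n"
    "656\t536\tservices.exe\t0xc0090e532340\t5\t-\t0\tFalse\t2022-11-23 09:43:20.000000\tN/A\tDisabled\n"
    "680\t536\tlsass.exe\t0xc0090f3a5080\t6\t-\t0\tFalse\t2022-11-23 09:43:20.000000\tN/A\tDisabled\n"
    "2040\t5888\tmysterygift.ex\t0xc0090b52e4c0\t3\t-\t1\tFalse\t2022-11-23 10:15:19.000000\tN/A\tDisabled\n"
)


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    session: str
    create_time: str


# Assumed baseline for this example: the parent each core process should have.
# The creating smss.exe instance exits after spawning wininit/csrss/winlogon,
# so a missing parent PID is normal for those and is not flagged on its own.
EXPECTED_PARENT = {
    "smss.exe": "System",
    "wininit.exe": "smss.exe",
    "services.exe": "wininit.exe",
    "lsass.exe": "wininit.exe",
    "svchost.exe": "services.exe",
}
BASELINE = set(EXPECTED_PARENT) | {"System", "Registry", "csrss.exe", "winlogon.exe"}


def parse_pslist(text: str) -> dict:
    """Return {pid: Proc} from tab-separated pslist output (header line skipped)."""
    procs = {}
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        f = line.split("\t")
        procs[int(f[0])] = Proc(int(f[0]), int(f[1]), f[2], f[6], f[8])
    return procs


def flag_suspicious(procs: dict) -> list:
    """List (pid, name, reason) for processes outside the baseline or mis-parented."""
    findings = []
    for p in procs.values():
        parent = procs.get(p.ppid)
        if p.name in EXPECTED_PARENT:
            if parent is not None and parent.name != EXPECTED_PARENT[p.name]:
                findings.append((p.pid, p.name, f"unexpected parent {parent.name}"))
        elif p.name not in BASELINE:
            parent_desc = parent.name if parent else f"PID {p.ppid} not in listing"
            findings.append(
                (p.pid, p.name, f"not in baseline; parent {parent_desc}; session {p.session}; started {p.create_time}")
            )
    return findings


if __name__ == "__main__":
    for pid, name, reason in flag_suspicious(parse_pslist(PSLIST_SAMPLE)):
        print(f"{pid:>6}  {name:<16} {reason}")
```

The parent whose PID is absent from the listing (5888 here) is itself a lead: `windows.pstree` or `windows.psscan` will show whether it exited or was hidden.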

 

elfmcblue@aoc2022-day-11:~/volatility3$ python3 vol.py -f workstation.vmem windows.dumpfiles
Volatility 3 Framework 2.4.1
Progress:  100.00PDB scanning finished

Cache              FileObject      FileName                        Result

DataSectionObject  0xc0090ba87280  USBXHCI.SYS.mui                 Error dumping file
DataSectionObject  0xc0090e5cad50  EtwRTEventlog-Security.etl      Error dumping file
SharedCacheMap     0xc0090e5cad50  EtwRTEventlog-Security.etl      Error dumping file
DataSectionObject  0xc0090e5c8680  EtwRTEventLog-Application.etl   Error dumping file
SharedCacheMap     0xc0090e5c8680  EtwRTEventLog-Application.etl   Error dumping file
DataSectionObject  0xc0090e5c9930  EtwRTDefenderAuditLogger.etl    Error dumping file

[… snip …]

 

Malware Analysis: Binary Analysis

FLARE
C:\Users\Administrator>cd Desktop\"Malware Sample"

FLARE
C:\Users\Administrator\Desktop\Malware Sample>mv mysterygift mysterygift.exe

 

Figure 4
FLARE
C:\Users\Administrator\Desktop\Malware Sample>upx -d mysterygift.exe
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2020
UPX 3.96w       Markus Oberhumer, Laszlo Molnar & John Reiser   Jan 23rd 2020

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
     502169 <-    227737   45.35%    win64/pe     mysterygift.exe

Unpacked 1 file.

FLARE
C:\Users\Administrator\Desktop\Malware Sample>

 

C:\Users\Administrator\Desktop\Malware Sample>capa mysterygift.exe
loading : 100%|████████████████████████████████████████████████████████████| 485/485 [00:00<00:00, 1724.35     rules/s]
matching: 100%|██████████████████████████████████████████████████████████████| 573/573 [00:17<00:00, 33.21 functions/s]

[… snip …]

 

Table 1
Figure 5: Adapted from “tryhackme” (2022)
Figure 6: Adapted from “tryhackme” (2022)
  • The malware persists by adding a value to the current user’s Run key in the Windows Registry. Specifically, it writes the value C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wishes.bat into the Run key.
  • The malware creates the files test.jpg and wishes.bat under the Administrator folder; wishes.bat is placed in the Administrator’s Startup folder.
  • The malware connects to two domains, bestfestivalcompany.thm and virustotal.com, and requests a file named favicon.ico from the former.
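The two persistence mechanisms above (a Run-key value and a file in the Startup folder) are exactly what a host triage script should check for. The block below is an added example, not part of the writeup or of capa's output: it takes a snapshot of Run-key values and a Startup folder listing (both constructed here; on a live host they would come from the registry and the file system, and the value name "wishes" is assumed) and explains why each entry is suspicious: it launches a script rather than a signed binary, it lives in a user-writable profile path, and it doubles up on the Startup folder.

```python
import ntpath
import re

STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
USER_PROFILE_RE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\", re.IGNORECASE)
SCRIPT_EXTS = {".bat", ".cmd", ".vbs", ".js", ".ps1", ".hta"}

# CONSTRUCTED Run-key snapshot: the value name "wishes" is assumed, its data is the
# path the writeup found; the second entry is a benign-looking control value.
RUN_VALUES = {
    "wishes": r"C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wishes.bat",
    "Vendor Updater": r"C:\Program Files\Vendor\updater.exe /background",
}
# CONSTRUCTED listing of the Administrator's Startup folder
STARTUP_LISTING = ["wishes.bat", "desktop.ini"]


def executable_path(command: str) -> str:
    """Return the program part of a Run value (handles quoted paths and trailing args)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    # Unquoted: the path runs up to the first extension followed by a space or the end
    m = re.match(r"(.+?\.[A-Za-z0-9]{1,4})(?:\s|$)", command)
    return m.group(1) if m else command


def assess_run_value(name: str, data: str) -> list:
    """Reasons a Run-key entry deserves a closer look; empty list means nothing odd."""
    path = executable_path(data)
    ext = ntpath.splitext(path)[1].lower()
    reasons = []
    if ext in SCRIPT_EXTS:
        reasons.append(f"runs a script ({ext}) rather than a signed binary")
    if USER_PROFILE_RE.match(path):
        reasons.append("target lives in a user-writable profile path")
    if STARTUP_DIR_RE.search(path):
        reasons.append("target is also in the Startup folder (double persistence)")
    return reasons


def assess_startup_folder(listing: list) -> list:
    """Script files in the Startup folder, which run at every logon."""
    return [f for f in listing if ntpath.splitext(f)[1].lower() in SCRIPT_EXTS]


def audit(run_values: dict, startup_listing: list) -> dict:
    """Combine both checks into one report keyed by Run value name."""
    report = {}
    for name, data in run_values.items():
        reasons = assess_run_value(name, data)
        if reasons:
            report[name] = reasons
    report["__startup_scripts__"] = assess_startup_folder(startup_listing)
    return report


if __name__ == "__main__":
    for key, value in audit(RUN_VALUES, STARTUP_LISTING).items():
        print(key, "->", value)
```

On a real host the same rules apply to the HKLM Run/RunOnce keys and the all-users Startup folder; the example is limited to the per-user locations because those are the ones the sample used.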

Packet analysis

  • When calculating the “percent packets” of HTTP communications, I found that HTTP accounts for 0.3 per cent of the Wireshark entries.
  • The malware communicates with the attacker using the RDP protocol (Liang et al. 2021).
  • The dropper had the User-Agent Nim httpclient/1.6.8. A wee bit of research reveals that the dropper may have been written in the Nim Programming Language (n.d.).
  • The SHA-256 hash of the mysterygift.exe file is 0ce160a54d10f8e81448d0360af5c2948ff6a4dbb493fe4be756fc3e2c3f900f
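The two packet-level observations above, a protocol share and an unusual User-Agent, are easy to automate over a tshark or CSV export. The block below is an added example, not part of the writeup: it works over a constructed capture summary (1,000 frames with three HTTP frames, chosen so the HTTP share comes out at the 0.3 per cent noted above) and a constructed list of HTTP requests carrying the Nim httpclient/1.6.8 User-Agent from the writeup alongside a browser request. The mapping from User-Agent prefix to the library behind it is an assumed lookup table for the example.

```python
from collections import Counter

# CONSTRUCTED capture summary: (frame number, protocol as Wireshark labels it).
def build_constructed_capture() -> list:
    frames = []
    for i in range(1, 1001):
        if i in (10, 11, 12):
            frames.append((i, "HTTP"))
        elif i % 3 == 0:
            frames.append((i, "RDP"))
        else:
            frames.append((i, "TCP"))
    return frames


# CONSTRUCTED HTTP requests; the hosts and User-Agent come from the writeup's findings,
# example.invalid is a placeholder for ordinary browser traffic.
HTTP_REQUESTS = [
    {"host": "cdn.bandityeti.thm", "uri": "/files/mysterygift.exe", "user_agent": "Nim httpclient/1.6.8"},
    {"host": "bestfestivalcompany.thm", "uri": "/favicon.ico", "user_agent": "Nim httpclient/1.6.8"},
    {"host": "example.invalid", "uri": "/", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/107.0"},
]

# Assumed lookup of non-browser client libraries by User-Agent prefix
LIBRARY_AGENTS = {
    "Nim httpclient": "Nim std/httpclient",
    "python-requests": "Python requests",
    "curl": "curl",
}


def protocol_share(frames: list) -> dict:
    """Percentage of frames per protocol, rounded to one decimal like the Wireshark view."""
    counts = Counter(proto for _, proto in frames)
    total = len(frames)
    return {proto: round(100 * n / total, 1) for proto, n in counts.items()}


def classify_user_agents(requests: list) -> dict:
    """Map each non-browser User-Agent to the library it names, with the hosts it contacted."""
    suspicious = {}
    for req in requests:
        ua = req["user_agent"]
        if ua.startswith("Mozilla/"):
            continue  # ordinary browser traffic is not flagged here
        library = next((lib for prefix, lib in LIBRARY_AGENTS.items() if ua.startswith(prefix)), "unknown")
        entry = suspicious.setdefault(ua, {"library": library, "hosts": []})
        if req["host"] not in entry["hosts"]:
            entry["hosts"].append(req["host"])
    return suspicious


if __name__ == "__main__":
    print(protocol_share(build_constructed_capture()))
    print(classify_user_agents(HTTP_REQUESTS))
```

A non-browser User-Agent on a workstation is not malicious by itself (updaters and scripts use them too), but paired with a download of an executable from an unfamiliar host it is a strong lead.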
