Since the turn of the new millennium, computer malware has become more sophisticated and is produced in a much greater volume compared to the early days of the internet. The invention of equally sophisticated anti-malware and malware analysis tools has begun to counter this new generation of malware — with ProcDOT (n.d.) being one of them. In this article, I will be discussing using ProcDOT to analyse a piece of ransomware.
Before I proceed, I must confess that I skimmed and briefly referenced previous writeups done by “Cursemagic” (2021) and “l0wk3y” (2021) when doing this room because some of the solutions seemed ambiguous to me and I did not totally understand the directions from the room alone. Nonetheless, in this article I will try to contribute my own insights and some new ideas.
Malware analysis is a little more difficult to discuss than offensive capture the flags — for me at least. Part of the reason is that it is difficult to define a clear objective and malware analysis turns out to be something of an art in that one must try to work out the intentions of the malware author. Greg Hoglund noted that malware is just an extension of a hacker’s “digital identity” (“killab66661” 2010).
I mention this because usually when I write articles on offensive capture the flags, I am able to easily define an objective a priori to beginning work (like dump the contents of user.txt and root.txt). Here, I cannot do so easily and malware analysis in part involves myself “winging it.” So here, I will just outline my methodology and answer the room’s questions to the best of my ability.
I started by clicking on the green coloured “[s]tart machine” button on the top-right corner of the first task and got to answering the room’s questions.
“Provide the two PIDs spawned from the malicious executable. (In the order as they appear in the analysis tool)” — “tryhackme” (2021).
Here, I had to directly rely on “Cursemagic” (2021)’s work. They opened up the ProcDOT utility and were presented with the following window (fig. 1):
To begin, I selected a Procmon log in CSV format (fig. 1b) and its respective packet capture (fig. 1c) and then selected an executable to analyse (fig. 1d). ProcDOT then proceeded to process the input logs (fig. 1a). Figure 2 depicts the processes on the system as a result of ProcDOT’s computations:
This is where Cursemagic’s keen eye comes in: they noticed a typo in the spelling of explorer.exe as exploreer.exe (fig. 2a, 2b; notice the two e’s before the last r) — such typos are typically used by malware authors to “hide in plain sight” (Splunk Security Essentials Docs n.d.). I shall proceed to further analyse these processes. They have process IDs 8644 and 7128, respectively.
“Provide the full path where the ransomware initially got executed” — “tryhackme” (2021)
I then proceeded to analyse one of the exploreer.exe binaries, the one with PID 8644. I selected it, clicked on the “[r]efresh” button (fig. 1e) and then allowed ProcMon to do its analysis. Figure 3 depicts a high-level overview of the results I obtained:
Finding the full path to where the ransomware is installed required a bit of trial and error, hovering my mouse cursor over individual nodes on this graph. But I was able to work out that the installation path is:
c:\users\sales\appdata\local\temp\exploreer.exe
This is represented by the red-coloured rectangle near the top-right of the middle yellow-coloured cluster of nodes (fig. 3a). Double clicking on it shows the full installation path:
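The two signals used above, a process name one typo away from a real system binary and a “system” binary running from a user’s temp directory, can be checked programmatically instead of by eye. The script below is an added example written for this article (it is not part of the original writeup and not a ProcDOT feature): it reads a Procmon “Save as CSV” export, looks only at Process Create events, and reports child images whose name is within a small edit distance of a known system binary, or whose name matches exactly but whose directory is not the expected one. The CSV rows, the table of known binaries and their expected directories, and every PID apart from 8644 and 7128 are constructed for illustration.

```python
import csv
import io
import re
from pathlib import PureWindowsPath

# Common Windows system binaries and the directory each normally runs from.
# This table is an assumption made for the example, not an exhaustive allow-list.
KNOWN_SYSTEM_BINARIES = {
    "explorer.exe": r"c:\windows",
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
}

# Constructed Procmon CSV excerpt (not the room's real log). The header row uses
# Procmon's default columns; PIDs 8644 and 7128 follow the writeup, every other
# PID, timestamp and command line is made up.
SAMPLE_PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.0000000","services.exe","700","Process Create","C:\Windows\System32\svchost.exe","SUCCESS","PID: 1234, Command line: C:\Windows\System32\svchost.exe -k netsvcs"
"10:01:05.0000000","explorer.exe","3000","Process Create","C:\Users\sales\AppData\Local\Temp\exploreer.exe","SUCCESS","PID: 8644, Command line: C:\Users\sales\AppData\Local\Temp\exploreer.exe"
"10:01:06.0000000","exploreer.exe","8644","Process Create","C:\Users\sales\AppData\Local\Temp\exploreer.exe","SUCCESS","PID: 7128, Command line: C:\Users\sales\AppData\Local\Temp\exploreer.exe -worker"
"10:01:07.0000000","explorer.exe","3000","Process Create","C:\Users\Public\svchost.exe","SUCCESS","PID: 5555, Command line: C:\Users\Public\svchost.exe"
"10:01:08.0000000","explorer.exe","3000","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
'''

# Procmon writes the new child's PID into the Detail column of a Process Create row.
_PID_RE = re.compile(r"PID:\s*(\d+)")


def levenshtein(a: str, b: str) -> int:
    """Edit distance where insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def find_lookalike_processes(csv_text: str, max_distance: int = 2) -> list[dict]:
    """Scan Process Create events and report children with suspicious image names or paths."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] != "Process Create":
            continue
        image = PureWindowsPath(row["Path"])
        name = image.name.lower()
        directory = str(image.parent).lower()
        match = _PID_RE.search(row["Detail"])
        finding = {
            "pid": int(match.group(1)) if match else None,
            "name": name,
            "path": row["Path"],
            "parent": f'{row["Process Name"]}:{row["PID"]}',
        }
        if name in KNOWN_SYSTEM_BINARIES:
            # Exact name: only the directory can give it away.
            expected = KNOWN_SYSTEM_BINARIES[name]
            if directory != expected:
                finding["reason"] = f"system-binary name running from {directory} instead of {expected}"
                findings.append(finding)
            continue
        for known in KNOWN_SYSTEM_BINARIES:
            distance = levenshtein(name, known)
            if distance <= max_distance:
                finding["reason"] = f"name is {distance} edit(s) away from {known}"
                findings.append(finding)
                break
    return findings


if __name__ == "__main__":
    for f in find_lookalike_processes(SAMPLE_PROCMON_CSV):
        print(f"PID {f['pid']:>5}  {f['name']:<14} spawned by {f['parent']:<18} {f['reason']}")
```

On the constructed log this lists PIDs 8644 and 7128 (both exploreer.exe, one edit from explorer.exe) and the made-up PID 5555 (a correctly spelled svchost.exe running from C:\Users\Public). Exact names are checked before the edit-distance loop so that genuine binaries whose names happen to be close to each other, such as csrss.exe and lsass.exe, are not reported as lookalikes of one another.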
“This ransomware transfers the information about the compromised system and the encryption results to two domains over HTTP POST. What are the two C2 domains?” — “tryhackme” (2021)
“What are the IPs of the malicious domains?” — Ibid.
So this one was a wee tricky at first. But after consulting “Cursemagic” (2021) and “lowkey” (2021) again, I realised that I should try to render a graph for both process IDs 8644 and 7128. I repeated the procedure described in question 1 to render a graph for exploreer.exe with process ID 7128. Figure 5 depicts my results:
After inspecting some of the nodes and their data, I zoomed in to a subset of the graph around the cluster in figure 5a. Figure 6 depicts the graph data:
From figure 6, I have worked out that the two malicious domains are, most likely, mojobiden.com and paymenthacks.com — with the respective IP addresses of 146.112.61.108 and 206.188.197.206.
“Provide the user-agent used to transfer the encrypted data to the C2 channel.” — “tryhackme” (2021)
“Provide the cloud security service that blocked the malicious domain.” — Ibid.
Working out the user-agent involved following a TCP stream between the infected machine and one of the command and control servers. I right-clicked on mojobiden.com and then clicked on “Follow TCP Stream.” Figure 7 depicts what resulted:
The POST request is made by the implant and the response is from the command and control server. Their respective user agents are Firefox/89.0 and Cisco Umbrella.
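When a followed stream is exported as text, the same fields can be pulled out with a few lines of code, which also makes explicit which side each header belongs to: the User-Agent travels in the client’s request, while the party answering identifies itself in the response. The following is an added example for this article, not code from the original writeup or from ProcDOT. The request and response are constructed: the path, the POST body and the “Server: Cisco Umbrella” header are made up for illustration, and a real block page may identify the service differently.

```python
# Constructed reconstruction of one TCP stream (not the room's capture).
CLIENT_TO_SERVER = (
    "POST /ping HTTP/1.1\r\n"
    "Host: mojobiden.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 11\r\n"
    "\r\n"
    "data=AAAAAA"
)

# Constructed response; the Server header value is an assumption for the example.
SERVER_TO_CLIENT = (
    "HTTP/1.1 403 Forbidden\r\n"
    "Server: Cisco Umbrella\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_http_message(raw: str) -> dict:
    """Split one HTTP/1.x request or response into start line, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    start_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()   # header names are case-insensitive
    return {"start_line": start_line, "headers": headers, "body": body}


def summarise_stream(client_to_server: str, server_to_client: str) -> dict:
    """Collect the fields an analyst records from a C2-style HTTP exchange."""
    request = parse_http_message(client_to_server)
    response = parse_http_message(server_to_client)
    method, target, _version = request["start_line"].split(" ", 2)
    _version, status, _reason = response["start_line"].split(" ", 2)
    user_agent = request["headers"].get("user-agent", "")
    body_bytes = len(request["body"].encode())
    declared = int(request["headers"].get("content-length", "0"))
    return {
        "method": method,
        "target": target,
        "host": request["headers"].get("host"),
        "user_agent": user_agent,
        # The trailing product token is the short form the room's answer uses.
        "client_product": user_agent.split()[-1] if user_agent else None,
        "body_bytes": body_bytes,
        # A mismatch here usually means the stream export was truncated.
        "body_matches_content_length": body_bytes == declared,
        "status": int(status),
        "server": response["headers"].get("server"),
    }


if __name__ == "__main__":
    for key, value in summarise_stream(CLIENT_TO_SERVER, SERVER_TO_CLIENT).items():
        print(f"{key:>28}: {value}")
```

Run on the constructed stream this reports a POST to mojobiden.com with client product Firefox/89.0, a 403 response, and the server string from the response headers; the Content-Length check is there because an exported stream that was cut off mid-body is easy to misread as a short exfiltration.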
“Provide the name of the bitmap that the ransomware set up as a desktop wallpaper.” — “tryhackme” (2021)
“Find the PID (Process ID) of the process which attempted to change the background wallpaper on the victim’s machine.” — Ibid.
Working out the answer to this question involves investigating values being written into the Windows registry. After a cursory review of various nodes in the graph and their respective labels, I worked out that the value is in the cluster depicted in figure 5b. Figure 8 zooms in on this cluster:
The filename of the bitmap that was used to change the background is: ley9kpi9r.bmp. Finding the process ID responsible for this background change involves “sliding back” to see which node is making a change to the Wallpaper key in the Windows registry. Figure 9 depicts this:
The process ID responsible for the desktop wallpaper change is 4892.
“The ransomware mounted a drive and assigned it the letter. Provide the registry key path to the mounted drive, including the drive letter.” — “tryhackme” (2021)
The answer to this question was found while answering the previous one: the bottom-right corner of figure 9 shows the registry key:
HKLM\SYSTEM\MountedDevices\DosDevices\Z:
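Both of the last two answers come from registry writes, the Wallpaper value and the MountedDevices entry for the new drive letter, so the same Procmon CSV that feeds ProcDOT can be searched for them directly, together with the PID that made each write. The script below is an added example for this article (not the writeup’s own method and not part of ProcDOT): it keeps only successful registry write operations, matches their paths against a small watchlist, and pulls the written data out of the Detail column. The log rows, the PIDs, the location of the bitmap and the watchlist itself are constructed; only the bitmap name and the MountedDevices key path come from the room.

```python
import csv
import io
import re

# Registry locations to alert on when a process writes to them. The labels and
# patterns are this example's own choice; extend the list to taste.
WATCHLIST = [
    ("desktop wallpaper set",
     re.compile(r"\\Control Panel\\Desktop\\Wallpaper$", re.IGNORECASE)),
    ("drive letter mapped",
     re.compile(r"^HKLM\\SYSTEM\\MountedDevices\\DosDevices\\[A-Z]:$", re.IGNORECASE)),
]

# Procmon operations that change the registry (reads are deliberately ignored).
WRITE_OPS = {"RegSetValue", "RegCreateKey", "RegDeleteValue", "RegDeleteKey"}

# For RegSetValue, Procmon puts the written value after "Data:" in the Detail column.
_DATA_RE = re.compile(r"Data:\s*(.*)$")

# Constructed Procmon CSV excerpt (not the room's real log); PIDs, timestamps and
# the bitmap's directory are made up, the bitmap name and key path follow the room.
SAMPLE_REGISTRY_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:02:00.0000000","exploreer.exe","4100","RegSetValue","HKCU\Control Panel\Desktop\Wallpaper","SUCCESS","Type: REG_SZ, Length: 94, Data: C:\Users\sales\AppData\Local\Temp\ley9kpi9r.bmp"
"10:02:00.0010000","exploreer.exe","4100","RegSetValue","HKCU\Control Panel\Desktop\WallpaperStyle","SUCCESS","Type: REG_SZ, Length: 4, Data: 10"
"10:02:01.0000000","exploreer.exe","4101","RegSetValue","HKLM\SYSTEM\MountedDevices\DosDevices\Z:","SUCCESS","Type: REG_BINARY, Length: 12, Data: 5C 00 3F 00 3F 00"
"10:02:02.0000000","svchost.exe","1234","RegSetValue","HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{guid}\DhcpIPAddress","SUCCESS","Type: REG_SZ, Length: 18, Data: 10.0.0.5"
"10:02:03.0000000","explorer.exe","3000","RegQueryValue","HKCU\Control Panel\Desktop\Wallpaper","SUCCESS","Type: REG_SZ, Length: 94, Data: C:\Users\sales\AppData\Local\Temp\ley9kpi9r.bmp"
'''


def find_sensitive_registry_writes(csv_text: str) -> list[dict]:
    """Return every successful registry write whose path matches the watchlist."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] not in WRITE_OPS or row["Result"] != "SUCCESS":
            continue
        for label, pattern in WATCHLIST:
            if pattern.search(row["Path"]):
                match = _DATA_RE.search(row["Detail"])
                findings.append({
                    "label": label,
                    "pid": int(row["PID"]),
                    "process": row["Process Name"],
                    "path": row["Path"],
                    "data": match.group(1) if match else "",
                })
                break
    return findings


def pids_for(findings: list[dict], label: str) -> list[int]:
    """Answer 'which PID did X?' from a findings list."""
    return sorted({f["pid"] for f in findings if f["label"] == label})


if __name__ == "__main__":
    for f in find_sensitive_registry_writes(SAMPLE_REGISTRY_CSV):
        print(f"[{f['label']}] PID {f['pid']} ({f['process']}) wrote {f['path']} = {f['data']}")
```

On the constructed log the wallpaper write is attributed to PID 4100 with the bitmap path as its data, the Z: mapping to PID 4101, and the explorer.exe row is skipped because a RegQueryValue is a read, not a change. Anchoring the Wallpaper pattern with `$` keeps the neighbouring WallpaperStyle value from producing a second, noisier hit.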
“Now you have collected some IOCs from this investigation. Provide the name of the ransomware used in the attack.” — “tryhackme” (2021)
I looked up the domain mojobiden.com on VirusTotal (n.d.) and found a report (VirusTotal n.d.-b) in which community members have identified this domain as being associated with a variant of Blackmatter Ransomware.
Blackmatter appears to be a “ransomware-as-a-service” that targets Windows and Linux systems — encrypting the victim’s information and demanding a payment in cryptocurrency in exchange for the decryption key (Cybersecurity and Infrastructure Security Agency 2021).
From this experience analysing the log files pertaining to the behaviour of a piece of ransomware, I find ProcDOT to be a fairly useful tool that can be added to an analyst’s arsenal. From what I have seen, ProcDOT does seem to have its limitations, like not being able to interact directly with the nodes, and it can be cumbersome.
But nonetheless, it did provide some useful threat intelligence to assist me in identifying the ransomware — which was eventually used to find the alert regarding the strain from the Cybersecurity and Infrastructure Security Agency, which has instructions for prevention and mitigation strategies for said ransomware.
Thanks to “Cursemagic” and “lowkey” for their writeups and, albeit indirectly, for “steering” me in the proper direction of completing this room.
Cybersecurity and Infrastructure Security Agency (2021). Alert: AA21-291A. Retrieved on Jan. 12, 2023 from: https://www.cisa.gov/uscert/ncas/alerts/aa21-291a
“Cursemagic” (2021). TryHackMe: Dunkle Materie Room Write-Up. Retrieved on Dec. 27, 2022 from: https://cursemagic.medium.com/tryhackme-dunkle-materie-room-write-up-4d0b657adcf5
“killab66661” (2010). Blackhat 2010 Malware Attribution tracking cyber spies Greg Hoglund Part. YouTube Video. Retrieved on Dec. 29, 2022 from: https://youtu.be/k4Ry1trQhDk
“lowkey” (2021). TryHackMe — Dunkle Materie Writeup. Retrieved on Dec. 27, 2022 from: https://dev.to/l0wk3y/tryhackme-dunkle-materie-writeup-2chb
ProcDOT (n.d.). Frequently Asked Questions. Retrieved on Jan. 12, 2023 from: https://www.procdot.com/faqs.htm
Splunk Security Essentials Docs (n.d.). Retrieved on Dec. 29, 2022 from: https://docs.splunksecurityessentials.com/content-detail/showcase_lookalike_filenames/
“tryhackme” (2021). Dunkle Materie: Investigate the ransomware attack using ProcDOT. TryHackMe. Retrieved on Dec. 29, 2022 from: https://tryhackme.com/room/dunklematerieptxc9
“VirusTotal” (n.d.-b). URL — dc008163b78ea05ae4f1b14665e95a677dceb36635b3866137dd0deeb4a6a767. Retrieved on Jan. 12, 2023 from: https://www.virustotal.com/gui/url/dc008163b78ea05ae4f1b14665e95a677dceb36635b3866137dd0deeb4a6a767/community