Windows Memory Forensics - Medium Difficulty - Part 1

Tools involved:

SysInfoTools-ost-viewer-pro
volatility_2.6_lin64_standalone
VT online tools

Image files used:

target1-1dd8701f.vmss
target2-6186fe9f.vmss
POS-01-c4e8f786.vmss

Question stem:

An employee reported that his machine started behaving strangely after receiving a suspicious security update email. The incident response team captured several memory dumps from the suspect computer for further examination. Analyze the dump and help the SOC analyst team figure out what’s going on!

Target1

What is the email address used to trick front desk staff into installing security updates?

View image information

./volatility_2.6_lin64_standalone -f Target1-1dd8701f.vmss imageinfo


View process list

./volatility_2.6_lin64_standalone -f Target1-1dd8701f.vmss --profile=Win7SP1x86_23418 pslist


Since the question stem already tells us that an email was received, we can go straight to outlook.exe and dump the files mapped by that process (PID 3196) into the dll directory.

./volatility_2.6_lin64_standalone -f Target1-1dd8701f.vmss --profile=Win7SP1x86_23418 dumpfiles -p 3196 -n -u -D ./dll


While rummaging through the dumped files, I came across several ost.dat files. This is the offline mail format used by Microsoft Outlook: an OST file, which is similar to a PST.

You can open it directly with a viewer tool without converting the format.

You can also unpack it with the method I used in the previous post.

readpst -S [email protected]\ -\ outlook2.ost.dat


What is the name of the file used for phishing in the email?

What is the malicious file family?

The download URL was obtained above. I originally wanted to match the sample directly against that URL, but that turned out to be naive.

./volatility_2.6_lin64_standalone -f Target1-1dd8701f.vmss --profile=Win7SP1x86_23418 filescan | grep AnyConnectInstaller.exe


Export any one of the hits

./volatility_2.6_lin64_standalone -f Target1-1dd8701f.vmss --profile=Win7SP1x86_23418 dumpfiles -Q 0x000000003df12dd0 -D ./


The dumped file has an odd suffix, but that does not affect comparing the sample by its MD5 hash.

md5sum file.None.0x85cd09a0.img



The malware appears to be utilizing process injection. What is the PID of the injected process?

This question is a bit of a stretch. It is hard to tell from memory forensics alone which process was injected into, and since this is not DLL injection, the usual DLL-injection detection method does not apply.

./volatility_2.6_lin64_standalone -f Target1-1dd8701f.vmss --profile=Win7SP1x86_23418 pstree



In fact, many processes here have child processes, so it is impossible to pin down the problem process with vol alone. After reading other people's writeups, I found that VT shows the process.

In my opinion, plenty of other processes are being created too, so why couldn't it be svchost?
Then I remembered the IP address I had found in the email.

./volatility_2.6_lin64_standalone -f Target1-1dd8701f.vmss --profile=Win7SP1x86_23418 netscan | grep "180.76.254.120"

Why does malware continue to start after the computer is restarted?

This question really tests one's understanding of malware persistence. To make sure the malware still runs after the computer is restarted, especially on Windows, a variety of methods are used, such as startup items:

Startup folder:
C:\Users\username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

Registry Run keys:
Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Services

./volatility_2.6_lin64_standalone -f Target1-1dd8701f.vmss --profile=Win7SP1x86_23418 mftparser > output.txt

This command exports the file directory information (the MFT entries) from the memory image.


A global search found nothing in the startup directories, so I had to look in the registry instead.

./volatility_2.6_lin64_standalone -f Target1-1dd8701f.vmss --profile=Win7SP1x86_23418 dumpregistry --dump ./regedist


Read the dumped registry hives with a registry viewer.

Embarrassingly, I later found out that you can see it directly in VT.
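As an added example (not code from the original writeup), the following Python script triages the same Run-key persistence question directly from Volatility 2.6 text output instead of a registry viewer: it parses the output of `printkey -K "Software\Microsoft\Windows\CurrentVersion\Run"` (which walks every hive in the image), lists each value with its hive and key, and flags entries whose executable lives in a user-writable location such as AppData, Temp or ProgramData. The sample output, hive paths and value names below are constructed, and `EXAMPLE_persist` is a placeholder, not the answer for the Target1 image.

```python
import re

# Constructed sample of Volatility 2.6 `printkey -K ...\CurrentVersion\Run` output.
# Hive paths, value names and binaries are invented for this example; the entry
# EXAMPLE_persist is a placeholder and not the persistence entry from Target1.
SAMPLE_PRINTKEY = r"""
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \??\C:\Users\username\ntuser.dat
Key name: Run (S)
Last updated: 2015-10-09 10:30:00 UTC+0000

Subkeys:

Values:
REG_SZ        Sidebar         : (S) C:\Program Files\Windows Sidebar\Sidebar.exe /autoRun
REG_SZ        EXAMPLE_persist : (S) "C:\Users\username\AppData\Roaming\svchost.exe" -k
----------------------------
Registry: \SystemRoot\System32\Config\SOFTWARE
Key name: Run (S)
Last updated: 2015-10-09 09:00:00 UTC+0000

Subkeys:

Values:
REG_SZ        VMware User Process : (S) "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
"""

HIVE_RE = re.compile(r"^Registry:\s+(?P<hive>.*\S)\s*$")
KEY_RE = re.compile(r"^Key name:\s+(?P<key>.*?)\s+\([SV]\)\s*$")
VALUE_RE = re.compile(
    r"^(?P<type>REG_\w+)\s+(?P<name>.*?)\s+:\s+\((?P<vol>[SV])\)\s*(?P<data>.*?)\s*$"
)

# Path fragments that a normal autostart entry rarely points into but that
# user-level malware can write to without elevation.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\",
                 "\\programdata\\", "\\$recycle.bin\\")


def parse_printkey(text):
    """Return one dict per registry value, tagged with the hive and key it came from."""
    entries, hive, key = [], None, None
    for line in text.splitlines():
        m = HIVE_RE.match(line)
        if m:
            hive = m.group("hive")
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and hive is not None:
            entries.append({"hive": hive, "key": key, "type": m.group("type"),
                            "name": m.group("name"), "data": m.group("data")})
    return entries


def executable_path(data):
    """Extract the program path from a Run value: quoted path, or text up to '.exe'."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    m = re.match(r"(.*?\.exe)", data, re.IGNORECASE)
    return m.group(1) if m else data.split()[0]


def suspicious_autostarts(entries):
    """Autostart values whose binary sits in a user-writable directory."""
    flagged = []
    for e in entries:
        path = executable_path(e["data"]).lower()
        if any(marker in path for marker in USER_WRITABLE):
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    for e in parse_printkey(SAMPLE_PRINTKEY):
        print("{hive} | {key} | {name} = {data}".format(**e))
    print("suspicious:", [e["name"] for e in suspicious_autostarts(parse_printkey(SAMPLE_PRINTKEY))])
```

To use it on the real image, redirect `printkey -K` output to a file and feed its contents to `parse_printkey`; the RunOnce keys and the HKLM hive are covered by running `printkey` once per key path. The user-writable filter is a triage heuristic: legitimate updaters do sometimes live under AppData, so every hit still needs the binary itself checked, for instance by hashing the dumped file as done earlier in this writeup.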

Malware often uses unique values or names to ensure only one copy is running on the system. What is the unique name used by the malware?

./volatility_2.6_lin64_standalone -f Target1-1dd8701f.vmss --profile=Win7SP1x86_23418 handles -p 2996 | grep "Mutant"

Here the handle table of process 2996 is printed directly; Mutant is explained as follows:

In computer science, “Mutant” refers to a synchronization primitive or object used to implement a mutex (Mutex) in concurrent programming. Mutant is the term corresponding to a mutex lock in the Windows operating system.

Mutex is a synchronization mechanism used to control multiple threads’ access to shared resources. It provides a way to ensure that only one thread can access a shared resource at any given time, thus avoiding data races and inconsistencies.

In the operating system kernel, Mutant is implemented through kernel objects and is used to coordinate mutually exclusive access between processes. It can be used to protect shared resources to ensure that only one process can obtain access to the resource at a time.
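The `handles -p 2996 | grep Mutant` step above shows only what one process holds, and system mutexes (MSCTF, zone cache counters and the like) show up in many processes. As an added example that is not part of the original writeup, this Python script parses Volatility 2.6 `handles` output for the whole image (the plugin's `-t Mutant` filter restricts it to mutants), groups the named mutants per PID, and reports those that only the process under investigation holds, which is the usual shape of a malware's single-instance marker. The sample output is constructed: PID 2996 is the PID from the writeup, but the offsets, the second PID and all mutant names are invented, and `EXAMPLE_unique_mutex_name` is a placeholder rather than the real answer.

```python
import re
from collections import defaultdict

# Constructed sample of Volatility 2.6 `handles -t Mutant` output (plus two
# non-mutant rows to show they are ignored). PID 2996 comes from the writeup;
# offsets, the other PID and every mutant name are invented for this example.
SAMPLE_HANDLES = r"""
Offset(V)     Pid     Handle     Access Type             Details
---------- ------ ---------- ---------- ---------------- -------
0x85e1a2b8   2996        0x4        0x3 Directory        KnownDlls
0x85e2b3c8   2996       0x40   0x1f0001 Mutant           Local\MSCTF.Asm.MutexDefault1
0x85e3c4d8   2996       0x44   0x1f0001 Mutant           ZonesCacheCounterMutex
0x85e4d5e8   2996       0x48   0x1f0001 Mutant           EXAMPLE_unique_mutex_name
0x85e5e6f8   2996       0x4c   0x1f0001 Mutant
0x85e6f708   1492       0x38   0x1f0001 Mutant           Local\MSCTF.Asm.MutexDefault1
0x85e70818   1492       0x3c   0x1f0001 Mutant           ZonesCacheCounterMutex
0x85e71928   1492       0x50   0x1f0001 Thread           TID 1520 PID 1492
"""

# Offset(V)  Pid  Handle  Access  Type  [Details]; Details is absent for unnamed objects.
ROW_RE = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+(?P<pid>\d+)\s+(?P<handle>0x[0-9a-fA-F]+)\s+"
    r"(?P<access>0x[0-9a-fA-F]+)\s+(?P<type>\S+)(?:\s+(?P<details>.*\S))?\s*$"
)


def parse_handles(text):
    """One dict per handle row; header, separator and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            d = m.groupdict()
            d["pid"] = int(d["pid"])
            rows.append(d)
    return rows


def mutants_by_pid(rows):
    """Map pid -> set of named mutants it holds (unnamed mutants carry no Details)."""
    held = defaultdict(set)
    for r in rows:
        if r["type"] == "Mutant" and r["details"]:
            held[r["pid"]].add(r["details"])
    return held


def unique_mutants(rows, pid):
    """Named mutants held by `pid` and by no other process in the dump.

    Shared system mutants drop out because other processes hold them too,
    leaving the names that are specific to this process.
    """
    held = mutants_by_pid(rows)
    others = set().union(*(names for p, names in held.items() if p != pid))
    return sorted(held.get(pid, set()) - others)


if __name__ == "__main__":
    rows = parse_handles(SAMPLE_HANDLES)
    for pid, names in sorted(mutants_by_pid(rows).items()):
        print(pid, sorted(names))
    print("unique to 2996:", unique_mutants(rows, 2996))
```

The comparison only works if `handles` is run without `-p`, so that the baseline includes every process in the image; a mutant that appears in exactly one process is a candidate, not proof, since some legitimate software also creates per-application mutexes, so the name should still be checked against the sample's reported behaviour (the VT report used earlier in this writeup).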

It seems that a notorious hacker compromised the system before the current attackers, can you tell which movie this hacker was from?

I did not work out the answer here myself; it is borrowed from someone else's writeup.

./volatility_2.6_lin64_standalone -f Target1-1dd8701f.vmss --profile=Win7SP1x86_23418 filescan | grep -oP '(?<=\\Users\\)[^\\]+' | sort -u


I do not know why people go straight to the \Users directory here, but judging from where they looked, the thing seems to live in the registry, so the user data can be found there.
You can view the SOFTWARE registry hive by

This hive mainly holds the user's personal information; here it gives only the person's name, and you still need to work out the movie. The trouble is that I have not watched it, so I do not know which one it is.

What is the NTLM password hash for the administrator account?

./volatility_2.6_lin64_standalone -f Target1-1dd8701f.vmss --profile=Win7SP1x86_23418 hashdump

The attacker appears to have transferred some tools to the compromised front host. How many tools did the attackers move?

./volatility_2.6_lin64_standalone -f Target1-1dd8701f.vmss --profile=Win7SP1x86_23418 consoles


This question is tied to the next one: the uploaded tools were presumably used to crack the hash. I thought it should be 4, but after looking at other people's answers it is actually 3.

Later I searched on GitHub and found that two of the "tools" are actually parts of a single tool.

What is the password for the front-end local administrator account?

./volatility_2.6_lin64_standalone -f Target1-1dd8701f.vmss --profile=Win7SP1x86_23418 consoles

What is the creation timestamp of the nbtscan.exe tool?

./volatility_2.6_lin64_standalone -f Target1-1dd8701f.vmss --profile=Win7SP1x86_23418 timeliner | grep 'nbtscan'

The attacker appears to have stored the nbtscan.exe tool output in a text file named nbs.txt. What is the IP address of the first computer in the file?

./volatility_2.6_lin64_standalone -f Target1-1dd8701f.vmss --profile=Win7SP1x86_23418 filescan | grep "nbs.txt"


Export the file

./volatility_2.6_lin64_standalone -f Target1-1dd8701f.vmss --profile=Win7SP1x86_23418 dumpfiles -Q 0x000000003fdb7808 -D ./out


What is the full IP address and port used by the attacker?

Use netscan here to view the state of all network connections

./volatility_2.6_lin64_standalone -f Target1-1dd8701f.vmss --profile=Win7SP1x86_23418 netscan


Why circle this one? Because in question 2 we already obtained this IP address from the attacker's email, in question 4 we found that the attacker used the iexplore.exe process for process injection, and the IP address we learned in question 12 also matches, so the answer falls out.

It appears that the attackers also installed legitimate remote management software. What is the name of the running process?

Here you can see TeamViewer.exe at the end of the question 13 output, or you can run pslist

./volatility_2.6_lin64_standalone -f Target1-1dd8701f.vmss --profile=Win7SP1x86_23418 pslist


As for why it must be TeamViewer, see the continued analysis below.

./volatility_2.6_lin64_standalone -f Target1-1dd8701f.vmss --profile=Win7SP1x86_23418 cmdline


We saw a log file here, so we can check it

./volatility_2.6_lin64_standalone -f Target1-1dd8701f.vmss --profile=Win7SP1x86_23418 filescan | grep TeamViewer10_Logfile.log

Then export these four files

./volatility_2.6_lin64_standalone -f Target1-1dd8701f.vmss --profile=Win7SP1x86_23418 dumpfiles -Q 0x000000003fa2e2d8,0x000000003fa564e0,0x000000003fc9b038,0x000000003fd5bbb8 -D ./TVlog


After exporting the log files we can look inside. Fortunately the log is not very big. We found an IP address in it that matches the attacker IP address we saw before, so the answer to this question follows.

The attackers also appear to have used built-in remote access methods. What IP address are they connecting from?

./volatility_2.6_lin64_standalone -f Target1-1dd8701f.vmss --profile=Win7SP1x86_23418 netscan | grep 3389
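Questions 4, 12 and this one all come down to reading `netscan` output: which process owns the socket to the attacker's IP, what port it uses, and which remote address has an RDP session open. As an added example that is not part of the original writeup, the Python script below parses Volatility 2.6 `netscan` rows and answers those three questions from a text dump instead of by eye. The sample rows are constructed: the remote address 180.76.254.120 and PID 2996/iexplore.exe are the values the writeup discusses, but the ports, local addresses, offsets, the RDP client address and the other PIDs are invented, so nothing here is the image's actual answer.

```python
import re

# Constructed sample of Volatility 2.6 `netscan` output. Only the remote IP
# 180.76.254.120 and PID 2996 (iexplore.exe) come from the writeup; every port,
# local address, offset and the RDP client 203.0.113.77 are invented.
SAMPLE_NETSCAN = """\
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x3e1a2b40         TCPv4    0.0.0.0:3389                   0.0.0.0:0            LISTENING        1234     svchost.exe
0x3e1a2b48         TCPv6    :::3389                        :::0                 LISTENING        1234     svchost.exe
0x3e2c3d50         TCPv4    10.1.1.20:3389                 203.0.113.77:51022   ESTABLISHED      1234     svchost.exe
0x3e3d4e60         TCPv4    10.1.1.20:49207                180.76.254.120:22    ESTABLISHED      2996     iexplore.exe
0x3e4f5a70         UDPv4    0.0.0.0:5355                   *:*                                   3456     svchost.exe    2015-10-09 10:12:03 UTC+0000
0x3e5a6b80         TCPv4    10.1.1.20:49210                180.76.254.120:22    CLOSED           2996     iexplore.exe
"""

# TCP states netscan prints; UDP rows have no state, so the group is optional.
STATES = ("LISTENING", "ESTABLISHED", "CLOSED", "CLOSE_WAIT", "TIME_WAIT",
          "SYN_SENT", "SYN_RECV", "LAST_ACK", "FIN_WAIT1", "FIN_WAIT2", "DELETE_TCB")

ROW_RE = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+(?P<proto>[TU][CD]Pv[46])\s+"
    r"(?P<local>\S+)\s+(?P<foreign>\S+)\s+"
    r"(?:(?P<state>" + "|".join(STATES) + r")\s+)?"
    r"(?P<pid>\d+)\s+(?P<owner>\S+)(?:\s+(?P<created>.*\S))?\s*$"
)


def split_endpoint(endpoint):
    """'10.1.1.20:3389' -> ('10.1.1.20', '3389'); rpartition keeps IPv6 colons intact."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def parse_netscan(text):
    """One dict per socket row, with local/foreign endpoints split into ip and port."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header, blank or otherwise unparseable line
        d = m.groupdict()
        d["pid"] = int(d["pid"])
        d["local_ip"], d["local_port"] = split_endpoint(d["local"])
        d["foreign_ip"], d["foreign_port"] = split_endpoint(d["foreign"])
        rows.append(d)
    return rows


def connections_to(rows, remote_ip):
    """Sockets whose foreign address is remote_ip, as (pid, owner, remote port, state)."""
    return [(r["pid"], r["owner"], r["foreign_port"], r["state"])
            for r in rows if r["foreign_ip"] == remote_ip]


def rdp_sources(rows):
    """Remote IPs with an ESTABLISHED session to the local RDP port (3389)."""
    return sorted({r["foreign_ip"] for r in rows
                   if r["local_port"] == "3389" and r["state"] == "ESTABLISHED"})


if __name__ == "__main__":
    rows = parse_netscan(SAMPLE_NETSCAN)
    print("to attacker IP:", connections_to(rows, "180.76.254.120"))
    print("RDP clients:", rdp_sources(rows))
```

Run `netscan` once, save the output, and call the functions against it rather than re-running the plugin per question; `connections_to` returns CLOSED sockets as well as ESTABLISHED ones, which is deliberate, because on a memory image a closed socket that still carries the attacker's address is evidence of an earlier connection.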


That is it for the first compromised machine for now. The next part picks up from here: as the first question already shows, the attacker moved laterally within the intranet, so the next part continues the tracing and evidence collection.