BTLOを始めてみました。
このサービスでは防御分野Blue Teamの実践的なスキルを用意されたファイルとシナリオに沿って学べます。環境が用意されているInvestigationsとファイルが渡されて解析を行うChallengesがあります。
サービスの規約により、RetiredとなったInvestigationsとChallengesはwrite upを公開しても良いです。今回は、Challengesの内のMemory Analysis - Ransomwareのwrite upです。

BTLO Challenge Memory Analysis - Ransomware(Retired Challenge)

• Scenario
• Challenge Submission
  • 1. Run “vol.py -f infected.vmem --profile=Win7SP1x86 psscan” that will list all processes. What is the name of the suspicious process?
  • 2. What is the parent process ID for the suspicious process?
  • 3. What is the initial malicious executable that created this process?
  • 4. If you drill down on the suspicious PID (vol.py -f infected.vmem --profile=Win7SP1x86 psscan | grep (PIDhere)), find the process used to delete files
  • 5. Find the path where the malicious file was first executed
  • 6. Can you identify what ransomware it is? (Do your research!)
  • 7. What is the filename for the file with the ransomware public key that was used to encrypt the private key? (.eky extension)

Scenario

The Account Executive called the SOC earlier and sounds very frustrated and angry. He stated he can’t access any files on his computer and keeps receiving a pop-up stating that his files have been encrypted. You disconnected the computer from the network and extracted the memory dump of his machine and started analyzing it with Volatility. Continue your investigation to uncover how the ransomware works and how to stop it!

Challenge Submission

今回のメモリダンプ

Volatility Foundation Volatility Framework 2.6.1
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x86_23418, Win7SP0x86, Win7SP1x86_24000, Win7SP1x86
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace (/home/volatility/BTLO/BTLO Memory Analysis - Ransomware/infected.vmem)
                      PAE type : PAE
                           DTB : 0x185000L
                          KDBG : 0x82948c28L
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0x82949c00L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2021-01-31 18:24:57 UTC+0000
     Image local date and time : 2021-01-31 13:24:57 -0500

1. Run “vol.py -f infected.vmem --profile=Win7SP1x86 psscan” that will list all processes. What is the name of the suspicious process?

Format: @ProcessName

$ vol.py -f infected.vmem --profile=Win7S 
P1x86 psscan
Volatility Foundation Volatility Framework 2.6.1
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited                   
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x000000000be92b88 dwm.exe            1424    856 0x1e6d92e0 2021-01-31 18:01:12 UTC+0000                                 
0x000000001dc0fd40 svchost.exe         688    496 0x1e6d9140 2021-01-31 18:01:11 UTC+0000                                 
0x000000001dc22520 svchost.exe         736    496 0x1e6d9160 2021-01-31 18:01:11 UTC+0000                                 
0x000000001dc33030 taskhsvc.exe       2968   2924 0x1e6d92c0 2021-01-31 18:02:20 UTC+0000                                 
0x000000001dc58030 svchost.exe         856    496 0x1e6d91a0 2021-01-31 18:01:11 UTC+0000                                 
0x000000001dc6d548 svchost.exe         896    496 0x1e6d91c0 2021-01-31 18:01:11 UTC+0000                                 
0x000000001dc92a88 svchost.exe        1000    496 0x1e6d9200 2021-01-31 18:01:11 UTC+0000                                 
0x000000001dca9030 svchost.exe        1068    496 0x1e6d9220 2021-01-31 18:01:12 UTC+0000                                 
0x000000001dcd6030 spoolsv.exe        1196    496 0x1e6d9240 2021-01-31 18:01:12 UTC+0000                                 
0x000000001dcd91c8 svchost.exe        2204    496 0x1e6d95e0 2021-01-31 18:03:14 UTC+0000                                 
0x000000001dd07290 svchost.exe        1252    496 0x1e6d9280 2021-01-31 18:01:12 UTC+0000                                 
0x000000001dd32cb0 taskhost.exe       1348    496 0x1e6d92a0 2021-01-31 18:01:12 UTC+0000                                 
0x000000001df45030 csrss.exe           404    388 0x1e6d9040 2021-01-31 18:01:11 UTC+0000                                 
0x000000001df5a450 svchost.exe        2380    496 0x1e6d9560 2021-01-31 18:03:15 UTC+0000                                 
0x000000001df5f030 services.exe        496    396 0x1e6d9080 2021-01-31 18:01:11 UTC+0000                                 
0x000000001df63030 winlogon.exe        460    388 0x1e6d90c0 2021-01-31 18:01:11 UTC+0000                                 
0x000000001df72958 lsass.exe           504    396 0x1e6d90e0 2021-01-31 18:01:11 UTC+0000                                 
0x000000001df74030 lsm.exe             512    396 0x1e6d9100 2021-01-31 18:01:11 UTC+0000                                 
0x000000001df975b0 svchost.exe        2508    496 0x1e6d9420 2021-01-31 18:21:28 UTC+0000                                 
0x000000001dfc25f8 conhost.exe        2976    404 0x1e6d94e0 2021-01-31 18:02:20 UTC+0000                                 
0x000000001dfcf108 powercfg.exe       3304    496 0x1e6d9460 2021-01-31 18:23:23 UTC+0000   2021-01-31 18:24:24 UTC+0000  
0x000000001dfe2b08 svchost.exe         620    496 0x1e6d9120 2021-01-31 18:01:11 UTC+0000                                 
0x000000001e178968 csrss.exe           356    340 0x1e6d9060 2021-01-31 18:01:11 UTC+0000                                 
0x000000001e1801f8 wininit.exe         396    340 0x1e6d90a0 2021-01-31 18:01:11 UTC+0000                                 
0x000000001e992a88 taskdl.exe         4060   2732 0x1e6d9540 2021-01-31 18:24:54 UTC+0000   2021-01-31 18:24:54 UTC+0000  
0x000000001ec3ea58 WmiPrvSE.exe       1296    620 0x1e6d9400 2021-01-31 18:01:14 UTC+0000                                 
0x000000001ec424a0 svchost.exe        2032    496 0x1e6d93a0 2021-01-31 18:01:13 UTC+0000                                 
0x000000001ec81d40 dllhost.exe        1740    496 0x1e6d9440 2021-01-31 18:01:14 UTC+0000                                 
0x000000001ed0a030 SearchFilterHo     3008   2232 0x1e6d9620 2021-01-31 18:23:00 UTC+0000                                 
0x000000001ed3d940 WmiPrvSE.exe        208    620 0x1e6d9520 2021-01-31 18:24:23 UTC+0000                                 
0x000000001ed5ead8 SearchProtocol     2304   2232 0x1e6d9180 2021-01-31 18:01:18 UTC+0000                                 
0x000000001ee6a030 explorer.exe       1456   1408 0x1e6d9300 2021-01-31 18:01:12 UTC+0000                                 
0x000000001ee80a48 VGAuthService.     1560    496 0x1e6d9320 2021-01-31 18:01:12 UTC+0000                                 
0x000000001eef9d40 vm3dservice.ex     1688   1456 0x1e6d9340 2021-01-31 18:01:12 UTC+0000                                 
0x000000001ef04498 vmtoolsd.exe       1700   1456 0x1e6d9360 2021-01-31 18:01:12 UTC+0000                                 
0x000000001ef11030 vmtoolsd.exe       1720    496 0x1e6d9380 2021-01-31 18:01:13 UTC+0000                                 
0x000000001ef28a78 msdtc.exe          2044    496 0x1e6d93c0 2021-01-31 18:01:16 UTC+0000                                 
0x000000001ef9ed40 @WanaDecryptor     2688   2732 0x1e6d9460 2021-01-31 18:24:49 UTC+0000   2021-01-31 18:24:49 UTC+0000  
0x000000001efb5418 smss.exe            268      4 0x1e6d9020 2021-01-31 18:01:10 UTC+0000                                 
0x000000001efc1d40 SearchIndexer.     2232    496 0x1e6d9260 2021-01-31 18:01:18 UTC+0000                                 
0x000000001fcbc0f0 sppsvc.exe         2432    496 0x1e6d9580 2021-01-31 18:03:14 UTC+0000                                 
0x000000001fcc6800 @WanaDecryptor     3968   2732 0x1e6d95c0 2021-01-31 18:02:48 UTC+0000                                 
0x000000001fcd4350 or4qtckT.exe       2732   1456 0x1e6d94c0 2021-01-31 18:02:16 UTC+0000                                 
0x000000001fff1c40 System                4      0 0x00185000 2021-01-31 20:56:12 UTC+0000                                 
0x000000001fff6920 System                4      0 0x00185000 2021-01-31 18:01:10 UTC+0000

Answer: @WanaDecryptor

2. What is the parent process ID for the suspicious process?

Parent Process ID (PPID)
Answer: 2732

3. What is the initial malicious executable that created this process?

Format: filename.exe
2732は、or4qtckT.exe
Answer: or4qtckT.exe

4. If you drill down on the suspicious PID (vol.py -f infected.vmem --profile=Win7SP1x86 psscan | grep (PIDhere)), find the process used to delete files

Format: filename.extension

$ vol.py -f infected.vmem --profile=Win7SP1x86 psscan | grep 2732
Volatility Foundation Volatility Framework 2.6.1
0x000000001e992a88 taskdl.exe         4060   2732 0x1e6d9540 2021-01-31 18:24:54 UTC+0000   2021-01-31 18:24:54 UTC+0000  
0x000000001ef9ed40 @WanaDecryptor     2688   2732 0x1e6d9460 2021-01-31 18:24:49 UTC+0000   2021-01-31 18:24:49 UTC+0000  
0x000000001fcc6800 @WanaDecryptor     3968   2732 0x1e6d95c0 2021-01-31 18:02:48 UTC+0000                                 
0x000000001fcd4350 or4qtckT.exe       2732   1456 0x1e6d94c0 2021-01-31 18:02:16 UTC+0000     

Answer: taskdl.exe

5. Find the path where the malicious file was first executed

Format: drive:\path\to\filename.extension

$ vol.py -f infected.vmem --profile=Win7SP1x86 cmdline
Volatility Foundation Volatility Framework 2.6.1
************************************************************************
System pid:      4
************************************************************************
smss.exe pid:    268
Command line : \SystemRoot\System32\smss.exe
************************************************************************
(snip)
or4qtckT.exe pid:   2732
Command line : "C:\Users\hacker\Desktop\or4qtckT.exe" 
************************************************************************
(snip)
# または
$ vol.py -f infected.vmem --profile=Win7SP1x86 filescan | grep or4qtckT.exe

Volatility Foundation Volatility Framework 2.6.1
0x000000001ed75ae8      7      0 R--r-- \Device\HarddiskVolume1\Users\hacker\Desktop\or4qtckT.exe
0x000000001fcaf798      3      0 R--r-d \Device\HarddiskVolume1\Users\hacker\Desktop\or4qtckT.exe

Answer: C:\Users\hacker\Desktop\or4qtckT.exe

6. Can you identify what ransomware it is? (Do your research!)

Ransomware Name
@WanaDecryptor? Hum....

Answer: wannacry

7. What is the filename for the file with the ransomware public key that was used to encrypt the private key? (.eky extension)

$ strings infected.vmem | grep "*.eky"
00000000.eky
%08X.eky
00000000.eky
ntor-onion-key U4/KcG1psOjpLuE8cd8qI6zQ/52YTJaLX9WbxekySk0=
s+3Uc4gjE2RJhXkvwi6t1sUJmogfMlxLDDiXSpXekyHwVurAv/3yB6EPaRoujh1t
MIGJAoGBAPWZYCeKAn1MnwQjFNDim2Ie2eU6hDfDsaeky54mh8bJGIh1DgF2NJUL
3vmi1rxFkeazE6PEt6zZOYi/X2hcEpKmgTr+iLG/qPu7v/x6pp0OHR8cxUc1ekyW
%08X.eky
%08X.eky
$ strings infected.vmem | grep -n5 "00000000.eky"
183656-$02930FFEB87968D518101EB79202F1C3766078DA
183657-$109242967F596F4E3BF3D6996109EFF340FECB27
183658-Wur6
183659-  or4qtckT.exe
183660-00000000.res
183661:00000000.eky
183662-00000000.res
183663-00000000.res
183664-00000000.res
183665-00000000.pky
183666-00000000.res
--
1488780-13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
1488781-gx7ekbenv2riucmf.onion;57g7spgrzlojinas.onion;xxlvbrloxvriy2c5.onion;76jdd2ir2embyv47.onion;cwwnhwhlz52maqm7.onion;
1488782-https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip
1488783-00000000.res
1488784-00000000.pky
1488785:00000000.eky
1488786-( ) 
1488787-'k,k,^K^K
1488788-( ) 
1488789-'k,k,^K^K
1488790-( ) 
# 00000000.ekyはor4qtckT.exeと関連がありそう。
$ vol.py -f infected.vmem --profile=Win7SP1x86 dumpfiles -D output/ -p 2732
Volatility Foundation Volatility Framework 2.6.1
DataSectionObject 0x83ea6268   2732   \Device\HarddiskVolume1\Users\hacker\Desktop\00000000.eky
SharedCacheMap 0x83ea6268   2732   \Device\HarddiskVolume1\Users\hacker\Desktop\00000000.eky
ImageSectionObject 0x991ffeb8   2732   
(snip)
# 00000000.ekyがor4qtckT.exeで使われている。

Answer: 00000000.eky

• Details
• playbook
  • Search Log
  • Analyze URL Address
    • https[:]//encrypted-tbn0.gstatic[.]com/images?q=tbn:ANd9GcSjESkzn2LUxELhnqZZWBbmGwtbqfFsaemB9w&usqp=CAU
    • encrypted-tbn0.gstatic[.]com
    • 172.217.17.174
  • Add Artifacts
• End

Details

EventID: 32
Event Time: Dec. 1, 2020, 5:50 a.m.
Rule: SOC102 - Proxy - Suspicious URL Detected
Level: Security Analyst
Source Address 172.148.17.14
Source Hostname MikeComputer
Destination Address 172.217.17.174
Destination Hostname encrypted-tbn0.gstatic.com
Username Mike01
Request URL https[:]//encrypted-tbn0.gstatic[.]com/images?q=tbn:ANd9GcSjESkzn2LUxELhnqZZWBbmGwtbqfFsaemB9w&usqp=CAU
User Agent Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1 Mobile/15E148 Safari/604.1
Device Action Blocked

playbook

Search Log

#	DATE	TYPE	SOURCE ADDRESS	SOURCE PORT	DESTINATION ADDRESS	DESTINATION PORT
Dec, 01, 2020, 05:58 AM	Proxy	172.148.17.14	48193	172.217.17.174	443

Request URL: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcSjESkzn2LUxELhnqZZWBbmGwtbqfFsaemB9w&usqp=CAU
Request Method: GET
Device Action: Blocked
Process: chrome.exe
Parent Process: explorer.exe
Parent Process MD5: 8b88ebbb05a0e56b7dcc708498c02b3e

同サーバのアクセスは、アラート時のもののみを確認された。
Endpointを見ると、気になるdocファイルの実行が見られたが今回のものとは関係無さそうなので一旦置いておく。
このサーバへのアクセスはアラート時のもののみ。

Analyze URL Address

https[:]//encrypted-tbn0.gstatic[.]com/images?q=tbn:ANd9GcSjESkzn2LUxELhnqZZWBbmGwtbqfFsaemB9w&usqp=CAU

Hybrid-Analysis: https://www.hybrid-analysis.com/sample/aa243e9bc80b1d466a8d3e9f1d2a285b8445f47bb173835ad1066aa8ebf63675/61e30b6bb545d72fa270b2c3
実際にアクセスしてみると、何かの画像であった。

そもそも、gstatic[.]comとは
gstatic.comは何に使用されますか?あなたが知る必要があるすべて！ - JA Atsit
What is gstatic.com used for? All you need to know!
公式の文言が見つからなかったが、Googleの画像キャッシュサーバのようだ。無知でした。
そうであるならば、今回のURLは問題ないと言えるのではないだろうか。
一応、ドメインやIPも。

encrypted-tbn0.gstatic[.]com

VirusTotal: https://www.virustotal.com/gui/domain/encrypted-tbn0.gstatic.com/community
いくらかコメントがあるが、時と場合によっては怪しい画像へリンクされたためだろうか。

172.217.17.174

VirusTotal: https://www.virustotal.com/gui/ip-address/172.217.17.174/community
googleであると。


以上から
Answer:Non-malicious

Add Artifacts

Value	Type	Comment
https[:]//encrypted-tbn0.gstatic[.]com/images?q=tbn:ANd9GcSjESkzn2LUxELhnqZZWBbmGwtbqfFsaemB9w&usqp=CAU	URL Address	Google's image cache
172.217.17.174	IP Address	Google's image cache server

False Positive.

End

今回は誤検知であったという結果になったが、そもそも誤検知となった理由があるはずである。それは、単純にルールのミスなのか過去にencrypted-tbn0.gstatic.comへのアクセスが悪用されたのか分からないが、この理由をはっきりさせなければ今後の検知精度向上には繋がらない。

• Details
• playbook
  • Are there attachments or URLs in the email?
  • Analyze Url/Attachment
    • http[:]//bit.ly/3ecXem52
    • netflix-payments.com
    • 112.85.42.180
  • Check If Mail Delivered to User?
  • Check If Someone Opened the Malicios File/URL?
  • Add Artifacts
• End

Details

EventID: 34
Event Time: Dec. 5, 2020, 10:33 p.m.
Rule: SOC101 - Phishing Mail Detected
Level: Security Analyst
SMTP Address 112.85.42.180
Source Address admin@netflix-payments.com
Destination Address emily@letsdefend.io
E-mail Subject Netflix Deals!
Device Action Allowed

playbook

E-mail Subject: Netflix Deals!

From: admin@netflix-payments.com
admin@netflix-payments.com Dec. 5, 2020, 10:33 p.m.
->
To: emily@letsdefend.io
emily@letsdefend.io Dec. 5, 2020, 10:33 p.m.


Hey,

Register now and get 2 months free membership!

http://bit.ly/3ecXem52

Netflix.

Are there attachments or URLs in the email?

Answer:Yes

Analyze Url/Attachment

http[:]//bit.ly/3ecXem52

リンク先の確認を行う。
とりあえずのところ、現在はリンク先を確認できない。
Hybrid-Analysis: https://www.hybrid-analysis.com/sample/3be0a7d94496ea7176e45463e09429f856a0f5cf2321c5378c363439a94b3921/5fcf987e5b15c81b920f89c9
Malicious Indicatorsがあるがbit.lyに対してである。よくよくスクリーンショット見てみると、リンク先が確認できている訳ではなさそうだ。

netflix-payments.com

送信元ドメインを調査する。
VirusTotal: https://www.virustotal.com/gui/domain/netflix-payments.com
Hybrid-Analysis: https://www.hybrid-analysis.com/sample/e7197871d3093a8c017544dd0cffcac5c457b581d400bc286a2f55949d278994?environmentId=120
過去にはVirusTotalで3/79というレポートがある。リンク先の内容はこちらでも確認できない。
ViewDNS whois: https://viewdns.info/whois/?domain=netflix-payments.com
そもそも、ドメインレジストラを使っていたりNetflixと関係は無さそうで怪しい。

112.85.42.180

送信元のIPを調査する。
VirusTotal: https://www.virustotal.com/gui/ip-address/112.85.42.180
AbuseIPDB: https://www.abuseipdb.com/check/112.85.42.180
ip-sc: https://ip-sc.net/ja/r/112.85.42.180
Hybrid-Analysis: https://www.hybrid-analysis.com/sample/004e716bb3c39e8f56a9a468e3db239410685b7d2f8eb97d07f9fc89adffb465?environmentId=120
SSH bruteforce attack元であるというレポートが複数確認された。
過去にはVirusTotalで7/73というレポートがある。
これはMaliciousであると判断する。

Answer:Malicious

Check If Mail Delivered to User?

Device Action Allowed

Answer:Delivered

Check If Someone Opened the Malicios File/URL?

Log Searchにはhttp[:]//bit.ly/3ecXem52へのアクセスを確認されず。
Answer:Not Opened

Add Artifacts

Value	Type	Comment
admin@netflix-payments.com	E-mail Sender
netflix-payments.com	E-mail Domain	godaddy - domain reristrar
http[:]//bit.ly/3ecXem52	URL Address
112.85.42.180	IP Address	VirusTotal - 7/73. SSH bruteforce attack IP.

True Positive.

End

ログに無かったためにhttp[:]//bit.ly/3ecXem52へアクセスしていないと考えたが違ったようだ。
Endpointを確認してみると、

Browser History

2020-12-05 14:13: https://github.com/SecurityRiskAdvisors/VECTR/blob/master/VECTREndUserLicenseAgreement.pdf
2020-12-05 14:14: https://github.com/SecurityRiskAdvisors
2020-12-05 14:15: https://github.com/SecurityRiskAdvisors/VECTR
2020-12-05 14:16: https://github.com/SecurityRiskAdvisors/VECTR/blob/master/README.md
2020-12-05 22:13: http://bit.ly/3ecXem52
2020-12-05 22:15: http://places.hayatistanbul.net/wp-content/themes/Netflix

確かにアクセスしている。今後は何らかの要因でログに記録されないことも見据えて、ログだけでなくEndpointの調査を必要そうだ。
さらに言えば、wordpressのNetFlixテーマ？にアクセスしているのも気になるが、このURLだけではほとんど情報が確認できないため今回はこの調査は見送る。