After seeing that Brian Baskin and Tony Cook had published a writeup solving the GrrCon 2015 memory challenges, I thought this would be an ideal way of testing VolUtility: a way to make sure that I have covered all the features, and if not, to work out how to add them so it does. Plus it looked like fun :)
I had someone copy all the questions from Brian's post so I could not read the answers, as I also wanted to try this on my own. I later went back to read their post in full and confirm my answers; it's also interesting to see how other analysts approach challenges.
Anyway, here are all the steps I used to solve the challenges.
I started with a vanilla build of VolUtility, using the install guide on the wiki, and went to load in the first image. I noticed that GrrCon had provided an MD5 along with all the sample data and couldn't understand why I had missed this from the session information, so I added an option to hash the image file at import. Turns out the provided hashes are for the rar file, not the evidence contained within.
We do not know what OS this is, so we set AutoDetect, tick the option to generate an MD5 and tell the imageinfo plugin to run automatically.
Once it's loaded you may need to refresh the page to view the newly populated imageinfo.
My config file was still set to run pstree and pslist on image load as well. Before I do anything I like to get a quick overview of what's running / been run on a box.
OK, we have Win7SP1x86 according to imageinfo, and VolUtility has already compiled a list of valid plugins for this image. Let's answer some questions.
Question 1 (target1.rar – 8353dj5R)
A front desk employee has reported that they may have clicked on a rather strange email that they thought was a security update. What is the email address that sent this email to the front desk user's mailbox?
Searching for data like this instantly screams Yara. As I have already seen the list of processes I know OUTLOOK.EXE is running so I can use this as a target PID to reduce scan time. If it fails I can always run it again without the PID specified. As we are looking for an email address we can search for standard SMTP Fields like From, To, Subject etc. We could also use a regex for any email address but this has the potential for a lot of false positive results.
That looks like our answer: email@example.com
The last incident response employee has gone missing and the company faces their largest client cancelling their contract. E Corp has strict policies about having a senior responder dedicated to cases that may have potential impact to their company image. What is the file name that was delivered in the email?
We know that our email address is inside the Outlook process. To find any other artifacts from the email we can dump the process memory and extract strings from it.
Process memory is typically a few hundred megs of data, so you need to specify which process to dump. From the pslist, right click the process row and select Store Process Mem. (This can take a few minutes. You can close the loading image and move on; it will continue in the background.)
Once it's completed, check the memdump plugin and you will see the file stored. Open the file details to see more information.
We are interested in strings. You can either download the file and run your own extraction, or open the strings tab, extract, and then download the strings file. The benefit of the latter is that the strings are stored in the DB for future use.
Open the strings output and search for "email" and we see something interesting. There is no attachment, but there is what looks like an HTML email body with a link to an external exe file.
The attackers seem to have phished a completely innocent AllSafeCyberSec user, what is the name of the malware they used?
To identify the malware we need the actual file. It’s not in pslist or in psscan so we need to find another way of getting it. Filtering the plugins for file we see there are two.
- filescan – Scans for file objects in memory
- dumpfiles – Extract memory mapped files.
Running filescan first and filtering for AnyConnect shows us several results.
From here we can use the context menu to extract the single file.
Checking VirusTotal results shows us that someone has already submitted this file. If it wasn't present we would have the option to upload it ourselves and see the results.
We can also use Strings and any Yara Rules we have in order to identify the family.
A quick Google of XTRAT shows us this is likely to be Xtreme Rat. Looking at strings we find references to XTREME which seems to confirm it for us.
The malware appears to be leveraging process injection. What is the process ID of the process that is injected?
Process injection (very simply) involves putting code from the malware inside a legitimate running process as a method of hiding in plain sight. If we find strings from our original sample in any other process, it's safe to say this is our injection.
There are a couple of ways to do this.
The malfind plugin is designed to find injected code but understanding what is real or a false positive can be challenging. The biggest issue is that it doesn’t reveal our eventual answer.
The second method I tried was the Yara Mem Scanner.
I search for XTREME and leave the optional PID empty so it scans all processes. I also limit the returned data to 30 chars so it's a bit more table friendly.
Looks like iexplore.exe has our injected code inside.
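The Yara memory scan used for both the SMTP header search earlier and the XTREME injection check here boils down to a byte-pattern search across process memory, reported per PID with a short snippet. As an added example, not code from the original post or from VolUtility, here is a plain Python version of that search run over constructed sample process memory; the PIDs, offsets and strings are made up for the example, and the optional pid argument mirrors the scanner's optional PID field.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample "process memory" keyed by PID. These are not dumps from the
# challenge images; the PIDs, offsets and text are made up for the example.
PROCESS_MEMORY: Dict[int, bytes] = {
    1001: (b"\x00" * 32
           + b"From: helpdesk@example.invalid\r\n"
           + b"To: frontdesk@example.invalid\r\n"
           + b"Subject: Security Update\r\n"
           + b"\x00" * 32),
    1002: b"\x00" * 16 + b"kernel32.dll\x00GetProcAddress\x00" + b"\x00" * 16,
    1003: b"\x00" * 8 + b"XTREME\x00settings follow here" + b"\x00" * 48,
}

# The header fields the Yara rule in the text looks for.
SMTP_FIELDS: List[bytes] = [b"From:", b"To:", b"Subject:"]


def printable(chunk: bytes) -> str:
    """Render a byte slice the way a results table would: non-printables become '.'."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)


def scan_memory(memory: Dict[int, bytes], patterns: List[bytes],
                pid: Optional[int] = None, snippet: int = 30) -> List[Tuple[int, int, str, str]]:
    """Return (pid, offset, pattern, snippet) for every hit, sorted by PID and offset.

    Restricting to one PID is the same trade-off as the optional PID field in the
    Yara Mem Scanner: a known process scans faster, and dropping the PID scans all.
    The snippet is cut to `snippet` characters to keep the output table friendly.
    """
    targets = memory if pid is None else {pid: memory[pid]}
    hits = []
    for proc_id, data in targets.items():
        for pat in patterns:
            for m in re.finditer(re.escape(pat), data):
                ctx = data[m.start():m.start() + snippet]
                hits.append((proc_id, m.start(), pat.decode(), printable(ctx)))
    return sorted(hits)


def processes_containing(memory: Dict[int, bytes], marker: bytes) -> List[int]:
    """PIDs whose memory carries the marker: the injection check from the text,
    where a sample's string turning up in another process points at the host."""
    return sorted({hit[0] for hit in scan_memory(memory, [marker])})


if __name__ == "__main__":
    for hit in scan_memory(PROCESS_MEMORY, SMTP_FIELDS, pid=1001):
        print(hit)
    print("processes containing XTREME:", processes_containing(PROCESS_MEMORY, b"XTREME"))
```

Searching fixed header tokens rather than a general email regex is the same choice the text makes: a regex for any address would also hit every address-like string in the process, so the fixed tokens keep the false positive count down.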
What is the unique value the malware is using in order to maintain persistence after reboot? (you will know it when you see it)
For the next set of questions I have a distinct advantage. One of my primary research subjects is extracting configuration settings from common Remote Access Trojans, and I have researched XtremeRat before. Typically RATs have a config file / settings that are decrypted at runtime, which means all the settings should be together in one block in memory.
My aim here was to answer the next couple of questions as best I could without using my existing research.
As we have the sample we can also run it in a sandbox and see what results we get. Using Brad's modified Cuckoo I submit the sample and let it complete.
We can also view registry keys from the ToolsBar Search, revealing the same answer.
What password is the malware using when authenticating back to its command and control server?
For this one we need to look closer at the malware. We know the process it's inside, and we know that all the malware's settings should be located together.
Dump the process memory for iexplore.exe, extract strings and look for MrRobot (we can also dump strings from the sandbox analysis if we selected the option).
From here it's a little bit of guesswork, some debugging and IDA work. Or some basic Google-fu for XtremeRat research papers will help narrow down the guesswork. We could also look for network traffic and try decrypting it to see if we get valid data.
There are a lot of other interesting artefacts in here but we will come back to these later.
Malware often uses a unique value or name to ensure only one copy of itself is running on the system, what is the unique name the malware is using?
This is commonly known as a mutex. This is set by the malware and is also typically included in the config section. Once again we can get this from our sandbox analysis or from our memory sample. mutantscan and handles are two plugins designed to extract this information.
Cross referencing between strings, plugins and sandbox results reveals our answer.
It appears that a notorious hacker compromised this box before our current attackers, name the movie he/she is from?
This was a difficult question to answer and it was purely by luck that I found it. It's difficult to try and distinguish between our attacker and any previous hackers. As I was examining the output of plugins, trying to think of some logical way I could look for this answer, I saw zerocool. And that was it, question answered. (Never underestimate the power of randomly looking through data.)
What is the NTLM password hash for the administrator account?
Running the hashdump plugin gives us this one easily.
The attackers appear to have moved over some tools to the compromised frontdesk host. What are they?
Files created on the box. This just sounds like a job for the $MFT, which will show us MAC times for all files on the disk. The web view is a little immature for properly filtering these values, so I also run this using the vol command line option and output the results to a txt file on disk, using the web view and the txt output wherever is easiest.
Starting with the creation of our malware we look at any FILE_NAME elements that follow and see if any look interesting. A good way to filter if using the web is to filter around a date / time stamp.
rar.exe, wce.exe and nbtscan.exe stand out. Everything else in this half hour window seems to be log / temp files and attributes being set.
We also caught a glimpse of these in the strings for the memory dump of iexplore.exe
These tools can easily be identified by a quick Google or even dumping the files from the filescan table and examining them individually.
- nbtscan.exe – Network NetBIOS Scanner
- rar.exe – compression tool
- wce.exe – Windows Credential Editor
It appears the attackers used one of their tools to dump clear text passwords. What is the password for the frontdesk local administrator account?
If attackers are running tools remotely then it’s typically going to be a command line tool. There are 3 plugins that can help us here.
Running all three and looking at the results we see one that is interesting in the context of the question. We know from the earlier question that wce.exe is designed to manipulate user accounts. The plugins show us the command was run and the output piped to w.tmp.
Heading back to filescan filtering for w.tmp and dumping the file in the same manner as the earlier question we get our answer.
We can also see this answer in the output of the console session using the consoles plugin.
What is the std create date timestamps for the nbtscan.exe tool?
We already have this from the $mft in a previous question.
Answer: 2015-10-09 10:45:12
The attackers appear to have stored the output from nbtscan tool in a text file on disk called nbs.txt. What is the IP Address of the first machine in that file?
filescan and filedump again to get this one.
What is the full IP address and port the attacker's malware was using?
The netscan plugin scans memory for all network connections. We know the malware is in iexplore.exe so filter for the process name or PID
Again we could also get this from the SandBox report
It appears the attacker also installed legitimate remote administration software. What is the name of the running process?
Looking through the pslist entries we see TeamViewer, a well known legitimate remote administration tool.
Remember when we were looking through the strings for iexplore.exe: one of the other things you would have seen if you scanned through that section of data were 'shellcommands' and dir listings, among other things. These are all commands that were run in the context of this malware. Among them we see many references to TeamViewer, confirming this was the attacker and not the user.
It appears a built in remote access method was also used by the attackers, what IP address did they connect to?
We are on windows and the built in Remote Desktop is RDP. We can look at connections and filter on the default port of 3389 or the process name mstsc.exe.
Interestingly strings also show a line 10.1.1.21 – Remote Desktop Connection. And a search in Timeliner for ‘Remote Desktop’ shows the frontdesk user has used RDP 7 times.
Question 17 (target2.rar)
It appears the attackers moved laterally from the frontdesk machine to the Security Admin's (Gideon) machine and dumped passwords. What is Gideon's password?
Lateral movement means a new memory image. I load this one into a new session in the same way I did the first.
The question is similar to the password dump one from earlier. Did the attacker use the same technique? A combination of cmdscan, consoles and cmdline reveals our answer.
Yes they did, so once again filescan and dumpfiles will give me the answer.
Once the attackers gained access to Gideon they pivoted to the AllSafeCyberSec domain controller in order to steal files. It appears they were successful, what password did they use?
The answer to this is visible in the cmdscan output. We can see a chain of events.
- Connect to a remote share
- navigate the directories
- copy rar.exe
- rar all the text files and password the archive
There seem to be two passwords listed in the cmdscan.
The first command uses the wrong syntax, so our answer is the second.
What was the name of the rar file created by the attackers?
We have this from the same cmdscan output.
What is the name of the files the attackers added to the rar archive? Should be listed in the order they were added.
The rar is on a remote system so it’s not in our filescan list. This also would not give us the order they were added. We know it was done via the command line so dumping memory for the PID that was actively running the commands may provide more detail.
Same method as before.
- pslist filter for PID 3048
- Store Process Memory
- Store the strings
In this case I also had to run the strings util against the memdump. At the time of writing the VolUtility strings extraction doesn't handle Unicode very well, and conhost seems to be all Unicode strings.
Downloading the raw mem and running strings -e l 3084.dmp.bin > 3048.strings.txt still reveals my answer (filtered a little for readability).
Opening the raw dump in a hex editor or using some yara string searches would also get you the answer.
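The reason conhost strings go missing is that Windows console buffers hold UTF-16LE text, so every character is followed by a NUL byte and an ASCII-only extractor sees runs of length one. As an added example, not code from the post or from VolUtility, the Python below extracts both ASCII runs (what strings reports by default) and UTF-16LE runs (what strings -e l adds) from a constructed dump; the file name and console line in the sample are made up for the example.

```python
import re
from typing import List, Tuple

# Constructed stand-in for a slice of a conhost.exe memory dump: an ASCII file
# name padded with NULs, then a console line stored as UTF-16LE. Not data from
# the challenge images.
SAMPLE_DUMP: bytes = (
    b"\x00" * 8
    + b"1.bat"
    + b"\x00" * 3
    + "Directory of C:\\Users\\frontdesk".encode("utf-16-le")
    + b"\x00" * 8
)


def extract_strings(data: bytes, min_len: int = 4) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) for every printable run of at least min_len
    characters, in ASCII (strings' default) and in UTF-16LE (strings -e l)."""
    # A printable ASCII byte is 0x20..0x7e; a UTF-16LE character is that byte plus NUL.
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_re.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le"))
              for m in utf16_re.finditer(data)]
    return sorted(found)


def grep_strings(data: bytes, needle: str) -> List[Tuple[int, str, str]]:
    """Filter the extracted strings for a keyword regardless of encoding, the
    equivalent of piping the strings output through grep."""
    return [s for s in extract_strings(data) if needle in s[2]]


if __name__ == "__main__":
    for offset, encoding, text in extract_strings(SAMPLE_DUMP):
        print(f"{offset:#010x} {encoding:8} {text}")
```

Running the ASCII pattern alone over the same bytes returns only 1.bat, which is exactly the gap the text hit with the web extractor: the console line is there, it is just encoded two bytes per character.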
The attackers appear to have created a scheduled task on Gideon's machine. What is the name of the file associated with the scheduled task?
Scheduled tasks are stored on disk as .job files. filescan shows the presence of a generically named task, At1.job. Trying to parse this file from disk doesn't give us anything usable.
I was looking back through my answers from earlier and realised the $MFT had data entries. If a file is below a certain size its contents are written into the $MFT as a resident $DATA attribute. This was worth a look, so I used the command line to dump the file out to txt and jumped in. And there was my answer.
If we cross reference this with data from target 1, namely our strings from iexplore.exe, and search for 1.bat, we find some interesting strings.
Volume in drive C has no label.
Volume Serial Number is FE0F-F423
Directory of C:\Users\frontdesk
10/09/2015 08:07 AM <DIR> .
10/09/2015 08:07 AM <DIR> ..
10/09/2015 07:56 AM 58 1.bat
10/09/2015 07:34 AM 51 a.bat
This shows us where the file came from and it also tells us something about the attacker. The first bullet is an Xtreme Rat command: the attacker uploaded a file from his local machine, which is the Whiterose user. Looking in the $MFT for the $DATA section for 1.bat shows the bat file is used to run the wce command.
Question 22 (pos01.rar)
What is the malwares cnc server?
Another memory image so create a session in the same manner as the last two.
We are looking for command and control traffic, so netscan is the plugin for this. Filtering for ESTABLISHED connections, all we can see is outlook.exe to an internal IP address in the same network. This seems legit, so we move on.
Filtering for CLOSED will show us recent connections.
These have external IPs, but identifying whether any of these belong to our malware is not obvious from this view alone.
We saw iexplore.exe was injected with XtremeRat in the earlier image, so it's worth checking for injected processes again. Running malfind will try to detect this behaviour.
A key indicator when looking at malfind results is an executable header, MZ or 4d5a in hex. Both Internet Explorer processes have this indicator, and 3208 has a closed connection, so let's start with this one.
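malfind's rule, and the 4d5a check applied to its output above, can be written out as a short triage over VAD regions. As an added example, not code from the post, from VolUtility or from Volatility, the Python below flags private regions that are both writable and executable and ranks those whose first bytes are an MZ header ahead of the rest; PID 3208 is the iexplore.exe process from the text, while the other PIDs, addresses and region contents are made up.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Vad:
    pid: int
    process: str
    start: int
    protection: str   # page protection as malfind prints it
    private: bool     # private memory, not backed by a file on disk
    head: bytes       # first bytes of the region, what malfind hexdumps


# Constructed VAD summaries. PID 3208 is the iexplore.exe process named in the
# text; the other PIDs, addresses and region contents are made up for the example.
REGIONS: List[Vad] = [
    Vad(3208, "iexplore.exe", 0x00400000, "PAGE_EXECUTE_READWRITE", True, b"MZ\x90\x00\x03\x00\x00\x00"),
    Vad(2804, "iexplore.exe", 0x02F30000, "PAGE_EXECUTE_READWRITE", True, b"MZ\x90\x00\x03\x00\x00\x00"),
    # RWX private memory without a header: what JIT engines leave behind, the
    # usual source of false positives the text warns about.
    Vad(2804, "iexplore.exe", 0x04A10000, "PAGE_EXECUTE_READWRITE", True, b"\x55\x8b\xec\x83\xec\x10\x00\x00"),
    # A normally mapped DLL: has an MZ header but is file-backed, so not a candidate.
    Vad(1500, "explorer.exe", 0x10000000, "PAGE_EXECUTE_WRITECOPY", False, b"MZ\x90\x00\x03\x00\x00\x00"),
    # Ordinary heap: private but not executable.
    Vad(1500, "explorer.exe", 0x00230000, "PAGE_READWRITE", True, b"\x00" * 8),
]


def is_malfind_candidate(vad: Vad) -> bool:
    """Core malfind rule: private memory that is both writable and executable."""
    return vad.private and vad.protection == "PAGE_EXECUTE_READWRITE"


def has_mz_header(vad: Vad) -> bool:
    """The 4d5a check from the text: a PE header where no mapped image should be."""
    return vad.head[:2].hex() == "4d5a"


def triage(regions: List[Vad]) -> List[Dict]:
    """Candidates ranked so MZ-headed regions come first, then by PID, then address."""
    rows = [
        {"pid": v.pid, "process": v.process, "start": hex(v.start), "mz": has_mz_header(v)}
        for v in regions
        if is_malfind_candidate(v)
    ]
    return sorted(rows, key=lambda r: (not r["mz"], r["pid"], r["start"]))


if __name__ == "__main__":
    for row in triage(REGIONS):
        print(row)
```

The ranking is the analyst's reading order, not a verdict: the headerless RWX region still gets listed, because shellcode stubs have no MZ either, but the MZ hits are where a dump and a VirusTotal check pay off first.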
I don’t have a nice way (yet) of storing the data dump of malfind in the db so this needs command line. What I have done is add a way to easily run vol command line from inside the web gui.
You can specify --profile and -f, or you can use %placeholders% to include the session's details:
%profile% %path% malfind -p 3208 --dump-dir=/tmp/malfind
From here you can add external files into the session using the Tools Bar Extra Files tab, and we can extract strings, scan with Yara and check VirusTotal as we can with any other extracted file.
The VirusTotal scan comes back with a number of results, so we can be reasonably sure this is malware and that the IP is likely our CnC.
What is the common name of the malware used to infect the POS system?
We can get this from the VirusTotal results: Dexter. Google confirms Dexter is a POS malware family.
In the POS malware's whitelist, what application was specific to AllSafeCyberSec?
If we want to know anything about the malware we can look at the strings of the binary or at the strings of the injected process.
Looking at the strings of our newly stored file, right at the top of the list is allsafe_protector.exe. After a quick scan through the rest of the strings and the process memory, this seems the most obvious answer.
What is the name of the file the malware was initially launched from?
Looking at pslist and pstree there is no process that matches the PPID. I would normally use the shimcache plugin here to get an idea of what is executing on the box, but in this instance it doesn't return any results. So instead I go for Prefetch. .pf files are created when executable files are run, and the $MFT will contain entries for any prefetch files and the time they were created.
pslist gives me the time the iexplore.exe process was started so it’s just a matter of looking for .pf files in the same time.
Only one Prefetch file at the same time as IE was launched. Searching for allsafe_update in the filescan plugin reveals the full filename and path of the malware.
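The $MFT time-window filtering used for the tools question earlier and the Prefetch to process-start correlation used here are both time-proximity checks over file creation entries. As an added example, not code from the post or from VolUtility, the Python below does both over a single constructed set of $MFT FILE_NAME creation times that borrows file names from the text; only the nbtscan.exe timestamp is the one given in the text, and the other paths and times, the prefetch hash and the process start time are made up.

```python
from datetime import datetime, timedelta
from typing import List, Tuple

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed $MFT FILE_NAME creation entries as (timestamp, path). The nbtscan.exe
# time is the one given in the text; every other row, including the prefetch hash,
# is made up for the example.
MFT_ENTRIES: List[Tuple[str, str]] = [
    ("2015-10-09 10:14:40", "Users\\frontdesk\\AppData\\Local\\Temp\\a.tmp"),
    ("2015-10-09 10:31:05", "Users\\frontdesk\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\allsafe_update.exe"),
    ("2015-10-09 10:31:09", "Windows\\Prefetch\\ALLSAFE_UPDATE.EXE-DEADBEEF.pf"),
    ("2015-10-09 10:40:58", "Windows\\Temp\\rar.exe"),
    ("2015-10-09 10:44:30", "Windows\\Temp\\wce.exe"),
    ("2015-10-09 10:45:12", "Windows\\Temp\\nbtscan.exe"),
    ("2015-10-09 10:46:01", "Windows\\Temp\\w.tmp"),
    ("2015-10-09 13:02:17", "Windows\\Logs\\CBS\\CBS.log"),
]

EXECUTABLE_EXT = (".exe", ".dll", ".bat", ".ps1", ".vbs", ".scr")


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, FMT)


def files_after(entries: List[Tuple[str, str]], pivot: str, minutes: int = 30) -> List[Tuple[str, str]]:
    """FILE_NAME entries created from the pivot time up to `minutes` later: the
    'filter around the malware creation time' step from the tools question."""
    start = parse_ts(pivot)
    end = start + timedelta(minutes=minutes)
    return [(ts, path) for ts, path in entries if start <= parse_ts(ts) <= end]


def executables(rows: List[Tuple[str, str]]) -> List[str]:
    """Keep only entries that look like code; logs and temp files drop out."""
    return [path for _, path in rows if path.lower().endswith(EXECUTABLE_EXT)]


def prefetch_near(entries: List[Tuple[str, str]], process_start: str, slack_seconds: int = 10) -> List[str]:
    """.pf files created within `slack_seconds` of a process start time: pslist
    gives the start, the $MFT gives the prefetch creation, and a match names the
    executable that was launched."""
    t0 = parse_ts(process_start)
    return [path for ts, path in entries
            if path.lower().endswith(".pf")
            and abs((parse_ts(ts) - t0).total_seconds()) <= slack_seconds]


if __name__ == "__main__":
    window = files_after(MFT_ENTRIES, "2015-10-09 10:31:05")
    print("executables in window:", executables(window))
    print("prefetch near start:", prefetch_near(MFT_ENTRIES, "2015-10-09 10:31:07"))
```

Both functions are deliberately loose on the time side: a window of thirty minutes and a slack of ten seconds are where the text's own reading of the $MFT landed, and tightening them is a matter of changing the arguments once the first hits are in hand.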
It's not directly related to the question, but we can see that this file sits in Temporary Internet Files, which means it was downloaded. I would be interested to see where the download came from and how it was initiated.
iehistory parses the db that contains this information and gives us the location of the download.
Hmmm, looks like Outlook opened the file. Outlook is still an active process, so I dump memory, get strings and off I go again.
Looks like Gideon's account was used to send more malware from the inside.
Anyway, I could follow this thread forwards and backwards for a while collecting all the information, so back to the answer at hand.
Answer: allsafe_update.exe (the  is an internet explorer quirk not part of the filename)
Question 26 (ex01.rar)
What is the name of the file the attackers used to control the exchange server? Example value: file.aspx
Another image, this time an Exchange server. This memory image is a little over 8Gb, so processing each command is going to take a lot longer than for the other images, especially features like autodetect. So I set the most common plugins I expect to use running and head off to make a cup of tea, or two.
Once the plugins have loaded we can start.
It’s a file we are looking for and its used to control the exchange server. This leads me to run filescan (im probably going to need this later anyway) and netscan.
netscan returns a lot of results, 1057 of them. Putting them in IP order and scanning through the list, there are a couple of closed connections to external IPs but the PID is listed as -1. This doesn't help me much.
We know the machine is being controlled, so I try cmdscan and consoles to look for any sign of this. Unfortunately these plugins do not return any data. I try in the native command line and still no results. pslist and others are working fine, but this machine is so busy it's hard to pick a starting point.
I start looking through the processes and spot net.exe: not all that unusual to see on a server, but I know this has been used by our attackers in the past. Still nothing concrete. I need to understand what is happening on this system, so I hit the Process Map button on the ToolBar. It takes several minutes, but I'm then presented with a png that shows the output of pstree.
Saving this and opening it in an image editor (with some zoom) puts everything into a bit of perspective. It doesn't take long to see the starting point I have been looking for.
A single process spawning multiple command prompts, which in turn spawn net.exe and conhost.exe, definitely looks suspect, if you had not yet guessed. Dumping the parent process memory to strings seems like the best move.
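The pattern spotted in the process map, one parent spawning several cmd.exe children that each run net.exe, can also be found without rendering a png by walking the pslist output as a tree and counting children by name. As an added example, not code from the post or from VolUtility, the Python below builds the tree from constructed (pid, ppid, name) rows; w3wp.exe is the IIS worker process named in the text, while every PID and the remaining rows are made up.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed pslist-style rows (pid, ppid, name). w3wp.exe is the IIS worker
# process from the text; every PID and the other rows are made up for the example.
PROCESSES: List[Tuple[int, int, str]] = [
    (4, 0, "System"),
    (300, 4, "smss.exe"),
    (420, 300, "services.exe"),
    (700, 420, "svchost.exe"),
    (1200, 420, "w3wp.exe"),      # a quiet worker process, no children
    (1300, 420, "w3wp.exe"),      # the busy one
    (2001, 1300, "cmd.exe"),
    (2003, 2001, "net.exe"),
    (2011, 1300, "cmd.exe"),
    (2013, 2011, "net.exe"),
    (2021, 1300, "cmd.exe"),
    (2022, 2021, "net.exe"),
    (3100, 420, "explorer.exe"),
    (3101, 3100, "cmd.exe"),      # a lone shell: below the threshold
]


def build_tree(rows: List[Tuple[int, int, str]]):
    """Index the listing by PID and group children under their parent PID."""
    names: Dict[int, str] = {}
    children: Dict[int, List[int]] = defaultdict(list)
    for pid, ppid, name in rows:
        names[pid] = name
        children[ppid].append(pid)
    return names, children


def spawners_of(rows: List[Tuple[int, int, str]], child_name: str = "cmd.exe",
                min_children: int = 2) -> List[Tuple[int, str, int]]:
    """Parents with at least min_children children named child_name: the
    'one process spawning multiple command prompts' pattern from the process map.
    Returns (ppid, parent name, count), sorted by PID."""
    names, children = build_tree(rows)
    found = []
    for ppid, kids in children.items():
        if ppid not in names:
            continue  # parent is not in the listing (already exited, or PID 0)
        count = sum(1 for kid in kids if names[kid].lower() == child_name)
        if count >= min_children:
            found.append((ppid, names[ppid], count))
    return sorted(found)


def render_subtree(rows: List[Tuple[int, int, str]], root: int) -> List[str]:
    """Indented pstree-style lines under one PID, so the chain reads in plain text."""
    names, children = build_tree(rows)
    lines: List[str] = []

    def walk(pid: int, depth: int) -> None:
        lines.append("  " * depth + f"{names[pid]} ({pid})")
        for kid in sorted(children.get(pid, [])):
            walk(kid, depth + 1)

    walk(root, 0)
    return lines


if __name__ == "__main__":
    for ppid, name, count in spawners_of(PROCESSES):
        print(f"{name} ({ppid}) spawned {count} cmd.exe children")
        print("\n".join(render_subtree(PROCESSES, ppid)))
```

The threshold is the interesting knob: on a server where administrators open a shell now and then, a single cmd.exe under explorer.exe is noise, whereas several under a web server worker process is the kind of thing that only a web shell or a misbehaving application produces.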
While I wait for the dump to complete I look up w3wp.exe. TechNet says it's an IIS worker process for handling requests sent to web servers.
If it's a web service that's compromised there is an above average chance you're looking for a web shell, and web shells for IIS are typically aspx files. (Seems like the example in the question was more of a hint than an example.)
The memory dump completes and comes in at 3Gb! I download the memdump and use strings, piping the output to a text file.
Strings completes, so I start looking for cmd.exe and net and find some very interesting strings.
None of the strings really help me answer the question, but it looks like they are using this folder as a staging area, so I run mftparser to see what's going on here. A few filenames jump out.
Then I see what I'm looking for: an aspx page in the staging area with some suspect data that was stored in $DATA.
What is the common name of the malware used to control the exchange server?
The aspx file was not memory resident, so there was no way to simply scan the file. I took to Google armed with a handful of the strings and came across a FireEye blog, https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html, that contains all the same file indicators as the one I'm looking at in memory.
What is the key the malware that is on the exchange server uses? Not decrypted!
In the staging area we saw th3k3y.txt. Not much of a leap to assume this is the file we want. A quick check of the $MFT we dumped earlier shows us the data we need.
And that brings us to the end of the challenge. There are still plenty of questions that can be asked and there is an abundance of extra information that can be extracted from the memory samples. But that's a job for another day.
As I said at the start this post was mainly about showcasing VolUtility and making some improvements / adding features as I went, but it was also a lot of fun.
As usual Questions, Queries, Comments below.