GrrCon 2016 DFIR Write up - Part 1

CTF HOMEPAGE https://ir.e-corp.biz/home

To start off, get Volatility or a prebuilt vm like SANS SIFT Workstation, they've recommended using the provided Security Onion image. Also, check out the community plugin repo for Volatility.

Download CTF files - specifically NSM.zip

** SPOILER ALERT **

Level 1

Question 1)

First lets find out what started the shit storm on his computer! What is the c2 address of the malware? (this case involves the host IP 10.1.1.122 of Phillip Price)

I decided to go at the Bro log files.

cat * 2016-10-0*/http* | grep 10.1.1.122

Answer: 54.174.131.235

Question 2)

What is the User Agent string of the malware?

From the same log as above it provides the full user agent string.

Answer: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36

Question 3)

What is the AV common name Used by Kasperskyfor the delivered malware? (Case doesn't matter some times there is more than one name used by av vendors so try alt names if you're sure or message me) Example: darkrat Update: I'm going through the answers of this once in a while to check to see if those are close I will mark it correct.

cat * 2016-10-0*/http* | grep 10.1.1.122 | grep 54.174.131.235 | grep exe

Check out the Bro extracted files...

open them up in VirtualTotal OS X Uploader

Looking into the ones highlighted as malicious. 2 of the files had the same file hash (f33cb6aeaba31c6ffff19872b3d53f364a3ff934e728cb3e0e771e2372fae6b2) and were detailed as AVUpdates. This left me with

Looking at the Kaspersky AV names, Trojan-Spy.Win32.Teamspy.aa stands out and there are numerous articles about a Teamviewer malware with that name.

Answer: teamspy

Question 4)

What is the malware version?

Using the same bro logs you can see a request which is different to the rest

Bro http.log string

1475582882.764273	CMno3nDHhxUxNNBM7	10.1.1.122	49284	54.174.131.235	80	1	GET	54.174.131.235	/getinfo.php?id=528812561&stat=1&tout=10&osbt=2&osv=6.1&osbd=7600&ossp=0.0&ulv=2&elv=0&rad=0&agp=1&devicea=0&devicev=0&uname=phillip.price&cname=WIN-191HVE3KTLO&vpn=0&tvrv=0.2.2.2

Kevin Breen submitted his write up in which he said the answer was in the HTTP strings but within the process memory dump of the SkypeC2AutoUpdate.exe.

Time to fire up Vol and have a further look into SkypeC2AutoUpdate.exe.

First thing is to get the image type of the memory dump.

./volatility_2.5_mac -f win7ecorpoffice2010-36b02ed3.vmem imageinfo

Now we can show the running processes.

./volatility_2.5_mac -f win7ecorpoffice2010-36b02ed3.vmem --profile=Win7SP1x64 pslist

We can dump the process memory for that PID.

./volatility_2.5_mac -f win7ecorpoffice2010-36b02ed3.vmem --profile=Win7SP1x64 memdump -D ./evidence -p 1364
strings -n 10 1364.dmp | grep 54.174.131.235

Answer: 0.2.2.2

Onto part 2...