GrrCon 2017 DFIR write up - Level 1

#GrrCon 2017 #DFIR #CTF challenge. Several host images and memory dumps need to be analysed and investigated. Submit IOCs as you progress...

GrrCon 2017 DFIR write up - Level 1

SPLOILER ALERT Some answers will be available - I'm currently still playing the later rounds, so some of this might seem unfinished. Hopefully this can help others get started.


This year's CTF is a realistic digital forensics and incident response challenge where you submit indicators of compromise as you go. It's also based on the characters from the Mr. Robot TV series so some names might be familiar.
Download the network logs (NSM), memory images and disk images before proceeding. The ECORPSO provided image contains network logs + memory images for your ease.

Everything you need it over at and Level 1 can be started here Downloads

Computer ecorpwin7 is owned by Angela Moss and has recently been infected with what looks like ransomware. We have to investigate and submit indicators to score points.

Tools I used:

  1. SANS SIFT / Remnux / Kali / Windows sandpit VM (I used my own but these 90 eval VMs are perfect - just load your tools)
  2. Volatility Framework - standalone Mac and SIFT (comes with various +plugins).
  3. Timeline Explorer by Eric Zimmerman
  4. / OneNote for note taking and diagramming.

Sandpit VM tools - I'm sure there are better lists but these are mine. Not all were used but most should help.

Another little tip is to use the free SANS resources especially the posters
Key ones;

  • Finding Evil
  • Windows Forensics Evidence Of
  • SIFT & Remnux Poster
  • DFIR Advanced Smartphone Forensics

1. Network Logs

Although we're looking at something that might have ran on Angela's PC I wanted to understand the network a bit more first. Plus I knew I had to do it at some stage as part of this 3 level CTF and it could possibly help.

I decided to attack these logs via the commandline and not use the Elastic Search / Security Onion provided VM. My SIEM skills are Splunk biased but I should really learn more about ELK in future! Given the amount of content in the CTF I'd rather crack on and revisit ELK stack after.

Just to note; not all network traffic will make much sense at this moment in time but look for anything abnormal and take note for later use.

Downloading and extracting the logs /nsm/bro/extracted/ is always a good place to start if available. Throw these extracted executables into VT to quickly check their malicious nature and work backwards from there.


Submit MD5 hash 256d4639b4514c420f482cc9e795cac3
Hydrid Analysis

Also, while moving data around my AV kicked off

Try find where these executables came from

zcat < 2017-10-*/*http* | grep -v "windowsupdate" | grep exe
...	8080	11	GET	/psa.exe	8080	1	HEAD	/web/un.exe	8080	1	GET	/web/pputty.exe
Microsoft BITS/7.5

Submit USERAGENT Microsoft BITS/7.5

zcat < 2017-10-*/*http* | grep -v "windowsupdate" | grep
...	8080	1	HEAD	/web/	8080	1	HEAD	/web/	8080	1	HEAD	/web/
zcat < 2017-10-*/*http* | grep -v "windowsupdate" | grep -v	62647	8080	8	GET	/
zcat < http_eth1.* | grep | more   45051   80      1       GET  /vvsfmp -       1.1     Wget   45638  80      1       GET        /houdini4_32.tgz        -       1.0     Wget   55965    80      1       GET /android/config_update/07252017-sms-blacklist.metadata.txt      -       1.1     AndroidDownloadManager/4.4.4 (Linux; U; Android 4.4.4; VMware Virtual Platform Build/KTU84Q)   45053   80      1       GET  /IP06KC -       1.1     Wget   37169  80      1       GET      /houdini.php?v=4_32 -       1.1     Wget   55965    80      2       GET /android/config_update/07252017-sms-blacklist.txt       -       1.1     AndroidDownloadManager/4.4.4 (Linux; U; Android 4.4.4; VMware Virtual Platform Build/KTU84Q)   40617    80      1       GET     /    -   1.1     Wget


zcat < */http* | grep -v '#' | awk -F '\t' '{print $10}' | sort -u
zcat < */http* | grep -v '#' | awk -F '\t' '{print $13}' | sort -u


2.Memory Analysis of ecorp7win

The memory capture file: ecorp7win-mem
Check the profile and do quick triage for anything abnormal. Not much running here besides Outlook and the elastic host agent. imageinfo -f ecorpwin7-2a617fe4.vmem -f ecorpwin7-2a617fe4.vmem --profile=Win7SP1x64 pstree -f ecorpwin7-2a617fe4.vmem --profile=Win7SP1x64 netscan

Note the IP of her machine ecorp7win-mem ( Next I recently found this super useful for painting a picture of what the user saw. This was the last thing on the desktop at the time of the memory capture. -f ecorpwin7-2a617fe4.vmem --profile=Win7SP1x64  screenshot --dump-dir=/

Windows Explorer and Outlook are open with the ransom note on her PC. Time is ~10:57PM. I guess they clicked an email which lead to code execution displaying the note. Capture what is on the Notepad for confirmation. -f ecorpwin7-2a617fe4.vmem --profile=Win7SP1x64 editbox

will show the contents of NOTICE.txt. -f ecorpwin7-2a617fe4.vmem --profile=Win7SP1x64 pslist -f ecorpwin7-2a617fe4.vmem --profile=Win7SP1x64 pstree -f ecorpwin7-2a617fe4.vmem --profile=Win7SP1x64 psaux

Dump the memory for the running processes OUTLOOK.exe -f ecorpwin7-2a617fe4.vmem --profile=Win7SP1x64 memdump -p 1700 -dump-dir=/cases/mem-dump/ -f ecorpwin7-2a617fe4.vmem --profile=Win7SP1x64 memdump -p 1728 -dump-dir=/cases/mem-dump/

See remenance of emails in memory using strings on the dumped data or use -f ecorpwin7-2a617fe4.vmem --profile=Win7SP1x64 yarascan -Y "From:"
Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from
	by (Dovecot) with LMTP id odbgJUPk71lmdAAAeAlg1Q
	for <[email protected]>; Tue, 24 Oct 2017 19:09:23 -0600
Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Tue, 24 Oct 2017 19:09:23 -0600
Received: from ([]:61248)
	by with esmtps (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128)
	(Exim 4.87)
	(envelope-from <[email protected]>)
	id 1e7ACA-00088w-RB
	for [email protected]; Tue, 24 Oct 2017 19:09:23 -0600
Received: from [] by 3c-app-mailcom-lxa15.server.lan (via HTTP);
 Wed, 25 Oct 2017 03:09:11 +0200
MIME-Version: 1.0
Message-ID: <trinity-032d6e70-6bf8-440d-ad84-acb728d53f03-1508893750403@3c-app-mailcom-lxa15>
From: "Lloyd Chung" <[email protected]>
To: [email protected]
Subject: Cool game
Content-Type: multipart/mixed;
Date: Wed, 25 Oct 2017 03:09:11 +0200
Importance: normal
Sensitivity: Normal
X-Priority: 3
From: <[email protected]>
To: <[email protected]>
Subject: help this game lloyd sent me is bugging out
Date: Tue, 24 Oct 2017 19:58:09 -0600
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: multipart/mixed;
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQMqpZDQ6p+OA+881tRTSsrOPslmmg==
Content-Language: en-us
X-OlkEid: 498403204A4FFABCBBD1A64FB3EB961FA476515A
This is a multipart message in MIME format.
Content-Type: multipart/alternative;
Content-Type: text/plain;
Content-Transfer-Encoding: 7bit
I think this game I wanted to pass the time is messed up I got this

Quick search for PST files from memory. -f ecorpwin7-2a617fe4.vmem --profile=Win7SP1x64 filescan | grep pst

Probably best to take note for now and pull from disk image later as it'll be much more easier.

Another quick win is to filscan for .exes in memory. -f ecorpwin7-2a617fe4.vmem --profile=Win7SP1x64 filescan > ecorpwin7_fiolescan_output.txt
cat ecorpwin7_filescan_output.txt | grep.exe
cat ecorpwin7_filescan_output.txt | grep.exe | grep -v Windows

SaveDataObj.exe is suspicious. Noted for later. We can recover the file from memory but as we have the disk image we can check there first. If it was deleted and we could not undelete then carving it from memory would be an option.

3.Disk Analysis of ecorp7win

There are various ways to mount a VMDK disk and extract the contents. I'm using a Mac so methods will differ. I used Paragon VMDK Mounter to quickly triage but found the below worked well too.

  1. Import downloaded OVA disk image.
  2. Once VM is imported. Ignore any OVA warning / error messages. Click retry.
  3. Under MacOS Vmware, Right click > Open "Show Package Contents"
  4. Remove VMDK and attach to SIFT Workstation VM (while SIFT vm is powered off)
    a. Add disk
    b. Existing
    c. Share with VM
  5. Boot SIFT
  6. Elevate to root sudo su -
  7. List disks/partitions fdisk -l. Look for /dev/sdXX or similar at the bottom
  8. mount -t ntfs -o ro /dev/sdc1 /mnt/windows_mount/
  9. Browse to /mnt/windows_mount/ to view files.
  10. Done

To quickly triage known badness I kick off a Loki yara scan of the disk.

git clone
cd Loki
sudo apt-get install python-pip
pip install netaddr psutil pylzma yara-python
python -p /mnt/windows_mount/ sansforensics@siftworkstation:~/Loki$ sudo python -p /mnt/windows_mount


Nothing found so I proceeded to search for the PST files from the disk as indicated in the earlier memory analysis. Once found in C:\Users\Angela.Moss\AppData\Local\Microsoft\Outlook\ copy locally and fire up KernelPSTviewer
There are lots of emails to take note of here. I read them all and added them to a timeline order. Interesting stuff...

Submit MD5 1ae87e7366afaf3758c51621ab598915
Submit MD5 683183673f340364a170db3382248ab9
Submit EMAIL [email protected]

Quick analysis of the binary.

strings saveDataObj.exe | grep -oE "\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b"

Submit IP
Check NSM logs for that IP - doesn't seem to be reaching out.

As caught in the memory forensics earlier, run a system wide search on the disk for SaveDataObj.exe to see where it copied itself.

find -type f -name saveDataObj.exe -exec md5sum {} \;


So manually checking over Document locations. Possibly encrypted files?
C:\Users\All Users\Documents\My Pictures\Sample Pictures\
using file you can check the file headers against a known list. I would normally expected picture formats not data. Content is scrambled when view with cat too.
Odd location to encrypt. So will check using the extension for any other places.

find -type f -name *.xoxoxo
find -type f -name *.xoxoxo | wc -l

So just a few more files (1831)... looks like the ransomware has a specific file type to encrypt. Not a complete match with the NOTICE.txt quote of

We're sorry but 4,569 of your important documents have been encrypted! You must pay us 10.000 Monero to be given the key to get your information back.
Browse to for instructions on how to proceed.
Your personal key is 8ibuPEJyxO52JCflG3lJo_WQX2Wp0BGJi2HzuVMYa6EuAyHtqcfyGYV6xBA9So5q

Also of note, which leads onto Level 2's Insider Threat theme if you've already view the question.

I noticed in some of the results I'm getting that the time is skewed so we need to confirm the correct timezone. The above email has had the time changed locally on my sandpit Windows 7 VM but when viewing the PST at first you will get the early hours if working from UTC/GMT/BST. -r /mnt/windows_mount/Windows/Sytem32/config/SYSTEM -p timezone


Just confirm the last logged on user was Angela. -r /mnt/windows_mount/Windows/Sytem32/config/SOFTWARE -p lastloggedon



Unlike previous GrrCon CTFs we have lots more information and on several systems. Using timelining like log2timeline and Volatility's timeliner tools it'll help automate and visualize events that have occurred. Rinse repeat with the other host images too.

MEMORY TIMELINE -f ecorpwin7-2a617fe4.vmem --profile=Win7SP1x64 timeliner --tz=MST7MDT --output=body --output-file=volmem-body_v2
mactime -b memory-body -z MST7MDT -d > memory-timeline_MST7MDT.csv

DISK TIMELINE /cases/plaso.dump /mnt/windows_mount/ -v /cases/plaso.dump -z list -z "US/Mountain" -o L2tcsv /cases/plaso.dump "date > '2017-10-25' AND date < '2017-10-26'" > /cases/supertimeline_MTZ.csv


Combine those memory and disk timelines together. /cases/plaso.dump /mnt/windows_mount/ --verbose /cases/plaso.dump

Check configured_zone = MST7MDT. PINFO will list out some more useful information that you can take note of such as Host, Time Zone, User information, and OS versions. -f ecorpwin7-2a617fe4.vmem --profile=Win7SP1x64 timeliner --tz=MST7MDT --output=body --output-file=/cases/timeliner.body -z list --parsers "mactime" -z "US/Mountain" /cases/plaso.dump /cases/timeliner.body -z "US/Mountain" -o L2tcsv /cases/plaso.dump "date > '2017-10-24' AND date < '2017-10-26'" > /cases/supertimeline_MST7MDT.csv
  1. Import *.csv into Time Line Explorer.
  2. Filter on 24th October
  3. Run through it once and "tag" interesting or suspicious events.
  4. Filter on only tagged documents to build.
  5. Done

Generated, imported and filtered timeline in Time Line Explorer.
Opening Outlook, clicking the Excel attachment and SaveDataObj.exe hitting the disk.
Then is executed, starts encrypting lots files with extension .xoxoxo ....
GRR ( Google Rapid Response ) kicking in @ 2257hrs like what we saw earlier in the ghost screenshot.

5. Diagramming (optional)

Not fully finished but it helped with getting the numerous systems painted out. As I go through the dumps I add key information such as login IDs, computer names, IPs, key files downloaded, malware execution etc.. hopefully by the end it should explain what happened. Take a look over at @malwareunicorn and her mad diagramming skills (Check out Bad Rabbit and Wannacry diagrams). It would be awesome to be able to do this more fluidly during incidents...



DigitalOcean Referral Badge