I’ve been enjoying the IR challenges lately, perhaps just because I’ve gotten bored of the same webapp attack vectors and am learning something new over here. Anyhow, let’s learn some memory analysis techniques!
At the time of writing there’s no write-up for this challenge, so hopefully I can be the first to the draw here and help others.
- User Information
- System Information -> Operating System Information
- File Download History
- Go back to home and click the second option: File Download History
- Click File System in the Analysis Data menu and select the entire disk:
- Filter for the extension change. The answer should be matches/2, but it’s actually matches*2 (an error in the room, I think!)
- Go to the timeline and filter to .bmp
- Click File System and look for a readme file!
- Filter for the Favorites folder - the answer is the longest filename.
- Filter for the desktop and look at the two files with 0 bytes.
- We can see the file he downloaded onto his desktop. Take the filename and search the timeline to get the MD5 hash.
- Look at the user’s browser history and search for decrypt.
- This one was tricky because I could only find two names myself. You can quickly get two from VirusTotal; the third was actually an alias for the group name rather than the payload itself, but I found it mentioned on Tripwire.com.
We’re provided a machine with the challenge that we boot up; there’s one folder on the desktop containing a Redline session, which I opened:
Fair warning - I’ve never heard of this software before so this is all new to me!
Alright, once it finished loading we’re presented with a big nested list of analysis data:
I quickly found the first few pieces of information, and started looking to figure out what malicious payload had been executed. There is no data in the Processes menu.
I looked in the event logs, and there are logs from 2011 to 2021 here. No wonder it took so long to load.
I sorted for newest logs first and started reading through to try to notice some patterns.
There’s a huge list of System fatal alerts near the end of the log capture, with "fatal alert was received: 70 || 40". These are Schannel TLS alerts (40 is handshake_failure, 70 is protocol_version), logged whenever a remote peer rejects a TLS connection, so the burst itself only tells us that something on the box was repeatedly failing to negotiate TLS; the lead is in what happened just before it. I tried to scroll to the top of that to see what may have triggered it:
- DNS query for gavelmasters.com
- MSIEXEC.exe triggered a system reboot
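That "scroll to the top of the burst" step is easy to script once you have a timeline export. The following is an added example, not code from the original write-up and not part of Redline: it groups the Schannel fatal-alert entries into bursts and lists the non-alert events in the minutes before each burst began. The CSV rows are constructed for the example (only the indicators gavelmasters.com, MSIEXEC.exe and the alert codes 70/40 come from this post), and the column names and the exact alert wording are assumptions about the export format.

```python
"""Find bursts of Schannel fatal alerts in a timeline export and show what preceded them.

Added example; the sample rows below are constructed and not taken from the challenge.
"""
import csv
import io
import re
from datetime import datetime, timedelta

# Constructed sample in the shape of a timeline export (timestamp, source, summary).
# Timestamps and message text are made up; the column layout is an assumption.
SAMPLE_TIMELINE = """\
timestamp,source,summary
2021-03-04 09:12:10,Event Log,Service Control Manager: The Windows Update service entered the running state.
2021-03-04 09:40:31,Event Log,Schannel: A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 40.
2021-03-04 10:01:05,Event Log,DNS Client: DNS query for gavelmasters.com
2021-03-04 10:01:20,Event Log,Process Create: C:\\Windows\\System32\\MSIEXEC.exe
2021-03-04 10:01:44,Event Log,User32: The process MSIEXEC.exe has initiated the restart of the computer
2021-03-04 10:03:02,Event Log,Schannel: A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 70.
2021-03-04 10:03:03,Event Log,Schannel: A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 40.
2021-03-04 10:03:05,Event Log,Schannel: A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 70.
2021-03-04 10:03:09,Event Log,Schannel: A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 40.
2021-03-04 10:03:12,Event Log,Schannel: A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 70.
"""

# Matches the Schannel message and captures the TLS alert code (40 = handshake_failure, 70 = protocol_version).
ALERT_RE = re.compile(r"fatal alert was received.*?alert code is (\d+)")
TIME_FMT = "%Y-%m-%d %H:%M:%S"


def parse_timeline(text):
    """Parse the CSV into dicts and sort oldest-first (exports are often newest-first)."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.strptime(row["timestamp"], TIME_FMT)
        rows.append(row)
    rows.sort(key=lambda r: r["timestamp"])
    return rows


def _burst(events, run):
    codes = [ALERT_RE.search(events[i]["summary"]).group(1) for i in run]
    return (run[0], run[-1], codes)


def find_bursts(events, min_size=3, max_gap=timedelta(seconds=30)):
    """Group fatal-alert events into bursts.

    A burst is a run of alert events where each alert follows the previous one
    within max_gap (other event types in between do not break the run) and the
    run has at least min_size alerts. Returns (first_index, last_index, codes).
    """
    bursts, run = [], []
    for i, ev in enumerate(events):
        if not ALERT_RE.search(ev["summary"]):
            continue
        if run and ev["timestamp"] - events[run[-1]]["timestamp"] > max_gap:
            if len(run) >= min_size:
                bursts.append(_burst(events, run))
            run = []
        run.append(i)
    if len(run) >= min_size:
        bursts.append(_burst(events, run))
    return bursts


def events_before(events, index, window=timedelta(minutes=5)):
    """Return the non-alert events in the window leading up to events[index]."""
    start = events[index]["timestamp"] - window
    return [
        ev for ev in events[:index]
        if ev["timestamp"] >= start and not ALERT_RE.search(ev["summary"])
    ]


def triage(text):
    """For each alert burst, report its size, the alert codes seen and what ran just before it."""
    events = parse_timeline(text)
    report = []
    for first, last, codes in find_bursts(events):
        report.append({
            "start": events[first]["timestamp"],
            "count": len(codes),
            "codes": sorted(set(codes)),
            "preceding": [ev["summary"] for ev in events_before(events, first)],
        })
    return report


if __name__ == "__main__":
    for burst in triage(SAMPLE_TIMELINE):
        print(f"{burst['count']} fatal alerts (codes {', '.join(burst['codes'])}) starting {burst['start']}")
        for line in burst["preceding"]:
            print("   before:", line)
```

On the constructed rows this reports one burst of five alerts and lists the DNS query, the MSIEXEC.exe process creation and the restart as the events immediately before it; the single alert at 09:40 is ignored because it never reaches `min_size`. The lone-alert threshold matters on a real image: Schannel alerts are everyday noise, and only a tight cluster right after something else happened is worth chasing.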
Their browser history may prove useful as well:
Here’s a little summary of notable activity:
- Last visited was btloader.com
- Visited Torproject frequently; could easily have contracted malware from there while trying to obtain something himself…
- Was hosting something on his machine: http://192.168.75.129:4748/Documents (Note from future self: this wasn’t his machine’s IP!)
- It looks like a browser was used to access some files on the system (is this remote access activity or something?), picture below
File downloads seem very telling:
I kept poking around, and wound up going back to home and clicking the second option, which produced a lovely filtered dashboard of what appears to be everything important. I searched for the .exe and found the MD5 of the payload!
This is pretty well discussed on VirusTotal.
The hints in this room tell us to look at the user’s desktop, but I couldn’t figure out how to do that… turns out you just need to click File System, which I thought was just a heading rather than an actual menu:
A lot of the remaining questions are very easy once you know how to navigate around this UI a little…
Interesting to note: the file he downloaded while trying to get his files back was another piece of malware. Poor guy.
Using the VirusTotal page I quickly found two of the names associated with this piece of malware, but I had trouble finding the third… because it turned out to actually be an alias for the group rather than the payload…