BOughT

A hard-level Sherlocks challenge that focuses on memory forensics and malware analysis.

Scenario

A non-technical client recently purchased a used computer for personal use from a stranger they encountered online. Since acquiring the computer, the client has been using it without making any changes, specifically not installing or uninstalling any software. However, they have begun experiencing issues related to internet connectivity. This includes receiving error messages such as "Server Not Found" and encountering difficulties with video streaming. Despite these problems, checks with the Windows Network Troubleshooter indicate no issues with the internet connection itself. The client has provided a memory image and disk artifacts for investigation to determine if there are any underlying issues causing these problems.

In this challenge, we will receive two files: Files.ad1 and memdump.mem. The Files.ad1 file is a logical image, while the memdump.mem file contains memory dump data.

Task 1: What is the best volatility profile match for the memory image?

Answer 1: Win10x64_19041

Task 2: When was the image captured in UTC?

For memory forensics, we will use Volatility 3 with the windows.info plugin to extract basic information from the memdump.mem file. The command and the resulting output are shown below.


python3 vol.py -f "<path_to_memdump.mem>" windows.info
Information of the memdump

Answer 2: 2023-08-07 21:28:13

Task 3: Check running processes and confirm the name of the suspicious running process.

For rapid triage analysis, we will use the windows.pslist plugin to view all the running processes captured in the memory dump.

A large number of processes were displayed, making it difficult to identify suspicious ones. To narrow down the results, we will use the windows.cmdline plugin to check if any malicious scripts were executed.

Unfortunately, I could not detect any malicious activity in the output above. However, I now have the full path of each running process, which allows me to narrow down the analysis by focusing on suspicious process paths. By excluding processes located in "C:\Windows\system32", which are typically legitimate, two processes stand out: fmgr.exe and SecurityCheck.exe. After a Google search, I found numerous reports about a malware named SecurityCheck.exe, so this process is highly suspicious.

SecurityCheck.exe search results

Answer 3: SecurityCheck.exe
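The path-based triage used above can be scripted rather than eyeballed. The following is an added example, not part of the original writeup: it parses rows in the shape of Volatility 3 windows.cmdline output (a constructed sample, not the real rows from memdump.mem), drops processes under the trusted system directories, and additionally flags anything running from the Startup folder, which is an autostart persistence location.

```python
import re

# Constructed sample in the shape of Volatility 3 "windows.cmdline" output
# (tab-separated PID, Process, Args). Not the real rows from memdump.mem;
# only the SecurityCheck.exe path comes from the writeup.
SAMPLE_CMDLINE = "\n".join("\t".join(cols) for cols in [
    ("PID", "Process", "Args"),
    ("4", "System", "-"),
    ("612", "svchost.exe", r"C:\Windows\system32\svchost.exe -k netsvcs"),
    ("784", "lsass.exe", r"C:\Windows\system32\lsass.exe"),
    ("2112", "SecurityCheck.exe",
     r'"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SecurityCheck.exe"'),
])

# Directories the writeup treats as typically legitimate (compared lower-case).
TRUSTED_PREFIXES = (r"c:\windows\system32", r"c:\windows\syswow64")
# Autostart locations that deserve an explicit flag.
AUTOSTART_MARKERS = (r"\start menu\programs\startup",)

def parse_cmdline(text):
    """Turn the tab-separated plugin output into dicts, skipping the header."""
    rows = []
    for line in text.splitlines()[1:]:
        pid, process, args = line.split("\t", 2)
        rows.append({"pid": int(pid), "process": process, "args": args})
    return rows

def image_path(args):
    """Pull the executable path out of the Args column (quoted or bare)."""
    m = re.match(r'"([^"]+)"|(\S+)', args)
    return (m.group(1) or m.group(2)) if m else ""

def triage(rows):
    """Return (pid, name, reason) for processes outside trusted directories."""
    findings = []
    for r in rows:
        path = image_path(r["args"]).lower()
        if not path or path == "-":
            continue  # kernel/system pseudo-processes carry no image path
        if path.startswith(TRUSTED_PREFIXES):
            continue
        reason = "outside trusted system directories"
        if any(marker in path for marker in AUTOSTART_MARKERS):
            reason = "runs from Startup folder (autostart persistence)"
        findings.append((r["pid"], r["process"], reason))
    return findings

if __name__ == "__main__":
    for pid, name, why in triage(parse_cmdline(SAMPLE_CMDLINE)):
        print(f"{pid}\t{name}\t{why}")
```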

Task 4: What is the full path of the malicious process?

From the previous task, we identified the full path of SecurityCheck.exe.

Answer 4: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SecurityCheck.exe

Task 5: What is the sha256 value of the malware?

To complete this task, we will use FTK Imager to export the SecurityCheck.exe file from Files.ad1. The process is as follows:

Import Files.ad1 into FTK Imager (Choose Image) ⇒ Browse to "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SecurityCheck.exe" ⇒ Right-click SecurityCheck.exe ⇒ Choose Export

SecurityCheck.exe's path in FTK Imager

After successfully exporting the malicious file, we will use the following PowerShell script to calculate its SHA256 hash value:

Get hash value of SecurityCheck.exe

Answer 5: 4062963405cc71c032ca51ffd409e832120fcfd496969f4ef548774323c72413

Task 6: What is the compilation timestamp for the malware?

We will perform static analysis of the malicious file using CFF Explorer from the Explorer Suite. This tool extracts basic information about the malware, including the compilation timestamp, which represents the modified date of the file. The result is shown in the image below.

Answer 6: 2037-09-03 08:20:55

Task 7: What is the name of the mutex that the malware creates?

Task 8: At the top of main function which anti-debugging function is being used?

Task 9: How many minutes does the malware sleep before calling the above anti-debugging function?

In these tasks, we will analyze the code of SecurityCheck.exe using Ghidra. This reverse engineering tool lets us examine the malware's binary code and gain insight into its functionality and behavior. The picture below shows the entry function of the program.

Using Ghidra to disassemble SecurityCheck.exe.

In the entry function, we observe a call to another function, FUN_00401180(). Upon closer examination of FUN_00401180(), it becomes apparent that it subsequently calls another function, FUN_00402660(). Let's examine this function.

Main function of SecurityCheck.exe

In this function, the Windows API function CreateMutexA is called with three parameters. The third parameter specifies the name of the mutex object.

CreateMutexA Win32 API

Answer 7: config_m2

Additionally, another function named IsDebuggerPresent is called, and its name is displayed in plain text. As the name suggests, it returns a boolean indicating whether the malware is being executed under a debugger.

Answer 8: IsDebuggerPresent

Moreover, the Sleep function is called with a parameter representing the time in milliseconds. This indicates that the malware is programmed to pause execution for 15 minutes after successfully creating a mutex.

Answer 9: 15

Task 10: This malware uses DGA, how many unique C2 domains in total is this DGA capable of generating?

A Domain Generation Algorithm (DGA) is a technique used by malware to automatically generate domain names for command-and-control (C2) communication. This makes it harder for defenders to block and detect the C2 channel, as the domains can change frequently and unpredictably.

At the end of FUN_00401180, the function FUN_004016f4 is called. Through quick analysis, I identified this as a Domain Generation Algorithm (DGA) because it automatically generates a domain name and assigns it to DAT_004099a0. Subsequently, it constructs a full URL in the format http://<Generated_Domain_Name>.xyz.

To understand in more detail how the domain name is generated, we need to analyze this part of the function:

The code randomly selects characters from the string encoded in local_3f and local_37 ("nr8a2bcl5"), using the offset local_2c, and stores them in a buffer (&DAT_004099a0). The generated domain name has 6 characters because the for loop iterates 6 times, selecting one character in each iteration. However, the third character (local_20 == 2) is always set to '0'. Therefore, with 9 possible characters for each of the remaining 5 positions, the total number of unique C2 domains that this DGA can generate is 9^5 = 59049.

Answer 10: 59049

Task 11: How many unique C2 domains start with “rb”?

With "rb" fixed as the first two characters of the domain name (and the third character always '0'), only 3 positions remain variable. The total number of unique C2 domains starting with "rb" is 9^3 = 729.

Answer 11: 729

Task 12: How many unique C2 domains end with “rla”?

Similar to Task 11, with "rla" fixed as the last three characters, only 2 positions remain variable, so the total number of unique C2 domains ending with "rla" is 9^2 = 81.

Answer 12: 81
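Tasks 10 to 12 can be checked by enumerating the DGA's output space instead of counting by hand. The following is an added example, not code from the writeup or the malware: it reproduces only the domain shape described above (9-character alphabet, 6 positions, third position fixed to '0', .xyz TLD), not the malware's actual index selection, and uses that to count domains, test whether a label such as cl0lr8 fits the pattern, and emit a block list in the malware's URL format.

```python
from itertools import product

# Character set recovered from local_3f/local_37 in the writeup.
ALPHABET = "nr8a2bcl5"
DOMAIN_LEN = 6
FIXED = {2: "0"}   # third character (local_20 == 2) is always '0'
TLD = ".xyz"       # the malware builds http://<label>.xyz

def domain_space():
    """Yield every 6-character label the DGA can produce."""
    free = [i for i in range(DOMAIN_LEN) if i not in FIXED]
    for combo in product(ALPHABET, repeat=len(free)):
        chars = [FIXED.get(i, "") for i in range(DOMAIN_LEN)]
        for pos, ch in zip(free, combo):
            chars[pos] = ch
        yield "".join(chars)

def count_domains(prefix="", suffix=""):
    """Number of labels matching an optional prefix and/or suffix."""
    return sum(1 for d in domain_space()
               if d.startswith(prefix) and d.endswith(suffix))

def is_possible_c2(label):
    """True if a label (without TLD) fits the DGA's shape and character set."""
    if len(label) != DOMAIN_LEN:
        return False
    return all(ch == FIXED[i] if i in FIXED else ch in ALPHABET
               for i, ch in enumerate(label))

def block_list(prefix="", suffix=""):
    """Candidate C2 URLs in the malware's format, e.g. for a DNS/proxy deny list."""
    return [f"http://{d}{TLD}" for d in domain_space()
            if d.startswith(prefix) and d.endswith(suffix)]

if __name__ == "__main__":
    print("total:", count_domains())          # 59049
    print("rb*:", count_domains(prefix="rb"))  # 729
    print("*rla:", count_domains(suffix="rla"))  # 81
    print("cl0lr8 fits DGA:", is_possible_c2("cl0lr8"))
```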

Task 13: Which file is being used to store active C2 domain?

Returning to the function FUN_00402660, we observe that the malware opens two files, as illustrated in the image below.

Detecting the function that opens config.ini and win.ini

To decide which one contains the active C2 domain, we will look at their contents in Files.ad1.

win.ini file's content

The win.ini file contains a domain name. We can confirm that it is the active domain by examining the function FUN_0040254e, which calls the Windows API InternetCheckConnectionA to verify the connection to the domain specified in win.ini.

Function that checks the connection

Answer 13: C:\Users\Public\Documents\win.ini

Task 14: Which file is being used to store commands from the C2 server?

The answer is the other file we found in Task 13.

Answer 14: C:\Users\Public\config.ini

Task 15: What was the active C2 FQDN at the time of artifact collection?

Answer 15: http://cl0lr8.xyz

Task 17: What is the FQDN of the target website?

Task 18: What was the expiration date for the active attack at the time of artifact collection in UTC?

We need to examine the content of the config.ini file located in Files.ad1. The content is encoded in Base64 format, and I will use CyberChef to decode it. The decoded result is shown in the images below.

config.ini file's content
Decoded content

From the image above:

  • The first line is the FQDN of the target website.

  • The last line is the time in Unix epoch format. We will use this tool to convert it to UTC time.

Converting time to UTC

Answer 17: http://nbscl231sdn.mnj

Answer 18: 2023-08-31 11:45:58
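The decode-and-convert step done in CyberChef above can be scripted so the same check is repeatable on other config.ini samples. The following is an added example, not from the writeup: the Base64 input is a constructed stand-in built from the two answer values (first line target FQDN, last line Unix timestamp), not a copy of the real config.ini, and the helper also reports whether the configured attack is still active at a given time.

```python
import base64
from datetime import datetime, timezone

# Constructed stand-in for C:\Users\Public\config.ini. The writeup describes it
# as Base64 text whose decoded first line is the target FQDN and whose last line
# is a Unix timestamp; the plaintext here uses the writeup's answer values and
# is not a copy of the real file.
SAMPLE_CONFIG_INI = base64.b64encode(
    b"http://nbscl231sdn.mnj\n1693482358\n"
).decode("ascii")

def decode_config(b64_text):
    """Base64-decode config.ini and return its non-empty lines."""
    raw = base64.b64decode(b64_text.strip(), validate=True)
    return [ln for ln in raw.decode("utf-8", "replace").splitlines() if ln.strip()]

def parse_config(b64_text):
    """Return (target FQDN, expiry as an aware UTC datetime)."""
    lines = decode_config(b64_text)
    if len(lines) < 2:
        raise ValueError("expected at least a target line and a timestamp line")
    target = lines[0].strip()
    epoch = int(lines[-1].strip())
    return target, datetime.fromtimestamp(epoch, tz=timezone.utc)

def attack_active(b64_text, now_epoch):
    """True if the configured attack has not yet expired at now_epoch (Unix time)."""
    _, expiry = parse_config(b64_text)
    return datetime.fromtimestamp(now_epoch, tz=timezone.utc) < expiry

if __name__ == "__main__":
    target, expiry = parse_config(SAMPLE_CONFIG_INI)
    print("target:", target)
    print("expires (UTC):", expiry.strftime("%Y-%m-%d %H:%M:%S"))
```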

Task 16: How many kinds of DDoS attacks can this malware perform?

Task 19: How many GET requests does the malware perform against target domain before sleeping for a while?

Task 20: There seems to be another attack method with ICMP requests. How many of these requests can the malware send before sleeping for a while?

By examining the function FUN_00401560, I see that it has two branches on param_2, each leading to a different type of DDoS attack.

In the first mode (param_2 = 1), by decoding the hexadecimal value of each variable and concatenating them, we get the command "ping -n 16 %s". In this type of DDoS attack, the malware executes this system command, which sends 16 ICMP requests to the target. After clearing the memory, it sleeps for 10 minutes before repeating the process.

In the second mode, the malware sends a request to the target URL stored in param_1 20 times before going to sleep.

DDoS function

Answer 16: 2

Answer 19: 20

Answer 20: 16

Task 21: Is this malware prone to Botnet hijacking?

Answer 21: Yes
