BOughT

A hard-level Sherlocks challenge which focuses on memory forensics and malware analysis.

Scenario

A non-technical client recently purchased a used computer for personal use from a stranger they encountered online. Since acquiring the computer, the client has been using it without making any changes, specifically not installing or uninstalling any software. However, they have begun experiencing issues related to internet connectivity. This includes receiving error messages such as "Server Not Found" and encountering difficulties with video streaming. Despite these problems, checks with the Windows Network Troubleshooter indicate no issues with the internet connection itself. The client has provided a memory image and disk artifacts for investigation to determine if there are any underlying issues causing these problems.

In this challenge, we will receive two files: Files.ad1 and memdump.mem. The Files.ad1 file is a logical image, while the memdump.mem file contains memory dump data.

Task 1: What is the best volatility profile match for the memory image?

Answer 1: Win10x64_19041

Task 2: When was the image captured in UTC?

For memory forensics, we will use a tool called Volatility 3 and its windows.info plugin to extract basic information from the memdump.mem file. The command and its output are shown below.


python3 vol.py -f "<path_to_memdump.mem>" windows.info
Information of the memdump

Answer 2: 2023-08-07 21:28:13

Task 3: Check running processes and confirm the name of the suspicious running process.

For rapid triage analysis, we will use the windows.pslist plugin to view all the running processes captured in the memory dump.


> python3 vol.py -f "<path_to_memdump.mem>" windows.pslist

Volatility 3 Framework 2.11.0
Progress:  100.00               PDB scanning finished
PID     PPID    ImageFileName   Offset(V)       Threads Handles SessionId       Wow64   CreateTime      ExitTime       File output

4       0       System  0x960af7868040  134     -       N/A     False   2023-08-07 21:16:18.000000 UTC  N/A     Disabled
92      4       Registry        0x960af79a8040  4       -       N/A     False   2023-08-07 21:16:11.000000 UTC  N/A    Disabled
316     4       smss.exe        0x960afa543040  2       -       N/A     False   2023-08-07 21:16:18.000000 UTC  N/A    Disabled
424     408     csrss.exe       0x960afaf1a2c0  10      -       0       False   2023-08-07 21:16:46.000000 UTC  N/A    Disabled
500     408     wininit.exe     0x960afc0bb080  1       -       0       False   2023-08-07 21:16:47.000000 UTC  N/A    Disabled
516     492     csrss.exe       0x960afc0c6140  12      -       1       False   2023-08-07 21:16:47.000000 UTC  N/A    Disabled
596     492     winlogon.exe    0x960afc106080  3       -       1       False   2023-08-07 21:16:47.000000 UTC  N/A    Disabled
616     500     services.exe    0x960afc10c080  7       -       0       False   2023-08-07 21:16:47.000000 UTC  N/A    Disabled
640     500     lsass.exe       0x960afa90a240  6       -       0       False   2023-08-07 21:16:47.000000 UTC  N/A    Disabled
748     596     fontdrvhost.ex  0x960afc192140  5       -       1       False   2023-08-07 21:16:48.000000 UTC  N/A    Disabled
756     500     fontdrvhost.ex  0x960afc15d080  5       -       0       False   2023-08-07 21:16:48.000000 UTC  N/A    Disabled
764     616     svchost.exe     0x960afc193080  11      -       0       False   2023-08-07 21:16:48.000000 UTC  N/A    Disabled
864     616     svchost.exe     0x960afce2f2c0  7       -       0       False   2023-08-07 21:16:49.000000 UTC  N/A    Disabled
956     596     dwm.exe 0x960afce7e080  15      -       1       False   2023-08-07 21:16:49.000000 UTC  N/A     Disabled
428     616     svchost.exe     0x960afcf1b240  45      -       0       False   2023-08-07 21:16:49.000000 UTC  N/A    Disabled
408     616     svchost.exe     0x960afcf1d080  1       -       0       False   2023-08-07 21:16:49.000000 UTC  N/A    Disabled
880     616     svchost.exe     0x960afcf2e280  14      -       0       False   2023-08-07 21:16:49.000000 UTC  N/A    Disabled
1100    616     svchost.exe     0x960afcfa42c0  14      -       0       False   2023-08-07 21:16:50.000000 UTC  N/A    Disabled
1108    616     svchost.exe     0x960afcfa92c0  12      -       0       False   2023-08-07 21:16:50.000000 UTC  N/A    Disabled
1168    616     svchost.exe     0x960afcf672c0  20      -       0       False   2023-08-07 21:16:50.000000 UTC  N/A    Disabled
1224    4       MemCompression  0x960afcfe6080  22      -       N/A     False   2023-08-07 21:16:50.000000 UTC  N/A    Disabled
1328    616     svchost.exe     0x960afd03d2c0  22      -       0       False   2023-08-07 21:16:50.000000 UTC  N/A    Disabled
1476    616     svchost.exe     0x960afd0e52c0  2       -       0       False   2023-08-07 21:16:50.000000 UTC  N/A    Disabled
1496    616     svchost.exe     0x960afd0e72c0  10      -       0       False   2023-08-07 21:16:50.000000 UTC  N/A    Disabled
1560    616     svchost.exe     0x960afd0e3240  2       -       0       False   2023-08-07 21:16:51.000000 UTC  N/A    Disabled
1592    616     svchost.exe     0x960afd0c00c0  3       -       0       False   2023-08-07 21:16:51.000000 UTC  N/A    Disabled
1600    616     svchost.exe     0x960afd0e92c0  4       -       0       False   2023-08-07 21:16:51.000000 UTC  N/A    Disabled
1784    616     spoolsv.exe     0x960afd1a3200  7       -       0       False   2023-08-07 21:16:51.000000 UTC  N/A    Disabled
1832    616     svchost.exe     0x960afd1c82c0  12      -       0       False   2023-08-07 21:16:51.000000 UTC  N/A    Disabled
1936    616     svchost.exe     0x960afd1c4240  9       -       0       False   2023-08-07 21:16:53.000000 UTC  N/A    Disabled
2024    616     MsMpEng.exe     0x960afd285280  22      -       0       False   2023-08-07 21:16:53.000000 UTC  N/A    Disabled
1360    616     svchost.exe     0x960afd239080  12      -       0       False   2023-08-07 21:16:54.000000 UTC  N/A    Disabled
2196    616     svchost.exe     0x960afd416340  7       -       0       False   2023-08-07 21:17:04.000000 UTC  N/A    Disabled
2560    616     svchost.exe     0x960afd5572c0  5       -       0       False   2023-08-07 21:17:32.000000 UTC  N/A    Disabled
2924    428     sihost.exe      0x960afd820280  7       -       1       False   2023-08-07 21:17:46.000000 UTC  N/A    Disabled
3008    616     svchost.exe     0x960afd8ca2c0  10      -       1       False   2023-08-07 21:17:47.000000 UTC  N/A    Disabled
284     428     taskhostw.exe   0x960afd8b0300  6       -       1       False   2023-08-07 21:17:47.000000 UTC  N/A    Disabled
1988    428     MicrosoftEdgeU  0x960afd950300  3       -       0       True    2023-08-07 21:17:48.000000 UTC  N/A    Disabled
2380    880     ctfmon.exe      0x960afd953080  9       -       1       False   2023-08-07 21:17:49.000000 UTC  N/A    Disabled
2944    596     userinit.exe    0x960afa59a080  0       -       1       False   2023-08-07 21:18:05.000000 UTC  2023-08-07 21:18:22.000000 UTC  Disabled
1136    2944    explorer.exe    0x960afa59e080  62      -       1       False   2023-08-07 21:18:07.000000 UTC  N/A    Disabled
3212    616     svchost.exe     0x960afd5b9300  5       -       1       False   2023-08-07 21:18:35.000000 UTC  N/A    Disabled
3396    616     NisSrv.exe      0x960afa64f300  3       -       0       False   2023-08-07 21:18:40.000000 UTC  N/A    Disabled
3680    616     WUDFHost.exe    0x960afa7410c0  8       -       0       False   2023-08-07 21:18:57.000000 UTC  N/A    Disabled
2632    764     TextInputHost.  0x960afd8f7080  10      -       1       False   2023-08-07 21:19:24.000000 UTC  N/A    Disabled
2652    764     StartMenuExper  0x960afdc17240  7       -       1       False   2023-08-07 21:19:24.000000 UTC  N/A    Disabled
3068    764     RuntimeBroker.  0x960afdd67080  3       -       1       False   2023-08-07 21:19:30.000000 UTC  N/A    Disabled
2740    764     SearchApp.exe   0x960afdd970c0  28      -       1       False   2023-08-07 21:19:44.000000 UTC  N/A    Disabled
1456    764     RuntimeBroker.  0x960afdf182c0  1       -       1       False   2023-08-07 21:19:47.000000 UTC  N/A    Disabled
3224    764     SkypeBackgroun  0x960afa5d1080  4       -       1       False   2023-08-07 21:19:57.000000 UTC  N/A    Disabled
3856    1136    msedge.exe      0x960afde94080  0       -       1       False   2023-08-07 21:20:08.000000 UTC  2023-08-07 21:21:14.000000 UTC  Disabled
1012    616     SearchIndexer.  0x960afddba080  15      -       0       False   2023-08-07 21:20:17.000000 UTC  N/A    Disabled
344     1136    SecurityHealth  0x960afe2cb0c0  1       -       1       False   2023-08-07 21:20:19.000000 UTC  N/A    Disabled
3288    616     SecurityHealth  0x960afe1680c0  6       -       0       False   2023-08-07 21:20:20.000000 UTC  N/A    Disabled
1580    1136    OneDrive.exe    0x960afe2540c0  15      -       1       True    2023-08-07 21:20:21.000000 UTC  N/A    Disabled
2572    1136    SecurityCheck.  0x960afe3de0c0  1       -       1       False   2023-08-07 21:20:39.000000 UTC  N/A    Disabled
4264    2572    conhost.exe     0x960afe354080  3       -       1       False   2023-08-07 21:20:41.000000 UTC  N/A    Disabled
5112    616     SgrmBroker.exe  0x960afe42d080  6       -       0       False   2023-08-07 21:21:09.000000 UTC  N/A    Disabled
2376    1136    fmgr.exe        0x960afdd6a080  12      -       1       True    2023-08-07 21:21:38.000000 UTC  N/A    Disabled
1220    616     svchost.exe     0x960afe32f080  8       -       0       False   2023-08-07 21:21:57.000000 UTC  N/A    Disabled

A large number of processes were displayed, making it difficult to identify suspicious ones. To narrow down the results, we will use the windows.cmdline plugin to inspect the command line of each process for signs of malicious execution.


> python3 vol.py -f "<path_to_memdump.mem>" windows.cmdline

Volatility 3 Framework 2.11.0
Progress:  100.00               PDB scanning finished
PID     Process Args

4       System  Required memory at 0x20 is not valid (process exited?)
92      Registry        Required memory at 0x20 is not valid (process exited?)
316     smss.exe        \SystemRoot\System32\smss.exe
424     csrss.exe       %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
500     wininit.exe     wininit.exe
516     csrss.exe       %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
596     winlogon.exe    winlogon.exe
616     services.exe    C:\Windows\system32\services.exe
640     lsass.exe       C:\Windows\system32\lsass.exe
748     fontdrvhost.ex  "fontdrvhost.exe"
756     fontdrvhost.ex  "fontdrvhost.exe"
764     svchost.exe     C:\Windows\system32\svchost.exe -k DcomLaunch -p
864     svchost.exe     C:\Windows\system32\svchost.exe -k RPCSS -p
956     dwm.exe "dwm.exe"
428     svchost.exe     C:\Windows\system32\svchost.exe -k netsvcs -p
408     svchost.exe     C:\Windows\System32\svchost.exe -k wsappx -p
880     svchost.exe     C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p
1100    svchost.exe     C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1108    svchost.exe     C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1168    svchost.exe     C:\Windows\system32\svchost.exe -k LocalService -p
1224    MemCompression  Required memory at 0x20 is not valid (process exited?)
1328    svchost.exe     C:\Windows\System32\svchost.exe -k NetworkService -p
1476    svchost.exe     C:\Windows\system32\svchost.exe -k LocalService -p
1496    svchost.exe     C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1560    svchost.exe     C:\Windows\system32\svchost.exe -k appmodel -p
1592    svchost.exe     C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1600    svchost.exe     C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1784    spoolsv.exe     C:\Windows\System32\spoolsv.exe
1832    svchost.exe     C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1936    svchost.exe     C:\Windows\System32\svchost.exe -k utcsvc -p
2024    MsMpEng.exe     "C:\Program Files\Windows Defender\MsMpEng.exe"
1360    svchost.exe     C:\Windows\System32\svchost.exe -k netsvcs
2196    svchost.exe     C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p
2560    svchost.exe     C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
2924    sihost.exe      sihost.exe
3008    svchost.exe     C:\Windows\system32\svchost.exe -k UnistackSvcGroup
284     taskhostw.exe   taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1988    MicrosoftEdgeU  Required memory at 0x791ae8 is inaccessible (swapped)
2380    ctfmon.exe      "ctfmon.exe"
2944    userinit.exe    Required memory at 0x3848fea020 is not valid (process exited?)
1136    explorer.exe    C:\Windows\Explorer.EXE
3212    svchost.exe     C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
3396    NisSrv.exe      "C:\Program Files\Windows Defender\NisSrv.exe"
3680    WUDFHost.exe    "C:\Windows\System32\WUDFHost.exe" -HostGUID:{193a1820-d9ac-4997-8c55-be817523f6aa} -IoEventPortName:\UMDFCommunicationPorts\WUDF\HostProcess-24f56cba-a495-4a9d-a437-4abd1001a0bd -SystemEventPortName:\UMDFCommunicationPorts\WUDF\HostProcess-66cd4b1a-9215-4fbd-b0fd-67083cc28712 -IoCancelEventPortName:\UMDFCommunicationPorts\WUDF\HostProcess-2c39ed04-2a22-4f54-8773-d09c2fdeb445 -NonStateChangingEventPortName:\UMDFCommunicationPorts\WUDF\HostProcess-95bc4bbd-8d4f-4c02-95b0-f5889eba36e3 -LifetimeId:5c7c053b-fa40-4967-8bf1-d6fffd788c78 -DeviceGroupId:WpdFsGroup -HostArg:0
2632    TextInputHost.  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mca
2652    StartMenuExper  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
3068    RuntimeBroker.  C:\Windows\System32\RuntimeBroker.exe -Embedding
2740    SearchApp.exe   "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1456    RuntimeBroker.  C:\Windows\System32\RuntimeBroker.exe -Embedding
3224    SkypeBackgroun  Required memory at 0x1ee58203478 is inaccessible (swapped)
3856    msedge.exe      Required memory at 0x6000f39020 is not valid (process exited?)
1012    SearchIndexer.  C:\Windows\system32\SearchIndexer.exe /Embedding
344     SecurityHealth  "C:\Windows\System32\SecurityHealthSystray.exe"
3288    SecurityHealth  C:\Windows\system32\SecurityHealthService.exe
1580    OneDrive.exe    "C:\Users\User\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
2572    SecurityCheck.  "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SecurityCheck.exe"
4264    conhost.exe     \??\C:\Windows\system32\conhost.exe 0x4
5112    SgrmBroker.exe  C:\Windows\system32\SgrmBroker.exe
2376    fmgr.exe        "E:\Imager\fmgr.exe"
1220    svchost.exe     C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

Unfortunately, I could not detect any obviously malicious command line in the output above. However, I now have the full image path of every running process, which allows me to narrow the analysis by focusing on suspicious process paths. After excluding processes located under "C:\Windows\system32", which are typically legitimate, two processes stand out: fmgr.exe and SecurityCheck.exe. A Google search turned up numerous reports about malware named SecurityCheck.exe, so this process is highly suspicious.
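The path-based triage described above, as an added example that is not part of the original write-up: it parses windows.cmdline rows (a constructed subset of the output shown earlier), extracts each image path, and reports processes that do not live under the Windows or Program Files directories, tagging the all-users Startup folder as an autorun location. The trusted-prefix list is an assumption of this example and is a triage filter, not a verdict.

```python
from typing import Optional

# Constructed sample: a subset of the windows.cmdline rows shown above.
SAMPLE_CMDLINE = r"""
PID     Process Args
616     services.exe    C:\Windows\system32\services.exe
2024    MsMpEng.exe     "C:\Program Files\Windows Defender\MsMpEng.exe"
1580    OneDrive.exe    "C:\Users\User\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
2572    SecurityCheck.  "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SecurityCheck.exe"
4264    conhost.exe     \??\C:\Windows\system32\conhost.exe 0x4
2376    fmgr.exe        "E:\Imager\fmgr.exe"
1224    MemCompression  Required memory at 0x20 is not valid (process exited?)
"""

# Directories where Windows and vendor binaries normally live (compared lower-cased).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Per-machine Startup folder: anything here runs at every interactive logon.
STARTUP_MARKER = "\\start menu\\programs\\startup\\"


def image_path(args: str) -> Optional[str]:
    """Pull the executable path out of a command line, or return None when
    vol.py could not read the process PEB (the 'Required memory ...' rows)."""
    if args.startswith("Required memory"):
        return None
    if args.startswith('"'):
        path = args[1:].split('"', 1)[0]      # quoted path, may contain spaces
    else:
        path = args.split(None, 1)[0]         # unquoted path: first token
    if path.startswith("\\??\\"):             # strip the NT object-manager prefix
        path = path[4:]
    return path


def triage(cmdline_output: str) -> list:
    """Return (pid, process, path, reason) for every row whose image lives
    outside the trusted system directories."""
    findings = []
    for line in cmdline_output.strip().splitlines()[1:]:   # skip the header row
        pid, proc, args = line.split(None, 2)
        path = image_path(args)
        if path is None:
            continue
        low = path.lower()
        if low.startswith(TRUSTED_PREFIXES):
            continue
        if STARTUP_MARKER in low:
            reason = "autorun: all-users Startup folder"
        elif not low.startswith("c:\\"):
            reason = "non-system drive"
        else:
            reason = "outside Windows/Program Files"
        findings.append((int(pid), proc, path, reason))
    return findings


if __name__ == "__main__":
    for pid, proc, path, reason in triage(SAMPLE_CMDLINE):
        print(f"{pid:>5}  {proc:<15} {reason:<35} {path}")
```

OneDrive.exe is surfaced too, since user-profile paths are a common malware location; a known-good list removes it on review, leaving the same two candidates as the manual analysis.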

Search results for SecurityCheck.exe

Answer 3: SecurityCheck.exe

Task 4: What is the full path of the malicious process?

From the previous task, we identified the full path of SecurityCheck.exe.

Answer 4: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SecurityCheck.exe

Task 5: What is the sha256 value of the malware?

To complete this task, we will use the FTK Imager tool to export the SecurityCheck.exe file from Files.ad1. The process will be as follows:

Import Files.ad1 into FTK Imager (Choose Image) ⇒ Go to the path "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SecurityCheck.exe" ⇒ Right-click SecurityCheck.exe ⇒ Choose Export

SecurityCheck.exe's path in FTK Imager

After successfully exporting the malicious file, we will use the following PowerShell command to calculate its SHA256 hash value:


Get-FileHash -Path <path_to_file> -Algorithm SHA256
Get hash value of SecurityCheck.exe

Answer 5: 4062963405cc71c032ca51ffd409e832120fcfd496969f4ef548774323c72413

Task 6: What is the compilation timestamp for the malware?

We will conduct a static analysis of the malicious file using a tool called CFF Explorer from the Explorer Suite. This tool allows us to extract basic information about the malware, including the compilation timestamp stored in the PE file header, which CFF Explorer displays as shown in the image below. Note that this field is under the attacker's control: a timestamp in 2037, long after the 2023 memory capture, cannot be genuine and should be treated as tampered rather than as evidence of when the binary was built.

Answer 6: 2037-09-03 08:20:55

Task 7: What is the name of the mutex that the malware creates?

Task 8: At the top of main function which anti-debugging function is being used?

Task 9: How many minutes does the malware sleep before calling above anti-debugging function?

In these tasks, we will perform a code analysis of SecurityCheck.exe using Ghidra. This reverse engineering tool allows us to analyze the malware's binary code and gain insight into its functionality and behavior. The picture below shows the entry function of the program.

Using Ghidra to disassemble SecurityCheck.exe.

In the entry function, we observe a call to another function, FUN_00401180(). Upon closer examination of FUN_00401180(), it becomes apparent that it subsequently calls another function, FUN_00402660(). Let's examine this function.

Main function of SecurityCheck.exe

In this function, a Windows API function named CreateMutexA is called with three parameters. The third parameter specifies the name of the mutex object.

CreateMutexA Win32 API

Answer 7: config_m2

Additionally, another function named IsDebuggerPresent is called, and its name is visible in plain text. IsDebuggerPresent is a documented kernel32 function that returns a nonzero value when a user-mode debugger is attached to the calling process, so the malware uses it to check whether it is being executed inside a debugger.

Answer 8: IsDebuggerPresent

Moreover, the Sleep function is called with a parameter representing the time in milliseconds; a 15-minute sleep corresponds to 900,000 ms. This indicates that the malware pauses execution for 15 minutes after successfully creating the mutex.

Answer 9: 15

Task 10: This malware uses DGA, how many unique C2 domains in total is this DGA capable of generating?

A Domain Generation Algorithm (DGA) is a technique used by malware to automatically generate domain names for command-and-control (C2) communication. This approach makes it more difficult for defenders to block and detect the C2 channels, as the domains can change frequently and unpredictably.

At the end of FUN_00401180, the function FUN_004016f4 is called. Through quick analysis, I identified this as a Domain Generation Algorithm (DGA) because it automatically generates a domain name and assigns it to DAT_004099a0. Subsequently, it constructs a full URL in the format http://<Generated_Domain_Name>.xyz.


void FUN_004016f4(void)

{
  char cVar1;
  uint _Seed;
  ulonglong uVar2;
  undefined2 *puVar3;
  undefined2 local_4c;
  undefined local_4a;
  undefined2 local_49;
  undefined local_47;
  undefined4 local_46;
  undefined2 local_42;
  undefined local_40;
  undefined8 local_3f;
  undefined local_37;
  undefined local_36;
  undefined local_35;
  undefined4 local_34;
  undefined local_2d;
  int local_2c;
  undefined4 local_28;
  undefined4 local_24;
  int local_20;
  int local_1c;
  
  local_3f = 0x6e7238613262636c;
  local_37 = 0x35;
  _Seed = FUN_00401560((__time64_t *)0x0);
  srand(_Seed);
  for (local_1c = 0; local_1c < 6; local_1c = local_1c + 1) {
    local_20 = local_1c;
    local_24 = L'Ņ';
    local_28 = L'l';
    local_2c = rand();
    local_1c = local_20;
    local_2c = local_2c % 9;
    local_2d = 'h';
    if (local_20 == 2) {
      local_35 = 4;
      local_36 = 'b';
      uRam00000000004099a2 = '0';
    }
    else {
      local_34 = 27;
      local_28 = 9;
      (&DAT_004099a0)[local_1c] = *(undefined *)((longlong)&local_3f + (longlong)local_2c);
    }
    local_28 = 3;
    local_2d = 'h';
  }
  local_42 = 0x7474;
  local_40 = 0;
  local_46 = 0x2f2f3a;
  local_49 = 0x782e;
  local_47 = 0;
  local_4c = 0x7a79;
  local_4a = 0;
  DAT_00409a00 = 0x68;
  strcat((char *)&DAT_00409a00,(char *)&local_42);
  uVar2 = 0xffffffffffffffff;
  puVar3 = &DAT_00409a00;
  do {
    if (uVar2 == 0) break;
    uVar2 = uVar2 - 1;
    cVar1 = *(char *)puVar3;
    puVar3 = (undefined2 *)((longlong)puVar3 + 1);
  } while (cVar1 != '\0');
  *(undefined2 *)(~uVar2 + 0x4099ff) = 0x70;
  strcat((char *)&DAT_00409a00,(char *)&local_46);
  strcat((char *)&DAT_00409a00,&DAT_004099a0);
  strcat((char *)&DAT_00409a00,(char *)&local_49);
  strcat((char *)&DAT_00409a00,(char *)&local_4c);
  memset(&DAT_004099a0,0,5);
  return;
}

To understand in more depth how the domain name is generated, we need to analyze this part of the function:


  local_3f = 0x6e7238613262636c;
  local_37 = 0x35;
  _Seed = FUN_00401560((__time64_t *)0x0);
  srand(_Seed);
  for (local_1c = 0; local_1c < 6; local_1c = local_1c + 1) {
    local_20 = local_1c;
    local_24 = L'Ņ';
    local_28 = L'l';
    local_2c = rand();
    local_1c = local_20;
    local_2c = local_2c % 9;
    local_2d = 'h';
    if (local_20 == 2) {
      local_35 = 4;
      local_36 = 'b';
      uRam00000000004099a2 = '0';
    }
    else {
      local_34 = 27;
      local_28 = 9;
      (&DAT_004099a0)[local_1c] = *(undefined *)((longlong)&local_3f + (longlong)local_2c);
    }
    local_28 = 3;
    local_2d = 'h';
  }

The code selects characters at random from the nine-character string held in local_3f and local_37 ("nr8a2bcl5"), using local_2c (rand() % 9) as the offset, and stores them in the buffer at &DAT_004099a0. The generated domain name is 6 characters long because the for loop iterates 6 times, selecting one character per iteration. However, the third character (local_20 == 2) is always the literal '0' written to DAT_004099a2. With 9 possible characters for each of the remaining 5 positions, the total number of unique C2 domains this DGA can generate is 9^5 = 59049.

Answer 10: 59049

Task 11: How many unique C2 domains start with “rb”?

With "rb" fixed as the first two characters and the third character always '0', only 3 positions remain variable. The total number of unique C2 domains starting with "rb" is therefore 9^3 = 729.

Answer 11: 729

Task 12: How many unique C2 domains end with “rla”?

Similarly, with "rla" fixed as the last three characters and the third character always '0', only the first 2 positions remain variable, so the total number of unique C2 domains ending with "rla" is 9^2 = 81.
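As an added example (not code from the original write-up or from the sample), this Python re-implementation of FUN_004016f4 rebuilds the character table from local_3f and local_37 in memory (little-endian) order, reproduces the rand() % 9 selection and the fixed '0' in position 3, assembles the http://<domain>.xyz URL, and enumerates the whole domain space to reproduce the counts for Tasks 10, 11 and 12. The MsvcRand class assumes the binary links the Microsoft CRT, and the seed is passed in explicitly, whereas the malware seeds from the current time.

```python
import itertools
import struct

# Character table recovered from the decompiled function: the 64-bit constant
# in local_3f followed by the single byte in local_37. The byte indexing
# (&local_3f)[local_2c] walks memory order, and x86-64 stores the constant
# little-endian, so the table reads "lcb2a8rn5" (the same nine characters the
# text lists reading from the most significant byte down).
LOCAL_3F = 0x6E7238613262636C
LOCAL_37 = 0x35
CHARSET = struct.pack("<Q", LOCAL_3F).decode("ascii") + chr(LOCAL_37)

DOMAIN_LEN = 6        # the for loop runs local_1c = 0 .. 5
FIXED_POS = 2         # when local_20 == 2 the literal '0' is written to DAT_004099a2
FIXED_CHAR = "0"
TLD = ".xyz"          # local_49 / local_4c hold ".x" and "yz"


class MsvcRand:
    """rand()/srand() of the Microsoft CRT (assumption: the sample links the
    MSVC runtime, whose 32-bit LCG and 15-bit output are reproduced here)."""

    def __init__(self, seed: int) -> None:
        self.state = seed & 0xFFFFFFFF

    def rand(self) -> int:
        self.state = (self.state * 214013 + 2531011) & 0xFFFFFFFF
        return (self.state >> 16) & 0x7FFF


def generate_domain(seed: int) -> str:
    """Reproduce FUN_004016f4 for one srand() seed. The malware seeds from the
    current time; here the seed is a parameter so the output is reproducible."""
    rng = MsvcRand(seed)
    out = []
    for i in range(DOMAIN_LEN):
        r = rng.rand() % 9            # local_2c = rand() % 9, drawn on every iteration
        if i == FIXED_POS:
            out.append(FIXED_CHAR)    # third character is always '0'
        else:
            out.append(CHARSET[r])    # (&DAT_004099a0)[i] = charset[local_2c]
    return "".join(out)


def c2_url(domain: str) -> str:
    """The strcat chain builds 'h' + 'tt' + 'p' + '://' + domain + '.x' + 'yz'."""
    return "http://" + domain + TLD


def all_domains():
    """Yield every domain the DGA can emit: 9 choices for each free position."""
    free = [p for p in range(DOMAIN_LEN) if p != FIXED_POS]
    for combo in itertools.product(CHARSET, repeat=len(free)):
        chars = [FIXED_CHAR] * DOMAIN_LEN
        for pos, ch in zip(free, combo):
            chars[pos] = ch
        yield "".join(chars)


def count_domains(prefix: str = "", suffix: str = "") -> int:
    """Size of the domain space with an optional fixed prefix/suffix
    (Task 10: no constraint; Task 11: prefix 'rb'; Task 12: suffix 'rla')."""
    return sum(1 for d in all_domains()
               if d.startswith(prefix) and d.endswith(suffix))


if __name__ == "__main__":
    print(CHARSET, c2_url(generate_domain(1)))
    print(count_domains(), count_domains(prefix="rb"), count_domains(suffix="rla"))
```

Because the whole space is only 59049 names, all_domains() is also a practical way to produce a complete blocklist or DNS-monitoring watchlist for this family.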

Answer 12: 81

Task 13: Which file is being used to store active C2 domain?

Returning to the function FUN_00402660, we observe that the malware opens two files, as illustrated in the image below.

Detecting the function that opens config.ini and win.ini

To determine which one stores the active C2 domain, we will examine their contents in Files.ad1.

win.ini file's content

The win.ini file contains a domain name. We can confirm that it is an active domain by examining the FUN_0040254e function. This function calls the Windows API InternetCheckConnectionA to verify the connection to the domain specified in the win.ini file.

Function that checks the connection

Answer 13: C:\Users\Public\Documents\win.ini

Task 14: Which file is being used to store commands from the C2 server?

The answer should be the other file we found in Task 13, config.ini.

Answer 14: C:\Users\Public\config.ini

Task 15: What was the active C2 FQDN at the time of artifact collection?

Answer 15:

Task 17: What is the FQDN of the target website?

Task 18: What was the expiration date for the active attack at the time of artifact collection in UTC?

We need to examine the content of the config.ini file located in Files.ad1. The content is encoded in Base64 format, and I will use CyberChef to decode it. The decoded result is shown in the images below.

config.ini file's content
Decoded content

From the image above:

  • The first line is the FQDN of the target website.

  • The last line is the time as a Unix timestamp, which we convert to UTC with an online converter tool.

Converting time to UTC

Answer 17: http://nbscl231sdn.mnj

Answer 18: 2023-08-31 11:45:58

Task 16: How many kinds of DDoS attacks can this malware perform?

Task 19: How many GET requests does the malware perform against target domain before sleeping for a while?

Task 20: There seems to be another attack method with ICMP requests. How many of these requests can the malware send before sleeping for a while?

By examining the FUN_00401560 function, I realize that it has two conditions for param_2, each leading to a different type of DDoS attack.

In the first mode (param_2 = 1), decoding the hexadecimal value of each variable and concatenating them yields the command "ping -n 16 %s". In this mode the malware runs that system command, which sends 16 ICMP echo requests to the target; after clearing the buffer, it sleeps for 10 minutes before repeating the process.

In the second mode, the malware sends a request to the target URL stored in param_1 20 times before going to sleep.

DDoS function

Answer 16: 2

Answer 19: 20

Answer 20: 16

Task 21: Is this malware prone to Botnet hijacking?

Nothing in the C2 design authenticates the operator: the DGA domain space is small enough to enumerate in full (Task 10), the active domain is read from a plain-text win.ini, and the commands in config.ini are only Base64-encoded (CyberChef decodes them directly), so a third party who registered one of the generated .xyz domains could hand the bots a config of their own.

Answer 21: Yes
