Velociraptor P2
Last updated
Was this helpful?
Last updated
Was this helpful?
In this exercise we will infect a windows client with a simple malware sample and investigate it with velocirpator.
Prerequisite:
Password: malware
Mitre Attack techniques used in this exercise:
T1204.002: User Execution: Malicious File T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder T1562.001: Impair Defenses: Disable or Modify Tools
Note: Disable the Windows Defender
Download the PUP Malware Sample from above and extract it.
1. Run pup4.exe as administrator
2. Move pup4message.exe to C:\
3. Delete pup4.zip and the pup4 folder. Empty the Recycle Bin.
4. Restart your machine. If an "Open File - Security Warning" box pops up, uncheck the "Always ask before opening this file" box and click Run.
After Login to our Win10 box, we can see this nice popup:
YOUR MACHINE IS PWNED BY DOUBLEBAD!
First made sure that the windows box is connected to the velociraptor server:
From here we can access the client ID and click on the Collected button.
We can click then on the plus-sign to prepare and execute a specific artefact on the client.
Use the search box to find this collector, as shown below.
Windows.Sysinternals.Autoruns
I'll launch the collector with its default values. After a while I get the results with 1453 rows back. For a better overview I'll download the results in a csv file.
With help of the csv file I can work with filters to show me only rows where the Company field is empty. I could successfull Identify the autorun path of pup4message.exe:
The MD5 hash of pup4message.exe could also be found in the csv file, but I'll use some other artifacts as well.
Windows.System.Pslist
Configure the collector with regex pattern pup.
The purpose of this step is to verify that the "pup4message" process is actually creating the pop-up message
For that we use the following artifact:
Windows.Triage.ProcessMemory
Again I'll use the regex pattern pup* and let it run
After a while it's possibe to download the dump under uploaded files
We can now analyse the dump by using the command strings
The purpose of this step is to see if other EXE files on the target computer are also involved.
For that I use the the following artifact:
Windows.Detection.Yara.NTFS
I set the following options:
I did expect a result, but for some reasons I got no results back. I did also miss the YARA shortener option which was not available in this artifact. Regarding the description it should be available. I have to let this stay for a moment and continue with the remediation!
The purpose of this step is to remove the malware from the client.
Launch these commands, one at a time:
TASKKILL /FI "IMAGENAME eq pup4message.exe"
reg delete HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run /v PUP4 /f
del c:\pup4message.exe
Linux VM ()
Windows 10 VM ()
PUP Malware Sample ()
If you need instructions how to setup velociraptor please go back to of this series.
developed by SAM BOWNE:
