Velociraptor P2
Last updated
In this exercise we will infect a Windows client with a simple malware sample and investigate it with Velociraptor.
Prerequisites:
Linux VM (https://livecd.hacking-lab.com/)
Windows 10 VM (https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/)
PUP Malware Sample (https://samsclass.info/152/proj/pup4.zip)
Password: malware
If you need instructions on how to set up Velociraptor, go back to Part 1 of this series.
MITRE ATT&CK techniques used in this exercise:
T1204.002: User Execution: Malicious File
T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1562.001: Impair Defenses: Disable or Modify Tools
Original lab developed by Sam Bowne:
Note: Disable Windows Defender on the Windows 10 VM first, otherwise the sample may be removed before you can run it.
Download the PUP malware sample from the link above and extract it.
1. Run pup4.exe as administrator.
2. Move pup4message.exe to C:\
3. Delete pup4.zip and the pup4 folder. Empty the Recycle Bin.
4. Restart the machine. If an "Open File - Security Warning" box pops up, uncheck "Always ask before opening this file" and click Run.
After logging in to our Win10 box we are greeted with this popup:
YOUR MACHINE IS PWNED BY DOUBLEBAD!
First, make sure that the Windows box is connected to the Velociraptor server:
From here we can open the client ID and click the Collected button.
Clicking the plus sign lets us prepare and launch a specific artifact on the client.
Use the search box to find this collector, as shown below.
Windows.Sysinternals.Autoruns
I'll launch the collector with its default values. After a while the results come back with 1453 rows. For a better overview I download the results as a CSV file.
With the CSV file I can filter for rows where the Company field is empty (binaries that ship without vendor metadata are a good first cut through an autoruns listing). This identifies the autorun entry and path of pup4message.exe:
The MD5 hash of pup4message.exe can also be found in the CSV file, but I'll use a few other artifacts as well.
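The filtering done by hand in the spreadsheet above can be scripted so the same triage is repeatable on the next host. The following is an added example, not code from the page or from Velociraptor: it parses a constructed Autoruns CSV (four rows, not the 1453-row export; the column names are assumed to follow autorunsc's CSV layout, and the MD5 values are placeholders), flags entries with no Company metadata and entries whose image lives outside the Windows and Program Files trees, and builds the matching reg delete line for registry-based entries.

```python
import csv
import io

# Constructed sample of an Autoruns CSV export (assumption: column names mirror
# autorunsc's CSV output; MD5 values are placeholders, not real hashes).
SAMPLE_CSV = r"""Entry Location,Entry,Enabled,Category,Description,Company,Image Path,MD5
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,Windows Security notification icon,Microsoft Corporation,c:\windows\system32\securityhealthsystray.exe,00000000000000000000000000000001
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,OneDrive,enabled,Logon,Microsoft OneDrive,Microsoft Corporation,c:\users\ieuser\appdata\local\microsoft\onedrive\onedrive.exe,00000000000000000000000000000002
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,DemoAgent,enabled,Logon,,,c:\program files\demoagent\agent.exe,00000000000000000000000000000003
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run,PUP4,enabled,Logon,,,c:\pup4message.exe,00000000000000000000000000000004
"""

# Directories where autostart images normally live; anything else deserves a look.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def parse_autoruns_csv(text):
    """Parse the CSV export into a list of dict rows keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def in_trusted_dir(image_path):
    return image_path.strip().lower().startswith(TRUSTED_DIRS)


def no_company(rows):
    """Rows with an empty Company field (the filter used in the spreadsheet)."""
    return [r for r in rows if not r["Company"].strip()]


def triage(rows):
    """Score every row; entries with the most reasons come first."""
    findings = []
    for row in rows:
        reasons = []
        if not row["Company"].strip():
            reasons.append("no Company metadata")
        if not in_trusted_dir(row["Image Path"]):
            reasons.append("image outside Windows/Program Files")
        if reasons:
            findings.append({
                "Entry Location": row["Entry Location"],
                "Entry": row["Entry"],
                "Image Path": row["Image Path"],
                "MD5": row["MD5"],
                "reasons": reasons,
            })
    # sorted() is stable, so ties keep their CSV order
    return sorted(findings, key=lambda f: -len(f["reasons"]))


def reg_delete_command(finding):
    """Build the reg delete line for a registry-based autorun entry."""
    location = finding["Entry Location"]
    if not location.upper().startswith("HK"):
        raise ValueError("not a registry entry: " + location)
    return "reg delete %s /v %s /f" % (location, finding["Entry"])


if __name__ == "__main__":
    for f in triage(parse_autoruns_csv(SAMPLE_CSV)):
        print(f["Entry"], f["Image Path"], f["MD5"], "; ".join(f["reasons"]))
```

Empty Company alone is noisy (the constructed DemoAgent row shows a vendor that simply omitted version information), which is why the second heuristic on the image path is combined with it; the entry with both indicators is the one to pivot on with Pslist and a memory dump.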
Windows.System.Pslist
Configure the collector with the regex pattern pup to list only the matching processes.
The purpose of this step is to verify that the pup4message process is actually the one creating the popup message.
For that we use the following artifact:
Windows.Triage.ProcessMemory
Again I'll use the regex pattern pup* and let it run. (Note that as a regex, pup* means "pu" followed by zero or more p, so it also matches any process name containing "pu"; the plain pattern pup from the previous step is the tighter choice.)
After a while the dump can be downloaded under Uploaded Files.
We can now analyse the dump with the strings command.
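One caveat when running strings over a Windows process dump: GUI text such as a message-box caption is usually stored as UTF-16LE, which plain strings does not report (GNU strings needs -el for that). The following is an added example, not code from the page: a minimal strings implementation in Python that extracts both ASCII and UTF-16LE runs and greps them for a pattern, run over a constructed byte buffer that stands in for the downloaded dump.

```python
import re

# Constructed stand-in for the process memory dump downloaded from Velociraptor:
# an ASCII string and a UTF-16LE string embedded in junk bytes.
ASCII_MSG = b"pup4message.exe"
WIDE_MSG = "YOUR MACHINE IS PWNED BY DOUBLEBAD!".encode("utf-16-le")
SAMPLE_DUMP = (b"\x00\x01\x02" + ASCII_MSG + b"\x00\xff\x10"
               + WIDE_MSG + b"\x00\x00\x7f" + b"ab\x00")


def strings_ascii(data, min_len=4):
    """Printable ASCII runs of at least min_len bytes (what plain `strings` reports)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def strings_utf16le(data, min_len=4):
    """Runs of printable chars each followed by a NUL byte (what `strings -el` reports)."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group().decode("utf-16-le") for m in re.finditer(pattern, data)]


def extract_strings(data, min_len=4):
    """Union of both encodings, ASCII hits first."""
    return strings_ascii(data, min_len) + strings_utf16le(data, min_len)


def grep_strings(data, regex, min_len=4):
    """Case-insensitive filter over the extracted strings, like `strings | grep -i`."""
    rx = re.compile(regex, re.IGNORECASE)
    return [s for s in extract_strings(data, min_len) if rx.search(s)]


if __name__ == "__main__":
    for s in grep_strings(SAMPLE_DUMP, r"pup|pwned"):
        print(s)
```

If the dump only yields file names and paths but not the popup text, rerun with the UTF-16 pass before concluding the string is absent from memory.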
The purpose of this step is to see whether other EXE files on the target computer are also involved.
For that I use the following artifact:
Windows.Detection.Yara.NTFS
I set the following options:
I expected a result, but for some reason I got no results back. I also missed the YARA shortener option, which was not available in this artifact; according to the description it should be available. I have to let this rest for a moment and continue with the remediation!
The purpose of this step is to remove the malware from the client: stop the process, remove the Run key entry that Autoruns reported above, then delete the file.
Launch these commands one at a time from an elevated command prompt (add /F to TASKKILL if the process does not terminate):
TASKKILL /FI "IMAGENAME eq pup4message.exe"
reg delete HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run /v PUP4 /f
del c:\pup4message.exe