# Velociraptor P2

### 1. Introduction

![](/files/9wJfkG7eETvW0Vkkm5tr)

In this exercise we will infect a Windows client with a simple malware sample and investigate it with Velociraptor.

Prerequisite:

* Linux VM (<https://livecd.hacking-lab.com/>)
* Windows 10 VM (<https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/>)
* PUP Malware Sample (<https://samsclass.info/152/proj/pup4.zip>)
  * Password: malware

If you need instructions on how to set up Velociraptor, please go back to [Part1](/cas-cybersecurity/live-response/velociraptor-p1.md) of this series.

MITRE ATT&CK techniques used in this exercise:

**T1204.002**: User Execution: Malicious File\
**T1547.001**: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder\
**T1562.001**: Impair Defenses: Disable or Modify Tools

[Original Lab](https://samsclass.info/152/proj/IR372.htm) developed by Sam Bowne:

{% embed url="<https://samsclass.info/>" %}

### 2. Infecting Windows Client

Note: Disable Windows Defender first.

Download the PUP Malware Sample from above and extract it.

<div align="left"><img src="/files/osq8Awqefh44ih0pbeOY" alt=""></div>

1. Run `pup4.exe` as administrator.
2. Move `pup4message.exe` to `C:\`.
3. Delete `pup4.zip` and the `pup4` folder. Empty the Recycle Bin.
4. **Restart your machine**. If an "Open File - Security Warning" box pops up, uncheck the "Always ask before opening this file" box and click **Run**.

<div align="left"><img src="/files/sQ8LvraDk2v6llCPrtVA" alt=""></div>

After logging in to our Win10 box, we see this nice popup:

YOUR MACHINE IS PWNED BY DOUBLEBAD!

![](/files/Rlq5iXxg0CsnHLUf1ImV)

### 3. Investigation with Velociraptor

First, make sure that the Windows box is connected to the Velociraptor server:

![](/files/OT6Sm7y1lgfe2ij5W4iL)

From here we can open the client by its client ID and click on the **Collected** button.

<div align="left"><img src="/files/hOJ6c1qWaeFb2oo2I0wm" alt=""></div>

We can then click on the **plus sign** to prepare and execute a specific artifact on the client.

<div align="left"><img src="/files/TKMxkGoyaYiLiIokJM1V" alt=""></div>

### 3.1 Check Autorun paths

Use the search box to find this collector, as shown below.

> **Windows.Sysinternals.Autoruns**

<div align="left"><img src="/files/XkhseWB331DYsVraOKS3" alt=""></div>

I launch the collector with its default values. After a while, the results come back with 1453 rows. For a better overview I download the results as a CSV file.

![](/files/yP7pD2d0DE4Ei5OpjFAp)

With the help of the CSV file I can filter the rows to show only those where the Company field is empty. This way I could successfully identify the **autorun path** of pup4message.exe:

![](/files/xeNxXipXpRlOEadigcZX)
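The same "Company field is empty" filter, done in Python on a constructed CSV in the layout of a Sysinternals autorunsc export (this is an added example, not part of the original lab; the column set is an assumption and the MD5 values are placeholders):

```python
import csv
import io

# Constructed sample in the layout of a Sysinternals autorunsc CSV export (the
# column set is an assumption; real exports carry more columns such as Time and
# Signer). The MD5 values are placeholders, not real digests.
SAMPLE_CSV = r"""Entry Location,Entry,Enabled,Category,Description,Company,Image Path,Launch String,MD5
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,Windows Security notification icon,Microsoft Corporation,c:\windows\system32\securityhealthsystray.exe,%windir%\system32\SecurityHealthSystray.exe,MD5_PLACEHOLDER_1
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run,PUP4,enabled,Logon,,,c:\pup4message.exe,c:\pup4message.exe,MD5_PLACEHOLDER_2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,OneDrive,enabled,Logon,Microsoft OneDrive,Microsoft Corporation,c:\users\ieuser\appdata\local\microsoft\onedrive\onedrive.exe,c:\users\ieuser\appdata\local\microsoft\onedrive\onedrive.exe /background,MD5_PLACEHOLDER_3
"""


def rows_without_company(csv_text):
    """The filter used on the Autoruns CSV: keep only rows whose Company field is empty.

    Unsigned or home-grown binaries usually carry no company metadata, so this
    quickly separates them from the vendor-signed noise (1453 rows in the lab).
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    return [row for row in reader if not row["Company"].strip()]


def autorun_path(csv_text, image_name):
    """Return the autorun location(s) (Entry Location\\Entry) whose Image Path ends
    with image_name, i.e. the registry key and value that start the binary."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [row["Entry Location"] + "\\" + row["Entry"]
            for row in reader
            if row["Image Path"].lower().endswith(image_name.lower())]


if __name__ == "__main__":
    for row in rows_without_company(SAMPLE_CSV):
        print(row["Entry"], row["Image Path"], row["MD5"])
    print(autorun_path(SAMPLE_CSV, "pup4message.exe"))
```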

### 3.2 Get MD5 Hash of binary

The MD5 hash of pup4message.exe could also be found in the CSV file, but I'll use some other artifacts as well.

> **Windows.System.Pslist**

<div align="left"><img src="/files/5pTCT0Uwv2ZjvbDLA0Qg" alt=""></div>

Configure the collector with the regex pattern `pup.`

<div align="left"><img src="/files/EF6td3ee49U3VHtzS9vg" alt=""></div>

![](/files/02amNJ2XhTX2HeXt982p)

### 3.3 Process Memory dump

The purpose of this step is to verify that the "**pup4message**" process is actually creating the pop-up message.

For that we use the following artifact:

> **Windows.Triage.ProcessMemory**

<div align="left"><img src="/files/zO4Fzy1meK2986wdJp3H" alt=""></div>

Again I'll use the regex pattern `pup*` and let it run.

<div align="left"><img src="/files/uzPTu0bmPe5kSj12MQRb" alt=""></div>

After a while it's possible to download the dump under uploaded files.

<div align="left"><img src="/files/0CQqk7KAmTTZyYv6sDHt" alt=""></div>

We can now analyse the dump using the `strings` command (`-el` selects 16-bit little-endian, i.e. UTF-16, strings, which is how Windows stores the text of the pop-up in memory):

```sh
strings -el dmp2505619614.dmp | grep BAD
```

![](/files/X4qgSj6SBfM8CeSyVUfb)

### 3.4 YARA Hunt

The purpose of this step is to see if other EXE files on the target computer are also involved.

For that I use the following artifact:

> **Windows.Detection.Yara.NTFS**

<div align="left"><img src="/files/07fldlFitKLz49pzGVGO" alt=""></div>

I set the following options:

<div align="left"><img src="/files/SumLJkglWQy2luTHU5UD" alt=""></div>

<div align="left"><img src="/files/MWB1v8WdeHtqZd1FCHJE" alt=""></div>

```yara
rule Hit {
    strings:
        $a = "PWNED" nocase wide ascii
    condition:
        any of them
}
```

I did expect a result, but for some reason I got no results back. I also missed the YARA shortener option, which was not available in this artifact. According to the description it should be available. I have to let this stay for a moment and continue with the remediation!
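The following Python reproduces what the `strings -el ... | grep BAD` step in 3.3 and the `nocase wide ascii` modifiers of the YARA rule in 3.4 actually match. It is an added example, not code from the lab or from Velociraptor; `DUMP` is a constructed byte buffer standing in for a fragment of the process dump, not bytes from the real pup4message.exe dump.

```python
import re

# Constructed stand-in for a fragment of a process memory dump: an ASCII string,
# the pop-up text as a UTF-16LE ("wide") string, the form in which Windows APIs
# such as MessageBoxW hold text, and some filler. Not bytes from the real dump.
DUMP = (
    b"\x00\x00kernel32.dll\x00\x01\x02"
    + "YOUR MACHINE IS PWNED BY DOUBLEBAD!".encode("utf-16-le")
    + b"\x00\x00\x7f\xff"
    + b"pwned-ascii-marker\x00"
)


def ascii_strings(buf, min_len=4):
    """Printable ASCII runs of at least min_len bytes, like plain `strings`."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, buf)]


def wide_strings(buf, min_len=4):
    """UTF-16LE runs (printable byte followed by 0x00), like `strings -el`."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group().decode("utf-16-le") for m in re.finditer(pattern, buf)]


def grep_strings(buf, needle, wide=True):
    """`strings [-el] dump | grep needle`: strings of one encoding containing needle."""
    found = wide_strings(buf) if wide else ascii_strings(buf)
    return [s for s in found if needle in s]


def yara_like_offsets(buf, needle, ascii_=True, wide=True, nocase=True):
    """Emulate a YARA string with the `ascii wide nocase` modifiers: byte offsets
    of needle in either encoding, case-insensitively. YARA's `wide` is UTF-16LE."""
    flags = re.IGNORECASE if nocase else 0
    hits = []
    if ascii_:
        pat = re.escape(needle.encode("ascii"))
        hits += [("ascii", m.start()) for m in re.finditer(pat, buf, flags)]
    if wide:
        pat = re.escape(needle.encode("utf-16-le"))
        hits += [("wide", m.start()) for m in re.finditer(pat, buf, flags)]
    return sorted(hits, key=lambda h: h[1])


if __name__ == "__main__":
    print(grep_strings(DUMP, "BAD"))              # the strings -el | grep BAD step
    print(grep_strings(DUMP, "BAD", wide=False))  # plain strings misses the wide text
    print(yara_like_offsets(DUMP, "PWNED"))       # what the YARA rule would report
```

Plain `strings` without `-el` never sees the pop-up text, which is why the rule needs `wide` to hit the same text on disk.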

### 4. Remediation

The purpose of this step is to remove the malware from the client.

Launch these commands, one at a time:

> **TASKKILL /FI "IMAGENAME eq pup4message.exe"**
>
> **reg delete HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run /v PUP4 /f**
>
> **del c:\pup4message.exe**

![](/files/KM1PgKiW1EniRHeRRek4)
