Velociraptor P2

Last updated 2 years ago

1. Introduction

In this exercise we will infect a Windows client with a simple malware sample and investigate it with Velociraptor.

Prerequisites:

    • Linux VM: https://livecd.hacking-lab.com/
    • Windows 10 VM: https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/
    • PUP Malware Sample: https://samsclass.info/152/proj/pup4.zip
    • Password: malware

MITRE ATT&CK techniques used in this exercise:

    • T1204.002: User Execution: Malicious File
    • T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
    • T1562.001: Impair Defenses: Disable or Modify Tools

2. Infecting Windows Client

Note: Disable Windows Defender first.

Download the PUP Malware Sample from the prerequisites and extract it.

    1. Run pup4.exe as administrator.
    2. Move pup4message.exe to C:\
    3. Delete pup4.zip and the pup4 folder. Empty the Recycle Bin.
    4. Restart your machine. If an "Open File - Security Warning" box pops up, uncheck the "Always ask before opening this file" box and click Run.

After logging in to our Windows 10 box again, we are greeted by this popup:

YOUR MACHINE IS PWNED BY DOUBLEBAD!

3. Investigation with Velociraptor

First make sure that the Windows box is connected to the Velociraptor server:

From there we can open the client ID and click on the Collected button.

We can then click on the plus sign to prepare and execute a specific artifact on the client.

3.1 Check Autorun paths

Use the search box to find this collector:

Windows.Sysinternals.Autoruns

I'll launch the collector with its default values. After a while I get the results back, 1453 rows. For a better overview I'll download the results as a CSV file.

With the CSV file I can apply filters to show only rows where the Company field is empty. That way I could successfully identify the autorun path of pup4message.exe:

3.2 Get MD5 Hash of binary

The MD5 hash of pup4message.exe can also be found in the CSV file, but I'll use some other artifacts as well.

Windows.System.Pslist

Configure the collector with the regex pattern pup.
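The CSV filtering from 3.1 and the regex lookup from 3.2 can be reproduced offline with a few lines of Python. The script below is an added example and not code from the page or from Velociraptor: it reads an Autoruns-style CSV export, returns the rows whose Company field is empty, and can also search entries by a case-insensitive regex such as pup. The column names and the three sample rows are constructed to resemble an Autoruns export and are assumptions; the MD5 values are placeholders, not real hashes.

```python
import csv
import io
import re

# Constructed sample shaped like an Autoruns CSV export. The column names follow
# Sysinternals Autoruns output and are an assumption; the page's real export had
# 1453 rows. The MD5 values are placeholders, not real hashes.
SAMPLE_AUTORUNS_CSV = """Entry Location,Entry,Enabled,Category,Description,Company,Image Path,MD5
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,SecurityHealth,enabled,Logon,Windows Security notification icon,Microsoft Corporation,c:\\windows\\system32\\securityhealthsystray.exe,PLACEHOLDER_MD5_1
HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run,PUP4,enabled,Logon,,,c:\\pup4message.exe,PLACEHOLDER_MD5_2
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,OneDrive,enabled,Logon,Microsoft OneDrive,Microsoft Corporation,c:\\users\\user\\appdata\\local\\microsoft\\onedrive\\onedrive.exe,PLACEHOLDER_MD5_3
"""


def _rows(csv_text):
    """Parse the CSV text into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def _summary(row):
    """Keep only the fields an analyst needs to follow up on an autorun."""
    return {
        "location": row.get("Entry Location", ""),
        "entry": row.get("Entry", ""),
        "image": row.get("Image Path", ""),
        "md5": row.get("MD5", ""),
    }


def entries_without_company(csv_text):
    """Rows whose Company field is empty: the filter used in 3.1 to spot
    autoruns that carry no vendor information."""
    return [_summary(r) for r in _rows(csv_text)
            if not (r.get("Company") or "").strip()]


def entries_matching(csv_text, pattern):
    """Rows whose Entry or Image Path matches a case-insensitive regex,
    the same kind of filter as the Pslist regex in 3.2."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [
        _summary(r) for r in _rows(csv_text)
        if rx.search(r.get("Entry", "")) or rx.search(r.get("Image Path", ""))
    ]


if __name__ == "__main__":
    for hit in entries_without_company(SAMPLE_AUTORUNS_CSV):
        print("no company:", hit["location"], hit["entry"], hit["image"], hit["md5"])
    for hit in entries_matching(SAMPLE_AUTORUNS_CSV, "pup"):
        print("regex hit:  ", hit["location"], hit["entry"], hit["image"], hit["md5"])
```

On a real export, replace SAMPLE_AUTORUNS_CSV with the file contents; an empty Company field is only a triage heuristic, so the hits still need the hash and path checks from the following steps.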

3.3 Process Memory dump

The purpose of this step is to verify that the "pup4message" process is actually the one creating the pop-up message.

For that we use the following artifact:

Windows.Triage.ProcessMemory

Again I'll use the regex pattern pup* and let it run.

After a while it is possible to download the dump under Uploaded Files.

We can now analyse the dump with the strings command; -el selects 16-bit little-endian (UTF-16LE) strings, the encoding Windows uses for wide-character text:

strings -el dmp2505619614.dmp | grep BAD
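To show why the -el flag matters, here is an added Python example (not code from the page) that does the same job as strings plus grep on a small constructed byte buffer: it extracts printable ASCII runs and printable UTF-16LE runs separately and then searches both sets for a needle, case-insensitively. The buffer is a stand-in built inline, not the page's dmp2505619614.dmp; the popup text is embedded as UTF-16LE because that is how Windows stores wide strings.

```python
import re

MIN_LEN = 4  # same default minimum length as the strings utility


def build_sample_dump():
    """Constructed stand-in for a slice of process memory: two ASCII strings,
    the popup text as UTF-16LE, some non-printable bytes and zero padding."""
    pad = b"\x00" * 8
    return (
        pad
        + b"kernel32.dll" + pad
        + "YOUR MACHINE IS PWNED BY DOUBLEBAD!".encode("utf-16-le") + pad
        + b"MessageBoxW" + b"\x01\x02" + pad
    )


def ascii_strings(data, min_len=MIN_LEN):
    """Printable-ASCII runs, what plain `strings` would print."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def utf16le_strings(data, min_len=MIN_LEN):
    """Printable runs encoded as UTF-16LE (each character followed by a zero
    byte), what `strings -el` (16-bit little-endian) would print."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group().decode("utf-16-le") for m in re.finditer(pattern, data)]


def grep_strings(data, needle, nocase=True):
    """Every extracted string, ASCII or wide, that contains needle; the
    equivalent of piping both string sets through grep (-i when nocase)."""
    flags = re.IGNORECASE if nocase else 0
    rx = re.compile(re.escape(needle), flags)
    return [s for s in ascii_strings(data) + utf16le_strings(data) if rx.search(s)]


if __name__ == "__main__":
    dump = build_sample_dump()
    print("ascii only :", grep_strings(dump, "BAD") and
          [s for s in ascii_strings(dump) if "BAD" in s])
    print("ascii+wide :", grep_strings(dump, "BAD"))
```

Run against the sample, the ASCII pass finds only the DLL and API names while the popup text appears only in the UTF-16LE pass, which is exactly why plain strings would miss it. The same distinction is what the wide and ascii modifiers express in the YARA rule used in 3.4.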

3.4 YARA Hunt

The purpose of this step is to see if other EXE files on the target computer are also involved.

For that I use the following artifact:

Windows.Detection.Yara.NTFS

I set the following options:

rule Hit {
    strings:
        $a = "PWNED" nocase wide ascii
    condition:
        any of them
}

I did expect a result, but for some reason I got no results back. I also missed the YARA shortener option, which was not available in this artifact; according to the description it should be. I have to leave this for a moment and continue with the remediation!

4. Remediation

The purpose of this step is to remove the malware from the client.

Launch these commands, one at a time:

TASKKILL /FI "IMAGENAME eq pup4message.exe"

reg delete HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run /v PUP4 /f

del c:\pup4message.exe

Links:

Linux VM: https://livecd.hacking-lab.com/
Windows 10 VM: https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/
PUP Malware Sample: https://samsclass.info/152/proj/pup4.zip

If you need instructions on how to set up Velociraptor, please go back to Part 1 of this series.

The original lab was developed by Sam Bowne (samsclass.info: Sam Bowne Class Information).