# Velociraptor P2

### 1. Introduction

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FYS8U9JTdEa2esfqPoW88%2Fsetup2.png?alt=media\&token=eaae1573-e9cf-4c99-9b14-301ce6299e7a)

In this exercise we will infect a Windows client with a simple malware sample and investigate it with Velociraptor.

Prerequisite:

* Linux VM (<https://livecd.hacking-lab.com/>)
* Windows 10 VM (<https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/>)
* PUP Malware Sample (<https://samsclass.info/152/proj/pup4.zip>)
  * Password: malware

If you need instructions on how to set up Velociraptor, please go back to [Part1](https://cas-cyber.gitbook.io/cas-cybersecurity/live-response/velociraptor-p1) of this series.

MITRE ATT&CK techniques used in this exercise:

**T1204.002**: User Execution: Malicious File\
**T1547.001**: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder\
**T1562.001**: Impair Defenses: Disable or Modify Tools

[Original Lab](https://samsclass.info/152/proj/IR372.htm) developed by Sam Bowne:

{% embed url="<https://samsclass.info/>" %}

### 2. Infecting Windows Client

Note: Disable Windows Defender before continuing.

Download the PUP Malware Sample from above and extract it.

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FgYVkaGy6XdtQDD0bwi53%2Fpup01.png?alt=media&#x26;token=3f5e1a34-4797-4f06-bb8a-e4ba4a92f855" alt=""></div>

1\. Run `pup4.exe` as administrator\
2\. Move `pup4message.exe` to C:\\\
3\. Delete pup4.zip and the pup4 folder. Empty the Recycle Bin.\
4\. **Restart your machine**. If an "Open File - Security Warning" box pops up, uncheck the "Always ask before opening this file" box and click **Run**.

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FtFOGE0tKGCHM7RQ0iY3U%2Flogin01.png?alt=media&#x26;token=91e2926d-5e96-4a9c-880b-ddbf4b00cfad" alt=""></div>

After logging in to our Win10 box, we see this popup:

YOUR MACHINE IS PWNED BY DOUBLEBAD!

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2F5q4YcS6YLzU1arcNysX5%2Flogin02.png?alt=media\&token=4b55332d-4d65-4f51-acdb-b33e286274e9)

### 3. Investigation with Velociraptor

First, make sure that the Windows box is connected to the Velociraptor server:

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FPAuVTQ4S09tVODuRCzut%2Fvelociraptor14.png?alt=media\&token=756afd30-87b0-4929-8feb-b3ea274f3c67)

From here we can access the client ID and click on the **Collected** button.

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FUg0KpPLBYUuxfqPYc90z%2Fvelociraptor15.png?alt=media&#x26;token=4cf943f2-6f61-4394-b977-f476cf6ddafd" alt=""></div>

We can then click on the **plus sign** to configure and run a specific artifact on the client.

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FwnihcDlzKLv4iqUKzhXb%2Fvelociraptor16.png?alt=media&#x26;token=b057a96c-3c82-4fab-889c-34ecc00f6649" alt=""></div>

### 3.1 Check Autorun paths

Use the search box to find this collector, as shown below.

> **Windows.Sysinternals.Autoruns**

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FHdTow5BVlB77RWt4ApHP%2Fvelociraptor17.png?alt=media&#x26;token=8ccdfd37-54ee-43fc-83ff-93923ef12dda" alt=""></div>

I'll launch the collector with its default values. After a while I get the results back, 1453 rows. For a better overview I'll download the results as a CSV file.

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FjpV9Rhdj98p37YZM6ttA%2Fvelociraptor18.png?alt=media\&token=defd7c6c-a28a-4898-8627-2b637ec98fa1)

With the help of the CSV file I can apply filters to show only rows where the Company field is empty. I could successfully identify the **autorun path** of pup4message.exe:

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FWWCadIemfRy9j2Ve8Ndv%2Fautoruns01.png?alt=media\&token=3851465c-3e09-41ca-8e73-80f490ec9cd2)
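As an added illustration (not part of the original lab and not Velociraptor's own code), the same Company-is-empty filter applied programmatically to an Autoruns-style CSV. The column layout and the sample rows are constructed assumptions modelled on an Autoruns export; only the PUP4 row reflects the autorun location used in this exercise.

```python
import csv
import io
import re

# Constructed sample in the column layout of an Autoruns CSV export (a subset
# of the real columns). Not output from the lab machine; only the PUP4 row
# reproduces the autorun location named in this exercise.
SAMPLE_CSV = """Entry Location,Entry,Enabled,Category,Description,Company,Image Path,Launch String
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,SecurityHealth,enabled,Logon,Windows Security notification icon,Microsoft Corporation,c:\\windows\\system32\\securityhealthsystray.exe,%windir%\\system32\\SecurityHealthSystray.exe
HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run,PUP4,enabled,Logon,,,c:\\pup4message.exe,C:\\pup4message.exe
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,VBoxTray,enabled,Logon,VirtualBox Guest Additions Tray Application,Oracle Corporation,c:\\windows\\system32\\vboxtray.exe,%SystemRoot%\\system32\\VBoxTray.exe
"""

# A binary sitting directly in a drive root (c:\something.exe) is unusual for
# legitimate autostart entries; used here as a second, weaker indicator.
DRIVE_ROOT = re.compile(r"[a-z]:\\[^\\]+", re.IGNORECASE)


def suspicious_autoruns(csv_text: str):
    """Apply the lab's filter (empty Company field) to Autoruns CSV rows and
    return the matching entries together with the reason(s) they were flagged."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        if not row["Company"].strip():
            reasons.append("empty Company field")
        if DRIVE_ROOT.fullmatch(row["Image Path"].strip()):
            reasons.append("binary in drive root")
        if reasons:
            hits.append({
                "location": row["Entry Location"],
                "entry": row["Entry"],
                "image": row["Image Path"],
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for hit in suspicious_autoruns(SAMPLE_CSV):
        print(f"{hit['location']}\\{hit['entry']} -> {hit['image']} "
              f"({', '.join(hit['reasons'])})")
```

Point the same function at the CSV downloaded from the Autoruns collection to get the flagged entries without scrolling through all 1453 rows.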

### 3.2 Get MD5 Hash of binary

The MD5 hash of pup4message.exe can also be found in the CSV file, but I'll use some other artifacts as well.

> **Windows.System.Pslist**

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2Fy00NL542UwegKSSeAPPL%2Fvelociraptor19.png?alt=media&#x26;token=a373fc72-e032-44cb-b798-a34e6143a2b3" alt=""></div>

Configure the collector with the regex pattern `pup.`:

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FP2tYQc4FfM1uV1UjwYn1%2Fvelociraptor20.png?alt=media&#x26;token=50356c28-6354-4f94-9fc3-4296e229cc25" alt=""></div>

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FGeOQjowLmAXc4zZT8ztl%2Fpslist01.png?alt=media\&token=947825d9-f466-4ac6-adee-7b9cbf59c736)

### 3.3 Process Memory dump

The purpose of this step is to verify that the "**pup4message**" process is actually creating the pop-up message.

For that we use the following artifact:

> **Windows.Triage.ProcessMemory**

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FkAA6wHyMXMfDj5WTzIgX%2Ftriage01.png?alt=media&#x26;token=5e836403-8055-4491-818f-e804d095b868" alt=""></div>

Again I'll use the regex pattern `pup*` and let it run.

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FqWNxKjlROMBi9mlBPPX7%2Ftriage02.png?alt=media&#x26;token=5a759d3c-6fed-4187-ad48-cbeaf92a8362" alt=""></div>

After a while it's possible to download the dump under **Uploaded Files**.

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2F5JhdX8BDcZEab5JRyuGK%2Ftriage03.png?alt=media&#x26;token=30c53c3a-957e-4c93-96a5-bd0151c78cc2" alt=""></div>

We can now analyse the dump with the `strings` command. The `-el` option selects 16-bit little-endian characters, which is how Windows stores UTF-16 text such as message-box strings; a plain `strings` run without `-e` would not show the message:

```
strings -el dmp2505619614.dmp | grep BAD
```

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FtQje6ePgHOlg3RCTD3Xt%2Ftriage04.png?alt=media\&token=691db11e-e3ae-4d6e-97a4-5c18b2f7721f)

### 3.4 YARA Hunt

The purpose of this step is to see if other EXE files on the target computer are also involved.

For that I use the following artifact:

> **Windows.Detection.Yara.NTFS**

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FWvsAw80qwpVeyNKJNizD%2Fyara_detect01.png?alt=media&#x26;token=f68e97ef-4569-4594-b4e0-c7a9c144f4a2" alt=""></div>

I set the following options:

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FKCZxFjiZwb0T7jvI1BrC%2Fyara_detect02.png?alt=media&#x26;token=9edb02db-05aa-4c5f-bb6a-ad4276f62a65" alt=""></div>

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FQQklZfUQQVsxUcQuLpE2%2Fyara_detect03.png?alt=media&#x26;token=dccd1259-5df8-466f-9439-7d712414b2fb" alt=""></div>

```
rule Hit {
    strings:
        $a = "PWNED" nocase wide ascii
    condition:
        any of them
}
```
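To make both the `strings -el` step in 3.3 and the `nocase wide ascii` modifiers of this rule concrete, here is an added Python example (not from the lab, and not Velociraptor or YARA code) that extracts UTF-16LE strings from a constructed memory fragment and mirrors the rule's matching semantics. The sample buffer is constructed and the function names are assumptions.

```python
import re

# Constructed process-memory fragment, not a real dump: Windows GUI programs
# keep message-box text as UTF-16LE (a 0x00 byte after every character),
# surrounded here by some single-byte noise.
SAMPLE_DUMP = (
    b"\x00" * 8
    + b"kernel32.dll\x00\x00"
    + "YOUR MACHINE IS PWNED BY DOUBLEBAD!".encode("utf-16-le")
    + b"\x00\x00MZ\x90\x00"
)


def ascii_strings(buf: bytes, min_len: int = 4):
    """What plain `strings` prints: runs of printable single-byte characters."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, buf)]


def utf16le_strings(buf: bytes, min_len: int = 4):
    """What `strings -el` prints: runs of printable characters encoded UTF-16LE."""
    pat = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group().decode("utf-16-le") for m in re.finditer(pat, buf)]


def grep_wide(buf: bytes, needle: str):
    """`strings -el <dump> | grep <needle>` in one step."""
    return [s for s in utf16le_strings(buf) if needle in s]


def rule_hit(buf: bytes, needle: str = "PWNED", *,
             ascii_: bool = True, wide: bool = True, nocase: bool = True):
    """Mirror the modifiers of `$a = "PWNED" nocase wide ascii`: the string
    matches if it occurs in any enabled encoding; nocase makes the comparison
    case-insensitive for the ASCII letters in both encodings."""
    encodings = []
    if ascii_:
        encodings.append(needle.encode("ascii"))
    if wide:
        encodings.append(needle.encode("utf-16-le"))
    flags = re.IGNORECASE if nocase else 0
    return any(re.search(re.escape(enc), buf, flags) for enc in encodings)


if __name__ == "__main__":
    print("plain strings:", ascii_strings(SAMPLE_DUMP))          # misses the message
    print("strings -el | grep BAD:", grep_wide(SAMPLE_DUMP, "BAD"))
    print("rule, wide enabled:", rule_hit(SAMPLE_DUMP))          # True
    print("rule, ascii only:", rule_hit(SAMPLE_DUMP, wide=False))  # False
```

Dropping `wide` from a rule is the classic reason a YARA scan misses text that `strings -el` plainly shows.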

I did expect a result, but for some reason I got no results back. I also missed the YARA shortener option, which was not available in this artifact. According to the description it should be available. I have to leave this for a moment and continue with the remediation!

### 4. Remediation

The purpose of this step is to remove the malware from the client.

Launch these commands, one at a time, from an elevated (Administrator) command prompt, since deleting under HKLM and from the root of C: requires it:

```
TASKKILL /FI "IMAGENAME eq pup4message.exe"
reg delete HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run /v PUP4 /f
del c:\pup4message.exe
```

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FHI4ON3UzC1nkCQF1QTWl%2Fremediation01.png?alt=media\&token=65d5975a-19c5-47ba-b5d6-1827add3231d)
