Scenario

John Grunewald was deleting some old accounting documents when he accidentally deleted an important document he had been working on. He panicked and downloaded software to recover the document, but after installing it, his PC started behaving strangely. Feeling even more demoralised and depressed, he alerted the IT department, who immediately locked down the workstation and recovered some forensic evidence. Now it is up to you to analyze the evidence to understand what happened on John’s workstation.

Artifacts Provided

  • Trojan.zip - SHA256:4d423db0dd4595fbd507eb97e16c42f806f272445bab1356b3a486c7d4867ef8

Initial Analysis

From the artifacts at our disposal we know that we will need to do some network and memory forensics as well as analyze the disk image. We have:

  • .pcapng: Network packet capture. Analyze with Wireshark.
  • .ad1: Logical disk image copy. Analyze with FTK Imager.
  • .vmem: Memory capture. Analyze with Volatility.

Questions

1. What is the build version of the operating system?

Show solution
19041

To find the build version we start from the memory dump file memory.vmem and use Volatility 3 to get basic information about the OS from the memory image. The build number is part of the NTBuildLab string in the windows.info output.

vol.exe -f '.\memory capture\memory.vmem' windows.info

2. What is the computer hostname?

Show solution
DESKTOP-38NVPD0

For the hostname we can check the environment variables of the system; the COMPUTERNAME variable carries it:

vol.exe -f '.\memory capture\memory.vmem' windows.envars

Alternatively, open the network capture in Wireshark and look at the first NetBIOS packets, which carry the host's name.

3. What is the name of the downloaded ZIP file?

Show solution
Data_Recovery.zip

We can get that either from Wireshark, by looking at the HTTP traffic, or by opening the disk image in FTK Imager and browsing the user's Downloads folder.

4. What is the domain of the website (including the third-level domain) from which the file was downloaded?

Show solution
praetorial-gears.000webhostapp.com

For that we use Wireshark as suggested in the previous question: the Host header of the HTTP GET request for the ZIP file gives the full domain.

5. The user then executed the suspicious application found in the ZIP archive. What is the process PID?

Show solution
484

That is a classic question for Volatility to answer.

vol.exe -f '.\memory capture\memory.vmem' windows.pslist

We focus on the first executable in the chain, the setup binary itself rather than the child processes it spawns.

6. What is the full path of the suspicious process?

Show solution
C:\Users\John\Downloads\Data_Recovery\Recovery_Setup.exe

For this we need the process tree, which in recent Volatility 3 releases includes the full image path; windows.cmdline --pid <PID> returns the command line with the full path as well.

vol.exe -f '.\memory capture\memory.vmem' windows.pstree --pid <PID>

7. What is the SHA-256 hash of the suspicious executable?

Show solution
C34601c5da3501f6ee0efce18de7e6145153ecfac2ce2019ec52e1535a4b3193

For this we can simply export the hash list from FTK Imager, or export the artifact itself and compute its SHA-256 hash.

8. When was the malicious program first executed?

Show solution
2023-05-30 02:06:29

Initially we might think of using the process creation timestamps from the memory dump, but as it turns out these are not what is asked for. The question wants the time the malware was first executed, which implies it was executed more than once, before the run that was still live in memory. To answer it we look at the Prefetch files. Other artifacts could reveal this information too, but the disk image we have contains the whole .\Prefetch folder. We export it as a folder (C:\Users\p4n4\Documents\trojan\Prefetch) from FTK Imager and then run a Prefetch parser to get the data in a convenient format. We use PECmd, which records the last run time plus up to seven earlier run times for each executable (Windows 8 and later keep eight timestamps per prefetch file).

PECmd.exe -d C:\Users\p4n4\Documents\trojan\Prefetch\ --csv C:\Users\p4n4\Documents\trojan\ --csvf prefetch.csv

Then we load prefetch.csv into Timeline Explorer. Searching for the malware's file name reveals its execution times; the earliest of the recorded run timestamps is the answer.

9. How many times in total has the malicious application been executed?

Show solution
2

Evident from the previous question: the RunCount column of the PECmd output for the malware's prefetch entry gives the total directly.

10. The malicious application references two .TMP files, one is IS-NJBAT.TMP, which is the other?

Show solution
IS-R7RFP.TMP

That can also be found in Timeline Explorer after searching for the malware file name: the FilesLoaded column lists every file the executable touched, including the two temporary directories. The IS-XXXXX.TMP naming is the pattern Inno Setup installers use for the temporary files they extract, which fits a program posing as a setup wizard.
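The three prefetch questions above are answered by the same lookup over the PECmd CSV, so here is that lookup scripted rather than done by hand in Timeline Explorer. This is an added example, not part of the original writeup or of PECmd: the CSV sample is constructed to mirror PECmd's column layout (the timestamp format and the ", " separator inside FilesLoaded are assumptions), and its executable names, volume IDs and timestamps are placeholders rather than the challenge's real data.

```python
"""Triage a PECmd CSV export for one executable: first run, run count and the
temporary files it loaded. Added example with constructed sample data."""
import csv
import fnmatch
import io
import re
from datetime import datetime

# Constructed sample in PECmd's CSV layout (subset of columns). Volume IDs,
# timestamps and IS-xxxxx.TMP names are placeholders, not challenge data.
SAMPLE_CSV = r'''SourceFilename,ExecutableName,RunCount,LastRun,PreviousRun0,PreviousRun1,FilesLoaded
C:\Windows\Prefetch\RECOVERY_SETUP.EXE-1A2B3C4D.pf,RECOVERY_SETUP.EXE,2,2023-05-30 02:04:41,2023-05-30 01:58:03,,"\VOLUME{01d9a1b2c3d4e5f6-a1b2c3d4}\USERS\JOHN\DOWNLOADS\DATA_RECOVERY\RECOVERY_SETUP.EXE, \VOLUME{01d9a1b2c3d4e5f6-a1b2c3d4}\USERS\JOHN\APPDATA\LOCAL\TEMP\IS-AAAAA.TMP\RECOVERY_SETUP.TMP, \VOLUME{01d9a1b2c3d4e5f6-a1b2c3d4}\USERS\JOHN\APPDATA\LOCAL\TEMP\IS-BBBBB.TMP\_ISETUP\_SHFOLDER.DLL"
C:\Windows\Prefetch\NOTEPAD.EXE-9A1B2C3D.pf,NOTEPAD.EXE,5,2023-05-29 11:00:00,2023-05-28 09:30:00,2023-05-27 08:00:00,\VOLUME{01d9a1b2c3d4e5f6-a1b2c3d4}\WINDOWS\SYSTEM32\NOTEPAD.EXE
'''

# PECmd emits the last run plus up to seven earlier runs; unused slots are empty.
RUN_COLUMNS = ["LastRun"] + [f"PreviousRun{i}" for i in range(7)]
TIMESTAMP_FORMAT = "%Y-%m-%d %H:%M:%S"  # assumed; fractional seconds are dropped


def load_rows(csv_text):
    """Parse the CSV text into one dict per prefetch file."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def find_executable(rows, name):
    """Case-insensitive substring match on the ExecutableName column."""
    needle = name.upper()
    return [row for row in rows if needle in row["ExecutableName"].upper()]


def run_times(row):
    """All recorded run timestamps for the entry, oldest first."""
    stamps = []
    for column in RUN_COLUMNS:
        value = (row.get(column) or "").strip()
        if value:
            stamps.append(datetime.strptime(value.split(".")[0], TIMESTAMP_FORMAT))
    return sorted(stamps)


def first_execution(row):
    """Earliest run still recorded in the prefetch file (None if no timestamps)."""
    stamps = run_times(row)
    return stamps[0] if stamps else None


def run_count(row):
    """Total executions as counted by Windows, independent of the timestamp slots."""
    return int(row["RunCount"])


def loaded_files_matching(row, pattern="IS-*.TMP"):
    """Path components in FilesLoaded matching a glob, deduplicated, in order.
    Matching components rather than whole paths catches the IS-xxxxx.TMP
    directories that Inno Setup style installers extract into."""
    matches = []
    for path in re.split(r"[,;]\s*", row["FilesLoaded"]):
        for component in path.strip().split("\\"):
            if fnmatch.fnmatchcase(component.upper(), pattern.upper()) and component not in matches:
                matches.append(component)
    return matches


if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    for hit in find_executable(rows, "recovery_setup"):
        print(hit["ExecutableName"], "first run:", first_execution(hit),
              "runs:", run_count(hit), "tmp:", loaded_files_matching(hit))
```

Point the script at the real prefetch.csv by replacing SAMPLE_CSV with the file contents; the earliest run is the first-execution answer, RunCount answers the count question, and the glob match returns the temporary directories. Note that the run timestamps only cover the last eight executions, so RunCount can exceed the number of timestamps for frequently run programs.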

11. How many of the URLs contacted by the malicious application were detected as malicious by VirusTotal?

Show solution
4

We look at the point in the capture where the HTTP requests to the C2 server begin, build the full URLs (Host header plus request URI) from those requests, and look each one up in VirusTotal.

12. The malicious application downloaded a binary file from one of the C2 URLs, what is the name of the file?

Show solution
puk.php

Finding the binary file from the C2 server again means looking at the HTTP packets in the capture. Look for the responses carrying more data than the usual small replies; Wireshark's File > Export Objects > HTTP lists every transferred object with its size, which makes the large one stand out. The name is taken from the requested URI, so it is the .php resource that served the binary rather than a conventional executable file name.
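The two C2 questions above come down to one pass over the reassembled HTTP stream: collect the requested URLs for the VirusTotal lookup, then pair each request with its response and flag the one whose body is a binary. The script below does that on a constructed client and server stream; it is an added example rather than part of the original writeup, the host name c2.example.invalid and the resource names are placeholders, and the "MZ" body stands in for a real PE file.

```python
"""Extract C2 URLs and the downloaded binary from reassembled HTTP streams.
Added example; both streams below are constructed, not captured traffic."""

# Constructed client->server bytes (the "Follow TCP Stream" view of one side).
CLIENT_TO_SERVER = (
    b"GET /check.php?id=1 HTTP/1.1\r\nHost: c2.example.invalid\r\n\r\n"
    b"GET /get.php HTTP/1.1\r\nHost: c2.example.invalid\r\n\r\n"
    b"POST /report.php HTTP/1.1\r\nHost: c2.example.invalid\r\nContent-Length: 2\r\n\r\nok"
    b"GET /file.php HTTP/1.1\r\nHost: c2.example.invalid\r\n\r\n"
)

# Constructed server->client bytes; the last response carries a fake PE image.
FAKE_PE = b"MZ" + b"\x00" * 200
SERVER_TO_CLIENT = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 2\r\n\r\nok"
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 0\r\n\r\n"
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 0\r\n\r\n"
    b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
    b"Content-Length: 202\r\n\r\n" + FAKE_PE
)


def parse_messages(stream):
    """Split one direction of an HTTP/1.1 stream into (start line, headers, body).
    Bodies are delimited by Content-Length; chunked encoding is rejected rather
    than silently misparsed."""
    messages = []
    pos = 0
    while pos < len(stream):
        head_end = stream.find(b"\r\n\r\n", pos)
        if head_end < 0:
            break
        lines = stream[pos:head_end].decode("latin-1").split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        if "chunked" in headers.get("transfer-encoding", "").lower():
            raise ValueError("chunked body not supported by this parser")
        length = int(headers.get("content-length", "0"))
        body_start = head_end + 4
        body = stream[body_start:body_start + length]
        messages.append((lines[0], headers, body))
        pos = body_start + length
    return messages


def requested_urls(client_stream):
    """Unique absolute URLs the client asked for, in first-seen order; this is
    the list to submit to VirusTotal."""
    urls = []
    for start_line, headers, _ in parse_messages(client_stream):
        _, target, _ = start_line.split(" ", 2)
        url = f"http://{headers.get('host', '')}{target}"
        if url not in urls:
            urls.append(url)
    return urls


def binary_downloads(client_stream, server_stream, min_size=1024):
    """Pair requests with responses in order (no pipelining assumed) and flag
    responses that look like a delivered binary: PE magic, octet-stream type,
    or simply a body much larger than the C2 beacon replies."""
    found = []
    for (start_line, _, _), (_, resp_headers, body) in zip(
            parse_messages(client_stream), parse_messages(server_stream)):
        target = start_line.split(" ")[1]
        is_pe = body[:2] == b"MZ"
        is_octet = resp_headers.get("content-type", "").startswith("application/octet-stream")
        if is_pe or is_octet or len(body) >= min_size:
            name = target.split("?")[0].rsplit("/", 1)[-1]
            found.append({"name": name, "size": len(body), "pe": is_pe})
    return found


if __name__ == "__main__":
    for url in requested_urls(CLIENT_TO_SERVER):
        print("C2 URL:", url)
    print("binaries:", binary_downloads(CLIENT_TO_SERVER, SERVER_TO_CLIENT))
```

To feed real data in, save each direction of the C2 conversation from Wireshark's Follow TCP Stream as raw bytes, or pull the URL list directly with tshark -r capture.pcapng -Y http.request -T fields -e http.host -e http.request.uri. The resource that served the binary is reported by its URI name, which is why the answer is a .php name rather than an .exe.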

13. Can you find any indication of the actual name and version of the program that the malware is pretending to be?

Show solution
FinalRecovery v3.0.7.0325

This one took a bit more investigation. From the installed application locations we knew it called itself FLSCover, but the challenge wants something else. The memory and network artifacts did not reveal it, so we looked online for public sandbox analysis of the malware file. The Hybrid Analysis report showed strings embedded in the malware that give the actual name and version of the program it impersonates. Since those strings live in the executable itself, running strings over the file exported from the disk image, or inspecting its PE version resource, is the offline route to the same answer.