Lab: https://blueteamlabs.online/home/investigation/divorce-court-91bc4ace7e
Category: Incident Response
Tools Used: PE Studio, HxD, Volatility 3, IDA, x64dbg, FTK Imager
Difficulty: Hard
Scenario
One of our senior executives, Lord Admin Clickford III, demanded we give him a local admin account on his workstation, since he's "*something of a computer genius*" as he likes to say.
Regardless, he clicks and opens nearly everything he sees and now we're becoming increasingly concerned about what else he might have done, especially as APT32 has been reported actively targeting our region.
Since he’s known for following best practices, the wizard has yet again compromised our environment. We’ve performed a disk and memory acquisition for the workstation and handed off the analysis tasks for this workstation to you to follow up on.
Q&A
Q1) According to the E01 file, who were the examiners performing the acquisition of the victim's workstation? (1 point)
A: Jaalma and SetecAstronomy
Q2) What is the name of the file that caused the initial infection, and from what URL was it downloaded? (3 points)
A: sample-divorce-agreement-clause.zip, http://bluehouselaw.com/sample-divorce-agreement-clause.zip
Q3) Specify the RESOURCE DEVELOPMENT and the INITIAL ACCESS techniques used by the adversary to compromise the victim. (Hint: We want the TECHNIQUE, NOT the SUB-TECHNIQUE) (3 points)
A: T1583, T1189
Q4) What is the MFT Record Number for the downloaded file, in HEX? (3 points)
A: 0xAD38
Q5) When the victim executed the file mentioned in the previous question (first-stage downloader), it injected some shellcode. This shellcode downloaded a second-stager binary to some directory and ensured persistence. From which website did the downloader get the second-stager binary, and where did it download it to? (Hint: Make sure to remove the double escape character. For instance, if you get X:\\Dir\\file.exe, the accepted answer is X:\Dir\file.exe) (10 points)
A: https://dfir.pt/jaalmasetec.btl, C:\ProgramData\USOShared\certutil.exe
Q6) The shellcode mentioned in the previous question makes use of several Windows libraries and several functions inside those libraries. For instance, it uses a lot of FUNCTIONS such as GetProcAddress from the Kernel32 LIBRARY. Which functions are used by the shellcode that do NOT belong to the Kernel32 library? List them in alphabetical order. (Hint: 2 functions) (7 points)
A: RegSetKeyValueA, URLDownloadToFileA
Q7) The shellcode mentioned in the previous question also ensures persistence in accordance with MITRE ATT&CK Technique ID T1547.001. What was the registry key VALUE added for the persistence mechanism? (Hint: consider the following command to define what is a KEY, its VALUE and its DATA: reg add KEY /v VALUE /d DATA) (5 points)
A: Windows Defender Certificate Update
Q8) The first-stage downloader from the previous questions pulls down a msfvenom payload that has been XORed. What is the XOR key to decrypt the shellcode (in HEX), and in which PE file section is the key stored in? (Hint: Examples of PE sections: .text, .data, …) (7 points)
A: 0xBAD6E7EC, .rdata
Q9) What are the first 8 bytes of the decoded msfvenom payload shellcode? (8 points)
A: \x48\x31\xc9\x48\x81\xe9\xc0\xff
Q10) We know that the shellcode generated by msfvenom, which has been XOR encrypted by the adversary, also has a built-in XOR encryption mechanism. What is the XOR key that is protecting the reverse shell code? (Hint: the XOR key inside the shellcode itself) (10 points)
A: 0xD08A9CAC546A697D
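Q8 through Q10 are one procedure: strip the adversary's 4-byte XOR, recognise the msfvenom x64/xor decoder stub that appears underneath, pull the 8-byte key out of its `mov rbx, imm64`, and XOR the qwords that follow. The Q9 answer is consistent with that stub: `48 31 c9` is `xor rcx, rcx` and `48 81 e9 c0 ff ff ff` is `sub rcx, -0x40`, i.e. the loop counter is set to 64 qwords (512 bytes). The script below is an added example and not the lab's artifact or my original solve script. It assumes the stub layout of msfvenom's x64/xor encoder as I know it (xor rcx / sub rcx / lea rax,[rip-0x11] / mov rbx,key / xor [rax+0x27],rbx / sub rax,-8 / loop) and, since the page does not say in which byte order the `.rdata` key is applied, it assumes the outer key is used as the byte sequence BA D6 E7 EC repeating over the whole blob. The "payload" inside `build_sample()` is a constructed 16-byte stand-in, not the real reverse shell.

```python
import struct

# Keys from the writeup's answers, used here only to build and decode a constructed sample.
OUTER_KEY = bytes.fromhex("BAD6E7EC")     # Q8 key; ASSUMPTION: applied as this 4-byte sequence, repeating
INNER_KEY = 0xD08A9CAC546A697D            # Q10 key; lives in the stub's 'mov rbx, imm64'
STUB_LEN = 0x27                           # the x64/xor stub is 39 bytes; payload follows at [rax+0x27]


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Adversary's outer layer: plain repeating-key XOR over the whole blob."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def parse_x64_xor_stub(blob: bytes):
    """Pull (qword_count, key) out of an msfvenom x64/xor decoder stub, checking each instruction."""
    expected = {0: b"\x48\x31\xc9",                    # xor rcx, rcx
                3: b"\x48\x81\xe9",                    # sub rcx, imm32   (imm32 = -qword_count)
                10: bytes.fromhex("488d05efffffff"),   # lea rax, [rip-0x11] -> rax = stub start
                17: b"\x48\xbb",                       # mov rbx, imm64   (imm64 = key)
                27: b"\x48\x31\x58\x27",               # xor [rax+0x27], rbx
                31: bytes.fromhex("482df8ffffff"),     # sub rax, -8
                37: b"\xe2\xf4"}                       # loop
    for off, opcode in expected.items():
        if blob[off:off + len(opcode)] != opcode:
            raise ValueError(f"stub mismatch at offset {off:#x}")
    qword_count = -struct.unpack_from("<i", blob, 6)[0]
    key = struct.unpack_from("<Q", blob, 19)[0]
    return qword_count, key


def decode_inner(blob: bytes):
    """Undo the stub's own XOR: each 8-byte little-endian qword ^ key, qword_count times."""
    count, key = parse_x64_xor_stub(blob)
    body = blob[STUB_LEN:STUB_LEN + 8 * count]
    out = b"".join(struct.pack("<Q", struct.unpack_from("<Q", body, o)[0] ^ key)
                   for o in range(0, len(body), 8))
    return key, out


def decode_two_layers(outer_blob: bytes, outer_key: bytes):
    """Outer adversary XOR first, then the msfvenom stub's XOR; returns (stage1, inner_key, payload)."""
    stage1 = xor_repeating(outer_blob, outer_key)
    inner_key, payload = decode_inner(stage1)
    return stage1, inner_key, payload


def build_sample() -> bytes:
    """Constructed test input: a 16-byte stand-in payload, wrapped in a stub, then XORed with OUTER_KEY."""
    payload = bytes.fromhex("fc4883e4f0e8c0000000415141505251")  # stand-in, not the lab's reverse shell
    count = (len(payload) + 7) // 8
    body = b"".join(struct.pack("<Q", struct.unpack_from("<Q", payload, o)[0] ^ INNER_KEY)
                    for o in range(0, len(payload), 8))
    stub = (b"\x48\x31\xc9" + b"\x48\x81\xe9" + struct.pack("<i", -count)
            + bytes.fromhex("488d05efffffff") + b"\x48\xbb" + struct.pack("<Q", INNER_KEY)
            + b"\x48\x31\x58\x27" + bytes.fromhex("482df8ffffff") + b"\xe2\xf4")
    assert len(stub) == STUB_LEN
    return xor_repeating(stub + body, OUTER_KEY)


if __name__ == "__main__":
    stage1, key, payload = decode_two_layers(build_sample(), OUTER_KEY)
    print("stage1 first 8 bytes:", stage1[:8].hex())
    print(f"inner key: {key:#018x}")
    print("payload:", payload.hex())
```

On a real sample, feed `decode_two_layers()` the bytes carved from the downloader instead of `build_sample()`; if `parse_x64_xor_stub()` raises, the outer key or its byte order is wrong, which is the quickest way to test the byte-order assumption. Note that the inner XOR works on little-endian qwords, so the key you read in IDA as `mov rbx, 0xD08A9CAC546A697D` is applied to each 8-byte block as a whole, not byte by byte as printed.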
Q11) When executed, the downloaded second-stage beacons out to a Command and Control (C2) server. What is the source port of the outbound communication, the destination IP, the destination port, and the destination domain name for the traffic? (6 points)
A: 55076, 134.213.138.55, 443, snafu.bofh.pt
Q12) The second-stage, after beaconing out, migrates itself to a different process. What’s the process name and its PID? (5 points)
A: explorer.exe, 3804
Q13) The adversary downloaded an additional tool from a website using certutil (LOLBAS) somewhere inside C:\ProgramData\. Knowing that certutil leaves specific artifacts in specific directories, identify the certutil artifact location for the downloaded file (copy of the downloaded file), where the file was downloaded to, and where it was downloaded from. (7 points)
A: C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C503C3665DE598B3B65000563215856C, C:\ProgramData\n0pe.exe, https://dfir.pt/n0pe.btl
Q14) The file mentioned in the previous question is packed with the BTL packer. This packer appears to be a well known packer, however it has been manipulated so that it evades detection. What's the original packer name (i.e. the one that was changed in order to create BTL)? (5 points)
A: UPX
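Renaming the UPX0/UPX1 sections and patching the "UPX!" magic is enough to break `upx -d` and most string-based packer signatures, but it does not change the section layout the UPX loader needs: an empty first section with a large virtual size (the unpack destination), a second section that starts exactly where the first one's virtual range ends and holds the compressed data plus the decompressor stub, both RWX, with the entry point inside the back half of the second section. The script below is an added example, not the lab's file or my original triage script; it parses the section table by hand and reports those indicators regardless of the names. The page does not say what exactly the BTL packer changed, so `build_sample_pe()` constructs a minimal PE with the layout above and assumed names `BTL0`/`BTL1` and an assumed `BTL!` magic purely as test input.

```python
import struct

SECTION_HDR = "<8sIIIIIIHHI"     # IMAGE_SECTION_HEADER (40 bytes)
RWX = 0xE0000000                  # IMAGE_SCN_MEM_EXECUTE | MEM_READ | MEM_WRITE


def parse_pe_headers(pe: bytes):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE image's headers."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]      # AddressOfEntryPoint
    sections = []
    for i in range(num_sections):
        f = struct.unpack_from(SECTION_HDR, pe, opt + opt_size + i * 40)
        sections.append({"name": f[0].rstrip(b"\0").decode("latin-1"),
                         "vsize": f[1], "vaddr": f[2], "rawsize": f[3],
                         "rawptr": f[4], "chars": f[9]})
    return entry_rva, sections


def upx_layout_report(pe: bytes) -> dict:
    """Flag a UPX-style section layout even when UPX0/UPX1 and the 'UPX!' magic were renamed."""
    entry_rva, secs = parse_pe_headers(pe)
    names = [s["name"] for s in secs]
    hits = []
    if len(secs) >= 2:
        s0, s1 = secs[0], secs[1]
        if s0["rawsize"] == 0 and s0["vsize"] > 0:
            hits.append("section 0 has no raw data but a large virtual size (unpack destination)")
        if s1["vaddr"] == s0["vaddr"] + s0["vsize"]:
            hits.append("section 1 starts exactly where section 0's virtual range ends")
        if s0["chars"] & RWX == RWX and s1["chars"] & RWX == RWX:
            hits.append("sections 0 and 1 are both RWX")
        if s1["vaddr"] + s1["rawsize"] // 2 <= entry_rva < s1["vaddr"] + s1["vsize"]:
            hits.append("entry point sits in the back half of section 1 (decompressor stub)")
    stock_names = names[:2] == ["UPX0", "UPX1"]
    has_magic = b"UPX!" in pe
    if len(hits) >= 3:
        verdict = "stock UPX layout" if (stock_names and has_magic) else "UPX-style layout with renamed sections/magic"
    else:
        verdict = "no UPX-style layout"
    return {"names": names, "entry_rva": entry_rva, "upx_magic": has_magic,
            "indicators": hits, "verdict": verdict}


def build_sample_pe(names=(b"BTL0", b"BTL1", b".rsrc"), magic=b"BTL!") -> bytes:
    """Constructed minimal PE with a UPX-like layout; defaults mimic an assumed 'BTL' rename."""
    hdr_size, raw1, raw2 = 0x400, 0x8A00, 0x200
    entry_rva = 0x31000 + raw1 - 0x200                         # near the end of section 1's data
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, len(names), 0, 0, 0, 0xF0, 0x22)
    opt = bytearray(0xF0)
    struct.pack_into("<H", opt, 0, 0x20B)                      # PE32+
    struct.pack_into("<I", opt, 16, entry_rva)
    layout = [(names[0], 0x30000, 0x1000, 0, 0, 0xE0000080),
              (names[1], 0x9000, 0x31000, raw1, hdr_size, 0xE0000040),
              (names[2], 0x1000, 0x3A000, raw2, hdr_size + raw1, 0xC0000040)]
    secs = b"".join(struct.pack(SECTION_HDR, n.ljust(8, b"\0"), vs, va, rs, rp, 0, 0, 0, 0, ch)
                    for n, vs, va, rs, rp, ch in layout)
    headers = dos + b"PE\0\0" + coff + bytes(opt) + secs
    body = magic + b"\0" * (raw1 - len(magic)) + b"\0" * raw2
    return headers + b"\0" * (hdr_size - len(headers)) + body


if __name__ == "__main__":
    for label, sample in (("renamed", build_sample_pe()),
                          ("stock", build_sample_pe((b"UPX0", b"UPX1", b".rsrc"), b"UPX!"))):
        r = upx_layout_report(sample)
        print(label, r["names"], r["verdict"], "| magic:", r["upx_magic"])
        for h in r["indicators"]:
            print("   -", h)
```

Run `upx_layout_report(open(path, "rb").read())` against `n0pe.exe`; a "renamed sections/magic" verdict is the cue to restore the original names and magic in HxD so stock `upx -d` works again, or to let it run under x64dbg to the end of the stub and dump from there, as Q15 asks.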
Q15) Let's unpack this file. What is the Original Entry Point (OEP) for the unpacked payload? (Hint: Remove the leading zeroes from the answer. For instance, if the OEP was FFFFFF, the answer would be 0xFFFFFF instead of 0x00FFFFFF) (10 points)
A: 0x437300
Q16) How many import libraries (DLLs) and how many APIs within those libraries (functions) are used by the final payload once it has been unpacked? (Hint: This would be the same information that would be present on the unpacked file’s IAT) (10 points)
A: 5, 35