Carbon Black query that can be use to detect if any MSHTML RCE happened (probably need to be refined more):
((process_cmdline:control.exe AND ((process_cmdline:*.inf AND process_cmdline:AppData) OR (process_cmdline:*.cpl AND process_cmdline:../)) AND -process_cmdline:*\icedrive\*) OR ((hash:6EEDF45CB91F6762DE4E35E36BCB03E5AD60CE9AC5A08CAEB7EDA035CD74762B OR hash:938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52) OR (parent_hash:6EEDF45CB91F6762DE4E35E36BCB03E5AD60CE9AC5A08CAEB7EDA035CD74762B OR parent_hash:938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52) OR (filemod_hash:6EEDF45CB91F6762DE4E35E36BCB03E5AD60CE9AC5A08CAEB7EDA035CD74762B OR filemod_hash:938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52)))
Search if any assets making connections towards IOCs (known IOCs as of 9 Sept):
netconn_domain:joxinu.com OR netconn_domain:pawevi.com OR netconn_domain:macuwuf.com
According to the article, it was known as “Compilation of Many Breaches” (COMB). This data was leaked on a popular hacking forum. It contains billions of user credentials from past leaks from Netflix, LinkedIn, Exploit.in, Bitcoin and more. This leak contains email and password pairs.
Inside the data dump, it was structured something like this:
So I’m wondered… What if we extract either email or password only from all those files? We can maybe create a password list from that. Or we can analyze the password trend. See what’s the top password being used & stuff.
So… We’re not going thru all hundreds of files which total up 100GB+ to extract the password manually… That’s crazy ma man!
To make it easier, I’ve created a Python script to extract the password from all dump file recursively. The code as below:
#!/usr/bin/env python
import os
from timeit import default_timer as timer
from datetime import timedelta
inputfile = "/Desktop/test/data" #change this to your dump files locations
outputfile = open("extracted_password.txt", "w")
print("\nStart extracting...")
start = timer()
for path, dirs, files in os.walk(inputfile):
for filename in files:
fullpath = os.path.join(path, filename)
with open(fullpath, "r") as f:
#print(f.read())
for line in f:
email, password, *rest = line.split(":")
outputfile.write("%s" % password)
#print(password, end='')
outputfile.close()
print("Finish!\n")
end = timer()
print("Time Taken: ", end='')
print(timedelta(seconds=end-start))
Save the code above & run the script:
$ python password_extractor.py
It may takes some times depending on your hardware resources and dump file size. You should see output something like this after the script completed execution:
When completed, you should see a new file named “extracted_password.txt” being created. Inside it contains all the password from all dump file; consolidated into 1 single big ass file.
Now we can start analyzing the password pattern. We can use this command below to see what’s the top 10 password:
$ time sort extracted_password.txt | uniq -c | sort -bgr | head -10
F:\Tools> .\vmss2core-sb-8456865.exe -W 'F:\INC\<REDACTED>\<REDACTED>.vmss'
vmss2core version 8456865 Copyright (C) 1998-2017 VMware, Inc. All rights reserved.
region[0]: start=0 end=c0000000.
region[1]: start=100000000 end=240000000.
Cannot translate linear address 0.
... 10 MBs written.
... 20 MBs written.
<snip>
... 8180 MBs written.
... 8190 MBs written.
Finished writing core.
After it finished, it will create a file named memory.vmem.
There you have it. So you can start doing your memory analysis using volatility if you want.
For example, here we’ll be using volatility in order to find out the profile for which .vmem is created.
$ python vol.py -f memory.dmp imageinfo
Volatility Foundation Volatility Framework 2.6.1
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418
AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
AS Layer2 : VirtualBoxCoreDumpElf64 (Unnamed AS)
AS Layer3 : FileAddressSpace (/home/memory.dmp)
PAE type : No PAE
DTB : 0x187000L
KDBG : 0xf800028530a0L
Number of Processors : 1
Image Type (Service Pack) : 1
KPCR for CPU 0 : 0xfffff80002854d00L
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2019-12-23 17:42:50 UTC+0000
Image local date and time : 2019-12-23 11:42:50 -0600
This server is trying to get us to run some calculations but it's just too fast for us. Can you work out a way to solve this?
Domain: cgames-nm02.allyourbases.co Port: 9010
Let’s try connect to the domain & port given via netcat
Hmm. There’s mathematic question that we need to solve. But we’re too slow on solving it..
What if we create a bot to solve those question?
import pwn
import re
host, port = 'cgames-nm02.allyourbases.co', 9010
session = pwn.remote(host, port)
while True:
try:
what = session.recv(1024)
questionrm = (what.replace('=','')) #remove =
print "Q: " + questionrm
math = eval(questionrm)
math_str = str(math)
print "AS: " + math_str
print session.sendline(math_str)
print session.recvline()
except EOFError:
print('Done!')
break
session.close()
We have captured a file being transferred over the network, can you take a look and see if you can find anything useful?
https://cgames-files.allyourbases.co/nm01.zip
Hint: External tools like CyberChef can help decode the data.
Download & extract the file. You’ll see named “nm01.pcapng“
Open the pcap file using Wireshark. Usually, I sort frame with large “Length” number and view the content.
On Frame 4 – right click – click “Follow” – click “TCP stream”
Todays file password is: SecurePa55word8!
hmm.. this “SecurePa55word8!” seems interesting. I tried to submit it as flag, but it says wrong..
So, I viewed another large frame, on Frame 26. I saw there’s string “7z“. I thought, it could be a 7z file. I took the hex number; “37 7a” & search on Google. Based on this site – https://www.filesignatures.net/index.php?page=search&search=377ABCAF271C&mode=SIG, it is confirm that this is indeed a 7z file.
notice the range that I highlighted.
So, on the same frame 26, right click and follow TCP stream. It will show you the stream/content of it. At bottom of the stream, on options “Show and save data as“, change it to “Raw”.
Click “Save as…” and save it as name you like – in this example, I’ll name it as “7out“.
When I open the file, there’s folder named “FLAG” and inside it contain file named “Flag.txt”. It’s password protected when we tried to view it.
got password?
So, maybe we can use the string/password that we discover earlier:
It works! The flag is “capturing_clouds_and_keys” .
Recently, we have an incident where suspicious traffic was observed related to external C2. Initial finding found that this IP 172.241.27.17 (172.241.24.0/21) resolved to atakai[-]technologies[.]host; according to pDNS in Virustotal [1].
The result, we have 2048 addresses; IP address range between 172.241.24.0-172.241.31.255.
Next, we using online tool named Reverse IP & DNS API from WhoisXML API. Function of this tools is to reveals all domains that share an IP address. Example as below:
To use this tools, we need to buy credit to leverage its API. As for free account, you only have 100 credit to be use on Domain Research Suite tools. But on this case, we need around 2050 credit. Based on their website, 1000 DRS credits = $19.00. So.. yeah..
After you have enough credit, you can use the script as below:
#!/bin/bash
url="https://reverse-ip.whoisxmlapi.com/api/v1?apiKey=whoisxml_apikey&ip="
for i in $(cat ip.txt); do
content="$(curl -s "$url$i")"
echo "$content" >> output.txt
done
Remember to put your API key into the script. It will basically produce result into “output.txt“.
After that, import you result into Excel. Then, we sort and select possible domains from the output based on domain naming convention; e.g. atakai, amatai, amamai:
Now we have possible suspected IPs & domains. To further digging, we’ll leverage Shodan.io to see what are the open port available for those IPs.
Now we know 7/11 (no pun intended) IPs been observed by Shodan having port 50050 opened. This indicate that this set of IPs possibly used part of Cobalt Strike infra.
Next step is we can search for date registration for each domain from Whois data. But I’m too lazy to continue this. Also I’ve encountered where several Whois provider giving different info regarding of domain registration date. So yeah, maybe I’ll update next time when I’m free 😉
For this question, I use Volatility to solve it. You can try to use Volatility Workbench. For me, it seems like not working properly (or I’m just too noob to use it).
First, download the file reminiscent.zip from the site. Extract it. You should see file named:
flounder-pc-memdump.elf
imageinfo.txt
Resume.eml
If you open the email file “Resume.eml“, you’ll find it contain a link “resume.zip“.
Based on clue/hint given:
Our recruiter mentioned he received an email from someone regarding their resume.
So maybe the recruiter opened the attachment from the email and something malicious happened.
To start analyzing this incident, we can use Volatility & dig further using the memdump “flounder-pc-memdump.elf“.
Usually, when I start doing memory forensic, I will try to determine which profile suitable to be used. To start with, run this command:
If thing goes correctly, you should see something like this:
So we’ll be using profile “Win7SP1x64_23418” for our investigation.
Next, we’ll try to see what were the running processes using “pstree“. This plugin used to display the processes and their parent processes. Run command as below:
From this process list, we can see couple of suspicious process; e.g. Thunderbird (free email application) spawning powershell? hmm..
Also remember our recruiter mentioned that he received email from someone? So maybe the recruiter is using Thunderbird to open that email; which he accidentally opened the attachment.
So we lets see if the recruiter host machine contains file named “resume“:
Now we know that on recruiter machine contains file name “resume.pdf.lnk“. LNK files are usually seen by users as shortcuts, and used in places like the Desktop and Start Menu.
Lets dump those 2 .lnk file for us to further investigate:
After we decoded it, it appear to be some sort of Powershell instruction for the host machine with various hard-coded parameter e.g. hard-coded User-Agent, IP address, path & HTB flag 😉
The file seems to be clean per VT. Interestingly, on details sections, found 2 URLs under OpenXML Doc Info; section Package Relationships:
To search for these URLs, first you’ll need to rename the Word doc file to compressed zip file. E.g. sample.doc to sample.zip.
Then, extract the zip file. The URLs can be found inside file document.xml.rels (~/sample_folder/word/_rels/):
Its may look simple if you know which & where the file to be look at.
I’m thinking; what if we can search for all the URL/hyperlink in the XML files content of the Word document, without actually having to open it one-by-one.
To do that, we’ll using zipdump, re-search (together with reextra) Python script tools by Didier Stevens:
Recently I’ve encounter list of IPs that are related to CoinHive. So I want to check for domains that tied to these IPs. We can do that by using dig command to perform reverse DNS (rDNS).
Reverse DNS (rDNS) is a method of resolving an IP address into domain name, just as the domain name system (DNS) resolves domain names into associated IP addresses.
Its basically dump list of installed Cygwin packages in your workstation & save it to text file named “cygwin_packages.txt” with comma-separated.
Next, go to your Cygwin home folder (commonly locate at “C:\cygwin64\home\”), open the “cygwin_packages.txt” file that we save before & copy all the content inside the text file (CTRL-C).
Next, at your new workstation, ensure you have downloaded the latest Cygwin installer “setup-x86.exe” (32-bit) or “setup-x86_64.exe” (64-bit).
Then, open your Windows cmd & change you directory to where you save the Cygwin installer; for my case here, I save it in my Downloads folder “C:\Users\Zam\Downloads”.
Then, run this command below on your Windows cmd; replacing/inserting the content of cygwin_packages.txt inside the double-quote as below:
setup-x86.exe -q -P "<paste the cygwin_packages.txt content here>"
You should see the Cygwin GUI opened & UAC requesting permission pop-up:
Click “Yes”, go through “Next” button & wait until the installation finished.