Scenario: Allam, a senior infrastructure engineer at EZ-CERT, is known for hosting his annual “Haunted Festival” every Halloween. This year, during the event, a man named Omar approached Allam, asking if he could project something from his USB drive to enhance the party’s spooky atmosphere. A day or two after the festival, Allam discovered that all his files had been encrypted, leaving him unable to access his data. Suspecting Omar’s USB drive might be the cause, Allam has provided several digital artifacts for investigation. Your task is to analyze these artifacts and determine exactly what happened.
Digital Forensics
Tools: Volatility 3, Registry Explorer, ShellBags Explorer, MFTECmd, Timeline Explorer, CyberChef, Notepad++, IDA, Strings
Tags: T1071, T1486, T1059.001, PR010.001
Investigation Submission
Q1) As you start piecing together the events from the festival, you notice that a USB device was connected to Allam’s machine. What is the serial number of this USB device? (Format: XXXXXXXX)
We were given artifacts from the C drive and a memory dump from the compromised machine. Several tools were available for analysis; however, a note on the desktop indicated that not all tools would be necessary, so we could choose the ones we found most convenient or preferred for the task.
To identify the serial number of the USB device, we need to examine a specific registry key, USBSTOR, within the SYSTEM registry hive. Using Registry Explorer simplifies this process, as it has already bookmarked this particular registry location. From there, we can easily retrieve the serial number of the sole USB storage device connected to the system.
Q2) To narrow down the timeline, when Omar’s USB drive was first plugged into Allam’s computer, what exact time does it show? (Format: YYYY-MM-DD HH:MM:SS UTC)
Use the Installed or Last Connected timestamp shown for the same USBSTOR device to answer this question.
Q3) Digging deeper into the details of the connected USB, you’ll need to identify its manufacturer. What is the vendor ID of this device? (Format: XXXX)
I used this website to search for the details.
I also discovered that this value can be located under the USB registry key as well, making it another reliable location to extract it from.
Q4) Knowing which drive letter was assigned to the USB can help trace its activity on the system. Which drive letter did the operating system assign to Omar’s USB? (Format: X:)
We can also examine the values within the “MountedDevices” key, which stores the drive letters assigned to each mounted storage device on Windows. This key provides additional insights into the connected devices and their corresponding drive letters.
Q5) Upon examining the contents of the USB drive, you find several files and directories. Name two folders that were present on Omar’s USB. (Format: Folder1, Folder2)
Now let’s look at ShellBags, which store information about user preferences and interactions with folders within the file system. If the user accessed any folders on the USB device, those interactions would be recorded in ShellBags. This data is located in the UsrClass.dat registry hive for each user, providing valuable insight into folder access history.
From the ShellBag data, we can identify two folders that were present on the USB device, indicating that these folders were accessed or interacted with by the user.
Q6) It seems Allam opened a file from Omar’s USB, mistaking it for a harmless video. What is the name of the file he opened? (Format: File Name)
The next artifact to analyze is the Jump Lists, which are stored on the system in the user's AutomaticDestinations folder. These can provide information about recently accessed files and folders.
To parse the “AutomaticDestinations” folder, you can use the tool JLECmd.exe, which simplifies the extraction and analysis of Jump List data, offering insights into user activity on the system.
The output is written to a spreadsheet-style CSV file, which we can open in Timeline Explorer.
From the parsed Jump Lists, we identified that a PowerShell script, disguised as an MP4 video file, was accessed by the user. This suggests an attempt to execute a potentially malicious script under the guise of a media file.
Q7) To see when Allam interacted with the USB, when did he open the suspicious file, believing it to be just a video? (Format: YYYY-MM-DD HH:MM:SS)
Q8) Analyzing the method used to disguise the malicious file, refer to the MITRE ATT&CK framework. What is the ID for the technique the attacker utilized? (Format: TXXXX.XXX)
A quick Google search gives us this. The technique employed by the malicious file is known as file masquerading. It involves disguising a harmful script or executable as a harmless file type, such as an MP4 video, to deceive users into opening or executing it. This method is often used to bypass user suspicion and exploit trust in familiar file formats.
Q9) After opening the deceptive file, Allam’s machine initiated a download. Trace the network activity to find the full URL of the downloaded file. What is the full URL of the downloaded file? (Format: Full URL)
This part of the investigation required a more detailed approach. I began by parsing the Prefetch files using PECmd to extract information about program execution. The results were then opened in Timeline Explorer, which provides a clear and chronological view of the application’s execution history, allowing us to track when and how specific programs were accessed on the system.
From the analysis, I discovered that certutil was executed shortly after PowerShell and conhost. This sequence suggests that the malware likely leveraged certutil—a legitimate Windows utility—to download files from a Command and Control (C2) server. This tactic is commonly used by attackers to blend malicious activities with legitimate system processes, making detection more challenging.
Certutil stores both content and metadata inside the CryptnetUrlCache folder (Content and MetaData subfolders) under %AppData%\LocalLow\Microsoft\, so let's navigate to this folder.
There, we find 2 files, 43 KB and 71 KB in size, so let's confirm which one appears more suspicious.
I began analyzing a 43 KB file, and upon inspection, I observed that it contained an MZ header. This indicates that the file is a PE32 executable, a format commonly used for Windows executable files. This suggests it may be a potentially malicious file that requires further analysis.
To delve deeper into the metadata of this file, I used tools like strings or processed it through CyberChef to make the information more accessible and readable. By doing this, I identified a URL within the file that resembled a Command and Control (C2) address. This URL turned out to be the correct answer to the question, confirming the file’s connection to the C2 server.
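The check described above (MZ header, then a strings-style sweep for a URL), as an added example that is not part of the original write-up; it builds its own constructed sample cache directory, so the file names and the c2.example.invalid URL are placeholders, not the challenge's real values:

```python
import os
import re
import struct
import tempfile

# Runs of 4+ printable ASCII bytes, the same default threshold the strings tool uses.
STRING_RE = re.compile(rb"[\x20-\x7e]{4,}")
URL_RE = re.compile(rb"(?:https?|ftp)://[^\s\"'<>]+")


def is_pe(data: bytes) -> bool:
    """True if data has an MZ stub whose e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def extract_urls(data: bytes) -> list:
    """Unique URL-like printable strings, in file order."""
    found = []
    for s in STRING_RE.findall(data):
        for url in URL_RE.findall(s):
            u = url.decode("ascii")
            if u not in found:
                found.append(u)
    return found


def triage_cache_dir(path: str) -> dict:
    """Map each file in a CryptnetUrlCache Content directory to (size, is_pe, urls)."""
    report = {}
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if os.path.isfile(full):
            with open(full, "rb") as f:
                data = f.read()
            report[name] = (len(data), is_pe(data), extract_urls(data))
    return report


def build_sample_dir() -> str:
    """Constructed sample data (not challenge artifacts): one PE-like blob, one text blob."""
    d = tempfile.mkdtemp()
    pe = bytearray(b"MZ" + b"\0" * 0x3E)                 # 0x40-byte DOS header
    struct.pack_into("<I", pe, 0x3C, 0x80)                 # e_lfanew -> 0x80
    pe += b"\0" * (0x80 - len(pe)) + b"PE\0\0"             # NT signature
    pe += b"\0" * 16 + b"http://c2.example.invalid/stage.bin\0"   # placeholder C2 URL
    with open(os.path.join(d, "A1B2C3D4E5F6"), "wb") as f:
        f.write(pe)
    with open(os.path.join(d, "F6E5D4C3B2A1"), "wb") as f:
        f.write(b"Cached CRL text, not a PE. https://crl.example.invalid/x.crl")
    return d
```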
Q10) Now that you have the URL, where did this file end up on the system? Provide the full path. (Format: Full Path)
The next artifact I analyzed was the $MFT (Master File Table), a core component of the NTFS file system. This artifact provides a detailed record of all files and directories on a volume, including timestamps and file system metadata. By examining the $MFT, I could trace the creation, modification, and access history of files, offering valuable insights into the activities that occurred on the system.
From the $MFT we can see that this file was renamed and placed inside the XPS Card Printer folder, probably for DLL hijacking.
Q11) To ensure the integrity of your findings, calculate the SHA1 hash of the downloaded file on Allam’s system. What is the hash value? (Note: if you got the hash from anywhere else than the triage image, it won’t work.) (Format: SHA1 Hash)
Upon searching this file on VirusTotal, it was identified as a Cobalt Strike payload, commonly associated with advanced malicious campaigns. This strongly suggests that the attack may have involved DLL hijacking, a technique where malicious DLLs are placed in locations where legitimate applications load them, enabling the attacker to execute their payload covertly.
Q12) The attacker here exploited a vulnerable service on the machine to escalate his privilege on the machine. What is the CVE that he used? (Format: CVE-XXXX-XXXXX)
After researching the CVE associated with this service, I found that it is relatively new but confirmed to exploit a DLL vulnerability. This vulnerability enables local privilege escalation to SYSTEM, granting attackers the highest level of privileges on the affected system. Such an exploit underscores the importance of keeping systems updated and monitoring for abnormal DLL behaviors.
Q13) Reviewing the privilege escalation technique used by the attacker, what is the MITRE ATT&CK technique ID that describes this method? (Format: TXXXX.XXX)
This technique is known as “DLL Search Order Hijacking” in MITRE ATT&CK.
Q14) To analyze the memory dump effectively, identify the profile image that matches the system’s configuration. What profile image does the memory dump correspond to? (Format: WinXXxXX_MinorVersion)
To analyze the memory dump efficiently, we can use the windows.info plugin in Volatility 3. This plugin provides essential details, such as the architecture (e.g., x86 or x64) and the major and minor version of Windows. By identifying these specifics, we can streamline the profiling process and select the appropriate plugins and methods for further analysis.
Q15) During your investigation, you find that the malicious file was injected into a legitimate process. What is the Process ID (PID) of this process? (Format: XXXX)
The netscan plugin in Volatility 3 was instrumental in this part of the analysis. It revealed a suspicious network connection to a C2 server on port 1234. Further investigation showed that the process responsible for this activity was associated with PID 2620, providing a clear lead on the malicious activity within the memory dump.
Q16) Trace the timeline further to pinpoint when the malicious file was loaded into the legitimate process. (Format: YYYY-MM-DD HH:MM:SS)
Given that we already identified the DLL that was loaded and the process (PID 2620) that connected to the C2, we can use the dllist plugin in Volatility 3. By specifying PID 2620, this plugin allows us to list all DLLs loaded by the process, including their respective load times. This information helps confirm when the malicious DLL was loaded and its association with the C2 activity.
Q17) What is the memory address representing the starting point of the malicious file loaded into the legitimate process? (Format: 0xXXXXXXXXXXXX)
We have to use the vadinfo plugin for this one, which shows both the starting and ending address of the region where this malicious file is mapped.
Q18) What was the first command the attacker executed after gaining SYSTEM access on Allam’s machine? (Format: Command Name)
I used the parsed Prefetch output to find the first executable that ran after the malicious DLL was loaded, which is systeminfo.exe.
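The Prefetch pivot used for Q18 (and the PECmd timeline view from Q9), as an added example that is not part of the original write-up; the rows are constructed PECmd-style records, not the challenge's data, and the pivot time stands in for the DLL load time taken from dllist (both PECmd and Volatility report UTC). It expands every stored run time, since Windows 8+ Prefetch files keep up to eight, so an earlier run of the same binary does not hide a later one:

```python
from datetime import datetime, timezone

# Constructed PECmd-style rows (not challenge data): executable name and all recorded run times.
SAMPLE_PREFETCH = [
    {"exe": "POWERSHELL.EXE", "runs": ["2024-10-31 20:01:10"]},
    {"exe": "CONHOST.EXE", "runs": ["2024-10-31 20:01:11", "2024-10-30 09:15:00"]},
    {"exe": "CERTUTIL.EXE", "runs": ["2024-10-31 20:01:25"]},
    {"exe": "SYSTEMINFO.EXE", "runs": ["2024-10-31 20:03:02"]},
    {"exe": "NOTEPAD.EXE", "runs": ["2024-10-31 20:05:40", "2024-10-31 19:30:00"]},
]
FMT = "%Y-%m-%d %H:%M:%S"


def parse_ts(s: str) -> datetime:
    """Parse a 'YYYY-MM-DD HH:MM:SS' string as a UTC timestamp."""
    return datetime.strptime(s, FMT).replace(tzinfo=timezone.utc)


def flatten_runs(rows) -> list:
    """One (time, exe) event per recorded run time, oldest first."""
    events = []
    for row in rows:
        for ts in row["runs"]:
            events.append((parse_ts(ts), row["exe"]))
    return sorted(events)


def executions_after(rows, pivot: str, exclude=()) -> list:
    """Executions strictly after the pivot (e.g. the DLL load time), skipping excluded names."""
    p = parse_ts(pivot)
    return [(t.strftime(FMT), exe) for t, exe in flatten_runs(rows)
            if t > p and exe not in exclude]


def first_command_after(rows, pivot: str, exclude=()):
    """Name of the first executable run after the pivot, or None."""
    after = executions_after(rows, pivot, exclude)
    return after[0][1] if after else None
```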