RogueOne

Your SIEM system generated multiple alerts in less than a minute, indicating potential C2 communication from Simon Stark's workstation.
Despite Simon not noticing anything unusual, the IT team had him share screenshots of his task manager to check for any unusual processes.
No suspicious processes were found, yet alerts about C2 communications persisted. The SOC manager then directed the immediate containment of the workstation and a memory dump for analysis.
As a memory forensics expert, you are tasked with assisting the SOC team at Forela to investigate and resolve this urgent incident.

Identifying the Malicious Process

Initial Analysis Using Imageinfo

The first step is to identify the profile with the imageinfo plugin, so that Volatility 2 knows which kernel structures to use for the rest of the investigation:

remnux@remnux:~/malware$ vol.py -f 20230810.mem imageinfo > imageinfo.txt
Volatility Foundation Volatility Framework 2.6.1

INFO    : volatility.debug    : Determining profile based on KDBG search...
remnux@remnux:~/malware$ cat imageinfo.txt 
          Suggested Profile(s) : Win10x64_19041
                     AS Layer1 : SkipDuplicatesAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/home/remnux/malware/20230810.mem)
                      PAE type : No PAE
                           DTB : 0x1ad000L
                          KDBG : 0xf80179000b20L
          Number of Processors : 8
     Image Type (Service Pack) : 0
                KPCR for CPU 0 : 0xfffff80175b3a000L
                KPCR for CPU 1 : 0xffffc78138867000L
                KPCR for CPU 2 : 0xffffc7813892a000L
                KPCR for CPU 3 : 0xffffc781389ad000L
                KPCR for CPU 4 : 0xffffc78138aa3000L
                KPCR for CPU 5 : 0xffffc78138b26000L
                KPCR for CPU 6 : 0xffffc78138be9000L
                KPCR for CPU 7 : 0xffffc78138cec000L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2023-08-10 11:32:00 UTC+0000
     Image local date and time : 2023-08-10 16:32:00 +0500

The output suggests the following profile:

Suggested Profile(s) : Win10x64_19041

With this profile, we can proceed to analyze the memory dump using Volatility 2.

Process Listing

List the running processes and check whether any of them looks malicious:

vol.py -f 20230810.mem --profile=Win10x64_19041 pslist

At first glance all of the processes look legitimate, since every name belongs to a normal Windows process. A name alone proves nothing, though: malware routinely borrows names such as svchost.exe, so we pivot to network activity instead.

Network Connection Analysis

Investigating the TCP connections with the netscan plugin may reveal suspicious activities:

vol.py -f 20230810.mem --profile=Win10x64_19041 netscan

An unusual connection on port 8888 stands out, most likely a reverse TCP connection back to an attacker listening on that port. netscan, however, does not give us the process ID (PID) of the process that owns this connection, so we cannot attribute it yet.

For more precise information about network activities, we use the netstat plugin from Volatility 3:

vol3 -f 20230810.mem windows.netstat.NetStat

Further analysis of the network connections revealed a suspicious activity associated with a process:

  • Process Name: svchost.exe

  • Process ID (PID): 6812

  • Connection: The connection was established on TCP port 8888, which is not commonly used by standard Windows services.

Given that svchost.exe is a legitimate Windows process that hosts services, the presence of a svchost.exe process is not suspicious on its own. However, the unusual network activity associated with PID 6812 raises concerns that this instance of svchost.exe may have been compromised or is masquerading as a legitimate process to hide the Command and Control (C2) communication.

We will need to investigate process 6812 further to determine if it's indeed the source of the malicious traffic and take appropriate action to mitigate the threat.
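To show the pivot this section relies on, from a connection to the PID that owns it, here is an added Python example (my own code, not part of the original walkthrough or of Volatility). It filters Volatility 3 windows.netstat.NetStat output down to established connections that leave the local network and lists the owning PID, process name and creation time, putting connections on ports other than 80/443 first. The input is a constructed sample in the plugin's tab-separated layout: the 13.127.155.166:8888 row follows the case, while the other rows, the offsets, PID 1044 and the 198.51.100.20 address (a documentation-range address standing in for a benign external service) are made up.

```python
import csv
import io
import ipaddress

# Constructed sample in the tab-separated layout of Volatility 3 windows.netstat.NetStat.
# The 13.127.155.166:8888 row follows the post; every other row is made up, and
# 198.51.100.20 (a documentation-range address) stands in for a benign external service.
NETSTAT_OUTPUT = "\n".join([
    "Volatility 3 Framework 2.5.0",
    "Offset\tProto\tLocalAddr\tLocalPort\tForeignAddr\tForeignPort\tState\tPID\tOwner\tCreated",
    "0x9e8b8d1d3a20\tTCPv4\t192.168.1.130\t49711\t13.127.155.166\t8888\tESTABLISHED\t6812\tsvchost.exe\t2023-08-10 11:30:03.000000 ",
    "0x9e8b8a4f0ae0\tTCPv4\t192.168.1.130\t49672\t198.51.100.20\t443\tESTABLISHED\t1044\tsvchost.exe\t2023-08-10 11:14:10.000000 ",
    "0x9e8b8a5c2010\tTCPv4\t127.0.0.1\t49669\t127.0.0.1\t49670\tESTABLISHED\t9712\tvmtoolsd.exe\t2023-08-10 11:14:26.000000 ",
    "0x9e8b8a7e1b40\tTCPv4\t0.0.0.0\t135\t0.0.0.0\t0\tLISTENING\t1044\tsvchost.exe\t2023-08-10 11:13:48.000000 ",
    "0x9e8b8a8f2c00\tTCPv6\t::\t445\t::\t0\tLISTENING\t4\tSystem\t2023-08-10 11:13:40.000000 ",
])

# Address ranges that are not C2 candidates on a workstation: RFC 1918, loopback,
# link-local and the unspecified address (listening sockets show 0.0.0.0 or ::).
NOT_EXTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/8", "::/128", "::1/128", "fe80::/10")]


def is_external(addr):
    """True for a routable address outside the local ranges; False for '*' or blanks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return not any(ip in net for net in NOT_EXTERNAL)


def parse_netstat(text):
    """Parse the tab-separated plugin output into dicts keyed by column name."""
    rows = [line for line in text.splitlines() if "\t" in line]  # drops banner/progress lines
    return list(csv.DictReader(io.StringIO("\n".join(rows)), delimiter="\t"))


EXPECTED_PORTS = {80, 443}  # assumption: the only outbound ports this workstation should use


def external_connections(rows):
    """Established connections leaving the local network, odd ports first."""
    hits = []
    for r in rows:
        if r["State"] != "ESTABLISHED" or not is_external(r["ForeignAddr"]):
            continue
        port = int(r["ForeignPort"])
        hits.append({
            "pid": int(r["PID"]),
            "owner": r["Owner"],
            "remote": f"{r['ForeignAddr']}:{port}",
            "odd_port": port not in EXPECTED_PORTS,
            "created": r["Created"].strip(),
        })
    hits.sort(key=lambda h: (not h["odd_port"], h["remote"]))
    return hits


if __name__ == "__main__":
    for h in external_connections(parse_netstat(NETSTAT_OUTPUT)):
        flag = "SUSPICIOUS" if h["odd_port"] else "review"
        print(f"{flag:10} {h['remote']:22} PID {h['pid']} {h['owner']} created {h['created']}")
```

Run against real output, pipe `vol3 -f 20230810.mem windows.netstat.NetStat` into a file and feed its contents to parse_netstat. The port allowlist is deliberately small; on a real host you would widen it from a baseline of the machine's normal traffic rather than trust the two defaults.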

Identifying the Child Process Spawned by the Malicious svchost.exe

To investigate the child processes spawned by the potentially compromised svchost.exe process, we will use the pstree plugin, which visualizes parent-child relationships between processes:

vol.py -f 20230810.mem --profile=Win10x64_19041 pstree | grep 6812
Volatility Foundation Volatility Framework 2.6.1

*** 6812	7436	svchost.exe	0x9e8b87762080	3	-	1	False	2023-08-10 11:30:03.000000 	N/A
**** 4364	6812	cmd.exe	0x9e8b8b6ef080	1	-	1	False	2023-08-10 11:30:57.000000 	N/A

The child process analysis using pstree indicates that the svchost.exe process with PID 6812 spawned a cmd.exe process with PID 4364.

Hunting for malicious file sample

Further Investigation of the Malicious "svchost.exe" Process

We know the malicious process is svchost.exe (PID 6812), so let's find the process that spawned it by running pstree again and grepping for its parent PID, 7436 (the PPID is the column next to the PID):

vol.py -f 20230810.mem --profile=Win10x64_19041 pstree | grep 7436
Volatility Foundation Volatility Framework 2.6.1

** 7436	7400	explorer.exe	0x9e8b8c4d2080	75	-	1	False	2023-08-10 11:14:07.000000 	N/A
*** 5864	7436	WinRAR.exe	0x9e8b92bdb0c0	5	-	1	False	2023-08-10 11:20:21.000000 	N/A
*** 936	7436	svchost.exe	0x9e8b8cd89080	0	-	1	False	2023-08-10 11:22:31.000000 	2023-08-10 11:27:51.000000 
*** 9580	7436	SecurityHealth	0x9e8b90135340	1	-	1	False	2023-08-10 11:14:25.000000 	N/A
*** 9712	7436	vmtoolsd.exe	0x9e8b8cbd5080	9	-	1	False	2023-08-10 11:14:26.000000 	N/A
*** 2776	7436	RamCapture64.e	0x9e8b8aa66080	5	-	1	False	2023-08-10 11:31:52.000000 	N/A
*** 6812	7436	svchost.exe	0x9e8b87762080	3	-	1	False	2023-08-10 11:30:03.000000 	N/A

The fact that svchost.exe was started by explorer.exe is particularly alarming. explorer.exe is the Windows shell, responsible for the desktop and file management, and it does not spawn svchost.exe: legitimate svchost.exe instances are children of services.exe. An svchost.exe parented by explorer.exe usually means the user launched it themselves, for example by double-clicking a file, which points to a fake or compromised svchost.exe. Note that the same output shows a second svchost.exe (PID 936) under explorer.exe that exited at 11:27:51; it deserves the same scrutiny.

Process Command Lines

Let's check how each svchost.exe was launched. The cmdline plugin prints the full command line, including the image path, that each process was started with (it is not the console history, which is what the cmdscan and consoles plugins recover):

vol.py -f 20230810.mem --profile=Win10x64_19041 cmdline | grep svchost.exe

All of the svchost.exe processes were started from C:\Windows\System32 except the last one, PID 6812, which was executed from Simon's Downloads directory.
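The two checks made by eye above, the parent of each svchost.exe and the path it was launched from, can be scripted so they run over every process at once. The following Python is an added example (not from the original page or from Volatility) that parses Volatility 2 pslist and cmdline text, flags any svchost.exe whose parent is not services.exe or whose image is not \Windows\System32\svchost.exe, and lists the children each flagged process spawned. The sample output is constructed: PIDs 6812, 7436 and 4364 with their offsets and start times follow the case, while the services.exe PID 700, the legitimate svchost.exe PID 1044 and the exact Downloads path (including the simon.stark username) are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample in Volatility 2 `pslist` layout. PIDs 6812/7436/4364 follow the
# post; services.exe (700) and the legitimate svchost.exe (1044) are made up.
PSLIST_OUTPUT = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xffff9e8b84c47080 services.exe            700    604      6        0      0      0 2023-08-10 11:13:46 UTC+0000
0xffff9e8b84d9a080 svchost.exe            1044    700     14        0      0      0 2023-08-10 11:13:48 UTC+0000
0xffff9e8b8c4d2080 explorer.exe           7436   7400     75        0      1      0 2023-08-10 11:14:07 UTC+0000
0xffff9e8b87762080 svchost.exe            6812   7436      3        0      1      0 2023-08-10 11:30:03 UTC+0000
0xffff9e8b8b6ef080 cmd.exe                4364   6812      1        0      1      0 2023-08-10 11:30:57 UTC+0000
"""

# Constructed sample in Volatility 2 `cmdline` layout; the Downloads path is an assumption.
CMDLINE_OUTPUT = r"""
************************************************************************
svchost.exe pid:   1044
Command line : C:\Windows\system32\svchost.exe -k DcomLaunch -p
************************************************************************
explorer.exe pid:   7436
Command line : C:\Windows\Explorer.EXE
************************************************************************
svchost.exe pid:   6812
Command line : C:\Users\simon.stark\Downloads\svchost.exe
************************************************************************
cmd.exe pid:   4364
Command line : "C:\Windows\system32\cmd.exe"
"""


@dataclass
class Proc:
    offset: int  # virtual address of the _EPROCESS, as printed by pslist
    name: str
    pid: int
    ppid: int
    cmdline: str = ""


def parse_pslist(text):
    """Return {pid: Proc} from pslist output; header and separator lines are skipped."""
    procs = {}
    for line in text.splitlines():
        if not line.startswith("0x"):
            continue
        f = line.split()
        procs[int(f[2])] = Proc(int(f[0], 16), f[1], int(f[2]), int(f[3]))
    return procs


PID_LINE = re.compile(r"^(\S+) pid:\s+(\d+)\s*$")
CMD_LINE = re.compile(r"^Command line : (.*)$")


def attach_cmdlines(procs, text):
    """Fill Proc.cmdline from cmdline output: a 'name pid:' line followed by 'Command line :'."""
    current = None
    for line in text.splitlines():
        m = PID_LINE.match(line)
        if m:
            current = int(m.group(2))
            continue
        m = CMD_LINE.match(line)
        if m and current in procs:
            procs[current].cmdline = m.group(1).strip()
            current = None
    return procs


def image_path(cmdline):
    """Extract the executable path from a command line, honouring a quoted path."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split()[0] if cmdline else ""


GENUINE_SVCHOST = re.compile(r"^[a-z]:\\windows\\system32\\svchost\.exe$", re.IGNORECASE)


def suspicious_svchosts(procs):
    """Flag svchost.exe instances with a parent other than services.exe or an image
    outside System32, together with the children each one spawned."""
    findings = []
    for p in procs.values():
        if p.name.lower() != "svchost.exe":
            continue
        reasons = []
        parent = procs.get(p.ppid)
        parent_name = parent.name if parent else "<unknown>"
        if parent_name.lower() != "services.exe":
            reasons.append(f"parent is {parent_name} (PID {p.ppid}), expected services.exe")
        path = image_path(p.cmdline)
        if not GENUINE_SVCHOST.match(path):
            reasons.append(f"image path {path or '<none>'!r} is outside \\Windows\\System32")
        if reasons:
            findings.append({
                "pid": p.pid,
                # pslist prints the sign-extended kernel address; pstree omits the 0xffff prefix
                "offset": f"0x{p.offset & 0xFFFFFFFFFFFF:x}",
                "reasons": reasons,
                "children": sorted(c.pid for c in procs.values() if c.ppid == p.pid),
            })
    return findings


if __name__ == "__main__":
    procs = attach_cmdlines(parse_pslist(PSLIST_OUTPUT), CMDLINE_OUTPUT)
    for f in suspicious_svchosts(procs):
        print(f"PID {f['pid']} @ {f['offset']} children={f['children']}")
        for r in f["reasons"]:
            print("  -", r)
```

Against a real dump, save `pslist` and `cmdline` output to files and pass their contents in place of the constructed strings. Both checks are needed: a dropper that copies itself into System32 would pass the path check but still fail the parent check, and a process hollowing a real System32 svchost.exe would pass the parent check but is caught by other means (memory sections, not shown here).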

So let's dump the svchost.exe binary located in the Downloads directory. To do that, we dump every file mapped by the malicious process, PID 6812. I am using Volatility 3 for this:

vol3 -f ../20230810.mem windows.dumpfiles.DumpFiles --pid 6812

...
...
...
file.0x9e8b8a4e4270.0x9e8b8a656d00.ImageSectionObject.mpr.dll.img
file.0x9e8b8ae25140.0x9e8b8a7e5a20.ImageSectionObject.cscapi.dll.img
file.0x9e8b8b0708b0.0x9e8b8a2a3d20.ImageSectionObject.wininet.dll.img
file.0x9e8b91ec0140.0x9e8b90819750.DataSectionObject.svchost.exe.dat
file.0x9e8b91ec0140.0x9e8b957f24c0.ImageSectionObject.svchost.exe.img

We get a lot of files (every DLL mapped into the process), but the last one is the one we want: file.0x9e8b91ec0140.0x9e8b957f24c0.ImageSectionObject.svchost.exe.img, the executable image of the process itself. The .dat file beside it is the same file's data section; the .img is the PE reconstructed from the image section.

Let's calculate its MD5 hash with md5sum so we can look the sample up on VirusTotal:

md5sum file.0x9e8b91ec0140.0x9e8b957f24c0.ImageSectionObject.svchost.exe.img
5bd547c6f5bfc4858fe62c8867acfbb5  file.0x9e8b91ec0140.0x9e8b957f24c0.ImageSectionObject.svchost.exe.img

Identify C2 IP address and ports

By using the windows.netstat.NetStat plugin in Volatility 3, we can view all active connections and their corresponding IP addresses and ports. This allows us to identify any suspicious connections that the malware could be using to communicate with an external C2 server.

vol3 -f 20230810.mem windows.netstat.NetStat

The results show an active connection to the external IP address 13.127.155.166 on port 8888, owned by PID 6812.

We can also confirm the C2 IP and port by searching VirusTotal for the sample using the MD5 hash obtained in the previous step and reading the Behavior section of the report.

Timeline Analysis of Malicious Process Activity

This information can also be obtained from the windows.netstat.NetStat plugin in Volatility 3, whose Created column records when each connection was established:

vol3 -f 20230810.mem windows.netstat.NetStat

The results show that the connection to 13.127.155.166 on port 8888 was created at 2023-08-10 11:30:03, which matches the start time of svchost.exe (PID 6812) in pslist.

Memory Offset of the Malicious Process

Any process listing plugin prints the offset of each process's _EPROCESS structure:

remnux@remnux:~/malware$ vol.py --profile=Win10x64_19041 -f 20230810.mem pslist | grep 6812
Volatility Foundation Volatility Framework 2.6.1

0xffff9e8b87762080 svchost.exe            6812   7436      3        0      1      0 2023-08-10 11:30:03 UTC+0000                                 
0xffff9e8b8b6ef080 cmd.exe                4364   6812      1        0      1      0 2023-08-10 11:30:57 UTC+0000 

pslist prints the full 64-bit virtual address, 0xffff9e8b87762080. The leading 0xffff is the canonical sign extension that every kernel-mode address carries, which pstree omitted when it printed the same object as 0x9e8b87762080. The offset of the malicious svchost.exe (PID 6812) is therefore 0x9e8b87762080.

First Submission to VirusTotal

First, search VirusTotal for the sample using its MD5 hash, then open the Details tab.

Scrolling down, you will find the first submission date.

And with that we have completed all the questions.

I hope you found this walkthrough easy to understand and follow.

Greetings from Sayonara
