# RogueOne

{% embed url="<https://app.hackthebox.com/sherlocks/RogueOne>" %}

```
Your SIEM system generated multiple alerts in less than a minute, indicating potential C2 communication from Simon Stark's workstation.
Despite Simon not noticing anything unusual, the IT team had him share screenshots of his task manager to check for any unusual processes.
No suspicious processes were found, yet alerts about C2 communications persisted. The SOC manager then directed the immediate containment of the workstation and a memory dump for analysis.
As a memory forensics expert, you are tasked with assisting the SOC team at Forela to investigate and resolve this urgent incident.
```

### <mark style="color:red;">**Identifying the Malicious Process**</mark>

#### <mark style="color:blue;">Initial Analysis Using Imageinfo</mark>

First, let's find the profile with the `imageinfo` plugin to start our investigation:

```bash
remnux@remnux:~/malware$ vol.py -f 20230810.mem imageinfo > imageinfo.txt
Volatility Foundation Volatility Framework 2.6.1

INFO    : volatility.debug    : Determining profile based on KDBG search...
remnux@remnux:~/malware$ cat imageinfo.txt 
          Suggested Profile(s) : Win10x64_19041
                     AS Layer1 : SkipDuplicatesAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/home/remnux/malware/20230810.mem)
                      PAE type : No PAE
                           DTB : 0x1ad000L
                          KDBG : 0xf80179000b20L
          Number of Processors : 8
     Image Type (Service Pack) : 0
                KPCR for CPU 0 : 0xfffff80175b3a000L
                KPCR for CPU 1 : 0xffffc78138867000L
                KPCR for CPU 2 : 0xffffc7813892a000L
                KPCR for CPU 3 : 0xffffc781389ad000L
                KPCR for CPU 4 : 0xffffc78138aa3000L
                KPCR for CPU 5 : 0xffffc78138b26000L
                KPCR for CPU 6 : 0xffffc78138be9000L
                KPCR for CPU 7 : 0xffffc78138cec000L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2023-08-10 11:32:00 UTC+0000
     Image local date and time : 2023-08-10 16:32:00 +0500
```

The output suggests the following profile:

```
Suggested Profile(s) : Win10x64_19041
```

With this profile we can proceed to analyze the memory dump with Volatility 2.

#### <mark style="color:blue;">Process Listing</mark>

Let's list the processes and check whether any of them look malicious:

```bash
vol.py -f 20230810.mem --profile=Win10x64_19041 pslist
```

But all the processes seem legitimate, since all of them are normal Windows processes.

#### <mark style="color:blue;">Network Connection Analysis</mark>

Investigating the TCP connections with the `netscan` plugin may reveal suspicious activities:

```bash
vol.py -f 20230810.mem --profile=Win10x64_19041 netscan
```

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FmcTs1g93DVJsFmuxDObV%2Fimage.png?alt=media&#x26;token=4564d1e2-4821-4d84-a4bf-3cafda02c662" alt=""><figcaption></figcaption></figure></div>

An unusual connection is discovered on port 8888, which points to possible malicious activity (a reverse TCP connection to an attacker listening on port 8888). However, this output does not give us the process ID (PID) that opened the connection.

For more precise information about network activities, we use the `netstat` plugin from Volatility 3:

```bash
vol3 -f 20230810.mem windows.netstat.NetStat
```

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FK9XWUjh49iJXnh3x0vUY%2Fimage.png?alt=media&#x26;token=5d07276b-d3bc-4b09-858f-9c5a3380e567" alt=""><figcaption></figcaption></figure></div>

Further analysis of the network connections reveals suspicious activity associated with a process:

* **Process Name**: svchost.exe
* **Process ID (PID)**: 6812
* **Connection**: The connection was established on TCP port 8888, which is not commonly used by standard Windows services.

Given that `svchost.exe` is a legitimate Windows process that hosts services, the presence of a `svchost.exe` process is not suspicious on its own. However, the unusual network activity associated with PID 6812 raises concerns that this instance of `svchost.exe` may have been compromised or is masquerading as a legitimate process to hide the Command and Control (C2) communication.

We will need to investigate process 6812 further to determine if it's indeed the source of the malicious traffic and take appropriate action to mitigate the threat.

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FGJ7JNzHr2hOHwiAkDg96%2Fimage.png?alt=media&#x26;token=a5571c9c-8786-4578-9043-76a0c055a80d" alt=""><figcaption></figcaption></figure></div>

### <mark style="color:red;">**Identifying the ChildProcess spawned by the Malicious Process svchost.exe**</mark>

To investigate the child processes spawned by the potentially compromised svchost.exe process, we will use the `pstree` plugin, which visualizes parent-child relationships between processes:

```bash
vol.py -f 20230810.mem --profile=Win10x64_19041 pstree | grep 6812
Volatility Foundation Volatility Framework 2.6.1

*** 6812	7436	svchost.exe	0x9e8b87762080	3	-	1	False	2023-08-10 11:30:03.000000 	N/A
**** 4364	6812	cmd.exe	0x9e8b8b6ef080	1	-	1	False	2023-08-10 11:30:57.000000 	N/A
```

The child process analysis using `pstree` indicates that the `svchost.exe` process with PID 6812 spawned a `cmd.exe` process with PID 4364.

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2F6MiFq1pWGrpnbChhXA95%2Fimage.png?alt=media&#x26;token=ceddc8f2-cd20-4fa2-aa19-6a1e491f1fd6" alt=""><figcaption></figcaption></figure></div>

### <mark style="color:red;">Hunting for malicious file sample</mark>

#### <mark style="color:blue;">Further Investigation of the Malicious "</mark><mark style="color:blue;">`svchost.exe`</mark><mark style="color:blue;">" Process</mark>

We know that the malicious process is `svchost.exe`, so let's look for the parent process that spawned it, using `pstree` again and grepping for the parent PID `7436` (the PPID column is right next to the PID column):

```bash
vol.py -f 20230810.mem --profile=Win10x64_19041 pstree | grep 7436
Volatility Foundation Volatility Framework 2.6.1

** 7436	7400	explorer.exe	0x9e8b8c4d2080	75	-	1	False	2023-08-10 11:14:07.000000 	N/A
*** 5864	7436	WinRAR.exe	0x9e8b92bdb0c0	5	-	1	False	2023-08-10 11:20:21.000000 	N/A
*** 936	7436	svchost.exe	0x9e8b8cd89080	0	-	1	False	2023-08-10 11:22:31.000000 	2023-08-10 11:27:51.000000 
*** 9580	7436	SecurityHealth	0x9e8b90135340	1	-	1	False	2023-08-10 11:14:25.000000 	N/A
*** 9712	7436	vmtoolsd.exe	0x9e8b8cbd5080	9	-	1	False	2023-08-10 11:14:26.000000 	N/A
*** 2776	7436	RamCapture64.e	0x9e8b8aa66080	5	-	1	False	2023-08-10 11:31:52.000000 	N/A
*** 6812	7436	svchost.exe	0x9e8b87762080	3	-	1	False	2023-08-10 11:30:03.000000 	N/A
```

The fact that `svchost.exe` was started by `explorer.exe` is particularly alarming as `explorer.exe` is the Windows program responsible for the desktop and file management. It typically does not spawn `svchost.exe` processes. This indicates that the user might have accidentally executed malicious code leading to the spawning of a fake or compromised `svchost.exe`.

#### <mark style="color:blue;">CMD History</mark>

Let's check the command lines of the running processes to see where the fake `svchost.exe` was executed from, using the `cmdline` plugin:

```bash
vol.py -f 20230810.mem --profile=Win10x64_19041 cmdline | grep svchost.exe
```

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FBrbFnLpLI1r3qWZnYuT0%2Fimage.png?alt=media&#x26;token=929f75fa-b096-4131-a02e-a28ab4c86937" alt=""><figcaption></figcaption></figure></div>

We can notice that all the `svchost.exe` processes were launched from the System32 directory, except the last one with process ID 6812, which was executed from Simon's user Downloads directory.
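The two checks made by hand above (does `svchost.exe` have the parent it should, and does it run from System32?) are easy to automate over the plugin output. The following Python script is an added example, not part of the original walkthrough or of Volatility: it parses Volatility 2 `pslist` rows and `cmdline` blocks and flags an `svchost.exe` whose parent is not `services.exe`, whose image path is outside the Windows directory, or which spawns a shell. The `svchost.exe` 6812 and `cmd.exe` 4364 rows are the walkthrough's own; the `explorer.exe` row matches its `pstree` entry; the `services.exe` and second `svchost.exe` rows, the `cmdline` blocks and the user directory name are constructed so the checks have something to pass and something to catch.

```python
import re

# Sample vol2 pslist rows (Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start).
# svchost.exe 6812 and cmd.exe 4364 are from the walkthrough; explorer.exe 7436
# matches its pstree line; services.exe 700 and svchost.exe 2100 are constructed.
PSLIST_OUTPUT = """\
0xffff9e8b8c4d2080 explorer.exe           7436   7400     75        0      1      0 2023-08-10 11:14:07 UTC+0000
0xffff9e8b80000010 services.exe            700    600      8        0      0      0 2023-08-10 11:13:50 UTC+0000
0xffff9e8b80000020 svchost.exe            2100    700     12        0      0      0 2023-08-10 11:13:55 UTC+0000
0xffff9e8b87762080 svchost.exe            6812   7436      3        0      1      0 2023-08-10 11:30:03 UTC+0000
0xffff9e8b8b6ef080 cmd.exe                4364   6812      1        0      1      0 2023-08-10 11:30:57 UTC+0000
"""

# Constructed vol2 cmdline blocks; the real paths are in the walkthrough's
# screenshot, the user name "simon" here is made up.
CMDLINE_OUTPUT = """\
************************************************************************
svchost.exe pid:   2100
Command line : C:\\Windows\\system32\\svchost.exe -k netsvcs -p
************************************************************************
svchost.exe pid:   6812
Command line : C:\\Users\\simon\\Downloads\\svchost.exe
************************************************************************
cmd.exe pid:   4364
Command line : C:\\Windows\\system32\\cmd.exe
"""

# Who normally starts a service host, where core binaries live, and which
# children a service host should never have.
EXPECTED_PARENT = {"svchost.exe": {"services.exe"}}
EXPECTED_PATH = {
    "svchost.exe": {r"c:\windows\system32\svchost.exe", r"c:\windows\syswow64\svchost.exe"},
    "cmd.exe": {r"c:\windows\system32\cmd.exe", r"c:\windows\syswow64\cmd.exe"},
}
SERVICE_HOSTS = {"svchost.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}


def parse_pslist(text):
    """Map PID -> {name, ppid, offset, start} from vol2 pslist rows."""
    procs = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 10 or not tok[0].startswith("0x"):
            continue  # banner, header or blank line
        procs[int(tok[2])] = {
            "name": tok[1], "ppid": int(tok[3]), "offset": tok[0],
            "start": tok[8] + " " + tok[9],
        }
    return procs


def parse_cmdline(text):
    """Map PID -> command line from vol2 cmdline blocks."""
    pattern = re.compile(r"^(\S+) pid:\s+(\d+)\r?\nCommand line : (.*)$", re.M)
    return {int(pid): cmd.strip() for _, pid, cmd in pattern.findall(text)}


def image_path(cmdline):
    """First token of a Windows command line, honouring a quoted path; lower-cased."""
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.index('"', 1)].lower()
    return cmdline.split()[0].lower()


def find_masquerading(procs, cmdlines):
    """Return (pid, rule, detail) findings for processes that break the rules above."""
    findings = []
    for pid, p in procs.items():
        name = p["name"].lower()
        parent = procs.get(p["ppid"])
        parent_name = parent["name"].lower() if parent else "<unknown>"
        if name in EXPECTED_PARENT and parent_name not in EXPECTED_PARENT[name]:
            findings.append((pid, "unexpected-parent",
                             f"{name} started by {parent_name} ({p['ppid']}), expected {sorted(EXPECTED_PARENT[name])}"))
        if name in EXPECTED_PATH and pid in cmdlines:
            path = image_path(cmdlines[pid])
            if path not in EXPECTED_PATH[name]:
                findings.append((pid, "unexpected-path", f"{name} running from {path}"))
        if name in SHELLS and parent_name in SERVICE_HOSTS:
            findings.append((pid, "shell-from-service-host",
                             f"{name} spawned by {parent_name} ({p['ppid']})"))
    return findings


if __name__ == "__main__":
    procs = parse_pslist(PSLIST_OUTPUT)
    for pid, rule, detail in find_masquerading(procs, parse_cmdline(CMDLINE_OUTPUT)):
        print(f"PID {pid:<6} {rule:<24} {detail}")
```

On the sample input it reports PID 6812 twice (parent is `explorer.exe`, image lives under a user's Downloads folder) and PID 4364 once (a shell under a service host), which is exactly the chain the walkthrough traced by hand. Feed it the real plugin output with `parse_pslist(open("pslist.txt").read())` and the same for `cmdline`; the `pstree` line for PID 936 on this page, another `svchost.exe` under `explorer.exe` that had already exited, would be reported by the parent rule as well.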

So let's dump the `svchost.exe` file located in the Downloads directory. To do that, we dump all the files related to the malicious process ID 6812; I am using Volatility 3 for this:

```bash
vol3 -f ../20230810.mem windows.dumpfiles.DumpFiles --pid 6812

...
...
...
file.0x9e8b8a4e4270.0x9e8b8a656d00.ImageSectionObject.mpr.dll.img
file.0x9e8b8ae25140.0x9e8b8a7e5a20.ImageSectionObject.cscapi.dll.img
file.0x9e8b8b0708b0.0x9e8b8a2a3d20.ImageSectionObject.wininet.dll.img
file.0x9e8b91ec0140.0x9e8b90819750.DataSectionObject.svchost.exe.dat
file.0x9e8b91ec0140.0x9e8b957f24c0.ImageSectionObject.svchost.exe.img
```

We get a lot of files, but the last one is the one we want: `file.0x9e8b91ec0140.0x9e8b957f24c0.ImageSectionObject.svchost.exe.img`

Let's calculate the MD5 hash using `md5sum`:

```
md5sum file.0x9e8b91ec0140.0x9e8b957f24c0.ImageSectionObject.svchost.exe.img
5bd547c6f5bfc4858fe62c8867acfbb5  file.0x9e8b91ec0140.0x9e8b957f24c0.ImageSectionObject.svchost.exe.img
```

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FDj6JT3TCV0UkXymFTCiS%2Fimage.png?alt=media&#x26;token=2e03d396-92c2-42d2-a0d0-853780e1d1b6" alt=""><figcaption></figcaption></figure></div>

### <mark style="color:red;">Identify C2 IP address and ports</mark>

By using the `windows.netstat.NetStat` plugin in Volatility 3, we can view all active connections and their corresponding IP addresses and ports. This allows us to identify any suspicious connections that the malware could be using to communicate with an external C2 server.

```bash
vol3 -f 20230810.mem windows.netstat.NetStat
```

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FK9XWUjh49iJXnh3x0vUY%2Fimage.png?alt=media&#x26;token=5d07276b-d3bc-4b09-858f-9c5a3380e567" alt=""><figcaption></figcaption></figure></div>

The results show an active connection to an external IP address `13.127.155.166` on port `8888`.

We can also identify the C2 IP and port by searching for the sample on VirusTotal using the MD5 hash obtained in the previous question:

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2F2W09pyLJajwzlwvZr3Mw%2Fimage.png?alt=media&#x26;token=44ab0653-464a-4de6-8eef-c2cd8fb51979" alt=""><figcaption></figcaption></figure></div>

In the Behavior section:

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FFN0P29qM2yBIbTRMFSzz%2Fimage.png?alt=media&#x26;token=cf0f4968-5d45-4fb4-b98e-2ea8e5703b4b" alt=""><figcaption></figcaption></figure></div>

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FFbjysqye0aniJlYwJbmh%2Fimage.png?alt=media&#x26;token=c827560d-ec50-4144-b5dc-9013402e1d35" alt=""><figcaption></figcaption></figure></div>

### <mark style="color:red;">Timeline Analysis of Malicious Process Activity</mark>

This information can be obtained with the `windows.netstat.NetStat` plugin in Volatility 3:

```bash
vol3 -f 20230810.mem windows.netstat.NetStat
```

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FK9XWUjh49iJXnh3x0vUY%2Fimage.png?alt=media&#x26;token=5d07276b-d3bc-4b09-858f-9c5a3380e567" alt=""><figcaption></figcaption></figure></div>

The results show an active connection to the external IP address `13.127.155.166` on port `8888`, created at `2023-08-10 11:30:03`.

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FQyIAa17PUq03UeIfFF0J%2Fimage.png?alt=media&#x26;token=a2cd0192-f52f-4506-8ec6-f5718bf00f18" alt=""><figcaption></figcaption></figure></div>
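Both the C2 identification above and this timeline question come from reading the same `windows.netstat.NetStat` table by eye. The Python script below is an added example, not part of the walkthrough or of Volatility: it parses that table, flags established connections to a public address on a port outside a small allowlist, and merges the connection creation times with process start times into one ordered timeline. The `netstat` rows are constructed in the tab-separated layout vol3 prints (the 6812 row reproduces the page's finding; the local addresses and the other rows are filler), and the process start times are copied from the page's `pslist` output.

```python
import ipaddress
from datetime import datetime

# Constructed sample in the tab-separated column layout vol3 prints for
# windows.netstat.NetStat: Offset, Proto, LocalAddr, LocalPort, ForeignAddr,
# ForeignPort, State, PID, Owner, Created. The 6812/svchost.exe row reproduces
# the walkthrough's finding; local addresses and the other rows are filler.
NETSTAT_OUTPUT = "\n".join([
    "Offset\tProto\tLocalAddr\tLocalPort\tForeignAddr\tForeignPort\tState\tPID\tOwner\tCreated",
    "0x9e8b8e3a1010\tTCPv4\t10.10.10.25\t49710\t13.127.155.166\t8888\tESTABLISHED\t6812\tsvchost.exe\t2023-08-10 11:30:03.000000",
    "0x9e8b8e3a2020\tTCPv4\t10.10.10.25\t49680\t10.10.10.5\t445\tESTABLISHED\t4\tSystem\t2023-08-10 11:14:02.000000",
    "0x9e8b8e3a3030\tTCPv4\t0.0.0.0\t135\t0.0.0.0\t0\tLISTENING\t912\tsvchost.exe\t2023-08-10 11:13:58.000000",
    "0x9e8b8e3a4040\tTCPv6\t::\t445\t::\t0\tLISTENING\t4\tSystem\t2023-08-10 11:13:58.000000",
])

# Process creation times, copied from the walkthrough's pslist output.
PROCESS_STARTS = [
    ("2023-08-10 11:30:03.000000", 6812, "svchost.exe"),
    ("2023-08-10 11:30:57.000000", 4364, "cmd.exe"),
]

# Ports a workstation process may plausibly reach on the public internet.
# C2 over 443 would not trip this rule, which is why the process-lineage
# check is run alongside it rather than instead of it.
ALLOWED_PUBLIC_PORTS = {80, 443}

COLUMNS = ["offset", "proto", "laddr", "lport", "faddr", "fport", "state", "pid", "owner", "created"]


def parse_timestamp(value):
    """vol3 prints 'YYYY-MM-DD HH:MM:SS.ffffff' or 'N/A'; return a datetime or None."""
    if value == "N/A":
        return None
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f")


def parse_netstat(text):
    """Turn vol3 netstat rows into dicts; header and banner lines are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != len(COLUMNS) or not fields[0].startswith("0x"):
            continue
        row = dict(zip(COLUMNS, fields))
        for key in ("lport", "fport", "pid"):
            row[key] = int(row[key])
        row["created"] = parse_timestamp(row["created"])
        rows.append(row)
    return rows


def suspicious_connections(rows, allowed_ports=ALLOWED_PUBLIC_PORTS):
    """Established connections to a public address on a port outside the allowlist."""
    flagged = []
    for row in rows:
        if row["state"] != "ESTABLISHED":
            continue
        remote = ipaddress.ip_address(row["faddr"])
        if remote.is_global and row["fport"] not in allowed_ports:
            flagged.append(row)
    return flagged


def build_timeline(rows, process_starts):
    """Merge process starts and socket creation times; returns (time, pid, description).

    Process starts sort before connections created in the same second, so a
    process always appears before the sockets it opened."""
    events = []
    for created, pid, name in process_starts:
        events.append((parse_timestamp(created), 0, pid, f"process start {name}"))
    for row in rows:
        if row["created"] is None:
            continue
        desc = (f"{row['owner']} {row['proto']} {row['laddr']}:{row['lport']} -> "
                f"{row['faddr']}:{row['fport']} ({row['state']})")
        events.append((row["created"], 1, row["pid"], desc))
    events.sort(key=lambda e: (e[0], e[1]))
    return [(ts, pid, desc) for ts, _, pid, desc in events]


if __name__ == "__main__":
    rows = parse_netstat(NETSTAT_OUTPUT)
    for row in suspicious_connections(rows):
        print(f"suspicious: PID {row['pid']} {row['owner']} -> {row['faddr']}:{row['fport']}")
    for ts, pid, desc in build_timeline(rows, PROCESS_STARTS):
        print(f"{ts:%Y-%m-%d %H:%M:%S}  PID {pid:<6} {desc}")
```

On the sample the only flagged row is PID 6812 talking to `13.127.155.166:8888`, and the timeline shows the `svchost.exe` start and its socket at `11:30:03` followed by the `cmd.exe` child at `11:30:57`, which is the sequence the screenshots document. Against a real dump, paste the plugin's output into `NETSTAT_OUTPUT` (or read it from a file) and fill `PROCESS_STARTS` from `pslist`; a connection created at the same second a process starts, as here, is a strong hint that the connection is the process's first action rather than something a user triggered later.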

### <mark style="color:red;">memory offset of the malicious process</mark>

Any process-listing plugin shows the offset of each process:

```bash
remnux@remnux:~/malware$ vol.py --profile=Win10x64_19041 -f 20230810.mem pslist | grep 6812
Volatility Foundation Volatility Framework 2.6.1

0xffff9e8b87762080 svchost.exe            6812   7436      3        0      1      0 2023-08-10 11:30:03 UTC+0000                                 
0xffff9e8b8b6ef080 cmd.exe                4364   6812      1        0      1      0 2023-08-10 11:30:57 UTC+0000 
```

The offset is the part of the address that differs between entries: the leading `0xffff` is the sign-extension prefix shared by every x64 kernel virtual address (the `pstree` output above printed the same entries without it), so the offset of the malicious `svchost.exe` with PID `6812` is `0x9e8b87762080`.

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FWzRg7J5cEgi7H2tLISt4%2Fimage.png?alt=media&#x26;token=c1035e95-4b61-4053-a520-b3d3a344c90e" alt=""><figcaption></figcaption></figure></div>

### <mark style="color:red;">First Submission to VirusTotal</mark>

First we search for the sample on VirusTotal using the MD5 hash and then go to the Details tab:

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2Fr9Pzh6V2471AE2pogZJV%2Fimage.png?alt=media&#x26;token=10444d76-5e44-472c-90d8-5001296538de" alt=""><figcaption></figcaption></figure></div>

Scrolling down, we find the first submission date:

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FBPIfxs9VfYEZSEAQ32T3%2Fimage.png?alt=media&#x26;token=2e7be680-6c40-4fa7-a18b-a5030c7d98c0" alt=""><figcaption></figcaption></figure></div>

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2Fgqu6m3frwYyddSwWb6SL%2Fimage.png?alt=media&#x26;token=622479a9-8a80-47ba-85b7-ba125c8bce94" alt=""><figcaption></figcaption></figure></div>

And we have completed all the questions.

I hope you found this walkthrough easy to understand and follow.

Greetings from [<mark style="color:red;">**Sayonara**</mark>](https://github.com/ismail-arame)

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FBrZLeAMW9rxJHXVHgPt0%2Fimage.png?alt=media&#x26;token=fab2a822-84be-48b6-a7e8-19a4e4e40334" alt=""><figcaption></figcaption></figure></div>
