Kwelwild

Jackcr's Forensic Challenge Solutions With Volatility Framework

Description: In this video I will show you how to solve Jackcr's forensic challenge using Volatility Framework.
1. Who delivered the attack?
"Security Department"
2. Who was the attack delivered to?
amirs@petro-market.org
callb@petro-market.org
wrightd@petro-market.org
3. What time was the attack delivered?
Mon, 26 Nov 2012 14:00:08 -0600 via phishing email.
4. What time was the attack executed?
By the user callb on machine ENG-USTXHOU-148:
Downloaded at Mon, 26 Nov 2012 23:01:53 UTC
Executed at Mon, 26 Nov 2012 23:01:54 UTC
(from IE history fragment, verified with timeline and prefetch entry)
By the user amirs on machine FLD-SARIYADH-43:
Downloaded at unknown (Visited: fragment in memory without timestamp)
Executed at Tue, 27 Nov 2012 00:17:58 UTC (timeline and prefetch entry)
5. What is the C2 IP Address?
58.64.132.141
6. What is the name of the dropper?
Symantec-1.43-1.exe
7. What is the name of the backdoor?
Gh0st
8. What is the process name the backdoor is running in?
svchost.exe via the injected DLL 6to4ex.dll
9. What is the process id on all the machines the backdoor is installed on?
ENG-USTXHOU-148 PID 1024
FLD-SARIYADH-43 PID 1032
10. What usernames were used in this attack?
callb (password Mar1ners@4655)
sysbackup (password T1g3rsL10n5)
11. What level of access did the attacker have?
Local Administrator (via sysbackup account)
12. How was lateral movement performed?
cmd.exe executed via PSEXEC from ENG-USTXHOU-148 to IIS-SARIYADH-03
PSEXEC was attempted against DC-USTXHOU but was not successful.
13. What .bat scripts were placed on the machines?
FLD-SARIYADH-43
system1.bat
system2.bat
system3.bat
system4.bat
system5.bat
system6.bat
ENG-USTXHOU-148
system5.bat
IIS-SARIYADH-03
system1.bat
system4.bat
system5.bat
14. What are the contents of each .bat script?
system1.bat – make the c:\windows\webui directory and share it as “Z”, granting the sysbackup user full permissions.
system2.bat – execute gs.exe and output to c:\windows\webui\svchost.dll
system3.bat – perform a recursive directory listing of c:\*.dwg and write output to c:\windows\webui\https.dll
system4.bat – using winrar, compress the contents of “C:\Engineering\Designs\Pumps\*.dwg” excluding *.dll, writing the resulting rar archive into c:\WINDOWS\webui\netstat.dll using the password hclllsddlsdiddklljh.
system5.bat – copies wc.exe from the c:\windows\webui\ directory into the c:\windows\system32\ directory and creates an AT task to execute it at various times.
system6.bat – execute various system utilities to gather information on the network.
15. What other tools were placed on the machines by the attacker?
PSEXEC (ps.exe)
Windows Credentials Editor (wc.exe)
WinRAR (ra.exe)
ScanLine (sl.exe)
gsecdump (gs.exe)
16. What directory was used by the attacker to drop tools?
C:\WINDOWS\webui
17. Was the directory newly created or was it there prior to the attack?
Newly created for the attack
18. What were the names of the exfiltrated files?
netuse.dll
system.dll
svchost.dll
netstat.dll
https.dll
19. What did the exfiltrated files contain?
netuse.dll – output of various commands executed on ENG-USTXHOU-148 - hashes included
system.dll – output of various commands executed on IIS-SARIYADH-03 - no hashes included
svchost.dll – output of hash dumping commands on IIS-SARIYADH-03
https.dll – directory listing of C:\Engineering\Designs\Pumps from IIS-SARIYADH-03
netstat.dll – RAR file
20. What time did winrar run?
Tue Nov 27 2012 01:11:19 UTC
21. What is the md5sum of pump1.dwg?
a48266248c04b2ba733238a480690a1c
22. Which machines were compromised and need to be remediated?
ENG-USTXHOU-148
FLD-SARIYADH-43
IIS-SARIYADH-03
23. Which user accounts were compromised and need to be remediated?
callb
sysbackup
saadmin
24. Are there additional machines that need to be analyzed?
No.
25. Describe how each machine was involved
PDF: file:///C:/Users/Administrator/Downloads/Jackcr+Forensic+Challenge+report+-+ver2-20121202-BN.pdf

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.
Original Source:


Source: Jackcr's Forensic Challenge Solutions With Volatility Framework
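As an added example (it is not part of the post above, nor code from the Volatility project), the Python below runs a defender's triage pass over Volatility-style plugin output using the indicators the answer key reports: the C2 address, the 6to4ex.dll injected into svchost.exe, and the C:\WINDOWS\webui directory with its .dll-named exfiltration files and renamed tools. The sample lines, their column layout, the regular expressions and the local addresses (192.0.2.0/24 documentation range) are constructed assumptions written to resemble `connscan`, `dlllist` and `filescan` tables; they are not output captured from the challenge images.

```python
"""Triage helper: flag the Jackcr-challenge indicators in Volatility-style output.

Added example, not from the original post or the Volatility project. The
indicator values come from the answer key on this page; the sample plugin
output, column layout and regexes are constructed assumptions.
"""
import re
from dataclasses import dataclass

# Indicators reported in the answer key (page-specific values).
C2_IP = "58.64.132.141"
INJECTED_DLL = "6to4ex.dll"
TOOL_DIR = "\\windows\\webui\\"  # compared case-insensitively
STAGING_FILES = {"netuse.dll", "system.dll", "svchost.dll", "netstat.dll", "https.dll"}
TOOL_NAMES = {"ps.exe", "wc.exe", "ra.exe", "sl.exe", "gs.exe"}


@dataclass(frozen=True)
class Hit:
    host: str
    kind: str      # "c2_connection", "injected_dll" or "staged_file"
    pid: int       # 0 when the artifact has no owning process (filescan)
    detail: str


# Constructed sample output laid out like Volatility 2 plugin tables.
# Local addresses use the 192.0.2.0/24 documentation range (assumed).
SAMPLE_CONNECTIONS = """\
Offset(P)  Local Address        Remote Address       Pid
0x01e3c0e8 192.0.2.148:1046     58.64.132.141:443    1024
0x01f10a10 192.0.2.148:1052     192.0.2.10:445       4
"""

SAMPLE_DLLLIST = """\
svchost.exe pid:   1024
Command line : C:\\WINDOWS\\system32\\svchost.exe -k netsvcs

Base         Size  LoadCount Path
0x01000000 0x6000     0xffff C:\\WINDOWS\\system32\\svchost.exe
0x7c800000 0xf6000    0xffff C:\\WINDOWS\\system32\\kernel32.dll
0x10000000 0x2c000    0x1    C:\\WINDOWS\\system32\\6to4ex.dll
************************************************************************
explorer.exe pid:   1520
Command line : C:\\WINDOWS\\Explorer.EXE

Base         Size  LoadCount Path
0x01000000 0xff000    0xffff C:\\WINDOWS\\Explorer.EXE
"""

SAMPLE_FILESCAN = """\
Offset(P)      #Ptr   #Hnd Access Name
0x02010f90        1      0 R--r-- \\Device\\HarddiskVolume1\\WINDOWS\\webui\\netstat.dll
0x02044028        1      0 R--r-- \\Device\\HarddiskVolume1\\WINDOWS\\webui\\ra.exe
0x02100a88        1      0 R--r-- \\Device\\HarddiskVolume1\\WINDOWS\\system32\\ntdll.dll
"""

# Row patterns for the constructed table layouts above (assumed formats).
CONN_RE = re.compile(r"^\s*0x[0-9a-fA-F]+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\d+)\s*$")
PROC_RE = re.compile(r"^(\S+)\s+pid:\s+(\d+)\s*$")
DLL_RE = re.compile(r"^\s*0x[0-9a-fA-F]+\s+0x[0-9a-fA-F]+\s+0x[0-9a-fA-F]+\s+(.+?)\s*$")
FILE_RE = re.compile(r"^\s*0x[0-9a-fA-F]+\s+\d+\s+\d+\s+\S+\s+(.+?)\s*$")


def scan_connections(host, text):
    """Flag any connection whose remote address is the reported C2 IP."""
    hits = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m and m.group(3) == C2_IP:
            hits.append(Hit(host, "c2_connection", int(m.group(5)), f"{m.group(3)}:{m.group(4)}"))
    return hits


def scan_dlllist(host, text):
    """Walk per-process DLL tables and flag the injected DLL wherever it is loaded."""
    hits, proc, pid = [], "", 0
    for line in text.splitlines():
        m = PROC_RE.match(line)
        if m:                       # new process header: remember its name and PID
            proc, pid = m.group(1), int(m.group(2))
            continue
        m = DLL_RE.match(line)
        if m and m.group(1).lower().endswith("\\" + INJECTED_DLL):
            hits.append(Hit(host, "injected_dll", pid, f"{proc} loaded {m.group(1)}"))
    return hits


def scan_filescan(host, text):
    """Flag every file object under the attacker's drop directory and classify it."""
    hits = []
    for line in text.splitlines():
        m = FILE_RE.match(line)
        if not m:
            continue
        path = m.group(1)
        low = path.lower()
        if TOOL_DIR in low:
            name = low.rsplit("\\", 1)[-1]
            tag = ("staging file" if name in STAGING_FILES
                   else "attacker tool" if name in TOOL_NAMES
                   else "tool directory file")
            hits.append(Hit(host, "staged_file", 0, f"{tag}: {path}"))
    return hits


def triage(host, connections, dlllist, filescan):
    """Combine the three scans into one sorted, deterministic hit list."""
    hits = scan_connections(host, connections) + scan_dlllist(host, dlllist) + scan_filescan(host, filescan)
    return sorted(hits, key=lambda h: (h.kind, h.pid, h.detail))


if __name__ == "__main__":
    for h in triage("ENG-USTXHOU-148", SAMPLE_CONNECTIONS, SAMPLE_DLLLIST, SAMPLE_FILESCAN):
        print(f"{h.host} {h.kind:15} pid={h.pid:<5} {h.detail}")
```

The three scans are kept separate so the same indicator set can be run against each host's plugin output in turn; a remediation list like the one in question 22 is then the set of hosts that produced any hit, and the PID on the `injected_dll` hit is the one to compare against question 9.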
