Part 2 - Malware Analysis

Description

You are given a snapshot of an infected computer. The machine has been infected with ransomware. Your goal is to understand the execution trail of the malware and reverse engineer it to decrypt the files taken hostage by the malicious program.

URL to download dump : https://drive.google.com/file/d/1xPqeXy7yji6zaYmFQDV3gQHmDe7bD4cM/view?usp=sharing

Tools

  • Volatility3 ~ An advanced memory forensics framework
  • dnSpy ~ A .NET debugger and assembly editor
  • dotPeek ~ A free .NET decompiler by JetBrains

Step 1: Computer name

Let's start by analyzing the .vmem dump using volatility3:

vol3 -f dump.vmem windows.info
# Volatility 3 Framework 2.8.0
# Progress:  100.00               PDB scanning finished
# Variable        Value

# Kernel Base     0xf80002a52000
# DTB     0x187000
# Symbols file:///opt/volatility/volatility3/symbols/windows/ntkrnlmp.pdb/3844DBB920174967BE7AA4A2C20430FA-2.json.xz
# Is64Bit True
# IsPAE   False
# layer_name      0 WindowsIntel32e
# memory_layer    1 FileLayer
# KdDebuggerDataBlock     0xf80002c430a0
# NTBuildLab      7601.17514.amd64fre.win7sp1_rtm.
# CSDVersion      1
# KdVersionBlock  0xf80002c43068
# Major/Minor     15.7601
# MachineType     34404
# KeNumberProcessors      2
# SystemTime      2018-08-04 19:34:22+00:00
# NtSystemRoot    C:\Windows
# NtProductType   NtProductWinNt
# NtMajorVersion  6
# NtMinorVersion  1
# PE MajorOperatingSystemVersion  6
# PE MinorOperatingSystemVersion  1
# PE Machine      34404
# PE TimeDateStamp        Sat Nov 20 09:30:02 2010

We get some interesting information, but nothing here gives us the computer name; let's look in the environment variables instead:

vol3 -f dump.vmem windows.envars | grep COMPUTERNAME
# 396     wininit.exe     0x2718f0        COMPUTERNAME    WIN-LO6FAF3DTFE
# 432     winlogon.exe    0x1818f0        COMPUTERNAME    WIN-LO6FAF3DTFE
# 492     services.exe    0x91c40 COMPUTERNAME    WIN-LO6FAF3DTFE
# 500     lsass.exe       0x481c40        COMPUTERNAME    WIN-LO6FAF3DTFE
# 508     lsm.exe 0x3d1c40        COMPUTERNAME    WIN-LO6FAF3DTFE
# 604     svchost.exe     0x251d90        COMPUTERNAME    WIN-LO6FAF3DTFE
# 668     vmacthlp.exe    0x421d90        COMPUTERNAME    WIN-LO6FAF3DTFE
# 712     svchost.exe     0x2a1e10        COMPUTERNAME    WIN-LO6FAF3DTFE
# 808     svchost.exe     0x261e00        COMPUTERNAME    WIN-LO6FAF3DTFE
# ...
  • Retrieve the name of the computer this memory snapshot has been taken on.

WIN-LO6FAF3DTFE

Step 2: Credentials

vol3 -f dump.vmem windows.hashdump
# Volatility 3 Framework 2.8.0
# Progress:  100.00               PDB scanning finished
# User    rid     lmhash  nthash

# Administrator   500     aad3b435b51404eeaad3b435b51404ee        31d6cfe0d16ae931b73c59d7e0c089c0
# Guest   501     aad3b435b51404eeaad3b435b51404ee        31d6cfe0d16ae931b73c59d7e0c089c0
# Rick    1000    aad3b435b51404eeaad3b435b51404ee        518172d012f97d3a8fcc089615283940

PS: windows.hashdump was not found at first. I thought I was cursed until I found a message from a vol3 contributor suggesting to run volatility3 with -vvv; this showed hidden errors saying that the modules yara, pefile and Crypto were not found. After a pip install yara-python pefile pycryptodome it worked.

Okay, let's run all 6 hashes through CrackStation and see if anything comes out of it.

(screenshot: CrackStation results)

Nothing interesting for the first ones: the shared LM hash aad3b435b51404eeaad3b435b51404ee is the placeholder Windows stores when LM hashing is disabled, and the NT hash 31d6cfe0d16ae931b73c59d7e0c089c0 on Administrator and Guest is that of an empty password. The 6th hash, Rick's NT hash, is the one we actually want, and CrackStation does not know it, so let's keep searching. Maybe there's another way to extract the user's password or hashes from somewhere else.

After digging online for ways Windows might leak the passwords, I found a blog that lists the different volatility3 commands; searching it for "password" turned up lsadump, let's try it:

vol3 -f dump.vmem windows.lsadump
# Volatility 3 Framework 2.8.0
# Progress:  100.00               PDB scanning finished
# Key     Secret  Hex

# DefaultPassword (MortyIsReallyAnOtter   28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4d 00 6f 00 72 00 74 00 79 00 49 00 73 00 52 00 65 00 61 00 6c 00 6c 00 79 00 41 00 6e 00 4f 00 74 00 74 00 65 00 72 00 00 00 00 00 00 00 00 00
# DPAPI_SYSTEM    <binary, not printable>        2c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 36 9b ba a9 55 e1 92 82 09 e0 63 4c 20 74 63 14 9e d8 a0 4b 45 87 5a e4 bc f2 77 a5 25 3f 47 12 0b e5 4d a5 c8 35 cf dc 00 00 00 00
  • We are looking for both the username, and the password (in clear text)

DefaultPassword is the LSA secret Winlogon keeps when automatic logon is configured: the plaintext password of the autologon account, stored as a length-prefixed UTF-16LE string (0x28 = 40 bytes = 20 characters in the hex above). The only non-built-in account in the hashdump is Rick (RID 1000), so:

Rick:MortyIsReallyAnOtter
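To check the lsadump output by hand rather than trusting the plugin's rendering, here is a small decoder for the two hex blobs printed above. This is an added example, not code from the original writeup or from Volatility. It assumes the layout visible in the dump (4-byte little-endian length, 12 further header bytes, then the secret, zero-padded to 16 bytes) and the documented DPAPI_SYSTEM format (4-byte version, 20-byte machine key, 20-byte user key). The two hex strings are copied from the output above.

```python
"""Decode the DefaultPassword and DPAPI_SYSTEM secrets from windows.lsadump hex output.

Added example, not part of the original writeup or of Volatility. Layout assumed:
4-byte LE length, 12 more header bytes, `length` bytes of secret, zero padding.
"""
import struct

# Hex columns copied from the lsadump output above.
DEFAULT_PASSWORD_HEX = (
    "28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
    "4d 00 6f 00 72 00 74 00 79 00 49 00 73 00 52 00 65 00 61 00 "
    "6c 00 6c 00 79 00 41 00 6e 00 4f 00 74 00 74 00 65 00 72 00 "
    "00 00 00 00 00 00 00 00"
)
DPAPI_SYSTEM_HEX = (
    "2c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
    "01 00 00 00 36 9b ba a9 55 e1 92 82 09 e0 63 4c 20 74 63 14 "
    "9e d8 a0 4b 45 87 5a e4 bc f2 77 a5 25 3f 47 12 0b e5 4d a5 "
    "c8 35 cf dc 00 00 00 00"
)

HEADER_LEN = 16  # 4-byte length + 12 header bytes precede the secret data


def secret_payload(hex_dump: str) -> bytes:
    """Return the `length` bytes of secret that follow the 16-byte header."""
    raw = bytes.fromhex(hex_dump)
    if len(raw) < HEADER_LEN:
        raise ValueError("blob shorter than the 16-byte header")
    (length,) = struct.unpack_from("<I", raw, 0)
    if HEADER_LEN + length > len(raw):
        raise ValueError(f"declared length {length} exceeds blob size {len(raw)}")
    return raw[HEADER_LEN:HEADER_LEN + length]


def decode_default_password(hex_dump: str) -> str:
    """DefaultPassword is the autologon account's plaintext password, UTF-16LE."""
    return secret_payload(hex_dump).decode("utf-16-le")


def decode_dpapi_system(hex_dump: str) -> dict:
    """DPAPI_SYSTEM = version (DWORD) + machine key (20 bytes) + user key (20 bytes)."""
    payload = secret_payload(hex_dump)
    if len(payload) != 44:
        raise ValueError(f"unexpected DPAPI_SYSTEM length {len(payload)}, want 44")
    (version,) = struct.unpack_from("<I", payload, 0)
    return {
        "version": version,
        "machine_key": payload[4:24].hex(),
        "user_key": payload[24:44].hex(),
    }


if __name__ == "__main__":
    print("DefaultPassword:", decode_default_password(DEFAULT_PASSWORD_HEX))
    keys = decode_dpapi_system(DPAPI_SYSTEM_HEX)
    print("DPAPI_SYSTEM version", keys["version"])
    print("  machine key:", keys["machine_key"])
    print("  user key:   ", keys["user_key"])
```

The DPAPI_SYSTEM keys are worth keeping from a forensic image: the user key is what offline DPAPI tooling needs to unwrap domain or local users' masterkeys, and the machine key does the same for SYSTEM-scoped blobs.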

Step 3: Local Network

After running windows.netscan we find a lot of references to a local IP address:

vol3 -f dump.vmem windows.netscan
# Volatility 3 Framework 2.8.0
# Offset Proto LocalAddr LocalPort ForeignAddr ForeignPort State PID Owner Created

# 0x7d42ba90 TCPv4 - 0 56.219.196.26 0 CLOSED 2836 BitTorrent.exe N/A
# 0x7d60f010 UDPv4 0.0.0.0 1900 * 0  2836 BitTorrent.exe 2018-08-04 19:27:17.000000 UTC
# 0x7d6124d0 TCPv4 192.168.202.131 49530 77.102.199.102 7575 CLOSED 708 LunarMS.exe -
# ...

Let's do some bash magic to count the IP addresses in the netscan output (saved to netscan.csv). This counts every dotted quad in every column, so the 0.0.0.0 wildcard and the foreign addresses show up too; the machine's own address is the most frequent one that is neither the wildcard nor loopback:

grep -Eoh "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" netscan.csv | sort | uniq -c | sort -n
# ...
#       1 99.251.199.160
#       2 104.18.20.226
#       2 122.62.218.159
#       2 56.219.196.26
#       2 72.55.154.81
#       2 77.126.30.221
#       4 23.37.43.27
#       6 127.0.0.1
#      52 192.168.202.131
#      62 0.0.0.0
  • What was the IP address of the machine on the local network?

192.168.202.131
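The grep above works, but it mixes local and foreign columns. As an added example (not from the original writeup or from Volatility), here is a parser for the windows.netscan table that counts only the LocalAddr column, skips the wildcard and loopback, and also lists the remote endpoints per process, which is what Step 4 needs. The sample rows are the ones shown above; note that UDP rows print no State, so their columns shift left and the parser has to compensate.

```python
"""Pick the local IP and the per-process remote endpoints out of windows.netscan output.

Added example, not part of the original writeup or of Volatility.
"""
from collections import Counter, defaultdict

# Constructed sample: header plus rows copied from the netscan output above.
SAMPLE_NETSCAN = """\
Offset Proto LocalAddr LocalPort ForeignAddr ForeignPort State PID Owner Created
0x7d42ba90 TCPv4 - 0 56.219.196.26 0 CLOSED 2836 BitTorrent.exe N/A
0x7d60f010 UDPv4 0.0.0.0 1900 * 0  2836 BitTorrent.exe 2018-08-04 19:27:17.000000 UTC
0x7d6124d0 TCPv4 192.168.202.131 49530 77.102.199.102 7575 CLOSED 708 LunarMS.exe -
0x7e413a40 TCPv4 - 0 - 0 CLOSED 708 LunarMS.exe -
"""

# Values that are not a real host address.
NON_HOST_ADDRS = {"-", "*", "0.0.0.0", "127.0.0.1", "::", "::1"}


def parse_netscan(text):
    """Yield one dict per connection row; tolerates the empty State column of UDP rows."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 9 or not f[0].startswith("0x"):
            continue  # header, progress output, blank lines
        if f[1].startswith("UDP"):
            f.insert(6, "")  # UDP rows have no State, so re-align the columns
        yield {
            "proto": f[1], "local_addr": f[2], "local_port": f[3],
            "foreign_addr": f[4], "foreign_port": f[5], "state": f[6],
            "pid": int(f[7]), "owner": f[8],
        }


def local_ip(text):
    """Most frequent LocalAddr that is a real host address, or None if there is none."""
    counts = Counter(r["local_addr"] for r in parse_netscan(text)
                     if r["local_addr"] not in NON_HOST_ADDRS)
    return counts.most_common(1)[0][0] if counts else None


def foreign_endpoints(text):
    """Map each process name to the set of remote ip:port it had a socket to."""
    peers = defaultdict(set)
    for r in parse_netscan(text):
        if r["foreign_addr"] not in NON_HOST_ADDRS:
            peers[r["owner"]].add(f"{r['foreign_addr']}:{r['foreign_port']}")
    return dict(peers)


if __name__ == "__main__":
    print("local IP:", local_ip(SAMPLE_NETSCAN))
    for owner, eps in sorted(foreign_endpoints(SAMPLE_NETSCAN).items()):
        print(f"{owner}: {', '.join(sorted(eps))}")
```

Feed it the full plugin output (vol3 ... windows.netscan > netscan.txt) and the process-to-peer map immediately shows which processes had any remote contact at all, which is the question asked in Step 4.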

Step 4: Internet

Using the information from step 3 and the output of other plugins such as windows.pstree, let's examine the processes that stand out.

LunarMS

LunarMS seems to be a private server/launcher for the game MapleStory; in the pstree the process lives under:

\Device\HarddiskVolume1\Nexon\MapleStory\LunarMS.exe

LunarMS had one process contacting 77.102.199.102:7575:

0x7d6124d0 TCPv4 192.168.202.131 49530 77.102.199.102 7575 CLOSED 708 LunarMS.exe -
0x7e413a40 TCPv4 - 0 - 0 CLOSED 708 LunarMS.exe -
0x7e521b50 TCPv4 - 0 - 0 CLOSED 708 LunarMS.exe -

Let's dump the process's executable and check it on VirusTotal:

vol3 -f dump.vmem windows.dumpfiles --pid 708

VirusTotal: 33/67 engines flag the dumped executable.

This could be it… It checks all the boxes, but let's keep looking.

Rick And Morty

This one doesn't appear in the netscan, only in the pstree:

* 3820 2728 Rick And Morty 0xfa801b486b30 4 185 1 True 2018-08-04 19:32:55.000000 UTC N/A \Device\HarddiskVolume1\Torrents\Rick And Morty season 1 download.exe "C:\Torrents\Rick And Morty season 1 download.exe"  C:\Torrents\Rick And Morty season 1 download.exe
** 3720 3820 vmware-tray.exe 0xfa801a4c5b30 8 147 1 True 2018-08-04 19:33:02.000000 UTC N/A \Device\HarddiskVolume1\Users\Rick\AppData\Local\Temp\RarSFX0\vmware-tray.exe "C:\Users\Rick\AppData\Local\Temp\RarSFX0\vmware-tray.exe"  C:\Users\Rick\AppData\Local\Temp\RarSFX0\vmware-tray.exe

Let's take a look at the Rick And Morty season 1 download.exe process:

vol3 -f dump.vmem windows.dumpfiles --pid 3820

VirusTotal: 1/67.

VMware Tray

As the pstree above shows, the aptly named Rick And Morty season 1 download.exe (PID 3820) spawns a child process vmware-tray.exe (PID 3720) from C:\Users\Rick\AppData\Local\Temp\RarSFX0\, the temp folder a WinRAR self-extracting archive unpacks into.

vol3 -f dump.vmem windows.dumpfiles --pid 3720

VirusTotal: 55/70.

Rick And Morty season 1 download.exe doesn't directly call out to any IP in windows.netscan; on that basis alone LunarMS would look like the culprit, but Rick And Morty started vmware-tray.exe, which VirusTotal identifies as known malware.

  • Was the malware communicating with a remote server? If yes, what was the IP address of the server?

No. If it did, it happened before the snapshot and was not captured: vmware-tray.exe has no socket in the netscan and its strings contain no IP address. The same holds for Rick And Morty season 1 download.exe: nothing in the netscan, nothing in the strings.

Step 5: The Process

  • One process in particular should catch your attention: which one? You should dump both the binary of the process, and its runtime memory!

vmware-tray.exe (PID 3720), executed by Rick And Morty season 1 download.exe (PID 3820); both its binary and its memory are dumped in Step 8.

Step 6: The Malware

  • What kind of malware is it?

From VirusTotal: ransomware.msil/hiddentear, HiddenTear is the first open source ransomware, created for educational purposes by Utku Sen.

  • It looks like the bad guys use a payment address, what is it?

BTC Wallet address we found via a strings dump: 1MmpEmebJkqXG8nQv4cjJSmxZQFVmFo63M

Step 7: The Root Cause

  • We now want to understand how we got infected…

Via BitTorrent.exe: the user torrented Rick and Morty season 1 download.exe, probably expecting the episodes themselves.

Windows hides known file extensions by default, so the file showed up as plain Rick and Morty season 1 download; unless one pays attention to the icon (which the attacker can change as well), double-clicking runs the payload which, judging by the RarSFX0 extraction folder, is a self-extracting archive that unpacked vmware-tray.exe, the ransomware, and ran it.

It demands 0.16 BTC to decrypt the users files. (The memory dump is dated from August 2018, so 0.16 BTC was about 600 EUR)

Step 8: The Key

We can dumpfiles pid 3720 and get the .exe.img of vmware-tray.exe to start reverse engineering it:

vol3 -f dump.vmem windows.dumpfiles --pid 3720

⚠️ Obviously don't run malware on your main machine!

⚠️ Even for educational purposes, use a separate, well-isolated virtualised lab; for a quick look at dynamic behaviour an online sandbox such as any.run also works.

Renaming the dump to .exe and opening it in a .NET decompiler such as dotPeek, we see the following methods:

{
    string password = this.CreatePassword(15);                      // random 15-character key
    string location = this.userDir + this.userName + "\\Desktop\\"; // only the Desktop is targeted
    this.SendPassword(password);
    this.encryptDirectory(location, password);
    this.messageCreator();                                          // writes the ransom note
}

public void SendPassword(string password)
{
    // Decompiler output: the string is built but never sent anywhere;
    // no HTTP request remains in this sample.
    this.computerName + "-" + this.userName + " " + password;
}

So the string COMPUTERNAME-USERNAME password was built in the process's memory even though it was never sent; let's dump the process memory and grep for it:

vol3 -f dump.vmem windows.memmap --pid 3720 --dump

strings -el pid.3720.dmp | grep "WIN-LO6FAF3DTFE-Rick"
# WIN-LO6FAF3DTFE-Rick aDOBofVYUNVnmp7
  • Find the decryption key

aDOBofVYUNVnmp7

Step 9: Get the flag

The hidden-tear repo has a hidden-tear-decrypter directory with a second project that decrypts the files. Let's build and run it on Windows with Visual Studio.

Looking through the filescan we find the encrypted file:

vol3 -f dump.vmem windows.filescan
# WARNING  volatility3.framework.layers.vmware: No metadata file found alongside VMEM file. A VMSS or VMSN file may be required to correctly process a VMEM file. These should be placed in the same directory with the same file name, e.g. dump.vmem and dump.vmss.
# 0x7e410890      \Users\Rick\Desktop\Flag.txt

Let's download it:

vol3 -f dump.vmem windows.dumpfiles --pid 3720 --physaddr 0x7e410890

Then we run the decrypter. We had to patch its AES_Decrypt function with a try/catch to keep it from crashing for no apparent reason. We place Flag.txt on the Desktop, since hidden-tear-decrypter only processes that folder, and rename it to Flag.txt.locked, the extension the decrypter looks for. And we get the flag!
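Steps 8 and 9 can be reproduced without Visual Studio. The following added example (not code from the writeup or from the hidden-tear project) first carves the "COMPUTERNAME-USERNAME password" string out of a memory dump in both ASCII and UTF-16LE (the -el encoding strings used above), then derives the AES key and IV the way the public hidden-tear source does: SHA-256 of the password, PBKDF2-HMAC-SHA1 with the fixed salt 1..8 and 1000 iterations, key = first 32 bytes, IV = the next 16. Those constants are assumptions taken from the upstream source, not read from this sample; forks change them, so compare against the decompiled AES_Decrypt before trusting the result. The memory buffer is constructed to stand in for pid.3720.dmp.

```python
"""Carve the HiddenTear key string from process memory and derive AES-256-CBC key/IV.

Added example, not code from the original writeup or the hidden-tear project.
Salt and iteration count are assumptions taken from upstream hidden-tear.
"""
import hashlib
import re

COMPUTER_NAME = "WIN-LO6FAF3DTFE"
USER_NAME = "Rick"
PASSWORD_LEN = 15                          # CreatePassword(15) in the decompiled code
SALT = bytes([1, 2, 3, 4, 5, 6, 7, 8])     # assumption: upstream hidden-tear salt
ITERATIONS = 1000                          # assumption: upstream hidden-tear count

# Constructed stand-in for pid.3720.dmp: junk, the tag in UTF-16LE, more junk,
# the same tag in ASCII (both encodings occur in .NET process memory).
TAG = f"{COMPUTER_NAME}-{USER_NAME} aDOBofVYUNVnmp7"
SAMPLE_DUMP = (b"\x00" * 37 + TAG.encode("utf-16-le") + b"\xffGARBAGE\x00"
               + TAG.encode("ascii") + b"\x00" * 11)


def carve_passwords(dump: bytes, computer: str, user: str, pw_len: int = PASSWORD_LEN):
    """Return each distinct password following '<computer>-<user> ' in either encoding."""
    prefix = f"{computer}-{user} "
    found = []
    for enc in ("ascii", "utf-16-le"):
        pat = re.escape(prefix.encode(enc))
        # Password characters are printable and non-space; in UTF-16LE each is followed by \x00.
        char = rb"(?:[\x21-\x7e]\x00)" if enc == "utf-16-le" else rb"[\x21-\x7e]"
        for m in re.finditer(pat + b"(" + char + b"{%d})" % pw_len, dump):
            pw = m.group(1).decode(enc)
            if pw not in found:
                found.append(pw)
    return found


def hidden_tear_key_iv(password: str):
    """AES-256 key and CBC IV as hidden-tear's AES_Encrypt/AES_Decrypt derive them."""
    pw_hash = hashlib.sha256(password.encode("utf-8")).digest()  # EncryptFile hashes the password first
    derived = hashlib.pbkdf2_hmac("sha1", pw_hash, SALT, ITERATIONS, dklen=48)
    return derived[:32], derived[32:48]  # key.GetBytes(32) then key.GetBytes(16)


if __name__ == "__main__":
    for pw in carve_passwords(SAMPLE_DUMP, COMPUTER_NAME, USER_NAME):
        key, iv = hidden_tear_key_iv(pw)
        print(f"password {pw}\n  key {key.hex()}\n  iv  {iv.hex()}")
        print(f"  openssl enc -d -aes-256-cbc -K {key.hex()} -iv {iv.hex()} "
              f"-in Flag.txt.locked -out Flag.txt")
```

With the key and IV in hand the .locked file can be decrypted with any AES-CBC tool (the openssl command printed above works because .NET's default PKCS7 padding is what openssl expects); a padding error at that point almost always means the sample uses a different salt, iteration count or pre-hash than upstream.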

(screenshot: decrypted flag)

  • Decrypt the files and get the final flag

CTF{Im_Th@_B3S7_RicK_0f_Th3m_4ll}