Boogeyman 2

After having a severe attack from the Boogeyman, Quick Logistics LLC improved its security defences. However, the Boogeyman returns with new and improved tactics, techniques and procedures.

In this room, you will be tasked to analyse the new tactics, techniques, and procedures (TTPs) of the threat group named Boogeyman.

Prerequisites

This room may require the combined knowledge gained from the SOC L1 Path. We recommend going through the following rooms before attempting this challenge.

Artefacts

For the investigation, you will be provided with the following artefacts:

  • Copy of the phishing email.

  • Memory dump of the victim's workstation.

You may find these files in the /home/ubuntu/Desktop/Artefacts directory.

Tools

The provided VM contains the following tools at your disposal:

  • Volatility - an open-source framework for extracting digital artefacts from volatile memory (RAM) samples.

vol -f memorydump.raw <plugin>
vol -f memorydump.raw -h

Note: Volatility may take a few minutes to parse the memory dump and run the plugin. For plugin reference, check the Volatility 3 documentation.

  • Olevba - a tool for analysing and extracting VBA macros from Microsoft Office documents. This tool is also a part of the Oletools suite.

olevba document.doc

Spear Phishing Human Resources

The Boogeyman is back!

Maxine, a Human Resource Specialist working for Quick Logistics LLC, received an application for one of the open positions in the company. Unbeknownst to her, the attached resume was malicious and compromised her workstation.

The security team was able to flag some suspicious commands executed on the workstation of Maxine, which prompted the investigation. Given this, you are tasked to analyse and assess the impact of the compromise.

1) What email was used to send the phishing email?

Answer: westaylor23@outlook.com

2) What is the email of the victim employee?

3) What is the name of the attached malicious document?

Answer: Resume_WesleyTaylor.doc

4) What is the MD5 hash of the malicious attachment?

Answer: 52c4384a0b9e248b95804352ebec6c5b

5) What URL is used to download the stage 2 payload based on the document's macro?

I used olevba to extract the information from the Resume_WesleyTaylor.doc document.

Answer: https://files.boogeymanisback.lol/aa2a9c53cbb80416d3b47d85538d9971/update.png

6) What is the name of the process that executed the newly downloaded stage 2 payload?

Answer: wscript.exe

7) What is the full file path of the malicious stage 2 payload?

Answer: C:\ProgramData\update.js

8) What is the PID of the process that executed the stage 2 payload?

Let’s use the raw file, which is the memory dump of the victim machine. I used windows.psscan to retrieve the processes.

Answer: 4260

9) What is the parent PID of the process that executed the stage 2 payload?

vol -f WKSTN-2961.raw windows.pstree

Answer: 1124

10) What URL is used to download the malicious binary executed by the stage 2 payload?

Answer: https://files.boogeymanisback.lol/aa2a9c53cbb80416d3b47d85538d9971/update.exe

11) What is the PID of the malicious process used to establish the C2 connection?

vol -f WKSTN-2961.raw windows.pstree

Answer: 6216

12) What is the full file path of the malicious process used to establish the C2 connection?

I used the following command to view the original command line of the executable file, which shows its full file path and execution details.

vol -f WKSTN-2961.raw windows.cmdline | grep 6216

Answer: C:\Windows\Tasks\updater.exe

13) What is the IP address and port of the C2 connection initiated by the malicious binary? (Format: IP address:port)

vol -f WKSTN-2961.raw windows.netscan | grep updater.exe

Answer: 128.199.95.189:8080

14) What is the full file path of the malicious email attachment based on the memory dump?

vol -f WKSTN-2961.raw windows.cmdline | grep doc

Answer: C:\Users\maxine.beck\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\WQHGZCFI\Resume_WesleyTaylor (002).doc

15) The attacker implanted a scheduled task right after establishing the C2 callback. What is the full command used by the attacker to maintain persistent access?

strings WKSTN-2961.raw | grep schtasks

Answer: schtasks /Create /F /SC DAILY /ST 09:00 /TN Updater /TR 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NonI -W hidden -c "IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp HKCU:\Software\Microsoft\Windows\CurrentVersion debug).debug)))"'
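As an added example (not part of the original writeup), the following Python script shows how a defender can triage strings-style output from a memory image for scheduled-task persistence of this kind: it pulls out every `schtasks /Create` command, flags the indicators seen in the answer above (hidden window, non-interactive, IEX, base64 decoding, payload read from the registry), and decodes a registry value the way the task's PowerShell does. The input lines and the registry value are constructed samples, not the real contents of WKSTN-2961.raw, whose `debug` value the room does not reproduce.

```python
import base64
import re

# Constructed sample, modelled on `strings WKSTN-2961.raw | grep schtasks` output.
SAMPLE_STRINGS = r"""C:\Windows\Tasks\updater.exe
schtasks /Create /F /SC DAILY /ST 09:00 /TN Updater /TR 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NonI -W hidden -c "IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp HKCU:\Software\Microsoft\Windows\CurrentVersion debug).debug)))"'
schtasks /Query /TN Updater
svchost.exe -k netsvcs
"""

# Task name after /TN, quoted action after /TR (the quote char is captured so the
# action may contain the other quote type, as the real command does).
SCHTASKS_CREATE = re.compile(
    r"schtasks\s+/Create\b.*?/TN\s+(\S+).*?/TR\s+(['\"])(.+?)\2", re.I)

# Indicators inside the /TR action that a defender should treat as suspicious.
SUSPICIOUS = {
    "hidden_window": re.compile(r"-W(?:indowStyle)?\s+hidden", re.I),
    "non_interactive": re.compile(r"-NonI\b", re.I),
    "iex": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "base64": re.compile(r"FromBase64String", re.I),
    "registry_payload": re.compile(r"\b(?:gp|Get-ItemProperty)\s+HKCU:", re.I),
}


def find_suspicious_tasks(text):
    """Return (task_name, action, sorted indicator names) for each flagged schtasks /Create."""
    hits = []
    for line in text.splitlines():
        m = SCHTASKS_CREATE.search(line)
        if not m:
            continue
        name, _, action = m.groups()
        flags = sorted(k for k, rx in SUSPICIOUS.items() if rx.search(action))
        if flags:
            hits.append((name, action, flags))
    return hits


def decode_registry_payload(value):
    """Decode a value as the task does: base64 -> UTF-16LE ([Text.Encoding]::UNICODE) text."""
    return base64.b64decode(value).decode("utf-16-le")


if __name__ == "__main__":
    for name, action, flags in find_suspicious_tasks(SAMPLE_STRINGS):
        print(f"task {name}: {', '.join(flags)}")
    # Constructed stand-in for the HKCU ...\CurrentVersion debug 'debug' value.
    sample = base64.b64encode("Write-Host 'constructed stage'".encode("utf-16-le")).decode()
    print(decode_registry_payload(sample))
```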
