# Boogeyman 2

In this room, you will be tasked to analyse the new tactics, techniques, and procedures (TTPs) of the threat group named Boogeyman.

#### Prerequisites

This room may require the combined knowledge gained from the [SOC L1](https://tryhackme.com/path-action/soclevel1/join) Path. We recommend going through the following rooms before attempting this challenge.

* [Phishing Analysis Fundamentals](https://tryhackme.com/room/phishingemails1tryoe)
* [Phishing Analysis Tools](https://tryhackme.com/room/phishingemails3tryoe)
* [Boogeyman 1](https://tryhackme.com/room/boogeyman1)
* [Volatility](https://tryhackme.com/room/volatility)

#### Artefacts

For the investigation, you will be provided with the following artefacts:

* Copy of the phishing email.
* Memory dump of the victim's workstation.

You may find these files in the /home/ubuntu/Desktop/Artefacts directory.

#### Tools

The provided VM contains the following tools at your disposal:

* Volatility - an [open-source framework](https://github.com/volatilityfoundation/volatility3) for extracting digital artefacts from volatile memory (RAM) samples.

```
vol -f memorydump.raw <plugin>
vol -f memorydump.raw -h
```

Note: Volatility may take a few minutes to parse the memory dump and run the plugin. For plugin reference, check the Volatility 3 [documentation](https://volatility3.readthedocs.io/en/latest/volatility3.plugins.html).

* Olevba - a tool for analysing and extracting VBA macros from Microsoft Office documents. This tool is also a part of the [Oletools suite](https://github.com/decalage2/oletools).

```
olevba document.doc
```

### Spear Phishing Human Resources

#### The Boogeyman is back!

Maxine, a Human Resource Specialist working for Quick Logistics LLC, received an application from one of the open positions in the company. Unbeknownst to her, the attached resume was malicious and compromised her workstation.

The security team was able to flag some suspicious commands executed on the workstation of Maxine, which prompted the investigation. Given this, you are tasked to analyse and assess the impact of the compromise.

1\) What email was used to send the phishing email?

<figure><img src="/files/fzin4XQ13ufe9d2Xp5Hz" alt=""><figcaption></figcaption></figure>

Answer: <westaylor23@outlook.com>

2\) What is the email of the victim employee?

<figure><img src="/files/u2SYjh8e71fw8e11QS4z" alt=""><figcaption></figcaption></figure>

3\) What is the name of the attached malicious document?

<figure><img src="/files/tXY1SzxKZDBMrDmNF1Rc" alt=""><figcaption></figcaption></figure>

Answer: Resume\_WesleyTaylor.doc

4\) What is the MD5 hash of the malicious attachment?

<figure><img src="/files/GM4L3m2J2Vn63xAVIZNZ" alt=""><figcaption></figcaption></figure>

Answer: 52c4384a0b9e248b95804352ebec6c5b

5\) What URL is used to download the stage 2 payload based on the document's macro?

I used olevba to extract the information from the Resume\_WesleyTaylor.doc document.

<figure><img src="/files/6S9tngJas4u3vQ4V301q" alt=""><figcaption></figcaption></figure>

Answer: <https://files.boogeymanisback.lol/aa2a9c53cbb80416d3b47d85538d9971/update.png>

6\) What is the name of the process that executed the newly downloaded stage 2 payload?

Answer: wscript.exe

7\) What is the full file path of the malicious stage 2 payload?

Answer: C:\ProgramData\update.js

8\) What is the PID of the process that executed the stage 2 payload?

Let’s use the raw file, which is the memory dump of the victim machine. I used windows.psscan to retrieve the processes.

<figure><img src="/files/SdpiBHwWvoFWKU9GzuYD" alt=""><figcaption></figcaption></figure>

Answer: 4260

9\) What is the parent PID of the process that executed the stage 2 payload?

```
vol -f WKSTN-2961.raw windows.pstree
```

<figure><img src="/files/qGw6BUbxkbbSY3S6PjGu" alt=""><figcaption></figcaption></figure>

Answer: 1124

10\) What URL is used to download the malicious binary executed by the stage 2 payload?

Answer: <https://files.boogeymanisback.lol/aa2a9c53cbb80416d3b47d85538d9971/update.exe>

11\) What is the PID of the malicious process used to establish the C2 connection?

```
vol -f WKSTN-2961.raw windows.pstree
```

<figure><img src="/files/BEON28cqNMEYbrUjrbRx" alt=""><figcaption></figcaption></figure>

Answer: 6216

12\) What is the full file path of the malicious process used to establish the C2 connection?

I used the following command to view the original command line of the executable, which shows its full file path and execution details.

```
vol -f WKSTN-2961.raw windows.cmdline | grep 6216
```

<figure><img src="/files/R6i9OYJDjnaHLYT18s2K" alt=""><figcaption></figcaption></figure>

Answer: C:\Windows\Tasks\updater.exe

13\) What is the IP address and port of the C2 connection initiated by the malicious binary? (Format: IP address:port)

```
vol -f WKSTN-2961.raw windows.netscan | grep updater.exe
```

<figure><img src="/files/aObXDl2jccNrqLmVlGO2" alt=""><figcaption></figcaption></figure>

Answer: 128.199.95.189:8080

14\) What is the full file path of the malicious email attachment based on the memory dump?

```
vol -f WKSTN-2961.raw windows.cmdline | grep doc
```

<figure><img src="/files/KXnUt9PnNuOcKkJ0ABXl" alt=""><figcaption></figcaption></figure>

Answer: C:\Users\maxine.beck\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\WQHGZCFI\Resume\_WesleyTaylor (002).doc

15\) The attacker implanted a scheduled task right after establishing the C2 callback. What is the full command used by the attacker to maintain persistent access?

```
strings WKSTN-2961.raw | grep schtasks
```

<figure><img src="/files/fcj9qMCrY9RpUpe9LbhV" alt=""><figcaption></figcaption></figure>

Answer: schtasks /Create /F /SC DAILY /ST 09:00 /TN Updater /TR 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NonI -W hidden -c "IEX (\[Text.Encoding]::UNICODE.GetString(\[Convert]::FromBase64String((gp HKCU:\Software\Microsoft\Windows\CurrentVersion debug).debug)))"'
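The scheduled task above hides its real payload in a registry value and decodes it at run time, so a responder needs to know which key to pull from the host and how to reverse the `UNICODE.GetString(FromBase64String(...))` step. The following triage script is an added example and not part of the original room or writeup: it parses the recovered schtasks command, flags the suspicious PowerShell switches, locates the registry value that hosts the payload, and decodes a constructed sample value (the real value was not recovered on this page).

```python
import base64
import re

# Scheduled-task command recovered from the memory dump (the page's answer to the
# persistence question, with the markdown escaping removed).
SCHTASKS_CMD = (
    "schtasks /Create /F /SC DAILY /ST 09:00 /TN Updater /TR "
    "'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NonI -W hidden -c "
    "\"IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String("
    "(gp HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion debug).debug)))\"'"
)

# Constructed stand-in for the registry value: UTF-16LE "Write-Host 'hi'" in base64.
# It is NOT the real payload from the dump; it only exercises the decoding path.
SAMPLE_REG_VALUE = "VwByAGkAdABlAC0ASABvAHMAdAAgACcAaABpACcA"

# Detection patterns for the PowerShell action string (case-insensitive).
INDICATORS = {
    "hidden_window": r"-W(?:indowStyle)?\s+hidden",
    "non_interactive": r"-NonI(?:nteractive)?\b",
    "invoke_expression": r"\bIEX\b|Invoke-Expression",
    "base64_decode": r"FromBase64String",
    "registry_hosted_payload": r"\(gp\s+HK\w+:[^)]*\)\.\w+",
}


def parse_schtasks(cmd: str) -> dict:
    """Pull the scheduling switches and the single-quoted /TR action out of schtasks /Create."""
    info = {"force": "/F" in cmd.split()}
    for switch in ("SC", "ST", "TN"):
        m = re.search(rf"/{switch}\s+(\S+)", cmd)
        info[switch.lower()] = m.group(1) if m else None
    m = re.search(r"/TR\s+'([^']*)'", cmd)
    info["action"] = m.group(1) if m else None
    return info


def registry_payload_location(action: str):
    """Return (key, value_name) read by a Get-ItemProperty (gp) call, or None."""
    m = re.search(r"gp\s+(HK\w+:[^\s)]+)\s+(\w+)\)\.(\w+)", action)
    return (m.group(1), m.group(3)) if m else None


def flag_indicators(action: str) -> list:
    return [name for name, pat in INDICATORS.items() if re.search(pat, action, re.IGNORECASE)]


def decode_unicode_b64(value: str) -> str:
    """Reverse [Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String(x))."""
    return base64.b64decode(value).decode("utf-16-le")


def triage(cmd: str) -> dict:
    info = parse_schtasks(cmd)
    info["indicators"] = flag_indicators(info["action"] or "")
    info["payload_location"] = registry_payload_location(info["action"] or "")
    return info


if __name__ == "__main__":
    print(triage(SCHTASKS_CMD))
    print(decode_unicode_b64(SAMPLE_REG_VALUE))
```

On a live host the same decoder applies to any `-EncodedCommand` argument, since PowerShell uses the same UTF-16LE base64 convention there.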
