Lumma C2

Last updated 3 months ago

Task:

Subject: Urgent Investigation Required – Potential Security Incident

We require your assistance in an urgent security investigation. While this may sound unusual, please hear us out.

Our CTO was watching a football match between Juventus and PSV when he encountered a pop-up advertisement claiming that he had won a signed jersey from Samuel Mbangula, who scored the winning goal. The advertisement directed him to a website where he was asked to complete a CAPTCHA. However, the ad turned out to be fraudulent.

Following this interaction, our SIEM triggered alerts related to:

  • Defense Evasion

  • Persistence

The alerts were generated on February 17, 2025, at approximately 15:00 PM Cairo Time. Unfortunately, we do not have additional detection rules in place, so you will need to work with the available data.

Additional details:

  • The malicious URL contained a reference to "cat", but we do not recall the full address.

  • An attempt was made to analyze the malware, but initial execution only resulted in a blank Command Prompt window, making it unclear whether it is functional or a false positive.

  • A suspicious text file named "don't read me please, I will hack you if u open this text.txt" was found in the same directory. It has not been opened for security reasons, and we advise against opening it.

We need you to investigate the URL, its functionalities, and the malware behavior, then document your findings. Let us know if you require any further details.

For more information about Lumma C2:

Solution

First, we need to adjust the timeline to cover the period from 14:30 to 16:30, ensuring our analysis focuses on the timeframe when the incident occurred.

Next, we aim to identify the URL the victim visited to watch the match, as well as the URL to which they were redirected after clicking on the advertisement.

http OR https

I obtained 134 events, so I will refine the filters further to narrow down the results. Based on the URL above, the fake CAPTCHA instructs users to open the Windows Run window by pressing Windows + R, paste the clipboard content using CTRL + V, and press ENTER to execute it. This action triggers a command that infects the system. To investigate further, I will filter for PowerShell activity to identify any relevant events.

(http OR https) AND *powershell*

Let's refine the results further.

(http OR https) AND *powershell* AND powershell.command.name: "Invoke-WebRequest"

Invoke-WebRequest is a PowerShell cmdlet that sends HTTP requests (GET, POST, etc.) to web pages or APIs. It retrieves content, downloads files, or interacts with web services, and returns the response data such as status codes, headers, or body content.

Here is what the attacker did:

  • Downloads a file from the URL hxxps[://]files[.]catbox[.]moe/edhauf[.]zip.

  • Saves it to the desktop as I am Arthur Morgan.zip.

Let's apply a filter for "I am Arthur Morgan.zip" to analyze the available data.

"I am Arthur Morgan.zip"

After downloading and renaming the ZIP file, the attacker proceeded with the following actions:

  • Extracted the downloaded file to a folder named "A legitimate software" on the desktop.

  • Executed a file (pretty_normal_file_x64.exe) from the extracted folder.

Now, let's filter the logs using the specified file name and Event ID 4688 to analyze the processes created by this file upon execution.

*pretty_normal_file_x64.exe* AND event.code: 4688 AND event.action: "created-process"

Let's include the CommandLine column and sort the results from oldest to newest.

Let's break down the attacker's actions step by step.

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  • C:\Windows\system32\conhost.exe: The Console Host is responsible for managing command-line interfaces (Command Prompt, PowerShell) and displaying their output in a window.

  • 0xffffffff: This is a handle (a unique identifier) passed to conhost.exe. In this case, 0xffffffff is a special value that typically means "invalid handle."

  • -ForceV1: This flag forces conhost.exe to use Console API Version 1 instead of the newer Version 2, which might be done to avoid newer security features. Note that "conhost.exe 0xffffffff -ForceV1" is also the command line Windows itself uses to start the console host for any console application, so this event on its own is expected noise; the PowerShell commands that follow are what matter.

Set-MpPreference -DisableRealtimeMonitoring $true
  • This command disables Windows Defender's real-time protection, which means that Windows Defender will no longer actively scan files and processes for malware as they are accessed or executed.

Set-MpPreference -DisableBehaviorMonitoring $true
  • Turns off behavior monitoring, which watches for suspicious activities.

  • Disabling behavior monitoring allows malware, privilege escalation scripts, and post-exploitation tools to run undetected.

Set-MpPreference -DisableBlockAtFirstSeen $true
  • Turns off Block at First Sight, a feature that blocks new and unknown threats.

  • Block at First Sight automatically blocks files the first time they are encountered if they are suspected to be malicious, even before a signature is available.

Set-MpPreference -DisableIOAVProtection $true
  • Tells Microsoft Defender Antivirus to turn off its scanning of files downloaded from the internet and email attachments. In other words, it disables the “IOAV protection” feature.

Set-MpPreference -DisablePrivacyMode $true
  • This command tells Defender to turn off its “privacy mode” feature. In privacy mode, Defender may limit or mask certain details in its logs, notifications, or telemetry in order to protect sensitive information. By running

Set-MpPreference -MAPSReporting 0
  • Disables Microsoft Active Protection Service (MAPS), which sends data about detected threats to Microsoft for analysis and improved protection.

Set-MpPreference -SubmitSamplesConsent 2
  • Sets the sample submission consent to 2, which means "never send samples." This prevents Microsoft Defender from sending suspicious files to Microsoft for analysis.

Set-MpPreference -DisableIntrusionPreventionSystem $true
  • Turns off the Intrusion Prevention System (IPS), which blocks network-based attacks.

Set-MpPreference -DisableScriptScanning $true
  • Turns off script scanning, which scans scripts (e.g., PowerShell, JavaScript) for malicious code.

The attacker then created a scheduled task named "what_a_rat" that executes the program pretty_normal_file_x64.exe located in C:\Users\Public\Desktop\A legitimate software\ every time a user logs on, with the highest privileges.
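An added detection example, not part of the original write-up: a small Python classifier run over constructed 4688 command lines shaped like the ones above. It tags the Set-MpPreference tampering as Defense Evasion and the logon scheduled task as Persistence, the two alert categories the task mentions. The ECS-style field names (process.command_line, process.name, @timestamp) and the sample events are assumptions; the schtasks line is reconstructed from the description of the "what_a_rat" task, not copied from the logs.

```python
import re

# Set-MpPreference switches that each turn off one Defender layer (all seen in this incident's 4688 lines).
DISABLE_SWITCHES = ("DisableRealtimeMonitoring", "DisableBehaviorMonitoring", "DisableBlockAtFirstSeen",
                    "DisableIOAVProtection", "DisablePrivacyMode", "DisableIntrusionPreventionSystem",
                    "DisableScriptScanning")
# Numeric settings whose values mean "send nothing to Microsoft's cloud protection".
CLOUD_OPT_OUT = {"MAPSReporting": "0", "SubmitSamplesConsent": "2"}

def classify_command(cmdline):
    """Tag one 4688 command line; an empty list means nothing matched."""
    tags = []
    if re.search(r"Set-MpPreference", cmdline, re.I):
        for switch in DISABLE_SWITCHES:  # accepts "$true" and the numeric "1" PowerShell also takes
            if re.search(rf"-{switch}\s+(\$true|1)\b", cmdline, re.I):
                tags.append(f"defense_evasion:{switch}")
        for name, value in CLOUD_OPT_OUT.items():
            if re.search(rf"-{name}\s+{value}\b", cmdline, re.I):
                tags.append(f"defense_evasion:{name}={value}")
    # A task created with a logon trigger and the highest run level is the persistence pattern.
    if re.search(r"schtasks(\.exe)?\s+/create", cmdline, re.I):
        task = re.search(r'/tn\s+"?([^\s"]+)', cmdline, re.I)
        if re.search(r"/sc\s+onlogon", cmdline, re.I) and re.search(r"/rl\s+highest", cmdline, re.I):
            tags.append(f"persistence:logon_task:{task.group(1) if task else '?'}")
    return tags

def hunt(events):
    """Run classify_command over ECS-style created-process events; return (time, process, tags) hits."""
    hits = []
    for event in events:
        if event.get("event.code") != 4688:
            continue
        tags = classify_command(event.get("process.command_line", ""))
        if tags:
            hits.append((event["@timestamp"], event.get("process.name"), tags))
    return hits

# Constructed sample events shaped like this incident's command lines (not real log exports).
SAMPLE_EVENTS = [
    {"@timestamp": "2025-02-17T13:01:10Z", "event.code": 4688, "process.name": "conhost.exe",
     "process.command_line": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"@timestamp": "2025-02-17T13:01:12Z", "event.code": 4688, "process.name": "powershell.exe",
     "process.command_line": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"@timestamp": "2025-02-17T13:01:13Z", "event.code": 4688, "process.name": "powershell.exe",
     "process.command_line": "powershell.exe Set-MpPreference -MAPSReporting 0"},
    {"@timestamp": "2025-02-17T13:01:20Z", "event.code": 4688, "process.name": "schtasks.exe",
     "process.command_line": 'schtasks /create /tn what_a_rat /tr "C:\\Users\\Public\\Desktop\\'
                             'A legitimate software\\pretty_normal_file_x64.exe" /sc onlogon /rl highest'},
]
```

Calling hunt(SAMPLE_EVENTS) skips the conhost line and returns three hits, two tagged defense_evasion and one persistence; the same matching logic can be expressed as a Splunk or Elastic rule on the command-line field.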

To exfiltrate the victim's data, the attacker compressed the files within the Temp folder of the local user and transmitted them to a malicious website: "hxxp[://]callosallsaospz[.]shop/upload".

The path C:\Users\LOCALU~1\AppData\Local\Temp\ is the Temp folder of the user LOCALUSER (LOCALU~1 is the 8.3 short name of the profile directory). Programs store temporary files there, which is why attackers target it for sensitive data; it commonly holds:

  • Downloaded files (e.g., updates, documents, or media).

  • Cache files (e.g., browser cache, application cache).

  • Logs or debug information.

Let's download the edhauf.zip file and extract its contents to analyze any additional data it may contain.

I have obtained the attacker's Twitter handle. Let's access their Twitter account for further investigation.

The attacker is most likely a script kiddie: he lacks technical skills (he was unable to encrypt the files) and he reveals his X/Twitter handle.

https://www.netskope.com/blog/lumma-stealer-fake-captchas-new-techniques-to-evade-detection