*Category: Endpoint Forensics*
*Difficulty: Easy*
*https://cyberdefenders.org/blueteam-ctf-challenges/ramnit/*
![[Ramnit.jpg]]
Scenario:
Our intrusion detection system has alerted us to suspicious behavior on a workstation, pointing to a likely malware intrusion. A memory dump of this system has been taken for analysis. Your task is to analyze this dump, trace the malware’s actions, and report key findings. This analysis is critical in understanding the breach and preventing further compromise.
Ramnit was an easy and straightforward lab that starts with determining the malicious process and ends with us isolating the file and blocking its associated domains. Let's get started!
Q1: We need to identify the process responsible for this suspicious behavior. What is the name of the suspicious process?
First I needed to list the processes that were running when the memory dump was taken. I can do this using the Volatility 3 toolset.
```
python3 vol.py -f /root/cydef/ramit/memory.dmp windows.pslist
```
![[pslist.PNG]]
I scanned through every single process and everything seemed legitimate; I verified each one and couldn't find a clue. So I changed gears and ran the pstree plugin, hoping the parent/child relationships would give me a better lead.
```
python3 vol.py -f /root/cydef/ramit/memory.dmp windows.pstree
```
![[pstree.PNG]]
I skimmed through the data and found something a bit more interesting. There was a process running out of the user "Alex"'s Downloads folder, and its parent process was explorer.exe. This seemed odd, so it made sense to continue the investigation there.
Answer: ChromeSetup.exe
Q2: To eradicate the malware, what is the exact file path of the process executable?
Answer: C:\\Users\\alex\\Downloads\\ChromeSetup.exe
Q3: Identifying network connections is crucial for understanding the malware's communication strategy. What is the IP address it attempted to connect to?
Now that we have a PID of 4628 for the malicious process, tracking down its activity should be much easier. We can use this PID to identify any outbound communications using the netscan plugin.
```
python3 vol.py -f /root/cydef/ramit/memory.dmp windows.netscan | grep "4628"
```
![[netscan.PNG]]
Looking at the data, we can see that the IP 58.64.204.181 sent a SYN flag to this process.
Answer: 58.64.204.181
Q4: To pinpoint the geographical origin of the attack, which city is associated with the IP address the malware communicated with?
We can use an online IP geolocation lookup to see where this IP is located.
![[HongKong.PNG]]
This process should not be reaching out to this location. This only further confirms we have found the malicious process. But we won't know exactly what we are dealing with without extracting this file and checking its hash in VirusTotal.
Answer: Hong Kong
Q5: Hashes provide a unique identifier for files, aiding in detecting similar threats across machines. What is the SHA1 hash of the malware's executable?
Let's dump that file and get its hash for testing.
```
python3 vol.py -f /root/cydef/ramit/memory.dmp -o /root/cydef/ramit windows.dumpfile --pid 4628
```
I checked my output directory, and I got the PE! I can confirm this by running binwalk on the .dat file.
```
binwalk file.0xca82b85325a0.0xca82b83c7770.DataSectionObject.*************.exe.dat
```
![[binwalk.PNG]]
Now I just need the hash.
```
sha1sum file.0xca82b85325a0.0xca82b83c7770.DataSectionObject.*************.exe.dat
```
Answer: b9921cc2bfe3b43e457cdbc7d82b849c66f119cb
Q6: Understanding the malware's development timeline can offer insights into its deployment. What is the compilation timestamp of the malware?
Before I check for this information, I want to make sure that what I have is indeed malware. So I'll paste the hash into VirusTotal and see what comes back.
![[malware.PNG]]
Yup, it sure is.
Now that I'm sure it's malware, I can get the compilation timestamp by using the [pefile](https://github.com/erocarrera/pefile) Python library and reading the pefile.FILE_HEADER.TimeDateStamp field (seconds since the Unix epoch, UTC). I saved the following script as pe_checker.py and ran it.
```
# pe_checker.py
import pefile
import datetime

# The executable dumped from the process memory by windows.dumpfile
pe = pefile.PE('file.0xca82b85325a0.0xca82b83c7770.DataSectionObject.**************.exe.dat')

# TimeDateStamp in the COFF file header is seconds since the Unix epoch (UTC)
timestamp = pe.FILE_HEADER.TimeDateStamp
readable_timestamp = datetime.datetime.fromtimestamp(
    timestamp, tz=datetime.timezone.utc
).strftime('%Y-%m-%d %H:%M:%S')
print(f'Compilation Timestamp: {readable_timestamp}')
```
```
python3 pe_checker.py
```
Answer: Compilation Timestamp: 2019-12-01 08:36:04
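To show where that timestamp actually lives in the file, here is an added example (not part of the original write-up) that walks the PE headers by hand instead of relying on pefile: DOS header, e_lfanew, the "PE\0\0" signature, then the COFF file header whose third field is TimeDateStamp. It also computes the SHA1 used in Q5 and flags a zeroed stamp, which some builds deliberately scrub. The header bytes are constructed inline for demonstration and are not the real sample; the timestamp value is chosen to match the one found above.

```python
import hashlib
import struct
from datetime import datetime, timezone
from typing import Optional

def pe_compile_timestamp(data: bytes) -> Optional[int]:
    """Return the raw COFF TimeDateStamp of a PE image, or None if the headers are invalid."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    # e_lfanew at offset 0x3C gives the file offset of the "PE\0\0" signature
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]

def format_timestamp(ts: int) -> str:
    """Render the stamp as UTC; a zero stamp means the linker scrubbed it (e.g. reproducible builds)."""
    if ts == 0:
        return "unset (0)"
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")

def sha1_hex(data: bytes) -> str:
    """Same value sha1sum would print for the dumped file."""
    return hashlib.sha1(data).hexdigest()

def build_sample_pe(timestamp: int) -> bytes:
    """Constructed, header-only PE image used as offline sample input (not a real executable)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature right after the DOS header
    # Machine=i386, 3 sections, the timestamp, no symbols, optional header size, characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 3, timestamp, 0, 0, 0xE0, 0x102)
    return bytes(dos) + b"PE\0\0" + coff

if __name__ == "__main__":
    sample = build_sample_pe(1575189364)  # constructed: 2019-12-01 08:36:04 UTC
    ts = pe_compile_timestamp(sample)
    print(f"SHA1: {sha1_hex(sample)}")
    print(f"Compilation Timestamp: {format_timestamp(ts)}")
```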
Q7: Identifying domains involved with this malware helps in blocking future malicious communications and identifying current possible communications with that domain in our network. Can you provide the domain related to the malware?
Now we can isolate any domains associated with this malware. This information is in VirusTotal.
![[domains.PNG]]
Answer: dnsnb8.net
Congrats on saving the day! And thank you for reading and/or following along. Please check out some other write-ups of mine! Happy Hunting!