IR 372: Investigating a PUP with Velociraptor (40 pts)

What You Need for This Project

Purpose

To infect a Windows machine with a simple malware sample, and investigate the infection from a Linux Velociraptor server.

Task 1: Infecting the Windows Machine

This sample simulates a PUP (Potentially Unwanted Program).

Execute the steps below on your Windows machine.

Disable Windows Defender

If you are using our private cloud machines, skip this section.
Defender is already disabled.

1. Next to the Start button, search for "Defender". Open "Windows Security settings" or "Windows Defender settings".
2. Click "Virus & threat protection".
3. Under "Virus & threat protection settings", click "Manage settings".
4. Turn off "Tamper Protection".
5. Under Exclusions, click "Add or remove exclusions". Click "Add an exclusion", Folder. Double-click C:\. Click "Select Folder". At the top left, click the back-arrow.
6. Turn off "Cloud-delivered protection" and "Automatic sample submission".

Install the PUP

Note: this malware sample uses "Microsoft Visual C++ 2015 Redistributable Update 3 RC". If you are using the Windows machine with tools provided by your instructor, it is already installed. If you are using some other machine, search for that package, download the x86 version, and install it.

1. Download this file: https://samsclass.info/152/proj/pup4.zip
2. Right-click pup4.zip. Click "Extract All...". Click Extract. Use the password "malware".
3. Run pup4\pup4\pup4.exe as administrator
4. Move pup4\pup4\pup4message.exe to C:\
5. Delete pup4.zip and the pup4 folder. Empty the Recycle Bin.
6. Restart your machine. If an "Open File - Security Warning" box pops up, uncheck the "Always ask before opening this file" box and click Run.
7. An irritating message pops up, as shown below.

ATT&CK Techniques

This simulated PUP infection demonstrates these ATT&CK techniques:

T1204.002: User Execution: Malicious File
T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1562.001: Impair Defenses: Disable or Modify Tools

Task 2: Investigating the Incident with Velociraptor

Connecting to the Client

You should have a Linux machine with Velociraptor installed, with the Windows machine as a client.

In the Velociraptor GUI, at the top left, click the down-arrow next to the search box. Click "Show All".

Click your client's Client ID, which appears in green text, as shown below.

Using Autoruns

At the top center, click the Collected button.

At the top left, click the plus-sign, outlined in green in the image below.

Use the search box to find this collector, as shown below.

Windows.Sysinternals.Autoruns

Launch the collector with the default parameters.

It finds a lot of records: 1341 when I did it.

Download a CSV by clicking the button outlined in red in the image below.

IR 372.1: Run Key (10 pts)

Open the CSV with Notepad and find the Run key used to launch PUP4message.exe.

The flag is covered by a green rectangle in the image below.
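Rather than scrolling through 1341 records in Notepad, the downloaded CSV can be triaged with a few lines of Python. This is an added example, not part of the project. The column names and rows are a constructed sample in the layout of an Autoruns export, so compare them with the header row of your own download; the Run key and entry name are the ones removed in the remediation task.

```python
import csv
import io

# Constructed sample in the layout of an Autoruns CSV export (column names assumed;
# check them against your own file). The MD5 column holds placeholders, not real hashes.
SAMPLE_CSV = r"""Time,Entry Location,Entry,Enabled,Category,Profile,Description,Company,Image Path,Version,Launch String,MD5
1/1/2021 12:00 AM,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,System-wide,Windows Security notification icon,Microsoft Corporation,c:\windows\system32\securityhealthsystray.exe,10.0,%windir%\system32\SecurityHealthSystray.exe,<md5 placeholder>
1/1/2021 12:00 AM,HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run,PUP4,enabled,Logon,System-wide,,,c:\pup4message.exe,,C:\pup4message.exe,<md5 placeholder>
1/1/2021 12:00 AM,HKLM\System\CurrentControlSet\Services,wuauserv,enabled,Services,System-wide,Windows Update,Microsoft Corporation,c:\windows\system32\svchost.exe,10.0,%systemroot%\system32\svchost.exe -k netsvcs,<md5 placeholder>
"""

def parse_autoruns_csv(text: str) -> list:
    """Parse the CSV text into one dict per autorun entry, keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))

def find_run_key_entries(rows: list, image_name: str) -> list:
    """Rows whose Entry Location is a Run or RunOnce key and whose Image Path or
    Launch String names image_name (case-insensitive)."""
    hits = []
    for row in rows:
        location = (row.get("Entry Location") or "").lower()
        if not location.endswith(("\\run", "\\runonce")):
            continue
        haystack = ((row.get("Image Path") or "") + " " + (row.get("Launch String") or "")).lower()
        if image_name.lower() in haystack:
            hits.append(row)
    return hits

if __name__ == "__main__":
    rows = parse_autoruns_csv(SAMPLE_CSV)
    for hit in find_run_key_entries(rows, "pup4message.exe"):
        print(hit["Entry Location"], "/v", hit["Entry"], "->", hit["Image Path"])
```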

IR 372.2: MD5 of EXE (5 pts)

Launch this collector:
Windows.System.Pslist
Find the MD5 hash of the EXE used to launch the process.

The flag is covered by a green rectangle in the image below.

IR 372.3: Process Memory (10 pts)

This one seems broken in Velociraptor version 7. Skip it.

The purpose of this step is to verify that the "pup4message" process is actually creating the pop-up message.

Launch this collector:

Windows.Memory.ProcessDump
Acquire the memory of the PUP's process. Move the DMP to Debian for safe analysis. Extract the Unicode strings containing "BAD".

To install strings, execute these commands:

sudo apt update
sudo apt install binutils -y

The flag is covered by a green rectangle in the image below.

IR 372.4: Yara (5 pts)

The purpose of this step is to see if other EXE files on the target computer are also involved.

Launch this collector:

Windows.Search.Yara
Find all EXE files containing the Unicode string "PWNED", as shown below.

The scan will take about one minute.

The flag is covered by a green rectangle in the image below.
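Both the process-memory step (Unicode strings containing "BAD") and the Yara step (EXE files containing the wide string "PWNED") look for the same thing: printable ASCII encoded as UTF-16LE, which is what `strings -e l` prints and what a YARA string with the `wide` modifier matches. The Python below is an added example, not part of the project or of Velociraptor; the dump region and the "files" are constructed byte strings, not real malware.

```python
import re

def utf16le_strings(data: bytes, min_len: int = 4) -> list:
    """Printable UTF-16LE runs (ASCII char followed by a NUL byte) of at least
    min_len characters, i.e. the strings `strings -e l` would print."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pattern.finditer(data)]

def find_wide_marker(data: bytes, marker: str) -> list:
    """The extracted wide strings that contain marker (e.g. "BAD" or "PWNED")."""
    return [s for s in utf16le_strings(data) if marker in s]

def is_pe(data: bytes) -> bool:
    """Cheap EXE check: a PE file starts with the 'MZ' DOS header magic."""
    return data[:2] == b"MZ"

def scan_exes_for_marker(files: dict, marker: str) -> list:
    """Names of the PE files whose wide strings contain marker: the question the
    Windows.Search.Yara step asks of the EXE files on the client."""
    return sorted(name for name, data in files.items()
                  if is_pe(data) and find_wide_marker(data, marker))

# Constructed samples (not real malware bytes): a fake dump region and fake files.
FAKE_DUMP = (
    b"MZ\x90\x00\x03\x00"                                      # fake PE header bytes
    + b"BAD as ANSI must not match\x01"                        # 8-bit string, ignored
    + "Hello from PUP4".encode("utf-16-le") + b"\x00\x00"       # wide, no marker
    + b"\xde\xad\xbe\xef"
    + "You have been PWNED, this is BAD".encode("utf-16-le") + b"\x00\x00"
    + b"\x7f\x00\x7f"
)
FAKE_FILES = {
    "c:\\pup4message.exe": FAKE_DUMP,
    "c:\\tools\\clean.exe": b"MZ" + "nothing to see".encode("utf-16-le"),
    "c:\\notes.txt": "PWNED but not an EXE".encode("utf-16-le"),
}

if __name__ == "__main__":
    # On Debian the equivalent for a real DMP is: strings -e l <file>.dmp | grep BAD
    for s in find_wide_marker(FAKE_DUMP, "BAD"):
        print("BAD string:", s)
    print("EXEs with PWNED:", scan_exes_for_marker(FAKE_FILES, "PWNED"))
```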

Task 3: Remediation

Opening the Shell from Velociraptor

In the Velociraptor GUI, at the top left, click the down-arrow next to the search box. Click "Show All".

Click your client's Client ID, which appears in green text.

At the top right, click the Shell button.

IR 372.5: Remediation (5 pts)

The purpose of this step is to remove the malware from the client.

Launch these commands, one at a time:

TASKKILL /FI "IMAGENAME eq pup4message.exe"

reg delete HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run /v PUP4 /f

del c:\pup4message.exe

Click the "eye" icons to see the results of the commands.

The flag is covered by a green rectangle in the image below.

IR 372.6: Remediation (5 pts)

The purpose of this step is to remove the malware from the client.

Look at the Windows client. The pop-up message is still there! The Velociraptor shell doesn't seem to work for this purpose.

On the Windows client, in an Administrator Command Prompt, execute these commands, one at a time:

TASKKILL /FI "IMAGENAME eq pup4message.exe"

reg delete HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run /v PUP4 /f

del c:\pup4message.exe

Click the "eye" icons to see the results of the commands.

The flag is covered by a green rectangle in the image below.

Posted 7-30-2021
Note about Microsoft Visual C++ 2015 Redistributable Update 3 RC added 10-30-21
Azure workaround added 11-4-21
Flag 4 instructions updated with warning about Velociraptor versions 10-24-22
Updated, warning added to flag 3 and removed from flag 4, 22-21-23
Video added 4-17-24