IR 372: Investigating a PUP with Velociraptor (25 pts + 15 extra)

What You Need for This Project

Purpose

To infect a Windows machine with a simple malware sample, and investigate the infection from a Linux Velociraptor server.

Task 1: Infecting the Windows Machine

This sample simulates a PUP (Potentially Unwanted Program).

Execute the steps below on your Windows machine.

Disable Windows Defender

If you are using our private cloud machines, skip this section.
Defender is already disabled.

1. Next to the Start button, search for "Defender". Open "Windows Security settings" or "Windows Defender settings".
2. Click "Virus & threat protection".
3. Under "Virus & threat protection settings", click "Manage settings".
4. Turn off "Tamper Protection".
5. Under Exclusions, click "Add or remove exclusions". Click "Add an exclusion", Folder. Double-click C:\. Click "Select Folder". At the top left, click the back-arrow.
6. Turn off "Cloud-delivered protection" and "Automatic sample submission".

Install the PUP

1. Download this file: https://samsclass.info/152/proj/pup4.zip
2. Right-click pup4.zip. Click "Extract All...". Click Extract. Use the password "malware".
3. Run pup4\pup4\pup4.exe as administrator
4. Move pup4\pup4\pup4message.exe to C:\
5. Delete pup4.zip and the pup4 folder. Empty the Recycle Bin.
6. Restart your machine. If an "Open File - Security Warning" box pops up, uncheck the "Always ask before opening this file" box and click Run. 7. An irritating message pops up, as shown below.

ATT&CK Techniques

This simulated PUP infection demonstrates these ATT&CK techniques:

T1204.002: User Execution: Malicious File
T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1562.001: Impair Defenses: Disable or Modify Tools

Task 2: Investigating the Incident with Velociraptor

Connecting to the Client

You should have a Linux machine with Velociraptor installed, with the Windows machine as a client.

In the Velociraptor GUI, at the top center, click the "Show All" button.

Click your client's Client ID, which appears in blue text, as shown below.

Using Autoruns

At the top center, click the Collected button.

At the top left, click the plus-sign, outlined in green in the image below.

Use the search box to find this collector, as shown below.

Windows.Sysinternals.Autoruns

Launch the collector with the default parameters.

It finds a lot of records: 1341 when I did it.

Download a CSV by clicking the button outlined in green in the image below.

IR 372.1: Run Key (10 pts)

Open the CSV with Notepad and find the Run key used to launch PUP4message.exe.

The flag is covered by a green rectangle in the image below.

IR 372.2: MD5 of EXE (5 pts)

Launch this collector:
Windows.System.Pslist
Find the MD5 hash of the EXE used to launch the process.

The flag is covered by a green rectangle in the image below.

IR 372.3: Process Memory (10 pts)

The purpose of this step is to verify that the "pup4message" process is actually creating the pop-up message.

Launch this collector:

Windows.Triage.ProcessMemory
Acquire the memory of the PUP's process. Move the DMP to Debian for safe analysis. Extract the Unicode strings containing "BAD".

To install strings, execute these commands:

auso apt update
sudo apt install binutils -y
The flag is covered by a green rectangle in the image below.

IR 372.4: Yara (5 pts)

The purpose of this step is to see if other EXE files on the target computer are also involved.

Launch this collector:

Windows.Detection.Yara.NTFS
Find all EXE files containing the Unicode string "PWNED". For Unicode, use the keyword "wide".

The flag is covered by a green rectangle in the image below.

Task 3: Remediation

Opening the Shell from Velociraptor

In the Velociraptor GUI, at the top of the left side-bar, click the Home icon.

At the top center, click the "Show All" button.

Click your client's Client ID, which appears in blue text.

At the top right, click the Shell button.

IR 372.5: Remediation (5 pts)

The purpose of this step is to remove the malware from the client.

Launch these commands, one at a time:

TASKKILL /FI "IMAGENAME eq pup4message.exe"

reg delete HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run /v PUP4 /f

del c:\pup4message.exe

Click the "eye" icons to see the results of the commands.

The flag is covered by a green rectangle in the image below.

IR 372.6: Remediation (5 pts)

The purpose of this step is to remove the malware from the client.

Look at the Windows client. The pop-up message is still there! The Velociraptor shell doesn't seem to work for this purpose.

On the Windows client, in an Administrator Command Prompt, execute these commands, one at a time:

TASKKILL /FI "IMAGENAME eq pup4message.exe"

reg delete HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run /v PUP4 /f

del c:\pup4message.exe

Click the "eye" icons to see the results of the commands.

The flag is covered by a green rectangle in the image below.

Posted 7-30-2021