IR 374: Investigating a Two-Stage RAT with Velociraptor (35 pts)

What You Need for This Project

Purpose

To infect a Windows machine with a simple malware sample, and investigate the infection from a Linux Velociraptor server.

Task 1: Installing Sysmon on the Windows Machine

Connecting to the Client

You should have a Linux machine with Velociraptor installed, with the Windows machine as a client.

In the Velociraptor GUI, at the top center, click the "Show All" button.

Click your client's Client ID, which appears in blue text, as shown below.

Installing Sysmon

Launch this collector to install Sysmon on the client:
Windows.Sysinternals.SysmonInstall

Task 2: Installing 7-zip on the Windows Machine

In Firefox, go to

https://7-zip.org/

Download and install the 64-bit version of 7-Zip.

Task 3: Infecting the Windows Machine

This sample disables Windows Defender and Windows Firewall, downloads a second stage, and runs a bind shell listening on port 444.

Execute the steps below on your Windows machine.

Install the Malware

1. Download this file, using Edge (NOT Firefox): https://samsclass.info/152/proj/pup5.zip
2. Right-click pup5.zip. Click "Extract All...". Click Extract. Use the password "malware".
3. In the "pup5" folder, right-click pup5.bat and click "Run as Administrator". If a box pops up saying "Windows protected your PC", click "More info" and "Run anyway". Bypass any other warnings.

Task 4: Investigating the Incident with Velociraptor

IR 374.1: Auditing Network Connections (5 pts)

Launch this collector, with no parameter changes.
Windows.Network.Netstat
The flag is the port the "shellbind" process is listening on, covered by a green rectangle in the image below.

IR 374.2: Auditing Autoruns (10 pts)

Launch this collector, with no parameter changes.
Windows.Sysinternals.Autoruns
There are more than 1000 results.

Use the buttons outlined in red in the image below to get the results in a form that allows you to search for shellbind.

The flag is the path to the "shellbind.exe" file, covered by a green rectangle in the image below.

IR 374.3: Creation Time (5 pts)

Note: you must first find the path in 374.2

Launch this collector:

Windows.System.PowerShell
In "Configure Parameters", enter a PowerShell command that lists the contents of the folder containing the "shellbind.exe" file.

That folder contains two files, with different timestamps. Find the more recent timestamp, outlined in red in the image below. This is the time of the attack, which will be helpful when examining logs later. Note that a PowerShell directory listing reports the client's local time, while Velociraptor's own forensic artifacts (such as the Prefetch times in the next flag) report UTC, so allow for the time-zone offset when you compare them.

The flag is covered by a green rectangle in the image below.

IR 374.4: Prefetch (5 pts)

Launch this collector:
Windows.Forensics.Prefetch
In "Configure Parameters", enter a "binaryRegex" of shellbind.exe

Note the LastRunTimes, in red font in the image below. This is the time of the attack, which will be helpful when examining logs later. I ran it twice, so I have two run times--you will only have one time.

The flag is covered by a green rectangle in the image below.
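As an added local cross-check for flags 374.1 through 374.4 (example code written for this page, not part of the original project, and not a substitute for the collectors the flags are graded on), the script below reproduces the same evidence from an elevated PowerShell prompt on the infected Windows machine, or pasted as the command for the Windows.System.PowerShell collector, which runs it under the client service's account. It assumes the running process is named shellbind.exe, as the Netstat result shows, and that Prefetch is enabled on the VM; $Name is a variable introduced here for convenience.

```powershell
# Added example, not from the original project page: local cross-check of
# flags 374.1 to 374.4. Assumes the process is named shellbind.exe and that
# Prefetch is enabled. Run elevated, or through Windows.System.PowerShell.

$Name = 'shellbind'
$ErrorActionPreference = 'SilentlyContinue'

$procs = @(Get-Process -Name $Name)
if ($procs.Count -eq 0) { throw "No running process named $Name.exe; check Netstat/Autoruns first" }

# 374.1: listening sockets owned by the process (what Windows.Network.Netstat reports).
"== Listening ports for $Name =="
Get-NetTCPConnection -State Listen |
    Where-Object { $procs.Id -contains $_.OwningProcess } |
    Select-Object LocalAddress, LocalPort, OwningProcess |
    Format-Table -AutoSize

# 374.2: on-disk path of the image. This cross-checks the Autoruns path but does
# not tell you HOW it persists; the Autoruns collector still answers that.
$image = ($procs | Where-Object Path | Select-Object -First 1).Path
if (-not $image) { throw "Could not read the image path; run from an elevated prompt" }
"== Image path: $image =="

# 374.3: directory listing with creation times. A plain 'dir' prints LastWriteTime
# in the client's local zone; the flag asks for creation time, and Velociraptor's
# own timestamps (Prefetch, event logs) are UTC, so list both columns in UTC.
$folder = Split-Path -Parent $image
"== Files in $folder (UTC) =="
Get-ChildItem -LiteralPath $folder -Force |
    Select-Object Name, Length, CreationTimeUtc, LastWriteTimeUtc |
    Sort-Object CreationTimeUtc |
    Format-Table -AutoSize

# 374.4: Prefetch. The .pf file is rewritten about ten seconds after each launch,
# so its LastWriteTime approximates the most recent run; the full LastRunTimes
# list lives inside the file and needs a parser such as Windows.Forensics.Prefetch.
"== Prefetch files for $Name (UTC) =="
Get-ChildItem -Path "$env:SystemRoot\Prefetch\$($Name.ToUpper()).EXE-*.pf" -Force |
    Select-Object Name, CreationTimeUtc, LastWriteTimeUtc |
    Format-Table -AutoSize
```

If the Prefetch section prints nothing, check the EnablePrefetcher value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters; some VM images ship with application prefetching turned off, in which case the Windows.Forensics.Prefetch collector will also come back empty.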

IR 374.5: Sysmon Logs (10 pts)

Launch this collector to collect the sysmon event logs:
Windows.EventLogs.Evtx
Use these parameters:
  • PathRegex sysmon
  • Restrict the time to the time of the event you found in the last two flags, plus or minus five minutes.
Scroll through the results to find the process-creation event shown below, logged when you ran the "pup5.bat" file.

Look through the events after that one until you find the event shown below, which was used to extract and decrypt the shellcode.

The flag is covered by a green rectangle in the image below.
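The same search done locally with Get-WinEvent, as an added example that is not part of the original project: it pulls the Sysmon log for the attack window, finds the process-creation event for pup5.bat, and then follows the process tree that the batch file spawned, which is where the stage that unpacks and decodes the payload shows up. $AttackTime and $WindowMinutes are variables introduced here; the date assigned to $AttackTime is a placeholder, not the flag, and must be replaced with the UTC time you recovered in 374.3/374.4. Which of Sysmon Event IDs 3, 11 and 22 appear depends on the configuration SysmonInstall applied.

```powershell
# Added example, not from the original project page: the 374.5 Sysmon search
# done locally. Event ID 1 = process creation, 3 = network connection,
# 11 = file create, 22 = DNS query. Replace the PLACEHOLDER time below.

$AttackTime    = ([datetime]'2021-09-30T12:00:00Z').ToUniversalTime()   # PLACEHOLDER
$WindowMinutes = 5

function ConvertTo-SysmonRecord {
    # Flatten the EventData element of one Sysmon event into a simple object.
    param([System.Diagnostics.Eventing.Reader.EventLogRecord] $Event)
    $data = @{}
    foreach ($d in ([xml] $Event.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    # One "Target" column: file written, or destination ip:port, or DNS name
    $target = $data['TargetFilename']
    if (-not $target -and $data['DestinationIp']) {
        $target = "$($data['DestinationIp']):$($data['DestinationPort'])"
    }
    if (-not $target) { $target = $data['QueryName'] }
    [pscustomobject]@{
        TimeUtc           = $Event.TimeCreated.ToUniversalTime()
        Id                = $Event.Id
        ProcessId         = $data['ProcessId']
        ParentProcessId   = $data['ParentProcessId']
        Image             = $data['Image']
        CommandLine       = $data['CommandLine']
        ParentCommandLine = $data['ParentCommandLine']
        Target            = $target
    }
}

# Get-WinEvent filters in local time; the window is computed in UTC and converted.
$filter = @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    StartTime = $AttackTime.AddMinutes(-$WindowMinutes).ToLocalTime()
    EndTime   = $AttackTime.AddMinutes($WindowMinutes).ToLocalTime()
}
$records = Get-WinEvent -FilterHashtable $filter -ErrorAction Stop |
    ForEach-Object { ConvertTo-SysmonRecord $_ } |
    Sort-Object TimeUtc

# The process-creation event for the batch file: right-click > Run as administrator
# launches cmd.exe with pup5.bat on its command line.
$start = $records |
    Where-Object { $_.Id -eq 1 -and $_.CommandLine -match 'pup5\.bat' } |
    Select-Object -First 1
if (-not $start) { throw "No Sysmon Event ID 1 for pup5.bat between $($filter.StartTime) and $($filter.EndTime)" }
"pup5.bat ran at $($start.TimeUtc) UTC as PID $($start.ProcessId)"

# Follow descendants of that cmd.exe transitively (PID reuse inside a ten-minute
# window is unlikely but possible; sanity-check surprising entries by Image).
$tree = @($start.ProcessId)
foreach ($r in ($records | Where-Object { $_.Id -eq 1 -and $_.TimeUtc -ge $start.TimeUtc })) {
    if ($tree -contains $r.ParentProcessId) { $tree += $r.ProcessId }
}

# Everything those PIDs did after the launch: child processes, files written,
# connections and DNS lookups. Read the CommandLine column for the decode stage.
$records |
    Where-Object { $_.TimeUtc -ge $start.TimeUtc -and $tree -contains $_.ProcessId } |
    Select-Object TimeUtc, Id, ProcessId, Image, CommandLine, Target |
    Format-Table -Wrap
```

The Velociraptor GUI shows the same events, but walking the tree by ParentProcessId is faster than scrolling once Sysmon has logged other activity in the window, and it keeps you from stopping at the first interesting-looking child when the decode step is a grandchild.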

Remediation

In the same folder containing the pup5.bat file, there is a remover you can use. Run it as Administrator to remove the malware.

Posted 9-30-21