BOTSv1 Level 4: Analyzing a Ransomware Attack (180 pts)

BOTSv1 4.1: IP Address (5 pts)

What was the most likely IP address of we8105desk on 24AUG2016?

Hints:

  • Search for we8105desk -- you find 181,012 events.
  • Examine the source field -- there are 10 values.
  • Explore stream sources with protocols used in Active Directory logins.
  • Find events on that day and look at their IP addresses.

BOTSv1 4.2: Signature ID (5 pts)

Amongst the Suricata signatures that detected the Cerber malware, which one alerted the fewest number of times? Submit ONLY the signature ID value as the answer. (No punctuation, just 7 integers.)

Hints:

  • Search for Cerber -- you find 21,596 events.
  • Examine the source field -- there are 4 values.
  • Explore the source type associated with Suricata.
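One way to turn the hints above into a single search, as an added example that is not part of the original page: it counts Suricata alerts per signature and sorts ascending so the rarest signature is first. The index name `botsv1`, the sourcetype `suricata`, and the Suricata EVE fields `alert.signature_id` and `alert.signature` are assumptions; adjust them to match your environment.

```spl
index=botsv1 sourcetype=suricata event_type=alert cerber
| stats count by alert.signature_id, alert.signature
| sort count
| head 5
```

Because `sort count` is ascending by default, the first row is the signature that fired the fewest times; check the `alert.signature` text to confirm it is actually a Cerber rule and not a coincidental keyword match.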

BOTSv1 4.3: FQDN (15 pts)

What fully qualified domain name (FQDN) does the Cerber ransomware attempt to direct the user to at the end of its encryption phase?

Hints:

  • Examine the five Suricata alerts about Cerber. View them as "raw text" in time order.
  • Find a time delay and the domain lookup events after it. Note the latest time of those events.
  • Use the "Date time range" option of Search to narrow the time range to just a few seconds before the Suricata alert. Check to make sure you can still find the Suricata alerts. You may have to adjust the time by an hour or two to compensate for time zone differences.
  • Search all events in that small time range. Examine Suricata events. Look at dns-related fields.

BOTSv1 4.4: Suspicious Domain (15 pts)

What was the first suspicious domain visited by we8105desk on 24AUG2016?

Hints:

  • Find the Suricata events on that day. There are 86,579 of them.
  • Examine the src_ip field. Restrict your query to the desired value.
  • Examine the event_type field. Restrict your query to events that load Web pages. There are 38 of them.
  • Examine the hostnames visited. There are ten of them. Investigate them with Google and find the one that's known to be malicious.
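The procedure above (restrict to the day, the workstation's IP and the Web-page event type, then look at which hostname appears first) as one search; this is an added example, not part of the original page. It assumes index `botsv1`, sourcetype `suricata`, the Suricata EVE field `http.hostname`, and that you replace the placeholder `<IP_FROM_4.1>` with the address found in question 4.1.

```spl
index=botsv1 sourcetype=suricata src_ip=<IP_FROM_4.1> event_type=http
    earliest="08/24/2016:00:00:00" latest="08/25/2016:00:00:00"
| stats earliest(_time) as first_seen, count by http.hostname
| convert ctime(first_seen)
| sort first_seen
```

The `earliest`/`latest` modifiers are interpreted in the search head's time zone, so widen them by an hour or two if the expected events do not appear, as the hints for 4.3 note.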

BOTSv1 4.5: VB Script (15 pts)

During the initial Cerber infection a VB script is run. The entire script from this execution, pre-pended by the name of the launching .exe, can be found in a field in Splunk. What is the name of the first function defined in the VB script?

Hints:

  • Search for events with both a filename extension for VB script and an .exe extension. There are 16 of them.
  • Examine the body field. Find the malicious one.

BOTSv1 4.6: Field Length (15 pts)

During the initial Cerber infection a VB script is run. The entire script from this execution, pre-pended by the name of the launching .exe, can be found in a field in Splunk. What is the length in characters of the value of this field?

Hint:

  • Find the length of the Splunk field, not the length of the script itself. This may be helpful.
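The distinction the hint makes (length of the Splunk field value, not of the script inside it) can be measured directly with `eval` and the `len()` function, as in this added example, which is not part of the original page. It assumes index `botsv1` and that the script is stored in the `body` field named in question 4.5.

```spl
index=botsv1 .vbs .exe
| eval field_len=len(body)
| table _time, host, field_len, body
| sort - field_len
```

`len()` counts every character of the field value, including the pre-pended .exe name and any whitespace, which is exactly what the question asks for.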

BOTSv1 4.7: USB key (15 pts)

What is the name of the USB key inserted by Bob Smith?

Hints:

  • Read about the USBSTOR key here.
  • The image looks better here.

BOTSv1 4.8: Server Name (5 pts)

Bob Smith's workstation (we8105desk) was connected to a file server during the ransomware outbreak. What is the domain name of the file server?

Hints:

  • Search for cerber's filename extension to find the time of the outbreak.
  • Search for the name of the workstation. View the host values. Find a likely server name. View those events to verify that they were at the correct time.

BOTSv1 4.9: IP Address (15 pts)

Bob Smith's workstation (we8105desk) was connected to a file server during the ransomware outbreak. What is the IP address of the file server?

Hints:

  • Search for the server's name. Examine the source of those events. Look for source types that record raw network data and would therefore include IP addresses.

BOTSv1 4.10: PDFs (20 pts)

How many distinct PDFs did the ransomware encrypt on the remote file server?

Hints:

  • Search for .pdf.
  • Restrict your search to the suspicious app.
  • Find all unique filenames. Remove filenames outside the time range of the attack.

BOTSv1 4.11: Process ID (15 pts)

The VB script found above launches 121214.tmp. What is the ParentProcessId of this initial launch?

Hints:

  • Search for 121214.tmp -- you find 190 events.
  • Examine the EventDescription field and focus on the one most closely related to the question.
  • Examine the earliest event.

BOTSv1 4.12: Text Files (15 pts)

The Cerber ransomware encrypts files located in Bob Smith's Windows profile. How many .txt files does it encrypt?

Hints:

  • Find all events including .txt and find the path to Bob's Windows profile.
  • Add Bob's Windows profile path to the search. To search for a backslash, enter two backslashes.
  • Examine the file paths and remove the ones outside Bob's profile.

BOTSv1 4.13: File Name (15 pts)

The malware downloads a file that contains the Cerber ransomware cryptor code. What is the name of that file?

Hints:

  • Search for HTTP downloads from the Cerber-related domain you found in question 4.4.
  • The filename has a surprising extension. Research that filename outside Splunk to verify that it's related to Cerber.

BOTSv1 4.14: Obfuscation (10 pts)

Now that you know the name of the ransomware's encryptor file, what obfuscation technique does it likely use?

Hints:

  • Research the file using online resources, outside Splunk, to find this.

Posted 10-30-20