400 – Indicators of Compromise
Objectives
- Demonstrate skills related to creating IOCs from the threat from Challenge 303.
Background: For this challenge you will use the provided memory image identified as “Infected-Memory-Image”. You will analyze the threat more comprehensively, demonstrating your ability to create indicators of compromise (IOCs) for use by incident responders.
Questions
- What is the digital hash of the malware on the system?
- What is the malware?
- Develop a tailored YARA rule that will match the threat but not generate a lot of false positives on other Windows-based systems. You should provide a screenshot of the YARA rule or the text of the rule, not the rule file. It is recommended that you test the rule against an image you acquire from a Windows system so as to eliminate obvious false positives (such as including lsass.exe in the rule). *These are most likely not correct.*
- Develop another IOC for the indicators observed from the threat in any other IOC format of your choice (must be an existing IOC format). *I didn't get around to doing this. I think that I will try even though I'm no longer eligible for a reward. I like writing the YARA rules.*
Answers
- bddd4e2b84fa2ad61eb065e7797270ff
- Havex
- I put the answer in the description below. I tried my best with the knowledge and indicators that I have. Hopefully they are at least partially correct. I don’t have any experience with this at all.
- I’m currently researching OpenIOC. I’m submitting a partial submission right now because I’m running out of time. I am trying the Holiday Hack Challenge as well. Hopefully I have time to complete this.
Walkthrough (Show How You Got Your Answers)
1 & 2. From the 303 solution: My solution was simple. I found the name of the file that was being analyzed. The file name was bddd4e2b84fa2ad61eb065e7797270ff.exe. I first saw it in the filescan plugin output that I had saved, and I found it in the timeliner text file as well. That string of numbers and characters looked like the digital hash that was given to me in the last problem, so I uploaded it to VirusTotal. Sure enough, 35 out of 55 antivirus engines flagged it as malicious, and it looks like the Havex malware. (A 32-hex-character file name is the usual convention for naming a sample after its MD5, but the name is only a label; hashing the executable dumped from the image with procdump is what actually confirms the value.) To confirm my finding, I looked at the “netscan.txt” file that I made with Volatility. This is what I saw:
cat netscan.txt | grep "bddd4e2b84fa2a"
0x38c8dcf0 TCPv4 -:49926 172.16.192.214:12401 SYN_SENT 1976 bddd4e2b84fa2a
0x3a642a20 TCPv4 -:49928 172.16.192.164:12401 SYN_SENT 1976 bddd4e2b84fa2a
0x3a89d010 TCPv4 -:49924 172.16.192.14:12401 SYN_SENT 1976 bddd4e2b84fa2a
0x3accacf0 TCPv4 -:49926 172.16.192.214:12401 SYN_SENT 1976 bddd4e2b84fa2a
0x40942cf0 TCPv4 -:49926 172.16.192.214:12401 SYN_SENT 1976 bddd4e2b84fa2a
0x43770160 TCPv4 -:49927 172.16.192.64:12401 SYN_SENT 1976 bddd4e2b84fa2a
0x460ad350 TCPv4 -:49925 172.16.192.114:12401 SYN_SENT 1976 bddd4e2b84fa2a
0x59dba160 TCPv4 -:49927 172.16.192.64:12401 SYN_SENT 1976 bddd4e2b84fa2a
0x65f1da20 TCPv4 -:49928 172.16.192.164:12401 SYN_SENT 1976 bddd4e2b84fa2a
0x667e2cf0 TCPv4 -:49926 172.16.192.214:12401 SYN_SENT 1976 bddd4e2b84fa2a
0x7ce079f0 TCPv4 -:50258 172.16.192.214:44818 SYN_SENT 1976 bddd4e2b84fa2a
0x7d4e2ba0 TCPv4 -:50257 172.16.192.114:44818 SYN_SENT 1976 bddd4e2b84fa2a
0x7d613500 TCPv4 -:50260 172.16.192.164:44818 SYN_SENT 1976 bddd4e2b84fa2a
0x7f805cf0 TCPv4 -:50256 172.16.192.14:44818 SYN_SENT 1976 bddd4e2b84fa2a
0x7faa3180 TCPv4 -:50259 172.16.192.64:44818 SYN_SENT 1976 bddd4e2b84fa2a
So the process with PID 1976 (netscan's text output truncates the Owner column to 14 characters, which is why the name appears as bddd4e2b84fa2a) has a series of TCP connections stuck in the SYN_SENT state: the local side sent a SYN and never got a SYN/ACK back, which is what you see when a process probes hosts that are down, filtered, or not listening on that port. The targets are 172.16.192.14, .64, .114, .164 and .214, each tried first on port 12401 and then on port 44818. Port 12401 is used by the Interactive Graphical SCADA System (IGSS), which monitors and controls industrial processes. Port 44818 is used by EtherNet/IP, the CIP-based protocol spoken by Rockwell's RSLinx and compatible controllers. Both of these ports are among those probed by the Havex network scanning module. The repeated rows for the same connection (for example, :49926 to 172.16.192.214:12401 appears four times) are normal for netscan, which carves network objects out of pool memory and can find more than one copy of the same structure, so the count of distinct attempts is smaller than the number of lines.
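The table above can be reduced to the facts an incident responder actually needs (which process, which hosts, which ports, how many distinct attempts) with a few lines of Python. The script below is an added example, not part of the original write-up or of Volatility. Its sample input is the netscan rows shown above plus one constructed ESTABLISHED row for PID 4 as a control, so it runs offline; the scan heuristic (every connection still SYN_SENT, several distinct hosts, few ports) and the host-stride check are my own and are tuned to this output rather than a general-purpose detector.

```python
"""Summarize Volatility netscan output and flag processes whose connections look like scanning."""
from collections import defaultdict

# Rows copied from the grep of netscan.txt above (grep dropped the header row).
# netscan column order: Offset(P) Proto LocalAddr ForeignAddr State Pid Owner [Created]
NETSCAN_SAMPLE = """\
0x38c8dcf0 TCPv4 -:49926 172.16.192.214:12401 SYN_SENT 1976 bddd4e2b84fa2a
0x3a642a20 TCPv4 -:49928 172.16.192.164:12401 SYN_SENT 1976 bddd4e2b84fa2a
0x3a89d010 TCPv4 -:49924 172.16.192.14:12401 SYN_SENT 1976 bddd4e2b84fa2a
0x3accacf0 TCPv4 -:49926 172.16.192.214:12401 SYN_SENT 1976 bddd4e2b84fa2a
0x40942cf0 TCPv4 -:49926 172.16.192.214:12401 SYN_SENT 1976 bddd4e2b84fa2a
0x43770160 TCPv4 -:49927 172.16.192.64:12401 SYN_SENT 1976 bddd4e2b84fa2a
0x460ad350 TCPv4 -:49925 172.16.192.114:12401 SYN_SENT 1976 bddd4e2b84fa2a
0x59dba160 TCPv4 -:49927 172.16.192.64:12401 SYN_SENT 1976 bddd4e2b84fa2a
0x65f1da20 TCPv4 -:49928 172.16.192.164:12401 SYN_SENT 1976 bddd4e2b84fa2a
0x667e2cf0 TCPv4 -:49926 172.16.192.214:12401 SYN_SENT 1976 bddd4e2b84fa2a
0x7ce079f0 TCPv4 -:50258 172.16.192.214:44818 SYN_SENT 1976 bddd4e2b84fa2a
0x7d4e2ba0 TCPv4 -:50257 172.16.192.114:44818 SYN_SENT 1976 bddd4e2b84fa2a
0x7d613500 TCPv4 -:50260 172.16.192.164:44818 SYN_SENT 1976 bddd4e2b84fa2a
0x7f805cf0 TCPv4 -:50256 172.16.192.14:44818 SYN_SENT 1976 bddd4e2b84fa2a
0x7faa3180 TCPv4 -:50259 172.16.192.64:44818 SYN_SENT 1976 bddd4e2b84fa2a
"""
# Constructed control row (not from the image): an ordinary SMB session owned by System.
CONTROL_ROW = "0x3b1a2c10 TCPv4 172.16.192.50:49700 172.16.192.10:445 ESTABLISHED 4 System\n"
SAMPLE = NETSCAN_SAMPLE + CONTROL_ROW


def _port(s):
    # Listeners show "*" for the foreign port; keep that as None rather than failing.
    return int(s) if s.isdigit() else None


def parse_netscan(text):
    """Parse netscan text rows into dicts. Header, blank and unparsable lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7 or not parts[0].startswith("0x"):
            continue
        offset, proto, local, remote, state, pid, owner = parts[:7]
        laddr, lport = local.rsplit(":", 1)
        raddr, rport = remote.rsplit(":", 1)
        rows.append({"offset": offset, "proto": proto, "laddr": laddr, "lport": _port(lport),
                     "raddr": raddr, "rport": _port(rport), "state": state,
                     "pid": int(pid), "owner": owner})
    return rows


def _ip_key(ip):
    # Sort dotted quads numerically so .14 comes before .114.
    return tuple(int(o) for o in ip.split(".")) if ip.replace(".", "").isdigit() else (ip,)


def summarize(rows):
    """Per PID: dedupe identical connections (netscan carves pool memory and can return
    several copies of one structure), then collect remote hosts, ports and states."""
    conns, owner, raw = defaultdict(set), {}, defaultdict(int)
    for r in rows:
        conns[r["pid"]].add((r["proto"], r["laddr"], r["lport"], r["raddr"], r["rport"], r["state"]))
        owner[r["pid"]] = r["owner"]
        raw[r["pid"]] += 1
    return {pid: {"owner": owner[pid],
                  "raw_entries": raw[pid],
                  "unique_connections": len(cs),
                  "remote_hosts": sorted({c[3] for c in cs}, key=_ip_key),
                  "remote_ports": sorted({c[4] for c in cs if c[4] is not None}),
                  "states": sorted({c[5] for c in cs})}
            for pid, cs in conns.items()}


def host_stride(hosts):
    """Constant gap between consecutive last octets, or None. A fixed stride is a tell
    for a scanner walking a range rather than a client talking to chosen servers."""
    last = [int(h.split(".")[-1]) for h in hosts]
    gaps = {b - a for a, b in zip(last, last[1:])}
    return gaps.pop() if len(gaps) == 1 else None


def looks_like_scan(entry, min_hosts=3, max_ports=8):
    """Half-open fan-out: every connection still SYN_SENT, several hosts, only a few ports."""
    return (entry["states"] == ["SYN_SENT"]
            and len(entry["remote_hosts"]) >= min_hosts
            and len(entry["remote_ports"]) <= max_ports)


def flag_scanners(text):
    """PIDs in a netscan dump whose connection pattern matches looks_like_scan."""
    return sorted(pid for pid, e in summarize(parse_netscan(text)).items() if looks_like_scan(e))


if __name__ == "__main__":
    for pid, e in summarize(parse_netscan(SAMPLE)).items():
        print(pid, e["owner"], e["raw_entries"], "rows ->", e["unique_connections"], "connections;",
              "ports", e["remote_ports"], "hosts", e["remote_hosts"], "stride", host_stride(e["remote_hosts"]),
              "SCAN" if looks_like_scan(e) else "")
```

Run against the page's rows, PID 1976 collapses from 15 lines to 10 distinct attempts across five hosts with a stride of 50 on ports 12401 and 44818, and is the only PID flagged; the ESTABLISHED control row for PID 4 is not. The same parser works on the full netscan.txt, where the benign rows (svchost, browsers) give the baseline the heuristic is compared against.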
3.
// YARA rules that detect the Havex network scanning module.
// Caveat on the first rule: its strings are the stock UAC manifest (asInvoker) plus the
// linker's PADDINGXX filler, both of which are present in most MSVC-linked Windows
// executables, so on its own it is a weak discriminator. The ~tracedscn.yls path in
// Havex_File_Created is the indicator that is specific to the scanning module.
rule Havex_Network_Scanning_Module
{
    strings:
        $assemblyxmlns = "<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">" nocase wide ascii
        $trustinfoxmlns = "<trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">" nocase wide ascii
        $security = "<security>" nocase wide ascii
        $requestedprivs = "<requestedPrivileges>" nocase wide ascii
        $requestedexecutionlev = "<requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>" nocase wide ascii
        $endrequestedprivs = "</requestedPrivileges>" nocase wide ascii
        $endsecurity = "</security>" nocase wide ascii
        $endtrustinfo = "</trustInfo>" nocase wide ascii
        // Manifest close tag followed by the linker's section padding pattern
        $endassemblyxmlns = "</assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD" nocase wide ascii
    condition:
        all of them
}

// The scanning module writes its results to %TEMP%\~tracedscn.yls; the path is the
// most specific string in this set.
rule Havex_File_Created
{
    strings:
        $createtracedfile = "\\AppData\\Local\\Temp\\~tracedscn.yls" nocase ascii wide
    condition:
        $createtracedfile
}

// Winsock/DNS/RPC helper DLLs loaded by the scanner. Any networking program imports
// most of these, so this rule describes capability, not identity; pair it with the
// file or mutex rule rather than using it alone.
rule Havex_Used_DLLs
{
    strings:
        $mswsock = "c:\\windows\\system32\\mswsock.dll" nocase ascii wide
        $dnsapi = "dnsapi.dll" nocase ascii wide
        $rpcrt4 = "rpcrt4.dll" nocase ascii wide
        $winrnr = "c:\\windows\\system32\\winrnr.dll" nocase ascii wide
        $rasadhelp = "rasadhlp.dll" nocase ascii wide
        $hnetcfg = "hnetcfg.dll" nocase ascii wide
        $wshtcpip = "c:\\windows\\system32\\wshtcpip.dll" nocase ascii wide
    condition:
        4 of ($mswsock, $dnsapi, $rpcrt4, $winrnr, $rasadhelp, $hnetcfg, $wshtcpip)
}

// A single short, generic token; expect hits on unrelated binaries when scanning a
// clean system image, which is exactly the false-positive test the challenge asks for.
rule Havex_Write_Mutex
{
    strings:
        $writemutex = "WriteMutex" nocase ascii wide
    condition:
        $writemutex
}
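Question 4 asks for the same indicators in another existing IOC format. As an added example that is not the author's submission, the Python below emits an OpenIOC 1.0 document from the facts on this page: the MD5 and file name, the ~tracedscn.yls path from the YARA rule above, and the process-plus-port pairs from netscan. The element layout follows the OpenIOC 1.0 schema (ioc, short_description, description, keywords, authored_by, authored_date, links, then definition/Indicator/IndicatorItem with Context and Content); the term names FileItem/Md5sum, FileItem/FileName, FileItem/FullPath, PortItem/process and PortItem/remotePort are assumed from the standard OpenIOC term vocabulary, and the author string is a placeholder.

```python
"""Emit an OpenIOC 1.0 document for the Havex indicators collected in this write-up."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = "http://schemas.mandiant.com/2010/ioc"   # OpenIOC 1.0 default namespace
ET.register_namespace("", NS)


def q(tag):
    """Namespace-qualify a tag for ElementTree."""
    return "{%s}%s" % (NS, tag)


# Atomic indicators from the write-up, OR'd together: any one hit is a match.
# Tuple layout: (document, search term, content type, condition, value).
# Term names are assumed from the OpenIOC 1.0 vocabulary, not taken from the page.
HAVEX_ITEMS = [
    ("FileItem", "FileItem/Md5sum",   "md5",    "is",       "bddd4e2b84fa2ad61eb065e7797270ff"),
    ("FileItem", "FileItem/FileName", "string", "is",       "bddd4e2b84fa2ad61eb065e7797270ff.exe"),
    ("FileItem", "FileItem/FullPath", "string", "contains", "\\AppData\\Local\\Temp\\~tracedscn.yls"),
]

# Behavioural indicators, each AND'd: the sample's process name seen together with a
# connection to one of the SCADA ports from netscan. Nesting them under the OR keeps the
# bare port numbers from firing on engineering workstations that legitimately talk to PLCs.
HAVEX_SCAN_GROUPS = [
    [("PortItem", "PortItem/process",    "string", "is", "bddd4e2b84fa2ad61eb065e7797270ff.exe"),
     ("PortItem", "PortItem/remotePort", "int",    "is", "12401")],
    [("PortItem", "PortItem/process",    "string", "is", "bddd4e2b84fa2ad61eb065e7797270ff.exe"),
     ("PortItem", "PortItem/remotePort", "int",    "is", "44818")],
]


def _add_item(parent, document, term, ctype, condition, value):
    item = ET.SubElement(parent, q("IndicatorItem"),
                         {"id": str(uuid.uuid4()), "condition": condition})
    ET.SubElement(item, q("Context"), {"document": document, "search": term, "type": "mir"})
    ET.SubElement(item, q("Content"), {"type": ctype}).text = value
    return item


def build_ioc(short_description, description, author, items, and_groups=(), now=None):
    """Build an OpenIOC 1.0 tree: metadata elements, then one top-level OR Indicator
    holding the atomic items and any nested AND groups."""
    stamp = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%S")
    ioc = ET.Element(q("ioc"), {"id": str(uuid.uuid4()), "last-modified": stamp})
    ET.SubElement(ioc, q("short_description")).text = short_description
    ET.SubElement(ioc, q("description")).text = description
    ET.SubElement(ioc, q("keywords"))
    ET.SubElement(ioc, q("authored_by")).text = author
    ET.SubElement(ioc, q("authored_date")).text = stamp
    ET.SubElement(ioc, q("links"))
    definition = ET.SubElement(ioc, q("definition"))
    top = ET.SubElement(definition, q("Indicator"), {"operator": "OR", "id": str(uuid.uuid4())})
    for spec in items:
        _add_item(top, *spec)
    for group in and_groups:
        sub = ET.SubElement(top, q("Indicator"), {"operator": "AND", "id": str(uuid.uuid4())})
        for spec in group:
            _add_item(sub, *spec)
    return ioc


def havex_ioc():
    return build_ioc(
        "Havex network scanning module (challenge 400)",
        "Sample hash/name, the ~tracedscn.yls scan-result file, and SYN_SENT connections "
        "from the sample's process to IGSS (12401) and EtherNet/IP (44818).",
        "placeholder-author",            # placeholder, not a real attribution
        HAVEX_ITEMS, HAVEX_SCAN_GROUPS)


def to_xml(ioc):
    return ET.tostring(ioc, encoding="unicode")


def parse_ioc(xml_text):
    return ET.fromstring(xml_text)


def top_operator(ioc):
    return ioc.find(q("definition")).find(q("Indicator")).get("operator")


def indicator_items(ioc):
    """Flatten every IndicatorItem as (search term, condition, value) for review."""
    return [(it.find(q("Context")).get("search"), it.get("condition"), it.find(q("Content")).text)
            for it in ioc.iter(q("IndicatorItem"))]


if __name__ == "__main__":
    print(to_xml(havex_ioc()))
```

The output loads in the Mandiant IOC Editor or Redline as-is. Keeping the hash, file name and dropped-file path as independent OR terms means a responder matches even when the sample is renamed, while the AND groups tie the port activity to the specific process so that the ports alone carry no weight.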