Wednesday, May 15, 2013

Jack Crook DFIR Challenge - Part 2 - ENG-USTXHOU-148

This is the second part of my breakdown of the @jackcr DFIR challenge.  You can find part one here.

If you remember from the pcap analysis, the C2 client at 58.64.132.141 was communicating with 172.16.150.20, and after decoding the Gh0st traffic we were able to discern that the infected host's name was ENG-USTXHOU-148, so that's where we will pick up.

Loading the memdump.bin file into Volatility's imageinfo module confirms what we saw in the Gh0st data; this machine is running Windows XP Service Pack 3.

vol.py -f memdump.bin imageinfo


Taking a look at the output of connscan, you can see the connection to the C2 client at 58.64.132.141.  The process using that connection has a PID of 1024.


vol.py -f memdump.bin --profile=WinXPSP3x86 connscan


The output of pstree shows that the process with PID 1024 is svchost.exe, so obviously we've got some trouble here: a Windows service host process should not be holding a connection to an outside address.  You also see that svchost.exe is the parent process of wc.exe, which we saw in part one.

vol.py -f memdump.bin --profile=WinXPSP3x86 pstree
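The pivot above (C2 address → connscan PID → pstree process, parent and children) is easy to automate once the plugin output is saved to files. The following is an added example, not from the original post or from Volatility itself; it parses constructed text shaped like Volatility 2's connscan and pstree output, with the addresses, PID 1024, svchost.exe and wc.exe taken from this write-up and every other value (offsets, PPIDs, counts, timestamps) made up.

```python
import re
# Constructed sample output shaped like Volatility 2's connscan and pstree plugins.
# C2 address, host address, PID 1024, svchost.exe and wc.exe are from the write-up;
# offsets, PPIDs, thread/handle counts and timestamps are made up.
CONNSCAN = """\
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x02095528 172.16.150.20:1291        58.64.132.141:80          1024
0x0213a6e8 172.16.150.20:1045        172.16.150.10:445         4
"""
PSTREE = """\
Name                                                  Pid   PPid   Thds   Hnds Time
-------------------------------------------------- ------ ------ ------ ------ --------------------
 0x823c89c8:System                                      4      0     53    240 1970-01-01 00:00:00 UTC+0000
... 0x82211da0:services.exe                           676    632     16    262 2013-03-11 14:44:41 UTC+0000
.... 0x820fd7e8:svchost.exe                          1024    676     22    311 2013-03-11 14:44:43 UTC+0000
..... 0x81f3c020:wc.exe                              1640   1024      1     24 2013-03-11 15:02:17 UTC+0000
"""

def pids_talking_to(connscan_text, remote_ip):
    """PIDs from connscan output whose remote endpoint is remote_ip (port ignored)."""
    pids = set()
    for line in connscan_text.splitlines()[2:]:  # skip header and separator rows
        parts = line.split()
        if len(parts) == 4 and parts[2].rsplit(":", 1)[0] == remote_ip:
            pids.add(int(parts[3]))
    return pids

# pstree rows look like ".... 0x820fd7e8:svchost.exe  1024  676 ..." (dots show depth)
PSTREE_RE = re.compile(r"^\.*\s*0x[0-9a-fA-F]+:(\S+)\s+(\d+)\s+(\d+)")

def parse_pstree(pstree_text):
    """Map pid -> (process name, parent pid) from pstree output."""
    procs = {}
    for line in pstree_text.splitlines():
        m = PSTREE_RE.match(line)
        if m:
            procs[int(m.group(2))] = (m.group(1), int(m.group(3)))
    return procs

def triage(connscan_text, pstree_text, remote_ip):
    """For every process talking to remote_ip: its name, parent and child processes."""
    procs = parse_pstree(pstree_text)
    report = {}
    for pid in pids_talking_to(connscan_text, remote_ip):
        name, ppid = procs.get(pid, ("<not in pstree>", None))
        parent = procs.get(ppid, ("<unknown>", None))[0]
        children = sorted(n for p, (n, pp) in procs.items() if pp == pid)
        report[pid] = {"name": name, "parent": parent, "children": children}
    return report
```

Feed it the real output of `vol.py ... connscan` and `vol.py ... pstree` saved to text files and it will flag the same svchost.exe → wc.exe relationship the screenshots show, plus any other process that spoke to the C2 address.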


Let's dig into svchost a little more by running the dlllist module against it.  We see an unusual DLL named 6to4ex.dll listed.

vol.py -f memdump.bin --profile=WinXPSP3x86 dlllist -p 1024



You can dump the suspect file out using the dlldump module.

vol.py -f memdump.bin --profile=WinXPSP3x86 dlldump -p 1024 --dump-dir ./dumpout -r 6to4ex


We'll then get the md5 of the file...



...and see if VirusTotal has seen this before.

Apparently so!  Ok, so we've found our backdoor.  Running strings against the file also reveals a couple of instances of "Gh0st" to further confirm our suspicions.

So how did this machine become compromised in the first place?  I ran the entire memdump.bin file through strings and then grepped that output for instances of "58.64.132.141".  Adding the -C flag to your grep command prints N lines of context before and after each match (30 lines in the command below).  There are several hits, but the most interesting one is listed below.

strings memdump.bin | grep -C 30 58.64.132.141


What you see above is the phish that the users callb, amirs, and wrightd received.  The sender address, isd@petro-markets.info, is designed to look familiar to the end users.  At the end of the email we see the trojan, Symantec-1.43-1.exe.

We were also given a timeline file, and in it we can see both the execution of the trojan and the creation of 6to4ex.dll.  A little further on, we see the same activity that we saw in the pcap file.


Now we have lots of indicators to go on.  I'll be making another post soon about using this information to create an IOC signature with Mandiant's IOC editor.
