CyberDefenders - GhostDetect
Scenario
One of the employees reported receiving an email with a suspicious-looking attachment. Suspecting that a known Threat Actor may be attempting to use phishing to gain a foothold in the organization, you need to analyze the provided file and identify the threat.
Category: Malware Analysis
Tools: CyberChef, Wireshark, Strings, VS Code, LECmd, ProcMon

In this lab we are given a malware sample that is a Windows shortcut (.lnk) file, and the tool set is limited, which indicates that we are expected to "run" the sample on the lab VM while ProcMon records its system activity.
Questions
Q1: In analyzing the malware's behavior after the initial intrusion, it's crucial to understand where it attempts to establish persistence or further infection. Where were the files dropped by the malware located within the system's file structure?

Since this is a shortcut (.lnk) file, we can parse it with LECmd from Eric Zimmerman's toolkit and extract useful metadata. The output shows suspicious behaviour: the shortcut's target is mshta, pointed at the shortcut file itself, which strongly suggests that an HTA file with embedded VBScript is appended to the shortcut and executed indirectly through it.
Command: LECmd.exe -f "C:\Users\Administrator\Desktop\Start here\Artifacts\Xuzhou_Shenyang2024.lnk"

We can use strings to extract the HTA content that is embedded in the shortcut file. Because strings dumps every printable run in the file, the output also contains fragments of the binary LNK structures that precede the HTA; ignore (or trim) everything before the first HTML/script tag when reading the script.

The end of the script reveals that, when this file is executed through mshta, two files are written to the %TEMP% folder of the user who ran it: the first is a JavaScript (.js) file and the second is a PDF file.
Command: strings "C:\Users\Administrator\Desktop\Start here\Artifacts\Xuzhou_Shenyang2024.lnk" > stage0.hta
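Because strings keeps every printable run, a more targeted way is to carve only the markup that mshta.exe would execute. The following is an added example for this write-up, not code from the challenge: it checks the MS-SHLLINK header, carves the appended HTA, and lists the COM objects and drop-target strings used by the VBScript. The sample LNK and HTA are constructed to mirror what the write-up describes (a "2" sub-folder under %TEMP%, a .js and a .pdf); the file names inside them are placeholders, not the real ones from the sample.

```python
"""Carve the HTA appended to a malicious .lnk (what the strings step does, minus the
header noise). Added example; the sample LNK/HTA below are constructed, not real."""
import re
import struct
import uuid

LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")  # ShellLink CLSID


def is_lnk(data: bytes) -> bool:
    """MS-SHLLINK header: HeaderSize == 0x4C followed by the ShellLink CLSID."""
    return (len(data) >= 0x4C
            and struct.unpack_from("<I", data, 0)[0] == 0x4C
            and uuid.UUID(bytes_le=data[4:20]) == LNK_CLSID)


def carve_embedded_hta(data: bytes):
    """Return the HTML/HTA text hidden after the binary shortcut structures.

    mshta.exe ignores the non-text prefix and runs the first <script> it finds,
    so an LNK whose target is `mshta.exe <path to itself>` carries its own stage.
    """
    start = re.search(rb"<(?:html|hta:application|script)\b", data, re.IGNORECASE)
    if not start:
        return None
    end = max(data.rfind(b"</html>"), data.rfind(b"</script>"))
    if end < start.start():
        return None
    end = data.index(b">", end) + 1
    return data[start.start():end].decode("latin-1")


def summarize_script(hta: str):
    """Quick triage: COM ProgIDs used and string literals naming drop targets."""
    progids = sorted(set(re.findall(r'CreateObject\(\s*"([^"]+)"', hta, re.IGNORECASE)))
    drops = sorted(set(re.findall(r'"([^"]*(?:%TEMP%|\.js|\.pdf|\.dll)[^"]*)"',
                                  hta, re.IGNORECASE)))
    return progids, drops


# Constructed sample: a minimal valid LNK header (size + CLSID, remaining fields zero),
# a little fake link data, then the appended HTA. Names are placeholders.
SAMPLE_HTA = b"""<html><head><hta:application showintaskbar="no" windowstate="minimize">
<script language="VBScript">
Set wsh = CreateObject("WScript.Shell")
Set fso = CreateObject("Scripting.FileSystemObject")
tmp = wsh.ExpandEnvironmentStrings("%TEMP%") & "\\2"
If Not fso.FolderExists(tmp) Then fso.CreateFolder tmp
fso.CreateTextFile(tmp & "\\lure.pdf", True).Write pdfData
fso.CreateTextFile(tmp & "\\stage1.js", True).Write jsData
wsh.Run "wscript.exe " & tmp & "\\stage1.js", 0, False
wsh.Run tmp & "\\lure.pdf", 1, False
window.close()
</script></head></html>"""
SAMPLE_LNK = (struct.pack("<I", 0x4C) + LNK_CLSID.bytes_le + bytes(0x4C - 20)
              + b"\x00\x10mshta.exe\x00" + SAMPLE_HTA)

if __name__ == "__main__":
    hta = carve_embedded_hta(SAMPLE_LNK)
    print(is_lnk(SAMPLE_LNK), hta, summarize_script(hta), sep="\n")
```

Run it against the real file with carve_embedded_hta(open(path, "rb").read()); the result is the same stage-0 HTA the strings command produces, without the fragments of the LNK header, and summarize_script gives a first list of ProgIDs and drop paths to confirm in ProcMon.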

I open ProcMon and Wireshark to capture system and network activity, then execute the shortcut file, which pops up the lure PDF.

In ProcMon's process tree we can see that after the shortcut is executed, mshta follows and opens the lure PDF (on this machine Chrome is the PDF reader, so it opens in Chrome).


I filter on the whole branch of the shortcut's process tree and focus on the CreateFile operation, which reveals that the two files were dropped to the Temp folder (inside a "2" sub-folder in this case), as expected.
C:\Users\Administrator\AppData\Local\Temp
Q2: The malware's communication with external servers is key to its operation. What is the URL that was used by the malware to download a secondary payload?


Since the PDF is most likely just the lure that makes the attachment look legitimate, we focus on the .js file, whose content is the same as the script we found inside the VBScript embedded in the shortcut file.


Using an online deobfuscator such as the Obfuscator.io Deobfuscator, with the help of an LLM, we can see that this script downloads an encrypted payload from windacarmelita.pw, decrypts it with the Rabbit cipher, saves it to the same Temp folder under the name mokpp9342jsOUth.dll, and executes it with rundll32 by invoking the exported function "NormalizeF".
https://windacarmelita.pw/picdir/big/113-1131910-clipart.svg
Q3: Understanding the malware's defense evasion techniques is essential for developing effective detection strategies. What encryption technique is employed by the malware to conceal its activities or payloads?

Rabbit
Q4: Decrypting payloads is a common technique used by malware to evade initial analysis. What is the decryption key used to unlock the second stage of the malware?
dfshji349jg843059utli
Q5: Malware analysis often involves tracking how it interacts with the filesystem. What is the name of the file created by the malware to store decrypted data?
mokpp9342jsOUth.dll
Q6: Analyzing the malware's execution flow is crucial for understanding its impact and behavior. What function does the malware execute within the DLL to perform its malicious activities?

NormalizeF
Q7: Investigating related artifacts can provide insights into the broader campaign. What is the name of another JavaScript file that utilizes the domain identified during the investigation?

First, I compute the hash of the original .js file and search it on VirusTotal (File 290eb8511ac21a20b718152b09075acf2fd6b615d3ad22fb682ce9322c661a22), from where we pivot to the contacted domain.

One more thing to notice: if you search this domain while logged in to VirusTotal, the Crowdsourced Context section is also displayed and reveals that this domain is related to GHOSTWRITER activity.

On the "Relations" tab, under "Communicating Files", we can see three .js files, but only one of them matches the answer format.
sdfhui2kjd.js
Q8: Attribution is a critical aspect of threat intelligence. Can you identify which Advanced Persistent Threat (APT) group is likely behind this attack?

I search for this domain on Google to find any resource that mentions it, since VirusTotal already revealed that it is related to the GHOSTWRITER group, which has many aliases. At the top of the results is a raw GitHub file containing the IOCs of this group.

Five different references mention this domain.

In the CERT-UA article, the group is tracked as UAC-0057, which is the correct answer to this question.
UAC-0057
Q9: What is the country of origin associated with the APT group identified in this investigation?

A quick Google search about this threat actor reveals that it allegedly originates from Belarus, which is all we need for this question.
Belarus
https://cyberdefenders.org/blueteam-ctf-challenges/achievements/Chicken_0248/ghostdetect/