Blue Team Labs Online - Cov


Analysts reported that red teamers bypassed the AV’s using AMSI techniques, added exclusions to AV and maintained a foothold.

Reverse Engineering

Tags: dnSpy CyberChef OSINT T1219 T1562


Scenario

The Security Operations team was working on the data generated from a recent Red Teaming Engagement. Analysts reported that red teamers bypassed the AVs using AMSI techniques, added exclusions to AV and maintained a foothold. Log analysis was carried out by analysts. The Forensics team sent 3 samples to the RE team to identify any key characteristics and deduce IoCs.

Note: In questions, S1 means Sample1, S2 means Sample2, S3 means Sample3.


Environment Awareness

Evidence & Tool Discovery


We were provided with 3 samples of this malware in different file types: a PowerShell script (ps1), a PE32 executable (exe) and a dynamic link library (dll). Only dnSpy and CyberChef are available, which indicates that we are working with .NET compiled binaries.


Investigation

Q1) S1: What is the C2 IP address and port? (Format: x.x.x.x:port)


Let's start with sample 1 (ps1). We can see that it is a script that creates and executes the stage 2 payload from this base64 string, so let's decode the base64 and inflate it from zlib compression.


Then we have the stage 2 payload right here.


Scrolling down a bit, you will see the C2 URL that this payload contacts.


Add "Remove null bytes" so we can copy the CyberChef output directly (the string literals in the .NET assembly are UTF-16, so a null byte sits between the characters).

Answer

23.128.248.14:443

Q2) S2: What is the compiled date of the executable? (Format: DD/MM/YYYY)


Open dnSpy and let it decompile sample 2 (I was mistaken since I thought it asked for S1, but all good since all of these payloads were generated by the same C2 on the same date).

Answer

29/06/2023

Q3) S2: What is the C2 IP address and port? (Format: x.x.x.x:port)

You can find it in dnSpy, but I wanted to check whether CyberChef still works, and sure enough it does!

Answer

77.68.20.217:80

Q4) S3: What is the C2 IP address and port? (Format: x.x.x.x:port)


I tried to get anything useful with CyberChef, but it looks like we need to get this base64 string from dnSpy and decode it.


This base64 string resides in the Uninstall function, and we can use the same recipe as we did for S1 to extract the second payload, which contains the C2 address and port.


There it is!

Answer

185.220.101.21:80
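The CyberChef recipe used for S1 and reused for S3 (base64 decode, inflate, remove null bytes, then look for the C2 URL), reproduced as an added Python example that is not part of the original writeup. The embedded payload, the documentation address 192.0.2.10:8443 and the helper names are constructed for illustration.

```python
import base64
import re
import zlib

# IPv4 C2 URL as it appears in the decoded stager, e.g. http://x.x.x.x:port/...
C2_RE = re.compile(rb"https?://(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})")


def inflate(data: bytes) -> bytes:
    """Inflate a blob whether it carries a zlib header or is raw DEFLATE
    (CyberChef's "Zlib Inflate" vs "Raw Inflate")."""
    for wbits in (zlib.MAX_WBITS, -zlib.MAX_WBITS):
        try:
            return zlib.decompress(data, wbits)
        except zlib.error:
            continue
    raise ValueError("data is neither zlib nor raw DEFLATE")


def unpack_stage2(b64: str) -> bytes:
    """Base64 decode, inflate and remove null bytes, the same steps as the
    CyberChef recipe. Stripping nulls turns the assembly's UTF-16 string
    literals into plain ASCII so the C2 URL can be searched for."""
    return inflate(base64.b64decode(b64)).replace(b"\x00", b"")


def find_c2(stage2: bytes) -> list[str]:
    """Return every distinct ip:port found in a URL inside the blob."""
    hits = {f"{ip.decode()}:{port.decode()}" for ip, port in C2_RE.findall(stage2)}
    return sorted(hits)


def build_sample() -> str:
    """Constructed stand-in for the embedded base64 string: a few fake
    PE bytes plus a UTF-16LE URL, zlib-compressed and base64-encoded.
    192.0.2.10:8443 is a documentation address, not a real C2."""
    fake_assembly = (
        b"MZ\x90\x00" + b"\x00" * 16
        + "http://192.0.2.10:8443/en-us/index.html".encode("utf-16-le")
        + b"\x00" * 8
    )
    return base64.b64encode(zlib.compress(fake_assembly)).decode()


if __name__ == "__main__":
    stage2 = unpack_stage2(build_sample())
    print(find_c2(stage2))  # ['192.0.2.10:8443']
```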

Q5) What is the C2 framework behind the generation of these samples? (Hint: Source Code) (Format: Framework Name)


After taking a look at the decompiled binary, we can see that it is a Grunt HTTP Stager, which is a stager generated by the Covenant C2 framework.

Answer

Covenant

https://blueteamlabs.online/achievement/share/52929/146