UniCon 2020 CTF Challenge

**UPDATE** This entry ended up winning the first-place grand prize as announced by Scythe. Check out the other excellent winners here. Many thanks to Scythe for providing such great content to the community.

Introduction

UniCon 2020 included an excellent NetWars-style CTF that involved executing payloads and observing behaviour. Spanning three levels, the exercise provided a breadth of insight into malicious payload execution and how to go about analyzing the activity using tools such as Sysmon and Wireshark. The optional take-away challenge was to further examine the ‘level3.exe’ payload and submit a report on the findings.

Lab Setup

A Windows 10 virtual machine was used with SysInternals Sysmon and Procmon installed, as well as Wireshark. The VM had the hostname set to 'SANS-SIFT' with username 'SANSDFIR'.

Sysmon and Wireshark are the primary tools needed, but Procmon can be of great help to visualize process activity. Windows Event Logs contain a wealth of information. Turning on process and command-line auditing provides process execution information and the command-line arguments used at the time of process start (EID 4688 in Security.evtx). Sysmon records this and much more (network connections, file and registry modifications) and logs to Microsft-Windows-Sysmon%4Operational.evtx. Additional tools and commands are mentioned as well; however, they were largely used to validate data and to present it in a friendlier format.

Findings – Host

Let’s first take a look at the metadata of the ‘level3.exe’ payload that we are investigating using ‘exiftool’, the ‘file’ command, and generating hash values:

Name: level3.exe
Size: 329216 bytes
Signed: No
MD5: 700b64dd134eba64309b5628775cf7af
SHA-1: 7c43c28314bc6dad24664a38ba32997d4114b0db
SHA-256: fd4f25567498032e3f4dd75a211c4729a895abadb5609345b52c469f4d99dc31
Time Stamp (Creation): 2019:09:09 09:36:00+00:00
File Format: PE32+ executable (GUI) x86-64, for MS Windows

The next step is to install and start our tools. Upon install, Sysmon will be running in the background. Wireshark and Procmon will need to start capturing just before payload execution. Once ready, we begin capture and observe the results. Starting with Procmon, there will be an overwhelming number of events which we can filter out except for those of interest. We know the Process Name is ‘level3.exe’ which can be further filtered for the ‘Process Create’ Operation:

22 events are returned that show copious usage of the Windows Command Prompt (cmd.exe) to query various system and user properties. Note the ‘/c’ switch carries out the command specified by string and then terminates:

Command Line Description
cmd /c hostname Display the system hostname.
whoami Display the domain and user name of the current user.
cmd /c net user Display a list of all user accounts for the local computer.
cmd /c dir c:\Users\ Display the volume label/serial number and a list of files and subfolders in 'Users' folder.
cmd /c net accounts Display the current password and logon restrictions for the computer and computer role (Server or Workstation).
cmd /c net localgroup Display the name of the system and the names of local groups on the computer.
cmd /c net localgroup "Users" Display the members of local group 'Users'.
cmd /c tasklist Displays a list of currently running processes and services on the system.
cmd /c systeminfo Displays detailed configuration information about the system, including operating system configuration, security information, product ID, and hardware properties.
cmd /c ipconfig /all Displays the full TCP/IP configuration for all physical and logical network adapters.
cmd /c arp -a Display current ARP cache tables for all interfaces.
cmd /c net config Display information about the configuration of the Server or Workstation service.
cmd /c net config workstation Display Workstation service and host information such as computer name, logon and workstation domain, username, and operating system version.
cmd /c netstat Display active TCP connections.
cmd /c net use Display a list of connections with detailed information about currently mapped network resources.
cmd /c net sessions Displays information about all sessions with the local computer, such as computer name, username, client type, and idle time.
cmd /c tasklist.exe Displays a list of currently running processes and services on the system.
cmd /c sc query Display information for active services only.
cmd /c sc query state= all Display information for all services (active and inactive).
cmd /c net view \\localhost Display a list the file/printer shares on the local computer.
cmd /c dir C:\Users\SANSDFIR\Documents Display the volume label/serial number and a list of files and subfolders in 'Documents' folder.*
cmd /c dir C:\Users\SANSDFIR\Downloads Display the volume label/serial number and a list of files and subfolders in 'Downloads' folder.*

*Directory listings for username (SANSDFIR) replicated by substituting %USERNAME% (cmd /c dir C:\Users\%USERNAME%\Downloads || cmd /c dir C:\Users\%USERNAME%\Documents)

We see extensive system and user fingerprinting and profiling before the program exits. These are common discovery tactics which evade defenses by ‘Living off the Land’, utilized by malware and advanced threat actors for purposes including privilege escalation and lateral movement. Aside from the initial payload, no foreign programs are introduced to the system, instead using Windows built-ins native to the operating system (also known as ‘LOLBins’) which are visible by removing the Process Name filter:

Changing the Operation filter to contain ‘TCP’ and the Command Line to contain ‘level3.exe’, network connections are visible during execution. There are numerous connections for two IP addresses, one of which is the Command-and-Control:

ocsp[.]int-x3[.]letsencrypt[.]org – port 80

madrid[.]scythedemo[.]com - 35.229(.)19.7 – port 443 – C2

Before proceeding to the network portion, let’s take a look at a few other data sources. Sysmon logged the same information and can be viewed using the Windows Event Viewer or Event Log Explorer by filtering for the following Sysmon event IDs:

Event ID 1: Process creation Snow
Event ID 3: Network connection Forest
Event ID 22: DNSEvent (DNS query) Mountains

As a bonus, if you have access to an EDR, a process tree graph is handy for visualization (and was massive for this sample):

Windows Prefetch files are extremely valuable here and can be parsed using PECMD to determine last run times and counts. We see grouped runs of the Windows binaries relative to the 'level3.exe' payload - perfect for checking any additional binaries that may have been dropped and executed:

Executable Name Last Run
LEVEL3.EXE 8/22/2020 20:21:11
HOSTNAME.EXE 8/22/2020 20:22:42
WHOAMI.EXE 8/22/2020 20:23:10
SYSTEMINFO.EXE 8/22/2020 20:26:17
ARP.EXE 8/22/2020 20:27:08
NETSTAT.EXE 8/22/2020 20:28:30
NET1.EXE 8/22/2020 20:29:22
TASKLIST.EXE 8/22/2020 20:29:47
SC.EXE 8/22/2020 20:30:40
NET.EXE 8/22/2020 20:31:08
CONHOST.EXE 8/22/2020 20:46:32
CMD.EXE 8/22/2020 20:46:32
IPCONFIG.EXE 8/22/2020 21:27:13

Lastly for usage, the System Resource Usage Monitor database can be parsed using SRUM-DUMP to give us application usage statistics. Network data such as bytes sent/received are recorded which we can use to determine payload data exfiltration and lateral movement:

Application Bytes Sent Bytes Received
\device\harddiskvolume1\users\sansdfir\desktop\level3\level3.exe 285090 192926

Findings – Network

From the endpoint analysis, the C2 domain and IP address were identified thanks to numerous beacons:

madrid[.]scythedemo[.]com - 35.229(.)19.7 – port 443 – C2

By applying a filter for the IP address in Wireshark and filtering for SYN request packets, we see regular callbacks approximately ~30 seconds apart using the I/O graph with a ~15% jitter interval. This can also be calculated by eyeballing the time difference between SYN packets:

Analysis of the traffic content is difficult due to encryption, but we can still obtain data. Using Wireshark, the C2 TLS certificate can be carved by exporting HTTP objects and viewed using ‘certutil’ or ‘openssl’. We see the issue as Let’s Encrypt and the subject (scythedemo) matching the C2 FQDN:

Name: scythedemo.com.cer
Size: 1628 bytes
MD5: c7222a647706d3a52c1ae28a28f40fa0
SHA-1: 6c64e8185418d0e6416dbaf36b5a01ded23ac968
SHA-256: 8737e4ae09ad4cd9e2ac19f9d0420569d3390600a9e3c2d5a9aa21c97f9945fa

We can also extract JA3 signatures for TLS fingerprinting. The JA3 algorithm takes a number of settings from the ‘Client Hello’ of a TLS handshake and concatenates to a string which is MD5 hashed, producing an easily-consumable fingerprint. These can be extract from a PCAP in Wireshark by using this JA3 plugin:

JA3 Digest: a0e9f5d64349fb13191bc781f81f42e1
JA3 Fingerprint: 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-5-10-11-13-35-23-65281,29-23-24,0

The JA3 digest for the encrypted C2 traffic (a0e9f5d64349fb13191bc781f81f42e1) can then be searched through a JA3 repository on JA3er. This hash has been reported previously as ‘Windows 10 socket initiating a TLS communication when going to a domain’ which makes sense. However, if we do a few internet searches we see it come up in a variety of malware reports – notably associated with Metasploit Meterpreter, which leads in nicely to the CTI section.

Cyber Threat Intelligence

Since we analyzed the behaviour of the ‘level3.exe’ payload and obtained an exhaustive list of indicators, it made sense to try and map them to TTPs to find a potential threat actor profile. The majority were software based, so MITRE’s ATT&CK software entries were searched for threat groups tied to ‘net’, ‘tasklist’, ‘systeminfo’, ‘ifconfig’, ‘arp’, and ‘netstat’ commands. There are also callbacks to the C2 through encrypted channels (Web Protocols, Fallback Channels). A threat group consistently observed in each category was ‘OrangeWorm’.

OrangeWorm was identified by Symantec in 2015 targeting global supply-chains within large corporations, namely in the healthcare sector. The group was observed installing backdoor Trojan ‘Kwampirs’ to carry out attacks. Looking at Symantec’s analysis and MITRE’s ATT&CK entry, characteristics of the ‘level3.exe’ payload paint a clear picture:

TTPs and indicators used by OrangeWorm located on Scythe’s GitHub repository match almost perfectly using the ATT&CK Navigator:

Having mapped the payload and threat actor, we can use these TTPs and indicators to hunt for threats in the environment.

Thank you again to Scythe for hosting such a great event. Check them out at Scythe.io.