Day 23 (Task 28) The Grinch strikes again! – Advent of Cyber 2 TryHackMe

Bad news: the Grinch seems to have gotten ransomware into the Best Festival Company’s network!  We will need to do some investigation on the infected machine.  For this we will use Remmina again to log in to the desktop.

In a terminal type

remmina

On the window that pops up click on the 3 dots on the right, then select Preferences.

Then click on the RDP tab and select Poor (fastest) under the Quality settings.  Finally click the checkbox for Wallpaper.  Hit close, then enter the IP address of your target, hit enter, and click yes to accept the certificate.

Now you should see a screen that says Enter RDP authentication credentials.  Enter the username of administrator and the password of sn0wF!akes!!!

Now click on the icon with the square box and the arrows to fix your resolution.

When we log in there is a note on the desktop titled RansomNote; this can’t be good!

Windows has a defense for this, but it doesn’t always work.  The service is called the Volume Shadow Copy Service.  It creates point-in-time copies of your files so that you can easily revert, say if you made a wrong change and saved over a document, or if you end up getting ransomware.  Malware developers have gotten better over time though, and they know to delete these copies when running ransomware campaigns.

Notice that the bitcoin address ends with 2 equal signs, which is base64 padding, so I wonder if it is base64 encoded.  You can echo it into base64 -d to decode it.

echo bm9tb3JLYmVzdGZlc3RpdmFsY29tcGFueQ== | base64 -d

Task Scheduler is a tool that allows you to run tasks on defined triggers; this could be whenever a user logs in or on specific days at specific times.  Sometimes Task Scheduler can be abused to gain persistence on a machine.  You may set an executable to make a call out to your attacker machine whenever someone logs in, so that you can always get back in.  If you were to get control of a machine through a browser exploit and the browser is closed, it’s possible you will lose your access.  Then you would have to social engineer your victim all over again, and this time they may not click the link.

Opening up Task Scheduler we see some tasks; 2 of them are of interest, opidsfsdf and ShadowCopyVolume.  Looking at opidsfsdf, it appears to open C:\Users\Administrator\Desktop\opidsfsdf.exe.  There is a high chance that this is the malware.  We can also answer a majority of the questions from this picture.

The other task is around ShadowCopyVolume, maybe our data backups aren’t encrypted!
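As an added example (not part of the original walkthrough), this is how the same triage can be done from PowerShell instead of clicking through the Task Scheduler GUI: every task whose action launches something from a user profile directory, which is where the opidsfsdf task points, is listed together with its trigger types. The task path '\' in the final comment is an assumption.

```powershell
# Added example: enumerate scheduled tasks and report any whose action runs an
# executable out of a user profile (C:\Users\...), like the opidsfsdf task above.
# Run in an elevated PowerShell session on the machine being investigated.
$suspicious = Get-ScheduledTask | ForEach-Object {
    $task = $_
    # Trigger CIM class names (e.g. MSFT_TaskLogonTrigger) tell us when a task fires
    $triggers = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName }) -join ','
    foreach ($action in $task.Actions) {
        # Only exec actions carry an Execute property; COM handler actions do not
        if ($action.Execute -and $action.Execute -match '(?i)\\Users\\') {
            [PSCustomObject]@{
                TaskName = $task.TaskName
                TaskPath = $task.TaskPath
                State    = $task.State
                Triggers = $triggers
                Execute  = $action.Execute
                Args     = $action.Arguments
                Author   = $task.Author
            }
        }
    }
}
$suspicious | Format-Table -AutoSize

# Stop the task from firing again while the file it launches is analysed
# (the task path is assumed to be the root folder '\'):
# Disable-ScheduledTask -TaskName 'opidsfsdf' -TaskPath '\'
```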

Looking at our documents, it appears the encrypted files have been given a .grinch file extension.  Simply renaming a file does not give us the desired results.

Let’s run vssadmin and check if we have any shadow copies.  Open up a terminal and run vssadmin.  There are 2 useful commands for us, list volumes and list shadows:

vssadmin list volumes

vssadmin list shadows

Awesome, we have a shadow copy and its Volume ID is different from the original.  Let’s mount the shadow copy volume.  Open up Disk Management, click on the Backup volume, then right click it and select Change Drive Letter and Paths…

Click Add, then choose the drive letter H for hacker!  Now open up File Explorer and you will see the Backup drive available.

Go into the H: drive then select the View tab at the top, and select Hidden Items.

This shows us a hidden folder called confidential.

Even though the master-password file has a .grinch extension, when we open it up in Notepad we see the master password!
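The shadow copy recovery above, done from PowerShell rather than Disk Management, as an added example that is not part of the original post: the shadow copy's device object is exposed through a directory symlink, the hidden folder is listed, and the unencrypted originals are copied out. It assumes the confidential folder sits at the root of the shadowed volume, as it did on the H: drive, and that C:\ShadowMount and C:\Recovered do not already exist.

```powershell
# Added example: recover files from the most recent shadow copy via a symlink.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy
if (-not $shadows) {
    throw 'No shadow copies present; the ransomware may already have deleted them.'
}

# Show what survives, oldest first, so the choice of snapshot is deliberate
$shadows | Sort-Object InstallDate |
    Select-Object ID, InstallDate, VolumeName, DeviceObject | Format-Table -AutoSize

# Take the newest copy; shadow copies are read-only, so nothing here can
# modify the snapshot itself
$latest = $shadows | Sort-Object InstallDate -Descending | Select-Object -First 1
$mount  = 'C:\ShadowMount'   # assumed free path for the symlink
# mklink needs the trailing backslash after the device object path
cmd.exe /c mklink /d $mount "$($latest.DeviceObject)\" | Out-Null

# -Force includes hidden items, like the confidential folder
Get-ChildItem -Force -Path (Join-Path $mount 'confidential')

# Copy the pre-encryption originals somewhere the malware never touched
Copy-Item -Path (Join-Path $mount 'confidential') -Destination 'C:\Recovered' -Recurse -Force

# Remove only the link; the shadow copy itself stays in place
cmd.exe /c rmdir $mount
```

If vssadmin list shadows showed nothing, this script stops at the throw; there is nothing to mount and the remaining option is an offline backup.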

Now I wanted to know how good the Grinch was at creating this malware, so let’s reverse engineer it.  Open Remmina, type the IP address, and then click on the plus at the top.

Then under the Basic tab fill out the Server as the target IP, the username as administrator and the password as sn0wF!akes!!!

Now click the Share folder option and choose your desktop.  Finally click connect.

Drag and drop the malware over to the new desktop in File Explorer, or whatever folder you shared.

For me, I am going to use Ghidra.  This is a free tool that was developed by the NSA.  In order to move the binary off my Linux VM onto my Windows machine I set up a Python HTTP server on my Linux machine, and then visited http://LinuxIP:7777.  Then I clicked on the file and downloaded it.

cd to the directory where the binary is located on Linux, then start the server:

python3 -m http.server 7777

7777 is the port number; you can use any port number for the most part.

I recommend creating a Windows VM for this or installing Ghidra on your Linux VM, just to be on the safe side.

Once you have the binary on your Windows machine, open Ghidra and drop it in.

NOTE:  DO NOT OPEN THIS BINARY.  AT THIS POINT WE ARE UNSURE WHAT IT COULD DO.  IT MAY BE ACTUAL RANSOMWARE!!!

Double click on the file that now appears in Ghidra.

When Ghidra asks if you want to analyze the binary now, select yes.  You can leave the defaults on the Analysis Options and click Analyze.

Once we open it we can see lots of different functions.  Since we have function names, this binary was not stripped at compile time.  To further hide function names and other data about an executable, developers can strip out that symbol data.  This would make all the function names start with FUN_ in Ghidra.  This should be done prior to production to make it harder for someone to reverse engineer a program and discover ways to exploit it.  You can still find the exploits without function names; it just takes more time, since you have to start naming the various functions yourself before you can exploit anything.

Searching through these I didn’t find anything that interesting.  There was no reference to the .grinch extension that we assume the malware added to all the files.  There was no reference to the password.  At this point I don’t really think opidsfsdf.exe is the actual malware that encrypted the files; I just think the encryption was done when creating the box.

If you have never used Ghidra before, it’s the NSA’s tool for reverse engineering.  On the left side we have function names (the symbol tree), program trees, and the data type manager.  Normally what I am looking for is function names within the symbol tree (Functions).  This binary wasn’t stripped, therefore all the function names are intact.  If you strip the binary, then the function names become FUN_ plus an auto-generated suffix.  Removing the function names can be useful for developers to make it harder for attackers to find functions, especially sensitive ones like a CHECK_THE_PASSWORD function.  Such a function may compare a password to determine if the right one was entered.  Someone could gain access to the application by looking at the code within the executable and then entering the correct password discovered by reverse engineering the binary.

In the middle we have the assembly code.  This is the disassembly of the machine code the computer actually executes.  You will notice that it’s pretty difficult to just read.  It takes practice to understand what all the instructions are, and these instructions differ between architectures.  On the right we have pseudo C code.  This is what Ghidra’s decompiler produces for us, but it’s not always accurate.  This section is a best guess, but it’s very useful when trying to find exploits within programs.

THIS NEXT STEP SHOULD ONLY BE DONE IF YOU KNOW WHAT YOU ARE DOING.  CREATE A FULL BACKUP ON AN EXTERNAL DRIVE AND THEN UNPLUG THAT DEVICE WITH YOUR BACKUP ON IT, PRIOR TO ATTEMPTING THIS!!!

Now ensure that you turn off the Copy and Paste and Drag and Drop options in your virtual machine platform.  In VMware they are under the Options settings of your machine.

To modify these settings the VM needs to be powered off, not suspended.

Ensure that you don’t have a network card attached to your VM.

Now log into the VM and let’s create some files.  Open up Notepad and save the following as fileextensions.txt:

doc
docx
html
htm
odt
pdf
xls
xlsx
ods
ppt
pptx
txt

We can use a for loop to create the files.  Open Command Prompt, cd to the Desktop, and run the following command, being sure to change the path to your file.  Redirecting the empty nul device into each name creates a zero-byte file:

for /F %i in (C:\Users\malware\Desktop\fileextensions.txt) DO type nul > document.%i

Now download and install Wireshark and Process Monitor (https://download.sysinternals.com/files/ProcessMonitor.zip).  Open both of them up.  For Process Monitor, open the zip folder, run the executable Procmon64, click Run, then click Agree to the license agreement.  Then download Process Explorer (https://download.sysinternals.com/files/ProcessExplorer.zip).  This will make it easier to see if the malware spawns other processes.  Double click procexp64, click Run, and accept the license agreement.

NOTE:  BE SURE TO CLOSE EVERYTHING EXCEPT PROCESS MONITOR, PROCESS EXPLORER.

Now open up Wireshark and be sure to sniff on the interface you are using.  For me it is the wireless interface (Wi-Fi).  Once you double click Wi-Fi, go execute the malware right away to avoid getting a lot of packets to sort through.

Assuming this is a VM, which I hope it is, be sure to turn off Windows Defender.  The first time I ran it, Windows Defender picked it up.

Finally let’s execute our malware!  I took a snapshot, since I have VMware Workstation, so that I can go back to a good copy from before the malware execution if needed.  I am going to right click and Run as administrator to be sure it has full permissions.

So we see that the file calls rundll32.exe.  It’s probably loading some DLLs that are packed within the executable.

We can filter in Process Monitor using the filter Process Name contains opidsfsdf, then click Add and Apply.

We can see this does a ton of different things, from querying registry keys to creating DLLs within C:\Windows\System32.
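Scrolling a Process Monitor window gets tedious, so here is an added example (not from the original post) that triages a Procmon CSV export (File > Save… > CSV) for the state-changing operations the suspect process performed: process creation, file writes, registry value writes and network sends. The five CSV rows are constructed to match Procmon's export columns; the file name drop.dll and the PIDs are placeholders.

```powershell
# Added example: summarise what a process actually changed, from a Procmon CSV.
# Constructed sample rows in Procmon's export layout; in practice replace the
# here-string with:  $events = Import-Csv .\Logfile.CSV
$csv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","opidsfsdf.exe","4120","Process Create","C:\Windows\System32\rundll32.exe","SUCCESS","PID: 4188, Command line: rundll32.exe"
"10:01:02.2","opidsfsdf.exe","4120","CreateFile","C:\Windows\System32\drop.dll","SUCCESS","Desired Access: Generic Write"
"10:01:02.3","opidsfsdf.exe","4120","CreateFile","C:\Windows\System32\kernel32.dll","SUCCESS","Desired Access: Generic Read"
"10:01:02.4","opidsfsdf.exe","4120","RegSetValue","HKCU\Control Panel\Desktop\Wallpaper","SUCCESS","Type: REG_SZ, Length: 2, Data: "
"10:01:02.5","opidsfsdf.exe","4120","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName","SUCCESS","Type: REG_SZ, Length: 22, Data: Windows 10 Pro"
'@
$events = $csv | ConvertFrom-Csv

function Get-SuspectActivity {
    param([object[]]$Events, [string]$ProcessName)
    $Events | Where-Object {
        $_.'Process Name' -eq $ProcessName -and $_.Result -eq 'SUCCESS' -and (
            # Operations that always change state
            $_.Operation -in @('Process Create','WriteFile','RegSetValue','TCP Connect','UDP Send') -or
            # CreateFile only matters when it was opened for writing
            ($_.Operation -eq 'CreateFile' -and $_.Detail -match 'Generic Write|Generic All|Write Data')
        )
    }
}

# Group by operation so DLL drops and registry changes stand out from the noise;
# on the sample rows the read-only CreateFile and RegQueryValue rows are dropped
Get-SuspectActivity -Events $events -ProcessName 'opidsfsdf.exe' |
    Group-Object Operation | Sort-Object Name | ForEach-Object {
        "{0} ({1})" -f $_.Name, $_.Count
        $_.Group | ForEach-Object { "    " + $_.Path }
    }
```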

Looking through the Wireshark traffic, it does not appear that the malware reaches out to any server.  I think it is just programmed to set the Windows desktop background to a black screen.  It’s interesting though, because Windows Defender does believe this file is malicious when it executes.

All of my packets were with settings-win.data.microsoft.com, which is some sort of reporting that Windows does to talk with Microsoft servers.

All in all, it seems like this piece of malware is harmless.  TryHackMe must have renamed the files themselves when they created the room.  You can extract the files from the executable with 7-Zip, but there wasn’t anything really interesting in them.

Thanks for joining me on this long journey, I hope you learned a lot.  Off to our final day!