Question 1
What is the likely IP address of someone from the Po1s0n1vy group scanning imreallynotbatman.com for web
application vulnerabilities?
index=botsv1 source="stream:http" imreallynotbatman.com http_method=POST
| table c_ip, dest_ip, request, form_data
Answer:
40.80.148.42
Question 2
What company created the web vulnerability scanner used by Po1s0n1vy?
index=botsv1 source="stream:http" imreallynotbatman.com c_ip="40.80.148.42" dest_ip="192.168.250.70" http_method=POST
| stats count by http_user_agent, src_headers
Answer:
acunetix
Question 3
What content management system is imreallynotbatman.com likely using?
index=botsv1 source="stream:http" imreallynotbatman.com dest_ip="192.168.250.70"
| rex field=dest_content "name=\"generator\"\s+content=\"(?<cms_identity>[^\"]+)\""
| stats count by cms_identity
Answer:
Joomla! - Open Source Content Management
Question 4
What is the name of the file that defaced the imreallynotbatman.com website?
index=botsv1 sourcetype=fgt_utm (srcip="192.168.250.70" OR dstip="192.168.250.70") catdesc="Malicious Websites"
Answer:
poisonivy-is-coming-for-you-batman.jpeg
Question 5
What fully qualified domain name (FQDN) is associated with this attack?
index=botsv1 sourcetype=fgt_utm (srcip="192.168.250.70" OR dstip="192.168.250.70") catdesc="Malicious Websites"
Answer:
prankglassinebracket[.]jumpingcrab[.]com
Question 6
What IP address has Po1s0n1vy tied to domains pre-staged to attack Wayne Enterprises?
index=botsv1 sourcetype=fgt_utm (srcip="192.168.250.70" OR dstip="192.168.250.70") catdesc="Malicious Websites"
Answer:
23.22.63.114
Question 7
What is the email address most likely associated with Po1s0n1vy APT group?
Answer:
lillian.rose@po1s0n1vy.com
Question 8
What IP address is likely attempting a brute force password attack against imreallynotbatman.com?
index="botsv1" imreallynotbatman.com sourcetype="stream:http" http_method=POST
| rex field=form_data "username=(?<username>[^&]+)"
| rex field=form_data "(passwd|password)=(?<password>[^&]+)"
| where isnotnull(password) AND isnotnull(username)
| table username, password, c_ip, dest_ip, uri
Answer:
23.22.63.114
Question 9
What is the name of the executable uploaded by Po1s0n1vy?
index="botsv1" dest_ip="192.168.250.70" sourcetype="suricata" http.http_method=POST "imreallynotbatman.com"
| rex field=fileinfo.filename "(?<executable>.*?\.(exe|ps1))"
| where isnotnull(executable)
| table _time, executable, src_ip
3791.exe, /_vti_bin/shtml.exe
Correlation with Sysmon
index="botsv1" source="WinEventLog:Microsoft-Windows-Sysmon/Operational" 3791.exe extracted_eventid=1
| table Command_Line, Image_Path, Parent_Image_Path
No record of shtml.exe was found, which makes 3791.exe the more likely malicious file.
Answer:
3791.exe
Question 10
What is the MD5 hash of the executable uploaded?
index="botsv1" source="WinEventLog:Microsoft-Windows-Sysmon/Operational" extracted_eventid=1 "3791.exe"
| table Command_Line, Image_Path, Parent_Image_Path, Hashes
Answer:
AAE3F5A29935E6ABCC2C2754D12A9AF0
Question 11
What is the SHA256 hash of the custom malware used in spear phishing?
GCPD reported that common TTPs for the Po1s0n1vy APT group, if initial compromise fails, is to send a
spear phishing email with custom malware attached. This malware is usually connected to Po1s0n1vy's
initial attack infrastructure.
Answer:
9709473ab351387aab9e816eff3910b9f28a7a70202e250ed46dba8f820f34a8
Malicious File name: MirandaTateScreensaver.scr.exe related to IP: 23.22.63.114
Question 12
What special hex code is associated with the customized malware?
Hint: It's not in Splunk - found in VirusTotal Community Post
Answer:
53 74 65 76 65 20 42 72 61 6e 74 27 73 20 42 65 61 72 64 20 69 73 20 61 20 70
6f 77 65 72 66 75 6c 20 74 68 69 6e 67 2e 20 46 69 6e 64 20 74 68 69 73 20 6d 65 73 73 61 67 65 20
61 6e 64 20 61 73 6b 20 68 69 6d 20 74 6f 20 62 75 79 20 79 6f 75 20 61 20 62 65 65 72 21 21
21
Question 13
Concatenate the two codes from Po1s0n1vy's staged domain WHOIS information
{
"administrative_contact": {
"full_name": "LILLIAN ROSE",
"company_name": "31 73 74 32 66 69 6E 64 67 65 74 73 66 72 65 65 62 65 65 72",
"mailing_address": "66 72 6F 6D 72 79 61 6E 66 69 6E 64 68 69 6D 74 6F 67 65 74",
"city_name": "SPRINGFIELD",
"state_name": "MO",
"zip_code": "65803",
"email_address": "lillian.rose@po1s0n1vy.com"
}
}
Answer:
31 73 74 32 66 69 6E 64 67 65 74 73 66 72 65 65 62 65 65 72 66 72 6F 6D 72 79
61 6E 66 69 6E 64 68 69 6D 74 6F 67 65 74
Question 14
What was the first brute-force password used?
index="botsv1" imreallynotbatman.com sourcetype="stream:http" http_method=POST
| rex field=form_data "username=(?<username>[^&]+)"
| rex field=form_data "(passwd|password)=(?<password>[^&]+)"
| where isnotnull(password) AND isnotnull(username)
| table _time, username, password, c_ip, dest_ip, uri
Answer:
12345678
Question 15
One password is James Brodsky's favorite Coldplay song (six characters)
index="botsv1" "imreallynotbatman.com" sourcetype="stream:http" http_method=POST
| rex field=form_data "username=(?<username>[^&]+)"
| rex field=form_data "(passwd|password)=(?<password>[^&]+)"
| where isnotnull(password) AND len(password) == 6
| fields _time, username, password, c_ip, dest_ip
| append [ search sourcetype="coldplay" | fields songName ]
| eventstats values(songName) as all_songs
| mvexpand all_songs
| where lower(password) == lower(all_songs)
| table _time, c_ip, dest_ip, username, password, all_songs
| Time | Source IP | Dest IP | Username | Password | Song Name |
| 2016-08-10 17:45:26.973 | 23.22.63.114 | 192.168.250.70 | admin | orange | Orange |
| 2016-08-10 17:45:30.867 | 23.22.63.114 | 192.168.250.70 | admin | yellow | Yellow |
Answer:
Yellow
Question 16
What was the correct password for admin access to the CMS?
index="botsv1" "imreallynotbatman.com" sourcetype="stream:http" http_method=POST
| rex field=form_data "username=(?<username>[^&]+)"
| rex field=form_data "(passwd|password)=(?<password>[^&]+)"
| where username="admin"
| table _time, c_ip, dest_ip, username, password, http_user_agent
| Time | Source IP | Dest IP | Username | Password | User Agent |
| 2016-08-10 17:48:05.858 | 40.80.148.42 | 192.168.250.70 | admin | batman | Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko |
| 2016-08-10 17:46:51.394 | 23.22.63.114 | 192.168.250.70 | admin | rock | Python-urllib/2.7 |
Answer:
batman
Question 17
What was the average password length in the brute forcing attempt?
index="botsv1" "imreallynotbatman.com" sourcetype="stream:http" http_method=POST
| rex field=form_data "(passwd|password)=(?<password>[^&]+)"
| eval average_password = len(password)
| stats avg(average_password) as average_length
Answer:
6
(6.2595238095238095)
Question 18
How many seconds elapsed between password identification and compromised login?
index="botsv1" "imreallynotbatman.com" sourcetype="stream:http" http_method=POST
| rex field=form_data "username=(?<username>[^&]+)"
| rex field=form_data "(passwd|password)=(?<password>[^&]+)"
| search username="admin" AND password="batman"
| sort 0 _time
| delta _time as elapsedTime
| where elapsedTime > 0
| eval elapsedTime = round(elapsedTime, 2)
| stats values(elapsedTime) as elapsedTime
Answer:
92.17
Question 19
How many unique passwords were attempted in the brute force attack?
index="botsv1" "imreallynotbatman.com" sourcetype="stream:http" http_method=POST
| rex field=form_data "username=(?<username>[^&]+)"
| rex field=form_data "(passwd|password)=(?<password>[^&]+)"
| search username="admin" http_user_agent="Python-urllib/2.7"
| stats dc(password) as uniquePasswordCount
Answer:
412
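The brute-force analysis behind Questions 16 through 19 (pull the credentials out of form_data, count distinct guesses per source, average the password length, and time the gap between the guessed password and its reuse from another client) as a stand-alone Python detection script. This is an added example, not part of the original write-up or the BOTSv1 data: the sample events are constructed, with the IPs and the orange/yellow/rock/batman guesses taken from the tables above and the remaining timestamps invented.

```python
import re
from collections import defaultdict
from datetime import datetime

USER_RE = re.compile(r"username=([^&]+)")
PASS_RE = re.compile(r"(?:passwd|password)=([^&]+)")
TS_FMT = "%Y-%m-%d %H:%M:%S.%f"
# Constructed sample of stream:http POST events: (timestamp, c_ip, http_user_agent, form_data).
# IPs and the orange/yellow/rock/batman guesses mirror rows on this page; other values are made up.
EVENTS = [
    ("2016-08-10 17:45:26.973", "23.22.63.114", "Python-urllib/2.7", "username=admin&passwd=orange&option=com_login"),
    ("2016-08-10 17:45:30.867", "23.22.63.114", "Python-urllib/2.7", "username=admin&passwd=yellow&option=com_login"),
    ("2016-08-10 17:46:33.688", "23.22.63.114", "Python-urllib/2.7", "username=admin&passwd=batman&option=com_login"),
    ("2016-08-10 17:46:51.394", "23.22.63.114", "Python-urllib/2.7", "username=admin&passwd=rock&option=com_login"),
    ("2016-08-10 17:48:05.858", "40.80.148.42", "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", "username=admin&passwd=batman&option=com_login"),
    ("2016-08-10 17:50:00.000", "10.10.10.10", "Mozilla/5.0", "search=batman"),  # POST without credentials
]

def parse_credentials(form_data):
    """Same two-stage extraction as the rex commands above: (username, password) or None."""
    user, pw = USER_RE.search(form_data), PASS_RE.search(form_data)
    return (user.group(1), pw.group(1)) if user and pw else None

def login_attempts(events):
    """Yield (time, c_ip, user_agent, username, password) for the POSTs that carry credentials."""
    for ts, ip, ua, form in events:
        creds = parse_credentials(form)
        if creds:
            yield datetime.strptime(ts, TS_FMT), ip, ua, creds[0], creds[1]

def profile_sources(events):
    """Per source IP: attempts, distinct passwords (Q19) and mean password length (Q17)."""
    by_ip = defaultdict(list)
    for _, ip, _, _, pw in login_attempts(events):
        by_ip[ip].append(pw)
    return {ip: {"attempts": len(pws), "distinct_passwords": len(set(pws)),
                 "avg_password_len": round(sum(map(len, pws)) / len(pws), 2)}
            for ip, pws in by_ip.items()}

def find_reused_password(events):
    """Q16/Q18: the source with the most distinct guesses is the brute forcer; a password it tried
    that is later replayed from another source is the likely valid one. Returns (password,
    replaying_ip, seconds between first guess and replay) or None."""
    stats = profile_sources(events)
    brute_ip = max(stats, key=lambda ip: stats[ip]["distinct_passwords"], default=None)
    first_guess = {}
    for t, ip, _, _, pw in sorted(login_attempts(events)):
        if ip == brute_ip:
            first_guess.setdefault(pw, t)
        elif pw in first_guess:
            return pw, ip, round((t - first_guess[pw]).total_seconds(), 2)
```

On the constructed sample, `find_reused_password(EVENTS)` reports `batman` replayed from 40.80.148.42 92.17 seconds after the scripted client first tried it, the same shape of result the Splunk `delta` query produces.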
Question 200
What was the most likely IP address of we8105desk on 24AUG2016?
index=botsv1 we8105desk earliest="08/24/2016:00:00:00" latest="08/24/2016:23:59:59"
source="WinEventLog:Security" EventCode=4624
Security_ID="WAYNECORPINC\\WE8105DESK$"
| stats count by Source_Network_Address, Account_Name
| Source Network Address | Account Name | Count |
| 192.168.250.100 | - | 22 |
| 192.168.250.100 | WE8105DESK$ | 22 |
Answer:
192.168.250.100
Question 201
Which Suricata signature for Cerber malware alerted the fewest times?
index=botsv1 sourcetype="suricata" alert.signature="*Cerber*"
| stats count by alert.signature, alert.signature_id
| Signature | Signature ID | Count |
| ETPRO TROJAN Ransomware/Cerber Checkin 2 | 2816763 | 1 |
| ETPRO TROJAN Ransomware/Cerber Checkin Error ICMP Response | 2816764 | 2 |
| ETPRO TROJAN Ransomware/Cerber Onion Domain Lookup | 2820156 | 2 |
index=botsv1 sourcetype="suricata" alert.signature="ETPRO TROJAN Ransomware/Cerber Checkin 2"
| table alert.action, alert.category, alert.signature, alert.signature_id, src_ip, dest_ip
Answer:
2816763
Question 202
What FQDN does Cerber ransomware direct users to at the end of encryption?
index=botsv1 source="stream:dns" (src_ip="192.168.250.100") "query_type{}"=A
| stats count by query{}
| Query | Dest IP | Count |
| cerberhhyed5frqa.xmfir0.win | 192.168.250.20 | 2 |
| dns.msftncsi.com | 192.168.250.20 | 2 |
| ipinfo.io | 192.168.250.20 | 2 |
| solidaritedeproximite.org | 192.168.250.20 | 2 |
Answer:
cerberhhyed5frqa.xmfir0.win
Question 203
What was the first suspicious domain visited by we8105desk on 24AUG2016?
index=botsv1 source="stream:dns" (src_ip="192.168.250.100") "query_type{}"=A
NOT (query{}="*microsoft*" OR query{}="*waynecorpinc*" OR
query{}="*wpad*" OR query{}="*bing*" OR query{}="*isatap")
| table _time, query{}, dest_ip
| Time | Query | Dest IP |
| 2016-08-24 12:34:39.352 | dns.msftncsi.com | 192.168.250.20 |
| 2016-08-24 12:48:12.267 | solidaritedeproximite.org | 192.168.250.20 |
| 2016-08-24 12:49:24.308 | ipinfo.io | 192.168.250.20 |
| 2016-08-24 13:15:12.668 | cerberhhyed5frqa.xmfir0.win | 192.168.250.20 |
Cerber malware was detected at 2016-08-24 12:49:24.542
Answer:
solidaritedeproximite.org
Question 204
What is the character length of the VB script field value from the initial Cerber infection?
index=botsv1 sourcetype="WinEventLog" EventCode=4688 "*.vbs*" host=we8105desk
| eval commandLen=len(Process_Command_Line)
| table Process_Command_Line, commandLen
| Process Command Line | Length |
| cmd.exe /V /C set "GSI=%APPDATA%\%RANDOM%.vbs" && (for %i in ("DIm RWRL" "FuNCtioN GNbiPp(Pt5SZ1)" "EYnt=45" ... | 4426 |
| "C:\Windows\System32\WScript.exe" "C:\Users\bob.smith.WAYNECORPINC\Desktop\# DECRYPT MY FILES #.vbs" | 100 |
| "C:\Windows\System32\WScript.exe" "C:\Users\bob.smith.WAYNECORPINC\AppData\Roaming\20429.vbs" | 93 |
Alternative source: WinEventLog:Microsoft-Windows-Sysmon/Operational
Answer:
4490
Question 205
What is the name of the USB key inserted by Bob Smith?
USB Detection Process:
Phase 1: The moment a USB is inserted, the PnP (Plug & Play) manager "discovers" the
hardware and creates a new key under USBSTOR to define the device's class (Mass Storage).
Phase 2: Once the device type is known, Windows creates a subkey using the device's
Unique Serial Number. If the device has no serial, Windows generates a "ParentIdPrefix".
Phase 3: Finally, Windows assigns a "FriendlyName" to the device so the user sees a
recognizable name in File Explorer.
index=botsv1 sourcetype="winregistry" key_path="*USBSTOR*"
registry_value_name="FriendlyName"
| stats count by registry_value_data, host
| rename registry_value_data as "USB_Device_Name"
| USB Device Name | Host | Count |
| MIRANDA_PRI | we8105desk | 2 |
Answer:
MIRANDA_PRI
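The three phases above, as an added Python example (not from the original write-up) that parses USBSTOR key paths out of constructed winregistry-style events and reproduces the `stats count by registry_value_data, host` view with the vendor, product and serial fields attached. The serial rule it applies, that an instance ID whose second character is `&` was generated by Windows because the device exposed no unique serial, is standard Windows PnP behaviour; every host, serial and name other than MIRANDA_PRI on we8105desk is made up.

```python
import re
from collections import Counter

# Key layout the PnP manager writes (phases 1-3 above), with the instance ID from phase 2:
#   ...\Enum\USBSTOR\<Class>&Ven_<vendor>&Prod_<product>&Rev_<rev>\<instance id>\<value name>
USBSTOR_RE = re.compile(
    r"USBSTOR\\(?P<cls>[^&\\]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>[^\\]*)"
    r"\\(?P<instance>[^\\]+)\\(?P<value>[^\\]+)$", re.IGNORECASE)

# Constructed winregistry-style events: (host, key_path, registry_value_name, registry_value_data).
# Only MIRANDA_PRI on we8105desk comes from the page; the other host, serials and names are made up.
EVENTS = [
    ("we8105desk", r"HKLM\System\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\0123456789ABCDEF&0\FriendlyName", "FriendlyName", "MIRANDA_PRI"),
    ("we8105desk", r"HKLM\System\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\0123456789ABCDEF&0\Capabilities", "Capabilities", "0x10"),
    ("we8105desk", r"HKLM\System\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\0123456789ABCDEF&0\FriendlyName", "FriendlyName", "MIRANDA_PRI"),
    ("ws-example-02", r"HKLM\System\CurrentControlSet\Enum\USBSTOR\Disk&Ven_ExampleVend&Prod_Thumb_Drive&Rev_1.00\7&1a2b3c4d&0&_&0\FriendlyName", "FriendlyName", "ExampleVend Thumb Drive USB Device"),
    ("ws-example-02", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater", "Updater", "C:\\tools\\upd.exe"),
]

def parse_usbstor_path(key_path):
    """Split a USBSTOR key path into its parts; None for keys that are not USBSTOR device keys."""
    m = USBSTOR_RE.search(key_path)
    if not m:
        return None
    inst = m["instance"]
    # Phase 2 rule: an instance ID whose second character is '&' was generated by Windows because
    # the device exposed no unique serial; otherwise the text before the first '&' is the serial.
    generated = len(inst) > 1 and inst[1] == "&"
    return {"class": m["cls"], "vendor": m["vendor"], "product": m["product"], "revision": m["rev"],
            "serial": None if generated else inst.split("&")[0],
            "serial_source": "windows-generated" if generated else "device", "value": m["value"]}

def usb_inventory(events):
    """Equivalent of `stats count by registry_value_data, host` over FriendlyName writes (phase 3),
    enriched with the vendor/product/serial fields parsed from the key path."""
    counts, details = Counter(), {}
    for host, key_path, value_name, value_data in events:
        parsed = parse_usbstor_path(key_path)
        if parsed is None or value_name.lower() != "friendlyname":
            continue
        counts[(value_data, host)] += 1
        details[(value_data, host)] = parsed
    return [{"friendly_name": name, "host": host, "count": n, **details[(name, host)]}
            for (name, host), n in sorted(counts.items())]
```

A device-provided serial is what lets the same stick be tracked across hosts; a Windows-generated one only identifies the port it was plugged into, so the second row in the inventory cannot be correlated with other machines.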
Question 206
What is the IP address of the file server connected during the ransomware outbreak?
index=botsv1 source="stream:smb" src_ip="192.168.250.100" dest_port=445
| stats count by dest_ip
| Destination IP | Count |
| 192.168.250.20 | 38815 |
Answer:
192.168.250.20
Question 207
How many distinct PDFs did the ransomware encrypt on the remote file server?
index=botsv1 source="WinEventLog:Security" Source_Address="192.168.250.100" "*.pdf*"
| stats dc(Relative_Target_Name) as total_encrypted_file
There is no direct evidence of encryption in these events; they all record file deletions on the remote file server, which is how the ransomware's rewrite of each PDF shows up in the Security log.
Answer:
257
Question 208
What is the ParentProcessId of the initial 121214.tmp launch?
index=botsv1 source="WinEventLog:Microsoft-Windows-Sysmon/Operational"
"*121214.tmp*" "*.vbs*"
Answer:
3968
Question 209
How many .txt files does Cerber encrypt in Bob Smith's Windows profile?
index=botsv1 sourcetype="xmlwineventlog" host=we8105desk extracted_eventid=2
TargetFilename="C:\\Users\\bob.smith.WAYNECORPINC*.txt"
| stats dc(TargetFilename) as Total_encrypted_txt_file
Answer:
406
Question 210
What is the name of the file containing the Cerber ransomware cryptor code?
index=botsv1 sourcetype=fgt_utm srcip="192.168.250.100" msg="File is infected."
Answer:
mhtr.jpg
Question 211
What obfuscation technique does the ransomware's encryptor file likely use?
Answer:
Steganography