Cyberdefenders: Redline

SriLambdaMan
3 min read · Jun 8, 2023

CyberDefenders.org

The scenario

As a member of the Security Blue team, your assignment is to analyze a memory dump using Redline and Volatility tools. Your goal is to trace the steps taken by the attacker on the compromised machine and determine how they managed to bypass the Network Intrusion Detection System “NIDS”. Your investigation will involve identifying the specific malware family employed in the attack, along with its characteristics. Additionally, your task is to identify and mitigate any traces or footprints left by the attacker.

Walkthrough

Determining Profile

To analyze the memory dump with Volatility 2, you first need the correct profile. The imageinfo plugin suggests it.
The correct profile is Win10x64_19041.

vol.py -f /home/remnux/cyberdefenders/redline/MemoryDump.mem imageinfo
Volatility profile of MemoryDump.mem

What is the name of the suspicious process?

After looking at the processes with pstree, the name oneext.exe stands out as suspicious.
A quick Google search also suggests that oneext.exe could be malicious.
The second reason this process lights up like a Christmas tree is its child process, rundll32.exe. Abusing this application is a common living-off-the-land technique.

vol.py -f /home/remnux/cyberdefenders/redline/MemoryDump.mem --profile=Win10x64_19041 pstree
Suspicious processes of MemoryDump.mem

Answer: oneext.exe
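To make the "rundll32.exe under an odd parent" observation repeatable rather than eyeballed, the following added example (not part of the original write-up) parses Volatility 2 pstree output and flags every rundll32.exe whose parent is not one of the launchers you would normally expect. The pstree excerpt is constructed to mimic vol2's layout; the offsets and all PIDs other than 5896 are made up, and the set of expected parents is an assumption for the example.

```python
"""Added example: flag suspicious parent/child pairs in Volatility 2 pstree output.

Not part of the original write-up. The pstree text below is constructed to
mimic vol2's layout; offsets and all PIDs except 5896 are made up.
"""
import re

# Constructed pstree excerpt (vol2 layout: leading dots mark tree depth).
SAMPLE_PSTREE = """\
Name                                                  Pid   PPid   Thds   Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
 0xffffc00100000001:explorer.exe                     4256   4208     60   1200 2023-06-08 10:00:00 UTC+0000
. 0xffffc00100000002:Outline.exe                     6100   4256     20    400 2023-06-08 10:01:00 UTC+0000
.. 0xffffc00100000003:tun2socks.exe                  6144   6100      8    150 2023-06-08 10:01:05 UTC+0000
. 0xffffc00100000004:oneext.exe                      5896   4256      4    120 2023-06-08 10:02:00 UTC+0000
.. 0xffffc00100000005:rundll32.exe                   6012   5896      3     90 2023-06-08 10:02:10 UTC+0000
 0xffffc00100000006:svchost.exe                       900    700     12    300 2023-06-08 09:50:00 UTC+0000
. 0xffffc00100000007:rundll32.exe                    1340    900      2     60 2023-06-08 09:51:00 UTC+0000
"""

# One process per line: optional tree dots, kernel object offset, name, pid, ppid.
LINE_RE = re.compile(
    r"^(?P<depth>[. ]*)0x[0-9a-f]+:(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)"
)

# Parents from which rundll32.exe is normally launched. This baseline is an
# assumption for the example, not an exhaustive list for every environment.
EXPECTED_RUNDLL32_PARENTS = {"explorer.exe", "svchost.exe", "services.exe"}


def parse_pstree(text):
    """Return a dict pid -> {"name", "ppid"} from vol2 pstree output."""
    procs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            procs[int(m["pid"])] = {"name": m["name"], "ppid": int(m["ppid"])}
    return procs


def find_suspicious(procs):
    """Return (parent_name, ppid, pid) for each rundll32.exe with an unexpected parent."""
    findings = []
    for pid, p in procs.items():
        if p["name"].lower() != "rundll32.exe":
            continue
        parent = procs.get(p["ppid"])
        parent_name = parent["name"] if parent else "<unknown>"
        if parent_name.lower() not in EXPECTED_RUNDLL32_PARENTS:
            findings.append((parent_name, p["ppid"], pid))
    return findings


if __name__ == "__main__":
    # Feed real output with: vol.py ... pstree > pstree.txt; python3 this.py < pstree.txt
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PSTREE
    for parent, ppid, pid in find_suspicious(parse_pstree(text)):
        print(f"rundll32.exe (pid {pid}) spawned by {parent} (pid {ppid})")
```

On the constructed tree only the rundll32.exe under oneext.exe (pid 5896) is reported; the one under svchost.exe is treated as normal. Tune the baseline set to your own environment before relying on it.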

What is the child process name of the suspicious process?

Already answered in the previous chapter.

Answer: rundll32.exe

What is the memory protection applied to the suspicious process memory region?

The malfind plugin finds the suspicious memory region and its protection.

vol.py -f /home/remnux/cyberdefenders/redline/MemoryDump.mem --profile=Win10x64_19041 malfind -p 5896
Suspicious memory protection of process 5896

Answer: PAGE_EXECUTE_READWRITE
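malfind reports every private region it finds questionable, so on a busy dump it helps to rank the hits. The following added example (not the page's own code) parses Volatility 2 malfind output and rates each region: PAGE_EXECUTE_READWRITE memory whose first bytes are an MZ header is rated high (a PE image mapped into RWX private memory is the classic injection or unpacking pattern), RWX without an MZ header is rated medium (possible shellcode), and anything non-executable is rated low. The malfind excerpt below is constructed to mimic vol2's layout; its addresses and hex bytes are made up.

```python
"""Added example: triage Volatility 2 malfind output for injected-code regions.

Not the page's own code. The excerpt below is constructed to mimic vol2's
malfind layout; the addresses and hex bytes are made up for the example.
"""
import re

SAMPLE_MALFIND = """\
Process: oneext.exe Pid: 5896 Address: 0x400000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x00400000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............
0x00400010  b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00   ........@.......

Process: oneext.exe Pid: 5896 Address: 0x2a50000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x02a50000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................

Process: explorer.exe Pid: 4256 Address: 0x1f0000
Vad Tag: VadS Protection: PAGE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 4

0x001f0000  48 65 6c 6c 6f 00 00 00 00 00 00 00 00 00 00 00   Hello...........
"""

HEADER_RE = re.compile(r"^Process: (?P<name>\S+) Pid: (?P<pid>\d+) Address: (?P<addr>0x[0-9a-fA-F]+)")
PROT_RE = re.compile(r"Protection: (?P<prot>PAGE_\w+)")
# Hex dump line: address, then up to 16 space-separated byte values, then ASCII.
HEX_RE = re.compile(r"^0x[0-9a-fA-F]+\s+((?:[0-9a-f]{2} ){1,16})")


def parse_malfind(text):
    """Split malfind output into regions: name, pid, addr, protection and first bytes."""
    regions = []
    cur = None
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            cur = {"name": h["name"], "pid": int(h["pid"]), "addr": int(h["addr"], 16),
                   "protection": None, "bytes": b""}
            regions.append(cur)
            continue
        if cur is None:
            continue
        p = PROT_RE.search(line)
        if p and cur["protection"] is None:
            cur["protection"] = p["prot"]
            continue
        x = HEX_RE.match(line)
        if x and len(cur["bytes"]) < 64:  # keep only the first 64 bytes per region
            cur["bytes"] += bytes.fromhex(x.group(1).replace(" ", ""))
    return regions


def triage(regions):
    """Return (name, pid, addr, protection, rating) tuples, one per region."""
    out = []
    for r in regions:
        if r["protection"] != "PAGE_EXECUTE_READWRITE":
            rating = "low"          # not executable: unlikely to hold injected code
        elif r["bytes"].startswith(b"MZ"):
            rating = "high"         # RWX private memory holding a PE header
        else:
            rating = "medium"       # RWX private memory, check for shellcode
        out.append((r["name"], r["pid"], hex(r["addr"]), r["protection"], rating))
    return out


if __name__ == "__main__":
    # Feed real output with: vol.py ... malfind > malfind.txt; python3 this.py < malfind.txt
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_MALFIND
    for row in triage(parse_malfind(text)):
        print("{:<12} pid {:<6} {:<12} {:<24} {}".format(*row))
```

Only the first 64 bytes of each region are kept, which is enough for the MZ check; if you want to carve a full region, use the dump option of malfind rather than re-parsing hex dumps.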

What is the name of the process responsible for the VPN connection?

In the pstree output there was a process called tun2socks.exe, which sounds like a VPN or proxy component. A quick search shows that Outline is a VPN application, so its parent process, Outline.exe, is the VPN application.

VPN processes of MemoryDump.mem

Answer: Outline.exe

What is the attacker’s IP address?

Dump the processes of interest with memdump or procdump and analyze the strings. In this case, Volatility 2 had problems with procdump, so I used memdump.

vol.py -f /home/remnux/cyberdefenders/redline/MemoryDump.mem --profile=Win10x64_19041 memdump -p 5896 -D /home/remnux/cyberdefenders/redline/memdumps/
strings -n 6 5896.dmp | grep http > strings_5896.txt
Malicious IP address in process 5896

Answer: 77.91.124.20

Based on the previous artifacts. What is the name of the malware family?

Searching for the IP address and the process name found above points to Redline Stealer.

Answer: Redline Stealer

What is the full URL of the PHP file that the attacker visited?

See the chapter “What is the attacker’s IP address?”

Answer: http://77.91.124.20/store/games/index.php

What is the full path of the malicious executable?

The same strings output also reveals the local path of the executable.

strings -n 6 5896.dmp | grep -F C:
Path of oneext.exe

Answer: C:\Users\Tammam\AppData\Local\Temp\c3912af058\oneetx.exe
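The two grep passes above (one for URLs, one for `C:` paths) both boil down to pulling printable strings out of the process dump and matching indicators in them. The following added example (not the page's own code) does that in one pass and also handles UTF-16LE strings, which `strings -n 6` skips unless you add `-e l` and which is where Windows processes keep many of their paths. It returns the unique URLs, IPv4 addresses and Windows paths found. The dump bytes are a constructed stand-in for 5896.dmp; the URL, IP and path values embedded in it are the ones this write-up reports, and the version string is included to show that a dotted number that is not an IP is ignored.

```python
"""Added example: extract URLs, IPv4 addresses and Windows paths from a process
memory dump, covering ASCII and UTF-16LE strings. Not the page's own code; the
dump below is constructed, seeded with the values the write-up reports.
"""
import re

# Constructed stand-in for 5896.dmp: junk, an ASCII URL, a UTF-16LE path,
# an ASCII path and a dotted version number that must not be reported as an IP.
SAMPLE_DUMP = (
    b"\x00\x01\x02MZ\x90\x00garbage\x00"
    + b"http://77.91.124.20/store/games/index.php\x00"
    + b"\xff\xfe"
    + "C:\\Users\\Tammam\\AppData\\Local\\Temp\\c3912af058\\oneetx.exe".encode("utf-16-le")
    + b"\x00\x00"
    + b"C:\\Windows\\System32\\rundll32.exe\x00"
    + b"version 10.0.19041.1234\x00"
    + b"ab\x00"
)

ASCII_RE = re.compile(rb"[\x20-\x7e]{6,}")              # like strings -n 6
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")      # like strings -n 6 -e l
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Four octets 0-255, not embedded in a longer run of digits.
IPV4_RE = re.compile(
    r"(?<!\d)(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)(?!\d)"
)
WINPATH_RE = re.compile(r'[A-Za-z]:\\(?:[^\\\x00-\x1f<>|:*?"\s]+\\)*[^\\\x00-\x1f<>|:*?"\s]*')


def extract_strings(data, min_len=6):
    """Return printable ASCII and UTF-16LE strings of at least min_len characters."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    out = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    out += [m.group().decode("utf-16-le") for m in utf16_re.finditer(data)]
    return out


def extract_indicators(data):
    """Return sorted, de-duplicated URLs, IPv4 addresses and Windows paths."""
    urls, ips, paths = set(), set(), set()
    for s in extract_strings(data):
        urls.update(URL_RE.findall(s))
        ips.update(IPV4_RE.findall(s))
        paths.update(WINPATH_RE.findall(s))
    return {"urls": sorted(urls), "ips": sorted(ips), "paths": sorted(paths)}


if __name__ == "__main__":
    # Usage on a real dump: python3 this.py 5896.dmp
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:
        data = SAMPLE_DUMP
    for kind, values in extract_indicators(data).items():
        print(kind)
        for v in values:
            print("  " + v)
```

The IPv4 pattern rejects dotted numbers with an octet above 255 or more than three digits, so version strings and similar noise do not end up in the IP list; anything it does return still needs the same manual vetting the write-up applies before it is treated as attacker infrastructure.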


Thunfisch Proteinshake! - I like Incident Response and Digital Forensics.