Solution for the ECSM HackMe challenge

Date of publication: 28/10/2014, CERT Polska


As part of the ECSM initiative we announced a HackMe challenge. The challenge proved not too difficult for our readers, and the five fastest Polish winners are:

    1. Mateusz Rek
    2. albercik
    3. Michał Celiński-Mysław
    4. Piotr Kaźmierczak
    5. Łukasz Odzioba

Congratulations! Below is the solution for the challenge. While there are probably many other viable solutions, this one uses only free and accessible software.

What did Tomek do?

Most probably Tomek fell for one of the more popular social engineering attacks. The connection to http://gogle.test/search?q=male+koty was most likely made by clicking a link in a spam message, which Tomek was known to do. This page contained an iframe which led to the http://192.168.56.200:8080/kitten URL. That URL contained an applet element, which ran the Exploit class from the Exploit.jar file.

[Screenshot: ecsm_hackme_stream]

Some of you may have noticed that this file was created using the Metasploit Framework and exploits the CVE-2012-4681 vulnerability in the Java browser plugin. After the exploitation phase a PE file was downloaded from the http://adbe.test/flash.flv URL. This PE file was packed with UPX. Unpacking is as simple as running the upx -d file.exe command.

What did the dropper do?

Let’s try running the dropper on a virtual machine. We will be using the Sysinternals Suite to analyze this malware, specifically the Process Monitor (ProcMon.exe) tool. The screenshot below shows what happens when you run the dropper. It tries to read a registry key that holds the path to the MilCAD.exe file. You have to create an empty directory (e.g. C:\Program Files\MilCAD) and put its path as the registry key value.

[Screenshot: ecsm_hackme_milcad]

This did not change much; the dropper still seems not to run at all. We have to fire up a disassembler, like the free version of IDA 5.0. The string that stands out the most is Tomek. This matches the employee who was targeted in this attack. Let’s follow that string to the place where it is used in the PE file. The screenshot below shows the actual part of the code where the string is used to check whether the current user account name is Tomek and whether the system date is set to the 8th of October, 2014 (this date was extracted from the PCAP file).

[Screenshot: ecsm_hackme_tomek]

If both of these conditions are fulfilled, the dropper sleeps for over a minute and goes on to the next instructions. After creating the specified user account and changing the system date to the 8th of October, 2014, the dropper runs longer and makes a request to the http://micrsoft.test/windowsupdate URL. This is consistent with the traffic dump, as can be seen on the screenshot below.

[Screenshot: ecsm_hackme_windowsupdate]

In order to redirect the request to our HTTP server, we only need to change the IP-to-domain mapping by adding the following entry to the %SystemRoot%\system32\drivers\etc\hosts file (where ADRES_IP_SERWERA stands for the IP address of your server):

ADRES_IP_SERWERA micrsoft.test

You also have to upload the windowsupdate file extracted from the given PCAP file. After the dropper is started again, it should download the correct file and write some data to two different files, as presented on the screenshot below.

[Screenshot: ecsm_hackme_ads]

If the file system is not NTFS, you will see the same output as on the screenshot above. This effect is caused by the fact that the dropper uses the NTFS feature called Alternate Data Streams (ADS). If the file system is NTFS, we can go to the path visible above, but we will only see the empty nukes.dll file. In order to see the ADS content, we can use NirSoft AlternateStreamView. It is very simple to use: just select the directory in which the nukes.dll file resides and choose Export Selected Streams To... along with an empty export directory. This is where all the ADS data will be written.

You now have the plaintext version of the library that was on Tomek’s computer.

What did the DLL file do?

This downloaded DLL was loaded into process memory and run from the dropper process. It was also packed with UPX, and after unpacking you can see a couple of different exported functions, as pictured below.

[Screenshot: ecsm_hackme_dll_export]

Process Monitor logs show that the dropper tried to access the C:\Users\Tomek\Documents\ACAD\weapon.trb file, and we can assume that this was the exfiltrated file. If you want to make sure that this is indeed the exfiltrated file, you can analyze the dropper and DLL code in IDA. Additionally, the DLL uses the same Alternate Data Stream technique as the dropper in order to encrypt the file before sending it.

[Screenshot: ecsm_hackme_file]

Since we already have the filename, all that is left is the file contents. If the cipher used to encrypt the file is a stream cipher, then feeding the encrypted file through the malware again should decrypt it: a stream cipher XORs the data with a keystream that depends only on the key, so applying the same operation twice restores the original. If you save the encrypted file extracted from the PCAP as C:\Users\Tomek\Documents\ACAD\weapon.trb and run the dropper again, it should try to send the decrypted version of the file. All that is left is installing an FTP server and redirecting the connection as we did with the HTTP server above. Just remember to accept connections that authenticate using the credentials from the screenshot presented below.

[Screenshot: ecsm_hackme_ftp]

The uploaded FTP file is indeed the solution (as you can see by opening it), and indeed a stream cipher was used by the malware.
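To show why re-running the encryption recovers the plaintext, here is an added Python model that is not the malware's code and not part of the original write-up: a toy XOR stream cipher stands in for the DLL's cipher, a chained cipher shows the case where the trick fails, and the SHA-256 comparison from the Solution section is the final check. The key, the sample file and its hash are constructed placeholders.

```python
import hashlib

# Constructed sample standing in for weapon.trb; its SHA-256 plays the role of the
# expected hash from the Solution section (placeholder, not the real value).
PLAINTEXT = b"constructed sample drawing data for the example only\n" * 4
PLAINTEXT_SHA256 = hashlib.sha256(PLAINTEXT).hexdigest()

_SECRET_KEY = b"key-hidden-inside-the-dll"  # the analyst never needs to know it


def _keystream(key: bytes, length: int) -> bytes:
    """Toy key-dependent keystream (SHA-256 in counter mode); NOT the malware's cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "little")).digest()
        counter += 1
    return bytes(out[:length])


def malware_encrypt_stream(data: bytes) -> bytes:
    """Models the DLL as a pure stream cipher: ciphertext = data XOR keystream.
    The keystream depends only on the key, so encrypting twice restores the data."""
    ks = _keystream(_SECRET_KEY, len(data))
    return bytes(d ^ k for d, k in zip(data, ks))


def malware_encrypt_chained(data: bytes) -> bytes:
    """Counterexample: each ciphertext byte also feeds into the next one (CBC-like),
    so re-encrypting the ciphertext does NOT give the plaintext back."""
    ks = _keystream(_SECRET_KEY, len(data))
    out, prev = bytearray(), 0
    for d, k in zip(data, ks):
        prev = d ^ k ^ prev
        out.append(prev)
    return bytes(out)


def recover_via_reencryption(captured_ciphertext: bytes, encrypt) -> bytes:
    """The write-up's trick: plant the ciphertext captured in the PCAP as weapon.trb
    and let the malware 'encrypt' it again; the result is what it uploads over FTP."""
    return encrypt(captured_ciphertext)


def matches_expected(data: bytes, expected_sha256: str) -> bool:
    """Final check from the Solution section: SHA-256 of the recovered file."""
    return hashlib.sha256(data).hexdigest() == expected_sha256


if __name__ == "__main__":
    for name, enc in (("stream", malware_encrypt_stream), ("chained", malware_encrypt_chained)):
        recovered = recover_via_reencryption(enc(PLAINTEXT), enc)
        print(name, "cipher recovered plaintext:", matches_expected(recovered, PLAINTEXT_SHA256))
```

The trick only holds when the keystream does not depend on the data and the malware reuses the same key, which is exactly what the chained counterexample violates.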

Solution

The correct solution was:

    • SHA256: fc1e152ad4fce16b490009ae0bd2994f72d911e3ca7e153f162322a66a0dbe90
    • Filename: weapon.trb (paths such as C:\Users\Tomek\Moje Dokumenty\ACAD\weapon.trb and similar were also accepted in the Polish version of the challenge)

Congratulations to the winners and we hope that you had fun solving this challenge!