
How to extract CNC data from exe file

10 Posts
2 Users
0 Likes
2,607 Views
(@barburon)
Posts: 11
Active Member
Topic starter
 

Hello all, new here - thanks for having me )

I'm learning Cyber Security and took a forensics oriented semester.
We got a task, and I would like very much if any of the experts here could shed some light on the issue.

We were given a malicious exe file and asked to provide the following information

1. Dropper
2. Flag
3. CNC flag
4. CNC IP

Please, if someone can point me to what I should look for / software to use, I'll be grateful.
I've opened the file with PE Explorer / a hex editor but didn't find any useful info.

Thank you very much,
Looking forward to your reply,

Tal

 
Posted : 29/09/2019 12:32 pm
Bunnysniper
(@bunnysniper)
Posts: 257
Reputable Member
 

Set up a virtual machine - install and start ProcessHacker + Wireshark + RegShot - fire up the malware and see which processes are started, which reg keys are written and which IPs are contacted. That is all. The lazy way for students is www.hybrid-analysis.com

regards, Robin

 
Posted : 29/09/2019 12:56 pm
(@barburon)
Posts: 11
Active Member
Topic starter
 

Thank you so much, Robin.

I'll try it right now )

 
Posted : 29/09/2019 1:26 pm
(@barburon)
Posts: 11
Active Member
Topic starter
 

Hi,

Got some news! I've managed to get the "Dropper" (the malicious file name) and "CNC IP" fields correct.
But (!), I don't have any idea on how to get the "Flag" and "CNC flag" values.. any idea what those could be?

Thank you again )

 
Posted : 29/09/2019 7:06 pm
Bunnysniper
(@bunnysniper)
Posts: 257
Reputable Member
 

I don't have any idea on how to get the "Flag" and "CNC flag" values..any idea what those could be?

TCP Flags I would say.
https://www.keycdn.com/support/tcp-flags

You can see them in Wireshark or any other network sniffer. In this case I would expect nothing fancy and only normal handshake and TCP flags for a typical download of files.

regards, Robin

 
Posted : 29/09/2019 7:12 pm
(@barburon)
Posts: 11
Active Member
Topic starter
 

edited

I've managed to find the flag by typing "type %TEMP%\WhatAmI.exe" - it actually was a string.

Now, for the last part - the "CNC flag", any idea?

Uri

 
Posted : 29/09/2019 7:35 pm
Bunnysniper
(@bunnysniper)
Posts: 257
Reputable Member
 

Today malware has 2 or more stages, let's take a current example I was working on last week…

1. Initial infection via email. Script is executed and the laptop infected with Emotet.
2. Emotet establishes persistence and then Emotet downloads Trickbot.
3. Trickbot then downloads RYUK and RYUK encrypts servers and workstations under Windows and spreads around the domain.

You have something similar here. This download of more malware in a 2nd or 3rd stage is essential for the crime of RaaS (Ransomware as a Service). Crime gang A establishes persistence and a foothold on a network and then sells it to other groups which abuse the access to encrypt files and demand money.

And, before you go to bed I have something for you:
"Oh you tracked me.. well you deserve a flag 'Fl3gg4d' " - that is inside WhatAmI.exe, which is essentially a txt and not an exe file with an MZ header. You are not able to download files from hybrid-analysis, but I am -)
So you now know that your teacher means flags to "capture the flag" and not TCP flags btw.

good night, Robin

 
Posted : 29/09/2019 7:53 pm
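Added example (not code from the thread or from any tool mentioned in it): a small Python triage helper for a dropped file like the one Robin describes. It checks whether the file really carries a DOS "MZ" stub and a "PE\0\0" signature and, if not, pulls out printable strings that mention "flag". The sample bytes are constructed here, modelled on the string quoted above.

```python
import re
import struct

# Constructed sample: a file named like an .exe whose content is plain text (no MZ header).
FAKE_EXE_TEXT = b"Oh you tracked me.. well you deserve a flag 'Fl3gg4d'\r\n"


def build_min_pe_header() -> bytes:
    """Constructed 0x40-byte DOS header whose e_lfanew points at a 'PE\\0\\0' signature."""
    hdr = bytearray(b"MZ" + b"\x00" * 62)          # 64-byte IMAGE_DOS_HEADER
    struct.pack_into("<I", hdr, 0x3C, 0x40)        # e_lfanew -> offset 0x40
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20


def looks_like_pe(data: bytes) -> bool:
    """True only if both the DOS 'MZ' stub and the 'PE\\0\\0' signature are present."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Runs of printable ASCII of at least min_len bytes (what `strings` would show)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def find_flag_candidates(data: bytes) -> list:
    """Printable strings containing the word 'flag' (case-insensitive)."""
    return [s for s in extract_strings(data) if "flag" in s.lower()]


def triage(data: bytes) -> dict:
    """Summarise a dropped file: is it a real PE, and which strings look like a CTF flag?"""
    return {"is_pe": looks_like_pe(data), "flag_candidates": find_flag_candidates(data)}


if __name__ == "__main__":
    print(triage(FAKE_EXE_TEXT))
    print(triage(build_min_pe_header()))
```

To run it on a real sample, read the dropped file with `open(path, "rb").read()` and pass the bytes to `triage`.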
Bunnysniper
(@bunnysniper)
Posts: 257
Reputable Member
 

Now, for the last part - the "CNC flag", any idea?

Uri

Yes. There are 2 CNC hosts which have a web server running on port 80. Inspect what you can find on these servers to find the flag on them. You have the stage one binary, you have the 2nd stage flag and now it is time to continue on what you can find out about the attacker himself and his infrastructure.

again good night.

 
Posted : 29/09/2019 7:59 pm
(@barburon)
Posts: 11
Active Member
Topic starter
 

Robin, Thank you so much for your comprehensive and educational reply.
As you can see above, I accessed whatami.exe on my VM and got the flag ) but thanks for the effort!!

Please do have a Good Night,

Tal

 
Posted : 29/09/2019 8:00 pm
(@barburon)
Posts: 11
Active Member
Topic starter
 

Hi,

I sent you a PM, though it keeps showing in Outbox.. no idea why.. hope you saw it

Tal

 
Posted : 30/09/2019 8:41 am