Salaheldin

March 14, 2019

Catch the Malware

Main Challenge @ The 2018 SANS Holiday Hack Challenge [ Kringlecon ]

CTF Writeup

📍 Alabaster Snowball is on the 2nd floor: go right into the corridor until the end, then left; continue forward to the end, then go left until you reach the door on your right. Go through it and you will find him, with the Snort terminal to the left of Alabaster Snowball.

kc18_elves_elf_21.png

Help, all of our computers have been encrypted by ransomware!

I came here to help but got locked in ‘cause I dropped my “Alabaster Snowball” badge in a rush.

I started analyzing the ransomware on my host operating system, ran it by accident, and now my files are encrypted!

Unfortunately, the password database I keep on my computer was encrypted, so now I don’t have access to any of our systems.

If only there were some way I could create some kind of traffic filter that could alert anytime ransomware was found!


solution-icon.png

1- Let's start with ls to list the files and directories. Write the command in the terminal:

ls

2- Let's open more_info.txt for additional information. Write the command in the terminal:

cat more_info.txt

18-terminal-2.jpg


3- There are three ways to analyze the pcap in this challenge: tshark and tcpdump for analysis in the terminal, and Wireshark for offline analysis. Let's try each one:

Method 1 | Analysis using tshark tool :

  • Use tshark to dump and analyze the network traffic. Open the file /home/elf/snort.log.pcap, which is a full capture of the DNS traffic from the last 30 seconds:
    tshark -r snort.log.pcap

18-terminal-3.jpg

You can find more about tshark here: https://hackertarget.com/tshark-tutorial-and-filter-examples/

  • Let's strip the unwanted data for a clearer view of the queries:
    tshark -r snort.log.pcap -T fields -e dns.qry.name | sort
    -T sets the output format when printing decoded packet data; the fields option prints only the values of the fields named with -e.
    -e dns.qry.name selects the DNS query name field, so each output line is one query name. The sort command then orders the results so repeated names group together.

18-terminal-4.jpg

You will notice the same hex-looking string repeated inside many different query names: 77616E6E61636F6F6B69652E6D696E2E707331

There is also a huge number of DNS queries carrying this string, and the queries are numbered, which looks like a message or file split into several parts. That fits the DNS TXT record limit: each character-string in a TXT record holds at most 255 bytes, so a larger payload has to be chunked across multiple queries and responses.


Method 2 | Analysis using tcpdump tool :

  • Use tcpdump to analyze the network traffic in snort.log.pcap:
    tcpdump -r snort.log.pcap

18-terminal-5.jpg

You can find more about tcpdump here: http://www.tcpdump.org/

  • Let's strip the unwanted data for a clearer view. Write the following command in the terminal:
    tcpdump -r snort.log.pcap -n | cut -d " " -f 8 | sort
    -n turns off tcpdump's default behavior of looking up and translating hostnames.
    cut is a utility that cuts sections out of each line and outputs the result.
    -d sets the delimiter cut splits on; here it is a single space.
    -f selects the fields of interest. On a tcpdump DNS query line the query name is the eighth space-separated field, so -f 8 pulls it out (response lines have a different layout, so they produce other tokens that sort away from the names). The sort command then orders the results.

18-terminal-6.jpg

The same observations as in the tshark results.


Method 3 | Offline analysis using Wireshark Software :

  • First grab the pcaps for offline analysis. Go to http://snortsensor1.kringlecastle.com/
  • Enter the credentials from the more_info.txt file:
    Username | elf
    Password | onashelf
  • Download all the pcaps for offline analysis.
  • Open the pcaps in Wireshark and look through the traffic for leads. We know the Wannacookie malware communicates over DNS to fetch its data, which requires a huge number of DNS requests and responses, so sort the results by destination address:

18-terminal-7.jpg

The same hex string appears inside many different query names here too, together with the numbered, chunked queries already seen in the tshark and tcpdump output.

  • Inspect all the pcap files fully to confirm this conclusion.
  • Extract the string by selecting any packet that contains it > bottom panel > Domain Name System > Queries > expand the query entry:

18-terminal-8.jpg


4- The string we just found looks like hex characters, so let's run it through a hex decoder to convert it to readable text and confirm:
77616E6E61636F6F6B69652E6D696E2E707331 > wannacookie.min.ps1

Bingo! The malware is requesting a PowerShell script (.ps1) over DNS.
You can use this online converter: https://gchq.github.io/CyberChef/
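To do the same extraction without a terminal full of pcap tools, here is an added example (not part of the original writeup) in Python that consumes the one-query-name-per-line output of the tshark -T fields command above, finds the labels that look like hex, counts how often each repeats, collects the leading chunk numbers, and decodes the label. The sample query names, the `N.<hex>.<domain>` layout and the domain names in it are constructed for the example and are assumptions, not taken from the capture.

```python
#!/usr/bin/env python3
"""Added example (not the writeup's own code): find and decode the repeated
hex-encoded label in a list of DNS query names, such as the output of
`tshark -r snort.log.pcap -T fields -e dns.qry.name`."""
from __future__ import annotations

import re
from collections import Counter, defaultdict

# Constructed sample input, one query name per line. The chunk-index prefix,
# the domains and the number of queries are assumptions for the example.
SAMPLE_QUERY_NAMES = """\
0.77616E6E61636F6F6B69652E6D696E2E707331.example.com
1.77616E6E61636F6F6B69652E6D696E2E707331.example.com
2.77616E6E61636F6F6B69652E6D696E2E707331.example.com
0.77616E6E61636F6F6B69652E6D696E2E707331.other-host.net
1.77616E6E61636F6F6B69652E6D696E2E707331.other-host.net
www.example.com
update.example.com
"""

# A label is "hex-looking" if it is an even-length run of hex digits.
HEX_LABEL = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")


def hex_labels(name: str) -> list[str]:
    """Return every dot-separated label of `name` that is a plausible hex string.
    Very short labels are skipped to avoid matching things like 'ad' or 'cafe'."""
    return [lab for lab in name.split(".") if len(lab) >= 8 and HEX_LABEL.match(lab)]


def decode_hex_label(label: str) -> str:
    """Decode a hex label to text; unprintable bytes are kept as escapes."""
    return bytes.fromhex(label).decode("ascii", errors="backslashreplace")


def analyze(lines: str) -> dict:
    """Count each hex label across all query names and record the chunk indices
    (the leading numeric label) seen with it, most frequent label first."""
    counts = Counter()
    chunks = defaultdict(set)
    for name in lines.splitlines():
        name = name.strip().rstrip(".")  # tolerate a trailing root dot
        if not name:
            continue
        labels = name.split(".")
        for lab in hex_labels(name):
            counts[lab] += 1
            if labels[0].isdigit():
                chunks[lab].add(int(labels[0]))
    return {
        lab: {"count": n, "decoded": decode_hex_label(lab), "chunks": sorted(chunks[lab])}
        for lab, n in counts.most_common()
    }


if __name__ == "__main__":
    for lab, info in analyze(SAMPLE_QUERY_NAMES).items():
        print(f"{lab}  x{info['count']}  -> {info['decoded']!r}  chunks={info['chunks']}")
```

Feed it real data with `tshark -r snort.log.pcap -T fields -e dns.qry.name | python3 thisfile.py` after swapping `SAMPLE_QUERY_NAMES` for `sys.stdin.read()`; the chunk list shows at a glance how many pieces the fetched file was split into.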


5- Now let's shape our Snort rule to alert on any connection containing this string. A Snort rule looks like the following example:

18-terminal-9.jpg

Our Snort rule will be:

alert udp any 53 <> any any ( msg:"Wannacookie Ransomware connection"; content:"77616E6E61636F6F6B69652E6D696E2E707331"; priority:1; sid:9000000; )

With this rule we alert on any UDP traffic in either direction where one side uses port 53, since DNS listens for requests on port 53 whether the resolver is local or the malware's own server, and the payload contains the string 77616E6E61636F6F6B69652E6D696E2E707331 we just found. Note that content: is compared against the raw packet bytes and is case-sensitive unless nocase; is added; it matches here because the whole string sits inside a single DNS label, so it appears contiguously on the wire.

priority:1 marks the alert as highest priority, and sid uniquely identifies the rule; local rules should use SIDs of 1,000,000 or higher so they do not collide with the official rule set.

You can use this online Snort rule creator: http://snorpy.com/

18-terminal-10.jpg
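An added example, not the writeup's own code, to show what the content: test in this rule really compares against. Snort matches content against the raw packet bytes, and on the wire a DNS name is a chain of length-prefixed labels rather than a dotted string. The Python below builds a minimal DNS TXT query for a name carrying the marker and runs a byte-substring check that stands in for Snort's content: (with and without nocase). The query name layout, transaction ID and domain are constructed for the example and are assumptions.

```python
#!/usr/bin/env python3
"""Added example (not the writeup's own code): emulate the Snort content: match
against a DNS query encoded the way it actually travels on the wire."""
import struct

MARKER = "77616E6E61636F6F6B69652E6D696E2E707331"  # hex of wannacookie.min.ps1


def encode_dns_name(name: str) -> bytes:
    """Encode a dotted name as RFC 1035 labels: <len><label>...<len><label><0>."""
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"label length out of range: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_dns_query(name: str, qtype: int = 16, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query payload: 12-byte header plus one question.
    qtype 16 is TXT, the record type the chunked queries in the capture use."""
    # flags 0x0100 = recursion desired; QDCOUNT=1, AN/NS/AR counts 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_dns_name(name) + struct.pack("!HH", qtype, 1)  # class IN


def content_matches(payload: bytes, content: str, nocase: bool = False) -> bool:
    """Stand-in for a Snort 'content:' test: a raw byte substring search that is
    case-sensitive unless nocase is requested (assumption: plain ASCII content)."""
    needle = content.encode("ascii")
    if nocase:
        return needle.lower() in payload.lower()
    return needle in payload


if __name__ == "__main__":
    # Constructed query name in the N.<hex>.<domain> shape seen in the capture.
    pkt = build_dns_query(f"0.{MARKER}.example.com")
    print("marker inside one label, as written  :", content_matches(pkt, MARKER))

    # Case matters: a lowercase variant of the marker slips past the rule as written.
    low = build_dns_query(f"0.{MARKER.lower()}.example.com")
    print("lowercase marker, no nocase          :", content_matches(low, MARKER))
    print("lowercase marker, with nocase        :", content_matches(low, MARKER, nocase=True))

    # The decoded, dotted string never appears verbatim on the wire, because the
    # dots become length bytes; matching on it would not fire even for a plain name.
    plain = build_dns_query("wannacookie.min.ps1.example.com")
    print("dotted plaintext name                :", content_matches(plain, "wannacookie.min.ps1"))
```

The two takeaways for the rule above: the 38-character hex marker fits in a single label (the 63-byte label limit), so matching the literal ASCII works; and adding nocase; costs nothing here but closes the trivial case-change bypass.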


6- Now let's go back to the Snort terminal to test this rule. Write the following command to edit the rules file:

nano /etc/snort/rules/local.rules

7- Move down to an empty new line by pressing the down arrow key on your keyboard.

8- Write the Snort rule we just created, or copy and paste it into the terminal.

18-terminal-11.jpg

Then save the file after editing by pressing Ctrl+X > type y > Enter.


9- If the rule is wrong you will get this message:

18-terminal-12.jpg

You can also test your Snort rule by running:

snort -A fast -r ~/snort.log.pcap -l ~/snort_logs -c /etc/snort/snort.conf

This reads the pcap (-r) through the full configuration (-c), which includes local.rules, and writes fast-format alerts (-A fast) into the log directory (-l). If there are any errors in the rule, you will get the error at the end:

18-terminal-13.jpg


10- If the rule is correct you will get this message:

18-terminal-14.jpg


kc18_elves_elf_21.png

Thank you so much! Snort IDS is alerting on each new ransomware infection in our network.