TeamSpy CyberDefenders Walkthrough

a1l4m
9 min read · Jul 17, 2023

TeamViewer, Memory, GrrCon, Windows.

Scenario:

An employee reported that his machine started to act strangely after receiving a suspicious email with a document file. The incident response team captured a couple of memory dumps from the suspected machines for further inspection. As a SOC analyst, analyze the dumps and help the IR team figure out what happened!


File1: ecorpoffice

What is the PID the malicious file is running under?

Well, just searching with the malfind plugin, I found a process that looks hella suspicious:

vol2 -f win7ecorpoffice2010-36b02ed3.vmem --profile Win7SP1x64 malfind

the sus process.

I have submitted the PID, and it was right.

What is the C2 server IP address?

After using memdump on this process (PID 1364) and then grepping the dump for IP addresses with this regex, you will find it:

grep -E -o "([0-9]{1,3}\.){3}[0-9]{1,3}"

Or just use the netscan plugin and grep for the malicious process:

vol2 -f win7ecorpoffice2010-36b02ed3.vmem --profile Win7SP1x64 netscan | grep -i "SkypeC2AutoUpd"

What is the TeamViewer version abused by the malicious file?

Well, this one is odd, as I got the version from the verinfo plugin and also from VirusTotal, but it seems it's wrong.

verinfo output.

I struggled with this one, then I decided to see what the hint says.

After seeing the hint, which said to search for tvrv inside the dump file we obtained earlier, I did that and got the answer.

What password did the malicious file use to enable remote access to the system?

Let me explain something first:

TeamViewer: if you are going to connect via TeamViewer to a specific machine, you need two things: the ID and the password.

TeamViewer remote control page

So, the question asks for the password that the attacker set on the machine so he can connect to it remotely.

I tried to see if there are logs for the application, to find where exactly this password is logged inside the files, but I was not able to dump these files sadly :'(

There is a plugin called editbox.

This plugin extracts text from the edit, combo, and list boxes of GUI applications that run on Windows.

It includes, but is not limited to:

  • Notepad window.
  • Run dialog.
  • Username and server name fields of Remote Desktop Connection
  • Address bar and search bar of Internet Explorer.
  • Search bar of Windows Media Player.
  • Username field of Create New Account wizard.
  • Password of Change Password dialog.

After using the plugin with this command:

vol2 -f win7ecorpoffice2010-36b02ed3.vmem --profile Win7SP1x64 editbox

editbox output.

You will notice the password at the bottom.

What was the sender’s email address that delivered the phishing email?

When it comes to emails and there is a process called outlook.exe running, you don't have to think much: just dump the process.

vol2 -f win7ecorpoffice2010-36b02ed3.vmem --profile Win7SP1x64 memdump -p 2692 -D .

You will get the file 2692.dmp; grep it for email addresses with this handsome regex:

strings 2692.dmp | grep -Eo '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}'

emails in the dump file

It's not Phillip, as we noticed at first that he is the victim, so most probably it's KARENMILES@T-ONLINE.DE, which is right.

What is the MD5 hash of the malicious document?

Okay, so first, because it's obvious this is phishing, I tried to search for all the documents in the Outlook dump to see if there is one that looks suspicious.

doc files

I got those and tried to dump them, but you know, they are in Phillip's Downloads folder, which doesn't exist in this dump.

So, I dumped the Outlook files instead, first searching for PST files with:

vol2 -f win7ecorpoffice2010-36b02ed3.vmem --profile Win7SP1x64 filescan | grep -i '\.pst$'

outlook artifacts

Note: A PST file is a personal storage table, which is a file format Microsoft programs use to store items like calendar events, contacts, and email messages.

So, I extracted the second one to see Phillip's emails:

vol2 -f win7ecorpoffice2010-36b02ed3.vmem --profile Win7SP1x64 dumpfiles -Q 0x000000007d4d9450 -u -D .

You can open them using any OST viewer, but if there is an attachment you will not be able to extract it unless you have a premium subscription.

A friend told me about pff-tools, which extracts all the emails, contacts, attachments, etc. I used this command:

pffexport file.None.0xfffffa80042dcf10.dat

Then I went through the inbox, viewing every message. You will get this document, 1_bank_statement_088452.doc; running md5sum 1_bank_statement_088452.doc gives you the hash.

What is the bitcoin wallet address that ransomware was demanded?

After reading the other messages you will notice that the attacker mailed the victim with this email and left the bitcoin wallet address so the victim can pay him.

ransom mail from the attacker

What is the ID given to the system by the malicious file for remote access?

Checking the output of the editbox plugin again, you will find it right there.

ID and password for TeamViewer.

Right at the bottom.

What is the IPv4 address the actor last connected to the system with the remote access tool?

Kinda cheated here just to minimize my search results :”

I used this grep to search for an IP that starts with two digits and ends with three digits:

strings 2692.dmp | grep -Eo '\b[0-9]{2}\.[0-9]+\.[0-9]+\.[0-9]{3}\b' | sort | uniq

IPs.

You will get those; the answer is 31.6.35.122 :)

What Public Function in the word document returns the full command string that is eventually run on the system?

When I got the malicious document, I uploaded it to VirusTotal, and in the community tab I found this analysis.

DocGuard comment on VirusTotal

I went there to see the behavior of this malware. What I got from it is that the document contains macros, which is JS code inside the document that lets the attacker execute commands on the system. Then I took a look at the other tabs and found this under the suspicious code tab.

Malicious JS code.

Notice this long string; it looks suspicious as hell, so I guessed this is the command that will be run on the system and just submitted the function name as the answer, which is UsoJar.

But I think I was lucky to find this analysis, so I searched for how we can extract macros from documents and got my hands on this tool: oletools.

You can install it using pip3 install oletools

Using this command, olevba -c /path/to/document, you will get the JS code.

File2: ecorpwin7

What is the MD5 hash of the malicious document?

Okay, after looking at the processes in this dump I found Outlook again; let's see if this process ran any commands on the system.

vol2 -f ecorpwin7-e73257c4.vmem --profile Win7SP1x64 malfind

outlook always got something man.

Indeed. So my guess is it's a phishing attack again, so I dumped the Outlook artifacts again.

As I explained at first, we search for PST files, then dump them using the dumpfiles plugin with the offset of the file, and after that we use pffexport file.dat.

I found this message sent from lloydchung@allsafecybersec.com to scott.knowles@e-corp.biz, with an attachment that he says is part of the leak that happened.

Phishing Email.

It came with this attachment, 1_Important_ECORP_Lawsuit_Washington_Leak.rtf, and Scott replied to him saying this one is legit. Really!! Come on Scott, you're better than that.

So, after browsing the file it's empty; I tried to see if I can dump it from the system. And yes, with this command I found it:

vol2 -f ecorpwin7-e73257c4.vmem --profile Win7SP1x64 filescan | grep -i "Washington_Leak.rtf"

malicious rtf file.

Then dump the file using this command; you will get a .dat file, which you upload to VirusTotal:

vol2 -f ecorpwin7-e73257c4.vmem --profile Win7SP1x64 dumpfiles -Q 0x000000007d6b3850 --dump-dir=.

VirusTotal results

And it appears that this is our malicious document, and Scott was wrong when he said it seems legit :"

Getting the hash, it was wrong lol, but there were a lot of NULL bytes at the end of the file; I just removed them, calculated the hash again, and it was right.
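To reproduce that trimming step, here is an added example (not code from the original walkthrough): it builds a page-padded dump from a constructed RTF body, strips the trailing NUL padding and compares both MD5s. PAGE, the sample document and the RTF sanity check are assumptions; the caveat about formats that legitimately end in NUL bytes is in the comments.

```python
import hashlib

PAGE = 4096  # dumpfiles writes whole 4 KiB pages, so the tail is zero padded (assumption)

def trailing_null_count(data: bytes) -> int:
    """How many NUL bytes sit at the end of the dump (0 means nothing to trim)."""
    return len(data) - len(data.rstrip(b"\x00"))

def strip_trailing_nulls(data: bytes) -> bytes:
    """Drop the zero padding. Caveat: a format whose real content ends in NUL
    bytes would lose those too; RTF is safe because a valid file ends in '}'."""
    return data.rstrip(b"\x00")

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def compare_hashes(dumped: bytes) -> dict:
    """MD5 of the dump as written versus after trimming, plus a sanity check
    that the trimmed bytes still look like a complete RTF document."""
    trimmed = strip_trailing_nulls(dumped)
    return {
        "padding_bytes": trailing_null_count(dumped),
        "raw_md5": md5_hex(dumped),
        "trimmed_md5": md5_hex(trimmed),
        "looks_like_rtf": trimmed.startswith(b"{\\rtf") and trimmed.endswith(b"}"),
    }

def pad_to_page(data: bytes, page: int = PAGE) -> bytes:
    """Reproduce the padding the plugin adds for a file that is not a page multiple."""
    return data + b"\x00" * (-len(data) % page)

# Constructed stand-in for the dumped .dat: a tiny RTF body followed by page padding
ORIGINAL_DOC = b"{\\rtf1\\ansi\\deff0 {\\fonttbl {\\f0 Calibri;}} Leak summary attached.}"
DUMPED = pad_to_page(ORIGINAL_DOC)

if __name__ == "__main__":
    for key, value in compare_hashes(DUMPED).items():
        print(f"{key:15} {value}")
```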

What is the common name of the malicious file that gets loaded?

Well, I tried olevba to analyze the RTF, but it said to use rtfobj instead for that.

After using rtfobj I got nothing sadly; I also tried to get anything on that file from VirusTotal, hybrid-analysis and Google, but no luck.

I moved to the next question, which says there is a C2 server, so I got the idea to dump the process that is connecting to the C2 and see if there is something I can get from that. Apparently, nothing.

I used my hint; it says to check the cmdline plugin and search for test.dll.

test.dll

I searched for it on the system, then dumped it and checked this DLL file on VirusTotal.

VirusTotal results.

It is malicious. Okay, the question asks for the common name of the malicious file; I checked the names in the details tab, but it was wrong, then I googled the family name of the malware to see.

quick Google search.

So, it's either Hodur or PlugX; submitting PlugX, it was the right one.

I have to mention that the rundll32.exe that loads 'test.dll' is running under svchost.exe, which is a malicious process.

process tree output.

So, I should have checked this before seeing the hint.

What password does the attacker use to stage the compressed file for exfil?

I tried to search for .zip, .rar and password inside the cmd.exe and svchost.exe dumps, but couldn't find the compressed file.

I also dumped the PowerShell event log to see the commands, but it was also empty.

PowerShell artifacts.

Okay, time to check conhost.exe, which is also related to PowerShell.

Conhost.exe is a useful and necessary operating system process that helps to support the CMD and PowerShell terminal in Windows.

Okay, you can get what you are looking for from all the process dumps I got above by just searching for .rar or password, but the point is I was using strings wrong: you need to add -el :') to it, so that it also extracts 16-bit little-endian (UTF-16LE) strings, which is how Windows console and GUI applications store their text.

searching with '\.rar$'
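The grep one-liners for IP and e-mail addresses in the first dump, and the -el lesson here, in one added Python example (not the author's code): it pulls both ASCII and UTF-16LE runs out of a raw buffer the way strings and strings -el do, then applies the same regexes. The buffer is a constructed stand-in for a memdump; the e-mail and IP come from this walkthrough, and the .rar path is made up.

```python
import re

# Byte patterns for what `strings` (ASCII) and `strings -el` (UTF-16LE) report
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
UTF16LE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")

# Same indicator regexes the walkthrough uses with grep
IPV4_RE = re.compile(r"\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def extract_strings(data: bytes, utf16: bool = True):
    """Yield printable runs from a raw dump: ASCII always, UTF-16LE when utf16=True."""
    for m in ASCII_RUN.finditer(data):
        yield m.group().decode("ascii")
    if utf16:
        for m in UTF16LE_RUN.finditer(data):
            yield m.group().decode("utf-16-le")

def find_indicators(data: bytes, utf16: bool = True) -> dict:
    """Collect IPv4 addresses, e-mail addresses and .rar paths from the dump."""
    found = {"ips": set(), "emails": set(), "rar": set()}
    for s in extract_strings(data, utf16):
        found["ips"].update(IPV4_RE.findall(s))
        found["emails"].update(EMAIL_RE.findall(s))
        found["rar"].update(w for w in s.split() if w.lower().endswith(".rar"))
    return {k: sorted(v) for k, v in found.items()}

# Constructed sample buffer standing in for a process memdump: ASCII e-mail and
# IP taken from the walkthrough, plus a made-up Windows path stored as UTF-16LE
# (every other byte is NUL, so plain `strings` never sees a 4-char run).
SAMPLE_DUMP = (
    b"\x00\x01\xffFrom: KARENMILES@T-ONLINE.DE\x00\x00"
    b"connect 31.6.35.122:80\x00\x13\x37"
    + "C:\\Users\\scott\\AppData\\Local\\Temp\\exfil.rar".encode("utf-16-le")
    + b"\x00\x00"
)

if __name__ == "__main__":
    print("ASCII only :", find_indicators(SAMPLE_DUMP, utf16=False))
    print("with UTF-16:", find_indicators(SAMPLE_DUMP))
```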

What is the IP address of the c2 server for the malicious file?

An outbound HTTP connection (port 80) from a local process is suspicious.

List all the connections and filter on the port:

vol2 -f ecorpwin7-e73257c4.vmem --profile Win7SP1x64 netscan | grep "80"

C2 Server

svchost.exe is a local process connected to an external server.

What is the email address that sent the phishing email?

At first, when we were searching the messages, we found that the guy from allsafecybersec.com was tricking Scott into downloading the malicious document.

phishing mail from the attacker
sender email address.

What is the name of the deb package the attacker staged to infect the E Coin Servers?

After dumping the svchost process with the memdump plugin, then searching for any .deb files with the filter \.deb$, you will get this.

deb package being downloaded.

He downloaded the file using wget.

Beautiful journey innit :”

Cya geeks.
