This is a write-up of the CyberDefenders Red Stealer challenge.
1. Challenge description
You are part of the Threat Intelligence team in the SOC (Security Operations Center). An executable file has been discovered on a colleague's computer, and it's suspected to be linked to a Command and Control (C2) server, indicating a potential malware infection.
Your task is to investigate this executable by analyzing its hash. The goal is to gather and analyze data that is beneficial to other SOC members, including the Incident Response team, in order to efficiently respond to this suspicious behavior.
Q1.
Categorizing malware allows for a quicker and easier understanding of the malware, aiding in understanding its distinct behaviors and attack vectors. What's the identified malware's category?
I was able to answer this question using VirusTotal.
Q2.
Clear identification of the malware file name facilitates better communication among the SOC team. What's the file name associated with this malware?
The answer can be found in the Details tab on VirusTotal.
Q3.
Knowing the exact time the malware was first seen can help prioritize actions. If the malware is newly detected, it may warrant more urgent containment and eradication efforts compared to older, well-known threats. Can you provide the UTC timestamp of first submission of this malware on VirusTotal?
This can also be checked in the Details tab.
Q4.
Understanding the techniques used by malware helps in strategic security planning. What is the MITRE ATT&CK technique ID for the malware's data collection from the system before exfiltration?
The answer can be found in the Behavior tab on VirusTotal.
Q5.
Following execution, what domain name resolution is performed by the malware?
Likewise, check the Behavior tab on VirusTotal.
Q6.
Once the malicious IP addresses are identified, network security devices such as firewalls can be configured to block traffic to and from these addresses. Can you provide the IP address and destination port the malware communicates with?
This one can also be checked in the Behavior tab.
Q7.
If a hosting service is frequently used for malicious activities, security teams can implement strict filtering rules for all traffic to and from the IPs belonging to that hosting provider. What hosting service does the identified IP belong to?
Finding the hosting provider for this question was very difficult. I confirmed the IP on VirusTotal, but the domain hosting did not show up in KISA WHOIS or in overseas WHOIS services either, so I checked it with a domain checker.
Q8.
YARA rules are designed to identify specific malware patterns and behaviors. What's the name of the YARA rule created by "Varp0s" that detects the identified malware?
This question is really frustrating. I looked it up on MalwareBazaar and got no search results. I searched elsewhere too but could not find the answer, so I looked at a write-up: the answer was to search MalwareBazaar for the hash given in the challenge. It had not shown up when I tried earlier, and it did not show up when I tried other ways either...
Q9.
Understanding which malware families are targeting the organization helps in strategic security planning for the future and prioritizing resources based on the threat. Can you provide the different malware alias associated with the malicious IP address?
I heard people got stuck on this question, but I solved it easily using ThreatFox.
Q10.
By identifying the malware's imported DLLs, we can configure security tools to monitor for the loading or unusual usage of these specific DLLs. Can you provide the DLL utilized by the malware for privilege escalation?
First I searched Google for which DLLs are used for privilege escalation, and then I could find it in the Details tab on VirusTotal.
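The ten lookups above are the same hash-based enrichment a SOC would script rather than click through. The helper below is an added example, not part of the original post and not CyberDefenders' material: it parses the response shapes of the public VirusTotal v3 API (file object, behaviour_summary, IP object), MalwareBazaar (`query=get_info`) and ThreatFox (`search_ioc`) into the fields each question asks for. It runs offline against constructed sample records (RFC 5737 documentation IP, `.invalid` domain, documentation ASN, placeholder rule names); none of those values are the Red Stealer answers, and the API URLs are assumptions taken from the vendors' documentation, not calls the post itself makes.

```python
"""Offline helper for the hash-based triage steps Q1-Q10 (added example).

Response shapes follow the public VirusTotal v3, MalwareBazaar and ThreatFox
APIs. Every SAMPLE_* record is constructed and is NOT the challenge answer.
"""
import json
from datetime import datetime, timezone

# Assumed endpoints (from vendor docs; no network call is made in this file).
VT_FILE = "https://www.virustotal.com/api/v3/files/{}"        # GET, header x-apikey
VT_BEHAVIOUR = VT_FILE + "/behaviour_summary"                 # GET
VT_IP = "https://www.virustotal.com/api/v3/ip_addresses/{}"   # GET
MB_API = "https://mb-api.abuse.ch/api/v1/"                    # POST query=get_info&hash=
TF_API = "https://threatfox-api.abuse.ch/api/v1/"             # POST {"query":"search_ioc",...}


def vt_file_summary(report):
    """Q1-Q3, Q10: category, name, first submission in UTC, imported DLLs."""
    a = report["data"]["attributes"]
    # VT stores first_submission_date as a Unix epoch; Q3 wants a UTC timestamp.
    first = datetime.fromtimestamp(a["first_submission_date"], tz=timezone.utc)
    threat = a.get("popular_threat_classification", {})
    return {
        "file_name": a.get("meaningful_name"),
        "first_submission_utc": first.strftime("%Y-%m-%d %H:%M:%S UTC"),
        "categories": [c["value"] for c in threat.get("popular_threat_category", [])],
        "imported_dlls": sorted({i["library_name"].lower()
                                 for i in a.get("pe_info", {}).get("import_list", [])}),
    }


def vt_behaviour_iocs(summary):
    """Q4-Q6: ATT&CK technique IDs, DNS lookups and ip:port contacts."""
    d = summary["data"]
    return {
        "attack_ids": sorted({t["id"] for t in d.get("mitre_attack_techniques", [])}),
        "dns": sorted({x["hostname"] for x in d.get("dns_lookups", [])}),
        "ip_ports": sorted({f"{x['destination_ip']}:{x['destination_port']}"
                            for x in d.get("ip_traffic", [])}),
    }


def vt_ip_owner(ip_obj):
    """Q7: the AS owner VirusTotal records for the IP (the hosting provider)."""
    a = ip_obj["data"]["attributes"]
    return {"asn": a.get("asn"), "as_owner": a.get("as_owner")}


def mb_yara_by_author(mb_response, author):
    """Q8: YARA rule names attached to a MalwareBazaar sample, filtered by author.
    Returns None when the hash is unknown (query_status != "ok"), the empty
    result the post describes, so a caller can tell "no rules" from "no sample"."""
    if mb_response.get("query_status") != "ok":
        return None
    rules = []
    for sample in mb_response["data"]:
        rules += [r["rule_name"] for r in sample.get("yara_rules", [])
                  if r.get("author") == author]
    return rules


def tf_aliases(tf_response):
    """Q9: malware aliases ThreatFox lists for an IOC.
    malware_alias is a comma-separated string and may be null; on no_result
    ThreatFox puts a message string in "data", so guard on query_status."""
    if tf_response.get("query_status") != "ok":
        return []
    aliases = set()
    for ioc in tf_response["data"]:
        aliases.update(a.strip() for a in (ioc.get("malware_alias") or "").split(",") if a.strip())
    return sorted(aliases)


# ---- constructed samples: documentation values only, not the challenge data ----
SAMPLE_VT_FILE = {"data": {"attributes": {
    "meaningful_name": "sample.exe",
    "first_submission_date": 1700000000,   # constructed epoch
    "popular_threat_classification": {"popular_threat_category": [{"count": 20, "value": "trojan"}]},
    "pe_info": {"import_list": [{"library_name": "KERNEL32.dll", "imported_functions": ["CreateFileW"]},
                                {"library_name": "ADVAPI32.dll", "imported_functions": ["OpenProcessToken"]}]},
}}}
SAMPLE_VT_BEHAVIOUR = {"data": {
    "mitre_attack_techniques": [{"id": "T1005", "signature_description": "constructed sample"}],
    "dns_lookups": [{"hostname": "c2.example.invalid", "resolved_ips": ["203.0.113.10"]}],
    "ip_traffic": [{"destination_ip": "203.0.113.10", "destination_port": 4444, "transport_layer_protocol": "TCP"}],
}}
SAMPLE_VT_IP = {"data": {"attributes": {"asn": 64496, "as_owner": "Example Hosting Ltd"}}}
SAMPLE_MB = {"query_status": "ok", "data": [{"yara_rules": [
    {"rule_name": "rule_by_a", "author": "analyst_a"}, {"rule_name": "rule_by_b", "author": "analyst_b"}]}]}
SAMPLE_MB_MISS = {"query_status": "hash_not_found"}
SAMPLE_TF = {"query_status": "ok", "data": [
    {"ioc": "203.0.113.10:4444", "malware": "win.example", "malware_alias": "AliasOne,AliasTwo"},
    {"ioc": "203.0.113.10:4444", "malware": "win.example", "malware_alias": None}]}


def triage():
    """Assemble the hand-off summary for the IR team from the constructed samples."""
    return {"file": vt_file_summary(SAMPLE_VT_FILE), "behaviour": vt_behaviour_iocs(SAMPLE_VT_BEHAVIOUR),
            "hosting": vt_ip_owner(SAMPLE_VT_IP), "yara_by_analyst_b": mb_yara_by_author(SAMPLE_MB, "analyst_b"),
            "aliases": tf_aliases(SAMPLE_TF)}


if __name__ == "__main__":
    print(json.dumps(triage(), indent=2))
```

Two details are worth keeping from this when doing it by hand: VirusTotal's first-submission field is a Unix epoch and the question asks for UTC, so convert explicitly rather than reading the local-time rendering in the web UI; and MalwareBazaar answers an unknown hash with `query_status` other than `"ok"`, which is exactly the "no result" the post hit on Q8, so a script should distinguish that from a sample that simply has no YARA rules.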