Unit 42

In this Sherlock, you will familiarize yourself with Sysmon logs and various useful EventIDs for identifying and analyzing malicious activities on a Windows system. Palo Alto’s Unit42 recently conducted research on an UltraVNC campaign, wherein attackers utilized a backdoored version of UltraVNC to maintain access to systems. This lab is inspired by that campaign and guides participants through the initial access stage of the campaign.

How many Event logs are there with Event ID 11?

The first thing I did was create a Python script to parse the Sysmon logs into a readable XML format.

After doing this, I opened up my terminal and did a grep count search for all instances of Event ID 11.

grep -c "EventID.*11" output_file.xml

The result was 56.

What is the malicious process that infected the victim’s system?

When a process is created in memory, an event with ID 1 is recorded with details such as the command line, hashes, process path, etc.

First, I used the grep command to search for all instances where Event ID 1 occurred in the XML file:

grep -i -A 20 '<EventID[^>]*>1</EventID>' output_file.xml

Next, I refined the results to extract and inspect any file paths or executable names using the grep command:

grep -i -A 20 '<EventID[^>]*>1</EventID>' output_file.xml | grep -i '<Data Name="Image">.*</Data>'

This will capture the <Data Name="Image"> tag that usually contains file execution paths.

Following this method allowed me to effectively locate instances of Event ID 1 and analyze the files being executed. By inspecting the file paths, I could identify any suspicious behavior, such as files with double extensions.

Preventivo24.02.14.exe.exe, looks to be the culprit. Attackers often use double extensions to bypass antivirus scanners or to trick people into downloading what they think is a harmless file. Although, this could also be a script kiddie mistake.

Which Cloud drive was used to distribute the malware?

Event ID 22 can be used to look for any DNS Queries made by the system. This will help in knowing which Cloud drive was used.

I used grep again to look for instances of Event ID 22, and the lines that came after it so that I could look for any indications of a cloud service being used.

grep -i -A 20 '<EventID[^>]*>22</EventID>' output_file.xml

From this, I learned the attacker used dropbox to distribute the malware.

For many of the files it wrote to disk, the initial malicious file used a defense evasion technique called Time Stomping. What was the timestamp changed to for the PDF file?

Event ID 2 records any file creation time changes on any files on the system.

So the first step is to do a grep search for Event ID 2.

grep -i -A 20 '<EventID[^>]*>2</EventID>' output_file.xml

Here we can see that the original time the PDF file was created was at 2024-02-14, but it is then changed at the end to 2024-01-14 08:10:06, an entire month later.

The malicious file dropped a few files on disk. Where was “once.cmd” created on disk? Please answer with the full path along with the filename.

Since Event ID 11 is the code for file creation, I did a grep on that as well as once.cmd:

grep -i -A 20 '<EventID[^>]*>11</EventID>' output_file.xml | grep -i 'once.cmd'

The result was C:\Users\CyberJunkie\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\once.cmd

Installed in the Games directory!

The malicious file attempted to reach a dummy domain, most likely to check the internet connection status. What domain name did it try to connect to?

A quick search for all of the Event ID 22 instances should help.

grep -i -A 20 '<EventID[^>]*>22</EventID>' output_file.xml

At the very bottom of the output, I was able to see that after the malicious file was created it attempted to reach “example.com”:

<Data Name="QueryName">www.example.com</Data>

Which IP address did the malicious process try to reach out to?

Event ID 3 records the IP address, port, and the process attempting to make an outbound connection.

grep -i -A 30 '<EventID[^>]*>3</EventID>' output_file.xml

From this information, we can see that the Destination IP address is: 93.184.216.34 and the port it is using is 80 (for HTTP).

The malicious process terminated itself after infecting the PC with a backdoored variant of UltraVNC. When did the process terminate itself?

UltraVNC is an open-source remote-desktop software utility. A backdoored variant of this software would mean the attacker has remote access to the victim’s machine. This is far from ideal.

Filtering for Event ID 5 would be the most logical step to take in this case. This event reports when a process terminates. Including the Image name in the grep search will help narrow down the results, for readability.

grep -i -A 20 '<EventID[^>]*>5</EventID>' output_file.xml

At the bottom, we can see <Data Name = "UTC Time">2024-02-14 03:41:58. This is the indicator for when the malicious process terminated itself. Generally speaking, these types of viruses do not stick around for very long on the system itself. They are created in a way that allows them to quickly extract information and then get out of the system, sometimes leaving no trace.

In this scenario, the virus was most likely a Trojan masquerading as a video game, or something in that realm. From the logs, it looks like a typical infostealer that connects to a C2 Server, relaying information back to the attacker.

The best way to respond to this type of threat is to isolate the infected system, and to block the C2 Server IP address. To prevent this from happening again, it is strongly advisable not to download unknown files off the internet. If you must, check the file with a third-party sandbox tool like AnyRun or VirusTotal.