lOMoARcPSD|20718617

CA v1.0 Skills Assessment-1

cyber security (Royal Melbourne Institute of Technology)

Studocu is not sponsored or endorsed by any college or university

Downloaded by Muhammad Alvito ([email protected])
 lOMoARcPSD|20718617

CyberOps Associates v1.0 - Skills Assessment

Introduction
You have been hired as a junior security analyst. As part of your training, you were tasked to determine any
malicious activity associated with the Pushdo trojan.
You will have access to the internet to learn more about the events. You can use websites, such as VirusTotal,
to upload and verify threat existence.
The tasks below are designed to provide some guidance through the analysis process.
You will practice and be assessed on the following skills:
o Evaluate event alerts using Squil and Kibana.
o Use Google search as a tool to obtain intelligence on a potential exploit.
o Use VirusTotal to upload and verify threat existence.

Content for this assessment was obtained from http://www.malware-traffic-analysis.net/ and is used with
permission. We are grateful for the use of this material.

Required Resources
 Host computer with at least 8GB of RAM and 45GB of free disk space
 Latest version of Oracle VirtualBox
 Security Onion virtual machine requires 4GB of RAM using 25GB disk space
 Internet access

Instructions

Part 1: Gather the Basic Information

In this part, you will review the alerts listed in Security Onion VM and gather basic information for the
interested time frame.

Step 1: Verify the status of services

a. Log into Security Onion VM using with the username analyst and password cyberops.
b. Open a terminal window. Enter the sudo so-status command to verify that all the services are ready.
c. When the nsm service is ready, log into Sguil or Kibana with the username analyst and password
cyberops.

Step 2: Gather basic information.

Questions:

a. Identify time frame of the Pushdo trojan attack, including the date and approximate time.
2017-06-27 from 13:38:34 to 13:44:32

b. List the alerts noted during this time frame associated with the trojan.

 2020 - 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 1 of 5 www.netacad.com

Downloaded by Muhammad Alvito ([email protected])

 lOMoARcPSD|20718617

CyberOps Associates v1.0 - Skills Assessment

ET CURRENT_EVENTS WinHttpRequest Downloading EXE

ET POLICY PE EXE or DLL Windows file download HTTP
ET POLICY PE EXE or DLL Windows file download HTTP
ET CURRENT_EVENTS Terse alphanumeric executable downloader high
likelihood of being hostile
ET POLICY PE EXE or DLL Windows file download HTTP
ET POLICY External IP Lookup Domain (myip.opendns .com in DNS
lookup)
ET TROJAN Backdoor.Win32.Pushdo.s Checkin
ET TROJAN Pushdo.S CnC response
ET POLICY TLS possible TOR SSL traffic

c. List the internal IP addresses and external IP addresses involved.

Internal IP address:
 192.168.1.96
External IP addresses:
 143.95.151.192
 119.28.70.207
 145.131.10.21
 62.210.140.158
 119.28.70.207
 208.67.222.222
 208.83.223.34
 198.1.85.250

Part 2: Learn about the Exploit

In this part, you will learn more about the exploit.

Step 1: Infected host

Questions:

a. Based on the alerts, what is the IP and MAC addresses of the infected computer? Based on the MAC
address, what is the vendor of the NIC chipset? (Hint: NetworkMiner or internet search)
IP: 192.168.1.96
MAC: 00-15-C5-DE-C7-3B
NIC Vendor: Dell Inc.

 2020 - 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 2 of 5 www.netacad.com

Downloaded by Muhammad Alvito ([email protected])

 lOMoARcPSD|20718617

CyberOps Associates v1.0 - Skills Assessment

b. Based on the alerts, when (date and time in UTC) and how was the PC infected? (Hint: Enter the
command date in the terminal to determine the time zone for the displayed time)

2017-06-27 13:38:32 UTC

The gerv.gun malware was executed through the Pushdo trojan.

How did the malware infect the PC? Use an internet search as necessary.

The user in the 192.168.1.96 PC accessed a malicious domain, and the

Pushdo trojan was used to install the malware.
Pushdo is a “downloader” trojan, meaning its purpose is to download and
install additional malicious software. When executed, Pushdo reports back
to one of several control server IP addresses embedded in it code. The
server listens on TCP port 80, and pretends to be an Apache webserver. If
the HTTP request contains the correct parameters, one or more executabl
es will be delivered via HTTP. The malware to be downloaded by Pushdo
depends on the value following the”s-underscore” part of the URL. Pushdo
keeps track of the IP address of the victim, whether or not that person is an
administator on the computer, their primary hard drive serial number
(obtained by SMART_RCV_DRIVE_DATA IO control code), whether the
filesystem is NTFS, how many times the victim system ha s executeda
Pushdo variant, and the Windows OS version as returned by the
GetVersionEx API call.

Step 2: Examine the exploit.

Questions:

a. Based on the alerts associated with HTTP GET request, what files were downloaded? List the malicious
domains observed and the files downloaded.
gerv.gun – matied.com/gerv.gun
trow.exe – lounge-haarstudio.nl/oud/trow.exe
wp.exe – vantagepointtechnologies.com/wp.exe

Use any available tools in Security Onion VM, determine and record the SHA256 hash for the
downloaded files that probably infected the computer?
gerv.gun = 0931537889c35226d00ed26962ecacb140521394279eb2ade7e9d2afcf1a7272
trow.exe = 94a0a09ee6a21526ac34d41eabf4ba603e9a30c26e6a1dc072ff45749dfb1fe1
wp.exe = 79d503165d32176842fe386d96c04fb70f6ce1c8a485837957849297e625ea48

 2020 - 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 3 of 5 www.netacad.com

Downloaded by Muhammad Alvito ([email protected])

 lOMoARcPSD|20718617

CyberOps Associates v1.0 - Skills Assessment

b. Navigate to www.virustotal.com input the SHA256 hash to determine if these were detected as malicious
files. Record your findings, such as file type and size, other names, and target machine. You can also
include any information that is provided by the community posted in VirusTotal.
gerv.gun:
 58 engines detected this file
 File type: Win32 EXE
 File size: 236.00 KB (241664 bytes)
 Names:
 gerv.gun
 test
 tmp523799.697
 tmp246975.343
 tmp213582.420
 extract-1498570714.111294-HTTP-FG0jno3bJLiIzR4hrh.exe
 0931537889c35226d00ed26962ecacb140521394279eb2ade7e9d2afcf1a7272.bin
 vector.tui
 Target Machine: Intel 386 or later processors and compatible processors
trow.exe:
 63 engines detected this file
 File type: Win32 EXE
 File size: 323.00 KB (330752 bytes)
 Names:
 Pedals
 Pedals.exe
 trow.exe
 test3
 2017-06-28_18-18-14.exe
 bma2beo4.exe
 Target Machine: Intel 386 or later processors and compatible processors
wp.exe:
 55 engines detected this file
 File type: Win32 EXE
 File size: 300.50 KB (307712 bytes)
 Names:
 wp.exe
 test2
 test_3
 4da48f6423d5f7d75de281a674c2e620.virobj
 wp.exe.x-msdownload
 Target Machine: Intel 386 or later processors and compatible processors

c. Examine other alerts associated with the infected host during this timeframe and record your findings

ET POLICY External IP Lookup Domain (myip.opendns .com in DNS lookup) –

infection started when the user of the 192.168.1.96 host performed a DNS
lookup through a malicious domain – destination IP: 208.67.222.222

 2020 - 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 4 of 5 www.netacad.com

Downloaded by Muhammad Alvito ([email protected])

 lOMoARcPSD|20718617

CyberOps Associates v1.0 - Skills Assessment

Step 3: Report Your Findings

Summarizes your findings based on the information you have gathered from the previous parts, summarize
your findings.

The host with IP 192.168.1.96, a PC running Windows, accessed a malicious

domain for a DNS query, and was infected with the Pushdo trojan. The
Pushdo trojan pretends to be an Apache webserver, listening on port 80. After
infection, the Pushdo trojan downloads various malware. In the examined PC,
three malwares were downloaded and installed – gerv.gun, trow.exe and
wp.exe. These files were checked in virustotal.com, using their SHA256 hash,
and verified as malware by most source.

End of document

 2020 - 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 5 of 5 www.netacad.com

Downloaded by Muhammad Alvito ([email protected])