From the title of this lab, we have a hint that this malware is likely a information stealer (infostealer) of some sort.
Infostealers are typically designed to steal sensitive information such as user credentials, browser cookies, confidential documents, etc.
Although, some infostealers will have more sophisticated capabilities to perform keylogging or stage payloads.
At the company, our network team noticed a big increase in the network activity on one of our computers in the last few days. After looking into it, We found out that an employee had downloaded an untrusted software, but they weren't sure what it was doing. We need you to investigate carefully and find out what it do.
Question 1
Malicious software frequently employs diverse methods to hide its presence and avoid detection. What packing tool was utilized to obfuscate this malware?
For this question, we can use Detect It Easy (DIE) to quickly identify whether the malware is packed and if so what is used for packing.
Answer
UPX
Question 2
Since the malware author used multiple techniques to hide its functions, where does the malware place the second stage?
We will have to do some dynamic analysis to find out.
Once ProcMon has been started, we can execute telestealer.exe and go through what the malicious process is doing behind the scenes. By looking at the process tree in ProcMon, we can see that PowerShell was spawned under the malicious process.
The full command is powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\Administrator\AppData\Roaming\Dropper\script.ps1"
Answer
C:\Users\Administrator\AppData\Roaming\Dropper\
Question 3
Looking into how the malware persist on the machine, what's the path of the registry key it uses to do this?
Within ProcMon, we can look at the registry items which telestealer.exe interacted with. In this case, we will specifically look for RegSetValue events.
We've noticed unusual network traffic in recent days since the discovery of the malware. We need to determine what data it might have sent out. What's the path of the exfiltrated data?
As we now know the malware runs a PowerShell script, we can look further into the script and uncover the answer. It appears that this malware is collecting every file on the Desktop and archiving them into a zip file to be exfiltrated.
Answer
C:\Users\Administrator\Desktop
Question 5
You've verified that the malware is gathering sensitive data from compromised machines. It mainly uses a separate communication channel to send out the data. What is the full domain the malware use to exfiltrate the data?
Using Wireshark, we can look for unusual DNS requests or HTTP requests when the malware is running to determine related outbound connections. In this case, it appears the malware is attempting to establish connections with Telegram.
Answer
api.telegram.org
Question 6
Once the channel is recognized, the next step is to determine who is receiving the exfiltrated data. Utilizing Python and the hosts file, can you determine the username of the recipient?
Unfortunately, this lab does not have an internet connection. Hence, we will be setting up our own HTTP web server to listening for HTTP requests. In order to do so, we will have to update our local DNS records in C:\Windows\System32\drivers\etc\hosts to resolve api.telegram.org to our loopback address.
Then, we will start up our own web server by using the following command in Command Prompt: python -m http.server 80.
Once we run the malware again, we will be able to grab the HTTP requests that are being sent to api.telegram.org.
A quick look at Telegram's API documentation will reveal that the recipient name (a bot in this case) will be listed as https://api.telegram.org/bot<token>/METHOD_NAME. The question is a bit confusing as it isn't actually a username. Instead, it's the telegram bot's name.
