XLMRat Lab- Cyberdefenders
Hunters4threats
Everyone, I hope everyone is doing great. So today we'll do a quick lab by CyberDefenders which is called the XLMRat lab. This lab is intended to test our network forensics skills. So we'll be given a pcap file to analyze and deduce what we can get, and extract the things to answer the questions. All right. So let's start by reading the scenario. Obviously, I already did the lab, but let's do it together for the sake of practice. The scenario says, "A compromised machine has been flagged due to suspicious network traffic. Your task is to analyze the pcap file to determine the attack method. Identify any malicious payloads and trace the timeline of events. Focus on how the attacker gained access, what tools or techniques were used, and how the malware operated post-compromise." All right. So of course, after you download the pcap file, you'll be given the password here for the file. I've already downloaded it, so you can find it in Downloads. All right, let's paste the password. All right. So here's the pcap file, so let's start by answering the questions.

All right. The first question says the attacker successfully executed a command to download the first stage of the malware. What's the URL from which the first malware stage was installed? All right. So since we have a URL involved, we'll look for HTTP packets to look for any kind of malicious URLs. All right. HTTP. All right. So here we got four packets. Okay. XLM text. Okay. Let's look at the first one, hypertext. Okay. As you can see we have this one request URL, XLM.txt. In the second packet we have a 200 response code for the http 45.126.xmlm. Okay. And we have the third one which is an image GPG file. And we have a full request. All right. So this seems suspicious. So we can follow the HTTP stream or TCP stream. Sorry, follow TCP stream. All right. So as you can see here, this is the client and this is the server. Server accepted, 200. Okay. And we can see here some malicious kind of hex strings. All right. Okay. And we can see here some kind of malicious PowerShell scripts. All right. So we can assume that this is indeed the malicious URL or host. So which is of course under, yeah, this is the IP. This is the port. All right. So we can find the URL. So it's the third packet. So just to recap, this is the URL of the third packet that we have found, which is 45.126.209 MDN.gb. Okay, so this is the answer, because we indeed found the malicious payload or malware. Okay, this is it.

So, which hosting provider owns the associated IP address? All right. We can easily just copy the IP address and we can go to any website like AbuseIPDB, or you can go to an IP geolocation site. All right, there's a lot of ways to know the IP service provider or general information about the IP. All right, so let's paste the IP. As you can see here, we have some general information: city, country, the domain. So the internet service provider, ISP, is related to ReliableSite.Net LLC. All right. So this is indeed the answer, the service provider. So as you can see here, scroll down, it's indeed ReliableSite.Net. All right.

Coming to the third question. I don't want you to see the answer for the sake of practice, but let's answer. Okay. By analyzing the malicious scripts, two payloads were identified: a loader and a secondary executable. What's the SHA-256 of the malware executable? All right. So, as you can see, when we came to the third packet, okay, which is indeed this one, and we followed the TCP stream. Of course, as you can see, this is the first payload hex string. If you go down, down, there's possibly another one because we have a loader and an executable. But as you can see, it's in hex, right? All right. Down, down, down. So, this all belongs to the first executable and the second will belong to the loader. So you can just speed up the process. All right, so as you can see here we have another hex string, so we'll copy the first one, all right, and we'll try to decode it using sites like CyberChef, but first let me copy it. All right. Still here. Copy. All right. And then you go to sites like CyberChef. All right. And try to decode it. So this is the file. All right. And what you can see: From Hex. All right. From Hex. All right. As you can see this is the hex. I don't think there's an option for SHA-256, because they're looking for 256. So, what we can do, we just find the MD5, right? After we find the MD5, of course, this is the MD5, you know, version. First, let me try something. There's no difference, but just in case. All right. Bake. All right. So, this is the MD5 hash for the executable. What we can do, we can go to VirusTotal and we can extract the SHA-256. As you can see, this is the executable, details, the SHA-256, EB7. Okay. So, this is the SHA-256 for the executable. Okay. So indeed this is the answer, as you can see, 1EB7B7. Okay, sorry.

All right, question number four says what's the malware family based on Alibaba, which is the Alibaba vendor. So as you can see here, when we are back in VirusTotal we can go to detections and take a look at AliCloud. We're looking for Alibaba, right. So yeah, Alibaba, AliCloud: AsyncRAT. All right. So here it says it's labeled by Alibaba, yeah Alibaba, it's labeled as AsyncRAT. All right. So this is the name of the malware family that this executable is related to. And indeed, as you can see, the answer here is AsyncRAT.

Okay. Question number five says what's the timestamp of the malware creation? So all this kind of information you can find from the details in VirusTotal: you can go here, history, creation time, 2023 10:30. So this is indeed the answer. Okay, even the time and minutes are mentioned.

Question number six says which LOLBin, which is living off the land binaries, is leveraged for stealthy process execution in the script provided, and provide the full path. All right. So LOLBins are usually abused by attackers because they are legitimate services running on Windows. So what we can do, sorry, I closed the... okay, back to our pcap. So back to our packet number three, which is related to the malware, and we'll go to the payload TCP stream. So as you can see this is the payload. As you can see, you know, we found some malicious PowerShell script in the beginning. So as you can see here, you know, Reflection.Assembly, okay, PowerShell script, you know, it's trying some hidden execution policy bypass. So we're looking for something related to LOLBins, you know, which are the legitimate Windows services that are abused by attackers, like rundll, right, but you can see, okay. All right. So here you can see GetType, GetMethod, Execute. As you can see here we can see that this is a kind of obfuscation which is used by attackers to, you know, evade detection. So yeah, as you can see, they're using the .NET Framework. Okay, the RegSvcs.exe. All right. So this is the LOLBin that is being abused by attackers. All right. So this kind of, this is just used for obfuscation. So the answer will actually be this whole line. So we just need to remove the square brackets and asterisks. All right. So as you can see the answer is indeed Windows\Microsoft.NET\Framework\RegSvcs.exe. Yeah. So yeah, as you can see, the attackers use it to, you know, evade detection and obscure the code.

Question number seven says the script is designed to drop several files. All right. List the names of the files dropped by the script. So as you can see we have, I think, more than one file, right. So if we go back to the payload. All right. As you can see, we should understand, you know, what kind of activities this payload does, or this malware does. As you can see, WriteAllText, Users\Public, Content. So it's trying to drop this file, this PowerShell PS1, Content.ps1. All right. Another one, Content.ps1. We have here IO.File WriteAllText Content.bat, a batch file. So we have a PS1 file, a PowerShell, and a bat file. Okay. What else? Okay. Content.bat. All right. Okay. We have also a VBS file. Okay. WriteAllText Content.vbs. All right. So as you can see, run scripts every two minutes. Okay. So it created a scheduled task for persistence. Okay. All right. So Content.vbs. All right. So this is like we found three files that the malware drops when it gets executed. So indeed the answer is what we have mentioned: Content.vbs, and the PS1 file and the bat file. So, I hope this lab, you know, was informational and good for the sake of practice. I hope you enjoyed. See you in the next video.
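An added Python helper for the manual steps in the walkthrough (my code, not the video's or CyberDefenders'): it hex-decodes a payload copied out of the TCP stream, computes MD5 and SHA-256 locally so the SHA-256 answer does not depend on a VirusTotal lookup, checks for the PE `MZ` header to tell the executable from the loader, and pulls dropped-file paths and the scheduled-task interval out of the stager. All sample input below is constructed for the demo; the real names and hashes come from the lab's pcap.

```python
"""Triage helpers for a hex-embedded payload and its PowerShell stager.
Added example, not from the video or the lab; every sample here is constructed."""
import hashlib
import re

# Constructed sample "executable": PE 'MZ' magic followed by padding,
# encoded as the long hex string a stager embeds in the stream.
SAMPLE_EXE_HEX = (b"MZ\x90\x00" + b"\x00" * 60).hex()

# Constructed stager fragment mimicking the pattern the walkthrough reads:
# WriteAllText drops under C:\Users\Public, then a scheduled task re-runs one.
SAMPLE_STAGER = r'''
[IO.File]::WriteAllText("C:\Users\Public\Content.ps1", $ps)
[IO.File]::WriteAllText("C:\Users\Public\Content.bat", $bat)
[IO.File]::WriteAllText("C:\Users\Public\Content.vbs", $vbs)
schtasks /create /sc minute /mo 2 /tn "Update" /tr "C:\Users\Public\Content.vbs"
'''

def decode_hex_payload(hex_text: str) -> bytes:
    """Strip whitespace/separators copied with the stream, then decode.
    An odd digit count means the copy was truncated; fail loudly."""
    cleaned = re.sub(r"[^0-9A-Fa-f]", "", hex_text)
    if len(cleaned) % 2:
        raise ValueError("odd-length hex string: payload copy is truncated")
    return bytes.fromhex(cleaned)

def hash_payload(data: bytes) -> dict:
    """MD5 for lookups plus the SHA-256 the lab asks for, computed locally."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}

def is_pe(data: bytes) -> bool:
    """Executable payloads start with the DOS 'MZ' magic; loaders often do not."""
    return data[:2] == b"MZ"

DROP_RE = re.compile(r'WriteAllText\(\s*"([^"]+)"', re.IGNORECASE)
TASK_RE = re.compile(r'schtasks\s+/create\b.*?/sc\s+(\w+)\s+/mo\s+(\d+)', re.IGNORECASE)

def dropped_files(script: str) -> list:
    """Paths written by [IO.File]::WriteAllText, in script order."""
    return DROP_RE.findall(script)

def persistence_interval(script: str):
    """(schedule unit, modifier) of the schtasks persistence, or None."""
    m = TASK_RE.search(script)
    return (m.group(1).lower(), int(m.group(2))) if m else None

def triage(hex_text: str, script: str) -> dict:
    """One-shot summary of what the walkthrough gathers by hand."""
    blob = decode_hex_payload(hex_text)
    return {"size": len(blob), "pe": is_pe(blob), **hash_payload(blob),
            "drops": dropped_files(script),
            "schedule": persistence_interval(script)}

if __name__ == "__main__":
    for k, v in triage(SAMPLE_EXE_HEX, SAMPLE_STAGER).items():
        print(f"{k}: {v}")
```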