Ransomémoire 3/3 - Doppelgänger
Solution
First, we look into the process doppelgänging technique, which is a process injection technique. We learn from MITRE that it involves launching a legitimate executable whose image has been replaced with a malicious one.
The image base address of the doppelgänged process will therefore differ from that of the other processes started from the same executable. Looking at the NetGraph of VolWeb, we see that there are very few connections, and most public IPs can quickly be ruled out as legitimate with the help of sandbox reports.
We will focus on the Brave processes, because a browser would be the best place to hide a C2 stream.
Checking the base addresses, we discover that the Brave process with PID 6808 is the only one with a base address of 15335424, instead of 140695088398336 for all the other Brave processes.
We will use strings to see if we can get more information.
$ strings fcsc.dmp | grep "192.168.1.106" -C 2
build -ldflags="-s -w -X \"main.build=4d0e944d6b52f2715a2d75e5373a60f045921488\" -X
-X \"main.protocol=https\" -X
\"main.url=https://192.168.1.106:443/\"
-X \"main.host=mal.server.notlocal\" -X \"main.psk=WyGRb98LKLQfZiO32\" -X \"main.sleep=30s\" -X \"main.proxy=\" -X \"main.useragent=Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.85 Safari/537.36\" -X \"main.headers=\" -X \"main.skew=3000\" -X \"main.padding=4096\" -X \"main.killdate=0\" -X \"main.maxretry=7\" -X \"main.parrot=\" -H=windowsgui -buildid="
build CGO_ENABLED=0
These parameters look like a C2 configuration. Searching for main.psk on grep.app, we find that they belong to the agent of the Merlin C2 framework.
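The two checks above, the base-address comparison and the extraction of the Go -X build values, as an added Python example (not part of the original write-up). The process list and the strings excerpt are constructed for the example; the PIDs of the other Brave processes and the psk value are placeholders, while the base addresses and the URL reuse the values seen above.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: (pid, image name, image base) as a pslist-style listing
# would give it. PID 6808 and both base addresses come from the write-up;
# the other PIDs are hypothetical.
PROCESSES = [
    (4120, "brave.exe", 140695088398336),
    (5204, "brave.exe", 140695088398336),
    (6808, "brave.exe", 15335424),
    (7012, "brave.exe", 140695088398336),
    (2332, "explorer.exe", 140697000000000),
]

def base_address_outliers(processes):
    """Return (pid, name, base, expected_base) for each process whose image
    base differs from the majority base of the processes sharing its image
    name. A doppelgänged process is backed by a different image than its
    siblings, so its base address does not match theirs."""
    by_name = defaultdict(list)
    for pid, name, base in processes:
        by_name[name.lower()].append((pid, base))
    outliers = []
    for name, entries in by_name.items():
        if len(entries) < 2:
            continue  # a lone process has nothing to be compared against
        expected, _ = Counter(b for _, b in entries).most_common(1)[0]
        outliers.extend((pid, name, base, expected)
                        for pid, base in entries if base != expected)
    return outliers

# Go embeds build-time values with -ldflags "-X pkg.var=value"; the Merlin
# agent's configuration is set this way. In the dump the flags carry escaped
# quotes (\"), and a -X may be separated from its value by a line break.
_LDFLAG = re.compile(r'-X\s+\\?"(main\.[A-Za-z_]+)=(.*?)\\?"')

def parse_ldflags_config(text):
    """Map each main.<key> set via -X to its value ('' when left unset)."""
    return {key: value for key, value in _LDFLAG.findall(text)}

# Constructed excerpt in the shape of the strings output above (placeholder psk).
SAMPLE_STRINGS = r'''build -ldflags="-s -w -X \"main.build=deadbeef\" -X
\"main.protocol=https\" -X \"main.url=https://192.168.1.106:443/\" -X \"main.host=mal.server.notlocal\" -X \"main.psk=EXAMPLEPSK\" -X \"main.sleep=30s\" -X \"main.proxy=\" -H=windowsgui"'''

if __name__ == "__main__":
    for pid, name, base, expected in base_address_outliers(PROCESSES):
        print(f"{name} pid {pid}: base {base} (siblings at {expected})")
    for key, value in parse_ldflags_config(SAMPLE_STRINGS).items():
        print(f"{key} = {value!r}")
```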
Flag
FCSC{6808:192.168.1.106:443}