Unit42

UltraVNC Backdoor Analysis

This CTF focused on analyzing Windows Sysmon logs, based on Palo Alto's Unit42 research into a backdoored UltraVNC campaign. The EVTX files were parsed with EvtxECmd and the resulting CSV loaded into ELK and Splunk, which allowed quick searching and filtering of the event data.


Setup

Command to convert EVTX to CSV:


Questions & Answers

Q: How many Event logs are there with Event ID 11? A: 56 (Sysmon Event ID 11 indicates file creation.)


Q: What is the malicious process that infected the victim's system? A: C:\Users\CyberJunkie\Downloads\Preventivo24.02.14.exe.exe (Sysmon Event ID 1 logs process creation, including the command line.)


Q: Which Cloud drive was used to distribute the malware? A: Dropbox


Q: What was the timestamp changed to for the PDF file? A: 2024-01-14 08:10:06 (Time stomping, used for defense evasion.)


Q: Where was "once.cmd" created on disk? A: C:\Users\CyberJunkie\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\once.cmd (Identified in the Event ID 11 logs with the Splunk search: index="unit42" sourcetype="csv" once.cmd)


Q: What domain name did it try to connect to? A: www.example.com (Possible connectivity check or C2 beacon.)


Q: Which IP address did the malicious process try to reach out to? A: 93.184.216.34


Q: When did the process terminate itself? A: 2024-02-14 03:41:58 (Located using Sysmon Event ID 5, which logs process termination.)
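As an added example (not part of the original write-up or of any Unit42 tooling), the following Python script runs the same triage over an EvtxECmd-style CSV export: count file-creation events, locate the process launched from a user-writable directory, list what it wrote, pull the time-stomping record, collect its network indicators and bracket its lifetime. The sample rows are constructed and use a simplified subset of EvtxECmd's columns (the exact column layout is an assumption); the executable path, once.cmd path, domain, IP and timestamps are the ones reported above, while the PDF name and the benign svchost row are made up. It goes slightly beyond the write-up by also mapping Sysmon Event ID 2 (file creation time changed, the record behind the time-stomping answer), 3 (network connection) and 22 (DNS query), which the questions above do not name explicitly.

```python
import csv
import io
from datetime import datetime

# Sysmon event IDs used below, as documented by Sysmon itself.
PROCESS_CREATE, FILE_TIME_CHANGED, NETWORK_CONNECT = 1, 2, 3
PROCESS_TERMINATE, FILE_CREATE, DNS_QUERY = 5, 11, 22

# Constructed sample data: a simplified subset of EvtxECmd's CSV columns (assumed
# layout). Paths, domain, IP and timestamps come from the write-up; the PDF name
# and the svchost row are made up.
SAMPLE_CSV = r"""TimeCreated,EventId,MapDescription,ExecutableInfo,PayloadData1,PayloadData2
2024-02-14 03:41:26,1,Process creation,C:\Users\CyberJunkie\Downloads\Preventivo24.02.14.exe.exe,ParentImage: C:\Windows\explorer.exe,
2024-02-14 03:41:27,11,File created,C:\Users\CyberJunkie\Downloads\Preventivo24.02.14.exe.exe,TargetFilename: C:\Users\CyberJunkie\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\once.cmd,
2024-02-14 03:41:28,11,File created,C:\Users\CyberJunkie\Downloads\Preventivo24.02.14.exe.exe,TargetFilename: C:\Users\CyberJunkie\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\Preventivo.pdf,
2024-02-14 03:41:29,2,File creation time changed,C:\Users\CyberJunkie\Downloads\Preventivo24.02.14.exe.exe,TargetFilename: C:\Users\CyberJunkie\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\Preventivo.pdf,CreationUtcTime: 2024-01-14 08:10:06
2024-02-14 03:41:40,22,DNS query,C:\Users\CyberJunkie\Downloads\Preventivo24.02.14.exe.exe,QueryName: www.example.com,
2024-02-14 03:41:41,3,Network connection,C:\Users\CyberJunkie\Downloads\Preventivo24.02.14.exe.exe,DestinationIp: 93.184.216.34,DestinationHostname: www.example.com
2024-02-14 03:41:50,11,File created,C:\Windows\System32\svchost.exe,TargetFilename: C:\Windows\Temp\benign.tmp,
2024-02-14 03:41:58,5,Process terminated,C:\Users\CyberJunkie\Downloads\Preventivo24.02.14.exe.exe,,
"""

TIME_FMT = "%Y-%m-%d %H:%M:%S"


def load_events(csv_text):
    """Parse CSV rows into dicts; 'Key: value' payload columns become a dict."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        payload = {}
        for col in ("PayloadData1", "PayloadData2"):
            raw = (row.get(col) or "").strip()
            if ": " in raw:
                key, value = raw.split(": ", 1)
                payload[key] = value
        events.append({"time": datetime.strptime(row["TimeCreated"], TIME_FMT),
                       "event_id": int(row["EventId"]),
                       "image": row["ExecutableInfo"], "payload": payload})
    return events


def count_event_id(events, event_id):
    return sum(1 for e in events if e["event_id"] == event_id)


def suspicious_process_creations(events, markers=("\\Downloads\\", "\\AppData\\", "\\Temp\\")):
    """Event ID 1 rows whose image lives in a user-writable directory: a cheap
    first filter for finding the initial malicious binary."""
    return [e["image"] for e in events if e["event_id"] == PROCESS_CREATE
            and any(m.lower() in e["image"].lower() for m in markers)]


def files_created_by(events, image):
    return [e["payload"].get("TargetFilename") for e in events
            if e["event_id"] == FILE_CREATE and e["image"] == image]


def time_stomps(events, image):
    """Event ID 2: Sysmon records a process changing a file's creation time."""
    return [(e["payload"].get("TargetFilename"), e["payload"].get("CreationUtcTime"))
            for e in events if e["event_id"] == FILE_TIME_CHANGED and e["image"] == image]


def network_indicators(events, image):
    """Domains from DNS queries (22) and connection hostnames (3); IPs from 3."""
    domains, ips = set(), set()
    for e in events:
        if e["image"] != image:
            continue
        if e["event_id"] == DNS_QUERY and "QueryName" in e["payload"]:
            domains.add(e["payload"]["QueryName"])
        elif e["event_id"] == NETWORK_CONNECT:
            ips.update([e["payload"]["DestinationIp"]] if "DestinationIp" in e["payload"] else [])
            domains.update([e["payload"]["DestinationHostname"]] if "DestinationHostname" in e["payload"] else [])
    return sorted(domains), sorted(ips)


def process_lifetime(events, image):
    """(first Event ID 1, last Event ID 5) for the image, formatted as strings."""
    starts = [e["time"] for e in events if e["event_id"] == PROCESS_CREATE and e["image"] == image]
    ends = [e["time"] for e in events if e["event_id"] == PROCESS_TERMINATE and e["image"] == image]
    return (min(starts).strftime(TIME_FMT) if starts else None,
            max(ends).strftime(TIME_FMT) if ends else None)


def triage(csv_text):
    """Answer the write-up's questions for the first suspicious process found."""
    events = load_events(csv_text)
    report = {"file_create_count": count_event_id(events, FILE_CREATE),
              "suspects": suspicious_process_creations(events)}
    if report["suspects"]:
        image = report["suspects"][0]
        report["files_created"] = files_created_by(events, image)
        report["time_stomps"] = time_stomps(events, image)
        report["domains"], report["ips"] = network_indicators(events, image)
        report["lifetime"] = process_lifetime(events, image)
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_CSV).items():
        print(f"{key}: {value}")
```

To use it on a real export, replace SAMPLE_CSV with the contents of the EvtxECmd CSV and check that the column names match your EvtxECmd version; the payload parsing only relies on the "Key: value" convention in the PayloadData columns, so extra columns are ignored.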
