Suspicious USB Stick

Scenario

One of our clients informed us they recently suffered an employee data breach. As a startup company, they had a constrained budget allocated for security and employee training. I visited them and spoke with the relevant stakeholders. I also collected some suspicious emails and a USB drive an employee found on their premises. While I am analyzing the suspicious emails, can you check the contents on the USB drive?

Reading Material:
https://zeltser.com/analyzing-malicious-documents/
https://en.wikipedia.org/wiki/List_of_file_signatures
https://eternal-todo.com/tools/peepdf-pdf-analysis-tool

Solution

  1. What file is the autorun.inf running? (3 points)

    Opening the file autorun.inf gives us the following text:

    [autorun]
    open=README.pdf
    icon=autorun.ico
    

    Answer: README.pdf

  2. Does the pdf file pass virustotal scan? (No malicious results returned) (2 points)

    Uploading the PDF to VirusTotal yields the following results:

    [Screenshot: VirusTotal scan results for README.pdf]

    Answer: False

  3. Does the file have the correct magic number? (2 points)

    Running file on the PDF shows that it reads as a PDF document:

    $ file README.pdf
    README.pdf: PDF document, version 1.7
    

    To confirm, we can also check with exiftool:

    $ exiftool README.pdf
    ExifTool Version Number         : 11.88
    File Name                       : README.pdf
    Directory                       : .
    File Size                       : 133 kB
    File Modification Date/Time     : 2021:02:25 07:40:42-05:00
    File Access Date/Time           : 2023:01:10 16:20:43-05:00
    File Inode Change Date/Time     : 2023:01:10 16:19:17-05:00
    File Permissions                : rw-rw-r--
    File Type                       : PDF
    File Type Extension             : pdf
    MIME Type                       : application/pdf
    PDF Version                     : 1.7
    Linearized                      : No
    Page Count                      : 1
    Language                        : en-US
    Tagged PDF                      : Yes
    XMP Toolkit                     : Image::ExifTool 12.10
    Creator                         : StarMan
    Create Date                     : 2021:02:10 23:54:49-08:00
    Creator Tool                    : Microsoft Word
    Modify Date                     : 2021:02:10 23:54:49-08:00
    Document ID                     : uuid:E474A333-0514-4AD8-8E31-5AC06A59A3B5
    Instance ID                     : uuid:E474A333-0514-4AD8-8E31-5AC06A59A3B5
    

    Answer: True
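    As an added example (not part of this write-up and not the tooling used above), the same magic-number check done by hand in Python: it compares the leading bytes of a file against a small table of well-known signatures and against the extension the filename claims, which is what file and exiftool are doing for us. The signature table is a hand-picked subset of the Wikipedia list in the reading material, and every sample byte string is constructed for the demo; README.pdf itself is not embedded.

```python
"""Magic-number check for a file whose extension may lie.

Added example, not the write-up's own tooling.  The signature table is a
hand-picked subset of https://en.wikipedia.org/wiki/List_of_file_signatures;
all sample bytes are constructed here so the script runs without the USB image.
"""
import os
import sys
from typing import Optional

# (offset, magic bytes, canonical extension)
SIGNATURES = [
    (0, b"%PDF-", "pdf"),
    (0, b"MZ", "exe"),                                # PE / MS-DOS executable
    (0, b"\x7fELF", "elf"),
    (0, b"PK\x03\x04", "zip"),                        # also docx/xlsx/jar
    (0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "doc"),  # OLE2 compound file (legacy Office)
    (0, b"\x89PNG\r\n\x1a\n", "png"),
    (0, b"\xff\xd8\xff", "jpg"),
]


def identify(data: bytes) -> Optional[str]:
    """Return the canonical extension for the first matching signature, or None."""
    for offset, magic, ext in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return ext
    # Caveat: the PDF spec only requires %PDF- somewhere in the first 1024
    # bytes, and Acrobat opens such files.  A strict offset-0 check would call
    # a PDF with leading junk "unknown" while a reader still executes it.
    if b"%PDF-" in data[:1024]:
        return "pdf"
    return None


def extension_matches(filename: str, data: bytes) -> bool:
    """True when the claimed extension agrees with what the bytes say."""
    claimed = os.path.splitext(filename)[1].lstrip(".").lower()
    # Fold the common container aliases into the signature family they share.
    aliases = {"jpeg": "jpg", "docx": "zip", "xlsx": "zip", "pptx": "zip", "jar": "zip"}
    claimed = aliases.get(claimed, claimed)
    return identify(data) == claimed


def triage(path: str) -> str:
    """One-line verdict for a file on disk, in the spirit of `file`."""
    with open(path, "rb") as fh:
        head = fh.read(1024)
    actual = identify(head) or "unknown"
    ok = extension_matches(os.path.basename(path), head)
    return f"{path}: looks like {actual}; extension {'matches' if ok else 'DOES NOT match'}"


if __name__ == "__main__":
    for p in sys.argv[1:]:
        print(triage(p))
```

    Run it as `python3 magic_check.py README.pdf`. A matching extension, as here, only tells us the file is really a PDF; it says nothing about what the PDF does, which is the next question.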

  4. What OS type can the file exploit? (Linux, MacOS, Windows, etc) (5 points)

    When we check the "Behavior" tab on VirusTotal, we can see that all the paths and registry keys are aimed at a Windows machine:

    [Screenshot: VirusTotal Behavior tab for README.pdf]

    Answer: Windows

  5. A Windows executable is mentioned in the pdf file, what is it? (3 points)

    Many executables are listed on the "Behavior" tab, including:

    • RdrCEF.exe
    • Reader_sl.exe
    • acrord32.exe
    • svchost.exe
    • AcroRd32.exe
    • AdobeARM.exe

    None of these is the answer, though; they are just the Adobe Reader and Windows processes the sandbox ran while opening the file. My next go-to for malicious files is Hybrid Analysis, which reported the launch action. We can reproduce that finding ourselves by pulling the printable strings out of the file:

    $ strings README.pdf | grep exe
    <</S/Launch/Type/Action/Win<</F(cmd.exe)/D(c:\\windows\\system32)/P(/Q /C %HOMEDRIVE%&cd %HOMEPATH%&(if exist "Desktop\\README.pdf" (cd "Desktop"))&(if exist "My Documents\\README.pdf" (cd "My Documents"))&(if exist "Documents\\README.pdf" (cd "Documents"))&(if exist "Escritorio\\README.pdf" (cd "Escritorio"))&(if exist "Mis Documentos\\README.pdf" (cd "Mis Documentos"))&(start README.pdf)
    

    Answer: cmd.exe

  6. How many suspicious /OpenAction elements does the file have? (5 points)

    We can count matching lines the same way; the first column of the wc output is the line count:

    $ strings README.pdf | grep OpenAction | wc
          1      21     162
    

    Answer: 1
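    The strings-and-grep approach in questions 5 and 6 works on this sample, but it misses a trick attackers use: PDF names may be written with #xx hex escapes, so /Open#41ction is the same name as /OpenAction and grep will not see it. As an added example (not part of this write-up, and not peepdf or Hybrid Analysis code), the following script decodes those escapes first, counts the same suspicious names pdfid and peepdf flag, and pulls the /F target out of any /Launch action, which on the real file would return cmd.exe. SAMPLE_PDF is a minimal PDF constructed here for the demonstration; the object numbers and the /Java#53cript obfuscation are my own.

```python
"""Static triage of a PDF for open-time actions, launch actions and JavaScript.

Added example, not the write-up's own tooling.  It does what
`strings README.pdf | grep` did above, with two improvements: #xx hex
escapes in PDF names are decoded first (so /Open#41ction still counts as
/OpenAction), and the target of every /Launch action is extracted.
SAMPLE_PDF is a minimal PDF constructed here for the demonstration.
"""
import re
import sys
from collections import Counter
from typing import Dict, List

# Names that pdfid/peepdf treat as worth a second look.
SUSPICIOUS = ["/OpenAction", "/AA", "/Launch", "/JavaScript", "/JS",
              "/EmbeddedFile", "/URI"]

_NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalise_names(data: bytes) -> bytes:
    """Decode #xx escapes (PDF 32000-1, 7.3.5) so obfuscated names compare equal."""
    return _NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def count_keywords(data: bytes) -> Dict[str, int]:
    """Occurrences of each suspicious name in the raw (normalised) bytes."""
    text = normalise_names(data)
    counts: Counter = Counter()
    for kw in SUSPICIOUS:
        # Require a non-name character after the keyword so /JS is not
        # also counted inside some longer name starting with /JS.
        pattern = re.escape(kw.encode()) + rb"(?![A-Za-z0-9])"
        counts[kw] = len(re.findall(pattern, text))
    return dict(counts)


def launch_targets(data: bytes) -> List[str]:
    """The /F (...) file names of every /Launch action, searched within one object."""
    text = normalise_names(data)
    # Stop looking once 'endobj' is crossed so an /F from a later object is not picked up.
    pat = rb"/Launch(?:(?!endobj).)*?/F\s*\(([^)]*)\)"
    return [m.decode("latin-1") for m in re.findall(pat, text, re.DOTALL)]


def triage(data: bytes) -> Dict[str, object]:
    """Counts, launch targets and a simple verdict for one PDF's bytes."""
    counts = count_keywords(data)
    targets = launch_targets(data)
    # Caveat: objects inside compressed object streams (/ObjStm) are invisible
    # to a raw byte scan; peepdf inflates them, this script does not.
    suspicious = counts["/OpenAction"] > 0 or counts["/Launch"] > 0 or counts["/JS"] > 0
    return {"counts": counts, "launch_targets": targets, "suspicious": suspicious}


# Constructed sample: one page, an /OpenAction that launches cmd.exe, and a
# JavaScript action whose /S value is obfuscated as /Java#53cript.
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"4 0 obj << /S /Launch /Type /Action /Win << /F (cmd.exe) >> >> endobj\n"
    b"5 0 obj << /S /Java#53cript /JS (app.alert(1)) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PDF
    print(triage(data))
```

    Run it with no arguments to see the verdict on the built-in sample, or pass README.pdf to scan the real file. Note that it counts occurrences rather than lines, so a single line carrying two /OpenAction names is reported as 2, where the wc pipeline above would report 1.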


Tags

  1. retired (Private)
  2. 20 points (Private)
  3. medium (Private)