CyberOps Associate Skills Assessment Answers – CA v1.0 Skills Exam

CyberOps Associates v1.0 – Skills Assessment

Introduction

You have been hired as a junior security analyst. As part of your training, you were tasked to determine any malicious activity associated with the Pushdo trojan.

You will have access to the internet to learn more about the events. You can use websites, such as VirusTotal, to upload and verify threat existence.

The tasks below are designed to provide some guidance through the analysis process.

You will practice and be assessed on the following skills:

  • Evaluate event alerts using Squil and Kibana.
  • Use Google search as a tool to obtain intelligence on a potential exploit.
  • Use VirusTotal to upload and verify threat existence.

Content for this assessment was obtained from http://www.malware-traffic-analysis.net/ and is used with permission. We are grateful for the use of this material.

Required Resources

  • Host computer with at least 8GB of RAM and 45GB of free disk space
  • Latest version of Oracle VirtualBox
  • Security Onion virtual machine requires 4GB of RAM using 25GB disk space
  • Internet access

Instructions

Part 1: Gather the Basic Information

In this part, you will review the alerts listed in Security Onion VM and gather basic information for the interested time frame.

Step 1: Verify the status of services

a. Log into Security Onion VM using with the username analyst and password cyberops.

b. Open a terminal window. Enter the sudo so-status command to verify that all the services are ready.

Right click Desktop backgroud, go to Open Terminal

analyst@SecOnion:~$ sudo so-status
Status: securityonion
  * sguil server                                                       [  OK  ]
Status: seconion-import
  * pcap_agent (sguil)                                                 [  OK  ]
  * snort_agent-1 (sguil)                                              [  OK  ]
  * barnyard2-1 (spooler, unified2 format)                             [  OK  ]
Status: Elastic stack
  * so-elasticsearch                                                   [  OK  ]
  * so-logstash                                                        [  OK  ]
  * so-kibana                                                          [  OK  ]
  * so-freqserver                                                      [  OK  ]

c. When the nsm service is ready, log into Sguil or Kibana with the username analyst and password cyberops.
Open Sguil using the shortcut on the Desktop. Login with the username analyst and password cyberops. Click Select All to select the interfaces and then Start SGUIL.
CyberOps Associate Skills Assessment Answers - CA v1.0 Skills Exam 16

Step 2: Gather basic information.

a. Identify time frame of the Pushdo trojan attack, including the date and approximate time.
2017-06-27 from 13:38:34 to 13:44:32
CyberOps Associate Skills Assessment Answers - CA v1.0 Skills Exam 17
b. List the alerts noted during this time frame associated with the trojan.

ET CURRENT_EVENTS WinHttpRequest Downloading EXE
ET POLICY PE EXE or DLL Windows file download HTTP
ET POLICY PE EXE or DLL Windows file download HTTP
ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
ET POLICY PE EXE or DLL Windows file download HTTP
ET POLICY External IP Lookup Domain (myip.opendns .com in DNS lookup)
ET TROJAN Backdoor.Win32.Pushdo.s Checkin
ET TROJAN Pushdo.S CnC response
ET POLICY TLS possible TOR SSL traffic

c. List the internal IP addresses and external IP addresses involved.

Internal IP address:

  • 192.168.1.96

External IP addresses:

  • 143.95.151.192
  • 119.28.70.207
  • 145.131.10.21
  • 62.210.140.158
  • 119.28.70.207
  • 208.67.222.222
  • 208.83.223.34
  • 198.1.85.250

Part 2: Learn about the Exploit

In this part, you will learn more about the exploit.

Step 1: Infected host

a. Based on the alerts, what is the IP and MAC addresses of the infected computer? Based on the MAC address, what is the vendor of the NIC chipset? (Hint: NetworkMiner or internet search)
IP: 192.168.1.96
MAC: 00-15-C5-DE-C7-3B
NIC Vendor: Dell Inc.

Explanation: Right-click Alert ID: 5410 –> Select NetworkMiner.
CyberOps Associate Skills Assessment Answers - CA v1.0 Skills Exam 18
CyberOps Associate Skills Assessment Answers - CA v1.0 Skills Exam 19

b. Based on the alerts, when (date and time in UTC) and how was the PC infected? (Hint: Enter the command date in the terminal to determine the time zone for the displayed time)
2017-06-27 13:38:32 UTC
The gerv.gun malware was executed through the Pushdo trojan.

On NetworkMiner windows, click Files tab to determine date and time in UTC:
CyberOps Associate Skills Assessment Answers - CA v1.0 Skills Exam 20

How did the malware infect the PC? Use an internet search as necessary.

The user in the 192.168.1.96 PC accessed a malicious domain, and the Pushdo trojan was used to install the malware.
Pushdo is a “downloader” trojan, meaning its purpose is to download and install additional malicious software. When executed, Pushdo reports back to one of several control server IP addresses embedded in it code. The server listens on TCP port 80, and pretends to be an Apache webserver. If the HTTP request contains the correct parameters, one or more executabl es will be delivered via HTTP. The malware to be downloaded by Pushdo depends on the value following the”s-underscore” part of the URL

CyberOps Associate Skills Assessment Answers - CA v1.0 Skills Exam 21

Pushdo keeps track of the IP address of the victim, whether or not that person is an administator on the computer, their primary hard drive serial number (obtained by SMART_RCV_DRIVE_DATA IO control code), whether the filesystem is NTFS, how many times the victim system ha s executeda Pushdo variant, and the Windows OS version as returned by the GetVersionEx API call.

Step 2: Examine the exploit.

a. Based on the alerts associated with HTTP GET request, what files were downloaded? List the malicious domains observed and the files downloaded.

gerv.gun – matied.com/gerv.gun
trow.exe – lounge-haarstudio.nl/oud/trow.exe
wp.exe – vantagepointtechnologies.com/wp.exe

Explanation: Right-click Alert ID: 5410 –> Select Transcript
CyberOps Associate Skills Assessment Answers - CA v1.0 Skills Exam 22
Right-click Alert ID: 5420 –> Select Transcript
CyberOps Associate Skills Assessment Answers - CA v1.0 Skills Exam 23
Right-click Alert ID: 5421 –> Select Transcript
CyberOps Associate Skills Assessment Answers - CA v1.0 Skills Exam 24

Use any available tools in Security Onion VM, determine and record the SHA256 hash for the downloaded files that probably infected the computer?

gerv.gun = 0931537889c35226d00ed26962ecacb140521394279eb2ade7e9d2afcf1a7272
trow.exe = 94a0a09ee6a21526ac34d41eabf4ba603e9a30c26e6a1dc072ff45749dfb1fe1
wp.exe = 79d503165d32176842fe386d96c04fb70f6ce1c8a485837957849297e625ea48

Explanation: Use NetworkMiner tool:
Right-click Alert ID: 5410 –> Select NetworkMiner –> Click Files tab –> Right click first line –> Select Calculate MD5 / SHA1 / SHA256 hash
CyberOps Associate Skills Assessment Answers - CA v1.0 Skills Exam 25

Do the same for Alert ID: 5420 and 5421 to determine SHA256 hash for the files: trow.exe and wp.exe

b. Navigate to www.virustotal.com input the SHA256 hash to determine if these were detected as malicious files. Record your findings, such as file type and size, other names, and target machine. You can also include any information that is provided by the community posted in VirusTotal.

gerv.gun:

  • 58 engines detected this file
  • File type: Win32 EXE
  • File size: 236.00 KB (241664 bytes)
  • Names:
    • gerv.gun
    • test
    • tmp523799.697
    • tmp246975.343
    • tmp213582.420
    • extract-1498570714.111294-HTTP-FG0jno3bJLiIzR4hrh.exe
    • 0931537889c35226d00ed26962ecacb140521394279eb2ade7e9d2afcf1a7272.bin
    • vector.tui
  • Target Machine: Intel 386 or later processors and compatible processors

trow.exe:

  • 63 engines detected this file
  • File type: Win32 EXE
  • File size: 323.00 KB (330752 bytes)
  • Names:
    • Pedals
    • Pedals.exe
    • trow.exe
    • test3
    • 2017-06-28_18-18-14.exe
    • bma2beo4.exe
  • Target Machine: Intel 386 or later processors and compatible processors

wp.exe:

  • 55 engines detected this file
  • File type: Win32 EXE
  • File size: 300.50 KB (307712 bytes)
  • Names:
    • wp.exe
    • test2
    • test_3
    • 4da48f6423d5f7d75de281a674c2e620.virobj
    • wp.exe.x-msdownload
  • Target Machine: Intel 386 or later processors and compatible processors

Explanation:Open Chromium Web Browser –> access to www.virustotal.com –> Click Search –> Enter Hash
CyberOps Associate Skills Assessment Answers - CA v1.0 Skills Exam 26
CyberOps Associate Skills Assessment Answers - CA v1.0 Skills Exam 27
CyberOps Associate Skills Assessment Answers - CA v1.0 Skills Exam 28
CyberOps Associate Skills Assessment Answers - CA v1.0 Skills Exam 29

c. Examine other alerts associated with the infected host during this timeframe and record your findings

ET POLICY External IP Lookup Domain (myip.opendns .com in DNS lookup) – infection started when the user of the 192.168.1.96 host performed a DNS lookup through a malicious domain – destination IP: 208.67.222.222

CyberOps Associate Skills Assessment Answers - CA v1.0 Skills Exam 30

Step 3: Report Your Findings

Summarizes your findings based on the information you have gathered from the previous parts, summarize your findings.

The host with IP 192.168.1.96, a PC running Windows, accessed a malicious domain for a DNS query, and was infected with the Pushdo trojan. The Pushdo trojan pretends to be an Apache webserver, listening on port 80. After infection, the Pushdo trojan downloads various malware. In the examined PC, three malwares were downloaded and installed – gerv.gun, trow.exe and wp.exe. These files were checked in virustotal.com, using their SHA256 hash, and verified as malware by most source.

Download .ova files:

Subscribe
Notify of
guest

28 Comments
Inline Feedbacks
View all comments
Laura
Laura
2 years ago

Hi , Currently completing this but could you explain how we know the attack began at 13.38 even tho the malicious domain wasnt accesed til after this time ?Many thanks

Rajesh soni
Rajesh soni
3 years ago

Hi,
can anyone please share the answer sheet for the reference on this email, [email protected]. I’m struggling to answer the question in report and supporting findings. Any help is much appreciated. thanks

Marcos Renato Rocha de Medeiros
Marcos Renato Rocha de Medeiros
3 years ago

I think you’re trying on the wrong date because even in the earliest print-screen, the date is 2017-06-27. And if you make a query with that date on Sguil you’ll notes that the event correlated to pushdo trojan occurs between 13:38 e 13:45

Capturars.PNG
GXS
GXS
3 years ago

HI.
Any Idea when will you update it with complete answers and findings?

Ganges Khan
Ganges Khan
3 years ago

Please help we have the same exam tomorrow!

Gng
Gng
3 years ago

Can someone please send me your answer for comparison? My email is [email protected]

Hmod
Hmod
3 years ago

When the instructor mode will publish?

Mark
Mark
3 years ago

Do you know when it will be published? More or less than 2 weeks?

John
John
3 years ago
Reply to  Mark

Hello mark did you finish it?

Mark
Mark
3 years ago
Reply to  John

Yeah but I’m not sure about my results

John
John
3 years ago
Reply to  Mark

Can you plz share your answer to [email protected] ? please

Mark
Mark
3 years ago
Reply to  John

I will tomorrow(I took 100)

John
John
3 years ago
Reply to  Mark

Thank you, waiting for your email.

Mark
Mark
3 years ago
Reply to  John

I have sent it

greenpuzzle
greenpuzzle
3 years ago
Reply to  Mark

Hello! Could you send it to me as well, please? <[email protected]> Thanks in advance!

John
John
3 years ago
Reply to  Mark

I think you made a mistake in email id, still now I didn’t get it. Can you please resend it again.

joe
joe
3 years ago
Reply to  Mark

can you please send me your result to [email protected]?

Jonifer Vas
Jonifer Vas
3 years ago
Reply to  Mark

Hi can you send it to me also need help THANK YOU! to [email protected]

Greg
Greg
3 years ago
Reply to  Mark

Hi Mark! Can you send it to me too? [email protected] Thank you!

Marcos Renato Rocha de Medeiros
Marcos Renato Rocha de Medeiros
3 years ago
Reply to  Mark

Hi Mark, can you send me too? it has been very hard to do it alone. [email protected]

Gabriela
Gabriela
2 years ago
Reply to  Mark

Hello Mark, there is a new version of the document and I am having trouble with the activity, can i send you the activity document and help me with the answers, please?

joe
joe
3 years ago
Reply to  Mark

can you please send me your result to [email protected]

Gng
Gng
3 years ago
Reply to  Mark

Hello Mark, you can send to me your answer? My email is [email protected], thanks a lot!

John
John
3 years ago
Reply to  Mark

Hello Mark,
I am still waiting for your email. I really need it. Can you please send me the answer at [email protected]

Bodofo
Bodofo
3 years ago
Reply to  Mark

Hi Mark! Can u share with me? [email protected]

Mike Peterson
Mike Peterson
2 years ago
Reply to  Mark

Hi Mark,

Our teacher made some changes to the exam.
Instead of

a. Identify time frame of the Pushdo trojan attack, including the date and approximate time.

She changed it to

a.    Identify time frame of the latest trojan attack, including the date and approximate time.

I choose

Date 2020-02-21 01:12:03

Source IP 91.211.88.122
Dest IP 172.17.8.174

Event message ET Trojan Abuse.CH SSL ….

I used query:

WHERE event.signature like ‘%trojan%’

Is this correct? Can you provide me with your feedback?

Thanks,

Mike

CaptureT2.PNG
28
0
Would love your thoughts, please comment.x
()
x