CA Skills Assessment 2 - Dion A Webiaswara

The infected computer was located at internal IP 192.168.1.96. It was infected on June 27, 2017 at 13:38:32 UTC when the user accessed a malicious domain, which led to the download of the Pushdo trojan. Pushdo then downloaded additional malicious files, including gerv.gun from matied.com, trow.exe from lounge-haarstudio.nl, and wp.exe from vantagepointtechnologies.com. These files were detected as malicious by the majority of antivirus engines on VirusTotal. The infection initiated when the user performed a DNS lookup for the domain myip.opendns.com, which resolved to the external IP 208.67.222
CyberOps Associates v1.0 - Skills Assessment
Introduction
You have been hired as a junior security analyst. As part of your training, you were tasked to determine any
malicious activity associated with the Pushdo trojan.
You will have access to the internet to learn more about the events. You can use websites, such as VirusTotal,
to upload and verify threat existence.
The tasks below are designed to provide some guidance through the analysis process.
You will practice and be assessed on the following skills:
- Evaluate event alerts using Sguil and Kibana.
- Use Google search as a tool to obtain intelligence on a potential exploit.
- Use VirusTotal to upload and verify threat existence.
Content for this assessment was obtained from http://www.malware-traffic-analysis.net/ and is used with
permission. We are grateful for the use of this material.

Required Resources
- Host computer with at least 8GB of RAM and 45GB of free disk space
- Latest version of Oracle VirtualBox
- Security Onion virtual machine requires 4GB of RAM using 25GB disk space
- Internet access

Instructions

Part 1: Gather the Basic Information


In this part, you will review the alerts listed in the Security Onion VM and gather basic information for the
time frame of interest.

Step 1: Verify the status of services


a. Log into the Security Onion VM with the username analyst and password cyberops.
b. Open a terminal window. Enter the sudo so-status command to verify that all the services are ready.
The verification result in the terminal is as follows:

 2020 - 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 1 of 12 www.netacad.com

c. When the nsm service is ready, log into Sguil or Kibana with the username analyst and password
cyberops.

Step 2: Gather basic information.


Questions:

a. Identify time frame of the Pushdo trojan attack, including the date and approximate time.
On 2017-06-27, from 13:38:34 to 13:44:32 UTC.

b. List the alerts noted during this time frame associated with the trojan.
ET CURRENT_EVENTS WinHttpRequest Downloading EXE
ET POLICY PE EXE or DLL Windows file download HTTP
ET POLICY PE EXE or DLL Windows file download HTTP
ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being
hostile
ET POLICY PE EXE or DLL Windows file download HTTP
ET POLICY External IP Lookup Domain (myip.opendns .com in DNS lookup)
ET TROJAN Backdoor.Win32.Pushdo.s Checkin
ET TROJAN Pushdo.S CnC response
ET POLICY TLS possible TOR SSL traffic

 2020 - 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 2 of 12 www.netacad.com
CyberOps Associates v1.0 - Skills Assessment

our ans

c. List the internal IP addresses and external IP addresses involved.


Internal IP addresses:
192.168.1.96
External IP addresses:
143.95.151.192
119.28.70.207
145.131.10.21
62.210.140.158
208.67.222.222
208.83.223.34
198.1.85.250
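As an added example (not part of the assessment or of Cisco's lab material), the following Python script performs the Part 1, Step 2 triage over constructed alert records modelled on the alert names and addresses above: it derives the time frame, collapses repeated rule names into counts, and separates internal (RFC 1918) from external addresses for the victim host. The records, timestamps and the "unrelated" alert are all constructed sample data.

```python
"""Added triage helper (Part 1, Step 2) over Sguil-style alert records."""
from collections import Counter
from datetime import datetime
from ipaddress import ip_address

# Constructed sample alerts (UTC timestamp, src, dst, signature) modelled on
# the alert names and addresses recorded above; not the lab's real export.
ALERTS = [
    ("2017-06-27 13:38:34", "192.168.1.96", "208.67.222.222",
     "ET POLICY External IP Lookup Domain (myip.opendns .com in DNS lookup)"),
    ("2017-06-27 13:39:10", "192.168.1.96", "143.95.151.192",
     "ET CURRENT_EVENTS WinHttpRequest Downloading EXE"),
    ("2017-06-27 13:39:11", "143.95.151.192", "192.168.1.96",
     "ET POLICY PE EXE or DLL Windows file download HTTP"),
    ("2017-06-27 13:39:40", "145.131.10.21", "192.168.1.96",
     "ET POLICY PE EXE or DLL Windows file download HTTP"),
    ("2017-06-27 13:40:02", "192.168.1.96", "208.83.223.34",
     "ET TROJAN Backdoor.Win32.Pushdo.s Checkin"),
    ("2017-06-27 13:40:03", "208.83.223.34", "192.168.1.96",
     "ET TROJAN Pushdo.S CnC response"),
    ("2017-06-27 13:44:32", "192.168.1.96", "198.1.85.250",
     "ET POLICY TLS possible TOR SSL traffic"),
    # Another host in the same window: must not pollute the victim's triage.
    ("2017-06-27 13:41:00", "192.168.1.50", "203.0.113.9",
     "ET INFO constructed unrelated alert"),
]

def triage(alerts, victim):
    """Return (first, last, signature_counts, internal_ips, external_ips)
    for every alert in which `victim` is the source or the destination."""
    hits = [a for a in alerts if victim in (a[1], a[2])]
    if not hits:
        return None
    times = sorted(datetime.strptime(a[0], "%Y-%m-%d %H:%M:%S") for a in hits)
    # Counter keeps first-seen order; repeated rule names (the PE download
    # rule fires once per file) collapse to one entry with a count.
    signatures = Counter(a[3] for a in hits)
    internal, external = set(), set()
    for a in hits:
        for ip in (a[1], a[2]):
            (internal if ip_address(ip).is_private else external).add(ip)
    return (times[0], times[-1], signatures,
            sorted(internal, key=ip_address), sorted(external, key=ip_address))

if __name__ == "__main__":
    first, last, sigs, internal, external = triage(ALERTS, "192.168.1.96")
    print(f"{first} to {last} UTC", dict(sigs), internal, external, sep="\n")
```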


Part 2: Learn about the Exploit


In this part, you will learn more about the exploit.

Step 1: Infected host


Questions:

a. Based on the alerts, what are the IP and MAC addresses of the infected computer? Based on the MAC
address, what is the vendor of the NIC chipset? (Hint: NetworkMiner or internet search)
IP address: 192.168.1.96
MAC address: 00-15-C5-DE-C7-3B
NIC Vendor: Dell Inc.


b. Based on the alerts, when (date and time in UTC) and how was the PC infected? (Hint: Enter the
command date in the terminal to determine the time zone for the displayed time)
The PC was infected with the malware on 2017-06-27 at 13:38:32 UTC (Coordinated Universal Time).

How did the malware infect the PC? Use an internet search as necessary.
The user on the PC with IP address 192.168.1.96 accessed a malicious domain, after which the Pushdo
trojan was used to install malware. Pushdo is a "downloader" trojan whose purpose is to download and
install additional malicious software. When executed, Pushdo reports back to one of several control
server IP addresses embedded in its code. The server listens on TCP port 80 and pretends to be an Apache
web server. If the HTTP request contains the right parameters, one or more executable programs are sent
via HTTP. Which malware Pushdo downloads depends on the value that follows the "s-underscore" part of
the URL (Uniform Resource Locator).
Pushdo tracks the victim's IP address, whether or not the user is an administrator on the PC, the serial
number of the primary hard drive (obtained via the SMART_RCV_DRIVE_DATA IO control code), whether the
filesystem is NTFS, how many times the victim's system has executed the Pushdo variant, and the Windows
OS version returned by the GetVersionEx API call.

Step 2: Examine the exploit.


Questions:

a. Based on the alerts associated with HTTP GET request, what files were downloaded? List the malicious
domains observed and the files downloaded.
gerv.gun -> matied.com/gerv.gun

 2020 - 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 5 of 12 www.netacad.com
CyberOps Associates v1.0 - Skills Assessment

trow.exe -> lounge-haarstudio.nl/trow.exe

 2020 - 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 6 of 12 www.netacad.com
CyberOps Associates v1.0 - Skills Assessment

wp.exe -> vantagepointtechnologies.com/wp.exe


Using any available tools in the Security Onion VM, determine and record the SHA256 hash for the
downloaded files that probably infected the computer.
gerv.gun = 0931537889c35226d00ed26962ecacb140521394279eb2ade7e9d2afcf1a7272

 2020 - 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 7 of 12 www.netacad.com
CyberOps Associates v1.0 - Skills Assessment

trow.exe = 94a0a09ee6a21526ac34d41eabf4ba603e9a30c26e6a1dc072ff45749dfb1fe1

wp.exe = 79d503165d32176842fe386d96c04fb70f6ce1c8a485837957849297e625ea48


b. Navigate to www.virustotal.com and input the SHA256 hash to determine if these were detected as malicious
files. Record your findings, such as file type and size, other names, and target machine. You can also
include any information that is provided by the community posted in VirusTotal.
gerv.gun:
58 engines detected this file
File type: Win32 EXE
File size: 236.00 KB (241664 bytes)
Names:
gerv.gun
test
tmp523799.697
tmp246975.343
tmp213582.420
extract-1498570714.111294-HTTP-FG0jno3bJLiIzR4hrh.exe
0931537889c35226d00ed26962ecacb140521394279eb2ade7e9d2afcf1a7272.bin.vector.tui
Target Machine: Intel 386 or later processors and compatible processors

trow.exe:
61 engines detected this file
File type: Win32 EXE
File size: 323.00 KB (330752 bytes)
Names:
Pedals
Pedals.exe
trow.exe
test3

 2020 - 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 9 of 12 www.netacad.com
CyberOps Associates v1.0 - Skills Assessment

2017-06-28_18-18-14.exe
bma2beo4.exe
Target Machine: Intel 386 or later processors and compatible processors

wp.exe:
56 engines detected this file
File type: Win32 EXE
File size: 300.50 KB (307712 bytes)
Names:
wp.exe
test2
test_3
4da48f6423d5f7d75de281a674c2e620.virobj
wp.exe.x-msdownload
Target Machine: Intel 386 or later processors and compatible processors

 2020 - 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 10 of 12 www.netacad.com
CyberOps Associates v1.0 - Skills Assessment

Type your answers here.

c. Examine other alerts associated with the infected host during this timeframe and record your findings.
ET POLICY External IP Lookup Domain (myip.opendns .com in DNS lookup) -> the infection began when the
user on PC 192.168.1.96 performed a DNS lookup through a malicious domain to destination IP address
208.67.222.222

 2020 - 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 11 of 12 www.netacad.com
CyberOps Associates v1.0 - Skills Assessment

Step 3: Report Your Findings


Summarize your findings based on the information you have gathered from the previous parts.
The analysis shows that the host with IP address 192.168.1.96, a PC running Windows, accessed a malicious
domain for a DNS query and was infected with the Pushdo trojan. The Pushdo trojan pretends to be an Apache
web server listening on HTTP port 80. After the infection, the Pushdo trojan downloaded various malware. On
the infected PC, three malware files were downloaded and installed: gerv.gun, trow.exe and wp.exe. These
files were checked on virustotal.com using their SHA256 hashes, which showed that they are verified as
malware by many sources.

End of document

 2020 - 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 12 of 12 www.netacad.com

You might also like