I want to share some tips for approaching the Lockpick3.0 challenge.
Sherlock Scenario on Lockpick3.0
The threat actors of the Lockpick variant of Ransomware seem to have increased their skillset. Thankfully on this occasion they only hit a development, non-production server. We require your assistance performing some reverse engineering of the payload in addition to some analysis of some relevant artifacts. Interestingly, we can’t find evidence of remote access so there is likely an insider threat. Good luck! Please note on the day of release this is being utilized for a workshop, however, it will still be available (and free).
Artefacts for Lockpick3.0 challenge
Upon unzipping the file, we discover three items:
- ubuntu-client – identified as malware.
- ubuntu-client-Snapshot2.vmem – a memory dump from the developer server.
- ubuntu-client-Snapshot2.vmsn – a snapshot capturing the developer server’s state.
Resolution for all questions on Lockpick3.0 Sherlock challenge
Task 1 Please confirm the file hash of the malware? (MD5)
After executing the md5sum ubuntu-client command, I obtained the MD5 hash, which was confirmed to be correct.
Answer: a2444b61b65be96fc2e65924dee8febd
Task 2 Please confirm the XOR string utilized by the attacker for obfuscation?
Before starting the memory dump analysis with Volatility3, I opted to run the strings command first. By using strings ubuntu-client-Snapshot2.vmem | grep ubuntu-client, I could pinpoint the command the attacker used to execute the malicious software. The instances of this command were consistent and relatively few.
Answer: xGonnaGiveIt2Ya
Task 3 What is the API endpoint utilized to retrieve the key?
Before proceeding with dynamic analysis, I first tried to gather information about the binary using the strings command. I was looking for clues that might indicate the complete string necessary for performing the XOR operation. Although I didn’t find anything suitable, I did identify two endpoints: /connect and /upload/.
From the results, I gathered that the attacker first performs the XOR operation to retrieve the address and then combines it with the endpoint I found. I then decided to run ubuntu-client in GDB, but my initial attempt failed due to the absence of the libcrypto.so.1.1 library.
I couldn’t find a corresponding package for the libcrypto.so.1.1 library in the apt package manager, so I searched for a method to build it myself. Using the following commands, I successfully downloaded and compiled the missing library:
wget -c https://www.openssl.org/source/openssl-1.1.1s.tar.gz && \
tar xf openssl-1.1.1s.tar.gz && \
cd openssl-1.1.1s/ && \
./config --prefix="/usr/local/openssl" && \
make
Next, I used the LD_LIBRARY_PATH environment variable to specify where GDB should look for the missing dependencies. By running LD_LIBRARY_PATH=$LD_LIBRARY_PATH:openssl-1.1.1s gdb ubuntu-client, I was able to execute the program. For the malware analysis, I utilized a GDB extension called PEDA, which greatly simplifies software analysis. Within GDB, I ran the info functions command to list the functions used by the malicious software. One function that caught my attention was curl_easy_setopt@plt, indicating it was loaded from an external library. According to the documentation, curl_easy_setopt is used to configure a cURL connection. I then set a breakpoint on this function’s invocation using the command b curl_easy_setopt and began debugging with run xGonnaGiveIt2Ya.
Answer: https://plankton-app-3qigq.ondigitalocean.app/connect
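As an added example (not part of the original write-up or the sample itself), here is a static alternative to the GDB breakpoint: scan a byte blob for strings obfuscated with repeating-key XOR using the key recovered in Task 2, trying every key alignment, so that a URL which plain strings cannot see is recovered without executing the binary. The sample blob, the domain names inside it and the function names are constructed for illustration only.

```python
# Repeating-key XOR string recovery, using the key found in the memory dump (Task 2).
XOR_KEY = b"xGonnaGiveIt2Ya"
PRINTABLE = set(range(0x20, 0x7F))  # printable ASCII, no control characters


def xor_with_key(data: bytes, key: bytes, shift: int = 0) -> bytes:
    """XOR `data` with `key` repeated; `shift` selects which key byte lines up with data[0]."""
    return bytes(b ^ key[(i + shift) % len(key)] for i, b in enumerate(data))


def find_xor_strings(blob: bytes, key: bytes, marker: bytes = b"https://", min_len: int = 8):
    """Decode `blob` under every key alignment and collect printable runs that start with
    `marker`. Returns a sorted list of (offset_in_blob, decoded_string)."""
    hits = set()
    for shift in range(len(key)):
        plain = xor_with_key(blob, key, shift)
        start = 0
        while (idx := plain.find(marker, start)) != -1:
            end = idx
            while end < len(plain) and plain[end] in PRINTABLE:
                end += 1  # extend the run while the decoded bytes stay printable
            if end - idx >= min_len:
                hits.add((idx, plain[idx:end].decode("ascii")))
            start = idx + 1
    return sorted(hits)


# Constructed sample: two encoded base URLs at different offsets (hence different key
# alignments), padded with high-bit bytes that decode to non-printable values.
_ADDR_A = b"https://c2.example.invalid"       # constructed placeholder, not a real IoC
_ADDR_B = b"https://backup.example.invalid"   # constructed placeholder, not a real IoC
SAMPLE_BLOB = (
    b"\xff" * 5
    + xor_with_key(_ADDR_A, XOR_KEY)
    + b"\x80" * 3
    + xor_with_key(_ADDR_B, XOR_KEY)
    + b"\x80" * 2
)

if __name__ == "__main__":
    for offset, url in find_xor_strings(SAMPLE_BLOB, XOR_KEY):
        print(f"offset {offset}: {url}")
```

On a real sample you would read the .rodata or .data section bytes into the blob instead of the constructed one; a hit at a given offset also tells you which key alignment the binary uses.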
Task 4 What is the API endpoint utilized for the upload of files?
Answer: https://plankton-app-3qigq.ondigitalocean.app/upload/
Task 5 What is the name of the service created by the malware?
This task took me the longest to complete. Initially, I felt confused about why Volatility3 and the other Volatility tools did not process the provided memory dumps correctly. Later, I realized I needed to use additional symbols not included by default in Volatility 3. I began by identifying the kernel version used by the machine that created the dump. I ran the command python3 vol.py -f ../ubuntu-client-Snapshot2.vmem banners and found that Ubuntu used kernel version 5.4.0-163-generic.
After spending some time searching through files without success, I decided to look for a .service file related to the execution of the command ubuntu-client xGonnaGiveIt2Ya.
Answer: ubuntu_running.service
Task 6 What is the technique ID utilized by the attacker for persistence?
This task was straightforward; I entered some keywords and clicked on the second link, which took me to the needed answer.
Answer: T1543.002