REvil Ransomware Emergency Response
2022-06-23 17:52:00 [Khan Security Team]
After loading the Mandiant Redline analysis file named AnalysisSession1, I navigate to "Analyze Data > Users" to identify the users present on the infected host. Here I can see the employee's full name:
2. What is the operating system of the infected host?
To find the operating system of the infected host, navigate to "Analyze Data > System Information" and view the operating system details:
3. What is the name of the malicious executable opened by the user?
Based on the room title and the challenge description, the infected host appears to have been infected with REvil ransomware. Searching online, I found this Secureworks article:
REvil/Sodinokibi Ransomware
Author: Counter Threat Unit Research Team. REvil (also known as Sodinokibi) ransomware was first identified on April 17 ......
Reading through the article, I learned that, as part of the ransomware delivery, the threat actors used a strategic web compromise (SWC): they compromised the Italian WinRAR website and replaced the WinRAR installer executable with a malicious copy that delivered REvil. The SWC led to infections on the systems of unsuspecting WinRAR customers.
In Redline, I navigate to "Analyze Data > File System" and find the malicious WinRAR executable opened by the user:
4. What is the full URL the user accessed when downloading the malicious binary? (Include the binary in the answer.)
In Redline, I navigate to "Analyze Data > File Download History" and find the source URL used to download the malicious binary:
5. What is the MD5 hash of the binary?
To find the MD5 hash of the malicious WinRAR binary, navigate to "Analyze Data > File System" in Redline, then double-click the WinRAR entry for more details, including its file hashes:
6. What is the size of the binary file in kilobytes?
To find the size of the malicious WinRAR binary, navigate to "Analyze Data > File System" in Redline, then double-click the WinRAR entry for more details, including the file size:
7. What extension are the user's files renamed to?
According to the SecureWorks article cited above, REvil checks whether the rnd_ext value exists in the Software\recfg registry key. This value holds the random extension, generated at run time, that is appended to encrypted files. If the registry value does not exist, the malware generates a random string of lowercase letters (a-z) and digits (0-9), between 5 and 10 characters long (inclusive), beginning with a period (for example, .9781xsd4).
In Redline, I navigate to "Analyze Data > File System" and see a random file extension that matches the description and example above:
8. How many files were renamed and changed to this extension?
To confirm the number of files renamed to the extension identified in question 7, I navigate to "Analyze Data > Timeline" and filter on the extension in the Summary column:
9. What is the full path of the wallpaper changed by the attacker, including the image name?
Per SecureWorks, if the encryption process succeeds, REvil changes the desktop background to make the victim aware of the threat. REvil saves the image to the host's %Temp% directory under a random file name of 3 to 13 lowercase letters and digits, with a ".bmp" extension (for example, C:\Users\<user>\AppData\Local\Temp\cd2sxy.bmp).
In Redline, I navigate to "Analyze Data > Timeline" and filter for any file with the .bmp extension. I find a file that matches the SecureWorks description:
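The checks in questions 7, 8 and 9 (spot the random extension, count the files carrying it, find the randomly named .bmp in %Temp%) can be done with a small script instead of eyeballing the Redline timeline. The following is an added example of my own, not code from the original walkthrough, from Redline or from the Secureworks article: it runs over a plain list of file paths (a constructed sample below stands in for a Redline file-system export), encodes the two naming patterns the article describes as regular expressions, and assumes %Temp% resolves to the user's AppData\Local\Temp folder. The extension value .9781xsd4 and the name cd2sxy.bmp are reused from the examples in the text, the other file names are invented.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample listing (stands in for a Redline "File System" export).
SAMPLE_LISTING = [
    r"C:\Users\John Coleman\Documents\budget.xlsx.9781xsd4",
    r"C:\Users\John Coleman\Documents\report.docx.9781xsd4",
    r"C:\Users\John Coleman\Pictures\holiday.jpg.9781xsd4",
    r"C:\Users\John Coleman\Desktop\notes.txt",
    r"C:\Users\John Coleman\AppData\Local\Temp\cd2sxy.bmp",
    r"C:\Users\John Coleman\AppData\Local\Temp\tmp1234.tmp",
    r"C:\Users\John Coleman\Pictures\wallpaper_original.bmp",
    r"C:\Users\John Coleman\AppData\Local\app\cache.sqlite",
    r"C:\Windows\System32\kernel32.dll",
]

# Extension REvil generates when rnd_ext is absent: a period followed by
# 5 to 10 lowercase letters or digits (question 7).
RND_EXT_RE = re.compile(r"\.[a-z0-9]{5,10}")
# Wallpaper name dropped in %Temp%: 3 to 13 lowercase letters/digits + .bmp
# (question 9).
TEMP_BMP_RE = re.compile(r"[a-z0-9]{3,13}\.bmp")
# Assumption: %Temp% is the per-user AppData\Local\Temp folder.
TEMP_SUFFIX = r"\appdata\local\temp"


def find_random_extensions(paths):
    """Count files whose last extension looks like a REvil-generated one.

    Because REvil appends its extension after the original one, a hit must
    still carry an inner extension (e.g. ".xlsx"); this keeps ordinary
    5-10 character extensions such as ".sqlite" from being counted.
    """
    counts = Counter()
    for p in paths:
        path = PureWindowsPath(p)
        if not RND_EXT_RE.fullmatch(path.suffix):
            continue
        inner = PureWindowsPath(path.stem).suffix
        if not inner:
            continue
        counts[path.suffix] += 1
    return counts


def dominant_extension(paths, min_files=2):
    """Return (extension, count) for the most common candidate, or None.

    A single odd file name is not evidence; a ransomware run renames many
    files, so require at least min_files hits (question 8 is this count).
    """
    counts = find_random_extensions(paths)
    if not counts:
        return None
    ext, n = counts.most_common(1)[0]
    return (ext, n) if n >= min_files else None


def find_temp_wallpapers(paths):
    """Return paths of randomly named .bmp files sitting directly in %Temp%."""
    hits = []
    for p in paths:
        path = PureWindowsPath(p)
        parent = str(path.parent).lower()
        if parent.endswith(TEMP_SUFFIX) and TEMP_BMP_RE.fullmatch(path.name):
            hits.append(p)
    return hits


def triage(paths):
    """Bundle the three checks into one report dictionary."""
    dom = dominant_extension(paths)
    return {
        "encrypted_extension": dom[0] if dom else None,
        "encrypted_file_count": dom[1] if dom else 0,
        "wallpaper_candidates": find_temp_wallpapers(paths),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LISTING).items():
        print(f"{key}: {value}")
```

On a real case, replace SAMPLE_LISTING with the path column of the Redline export; the wallpaper check is deliberately strict (directly under Temp, lowercase letters and digits only) so that legitimate .bmp files elsewhere, such as the Pictures entry in the sample, are not reported.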
10. The attacker left a note for the user on the desktop; provide the note's name with its extension.
In Redline, I navigate to "Analyze Data > File System" and find the note left by the attacker on the user's desktop:
11. The attacker created a "Links for United States" folder under C:\Users\John Coleman\Favorites\ and left a file there. Provide the file name.
In Redline, I navigate to "Analyze Data > File System" and find the file left by the attacker under "C:\Users\John Coleman\Favorites\":
12. A 0-byte hidden file was created on the user's desktop. Provide the name of the hidden file.
In Redline, I navigate to "Analyze Data > File System" and search for a 0-byte file:
13. The user downloaded a decryptor, hoping to decrypt all the files, but it failed. Provide the MD5 hash of the decryptor file.
In Redline, I navigate to "Analyze Data > File System" and see a file named "decryp.tor.exe". I double-click the entry and see its MD5 hash:
14. In the ransom note, the attacker provided a URL, reachable through a normal browser, to decrypt one of the encrypted files for free. The user tried to access it. Provide the full URL path.
Reading through the SecureWorks article, the ransom note instructs the victim to use a unique URL to decrypt their files. The website offers a trial decryption to prove to the victim that the files can be decrypted, as shown in the figure below:
Looking at the image, I can see that the word "Decryptor" forms part of the unique URL. In Redline, I navigate to "Analyze Data > Browser URL History" and filter on the keyword "Decryptor":
15. What are the three names associated with the malware that infected this host? (Enter the names in alphabetical order.)
I already know that the host was infected by REvil ransomware