Lab1 Forensics

The document details a lab exercise on identifying and analyzing a malware attack using a backdoor technique with Metasploit on a Kali Linux machine. It outlines the process of detecting malicious activity through various tools, including Task Manager, Sysinternals Suite, and online analysis platforms, ultimately confirming the presence of a malicious file named shellcode.exe. Recommendations for addressing the infection and preventing future attacks are also provided, emphasizing the importance of robust security measures and user education.


Lab 1: Is your PC hacked?

Diya .
Huyen Ho
Leslie Macalingdong

1 ICT: Computer Forensics


© 2017, Southern Alberta Institute of Technology
Table of Contents
Malware Infestation: 3
Tracing the Data using Digital Forensics: 7
Gathering more evidence using Online tools: 14
Conclusion: 20
Recommendations to Fix and Keep Safe: 20

Malware Infestation:
In this exercise, we simulated a malware attack using a backdoor technique.
Our platform of choice was a Kali Linux machine, a popular choice for
penetration testing and ethical hacking.
We employed Metasploit, specifically its command-line interface msfconsole,
to create a backdoor. Metasploit is a powerful penetration testing framework
that makes discovering, exploiting, and sharing vulnerabilities quick and
relatively painless.
Our first step was to generate binary code using a reverse HTTP payload.
Following that, we used a tool called Four-Eye to create a shellcode. This
shellcode was designed to be injected into a target machine, effectively
creating a backdoor.

Next, we set up a payload using the reverse HTTP method in msfconsole.
With a reverse payload, the target machine initiates the connection back to
the attacker's machine, essentially reversing the typical connection
direction.

To execute the command, we set up an HTTP server on another terminal.
This allowed the target machine to connect to the attacker’s IP address and
HTTP port, and download the infected file.

Proof from target machine:

In summary, Metasploit's msfconsole is a versatile tool in the realm of
cybersecurity, allowing for the creation of backdoors, the injection of
shellcodes, and the execution of reverse HTTP payloads. It's a key
component in penetration testing and ethical hacking exercises, providing
valuable insights into potential vulnerabilities and exploits.

Tracing the Data using Digital Forensics:
Here are some traces of malicious activity:
1. In the Task Manager, we identified a process named shellcode.exe
under the "Details" tab. Upon inspecting the properties of this
particular process, we observed that it possesses certain privileges.
The screenshot here serves as evidence. It shows the Task Manager's
"Details" tab with shellcode.exe highlighted. Additionally, the
properties window for shellcode.exe is open, displaying the "Security"
tab. This tab reveals the permissions for SYSTEM and Administrators,
which include Full control, Modify, Read & Execute, Read, and Write.
Both SYSTEM and Administrators have all these permissions allowed,
indicating that shellcode.exe has significant privileges on the system.

2. Virus & Threat Protection settings:

Upon executing the infected file in our Windows Virtual Machine, we
observed an alert in the Virus & Threat Protection settings. The system
identified a severe threat named "Trojan:Win64/CobaltStrike.BE!MTB".
This threat was detected on May 17, 2024, at 10:06 PM.

The status of the threat was marked as "Quarantined", indicating that
the system had successfully isolated the threat to prevent it from
causing harm to the device. The details provided by the system
described the program as dangerous because it executes commands
from an attacker. The infected file, located at "C:\Users\Diya\
Downloads\shellcode.exe", was the source of this threat.

This incident underscores the importance of robust threat detection
and response mechanisms in safeguarding systems against malware
attacks. It also highlights the potential risks associated with executing
unknown or suspicious files. As always, it's crucial to exercise caution
and utilize reliable security tools to protect your systems.

3. In our next step, we utilized the Sysinternals Suite, a collection of
system utilities designed to provide detailed information about various
aspects of the Windows operating system. Instead of using the
Autoruns utility, we opted for Process Explorer.

a. Upon launching Process Explorer, we discovered shellcode.exe
listed as an active process. This provided us with our third piece of
evidence regarding the presence of shellcode.exe.
The properties dialog box for shellcode.exe was open, showing
various tabs such as Image, Performance, Environment, Job, TCP/IP,
Security, Strings, and Threads. The Image tab was currently
selected and provided detailed information about the shellcode.exe
process including its path (C:\Users\sys\Downloads\shellcode.exe),
parent (firefox.exe), command line used to start it, current
directory, environment variables associated with it, and other
details like user name and description.

b. This tool provides a more detailed view of the processes running on
a system, including network activity.

The screenshot here shows Process Explorer with shellcode.exe listed
as an active process. More importantly, under the "TCP/IP" tab, we can
see network activity associated with this process. The local address is
listed as "desktop-fuspn4a", and the remote address is the IP address
"100.1.2.2:2000". The state of this connection is listed as
"ESTABLISHED".

This information provides us with another piece of evidence about
shellcode.exe. It not only confirms that shellcode.exe is an active
process on the system but also shows that it's communicating over the
network with a specific IP address. This could indicate that
shellcode.exe is part of network-based command-and-control activity.

c. In the final piece of evidence, we utilized the Sysinternals Suite to
examine the security settings of shellcode.exe. The screenshot here
shows the properties of shellcode.exe with the "Security" tab open.
This tab lists various security settings related to shellcode.exe,
including group or user names like 'SYSTEM', 'Administrators', 'Users',
and their associated permissions like 'Full Control', 'Read & Execute',
etc. Each entry specifies whether the permission is allowed or denied.

4. In the final phase of our investigation, we utilized Wireshark, a
renowned network protocol analyzer. This tool allowed us to capture
and interactively browse the traffic running on a computer network.
During the Wireshark capture, we noticed an unusual link in the
information field. When we applied this packet as a filter, we found the
exact link from which the target machine downloaded the infected
executable file. This was found under the HTTP (Hypertext Transfer
Protocol) section in the left pane. Moreover, we were able to identify
the IP address of the attacker’s machine and the IP address they chose
to use. This information is crucial as it provides insight into the origin
of the attack and the potential location of the attacker.

In the next step, we plan to use various online tools to further analyze
the malicious file. These tools will help us understand the nature of the
file, its behavior, and the potential risks associated with it.
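As an added example (not part of the lab report), the correlation from steps 3a and 3b done from the command line: a Python script that joins `netstat -ano` output with a process listing and flags ESTABLISHED connections to non-private addresses, reporting the owning image path and parent process. The two inputs are constructed samples shaped like the lab's findings (shellcode.exe under Downloads, parent firefox.exe, remote 100.1.2.2:2000); the `wmic` CSV column layout is an assumption about that tool's output.

```python
import csv
import io
import ipaddress
import re
# Constructed sample in the layout of `netstat -ano` (not captured data).
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.56.101:49712   100.1.2.2:2000         ESTABLISHED     4120
  TCP    192.168.56.101:49730   192.168.56.1:445       ESTABLISHED     4
"""
# Constructed sample in the assumed layout of `wmic process get ... /format:csv`.
PROCESSES = """\
Node,ExecutablePath,Name,ParentProcessId,ProcessId
DESKTOP-FUSPN4A,C:\\Users\\sys\\Downloads\\shellcode.exe,shellcode.exe,3310,4120
DESKTOP-FUSPN4A,C:\\Program Files\\Mozilla Firefox\\firefox.exe,firefox.exe,1500,3310
DESKTOP-FUSPN4A,C:\\Windows\\System32\\svchost.exe,svchost.exe,700,912
"""
NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

def parse_netstat(text):
    """Return (local, remote, state, pid) for each TCP line."""
    return [(m[1], m[2], m[3], int(m[4]))
            for m in map(NETSTAT_RE.match, text.splitlines()) if m]

def parse_processes(text):
    """Map PID -> (name, path, parent PID) from the wmic CSV output."""
    return {int(r["ProcessId"]): (r["Name"], r["ExecutablePath"], int(r["ParentProcessId"]))
            for r in csv.DictReader(io.StringIO(text))}

def is_external(remote):
    """True if the host part of 'ip:port' is a globally routable address."""
    try:
        return ipaddress.ip_address(remote.rpartition(":")[0]).is_global
    except ValueError:  # a hostname rather than an address
        return False

def suspicious_connections(netstat_text, process_text):
    """ESTABLISHED external connections, with owning process, parent and Downloads flag."""
    procs = parse_processes(process_text)
    hits = []
    for _local, remote, state, pid in parse_netstat(netstat_text):
        if state != "ESTABLISHED" or not is_external(remote):
            continue
        name, path, ppid = procs.get(pid, ("<unknown>", "", 0))
        hits.append({"pid": pid, "process": name, "path": path, "remote": remote,
                     "parent": procs.get(ppid, ("<unknown>",))[0],
                     "from_downloads": "\\downloads\\" in path.lower()})
    return hits
```

Calling `suspicious_connections(NETSTAT, PROCESSES)` on the samples returns only the shellcode.exe entry; the SMB session to 192.168.56.1 is skipped because that address is private.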

Gathering more evidence using Online tools:
1. DocGuard.io:
In our continued investigation, we utilized an online tool called
DocGuard.io. This tool is designed to analyze and provide detailed
information about potentially malicious files.
The screenshot here shows the results of the analysis for
shellcode.exe. The tool identified various details about the file, such as
its name, hash values, and other metadata like submission time and
machine type. It also categorized the file as "Unknown", indicating that
it couldn't definitively classify the file based on its database.

This analysis provides us with valuable insights into the nature of
shellcode.exe. It confirms that the file exhibits characteristics typically
associated with malicious files. However, the "Unknown" classification
suggests that further analysis may be necessary to fully understand
the potential risks associated with this file.

2. Intezer Analyze:
a. We utilized an online tool known as Intezer Analyze. This tool
specializes in malware analysis and threat detection by dissecting
the binary code of suspicious files and comparing it with known
malicious and benign software.

b. The picture here shows the results of the analysis for shellcode.exe
using the online tool Intezer Analyze. The tool has identified two
strings within the file:

- shellcode with subtext GNU C 9.0 (Linux) 2.23.20130314
  std=gnu99 -march=native
- macro:6F8A54... followed by truncated text, indicating it is likely
  a signature or identifier for a piece of malware, and ends with
  -O2 -g -fno-strict-aliasing -fno-PIE

These strings are significant as they provide insights into the
composition and behavior of the shellcode.exe file. The first string
suggests that the file was compiled using the GNU C compiler on a
Linux system, while the second string appears to be a unique
identifier associated with the file.
It confirms that the file is indeed malicious and exhibits behavior
typically associated with harmful software.

c. Two strings of Admin Tool:

d. All Strings found:

3. VirusTotal:
In the final stage of our investigation, we utilized an online tool known
as VirusTotal. This tool specializes in malware detection and analysis by
scanning files and URLs through various antivirus engines and website
scanners.

Found the details of the file:

Here are the header and sections of the executable file:

Conclusion:
The investigation confirmed that the target machine was compromised by
shellcode.exe, a malicious file exhibiting typical backdoor behavior. The
process analysis, threat detection, network activity, and further online
analysis all corroborated this finding.

Recommendations to Fix and Keep Safe:
To address this, immediate actions should be taken, such as isolating the
infected machine by disconnecting it from the network to prevent further
damage or data exfiltration, removing malicious files using reputable
antivirus software, and restoring the system from a known good backup if
possible.
Preventive measures include keeping the operating system and all software
up-to-date to patch known vulnerabilities, using comprehensive antivirus and
anti-malware solutions that are always up-to-date, implementing firewalls
and intrusion detection/prevention systems to monitor and control network
traffic, educating users about the risks of downloading and executing
unknown files and the importance of security best practices, and regularly
auditing system and network activity for any signs of suspicious behavior. By
following these steps, the risk of future infections can be mitigated, and a
secure computing environment can be maintained.
