Cerbero Labs
665 posts

Cerbero Labs
@cprofiler

The Hacker’s Multitool
Malware Triage Made Easy
Visual Memory Forensics

Joined March 2012
0 Following, 2.4K Followers
Cerbero Labs @cprofiler
🚩 Memory Challenge 18: Reminiscent

We're testing our Memory Analysis package (currently in beta: cerbero.io/packages/memor…) against various challenges available online. We found this challenge on Hack The Box (app.hackthebox.com/challenges/Rem…), so credit goes to them for creating it.

The scenario is as follows: "Suspicious traffic was detected from a recruiter's virtual PC. A memory dump of the offending VM was captured before it was removed from the network for imaging and analysis. Our recruiter mentioned he received an email from someone regarding their resume. A copy of the email was recovered and is provided for reference. Find and decode the source of the malware to find the flag."

We tried to find the flag by decoding the malicious PowerShell stages, but since we couldn't download the payload from the final IP, we simply performed a string search and found the flag. Easy peasy.
Cerbero Labs @cprofiler
🚩 Memory Challenge 17: Recollection

We're testing our Memory Analysis package (currently in beta: cerbero.io/packages/memor…) against various challenges available online. We found this challenge on the Memory Forensic site (memoryforensic.com/recollection-c…), so credit goes to them for highlighting it and to Hack The Box (app.hackthebox.com/sherlocks/Reco…) for creating it in the first place.

The scenario is as follows: "A junior member of our security team has been performing research and testing on what we believe to be an old and insecure operating system. We believe it may have been compromised & have managed to retrieve a memory dump of the asset. We want to confirm what actions were carried out by the attacker and if any other assets in our environment might be affected. Please answer the questions below."

We answer all the questions posed by the challenge; the imphash can be found by searching the malware's hash on VirusTotal.
Cerbero Labs @cprofiler
📦🚀 Memory Analysis 0.9 is out!
🪟 GUI artifact extraction
🖥️ Desktop & window reconstruction
📋 Clipboard extraction (incl. Windows 11)
Full details: blog.cerbero.io/memory-analysi…
Cerbero Labs @cprofiler
🚩 Memory Challenge 16: MemLabs Lab 1 - Beginner's Luck

We're testing our Memory Analysis package (currently in beta: cerbero.io/packages/memor…) against various challenges available online. We found this challenge on the Memory Forensic site (memoryforensic.com/memlabs/), so credit goes to them for highlighting it and to MemLabs (github.com/stuxnet999/Mem…) for creating it in the first place.

The description is as follows: "My sister's computer crashed. We were very fortunate to recover this memory dump. Your job is to get all her important files from the system. From what we remember, we suddenly saw a black window pop up with something being executed. When the crash happened, she was trying to draw something. That's all we remember from the time of crash. Note: This challenge is composed of 3 flags."

We retrieve the first and third flags. The second flag requires extracting the raw image data from the mspaint process, and we leave it as an exercise for the reader.
Cerbero Labs @cprofiler
📦🚀 Memory Analysis 0.8.0 is out!
📟 Console information extraction
🔔 Kernel callback support
🐞 Plus assorted fixes & improvements
Full details: blog.cerbero.io/memory-analysi…
Cerbero Labs @cprofiler
🚩 Memory Challenge 15: Hijacked

We're testing our Memory Analysis package (currently in beta: cerbero.io/packages/memor…) against various challenges available online. We found this challenge on Hack The Box (app.hackthebox.com/sherlocks/Hija…), so credit goes to them for creating it.

The scenario is as follows: "Happy Grunwald, the CEO of Forela, decided to expand the company's business in Lahore, Pakistan, and brought along his IT Administrator, Alonzo Spire, to help set up the new office and ensure the company's IT infrastructure was running smoothly. However, they faced some challenges due to the language barrier and unreliable power supply in the area. Despite these challenges, they worked closely with local vendors to set up the new office, and Alonzo ensured the IT infrastructure was secure and reliable. They also made an effort to learn about the local culture and customs, which helped them build relationships with the locals. After a few days, Happy received a call from the UK security team, informing him that his workstation had been compromised, despite having received security awareness training and not opening any suspicious emails or links. A memory dump was retrieved and provided to you as the forensic analyst. Your task is to analyze the memory artefact and provide insight into the threat actor who compromised the workstation."

The challenge is fairly extensive and includes several questions, most of which we address. As a bonus, we extract the malicious stager directly from memory without relying on the provided "First.zip" archive, which we use only for confirmation. We also identify and open an injected executable.
Cerbero Labs @cprofiler
📦 A new version of the InnoSetup Format package is now available. It adds support for Inno Setup 6.7.0, which was released just a few hours ago. You can download the update directly from within Cerbero Suite.

If you're not yet familiar with Cerbero Store, it's our package store for optional components, allowing us to update specific features of Cerbero Suite in a granular way: cerbero.io/suite/
Mortal @Mortal_ol
@cprofiler This is a nice piece of software. Will I get a chance to use it?
Cerbero Labs @cprofiler
🚩 Memory Challenge 14: RogueOne

We're testing our Memory Analysis package (currently in beta: cerbero.io/packages/memor…) against various challenges available online. We found this challenge on the Memory Forensic site (memoryforensic.com/rogueone-chall…), so credit goes to them for highlighting it and to Hack The Box (app.hackthebox.com/sherlocks/Rogu…) for creating it in the first place.

The scenario is as follows: "Your SIEM system generated multiple alerts in less than a minute, indicating potential C2 communication from Simon Stark’s workstation. Despite Simon not noticing anything unusual, the IT team had him share screenshots of his task manager to check for any unusual processes. No suspicious processes were found, yet alerts about C2 communications persisted. The SOC manager then directed the immediate containment of the workstation and a memory dump for analysis. As a memory forensics expert, you are tasked with assisting the SOC team at Forela to investigate and resolve this urgent incident."

We identify the malicious process, the remote address of the C2 server, and the time the connection was created. As a bonus, we also identify a PE injected into the malicious process and load it into our workspace.
Cerbero Labs @cprofiler
🚩 Memory Challenge 13: TeamSpy

We're testing our Memory Analysis package (currently in beta: cerbero.io/packages/memor…) against various challenges available online. We found this challenge on the Memory Forensic site (memoryforensic.com/teamspy-challe…), so credit goes to them for highlighting it and to CyberDefenders (cyberdefenders.org/blueteam-ctf-c…) for creating it in the first place.

The scenario is as follows: "An employee reported that his machine started to act strangely after receiving a suspicious email with a document file. The incident response team captured a couple of memory dumps from the suspected machines for further inspection. As a soc analyst, analyze the dumps and help the IR team figure out what happened!"

We address some of the questions raised by the challenge. We identify the suspicious process, determine the TeamViewer version and then extract the TeamViewer password from the process's user-mode memory. We then carve the Outlook PST file from memory and examine it directly in our workspace. From there, we identify the involved email addresses, the BTC wallet and the VBA function that returns the string executed on the system. As a bonus, we deobfuscate that string and recover the IP address used to download the malicious payload.
Cerbero Labs @cprofiler
🚩 Memory Challenge 12: BlackEnergy

We're testing our Memory Analysis package (currently in beta: cerbero.io/packages/memor…) against various challenges available online. We found this challenge on the Memory Forensic site (memoryforensic.com/blackenergy-ch…), so credit goes to them for highlighting it and to CyberDefenders (cyberdefenders.org/blueteam-ctf-c…) for creating it in the first place.

The scenario is as follows: "A multinational corporation has been hit by a cyber attack that has led to the theft of sensitive data. The attack was carried out using a variant of the BlackEnergy v2 malware that has never been seen before. The company's security team has acquired a memory dump of the infected machine, and they want you, as a soc analyst, to analyze the dump to understand the attack scope and impact."

The challenge consists of several questions. We address the most important ones by identifying the most suspicious (exited) process, locating the process that contains the injected code, finding an unusual referenced file, and identifying the injected DLL loaded by the same process. As a bonus, we load the injected PE directly into our analysis workspace and determine the malware's name via a YARA signature.
Cerbero Labs @cprofiler
📦 The Native Ghidra UI package now works with the latest Ghidra 12.0.
Cerbero Labs @cprofiler
🚩 Memory Challenge 11: BOughT

We're testing our Memory Analysis package (currently in beta: cerbero.io/packages/memor…) against various challenges available online. We found this challenge on Hack The Box (app.hackthebox.com/sherlocks/BOug…), so credit goes to them for creating it.

The scenario is as follows: "A non-technical client recently purchased a used computer for personal use from a stranger they encountered online. Since acquiring the computer, the client has been using it without making any changes, specifically not installing or uninstalling any software. However, they have begun experiencing issues related to internet connectivity. This includes receiving error messages such as "Server Not Found" and encountering difficulties with video streaming. Despite these problems, checks with the Windows Network Troubleshooter indicate no issues with the internet connection itself. The client has provided a memory image and disk artifacts for investigation to determine if there are any underlying issues causing these problems."

The challenge includes several questions. We begin by identifying the suspicious process and examining the mutex it creates. To confirm that the mutex is associated with the malware, we decompile the application directly within the memory dump, analyze its anti-debugging technique, and observe one of the files it opens on disk. Using the AD1 Format package (cerbero.io/packages/ad1fo…), we can access the disk artifacts to inspect the config.ini file accessed by the malware and extract the FQDN of the target website.
Cerbero Labs @cprofiler
📦🚀 Memory Analysis 0.7.6 is out!
🕵️ Code injection detection
🔗 Scan for unlinked modules
🔍 Process pool scan for broken dumps
📁 Extract file object data from lists
📦 Rebuild & analyze mapped executables
🐞 Plus assorted fixes & improvements
Full details: blog.cerbero.io/memory-analysi…
Cerbero Labs @cprofiler
🚩 Memory Challenge 10: Mellitus

We're testing our Memory Analysis package (currently in beta: cerbero.io/packages/memor…) against various challenges available online. We found this challenge on the Memory Forensic site (memoryforensic.com/mellitus-chall…), so credit goes to them for highlighting it and to Hack The Box (app.hackthebox.com/sherlocks/Mell…) for creating it in the first place.

The scenario is as follows: "You've been a SOC analyst for the last 4 years but you've been honing your incident response skills! It’s about time you bite the bullet and go for your dream job as an Incident Responder as that’s the path you’d like your career to follow. Currently you are going through the interview process for a medium size incident response internal team and the cocky interviewing responder has given you a tough technical challenge to test your memory forensics aptitude. Can you get all the questions right and secure the job?"

The challenge contains multiple questions. We identified the suspicious process, how it was downloaded, the attacker's IP, the FTP login attempts and the last visited webpage from the history of Google Chrome.
Cerbero Labs @cprofiler
📦 We released the XST Format package, which adds support for Microsoft Outlook PST and OST email data formats. The package makes it possible to explore every part of an email container, including messages, folder structures, metadata and attachments.
Cerbero Labs @cprofiler
🚩 Memory Challenge 9: BankingTroubles

We're testing our Memory Analysis package (currently in beta: cerbero.io/packages/memor…) against various challenges available online. We found this challenge on the Memory Forensic site (memoryforensic.com/bankingtrouble…), so credit goes to them for highlighting it and to CyberDefenders (cyberdefenders.org/blueteam-ctf-c…) for creating it in the first place.

The scenario is as follows: "Company X has contacted you to perform forensics work on a recent incident that occurred. One of their employees had received an e-mail from a co-worker that pointed to a PDF file. Upon opening, the employee did not notice anything; however, they recently had unusual activity in their bank account. The initial theory is that a user received an e-mail, containing a URL leading to a forged PDF document. Opening that document in Acrobat Reader triggers a malicious JavaScript that initiates a sequence of actions to take over the victim's system. Company X was able to obtain a memory image of the employee's virtual machine upon suspected infection and asked you as a security blue team analyst to analyze the virtual memory and provide answers to the questions."

The challenge contains multiple questions, but the most interesting one asks you to extract the final payload from the shellcode embedded in the PDF's JavaScript.
Cerbero Labs @cprofiler
📦 Version 3 of our state-of-the-art InnoSetup Format package is now available and includes support for the latest releases of InnoSetup and the recently introduced full encryption mode. In addition to the format itself and file extraction, make sure to install the IFPS Format package to inspect the code of setup scripts.
Cerbero Labs @cprofiler
🚩 Memory Challenge 8: MemLabs Lab 4 - Obsession

We're testing our Memory Analysis package (currently in beta: cerbero.io/packages/memor…) against various challenges available online. We found this challenge on the Memory Forensic site (memoryforensic.com/memlabs/), so credit goes to them for highlighting it and to MemLabs (github.com/stuxnet999/Mem…) for creating it in the first place.

The description is as follows: "My system was recently compromised. The Hacker stole a lot of information but he also deleted a very important file of mine. I have no idea on how to recover it. The only evidence we have, at this point of time is this memory dump. Please help me. Note: This challenge is composed of only 1 flag. The flag format for this lab is: inctf{s0me_l33t_Str1ng}"

Although this challenge is rated as medium difficulty, it took us only a minute to solve, thanks to the file scan action.
Cerbero Labs @cprofiler
📦 We released the AD1 Format package, which adds basic support for AccessData Custom Content Image files. AD1 images are logical evidence containers created by FTK Imager and other AccessData tools, used to store selected files or folders from a system rather than a full physical disk image.