Forensics

This is a memory dump of compromised system, do some forensics kung-fu to explore the inside.

Forensics

💢 We will cover the topics

System Forensic
Volatility Framework

Task 1 Volatility forensics

This is a memory dump of the infected system download the file.

md5 hash of uncompressed file is ba44c4b977d28132faeb5fb8b06debce

Download the victim.zip

No answer needed

Whats is the OS of this Dump? (Just write OS name in small)

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
kali@kali:~/CTFs/tryhackme/Forensics/Task 1$ vol.py -f victim.raw imageinfo
Volatility Foundation Volatility Framework 2.6.1
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/home/kali/CTFs/tryhackme/Forensics/Task 1/victim.raw)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf800028420a0L
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff80002843d00L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2019-05-02 18:11:45 UTC+0000
     Image local date and time : 2019-05-02 11:11:45 -0700

windows

Whats is the PID of SearchIndexer ?

1
2
3
kali@kali:~/CTFs/tryhackme/Forensics/Task 1$ vol.py -f victim.raw --profile=Win7SP1x64 pslist | grep SearchIndexer
Volatility Foundation Volatility Framework 2.6.1
0xfffffa8003367060 SearchIndexer.         2180    504     11      629      0      0 2019-05-02 18:03:32 UTC+0000

2180

What is the last directory accessed by the user? (Just write last folder name as it is?

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
kali@kali:~/CTFs/tryhackme/Forensics/Task 1$ vol.py -f victim.raw --profil=Win7SP1x64 shellbags
Volatility Foundation Volatility Framework 2.6.1
Scanning for registries....
Gathering shellbag items and building path tree...
***************************************************************************
Registry: \??\C:\Users\victim\AppData\Local\Microsoft\Windows\UsrClass.dat 
Key: Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0
Last updated: 2019-04-27 10:48:33 UTC+0000
Value   Mru   File Name      Modified Date                  Create Date                    Access Date                    File Attr                 Path
------- ----- -------------- ------------------------------ ------------------------------ ------------------------------ ------------------------- ----
0       0     deleted_files  2019-04-27 10:30:26 UTC+0000   2019-04-27 10:38:24 UTC+0000   2019-04-27 10:38:24 UTC+0000   NI, DIR                   Z:\logs\deleted_files
***************************************************************************

deleted_files

Task 2 Task2

Dig little more…

There are many suspicious open port, which is it ?(protocol:port)

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
kali@kali:~/CTFs/tryhackme/Forensics/Task 2$ vol.py -f victim.raw --profile=Win7SP1x64 netscan
Volatility Foundation Volatility Framework 2.6.1
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x5c201ca0         UDPv4    0.0.0.0:5005                   *:*                                   2464     wmpnetwk.exe   2019-05-02 18:05:14 UTC+0000
0x5c201ca0         UDPv6    :::5005                        *:*                                   2464     wmpnetwk.exe   2019-05-02 18:05:14 UTC+0000
0x5c49cbb0         UDPv4    0.0.0.0:59471                  *:*                                   1368     svchost.exe    2019-05-02 18:03:06 UTC+0000
0x5c4a31c0         UDPv4    0.0.0.0:59472                  *:*                                   1368     svchost.exe    2019-05-02 18:03:06 UTC+0000
0x5c4a31c0         UDPv6    :::59472                       *:*                                   1368     svchost.exe    2019-05-02 18:03:06 UTC+0000
0x5c4ac630         UDPv4    0.0.0.0:3702                   *:*                                   1368     svchost.exe    2019-05-02 18:03:14 UTC+0000
0x5c4ac630         UDPv6    :::3702                        *:*                                   1368     svchost.exe    2019-05-02 18:03:14 UTC+0000
0x5c519b30         UDPv4    0.0.0.0:3702                   *:*                                   1368     svchost.exe    2019-05-02 18:03:14 UTC+0000
0x5c537ec0         UDPv4    0.0.0.0:3702                   *:*                                   1368     svchost.exe    2019-05-02 18:03:14 UTC+0000
0x5c690360         UDPv4    0.0.0.0:0                      *:*                                   1004     svchost.exe    2019-05-02 18:02:56 UTC+0000
0x5c690360         UDPv6    :::0                           *:*                                   1004     svchost.exe    2019-05-02 18:02:56 UTC+0000
0x5c6918e0         UDPv4    0.0.0.0:5355                   *:*                                   1004     svchost.exe    2019-05-02 18:02:56 UTC+0000
0x5c6918e0         UDPv6    :::5355                        *:*                                   1004     svchost.exe    2019-05-02 18:02:56 UTC+0000
0x5c692940         UDPv4    0.0.0.0:5005                   *:*                                   2464     wmpnetwk.exe   2019-05-02 18:05:14 UTC+0000
0x5c692ae0         UDPv4    0.0.0.0:5355                   *:*                                   1004     svchost.exe    2019-05-02 18:02:56 UTC+0000
0x5c7bac70         UDPv4    0.0.0.0:5004                   *:*                                   2464     wmpnetwk.exe   2019-05-02 18:05:14 UTC+0000
0x5c7bac70         UDPv6    :::5004                        *:*                                   2464     wmpnetwk.exe   2019-05-02 18:05:14 UTC+0000
0x5c7f9600         UDPv4    0.0.0.0:3702                   *:*                                   1368     svchost.exe    2019-05-02 18:03:14 UTC+0000
0x5c7f9600         UDPv6    :::3702                        *:*                                   1368     svchost.exe    2019-05-02 18:03:14 UTC+0000
0x5c44e1b0         TCPv4    0.0.0.0:5357                   0.0.0.0:0            LISTENING        4        System         
0x5c44e1b0         TCPv6    :::5357                        :::0                 LISTENING        4        System         
0x5c528010         TCPv4    0.0.0.0:445                    0.0.0.0:0            LISTENING        4        System         
0x5c528010         TCPv6    :::445                         :::0                 LISTENING        4        System         
0x5c534c60         TCPv4    0.0.0.0:49156                  0.0.0.0:0            LISTENING        504      services.exe   
0x5c534c60         TCPv6    :::49156                       :::0                 LISTENING        504      services.exe   
0x5c535010         TCPv4    0.0.0.0:49156                  0.0.0.0:0            LISTENING        504      services.exe   
0x5c6de720         TCPv4    0.0.0.0:49154                  0.0.0.0:0            LISTENING        920      svchost.exe    
0x5c6de720         TCPv6    :::49154                       :::0                 LISTENING        920      svchost.exe    
0x5c6e0df0         TCPv4    0.0.0.0:49154                  0.0.0.0:0            LISTENING        920      svchost.exe    
0x5c717460         TCPv4    0.0.0.0:49155                  0.0.0.0:0            LISTENING        512      lsass.exe      
0x5ca3ecc0         UDPv6    ::1:1900                       *:*                                   1368     svchost.exe    2019-05-02 18:05:13 UTC+0000
0x5ca452c0         UDPv6    fe80::6998:27e6:5653:fc35:1900 *:*                                   1368     svchost.exe    2019-05-02 18:05:13 UTC+0000
0x5ca4c2c0         UDPv6    fe80::1503:ac56:439f:bb6c:1900 *:*                                   1368     svchost.exe    2019-05-02 18:05:13 UTC+0000
0x5ca517c0         UDPv4    0.0.0.0:5004                   *:*                                   2464     wmpnetwk.exe   2019-05-02 18:05:14 UTC+0000
0x5ca5a7c0         UDPv4    127.0.0.1:1900                 *:*                                   1368     svchost.exe    2019-05-02 18:05:13 UTC+0000
0x5ca5d7c0         UDPv4    169.254.252.53:1900            *:*                                   1368     svchost.exe    2019-05-02 18:05:13 UTC+0000
0x5ca655a0         UDPv4    127.0.0.1:61556                *:*                                   1368     svchost.exe    2019-05-02 18:05:13 UTC+0000
0x5caa6250         UDPv4    192.168.35.2:138               *:*                                   4        System         2019-05-03 06:32:31 UTC+0000
0x5cab3010         UDPv4    192.168.35.2:137               *:*                                   4        System         2019-05-03 06:32:31 UTC+0000
0x5cab65a0         UDPv4    169.254.252.53:137             *:*                                   4        System         2019-05-03 06:32:40 UTC+0000
0x5caefec0         UDPv4    169.254.252.53:138             *:*                                   4        System         2019-05-03 06:32:40 UTC+0000
0x5c932da0         TCPv4    0.0.0.0:135                    0.0.0.0:0            LISTENING        752      svchost.exe    
0x5c948330         TCPv4    0.0.0.0:135                    0.0.0.0:0            LISTENING        752      svchost.exe    
0x5c948330         TCPv6    :::135                         :::0                 LISTENING        752      svchost.exe    
0x5c9541a0         TCPv4    0.0.0.0:49152                  0.0.0.0:0            LISTENING        416      wininit.exe    
0x5c9541a0         TCPv6    :::49152                       :::0                 LISTENING        416      wininit.exe    
0x5c954900         TCPv4    0.0.0.0:49152                  0.0.0.0:0            LISTENING        416      wininit.exe    
0x5c996bd0         TCPv4    0.0.0.0:49153                  0.0.0.0:0            LISTENING        852      svchost.exe    
0x5c996bd0         TCPv6    :::49153                       :::0                 LISTENING        852      svchost.exe    
0x5c99c180         TCPv4    0.0.0.0:49153                  0.0.0.0:0            LISTENING        852      svchost.exe    
0x5cab60e0         TCPv4    192.168.35.2:139               0.0.0.0:0            LISTENING        4        System         
0x5cab95d0         TCPv4    169.254.252.53:139             0.0.0.0:0            LISTENING        4        System         
0x5cabcdd0         TCPv4    0.0.0.0:554                    0.0.0.0:0            LISTENING        2464     wmpnetwk.exe   
0x5cdd2950         TCPv4    0.0.0.0:49155                  0.0.0.0:0            LISTENING        512      lsass.exe      
0x5cdd2950         TCPv6    :::49155                       :::0                 LISTENING        512      lsass.exe      
0x5c949290         TCPv6    -:0                            c801:b602:80fa:ffff:c801:b602:80fa:ffff:0 CLOSED           1        ?????????????? 
0x5cad94a0         TCPv6    -:49158                        ::1:2869             CLOSED           2464     wmpnetwk.exe   
0x5d5e8960         TCPv4    0.0.0.0:10243                  0.0.0.0:0            LISTENING        4        System         
0x5d5e8960         TCPv6    :::10243                       :::0                 LISTENING        4        System         
0x5d5f79c0         TCPv4    0.0.0.0:554                    0.0.0.0:0            LISTENING        2464     wmpnetwk.exe   
0x5d5f79c0         TCPv6    :::554                         :::0                 LISTENING        2464     wmpnetwk.exe   
0x5de66420         UDPv4    0.0.0.0:0                      *:*                                   688      VBoxService.ex 2019-05-02 18:11:42 UTC+0000
0x5e00dbe0         UDPv6    fe80::1503:ac56:439f:bb6c:546  *:*                                   852      svchost.exe    2019-05-02 18:10:03 UTC+0000
0x5e0e43b0         UDPv4    0.0.0.0:68                     *:*                                   852      svchost.exe    2019-05-02 18:09:56 UTC+0000
0x5e11d1b0         UDPv6    fe80::6998:27e6:5653:fc35:546  *:*                                   852      svchost.exe    2019-05-02 18:10:03 UTC+0000
0x5e2a6010         UDPv6    ::1:61555                      *:*                                   1368     svchost.exe    2019-05-02 18:05:13 UTC+0000
0x5e37e680         UDPv4    192.168.35.2:1900              *:*                                   1368     svchost.exe    2019-05-02 18:05:13 UTC+0000
0x5e354410         TCPv4    0.0.0.0:2869                   0.0.0.0:0            LISTENING        4        System         
0x5e354410         TCPv6    :::2869                        :::0                 LISTENING        4        System         
0x5e362010         TCPv6    -:2869                         ::1:49158            CLOSED           4        System 

udp:5005

Vads tag and execute protection are strong indicators of malicious processes, can you find which are they? (Pid1;Pid2;Pid3…)

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
kali@kali:~/CTFs/tryhackme/Forensics/Task 2$ vol.py -f victim.raw --profile=Win7SP1x64 malfind
Volatility Foundation Volatility Framework 2.6.1
Process: explorer.exe Pid: 1860 Address: 0x3ee0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x0000000003ee0000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x0000000003ee0010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x0000000003ee0020  00 00 ee 03 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x0000000003ee0030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................

0x0000000003ee0000 0000             ADD [EAX], AL
0x0000000003ee0002 0000             ADD [EAX], AL
0x0000000003ee0004 0000             ADD [EAX], AL
0x0000000003ee0006 0000             ADD [EAX], AL
0x0000000003ee0008 0000             ADD [EAX], AL
0x0000000003ee000a 0000             ADD [EAX], AL
0x0000000003ee000c 0000             ADD [EAX], AL
0x0000000003ee000e 0000             ADD [EAX], AL
0x0000000003ee0010 0000             ADD [EAX], AL
0x0000000003ee0012 0000             ADD [EAX], AL
0x0000000003ee0014 0000             ADD [EAX], AL
0x0000000003ee0016 0000             ADD [EAX], AL
0x0000000003ee0018 0000             ADD [EAX], AL
0x0000000003ee001a 0000             ADD [EAX], AL
0x0000000003ee001c 0000             ADD [EAX], AL
0x0000000003ee001e 0000             ADD [EAX], AL
0x0000000003ee0020 0000             ADD [EAX], AL
0x0000000003ee0022 ee               OUT DX, AL
0x0000000003ee0023 0300             ADD EAX, [EAX]
0x0000000003ee0025 0000             ADD [EAX], AL
0x0000000003ee0027 0000             ADD [EAX], AL
0x0000000003ee0029 0000             ADD [EAX], AL
0x0000000003ee002b 0000             ADD [EAX], AL
0x0000000003ee002d 0000             ADD [EAX], AL
0x0000000003ee002f 0000             ADD [EAX], AL
0x0000000003ee0031 0000             ADD [EAX], AL
0x0000000003ee0033 0000             ADD [EAX], AL
0x0000000003ee0035 0000             ADD [EAX], AL
0x0000000003ee0037 0000             ADD [EAX], AL
0x0000000003ee0039 0000             ADD [EAX], AL
0x0000000003ee003b 0000             ADD [EAX], AL
0x0000000003ee003d 0000             ADD [EAX], AL
0x0000000003ee003f 00               DB 0x0

Process: explorer.exe Pid: 1860 Address: 0x3f90000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 2, PrivateMemory: 1, Protection: 6

0x0000000003f90000  00 00 00 00 00 00 00 00 4b 5b b2 8d 2d d2 00 01   ........K[..-...
0x0000000003f90010  ee ff ee ff 00 00 00 00 28 01 f9 03 00 00 00 00   ........(.......
0x0000000003f90020  28 01 f9 03 00 00 00 00 00 00 f9 03 00 00 00 00   (...............
0x0000000003f90030  00 00 f9 03 00 00 00 00 80 00 00 00 00 00 00 00   ................

0x0000000003f90000 0000             ADD [EAX], AL
0x0000000003f90002 0000             ADD [EAX], AL
0x0000000003f90004 0000             ADD [EAX], AL
0x0000000003f90006 0000             ADD [EAX], AL
0x0000000003f90008 4b               DEC EBX
0x0000000003f90009 5b               POP EBX
0x0000000003f9000a b28d             MOV DL, 0x8d
0x0000000003f9000c 2dd20001ee       SUB EAX, 0xee0100d2
0x0000000003f90011 ff               DB 0xff
0x0000000003f90012 ee               OUT DX, AL
0x0000000003f90013 ff00             INC DWORD [EAX]
0x0000000003f90015 0000             ADD [EAX], AL
0x0000000003f90017 0028             ADD [EAX], CH
0x0000000003f90019 01f9             ADD ECX, EDI
0x0000000003f9001b 0300             ADD EAX, [EAX]
0x0000000003f9001d 0000             ADD [EAX], AL
0x0000000003f9001f 0028             ADD [EAX], CH
0x0000000003f90021 01f9             ADD ECX, EDI
0x0000000003f90023 0300             ADD EAX, [EAX]
0x0000000003f90025 0000             ADD [EAX], AL
0x0000000003f90027 0000             ADD [EAX], AL
0x0000000003f90029 00f9             ADD CL, BH
0x0000000003f9002b 0300             ADD EAX, [EAX]
0x0000000003f9002d 0000             ADD [EAX], AL
0x0000000003f9002f 0000             ADD [EAX], AL
0x0000000003f90031 00f9             ADD CL, BH
0x0000000003f90033 0300             ADD EAX, [EAX]
0x0000000003f90035 0000             ADD [EAX], AL
0x0000000003f90037 008000000000     ADD [EAX+0x0], AL
0x0000000003f9003d 0000             ADD [EAX], AL
0x0000000003f9003f 00               DB 0x0

Process: svchost.exe Pid: 1820 Address: 0x24f0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 128, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x00000000024f0000  20 00 00 00 e0 ff 07 00 0c 00 00 00 01 00 05 00   ................
0x00000000024f0010  00 42 00 50 00 30 00 70 00 60 00 00 00 00 00 00   .B.P.0.p.`......
0x00000000024f0020  48 8b 45 28 c7 00 00 00 00 00 c7 40 04 00 00 00   H.E(.......@....
0x00000000024f0030  00 48 8b 45 28 48 8d 40 08 48 89 c2 48 8b 45 20   .H.E(H.@.H..H.E.

0x00000000024f0000 2000             AND [EAX], AL
0x00000000024f0002 0000             ADD [EAX], AL
0x00000000024f0004 e0ff             LOOPNZ 0x24f0005
0x00000000024f0006 07               POP ES
0x00000000024f0007 000c00           ADD [EAX+EAX], CL
0x00000000024f000a 0000             ADD [EAX], AL
0x00000000024f000c 0100             ADD [EAX], EAX
0x00000000024f000e 0500004200       ADD EAX, 0x420000
0x00000000024f0013 50               PUSH EAX
0x00000000024f0014 0030             ADD [EAX], DH
0x00000000024f0016 007000           ADD [EAX+0x0], DH
0x00000000024f0019 60               PUSHA
0x00000000024f001a 0000             ADD [EAX], AL
0x00000000024f001c 0000             ADD [EAX], AL
0x00000000024f001e 0000             ADD [EAX], AL
0x00000000024f0020 48               DEC EAX
0x00000000024f0021 8b4528           MOV EAX, [EBP+0x28]
0x00000000024f0024 c70000000000     MOV DWORD [EAX], 0x0
0x00000000024f002a c7400400000000   MOV DWORD [EAX+0x4], 0x0
0x00000000024f0031 48               DEC EAX
0x00000000024f0032 8b4528           MOV EAX, [EBP+0x28]
0x00000000024f0035 48               DEC EAX
0x00000000024f0036 8d4008           LEA EAX, [EAX+0x8]
0x00000000024f0039 48               DEC EAX
0x00000000024f003a 89c2             MOV EDX, EAX
0x00000000024f003c 48               DEC EAX
0x00000000024f003d 8b4520           MOV EAX, [EBP+0x20]

Process: svchost.exe Pid: 1820 Address: 0x4d90000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 256, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x0000000004d90000  20 00 00 00 e0 ff 0f 00 0c 00 00 00 01 00 05 00   ................
0x0000000004d90010  00 42 00 50 00 30 00 70 00 60 00 00 00 00 00 00   .B.P.0.p.`......
0x0000000004d90020  ba fc ff ff ff 03 55 20 03 55 5c b9 04 00 1a 00   ......U..U\.....
0x0000000004d90030  4c 8b c5 ff 95 e0 37 00 00 8b 4d 24 89 08 48 8d   L.....7...M$..H.

0x0000000004d90000 2000             AND [EAX], AL
0x0000000004d90002 0000             ADD [EAX], AL
0x0000000004d90004 e0ff             LOOPNZ 0x4d90005
0x0000000004d90006 0f000c00         STR WORD [EAX+EAX]
0x0000000004d9000a 0000             ADD [EAX], AL
0x0000000004d9000c 0100             ADD [EAX], EAX
0x0000000004d9000e 0500004200       ADD EAX, 0x420000
0x0000000004d90013 50               PUSH EAX
0x0000000004d90014 0030             ADD [EAX], DH
0x0000000004d90016 007000           ADD [EAX+0x0], DH
0x0000000004d90019 60               PUSHA
0x0000000004d9001a 0000             ADD [EAX], AL
0x0000000004d9001c 0000             ADD [EAX], AL
0x0000000004d9001e 0000             ADD [EAX], AL
0x0000000004d90020 bafcffffff       MOV EDX, 0xfffffffc
0x0000000004d90025 035520           ADD EDX, [EBP+0x20]
0x0000000004d90028 03555c           ADD EDX, [EBP+0x5c]
0x0000000004d9002b b904001a00       MOV ECX, 0x1a0004
0x0000000004d90030 4c               DEC ESP
0x0000000004d90031 8bc5             MOV EAX, EBP
0x0000000004d90033 ff95e0370000     CALL DWORD [EBP+0x37e0]
0x0000000004d90039 8b4d24           MOV ECX, [EBP+0x24]
0x0000000004d9003c 8908             MOV [EAX], ECX
0x0000000004d9003e 48               DEC EAX
0x0000000004d9003f 8d               DB 0x8d

Process: wmpnetwk.exe Pid: 2464 Address: 0x280000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 16, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x0000000000280000  41 ba 80 00 00 00 48 b8 38 a1 e6 ff fe 07 00 00   A.....H.8.......
0x0000000000280010  48 ff 20 90 41 ba 81 00 00 00 48 b8 38 a1 e6 ff   H...A.....H.8...
0x0000000000280020  fe 07 00 00 48 ff 20 90 41 ba 82 00 00 00 48 b8   ....H...A.....H.
0x0000000000280030  38 a1 e6 ff fe 07 00 00 48 ff 20 90 41 ba 83 00   8.......H...A...

0x0000000000280000 41               INC ECX
0x0000000000280001 ba80000000       MOV EDX, 0x80
0x0000000000280006 48               DEC EAX
0x0000000000280007 b838a1e6ff       MOV EAX, 0xffe6a138
0x000000000028000c fe07             INC BYTE [EDI]
0x000000000028000e 0000             ADD [EAX], AL
0x0000000000280010 48               DEC EAX
0x0000000000280011 ff20             JMP DWORD [EAX]
0x0000000000280013 90               NOP
0x0000000000280014 41               INC ECX
0x0000000000280015 ba81000000       MOV EDX, 0x81
0x000000000028001a 48               DEC EAX
0x000000000028001b b838a1e6ff       MOV EAX, 0xffe6a138
0x0000000000280020 fe07             INC BYTE [EDI]
0x0000000000280022 0000             ADD [EAX], AL
0x0000000000280024 48               DEC EAX
0x0000000000280025 ff20             JMP DWORD [EAX]
0x0000000000280027 90               NOP
0x0000000000280028 41               INC ECX
0x0000000000280029 ba82000000       MOV EDX, 0x82
0x000000000028002e 48               DEC EAX
0x000000000028002f b838a1e6ff       MOV EAX, 0xffe6a138
0x0000000000280034 fe07             INC BYTE [EDI]
0x0000000000280036 0000             ADD [EAX], AL
0x0000000000280038 48               DEC EAX
0x0000000000280039 ff20             JMP DWORD [EAX]
0x000000000028003b 90               NOP
0x000000000028003c 41               INC ECX
0x000000000028003d ba               DB 0xba
0x000000000028003e 83               DB 0x83
0x000000000028003f 00               DB 0x0

1860;1820;2464

Task 3 IOC SAGA

In lats task you have identified malicious processes, so lets dig into them and find some IOC’s. you just need to find them and fill the blanks (You may search them on VirusTotal for more details :)

'www.go****.ru' (write full url without any quotation marks)

1
2
3
4
5
6
kali@kali:~/CTFs/tryhackme/Forensics/Task 3$ strings victim.raw | grep 'www.go.....ru'
www.google.ru
www.go4win.ru
www.gocaps.ru
www.goporn.ru
      <URL>http://www.google.ru/</URL>

www.goporn.ru

'www.i****.com' (write full url without any quotation marks)

1
2
3
kali@kali:~/CTFs/tryhackme/Forensics/Task 3$ strings victim.raw | grep 'www.i.....com'
http://www.iciba.com/search?s=%si
www.ikaka.com

www.ikaka.com

'www.ic******.com'

1
2
kali@kali:~/CTFs/tryhackme/Forensics/Task 3$ strings victim.raw | grep 'www.ic.......com'
www.icsalabs.com

www.icsalabs.com

202.***.233.*** (Write full IP)

1
2
kali@kali:~/CTFs/tryhackme/Forensics/Task 3$ strings victim.raw | grep '202.....233....'
202.107.233.211

202.107.233.211

***.200.**.164 (Write full IP)

1
2
kali@kali:~/CTFs/tryhackme/Forensics/Task 3$ strings victim.raw | grep '....200....164'
phttp://209.200.12.164/drm/provider_license_v7.php

209.200.12.164

209.190.***.***

1
2
kali@kali:~/CTFs/tryhackme/Forensics/Task 3$ strings victim.raw | grep '209.190........'
`http://209.190.122.186/drm/license-savenow.asp

209.190.122.186

What is an unique environmental variable of PID 2464

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
kali@kali:~/CTFs/tryhackme/Forensics/Task 3$ vol.py -f victim.raw --profile=Win7SP1x64 envars | grep 2464
Volatility Foundation Volatility Framework 2.6.1
    2464 wmpnetwk.exe         0x00000000002c47a0 ALLUSERSPROFILE                C:\ProgramData
    2464 wmpnetwk.exe         0x00000000002c47a0 APPDATA                        C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming
    2464 wmpnetwk.exe         0x00000000002c47a0 CommonProgramFiles             C:\Program Files\Common Files
    2464 wmpnetwk.exe         0x00000000002c47a0 CommonProgramFiles(x86)        C:\Program Files (x86)\Common Files
    2464 wmpnetwk.exe         0x00000000002c47a0 CommonProgramW6432             C:\Program Files\Common Files
    2464 wmpnetwk.exe         0x00000000002c47a0 COMPUTERNAME                   VICTIM-PC
    2464 wmpnetwk.exe         0x00000000002c47a0 ComSpec                        C:\Windows\system32\cmd.exe
    2464 wmpnetwk.exe         0x00000000002c47a0 FP_NO_HOST_CHECK               NO
    2464 wmpnetwk.exe         0x00000000002c47a0 LOCALAPPDATA                   C:\Windows\ServiceProfiles\NetworkService\AppData\Local
    2464 wmpnetwk.exe         0x00000000002c47a0 NUMBER_OF_PROCESSORS           1
    2464 wmpnetwk.exe         0x00000000002c47a0 OANOCACHE                      1
    2464 wmpnetwk.exe         0x00000000002c47a0 OS                             Windows_NT
    2464 wmpnetwk.exe         0x00000000002c47a0 Path                           C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\
    2464 wmpnetwk.exe         0x00000000002c47a0 PATHEXT                        .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
    2464 wmpnetwk.exe         0x00000000002c47a0 PROCESSOR_ARCHITECTURE         AMD64
    2464 wmpnetwk.exe         0x00000000002c47a0 PROCESSOR_IDENTIFIER           Intel64 Family 6 Model 42 Stepping 7, GenuineIntel
    2464 wmpnetwk.exe         0x00000000002c47a0 PROCESSOR_LEVEL                6
    2464 wmpnetwk.exe         0x00000000002c47a0 PROCESSOR_REVISION             2a07
    2464 wmpnetwk.exe         0x00000000002c47a0 ProgramData                    C:\ProgramData
    2464 wmpnetwk.exe         0x00000000002c47a0 ProgramFiles                   C:\Program Files
    2464 wmpnetwk.exe         0x00000000002c47a0 ProgramFiles(x86)              C:\Program Files (x86)
    2464 wmpnetwk.exe         0x00000000002c47a0 ProgramW6432                   C:\Program Files
    2464 wmpnetwk.exe         0x00000000002c47a0 PSModulePath                   C:\Windows\system32\WindowsPowerShell\v1.0\Modules\
    2464 wmpnetwk.exe         0x00000000002c47a0 PUBLIC                         C:\Users\Public
    2464 wmpnetwk.exe         0x00000000002c47a0 SystemDrive                    C:
    2464 wmpnetwk.exe         0x00000000002c47a0 SystemRoot                     C:\Windows
    2464 wmpnetwk.exe         0x00000000002c47a0 TEMP                           C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp
    2464 wmpnetwk.exe         0x00000000002c47a0 TMP                            C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp
    2464 wmpnetwk.exe         0x00000000002c47a0 USERDOMAIN                     WORKGROUP
    2464 wmpnetwk.exe         0x00000000002c47a0 USERNAME                       VICTIM-PC$
    2464 wmpnetwk.exe         0x00000000002c47a0 USERPROFILE                    C:\Windows\ServiceProfiles\NetworkService
    2464 wmpnetwk.exe         0x00000000002c47a0 windir                         C:\Windows
    2464 wmpnetwk.exe         0x00000000002c47a0 windows_tracing_flags          3
    2464 wmpnetwk.exe         0x00000000002c47a0 windows_tracing_logfile        C:\BVTBin\Tests\installpackage\csilogfile.log

OANOCACHE

💢 We will cover the topics#

Task 1 Volatility forensics#

Task 2 Task2#

Task 3 IOC SAGA#

💢 We will cover the topics

Task 1 Volatility forensics

Task 2 Task2

Task 3 IOC SAGA