My Recommendations
Download it from CyberDefenders and verify it with:
sha1sum /path/to/c82-NintendoHunt.zip
#SHA1SUM: 10a91fab515c69d18decef394a3b200524471e6f
vol3 -f memdump.mem windows.info.Info
which gives us the information really quickly:
vol.py --info | grep 1713
#Win10x64_17134 - A Profile for Windows 10 x64 (10.0.17134.1 / 2018-04-11)
#Win10x86_17134 - A Profile for Windows 10 x86 (10.0.17134.1 / 2018-04-11)
From the scan above, we know that the machine is 64 bit, so the first profile is the correct one.
Walkthrough
With time, I find myself using volatility2 less and less; I only use it if Volatility3 really fails at doing something. Although the site recommends volatility2, I personally think it’s way too slow and should be used only for certain plugins/features the Python 3 version doesn’t have, especially since the file is over 5 GB!
1. What is the process ID of the currently running malicious process?
Using the good old pslist plugin to get an overview.
vol3 -f memdump.mem windows.pslist.PsList
There are a lot, lot, lot of processes, but this is definitely not normal:
svchost.exe is a system process, and it definitely shouldn’t be called svchost.exe.exe. On top of that, it shares the same parent PID as many other processes. We can filter again for PID 4824:
vol3 -f memdump.mem windows.pslist.PsList | grep 4824
PID 4824 is Explorer, so that is definitely not normal. All the processes running under it have stopped running before the acquisition. We can filter again for the ones that were still running (no ExitTime recorded):
vol3 -f memdump.mem windows.pslist.PsList | grep 4824 | grep -F 'N/A'
Five processes. This time, we can narrow it down to be sure by dumping the executables.
vol3 -f memdump.mem windows.pslist.PsList --pid 6268 --dump
vol3 -f memdump.mem windows.pslist.PsList --pid 3372 --dump
vol3 -f memdump.mem windows.pslist.PsList --pid 2200 --dump
vol3 -f memdump.mem windows.pslist.PsList --pid 3884 --dump
vol3 -f memdump.mem windows.pslist.PsList --pid 8560 --dump
mkdir dmps
mv *dmp dmps/
md5sum dmps/*
None of the hashes are known to VirusTotal except the last one, which is flagged as not malicious and is supposedly sublime_text.exe. However, a sandbox report marks it as highly suspicious, so this must be the evil process indeed.
Answer: 8560
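The triage done by hand above (spotting a doubled extension, listing the children of one parent, keeping only the ones with no exit time) as a small POSIX shell script. This is an added example, not code from the original walkthrough, and it runs on a constructed pslist-style listing with trimmed columns (PID, PPID, ImageFileName, ExitTime); real `windows.pslist.PsList` output has more columns, so the awk field numbers would need adjusting before pointing it at real output. It also adds one check the walkthrough does not use, the parent of every svchost.exe, which on a healthy system is services.exe.

```shell
#!/bin/sh
# Added example: triage helpers for a pslist-style listing.
# Constructed sample with trimmed columns (PID PPID ImageFileName ExitTime);
# the PIDs and names below are invented, not taken from the memory image.
# Real `windows.pslist.PsList` output has more columns (offset, threads,
# handles, session, wow64, create time, ...), so adjust the awk field
# numbers before using these on real output.
SAMPLE_PSLIST='PID PPID ImageFileName ExitTime
4 0 System N/A
800 4 wininit.exe N/A
1200 800 services.exe N/A
1900 1200 winlogon.exe N/A
2001 1900 explorer.exe N/A
3001 2001 OneDrive.exe N/A
3002 2001 svchost.exe.exe N/A
3003 2001 notepad.exe 2022-01-01 10:00:00.000000
3004 2001 sublime_text.exe N/A
3005 1200 svchost.exe N/A
3006 2001 svchost.exe N/A'

# Print PIDs whose image name carries a doubled extension
# (svchost.exe.exe, invoice.pdf.exe, ...). Windows hides known extensions
# by default, which is why this trick keeps working. Reads the listing on stdin.
double_ext_procs() {
  awk 'NR > 1 && tolower($3) ~ /\.(exe|com|scr|dll|pdf|doc|txt)\.(exe|com|scr)$/ { print $1 }'
}

# Print PIDs of children of the given parent PID that have no ExitTime
# recorded, i.e. were still running when the image was taken.
live_children() {
  awk -v p="$1" 'NR > 1 && $2 == p && $4 == "N/A" { print $1 }'
}

# Print PIDs of svchost.exe instances whose parent is not services.exe.
# A genuine svchost.exe is started by services.exe; anything else deserves a look.
svchost_bad_parent() {
  awk '
    NR > 1 { name[$1] = $3; ppid[$1] = $2 }
    END {
      for (p in name)
        if (tolower(name[p]) == "svchost.exe" && tolower(name[ppid[p]]) != "services.exe")
          print p
    }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_PSLIST" | double_ext_procs
printf '%s\n' "$SAMPLE_PSLIST" | live_children 2001
printf '%s\n' "$SAMPLE_PSLIST" | svchost_bad_parent
```

On the sample, the first helper reports 3002 (the svchost.exe.exe), the second lists the four live children of the explorer.exe stand-in, and the third flags 3006, an svchost.exe whose parent is explorer.exe rather than services.exe.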
2. What is the md5 hash hidden in the malicious process memory?
What we dumped previously was the executable. To dump the process’s actual memory pages, we need another plugin:
vol3 -f memdump.mem windows.memmap.Memmap --pid 8560 --dump
strings -a -el pid.8560.dmp > pid.8560.dmp.txt
strings pid.8560.dmp >> pid.8560.dmp.txt
HONESTLY, I hate these types of questions, because I think without context they have no purpose but to waste time :(. Anyway, after a super frustrating search, here’s what I found:
echo 'M2ExOTY5N2YyOTA5NWJjMjg5YTk2ZTQ1MDQ2Nzk2ODA=' | base64 -d
#3a19697f29095bc289a96e4504679680
Answer: 3a19697f29095bc289a96e4504679680
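The search above boils down to "find base64 blobs in the strings dump and see which decode to something MD5-shaped". The helper below automates that; it is an added example, not part of the original post. It reads text (such as the strings output written above) on stdin, decodes every base64-looking token, and prints the ones that decode to exactly 32 lowercase hex digits. The sample dump is constructed; the only value in it taken from the page is the base64 string found above.

```shell
#!/bin/sh
# Added example: scan a `strings` dump for base64 tokens that decode to
# something MD5-shaped (32 lowercase hex characters).
# Constructed sample dump; only the base64 line in the middle is the real
# value from the write-up, the rest is filler.
SAMPLE_STRINGS='C:\Windows\System32\kernel32.dll
SGVsbG8gV29ybGQ=
VGhpcyBpcyBub3QgYSBoYXNoIGF0IGFsbA==
config=M2ExOTY5N2YyOTA5NWJjMjg5YTk2ZTQ1MDQ2Nzk2ODA=
https://example.invalid/update?v=1'

# Reads text on stdin. For every token that looks like base64 (24+ characters
# of the base64 alphabet plus optional padding) it decodes the token and
# prints the result if it is exactly 32 hex digits. Tokens that fail to
# decode, or decode to binary or non-hex text, are silently skipped.
find_b64_md5() {
  grep -Eo '[A-Za-z0-9+/]{24,}={0,2}' | sort -u | while IFS= read -r tok; do
    decoded=$(printf '%s' "$tok" | base64 -d 2>/dev/null | tr -d '\000\n')
    case "$decoded" in
      *[!0-9a-f]*) ;;    # contains something other than lowercase hex
      *) if [ ${#decoded} -eq 32 ]; then printf '%s\n' "$decoded"; fi ;;
    esac
  done
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_STRINGS" | find_b64_md5
```

Pipe the real dump through it with `find_b64_md5 < pid.8560.dmp.txt`; the 24-character minimum keeps short incidental matches (ordinary words, short paths) out of the decode loop, and a 32-hex-digit string always encodes to 44 base64 characters, so a genuine hit is never shorter than that.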
3. What is the process name of the malicious process parent?
We figured this out at the beginning; it’s explorer.
Answer: explorer.exe
4. What is the MAC address of this machine's default gateway?
We need to look into the registry. I HATE checking the registry in volatility, so I usually dump the hives and check them with RegRipper.
vol3 -f memdump.mem windows.registry.hivelist.HiveList --dump
rip.pl -r registry.SOFTWARE.0xd38985eb3000.hive -p networklist
echo '00-50-56-FE-D8-07' | tr '-' ':'
Answer: 00:50:56:FE:D8:07
5. What is the name of the file that is hidden in the alternative data stream?
Let’s use the filescan plugin and search for potential files containing ‘:’ (which is an indicator of an alternative data stream).
vol3 -f memdump.mem windows.filescan.FileScan > filescan.txt
cat filescan.txt | grep -F ':'
#nothing
strings memdump.mem | grep -F ':' | grep -F '.txt' > matches
strings -a -el memdump.mem | grep -F ':' | grep -F '.txt' >> matches
Scroll, scroll, scroll and... multiple strings for ‘\Device\HarddiskVolume3\Users\CTF\Desktop\test.txt:yes.txt’
Answer: yes.txt
6. What is the full path of the browser cache created when the user visited "www.13cubed.com" ?
Well, this is relatively easy. Usually, browsers create directories named after the website for cache/cookies. We can use the output of the filescan plugin and grep for 13cubed:
cat filescan.txt | grep 13cubed
#芰謍펉㩐譾펉TF\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\IQDBNKYD\13cubed_logo[1].png
So there’s some sort of decoding issue happening. From the filescan output, I saw that the username is CTF, so the answer must start with Users\CTF. BUT, that’s the wrong answer lol, too good to be true.
Obviously, the question was asking for something more specific: what path was created when the user visited the site. This means it’s asking about when the user first visited the site. This data is kept in the MFT:
vol3 -f memdump.mem windows.mftscan.MFTScan > mft.txt
cat mft.txt | grep -i 13cubed
Aaaaaand this is another time Volatility3 proves not to be up to its predecessor. The plugin returns the filename only, no full paths. We’re gonna have to take the L and use vol2 🙁
vol.py -f memdump.mem --profile=Win10x64_17134 mftparser > mft.txt
cat mft.txt | grep -i 13cubed
The first one has an earlier modification/creation date than the second one:
Answer: C:\Users\CTF\AppData\Local\Packages\MICROS~1.MIC\AC\#!001\MICROS~1\Cache\AHF2COV9\13cubed[1].htm
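Two helpers for the last two questions, added here as an example rather than taken from the original post. `find_ads` does what the grep for ‘:’ in question 5 did, but only looks at the final path component, so it reports the host file and the stream name separately. `mft_full_path` does the part Volatility3’s mftscan left out in question 6: rebuilding a full path by following each MFT record’s parent reference (the parent MFT reference is stored in the record’s $FILE_NAME attribute) up to the root directory, which is record 5 and its own parent. Both sample inputs are constructed, the record numbers are invented, and the drive letter is assumed because the MFT does not store it.

```shell
#!/bin/sh
# Added example, not from the original post: two small helpers for the
# last two questions. Both sample inputs below are constructed.

# Constructed filescan-style paths (not the image's real filescan output).
SAMPLE_FILESCAN='\Device\HarddiskVolume3\Windows\System32\ntdll.dll
\Device\HarddiskVolume3\Users\CTF\Desktop\notes.txt
\Device\HarddiskVolume3\Users\CTF\Desktop\test.txt:yes.txt
\Device\HarddiskVolume3\Users\CTF\Downloads\setup.exe:Zone.Identifier'

# Reads paths on stdin and prints "host_file<TAB>stream_name" for every path
# whose last component contains ':' (NTFS alternate data stream syntax).
# Zone.Identifier is the common benign case (Mark of the Web); anything
# else deserves a look.
find_ads() {
  while IFS= read -r path; do
    last=${path##*\\}      # strip everything up to and including the final backslash
    case "$last" in
      *:*) printf '%s\t%s\n' "${last%%:*}" "${last#*:}" ;;
    esac
  done
}

# Constructed MFT records in the form "record parent name", one per line,
# standing in for the record number, parent reference and name parsed from
# each record's $FILE_NAME attribute. Record 5 is the NTFS root directory
# and is its own parent, which is what ends the walk.
SAMPLE_MFT='5 5 .
64 5 Users
70 64 CTF
71 70 AppData
72 71 Local
80 72 Cache
81 80 13cubed[1].htm
90 5 Windows
91 90 notepad.exe'

# Usage: mft_full_path <record number>   (records on stdin; names must not
# contain spaces in this toy format). The drive letter is not stored in the
# MFT, so the "C:" prefix is an assumption for display only. The hop limit
# guards against corrupted records that form a cycle.
mft_full_path() {
  awk -v target="$1" '
    { parent[$1] = $2; name[$1] = $3 }
    END {
      path = ""; rec = target; hops = 0
      while ((rec in parent) && parent[rec] != rec && hops++ < 256) {
        path = "\\" name[rec] path
        rec = parent[rec]
      }
      print "C:" path
    }'
}

# Stand-alone run over the constructed samples.
printf '%s\n' "$SAMPLE_FILESCAN" | find_ads
printf '%s\n' "$SAMPLE_MFT" | mft_full_path 81
```

On the samples, `find_ads` reports test.txt with stream yes.txt and setup.exe with stream Zone.Identifier, and `mft_full_path 81` walks 81 → 80 → 72 → 71 → 70 → 64 → 5 and prints C:\Users\CTF\AppData\Local\Cache\13cubed[1].htm. An orphaned record whose parent is missing from the input simply stops the walk early, so the printed path is then relative to wherever the chain broke.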
