
My Recommendations
Download it from CyberDefenders and verify the file with sha1sum:
sha1sum /path/to/c60-banking.zip
SHA1: 417688b34f7baae1c141002c0f5da56471496e07
This is my personal preference: I like being organized and deleting a folder when I’m done with it.
mkdir Documents/CyberDefenders/Emotet && cd Documents/CyberDefenders/Emotet
Volatility is all you need to solve this category:
vol.py -h
If this doesn’t work, then install it following these instructions.
Information
Category Name: DeepDive
Files: c60-banking.zip (550.6 MB)
– banking-malware.vmem (2.15 GB)
Walkthrough
1. What profile should you use for this memory sample?
Using the imageinfo plugin:
vol.py -f banking-malware.vmem imageinfo
It returns multiple profiles. We can try each one with a random plugin (like pslist) until it works. In this case, it’s Win7SP1x64_24000.
Answer: Win7SP1x64_24000
2. What is the KDBG virtual address of the memory sample?
The KDBG virtual address is also printed by the imageinfo plugin (the KDBG line of the output above):
Answer: 0xf80002bef120
3. There is a malicious process running, but it's hidden. What's its name?
To see a list of hidden processes, we can use the plugin psxview. It will tell us which processes appear in pslist/psscan.
vol.py -f banking-malware.vmem --profile=Win7SP1x64_24000 psxview
Only one process is present in one column but missing from the other: vds_ps.exe
Answer: vds_ps.exe
4. What is the physical offset of the malicious process?
In the psxview output above, the physical offset (the Offset(P) column) appears right before the process name.
Answer: 0x000000007d336950
5. What is the full path (including executable name) of the hidden executable?
Use the filescan plugin and save its output to a file, since we may need it again later. Then grep for the executable’s name:
vol.py -f banking-malware.vmem --profile=Win7SP1x64_24000 filescan > filescan.txt
grep 'vds_ps.exe' filescan.txt
There is only one matching path. If we also run the handles plugin, we can see that this same path (without the executable’s name) appears in the handles of PIDs 4, 424, 508 and 960:
vol.py -f banking-malware.vmem --profile=Win7SP1x64_24000 handles | grep 'vds_ps.exe'
Answer: C:\Users\john\AppData\Local\api-ms-win-service-management-l2-1-0\vds_ps.exe
6. Which malware is this?
Given the challenge’s name, it’s pretty obvious that it’s Emotet. To confirm it, we can dump the executable and submit its MD5 hash to VirusTotal:
mkdir malware
vol.py -f banking-malware.vmem --profile=Win7SP1x64_24000 dumpfiles -n --dump-dir=malware/ -Q 0x000000007d0035d0
md5sum malware/*
The second hash is flagged by 63 vendors on VirusTotal; the file is indeed Emotet:
Answer: emotet
7. The malicious process had two PEs injected into its memory.
What’s the size in bytes of the Vad that contains the largest injected PE? Answer in hex, like: 0xABC
Since the process is unlinked, we need to use the offset option of the malfind plugin rather than a PID. I grep directly for Pid because it gives a cleaner output:
vol.py -f banking-malware.vmem --profile=Win7SP1x64_24000 malfind --offset=0x000000007d336950 | grep Pid
This returns three addresses (0x220000, 0x2a10000 and 0x2a80000):
To find the starting and ending offsets of the Vads, we can use vadinfo:
vol.py -f banking-malware.vmem --profile=Win7SP1x64_24000 vadinfo --offset=0x000000007d336950 -a 0x220000
vol.py -f banking-malware.vmem --profile=Win7SP1x64_24000 vadinfo --offset=0x000000007d336950 -a 0x2a10000
vol.py -f banking-malware.vmem --profile=Win7SP1x64_24000 vadinfo --offset=0x000000007d336950 -a 0x2a80000
Then, to calculate the size, we subtract the Start offset from the End offset:
printf "0x%X\n" $((0x000000000023ffff - 0x0000000000220000))
#returns 0x1FFFF
printf "0x%X\n" $((0x0000000002a2cfff - 0x0000000002a10000))
#returns 0x1CFFF
printf "0x%X\n" $((0x0000000002ab6fff - 0x0000000002a80000))
#returns 0x36FFF
python3 -c 'print(0x1FFFF); print(0x1CFFF); print(0x36FFF)'
#returns 131071, 118783 and 225279
The largest VAD is the one at 0x2a80000, with a size of 0x36FFF (225279).
Answer: 0x36FFF
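The same calculation, done over vadinfo output instead of by hand, as an added example (not part of the original walkthrough). The sample text below is constructed: the Start/End values are the three from above, while the node addresses, commit charges and flags are made up. Besides the End minus Start figure the challenge asks for, it also reports the true byte count (End is the last mapped byte, so the region is one byte larger) and flags the private, executable-and-writable regions that malfind treats as injection candidates.

```python
import re

# Constructed sample of Volatility 2 "vadinfo" output for the three regions
# malfind reported above. Start/End are the values from the walkthrough; the
# node addresses, commit charges and flags are made up for this example.
VADINFO_SAMPLE = """\
VAD node @ 0xfffffa8001111110 Start 0x0000000000220000 End 0x000000000023ffff Tag VadS
Flags: CommitCharge: 32, MemCommit: 1, PrivateMemory: 1, Protection: 6
Protection: PAGE_EXECUTE_READWRITE
Vad Type: VadNone
VAD node @ 0xfffffa8002222220 Start 0x0000000002a10000 End 0x0000000002a2cfff Tag VadS
Flags: CommitCharge: 29, MemCommit: 1, PrivateMemory: 1, Protection: 6
Protection: PAGE_EXECUTE_READWRITE
Vad Type: VadNone
VAD node @ 0xfffffa8003333330 Start 0x0000000002a80000 End 0x0000000002ab6fff Tag VadS
Flags: CommitCharge: 55, MemCommit: 1, PrivateMemory: 1, Protection: 6
Protection: PAGE_EXECUTE_READWRITE
Vad Type: VadNone
"""

VAD_LINE = re.compile(
    r"VAD node @ (0x[0-9a-fA-F]+) Start (0x[0-9a-fA-F]+) End (0x[0-9a-fA-F]+) Tag (\w+)"
)


def parse_vadinfo(text):
    """Return one dict per VAD with start, end, tag, protection and both size figures."""
    vads = []
    for line in text.splitlines():
        m = VAD_LINE.match(line)
        if m:
            node, start, end, tag = m.groups()
            vads.append({"node": int(node, 16), "start": int(start, 16),
                         "end": int(end, 16), "tag": tag, "protection": None})
        elif line.startswith("Protection: ") and vads:
            # The second "Protection:" line carries the symbolic name.
            vads[-1]["protection"] = line.split(": ", 1)[1].strip()
    for v in vads:
        v["span"] = v["end"] - v["start"]   # End - Start, the figure the challenge asks for
        v["size"] = v["span"] + 1           # End is the last mapped byte: true byte count is one more
        v["pages"] = v["size"] // 0x1000    # matches the CommitCharge for fully committed regions
    return vads


def largest_vad(vads):
    """The VAD with the biggest span; ties are broken by the lowest start address."""
    return max(vads, key=lambda v: (v["span"], -v["start"]))


def injection_candidates(vads):
    """Private (VadS), executable-and-writable regions: what malfind flags as likely injected code."""
    return [v for v in vads
            if v["tag"] == "VadS" and v["protection"] == "PAGE_EXECUTE_READWRITE"]


if __name__ == "__main__":
    parsed = parse_vadinfo(VADINFO_SAMPLE)
    for v in parsed:
        print(f"0x{v['start']:x}-0x{v['end']:x} span=0x{v['span']:X} "
              f"size=0x{v['size']:x} ({v['pages']} pages) {v['protection']}")
    big = largest_vad(parsed)
    print(f"largest: 0x{big['start']:x} span 0x{big['span']:X} ({big['span']} decimal)")
```

Running it prints a span of 0x36FFF (225279) for the region at 0x2a80000, the same result as the printf lines above, and shows that all three regions are private RWX memory.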
8. This process was unlinked from the ActiveProcessLinks list.
Follow its forward link. Which process does it lead to? Answer with its name and extension
vol.py -f banking-malware.vmem --profile=Win7SP1x64_24000 psxview
I have no idea how to find a forward link, but apparently the forward link is the next process by PID. In this case, the PID after 2448 is 2616, which is SearchIndexer.exe:
Answer: SearchIndexer.exe
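To make the ActiveProcessLinks mechanics behind questions 3 and 8 concrete, here is an added example that is not part of the original walkthrough. It builds a constructed chunk of "kernel memory" holding a toy process record (not the real _EPROCESS; the record layout and the base address are assumptions) threaded on a circular doubly-linked list, then unlinks one record the way DKOM hiding does. Each Flink holds the address of the next record's ActiveProcessLinks member, so the walk subtracts the member offset to reach the record (CONTAINING_RECORD). Unlinking rewires only the neighbours, so the hidden record's own Flink still points at the process that followed it in the list, which is what the challenge asks you to follow. The PIDs and names are the ones seen in the psxview output.

```python
import struct

# Constructed toy record layout (NOT the real _EPROCESS; these offsets are assumptions):
REC_SIZE = 0x40
OFF_PID = 0x00     # ULONG UniqueProcessId
OFF_LINKS = 0x08   # _LIST_ENTRY ActiveProcessLinks { Flink, Blink }: two 8-byte pointers
OFF_NAME = 0x18    # char[24] ImageFileName, NUL padded (assumed width)
NAME_LEN = 24
BASE = 0xFFFFFA8000000000  # assumed kernel virtual address of the list head


def read_links(mem, rec):
    return struct.unpack_from("<QQ", mem, rec - BASE + OFF_LINKS)


def write_links(mem, rec, flink, blink):
    struct.pack_into("<QQ", mem, rec - BASE + OFF_LINKS, flink, blink)


def read_proc(mem, rec):
    (pid,) = struct.unpack_from("<I", mem, rec - BASE + OFF_PID)
    (raw,) = struct.unpack_from(f"{NAME_LEN}s", mem, rec - BASE + OFF_NAME)
    return pid, raw.rstrip(b"\0").decode()


def build_memory(procs):
    """Lay out a list head followed by one record per (pid, name) and thread a
    circular doubly-linked list through them, as PsActiveProcessHead does."""
    mem = bytearray(REC_SIZE * (len(procs) + 1))
    ring = [BASE + REC_SIZE * i for i in range(len(procs) + 1)]  # ring[0] is the head
    for i, node in enumerate(ring):
        nxt = ring[(i + 1) % len(ring)]
        prv = ring[(i - 1) % len(ring)]
        # Flink/Blink hold the address of the neighbour's ActiveProcessLinks
        # member, not of the record itself.
        write_links(mem, node, nxt + OFF_LINKS, prv + OFF_LINKS)
    for (pid, name), node in zip(procs, ring[1:]):
        struct.pack_into("<I", mem, node - BASE + OFF_PID, pid)
        struct.pack_into(f"{NAME_LEN}s", mem, node - BASE + OFF_NAME, name.encode())
    return mem, BASE


def walk_active_list(mem, head):
    """pslist analogue: follow Flink from the head until it comes back round."""
    out = []
    flink, _ = read_links(mem, head)
    while flink - OFF_LINKS != head:      # CONTAINING_RECORD: member address -> record address
        rec = flink - OFF_LINKS
        out.append(read_proc(mem, rec))
        flink, _ = read_links(mem, rec)
    return out


def scan_records(mem, head):
    """psscan analogue: ignore the list entirely and inspect every record slot."""
    found = []
    for off in range(REC_SIZE, len(mem), REC_SIZE):
        pid, name = read_proc(mem, BASE + off)
        if pid:
            found.append((pid, name))
    return found


def hidden_processes(mem, head):
    """psxview analogue: present in the scan but absent from the list walk."""
    listed = set(walk_active_list(mem, head))
    return [p for p in scan_records(mem, head) if p not in listed]


def unlink(mem, rec):
    """DKOM hiding: the neighbours are rewired to skip the record, while the
    record's own Flink/Blink are left untouched."""
    flink, blink = read_links(mem, rec)
    prev_rec, next_rec = blink - OFF_LINKS, flink - OFF_LINKS
    _, prev_blink = read_links(mem, prev_rec)
    write_links(mem, prev_rec, flink, prev_blink)
    next_flink, _ = read_links(mem, next_rec)
    write_links(mem, next_rec, next_flink, blink)


def follow_flink(mem, rec):
    """Resolve the record's (stale) Flink to the process that followed it in the list."""
    flink, _ = read_links(mem, rec)
    return read_proc(mem, flink - OFF_LINKS)


if __name__ == "__main__":
    mem, head = build_memory([(4, "System"), (424, "smss.exe"),
                              (2448, "vds_ps.exe"), (2616, "SearchIndexer.exe")])
    vds = head + 3 * REC_SIZE                # third record after the head
    unlink(mem, vds)
    print("pslist :", walk_active_list(mem, head))
    print("psscan :", scan_records(mem, head))
    print("hidden :", hidden_processes(mem, head))
    print("Flink  :", follow_flink(mem, vds))
```

After the unlink, the list walk shows three processes, the scan still finds four, the difference is vds_ps.exe, and following its Flink lands on SearchIndexer.exe. In a real image the same pointer chase is done in volshell against the kernel address space, because Flink values are virtual addresses.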
9. What is the pooltag of the malicious process in ascii?
(HINT: use volshell)
Using volshell:
vol.py -f banking-malware.vmem --profile=Win7SP1x64_24000 volshell
#In the shell:
dt("_POOL_HEADER", 0x000000007d336950-0x60, space=addrspace().base)
Now we just need to convert the value:
import binascii
hex(1416573010)  # the PoolTag value shown by dt, as hex: 0x546f3052
binascii.unhexlify('546f3052')[::-1]  # the tag is a little-endian ULONG, so reverse the bytes
Answer: R0ot
10. What is the physical address of the hidden executable's pooltag?
(HINT: use volshell)
vol.py -f banking-malware.vmem --profile=Win7SP1x64_24000 volshell
#In the shell:
dt("_POOL_HEADER", 0x000000007d336950, space=addrspace().base)
The physical address of the pool header is 0x7D336950, and the PoolTag member sits at offset 0x4 from the start of the header. Adding the two gives the physical address of the pooltag:
0x4 + 0x7D336950 = 0x7D336954
Answer: 0x7D336954
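The pool-header decoding used in questions 9 and 10, written out as an added example that is not part of the original walkthrough. It parses a constructed 16-byte Win7 x64 _POOL_HEADER (the layout in the comments is the one the walkthrough relies on: the tag at +0x4), turns the integer PoolTag into its ASCII form without the hex/unhexlify/reverse dance, honours the high "protected pool" bit, and computes the tag's physical address from the header's. Applied to the value 1416573010 read above, the decoder yields R0oT (byte 0x54 is an uppercase T).

```python
import struct

# Win7 x64 _POOL_HEADER as used here (16 bytes; the tag sits at +0x4, which is
# why the walkthrough adds 0x4 to the header's physical address):
#   +0x0  ULONG  PreviousSize:8 | PoolIndex:8 | BlockSize:8 | PoolType:8
#   +0x4  ULONG  PoolTag
#   +0x8  PVOID  ProcessBilled
POOL_TAG_OFFSET = 0x4
POOL_BLOCK_GRANULARITY = 0x10      # block sizes are stored in 16-byte units on x64
PROTECTED_POOL = 0x80000000        # high bit of the tag flags a protected allocation


def decode_pool_tag(value):
    """Render the integer PoolTag that volshell prints as its four ASCII bytes.
    The ULONG is little-endian, so the low byte is the first character.
    Returns (tag, protected)."""
    protected = bool(value & PROTECTED_POOL)
    raw = struct.pack("<I", value & 0x7FFFFFFF)
    return raw.decode("latin-1"), protected


def parse_pool_header(buf, hdr_off):
    """Decode a _POOL_HEADER at hdr_off inside buf (a bytes-like chunk of physical memory)."""
    packed, tag_value, billed = struct.unpack_from("<IIQ", buf, hdr_off)
    tag, protected = decode_pool_tag(tag_value)
    return {
        "previous_size": (packed & 0xFF) * POOL_BLOCK_GRANULARITY,
        "pool_index": (packed >> 8) & 0xFF,
        "block_size": ((packed >> 16) & 0xFF) * POOL_BLOCK_GRANULARITY,
        "pool_type": (packed >> 24) & 0xFF,   # raw field value, left uninterpreted
        "tag": tag,
        "protected": protected,
        "process_billed": billed,
    }


def pool_tag_physical_address(header_paddr):
    """Physical address of the PoolTag member, given the header's physical address."""
    return header_paddr + POOL_TAG_OFFSET


# Constructed 16-byte header: PreviousSize 0, PoolIndex 0, BlockSize 6 units (0x60),
# PoolType 2 (arbitrary), tag 0x546f3052 (the value read in the walkthrough).
SAMPLE_HEADER = struct.pack("<IIQ", (2 << 24) | (6 << 16), 0x546F3052, 0)


if __name__ == "__main__":
    print(parse_pool_header(SAMPLE_HEADER, 0))
    print(decode_pool_tag(1416573010))
    print(hex(pool_tag_physical_address(0x7D336950)))
```

The protected bit matters in practice: a tag read straight from memory can carry 0x80 in its last byte, which would otherwise decode to a non-ASCII character and make the tag look unfamiliar when grepping against a pooltag list.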
TLDR
– This is a difficult memory forensics challenge, as it requires (IMO) a deep understanding of memory pages and their structures.
– Volshell is very useful in many contexts; to learn more, I recommend reading the Volatility 2 documentation.