
Information
Category Name: DumpMe
Files: c47-Imposter.zip 1.2 GB
– Triage-Memory.mem 5.37 GB
My Recommendations
Download it from CyberDefenders and verify the file with sha1sum:
sha1sum /path/to/c47-Imposter.zip
SHA1: 70f1bafca632f7518cb0a0ee126246b040247b37
This is my personal preference, I like being organized and deleting a folder when I’m done with it.
mkdir Documents/CyberDefenders/DumpMe && cd Documents/CyberDefenders/DumpMe
Volatility is all you need to solve this category:
vol.py -h
If this doesn’t work, then install it following these instructions.
Walkthrough
1. What is the SHA1 hash of Triage-Memory.mem (memory dump)?
sha1sum Triage-Memory.mem
Answer: c95e8cc8c946f95a109ea8e47a6800de10a27abd
2. What volatility profile is the most appropriate for this machine? (ex: Win10x86_14393)
vol.py -f Triage-Memory.mem imageinfo
Usually the first suggested profile works:
Answer: Win7SP1x64
3. What was the process ID of notepad.exe?
vol.py -f Triage-Memory.mem --profile=Win7SP1x64 pslist | grep "notepad.exe"
Piping the output to grep saves looking through all processes; the output above shows the process ID (PID) is 3032.
Answer: 3032
4. Name the child process of wscript.exe.
vol.py -f Triage-Memory.mem --profile=Win7SP1x64 pstree
We can see that wscript.exe has a child process, UWkpjFjDzM.exe, which in turn has a child process of its own: cmd.exe.
Answer: UWkpjFjDzM.exe
5. What was the IP address of the machine at the time the RAM dump was created?
In question 2, the imageinfo plugin displayed the date and time of the image – 2019-03-22 05:46:00 UTC+0000. To find the IP address of the machine, we can use the netscan plugin:
vol.py -f Triage-Memory.mem --profile=Win7SP1x64 netscan
Answer: 10.0.0.101
6. Based on the answer regarding the infected PID, can you determine the IP of the attacker?
vol.py -f Triage-Memory.mem --profile=Win7SP1x64 netscan
Using the same plugin as before, one entry shows an IP address on the listening port 4444, which is Metasploit’s default port!
Answer: 10.0.0.106
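As an added example (not part of the original walkthrough), a Python parser for netscan's text output that answers questions 5 and 6 mechanically: it recovers the machine's own address and flags any socket using a framework default port such as 4444. The sample output, offsets, addresses, PIDs and process names are constructed, not the challenge's real data.

```python
import re
from collections import Counter

# Constructed sample in the column layout of Volatility 2's netscan output; the
# offsets, addresses, PIDs and process names are made up, not the challenge's real data.
SAMPLE_NETSCAN = """\
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x7d6f9a10         TCPv4    192.0.2.25:49160               198.51.100.7:4444    ESTABLISHED      1234     unknown.exe
0x7d7a2c40         UDPv4    0.0.0.0:5355                   *:*                                   1072     svchost.exe    2019-01-01 00:00:00 UTC+0000
0x7d7b1e80         TCPv4    192.0.2.25:139                 0.0.0.0:0            LISTENING        4        System
0x7d7c3f00         TCPv4    192.0.2.25:49170               203.0.113.9:443      ESTABLISHED      2468     browser.exe
0x7d7d5010         TCPv6    ::1:49171                      ::1:135              ESTABLISHED      2468     browser.exe
"""

# Offset, protocol, local, foreign, optional state (empty for UDP), pid, owner.
ROW = re.compile(r"^(0x[0-9a-f]+)\s+(TCPv[46]|UDPv[46])\s+(\S+)\s+(\S+)\s+"
                 r"(?:([A-Z_]+)\s+)?(\d+)\s+(\S+)")

def split_addr(addr):
    """'10.0.0.1:4444' -> ('10.0.0.1', 4444); '*:*' -> ('*', None)."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)

def parse_netscan(text):
    """One dict per socket row; the header line and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        lhost, lport = split_addr(m.group(3))
        fhost, fport = split_addr(m.group(4))
        rows.append({"proto": m.group(2), "lhost": lhost, "lport": lport,
                     "fhost": fhost, "fport": fport, "state": m.group(5) or "",
                     "pid": int(m.group(6)), "owner": m.group(7)})
    return rows

def host_ip(rows):
    """The machine's own address: the most common local host that is not a wildcard or loopback."""
    ips = Counter(r["lhost"] for r in rows
                  if r["lhost"] not in ("0.0.0.0", "::", "*", "127.0.0.1", "::1"))
    return ips.most_common(1)[0][0] if ips else None

SUSPECT_PORTS = {4444}  # Metasploit's default handler port, as the walkthrough notes

def suspect_connections(rows, ports=SUSPECT_PORTS):
    """Rows whose local or foreign port is a known framework default: (pid, owner, peer host, peer port)."""
    return [(r["pid"], r["owner"], r["fhost"], r["fport"])
            for r in rows if r["fport"] in ports or r["lport"] in ports]
```

Run against real output with `vol.py ... netscan > netscan.txt` and `parse_netscan(open("netscan.txt").read())`; the PID returned by suspect_connections is the one to pivot on for questions 8 and 16.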
7. How many processes are associated with VCRUNTIME140.dll?
vol.py -f Triage-Memory.mem --profile=Win7SP1x64 dlllist | grep VCRUNTIME140
In total, five processes are associated with VCRUNTIME140.dll:
Answer: 5
8. After dumping the infected process, what is its md5 hash?
The potential malware is the executable from question 4, which has PID 3496. Use the procdump plugin to extract it:
vol.py -f Triage-Memory.mem --profile=Win7SP1x64 procdump -D ./ -p 3496
Then run md5sum on the dumped executable to get its hash:
md5sum executable.3496.exe
# returns 690ea20bc3bdfb328e23005d9a80c290
Answer: 690ea20bc3bdfb328e23005d9a80c290
9. What is the LM hash of Bob's account?
vol.py -f Triage-Memory.mem --profile=Win7SP1x64 hashdump
This is the fastest way to get the LM hashes of all users on the machine (the value below is the well-known hash of an empty LM password, which is what hashdump shows when LM hashes are not stored):
Answer: aad3b435b51404eeaad3b435b51404ee
10. What memory protection constants does the VAD node at 0xfffffa800577ba10 have?
Using the vadinfo plugin and grepping for the VAD node:
vol.py -f Triage-Memory.mem --profile=Win7SP1x64 vadinfo | grep "0xfffffa800577ba10" -A 10
Answer: PAGE_READONLY
11. What memory protection did the VAD starting at 0x00000000033c0000 and ending at 0x00000000033dffff have?
vol.py -f Triage-Memory.mem --profile=Win7SP1x64 vadinfo | grep "0x00000000033c0000" -A 10
This outputs several VAD nodes starting at 0x00000000033c0000, but only one ending at 0x00000000033dffff:
Answer: PAGE_NOACCESS
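As an added example, not from the original walkthrough: a Python parser for vadinfo's text output that resolves questions 10 and 11 by node address or by start and end address (several nodes can share a start address, so the end address disambiguates) and also flags private read-write-execute regions, which an analyst checks for injected code. The sample output, PIDs and node addresses are constructed; only the start, end and protection of the question 11 region come from the page.

```python
import re

# Constructed sample in the layout of Volatility 2's vadinfo output. The PIDs, node
# addresses and the first two regions are made up; only the start, end and protection
# of the 0x33c0000-0x33dffff region are taken from question 11.
SAMPLE_VADINFO = """\
************************************************************************
Pid:   1234
VAD node @ 0xfffffa8000aa0010 Start 0x00000000033c0000 End 0x00000000033fffff Tag VadS
Flags: CommitCharge: 4, PrivateMemory: 1, Protection: 4
Protection: PAGE_READWRITE
Vad Type: VadNone
VAD node @ 0xfffffa8000bb0020 Start 0x0000000000400000 End 0x000000000041ffff Tag VadS
Flags: CommitCharge: 32, PrivateMemory: 1, Protection: 6
Protection: PAGE_EXECUTE_READWRITE
Vad Type: VadNone
************************************************************************
Pid:   5678
VAD node @ 0xfffffa8000cc0030 Start 0x00000000033c0000 End 0x00000000033dffff Tag VadS
Flags: CommitCharge: 0, PrivateMemory: 1, Protection: 0
Protection: PAGE_NOACCESS
Vad Type: VadNone
"""

NODE = re.compile(r"^VAD node @ (0x[0-9a-f]+) Start (0x[0-9a-f]+) End (0x[0-9a-f]+) Tag (\S+)")

def parse_vadinfo(text):
    """One dict per VAD node, tagged with the PID of the process section it appears under."""
    nodes, pid, cur = [], None, None
    for line in text.splitlines():
        if line.startswith("Pid:"):
            pid, cur = int(line.split()[1]), None
            continue
        m = NODE.match(line)
        if m:
            cur = {"pid": pid, "node": int(m[1], 16), "start": int(m[2], 16),
                   "end": int(m[3], 16), "tag": m[4], "protection": None, "private": False}
            nodes.append(cur)
        elif cur and line.startswith("Protection: PAGE_"):  # the symbolic line, not the Flags line
            cur["protection"] = line.split(": ", 1)[1].strip()
        elif cur and line.startswith("Flags:"):
            cur["private"] = "PrivateMemory: 1" in line
    return nodes

def find_vads(nodes, node=None, start=None, end=None):
    """Nodes matching every criterion given; with only a start address several may match."""
    return [n for n in nodes
            if (node is None or n["node"] == node)
            and (start is None or n["start"] == start)
            and (end is None or n["end"] == end)]

def rwx_private(nodes):
    """Private regions that are both writable and executable, a common sign of injected code."""
    return [n for n in nodes if n["private"] and n["protection"] == "PAGE_EXECUTE_READWRITE"]
```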
12. There was a VBS script that ran on the machine. What is the name of the script? (submit without file extension)
vol.py -f Triage-Memory.mem --profile=Win7SP1x64 cmdline
With the cmdline plugin we can see the command line each process was launched with:
wscript.exe executed a .vbs file.
Answer: vhjReUDEuumrX
13. An application was run at 2019-03-07 23:06:58 UTC. What is the name of the program? (Include extension)
vol.py -f Triage-Memory.mem --profile=Win7SP1x64 timeliner | grep "2019-03-07 23:06:58" -B 5 -A 5
This plugin is slow, so I recommend working on the next questions while it runs. Here’s the grepped output:
Answer: Skype.exe
14. What was written in notepad.exe at the time when the memory dump was captured?
First we need the PID of notepad.exe, which question 3 already gave us: 3032.
To find the contents, I followed these instructions. There are other ways to do it, but this worked well for me. It dumps every memory region (VAD) of notepad.exe. To make the result easily searchable, we run strings over each dumped file (with -e l, since notepad keeps its text as UTF-16LE) and redirect the output to a single text file:
mkdir vads
vol.py -f Triage-Memory.mem --profile=Win7SP1x64 vaddump -p 3032 -D vads
strings -e l vads/* > vadsall.txt
In memory, we can look for contents of notepad files by searching for this string:
“Would you like to save the %% file non-transactionally?”
grep "Would you like to save" -A 10 vadsall.txt
There are two matches, and the second one contains the flag!
Answer: REDBULL_IS_LIFE
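As an added example, not from the original post: a Python version of the `strings -e l` plus grep step above, which extracts UTF-16LE strings from a dumped region and returns the strings that follow the notepad save-prompt marker. The sample buffer and its text are constructed.

```python
import re

MARKER = "Would you like to save"  # the prompt string the walkthrough greps for

def utf16le_strings(data, min_len=4):
    """Equivalent of `strings -e l`: runs of printable UTF-16LE characters, in buffer order."""
    # a printable ASCII low byte followed by a 0x00 high byte, at least min_len times
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pattern.finditer(data)]

def notepad_text(data, after=MARKER, count=10):
    """The strings following each marker hit, like `grep -A 10`; one list per hit."""
    strs = utf16le_strings(data)
    return [strs[i + 1:i + 1 + count] for i, s in enumerate(strs) if after in s]

def build_sample():
    """Constructed VAD contents: junk bytes around UTF-16LE text, as a dumped notepad region might look."""
    junk = b"\x00\xff\x12\x34" * 8  # never forms a run of 4 printable UTF-16LE chars
    return (junk
            + "Would you like to save the %% file non-transactionally?".encode("utf-16-le")
            + junk
            + "constructed note: backup keys rotated".encode("utf-16-le")
            + junk
            + b"plain 8-bit text that strings -e l would skip"
            + junk)
```

On real dumps, call `notepad_text(open(path, "rb").read())` on each file in the vads directory; each hit is returned separately, which is how the two matches above are told apart.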
15. What is the short name of the file at file record 59045?
To find the name, we need to parse the MFT:
vol.py -f Triage-Memory.mem --profile=Win7SP1x64 mftparser > mft.dmp
strings mft.dmp | grep "Record Number: 59045" -B 10 -A 20
The first $FILE_NAME entry is the short name of the file: EMPLOY~1.xls
Answer: EMPLOY~1.xls
16. This box was exploited and is running meterpreter. What was the infected PID?
Submitting the MD5 hash from question 8 to VirusTotal confirms the executable is a trojan. The infected PID is 3496!
Answer: 3496
TLDR
– This is a great memory forensics challenge which can be solved using Volatility 2.
– Many plugins come into play, such as vadinfo, mftparser, hashdump and cmdline.