CyberDefenders — DumpMe
Memory Forensics Walkthrough
Today I am going to complete a memory forensics challenge published in CyberDefenders.
One of the SOC analysts took a memory dump from a machine infected with a meterpreter malware. As a Digital Forensicators, your job is to analyze the dump, extract the available indicators of compromise (IOCs) and answer the provided questions.
#1. What is the SHA1 hash of triage.mem (memory dump)?
This is pretty straightforward. We can simply run the shasum command on the triage image and obtain the answer.
#2. What volatility profile is the most appropriate for this machine? (ex: Win10x86_14393)
The Volatility profile can be found using kdbgscan on the image.
#3. What was the process ID of notepad.exe?
To determine the process ID of notepad, we can list the running processes at the time of memory capture and figure out the process ID.
This will give us the running processes and scrolling down below, we can see the process ID of notepad.exe.
#4. Name the child process of wscript.exe.
Volatility comes with a lot of plugins to make our life easier. pstree is another handy plugin that lists the processes in the parent-child structure.
There is another process below wscript.exe that is running as its child process.
#5. What was the IP address of the machine at the time the RAM dump was created?
The trick I used here is to look for network connections that have been established with this machine.
We can clearly see the IP address of the system.
#6. Based on the answer regarding the infected PID, can you determine the IP of the attacker?
Among all the established network connections, UWkpjFjDzM.exe looks to be the suspicious one. Further, we can see the IP address of the attacker on port 4444.
#7. How many processes are associated with VCRUNTIME140.dll?
We can use the dlllist plugin to list all the DLLs of the processes and grep that with VCRUNTIME140.dll to get the number of processes that are associated with that DLL. Here, the number is 5.
#8. After dumping the infected process, what is its md5 hash?
We have already found out about the infected process. We can use procdump on the process ID of UWkpjFjDzM.exe to dump the process and find out the md5 hash.
Let us now find the md5 hash of this dump.
#9. What is the LM hash of Bob’s account?
All of the user account-related information is stored in registry hives. There are useful plugins to traverse the hives and one of them is hashdump.
Volatility you beauty. One plugin got the job done.
#10. What memory protection constants does the VAD node at 0xfffffa800577ba10 have?
To obtain the VAD information of any memory image, we can use the vadinfo plugin.
We can see the memory protection as PAGE_READONLY.
#11. What memory protection did the VAD starting at 0x00000000033c0000 and ending at 0x00000000033dffff have?
Let me use the same above command and look for one of the memory addresses and compare the ending to find out the correct memory protection.
The memory protection starting at 0x00000000033c0000 and ending at 0x00000000033dffff is PAGE_NOACCESS.
#12. There was a VBS script that ran on the machine. What is the name of the script? (submit without file extension)
The approach that I took for this question is to look at all the commands that had been executed and a handy plugin for this is cmdline.
This will also give us the command line parameter for all the processes that can come in handy.
Scrolling the output, we will see this vbs script being run and this must be the answer.
#13. An application was run at 2019–03–07 23:06:58 UTC. What is the name of the program? (Include extension)
I got stuck in this question for quite a bit. I found the following link useful for solving it. https://www.andreafortuna.org/2017/10/16/amcache-and-shimcache-in-forensic-analysis/
Basically, Shimcache will keep track of any program’s modification time within the system and record the timestamps.
Volatility has another impressive plugin to find the process which was last modified.
There we have it, the application is Skype.exe.
#14. What was written in notepad.exe at the time when the memory dump was captured?
To figure out what was written in notepad.exe, let me firstly dump its memory and use strings to figure out if I can see any recognizable text.
There is the dump, now I can look for strings.
This command does the trick for me and the answer has to be flag<REDBULL_IS_LIFE>
#15. What is the short name of the file at file record 59045?
I have got no idea what the short name of the file is. However, I do know that most of the information about the files in the NTFS filesystem is stored in the Master File Table.
There is a plugin called mftparser that might help us here.
Let me search the file with that record number.
There it is.
#16. This box was exploited and is running meterpreter. What was the infected PID?
We know that the machine has a malicious process that is running with the name UWkpjFjDzM.exe
Going through the process listing, I got the PID.
Overall, this is a really fun challenge to try out especially if you are getting started with memory forensics and volatility. Let me know if you found this walkthrough useful.