Forensics (Warm Up)
Category: Forensics
Challenge: Warm Up
Points: 100
We are given a .zip file that contains challenge.raw file. Since this is a memory image file, I decided to use volatility tools for this challenge.
It worked! I get a suggested profile and confirmed that this is a memory image file.
Now let’s start solving the questions:
Number 1: What is the hostname of the source of this memory image?
For this one, I dump the hives to get the offset where we will get the hostname:
Then I dump the registry key where the hostname is revealed.
Question number 2, 3, and 4 has the same goal which is to get the password of the users.
What is the password of user Le?
What is the password of user Li?
What is the password of user S?
I’m interested in the 2 offsets: SYSTEM (-y) and SAM (-s)
I use crackstation.net, an online password hash cracker to crack the password. I was able to crack the first user and the others.
Now let’s proceed to Number 5, 6, and 7 which needs the IP Address and port of backdoor listening on.
What is the attacker’s IP address?
What is the victim’s IP address?
Which port is the backdoor listening on?
I run connections
and connscan
but it seems the profile does not support this command so I look for other solutions and found that we need to run netscan
command. From there, I get the IP Address of the Attacker and Victim and port which is the backdoor listening on.
Now let’s proceed to questions Number 8 to 13, which takes me longer to solve. I won’t discuss the other steps I tried here. I’ll just go straight to the right solution. Since we are looking for malware I run pslist
and pstree
command. pstree
uses the same technique as pslist
but the result is based on the parent-child relationship between the processes.
For example, here we can see that nc64.exe
started cmd.exe
which in turn started the instances of lsass.exe
and svchost.exe.
So we search for commands and can be done using thecmdline
Analysis:
The attacker run
nc64.exe
Download the
lsass.exe
and the path is located atC:\Users\samael\lsass.exe
Execute the
lsass.exe
that's running on pid1952
to downloadsvchost.exe
located atC:\Users\samael\svchost.exe
Execute the
svchost.exe
that's running on pid2972
, the file is mimikatz upon analysis
I assume the lsass.exe
is malware. I dump a process’s executable by using the procdump
command and uploaded it to the virustotal.com. Few AV detected this as malware.
I use memdump
, a simple analysis of these files can be done by using the “strings”, we are looking for a relation between the piece of information already retrieved from the dump (especially the opened TCP connection towards the 10.163.7.130
IP)
strings 1952.dmp | grep -Fi “10.163.7.130” -C 5
Look what I found, So it seems lsass.exe
processes is to download a new file svchost.exe
I suspected that this file is malware. I run procdump
again on pid 2972
and uploaded it to virustotal.com and look what I found?! Its mimikatz!!!
So now I identify all process name of malware running in lower and higher pid and the path.
Number 8: lsass.exe
Number 9: 1952
Number 10: svchost.exe
Number 11: 2972
Number 12:C:\Users\samael\lsass.exe
Number 13:C:\Users\samael\svchost.exe
Now we combine all the results and run md5sum
printf ‘%s’ “RC-MINIONS~darklighter~97sunfire~poisonthewell~10.163.7.130~10.163.7.100~5900~lsass.exe~1952~svchost.exe~2972~C:\Users\samael\lsass.exe~C:\Users\samael\svchost.exe” | md5sum
Voila!!!
rc14{81cd8971d7cdbf45d2cdf4c90fbaa339}
Conclusion
I would like to thanks my teammates (Sai and Chris). Thanks also to ROOTCON and PWN DE MANILA for the challenge.
I hope you guys enjoyed reading this write-up!
For references, you may look into these links:
Volatility Command Reference — https://github.com/volatilityfoundation/volatility/wiki/Command-Reference
Last updated