BankingTroubles - Memory Image Forensics

What was the local IP address for the victim's machine?

$ volatility -f Bob.vmem imageinfo
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace (/home/hnl/Desktop/ctf/cyberdefenders/banking-trouble/Bob.vmem)
                      PAE type : PAE
                           DTB : 0x319000L
                          KDBG : 0x80544ce0L
          Number of Processors : 1
     Image Type (Service Pack) : 2
                KPCR for CPU 0 : 0xffdff000L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2010-02-27 20:12:38 UTC+0000
     Image local date and time : 2010-02-27 15:12:38 -0500

$ volatility -f Bob.vmem --profile=WinXPSP2x86 connections
Volatility Foundation Volatility Framework 2.6
Offset(V)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x81c6a9f0 192.168.0.176:1176        212.150.164.203:80        888
0x82123008 192.168.0.176:1184        193.104.22.71:80          880
0x81cd4270 192.168.0.176:2869        192.168.0.1:30379         1244
0x81e41108 127.0.0.1:1168            127.0.0.1:1169            888
0x8206ac58 127.0.0.1:1169            127.0.0.1:1168            888
0x82108890 192.168.0.176:1178        212.150.164.203:80        1752
0x82210440 192.168.0.176:1185        193.104.22.71:80          880
0x8207ac58 192.168.0.176:1171        66.249.90.104:80          888
0x81cef808 192.168.0.176:2869        192.168.0.1:30380         4
0x81cc57c0 192.168.0.176:1189        192.168.0.1:9393          1244
0x8205a448 192.168.0.176:1172        66.249.91.104:80          888

What was the OS variable value?

$ volatility -f Bob.vmem --profile=WinXPSP2x86 envars | more
Volatility Foundation Volatility Framework 2.6
Pid      Process              Block      Variable                       Value
-------- -------------------- ---------- ------------------------------ -----
     548 smss.exe             0x00100000 CommonProgramFiles             
     548 smss.exe             0x00100000 Path                           C:\WINDOWS\System32
     548 smss.exe             0x00100000 ProgramFiles                   
     548 smss.exe             0x00100000 SystemDrive                    C:
     548 smss.exe             0x00100000 SystemRoot                     C:\WINDOWS
     612 csrss.exe            0x00100000 ComSpec                        C:\WINDOWS\system32\cmd.exe
     612 csrss.exe            0x00100000 FP_NO_HOST_CHECK               NO
     612 csrss.exe            0x00100000 NUMBER_OF_PROCESSORS           1
     612 csrss.exe            0x00100000 OS                             Windows_NT
     612 csrss.exe            0x00100000 Path                           C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
     612 csrss.exe            0x00100000 PATHEXT                        .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
     612 csrss.exe            0x00100000 PROCESSOR_ARCHITECTURE         x86
     612 csrss.exe            0x00100000 PROCESSOR_IDENTIFIER           x86 Family 6 Model 26 Stepping 5, GenuineIntel
     612 csrss.exe            0x00100000 PROCESSOR_LEVEL                6
     612 csrss.exe            0x00100000 PROCESSOR_REVISION             1a05
     612 csrss.exe            0x00100000 SystemDrive                    C:
     612 csrss.exe            0x00100000 SystemRoot                     C:\WINDOWS
     612 csrss.exe            0x00100000 TEMP                           C:\WINDOWS\TEMP
     612 csrss.exe            0x00100000 TMP                            C:\WINDOWS\TEMP
     612 csrss.exe            0x00100000 windir                         C:\WINDOWS
     644 winlogon.exe         0x00010000 ALLUSERSPROFILE                C:\Documents and Settings\All Users
     644 winlogon.exe         0x00010000 APPDATA                        C:\Documents and Settings\Administrator\Application Data
     644 winlogon.exe         0x00010000 CommonProgramFiles             C:\Program Files\Common Files
     644 winlogon.exe         0x00010000 COMPUTERNAME                   BOB-DCADFEDC55C
     644 winlogon.exe         0x00010000 ComSpec                        C:\WINDOWS\system32\cmd.exe
     644 winlogon.exe         0x00010000 FP_NO_HOST_CHECK               NO
     644 winlogon.exe         0x00010000 LOGONSERVER                    \\BOB-DCADFEDC55C

What was the Administrator's password?

$ volatility -f Bob.vmem --profile=WinXPSP2x86 hashdump > hash.txt
Volatility Foundation Volatility Framework 2.6
Administrator:500:<redacted>:::

$ hashcat -m 100 hash.txt /usr/share/wordlists/rockyou.txt --force

Which process was most likely responsible for the initial exploit?

$ volatility -f Bob.vmem --profile=WinXPSP2x86 pslist
Volatility Foundation Volatility Framework 2.6
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit                          
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c8830 System                    4      0     58      573 ------      0                                                              
0x81f04228 smss.exe                548      4      3       21 ------      0 2010-02-26 03:34:02 UTC+0000                                 
0x822eeda0 csrss.exe               612    548     12      423      0      0 2010-02-26 03:34:04 UTC+0000                                 
0x81e5b2e8 winlogon.exe            644    548     21      521      0      0 2010-02-26 03:34:04 UTC+0000                                 
0x82256da0 services.exe            688    644     16      293      0      0 2010-02-26 03:34:05 UTC+0000                                 
0x82129da0 lsass.exe               700    644     22      416      0      0 2010-02-26 03:34:06 UTC+0000                                 
0x81d3f020 vmacthlp.exe            852    688      1       35      0      0 2010-02-26 03:34:06 UTC+0000                                 
0x82266870 svchost.exe             880    688     28      340      0      0 2010-02-26 03:34:07 UTC+0000                                 
0x822e1da0 svchost.exe             948    688     10      276      0      0 2010-02-26 03:34:07 UTC+0000                                 
0x822ea020 svchost.exe            1040    688     83     1515      0      0 2010-02-26 03:34:07 UTC+0000                                 
0x81dea020 svchost.exe            1100    688      6       96      0      0 2010-02-26 03:34:07 UTC+0000                                 
0x81de55f0 svchost.exe            1244    688     19      239      0      0 2010-02-26 03:34:08 UTC+0000                                 
0x81dde568 spoolsv.exe            1460    688     11      129      0      0 2010-02-26 03:34:10 UTC+0000                                 
0x821018b0 vmtoolsd.exe           1628    688      5      220      0      0 2010-02-26 03:34:25 UTC+0000                                 
0x81ddd8d0 VMUpgradeHelper        1836    688      4      108      0      0 2010-02-26 03:34:34 UTC+0000                                 
0x820d6b88 alg.exe                2024    688      7      130      0      0 2010-02-26 03:34:35 UTC+0000                                 
0x81cdd790 explorer.exe           1756   1660     14      345      0      0 2010-02-26 03:34:38 UTC+0000                                 
0x81ca96f0 VMwareTray.exe         1108   1756      1       59      0      0 2010-02-26 03:34:39 UTC+0000                                 
0x820cd5c8 VMwareUser.exe         1116   1756      4      179      0      0 2010-02-26 03:34:39 UTC+0000                                 
0x81cee5f8 wscntfy.exe            1132   1040      1       38      0      0 2010-02-26 03:34:40 UTC+0000                                 
0x82333620 msiexec.exe             244    688      5      181      0      0 2010-02-26 03:46:06 UTC+0000                                 
0x81ce1af8 msiexec.exe             452    244      0 --------      0      0 2010-02-26 03:46:07 UTC+0000   2010-02-26 03:46:28 UTC+0000  
0x81c80c78 wuauclt.exe             440   1040      8      188      0      0 2010-02-27 19:48:49 UTC+0000                                 
0x8221a020 wuauclt.exe             232   1040      4      136      0      0 2010-02-27 19:49:11 UTC+0000                                 
0x82068020 firefox.exe             888   1756      9      172      0      0 2010-02-27 20:11:53 UTC+0000                                 
0x820618c8 AcroRd32.exe           1752    888      8      184      0      0 2010-02-27 20:12:23 UTC+0000                                 
0x82209640 svchost.exe            1384    688      9      101      0      0 2010-02-27 20:12:36 UTC+0000

What is the extension of the malicious file retrieved from the process responsible for the initial exploit?

AcroRd32.exe is an executable file required to run Adobe Acrobat Reader in a computer. It is an important component needed to view pdf documents.

Suspicious processes opened network connections to external IPs. Provide the two external IP addresses. (comma-separated without spaces, ascending)

$ volatility -f Bob.vmem --profile=WinXPSP2x86 connections
Volatility Foundation Volatility Framework 2.6
Offset(V)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x81c6a9f0 192.168.0.176:1176        212.150.164.203:80        888
0x82123008 192.168.0.176:1184        193.104.22.71:80          880
0x81cd4270 192.168.0.176:2869        192.168.0.1:30379         1244
0x81e41108 127.0.0.1:1168            127.0.0.1:1169            888
0x8206ac58 127.0.0.1:1169            127.0.0.1:1168            888
0x82108890 192.168.0.176:1178        212.150.164.203:80        1752
0x82210440 192.168.0.176:1185        193.104.22.71:80          880
0x8207ac58 192.168.0.176:1171        66.249.90.104:80          888
0x81cef808 192.168.0.176:2869        192.168.0.1:30380         4
0x81cc57c0 192.168.0.176:1189        192.168.0.1:9393          1244
0x8205a448 192.168.0.176:1172        66.249.91.104:80          888

A suspicious URL was present in process svchost.exe memory. Provide the full URL that points to a PHP page hosted over a public IP (no FQDN).

# We see svchost.exe PID
volatility -f Bob.vmem --profile=WinXPSP2x86 pslist

# We dump these process. Here is an example
volatility -f Bob.vmem --profile=WinXPSP2x86 memdump -p 880 --dump-dir=./dump

# We grep all of the http from these file, but we dont see nothing
strings * | grep -Eo "(http|https)://[a-zA-Z0-9./?=_%:-]*" | sort -u

# Finally, I decided to grep ip from Question Number 6.
strings * | grep "http://193.104.22.71/"

Extract files from the initial process. One file has an MD5 hash ending with "528afe08e437765cc. When was this file first submitted for analysis on VirusTotal?

$ volatility -f Bob.vmem --profile=WinXPSP2x pslist
Volatility Foundation Volatility Framework 2.6
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit                          
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c8830 System                    4      0     58      573 ------      0                                                              
0x81f04228 smss.exe                548      4      3       21 ------      0 2010-02-26 03:34:02 UTC+0000                                 
0x822eeda0 csrss.exe               612    548     12      423      0      0 2010-02-26 03:34:04 UTC+0000                                 
0x81e5b2e8 winlogon.exe            644    548     21      521      0      0 2010-02-26 03:34:04 UTC+0000                                 
0x82256da0 services.exe            688    644     16      293      0      0 2010-02-26 03:34:05 UTC+0000                                 
0x82129da0 lsass.exe               700    644     22      416      0      0 2010-02-26 03:34:06 UTC+0000                                 
0x81d3f020 vmacthlp.exe            852    688      1       35      0      0 2010-02-26 03:34:06 UTC+0000                                 
0x82266870 svchost.exe             880    688     28      340      0      0 2010-02-26 03:34:07 UTC+0000                                 
0x822e1da0 svchost.exe             948    688     10      276      0      0 2010-02-26 03:34:07 UTC+0000                                 
0x822ea020 svchost.exe            1040    688     83     1515      0      0 2010-02-26 03:34:07 UTC+0000                                 
0x81dea020 svchost.exe            1100    688      6       96      0      0 2010-02-26 03:34:07 UTC+0000                                 
0x81de55f0 svchost.exe            1244    688     19      239      0      0 2010-02-26 03:34:08 UTC+0000                                 
0x81dde568 spoolsv.exe            1460    688     11      129      0      0 2010-02-26 03:34:10 UTC+0000                                 
0x821018b0 vmtoolsd.exe           1628    688      5      220      0      0 2010-02-26 03:34:25 UTC+0000                                 
0x81ddd8d0 VMUpgradeHelper        1836    688      4      108      0      0 2010-02-26 03:34:34 UTC+0000                                 
0x820d6b88 alg.exe                2024    688      7      130      0      0 2010-02-26 03:34:35 UTC+0000                                 
0x81cdd790 explorer.exe           1756   1660     14      345      0      0 2010-02-26 03:34:38 UTC+0000                                 
0x81ca96f0 VMwareTray.exe         1108   1756      1       59      0      0 2010-02-26 03:34:39 UTC+0000                                 
0x820cd5c8 VMwareUser.exe         1116   1756      4      179      0      0 2010-02-26 03:34:39 UTC+0000                                 
0x81cee5f8 wscntfy.exe            1132   1040      1       38      0      0 2010-02-26 03:34:40 UTC+0000                                 
0x82333620 msiexec.exe             244    688      5      181      0      0 2010-02-26 03:46:06 UTC+0000                                 
0x81ce1af8 msiexec.exe             452    244      0 --------      0      0 2010-02-26 03:46:07 UTC+0000   2010-02-26 03:46:28 UTC+0000  
0x81c80c78 wuauclt.exe             440   1040      8      188      0      0 2010-02-27 19:48:49 UTC+0000                                 
0x8221a020 wuauclt.exe             232   1040      4      136      0      0 2010-02-27 19:49:11 UTC+0000                                 
0x82068020 firefox.exe             888   1756      9      172      0      0 2010-02-27 20:11:53 UTC+0000                                 
0x820618c8 AcroRd32.exe           1752    888      8      184      0      0 2010-02-27 20:12:23 UTC+0000                                 
0x82209640 svchost.exe            1384    688      9      101      0      0 2010-02-27 20:12:36 UTC+0000

# we dump AcroRd32.exe from process                             
hnl@hnl-Inspiron-5468:~/Desktop/ctf/cyberdefenders/banking-trouble$ volatility -f Bob.vmem --profile=WinXPSP2x86 memdump -p 1752 --dump-dir=./dump
Volatility Foundation Volatility Framework 2.6
************************************************************************
Writing AcroRd32.exe [  1752] to 1752.dmp

# Let's extract some of the contents from this dump file
$ foremost 1752.dmp

# You will see all of the extracted data from this dump files. Our main process is AcroRd32.exe and it open the document files (PDF). So, our main purpose will be 'PDF' folder.
$ ls
audit.txt  bmp  dll  exe  gif  htm  jar  jpg  ole  pdf  png  zip
$ cd pdf/

# Question  said our suspicious file md5 hash is end with 528afe08e437765cc . You will see this hash with '00601560.pdf' name.
$ md5sum *
4c1d41459dc5b476394ceb06471dd1f8  00445397.pdf
4c1d41459dc5b476394ceb06471dd1f8  00446730.pdf
1873297b6b3702817a760f95187236bc  00579981.pdf
1873297b6b3702817a760f95187236bc  00585184.pdf
1873297b6b3702817a760f95187236bc  00600544.pdf
70ebcd37c81e49858b8946ba49eb44b5  00600928.pdf
f32aa81676c7391528afe08e437765cc  00601560.pdf

# And then upload in virus total. You will see first submit date in Details tab.

What was the PID of the process that loaded the file PDF.php?

0x820618c8 AcroRd32.exe           1752    888      8      184      0      0 2010-02-27 20:12:23 UTC+0000

The JS includes a function meant to hide the call to function eval(). Provide the name of that function.

# We will use peepdf tool. Finally, you will see javascript function name
$ git clone https://github.com/jesparza/peepdf.git
$ echo 'extract js > all-javascripts-from-my.pdf' > extract.txt
$ peepdf.py -l -f -s extract.txt ../00601560.pdf
$ cat all-javascripts-from-my.pdf

The payload includes 3 shellcodes for different versions of Acrobat reader. Provide the function name that corresponds to Acrobat v9.

js malware.js
cat shellcode.js

Process winlogon.exe hosted a popular malware that was first submitted for analysis at VirusTotal on 2010-03-29 11:34:01. Provide the MD5 hash of that malware.

$ volatility -f Bob.vmem --profile=WinXPSP2x86 malfind -p 644 -D ./malfind
$ cd malfind/
$ md5sum *
a713f24caea9f219ee4c4b8c780fc3b2  process.0x81e5b2e8.0x24990000.dmp
baa16a4a537f2a13f99dd8a065ae8c92  process.0x81e5b2e8.0x26200000.dmp
f59c1246231631494ac73e61b9dfeb4c  process.0x81e5b2e8.0x42e60000.dmp
8e77e4e4b8f10c6122693a88e9da4d31  process.0x81e5b2e8.0x7a330000.dmp
61467d672b45dc64ca4f5dc919c8826f  process.0x81e5b2e8.0x7fc00000.dmp
066---------31db4b----------5269  process.0x81e5b2e8.0xa10000.dmp

What is the name of the malicious executable referenced in registry hive '\WINDOWS\system32\config\software', and is variant of ZeuS trojan?

$ volatility -f Bob.vmem --profile=WinXPSP2x86 hivelist

# Dump all registry
$ volatility -f Bob.vmem --profile=WinXPSP2x86 dumpregistry --dump-dir=./registrydump

# Question said '\WINDOWS\system32\config\software'. So, Let analyse registry.0xe1526748.software.reg. I opened in Regisry Explorer.
# Let find winlogon registry path by googling,

The shellcode for Acrobat v7 downloads a file named e.exe from a specific URL. Provide the URL.

js shellcode.js
ghex <logfilename.log>

The shellcode for Acrobat v8 exploits a specific vulnerability. Provide the CVE number.

python jsunpack-n.py -v 00601560.pdf

PreviousMemory Forensics NextDumpMe - Memory Image Forensics

Last updated 4 years ago