BankingTroubles - Memory Image Forensics
What was the local IP address for the victim's machine?
$ volatility -f Bob.vmem imageinfo
Volatility Foundation Volatility Framework 2.6
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
AS Layer1 : IA32PagedMemoryPae (Kernel AS)
AS Layer2 : FileAddressSpace (/home/hnl/Desktop/ctf/cyberdefenders/banking-trouble/Bob.vmem)
PAE type : PAE
DTB : 0x319000L
KDBG : 0x80544ce0L
Number of Processors : 1
Image Type (Service Pack) : 2
KPCR for CPU 0 : 0xffdff000L
KUSER_SHARED_DATA : 0xffdf0000L
Image date and time : 2010-02-27 20:12:38 UTC+0000
Image local date and time : 2010-02-27 15:12:38 -0500
$ volatility -f Bob.vmem --profile=WinXPSP2x86 connections
Volatility Foundation Volatility Framework 2.6
Offset(V) Local Address Remote Address Pid
---------- ------------------------- ------------------------- ---
0x81c6a9f0 192.168.0.176:1176 212.150.164.203:80 888
0x82123008 192.168.0.176:1184 193.104.22.71:80 880
0x81cd4270 192.168.0.176:2869 192.168.0.1:30379 1244
0x81e41108 127.0.0.1:1168 127.0.0.1:1169 888
0x8206ac58 127.0.0.1:1169 127.0.0.1:1168 888
0x82108890 192.168.0.176:1178 212.150.164.203:80 1752
0x82210440 192.168.0.176:1185 193.104.22.71:80 880
0x8207ac58 192.168.0.176:1171 66.249.90.104:80 888
0x81cef808 192.168.0.176:2869 192.168.0.1:30380 4
0x81cc57c0 192.168.0.176:1189 192.168.0.1:9393 1244
0x8205a448 192.168.0.176:1172 66.249.91.104:80 888
Every non-loopback socket has 192.168.0.176 as its local address, so that is the victim's IP; 192.168.0.1 on the far end of the port 2869 pairs is the gateway (2869 is Windows' UPnP device host port). Note that the connections plugin only walks the live TCP connection list; on XP the connscan plugin carves for _TCPT_OBJECT structures and also surfaces closed or unlinked connections, so it is worth running as a cross-check.
What was the OS variable value?
$ volatility -f Bob.vmem --profile=WinXPSP2x86 envars | more
Volatility Foundation Volatility Framework 2.6
Pid Process Block Variable Value
-------- -------------------- ---------- ------------------------------ -----
548 smss.exe 0x00100000 CommonProgramFiles
548 smss.exe 0x00100000 Path C:\WINDOWS\System32
548 smss.exe 0x00100000 ProgramFiles
548 smss.exe 0x00100000 SystemDrive C:
548 smss.exe 0x00100000 SystemRoot C:\WINDOWS
612 csrss.exe 0x00100000 ComSpec C:\WINDOWS\system32\cmd.exe
612 csrss.exe 0x00100000 FP_NO_HOST_CHECK NO
612 csrss.exe 0x00100000 NUMBER_OF_PROCESSORS 1
612 csrss.exe 0x00100000 OS Windows_NT
612 csrss.exe 0x00100000 Path C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
612 csrss.exe 0x00100000 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
612 csrss.exe 0x00100000 PROCESSOR_ARCHITECTURE x86
612 csrss.exe 0x00100000 PROCESSOR_IDENTIFIER x86 Family 6 Model 26 Stepping 5, GenuineIntel
612 csrss.exe 0x00100000 PROCESSOR_LEVEL 6
612 csrss.exe 0x00100000 PROCESSOR_REVISION 1a05
612 csrss.exe 0x00100000 SystemDrive C:
612 csrss.exe 0x00100000 SystemRoot C:\WINDOWS
612 csrss.exe 0x00100000 TEMP C:\WINDOWS\TEMP
612 csrss.exe 0x00100000 TMP C:\WINDOWS\TEMP
612 csrss.exe 0x00100000 windir C:\WINDOWS
644 winlogon.exe 0x00010000 ALLUSERSPROFILE C:\Documents and Settings\All Users
644 winlogon.exe 0x00010000 APPDATA C:\Documents and Settings\Administrator\Application Data
644 winlogon.exe 0x00010000 CommonProgramFiles C:\Program Files\Common Files
644 winlogon.exe 0x00010000 COMPUTERNAME BOB-DCADFEDC55C
644 winlogon.exe 0x00010000 ComSpec C:\WINDOWS\system32\cmd.exe
644 winlogon.exe 0x00010000 FP_NO_HOST_CHECK NO
644 winlogon.exe 0x00010000 LOGONSERVER \\BOB-DCADFEDC55C
The OS variable is Windows_NT. It is a system-wide variable, so it appears in csrss.exe's block above and is inherited by every process started later; piping envars into grep -w OS is faster than paging through the whole listing.
What was the Administrator's password?
$ volatility -f Bob.vmem --profile=WinXPSP2x86 hashdump | tee hash.txt
Volatility Foundation Volatility Framework 2.6
Administrator:500:<redacted>:::
hashdump prints pwdump-style lines, user:RID:LM hash:NT hash:::. hashcat does not parse that layout and mode 100 is SHA-1, not NTLM, so cut out the NT hash (fourth field) and crack it with mode 1000:
$ cut -d: -f4 hash.txt > nt.txt
$ hashcat -m 1000 nt.txt /usr/share/wordlists/rockyou.txt --force
On XP the LM hash (third field) is normally stored too; cracking it with -m 3000 is much faster because it is case-insensitive and split into two 7-character halves, after which the NT hash only has to be used to recover the case.
Which process was most likely responsible for the initial exploit?
$ volatility -f Bob.vmem --profile=WinXPSP2x86 pslist
Volatility Foundation Volatility Framework 2.6
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c8830 System 4 0 58 573 ------ 0
0x81f04228 smss.exe 548 4 3 21 ------ 0 2010-02-26 03:34:02 UTC+0000
0x822eeda0 csrss.exe 612 548 12 423 0 0 2010-02-26 03:34:04 UTC+0000
0x81e5b2e8 winlogon.exe 644 548 21 521 0 0 2010-02-26 03:34:04 UTC+0000
0x82256da0 services.exe 688 644 16 293 0 0 2010-02-26 03:34:05 UTC+0000
0x82129da0 lsass.exe 700 644 22 416 0 0 2010-02-26 03:34:06 UTC+0000
0x81d3f020 vmacthlp.exe 852 688 1 35 0 0 2010-02-26 03:34:06 UTC+0000
0x82266870 svchost.exe 880 688 28 340 0 0 2010-02-26 03:34:07 UTC+0000
0x822e1da0 svchost.exe 948 688 10 276 0 0 2010-02-26 03:34:07 UTC+0000
0x822ea020 svchost.exe 1040 688 83 1515 0 0 2010-02-26 03:34:07 UTC+0000
0x81dea020 svchost.exe 1100 688 6 96 0 0 2010-02-26 03:34:07 UTC+0000
0x81de55f0 svchost.exe 1244 688 19 239 0 0 2010-02-26 03:34:08 UTC+0000
0x81dde568 spoolsv.exe 1460 688 11 129 0 0 2010-02-26 03:34:10 UTC+0000
0x821018b0 vmtoolsd.exe 1628 688 5 220 0 0 2010-02-26 03:34:25 UTC+0000
0x81ddd8d0 VMUpgradeHelper 1836 688 4 108 0 0 2010-02-26 03:34:34 UTC+0000
0x820d6b88 alg.exe 2024 688 7 130 0 0 2010-02-26 03:34:35 UTC+0000
0x81cdd790 explorer.exe 1756 1660 14 345 0 0 2010-02-26 03:34:38 UTC+0000
0x81ca96f0 VMwareTray.exe 1108 1756 1 59 0 0 2010-02-26 03:34:39 UTC+0000
0x820cd5c8 VMwareUser.exe 1116 1756 4 179 0 0 2010-02-26 03:34:39 UTC+0000
0x81cee5f8 wscntfy.exe 1132 1040 1 38 0 0 2010-02-26 03:34:40 UTC+0000
0x82333620 msiexec.exe 244 688 5 181 0 0 2010-02-26 03:46:06 UTC+0000
0x81ce1af8 msiexec.exe 452 244 0 -------- 0 0 2010-02-26 03:46:07 UTC+0000 2010-02-26 03:46:28 UTC+0000
0x81c80c78 wuauclt.exe 440 1040 8 188 0 0 2010-02-27 19:48:49 UTC+0000
0x8221a020 wuauclt.exe 232 1040 4 136 0 0 2010-02-27 19:49:11 UTC+0000
0x82068020 firefox.exe 888 1756 9 172 0 0 2010-02-27 20:11:53 UTC+0000
0x820618c8 AcroRd32.exe 1752 888 8 184 0 0 2010-02-27 20:12:23 UTC+0000
0x82209640 svchost.exe 1384 688 9 101 0 0 2010-02-27 20:12:36 UTC+0000
The last three rows tell the story. firefox.exe (888) starts at 20:11:53, spawns AcroRd32.exe (1752, PPID 888) at 20:12:23, and a brand-new svchost.exe (1384) appears at 20:12:36, two seconds before the capture. A legitimate svchost does sit under services.exe (688), but the other five were all started at boot the day before; one appearing right after a browser-launched PDF reader is the drive-by pattern. AcroRd32.exe is therefore the process most likely responsible for the initial exploit. (explorer.exe's missing parent, PID 1660, is not suspicious on its own: on XP that is normally userinit.exe, which exits after launching the shell.)
What is the extension of the malicious file retrieved from the process responsible for the initial exploit?
AcroRd32.exe is Adobe Reader's main executable, whose job is rendering PDF documents. The file Firefox handed to it was therefore a .pdf, which is the extension the question is after; the carving step further down confirms it by pulling the document itself out of the process memory.
Suspicious processes opened network connections to external IPs. Provide the two external IP addresses. (comma-separated without spaces, ascending)
$ volatility -f Bob.vmem --profile=WinXPSP2x86 connections
(full output is in the first question; the rows with a remote address outside the LAN are)
0x81c6a9f0 192.168.0.176:1176 212.150.164.203:80 888
0x82123008 192.168.0.176:1184 193.104.22.71:80 880
0x82108890 192.168.0.176:1178 212.150.164.203:80 1752
0x82210440 192.168.0.176:1185 193.104.22.71:80 880
0x8207ac58 192.168.0.176:1171 66.249.90.104:80 888
0x8205a448 192.168.0.176:1172 66.249.91.104:80 888
Four external hosts appear. The two 66.249.x addresses belong to Google and are contacted only by firefox.exe (888), which is ordinary browsing. 212.150.164.203 is reached by firefox.exe and by the AcroRd32.exe it spawned (1752), and 193.104.22.71 by svchost.exe (880), a service host that has no business talking to a random web server. Those two are the suspicious ones, ascending: 193.104.22.71,212.150.164.203
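The two questions above (which process started the exploit, which external hosts are suspicious) both come down to joining pslist against connections and walking parent PIDs. The script below is an added example, not part of the original writeup; it parses the two Volatility 2 outputs in their default column layout, flags connections that leave the LAN, and prints each process's parent chain. PSLIST and CONNECTIONS are trimmed copies of the output shown above.

```python
"""Join Volatility 2 `pslist` and `connections` output: which processes hold
connections to external hosts, and what is each one's parent chain.

Added example, not from the original writeup. PSLIST and CONNECTIONS are
trimmed copies of the output shown above; parsing assumes the default
column layout of the Volatility 2.6 plugins."""
import ipaddress
import re
from collections import defaultdict

PSLIST = """\
0x822ea020 svchost.exe 1040 688 83 1515 0 0 2010-02-26 03:34:07 UTC+0000
0x82266870 svchost.exe 880 688 28 340 0 0 2010-02-26 03:34:07 UTC+0000
0x81de55f0 svchost.exe 1244 688 19 239 0 0 2010-02-26 03:34:08 UTC+0000
0x81cdd790 explorer.exe 1756 1660 14 345 0 0 2010-02-26 03:34:38 UTC+0000
0x82068020 firefox.exe 888 1756 9 172 0 0 2010-02-27 20:11:53 UTC+0000
0x820618c8 AcroRd32.exe 1752 888 8 184 0 0 2010-02-27 20:12:23 UTC+0000
"""

CONNECTIONS = """\
0x81c6a9f0 192.168.0.176:1176 212.150.164.203:80 888
0x82123008 192.168.0.176:1184 193.104.22.71:80 880
0x81cd4270 192.168.0.176:2869 192.168.0.1:30379 1244
0x81e41108 127.0.0.1:1168 127.0.0.1:1169 888
0x82108890 192.168.0.176:1178 212.150.164.203:80 1752
0x82210440 192.168.0.176:1185 193.104.22.71:80 880
0x8207ac58 192.168.0.176:1171 66.249.90.104:80 888
0x81cef808 192.168.0.176:2869 192.168.0.1:30380 4
0x8205a448 192.168.0.176:1172 66.249.91.104:80 888
"""

# offset, name, pid, ppid, ... (process names carry no spaces in pslist output)
PS_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\d+)\s+(\d+)", re.M)
# offset, local ip:port, remote ip:port, pid
CONN_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\d+)", re.M)


def parse_pslist(text):
    """Map pid -> (name, ppid)."""
    return {int(pid): (name, int(ppid)) for name, pid, ppid in PS_RE.findall(text)}


def parse_connections(text):
    """List of (local_ip, local_port, remote_ip, remote_port, pid)."""
    return [(li, int(lp), ri, int(rp), int(pid))
            for li, lp, ri, rp, pid in CONN_RE.findall(text)]


def is_external(ip):
    """True for globally routable addresses (not RFC 1918, loopback, link-local ...)."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_unspecified)


def external_by_process(procs, conns):
    """{(pid, name): {remote ips}} for connections that leave the LAN."""
    out = defaultdict(set)
    for _li, _lp, rip, _rp, pid in conns:
        if is_external(rip):
            name = procs.get(pid, ("<not in pslist>", None))[0]
            out[(pid, name)].add(rip)
    return dict(out)


def lineage(procs, pid):
    """'child(pid) <- parent(ppid) <- ...' up to the first pid not in pslist."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        name, ppid = procs[pid]
        chain.append(f"{name}({pid})")
        pid = ppid
    return " <- ".join(chain)


def answer_format(ips):
    """Comma-separated, ascending numerically (the CTF answer format)."""
    return ",".join(sorted(ips, key=ipaddress.ip_address))


if __name__ == "__main__":
    procs = parse_pslist(PSLIST)
    conns = parse_connections(CONNECTIONS)
    for (pid, name), ips in sorted(external_by_process(procs, conns).items()):
        print(f"{name:<14} pid {pid:<5} -> {answer_format(ips):<45} [{lineage(procs, pid)}]")
```

Run against the real listings by piping the plugin output into the two constants (or reading them from files); the parent-chain column is what makes AcroRd32.exe under firefox.exe under explorer.exe stand out, and the external-only filter drops the UPnP and loopback noise before you start reading addresses.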
A suspicious URL was present in process svchost.exe memory. Provide the full URL that points to a PHP page hosted over a public IP (no FQDN).
# The svchost.exe instances are PIDs 880, 948, 1040, 1100, 1244 and 1384 (pslist output above)
$ volatility -f Bob.vmem --profile=WinXPSP2x86 pslist
# Dump each of them (-p also takes a comma-separated list); PID 880 is shown here because it owns the connections to 193.104.22.71
$ volatility -f Bob.vmem --profile=WinXPSP2x86 memdump -p 880 --dump-dir=./dump
$ cd dump
# A generic URL regex over the dumps did not turn up anything useful ...
$ strings * | grep -Eo "(http|https)://[a-zA-Z0-9./?=_%:-]*" | sort -u
# ... so grep for the IP already known from the connections question instead.
$ strings * | grep "http://193.104.22.71/"
# Caveat: strings only emits 8-bit text by default. Windows keeps a lot of process strings as UTF-16LE, so repeat any negative search with strings -e l before concluding that a URL is absent.
Extract files from the initial process. One file has an MD5 hash ending with "528afe08e437765cc". When was this file first submitted for analysis on VirusTotal?
$ volatility -f Bob.vmem --profile=WinXPSP2x86 pslist
(same output as in the "initial exploit" question above; the process of interest is AcroRd32.exe)
0x820618c8 AcroRd32.exe 1752 888 8 184 0 0 2010-02-27 20:12:23 UTC+0000
# Dump the AcroRd32.exe address space
$ volatility -f Bob.vmem --profile=WinXPSP2x86 memdump -p 1752 --dump-dir=./dump
Volatility Foundation Volatility Framework 2.6
************************************************************************
Writing AcroRd32.exe [ 1752] to 1752.dmp
# Carve embedded files out of the dump. foremost writes its results to ./output by default.
$ foremost 1752.dmp
$ cd output
# foremost sorts carved files by type. AcroRd32.exe's job is rendering PDFs, so the pdf/ folder is where the document that exploited it will be.
$ ls
audit.txt bmp dll exe gif htm jar jpg ole pdf png zip
$ cd pdf/
# The question says the MD5 ends in 528afe08e437765cc; that matches 00601560.pdf. The repeated hashes are the same data carved from more than one region of the dump.
$ md5sum *
4c1d41459dc5b476394ceb06471dd1f8 00445397.pdf
4c1d41459dc5b476394ceb06471dd1f8 00446730.pdf
1873297b6b3702817a760f95187236bc 00579981.pdf
1873297b6b3702817a760f95187236bc 00585184.pdf
1873297b6b3702817a760f95187236bc 00600544.pdf
70ebcd37c81e49858b8946ba49eb44b5 00600928.pdf
f32aa81676c7391528afe08e437765cc 00601560.pdf
# Search VirusTotal for that hash rather than uploading the file (an upload shares the sample with every VT partner; only upload if the hash is unknown). The first submission date is on the Details tab.
What was the PID of the process that loaded the file PDF.php?
The document served by that PHP page was handed to Adobe Reader, so the PID is AcroRd32.exe's: 1752. Its PPID, 888, is firefox.exe, which fetched it.
0x820618c8 AcroRd32.exe 1752 888 8 184 0 0 2010-02-27 20:12:23 UTC+0000
The JS includes a function meant to hide the call to function eval(). Provide the name of that function.
# peepdf pulls every JavaScript stream out of the PDF. -l (loose) and -f (force) keep it parsing a deliberately malformed file; -s runs the commands in the given script file.
$ git clone https://github.com/jesparza/peepdf.git
$ echo 'extract js > all-javascripts.js' > extract.txt
$ peepdf.py -l -f -s extract.txt ../00601560.pdf
$ cat all-javascripts.js
# Look for a small function whose only job is to pass a decoded string to eval(), or a variable that aliases it (var x = eval, this["eval"], "ev"+"al"); the name of that function is the answer.
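Finding the wrapper by eye works for one file; the following is an added example (not from the writeup, and not peepdf's code) of the triage heuristic scripted: collapse "ev" + "al" style string splitting, then report every function whose body reaches eval and every variable that aliases it. SAMPLE_JS is constructed and its function names are invented; it is a regex-and-brace-matching heuristic, not a JavaScript parser, so treat hits as leads to read, not verdicts.

```python
"""Spot the usual tricks PDF exploit kits use to hide an eval() call in the
JavaScript peepdf extracts: a function whose body forwards to eval, an alias
(var x = eval), or a property lookup such as this["eval"] / window['ev'+'al'].

Added example, not from the original writeup; SAMPLE_JS is constructed and its
names are made up. Heuristic (regex + brace matching), not a JS parser."""
import re

SAMPLE_JS = r"""
var a = "pay" + "load";
function zz(s) { return eval(s); }           // thin wrapper around eval
function helper(n) { return n * 2; }         // unrelated helper
var ev = this["ev" + "al"];                  // alias hidden by string splitting
function go(x) { var f = window['eval']; f(x); }
"""

# "ab" + "cd"  ->  "abcd"  (same quote style on both sides)
STR_CONCAT = re.compile(r"""(["'])([^"']*)\1\s*\+\s*(["'])([^"']*)\3""")
# function NAME(...) {
FUNC_DECL = re.compile(r"\bfunction\s+([A-Za-z_$][\w$]*)\s*\([^)]*\)\s*\{")
# NAME = eval;   or   NAME = this["eval"]; (also window/self/globalThis)
ALIAS = re.compile(r"""\b(?:var|let|const)?\s*([A-Za-z_$][\w$]*)\s*=\s*(?:eval|(?:this|window|self|globalThis)\s*\[\s*["']eval["']\s*\])\s*;""")
EVAL_USE = re.compile(r"""\beval\b|["']eval["']""")


def normalize(js):
    """Collapse adjacent string-literal concatenations until nothing changes."""
    prev = None
    while prev != js:
        prev = js
        js = STR_CONCAT.sub(lambda m: m.group(1) + m.group(2) + m.group(4) + m.group(1), js)
    return js


def function_body(js, start):
    """Text between the '{' at `start` and its matching '}' (brace counting)."""
    depth = 0
    for i in range(start, len(js)):
        if js[i] == "{":
            depth += 1
        elif js[i] == "}":
            depth -= 1
            if depth == 0:
                return js[start + 1:i]
    return js[start + 1:]  # unterminated: take the rest


def find_eval_wrappers(js):
    """{name: reason} for functions and variables that route a call through eval."""
    js = normalize(js)
    hits = {}
    for m in FUNC_DECL.finditer(js):
        body = function_body(js, m.end() - 1)
        if EVAL_USE.search(body):
            hits[m.group(1)] = "function body calls or looks up eval"
    for m in ALIAS.finditer(js):
        hits[m.group(1)] = "variable aliases eval"
    return hits


if __name__ == "__main__":
    # usage: python eval_wrappers.py all-javascripts.js  (falls back to SAMPLE_JS)
    import sys
    src = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_JS
    for name, why in find_eval_wrappers(src).items():
        print(f"{name}: {why}")
```

Expect some false positives on big scripts (any function that legitimately mentions eval is reported); the point is to shrink a few thousand lines of obfuscated code to a handful of names worth reading.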
The payload includes 3 shellcodes for different versions of Acrobat reader. Provide the function name that corresponds to Acrobat v9.
# Run the extracted script in a standalone JavaScript shell (js is the SpiderMonkey shell) so it unpacks its next stage with no PDF reader or browser around it, then read the decoded stage as a normal file. Exploit PDFs commonly branch on app.viewerVersion to pick one of several shellcode buffers per Reader version; find that version check and note which function it selects for 9.x. If the script expects the app object, stub it out in the shell first rather than running the sample inside Reader.
$ js malware.js
$ cat shellcode.js
Process winlogon.exe hosted a popular malware that was first submitted for analysis at VirusTotal on 2010-03-29 11:34:01. Provide the MD5 hash of that malware.
$ volatility -f Bob.vmem --profile=WinXPSP2x86 malfind -p 644 -D ./malfind
$ cd malfind/
$ md5sum *
a713f24caea9f219ee4c4b8c780fc3b2 process.0x81e5b2e8.0x24990000.dmp
baa16a4a537f2a13f99dd8a065ae8c92 process.0x81e5b2e8.0x26200000.dmp
f59c1246231631494ac73e61b9dfeb4c process.0x81e5b2e8.0x42e60000.dmp
8e77e4e4b8f10c6122693a88e9da4d31 process.0x81e5b2e8.0x7a330000.dmp
61467d672b45dc64ca4f5dc919c8826f process.0x81e5b2e8.0x7fc00000.dmp
066---------31db4b----------5269 process.0x81e5b2e8.0xa10000.dmp
# (the hash of the flagged region is masked above.) malfind dumps every private, executable, non-file-backed region it finds, and not all of those are malicious, so check each hash against VirusTotal by search; the region whose first submission is 2010-03-29 11:34:01 is the implant the question is about.
What is the name of the malicious executable referenced in registry hive '\WINDOWS\system32\config\software', and is a variant of ZeuS trojan?
# List the hives present in memory, then dump them all
$ volatility -f Bob.vmem --profile=WinXPSP2x86 hivelist
$ volatility -f Bob.vmem --profile=WinXPSP2x86 dumpregistry --dump-dir=./registrydump
# The question names \WINDOWS\system32\config\software, so open registry.0xe1526748.software.reg (the offset in the filename comes from the hivelist output) in Registry Explorer.
# ZeuS persists through the Winlogon key, Microsoft\Windows NT\CurrentVersion\Winlogon, normally by appending its executable to the Userinit value (the default is C:\WINDOWS\system32\userinit.exe, alone). Any extra path in that value that is not userinit.exe is the answer. Volatility's printkey plugin with -K set to that key path reads the same values straight from memory without dumping the hive first.
The shellcode for Acrobat v7 downloads a file named e.exe from a specific URL. Provide the URL.
# Run the shellcode stage the same way, then open the resulting log in a hex editor (ghex) and search for the string e.exe; the URL it is fetched from sits next to it. A hex view matters here because the URL may be stored with stray nulls or an encoding that a plain text viewer hides.
$ js shellcode.js
$ ghex <logfilename.log>
The shellcode for Acrobat v8 exploits a specific vulnerability. Provide the CVE number.
# jsunpack-n decodes the PDF's JavaScript and matches the result against its rule set, whose rule names carry the CVE of the Reader bug they detect; -v prints the matches.
$ python jsunpack-n.py -v 00601560.pdf