DumpMe - Memory Image Forensics

What is the SHA1 hash of triage.mem (memory dump)?

$ sha1sum Triage-Memory.mem 
c95e8cc8c946f95a109ea8e47a6800de10a27abd  Triage-Memory.mem

What volatility profile is the most appropriate for this machine? (ex: Win10x86_14393)

Win7SP1x64

What was the process ID of notepad.exe?

$ volatility -f Triage-Memory.mem --profile=Win7SP1x64 pslist | grep notepad
Volatility Foundation Volatility Framework 2.6
0xfffffa80054f9060 notepad.exe            3032   1432      1       60      1      0 2019-03-22 05:32:22 UTC+0000                                 

3032

Name the child process of wscript.exe.

$ volatility -f Triage-Memory.mem --profile=Win7SP1x64 pslist
0xfffffa8005a80060 wscript.exe            5116   3952      8      312      1      1 2019-03-22 05:35:32 UTC+0000                                 
0xfffffa8005a1d9e0 UWkpjFjDzM.exe         3496   5116      5      109      1      1 2019-03-22 05:35:33 UTC+0000

UWkpjFjDzM.exe

What was the IP address of the machine at the time the RAM dump was created?

$ volatility -f Triage-Memory.mem --profile=Win7SP1x64 netscan
Volatility Foundation Volatility Framework 2.6
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x13e057300        UDPv4    10.0.0.101:55736               *:*                                   2888     svchost.exe    2019-03-22 05:32:20 UTC+0000
0x13e05b4f0        UDPv6    ::1:55735                      *:*                                   2888     svchost.exe    2019-03-22 05:32:20 UTC+0000
0x13e05b790        UDPv6    fe80::7475:ef30:be18:7807:55734 *:*                                   2888     svchost.exe    2019-03-22 05:32:20 UTC+0000
0x13e05d4b0        UDPv6    fe80::7475:ef30:be18:7807:1900 *:*                                   2888     svchost.exe    2019-03-22 05:32:20 UTC+0000
0x13e05dec0        UDPv4    127.0.0.1:55737                *:*                                   2888     svchost.exe    2019-03-22 05:32:20 UTC+0000
0x13e05e3f0        UDPv4    10.0.0.101:1900                *:*                                   2888     svchost.exe    2019-03-22 05:32:20 UTC+0000
0x13e05eab0        UDPv6    ::1:1900                       *:*                                   2888     svchost.exe    2019-03-22 05:32:20 UTC+0000

10.0.0.101

Based on the answer regarding the infected PID, can you determine the IP of the attacker?

$ volatility -f Triage-Memory.mem --profile=Win7SP1x64 netscan
Volatility Foundation Volatility Framework 2.6
0x13ebcdef0        TCPv4    0.0.0.0:80                     0.0.0.0:0            LISTENING        3952     hfs.exe        
0x13e2348a0        TCPv4    -:49366                        192.168.206.181:389  CLOSED           504                     
0x13e397190        TCPv4    10.0.0.101:49217               10.0.0.106:4444      ESTABLISHED      3496     UWkpjFjDzM.exe 
0x13e3986d0        TCPv4    -:49378                        213.209.1.129:25     CLOSED           504                     
0x13e3abae0        TCPv4    -:49226                        72.51.60.132:443     CLOSED           4048     POWERPNT.EXE   

10.0.0.106

How many processes are associated with VCRUNTIME140.dll?

volatility -f Triage-Memory.mem --profile=Win7SP1x64 dlllist
Volatility Foundation Volatility Framework 2.6
0x000007fefa5c0000            0x16000             0xffff C:\Program Files\Common Files\Microsoft Shared\ClickToRun\VCRUNTIME140.dll
0x000007fefa5b0000             0x4000             0xffff C:\Program Files\Common Files\Microsoft Shared\ClickToRun\api-ms-win-crt-runtime-l1-1-0.dll
0x000007fefa4a0000            0xf2000             0xffff C:\Program Files\Common Files\Microsoft Shared\ClickToRun\ucrtbase.DLL
0x000007fefa5a0000             0x3000             0xffff C:\Program Files\Common Files\Microsoft Shared\ClickToRun\api-ms-win-core-timezone-l1-1-0.dll
0x000007fefa490000             0x3000             0xffff C:\Program Files\Common Files\Microsoft Shared\ClickToRun\api-ms-win-core-file-l2-1-0.dll

5

What is the md5 hash of the potential malware on the system?

# Look process number
$ volatility -f Triage-Memory.mem --profile=Win7SP1x64 pslist | grep UWkpjFjDzM.exe
Volatility Foundation Volatility Framework 2.6
0xfffffa8005a1d9e0 UWkpjFjDzM.exe         3496   5116      5      109      1      1 2019-03-22 05:35:33 UTC+0000                                 

# Dump Process
volatility -f Triage-Memory.mem --profile=Win7SP1x64 procdump -p 3496 --dump-dir=./

# md5 hash
$ md5sum executable.3496.exe 
690ea20bc3bdfb328e23005d9a80c290  executable.3496.exe

What is the LM hash of Bob's account?

$ volatility -f Triage-Memory.mem --profile=Win7SP1x64 hashdump
Volatility Foundation Volatility Framework 2.6
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Bob:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

aad3b435b51404eeaad3b435b51404ee

What memory protection constants does the VAD node at 0xfffffa800577ba10 have?

$ volatility -f Triage-Memory.mem --profile=Win7SP1x64 vadinfo > vadinfo.txt
Volatility Foundation Volatility Framework 2.6

VAD node @ 0xfffffa800577ba10 Start 0x0000000000030000 End 0x0000000000033fff Tag Vad 
Flags: NoChange: 1, Protection: 1
Protection: PAGE_READONLY
Vad Type: VadNone
ControlArea @fffffa8005687a50 Segment fffff8a000c4f870
NumberOfSectionReferences:          1 NumberOfPfnReferences:           0
NumberOfMappedViews:               29 NumberOfUserReferences:         30
Control Flags: Commit: 1
First prototype PTE: fffff8a000c4f8b8 Last contiguous PTE: fffff8a000c4f8d0
Flags2: Inherit: 1, SecNoChange: 1

PAGE_READONLY

What memory protection did the VAD starting at 0x00000000033c0000 and ending at 0x00000000033dffff have?

$ volatility -f Triage-Memory.mem --profile=Win7SP1x64 vadinfo > vadinfo.txt
Volatility Foundation Volatility Framework 2.6

VAD node @ 0xfffffa80052652b0 Start 0x00000000033c0000 End 0x00000000033dffff Tag VadS
Flags: CommitCharge: 32, PrivateMemory: 1, Protection: 24
Protection: PAGE_NOACCESS
Vad Type: VadNone

PAGE_NOACCESS

There was a VBS script that ran on the machine. What is the name of the script? (submit without file extension)

$ volatility -f Triage-Memory.mem --profile=Win7SP1x64 cmdline > cmdline.txt
Volatility Foundation Volatility Framework 2.6

wscript.exe pid:   5116
Command line : "C:\Windows\System32\wscript.exe" //B //NOLOGO %TEMP%\vhjReUDEuumrX.vbs
************************************************************************

vhjReUDEuumrX

An application was run at 2019-03-07 23:06:58 UTC. What is the name of the program? (Include extension)

$ volatility -f Triage-Memory.mem --profile=Win7SP1x64 shimcache
Volatility Foundation Volatility Framework 2.6

2019-03-07 23:06:58 UTC+0000   \??\C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe

Skype.exe

What was written in notepad.exe at the time when the memory dump was captured?

# Dump notepad.exe process
$ volatility -f Triage-Memory.mem --profile=Win7SP1x64 memdump -p 3032 --dump-dir=./
Volatility Foundation Volatility Framework 2.6
************************************************************************
Writing notepad.exe [  3032] to 3032.dmp

# Grep flag with flag keyword
$ strings -e l 3032.dmp  | grep 'flag*' > flag.txt
flag<REDBULL_IS_LIFE>

What is the short name of the file at file record 59045?

$ volatility -f Triage-Memory.mem --profile=Win7SP1x64 mftparser
Volatility Foundation Volatility Framework 2.6

MFT entry found at offset 0x2193d400
Attribute: In Use & File
Record Number: 59045
Link count: 2


$STANDARD_INFORMATION
Creation                       Modified                       MFT Altered                    Access Date                    Type
------------------------------ ------------------------------ ------------------------------ ------------------------------ ----
2019-03-17 06:50:07 UTC+0000 2019-03-17 07:04:43 UTC+0000   2019-03-17 07:04:43 UTC+0000   2019-03-17 07:04:42 UTC+0000   Archive

$FILE_NAME
Creation                       Modified                       MFT Altered                    Access Date                    Name/Path
------------------------------ ------------------------------ ------------------------------ ------------------------------ ---------
2019-03-17 06:50:07 UTC+0000 2019-03-17 07:04:43 UTC+0000   2019-03-17 07:04:43 UTC+0000   2019-03-17 07:04:42 UTC+0000   Users\Bob\DOCUME~1\EMPLOY~1\EMPLOY~1.XLS


EMPLOY~1.XLS

This box was exploited and is running meterpreter. What was the infected PID?

0xfffffa8005a1d9e0 UWkpjFjDzM.exe         3496   5116      5      109      1      1 2019-03-22 05:35:33 UTC+0000

PreviousBankingTroubles - Memory Image Forensics NextUlysses - Memory Image Forensics

Last updated 4 years ago