DumpMe - Memory Image Forensics

What is the SHA1 hash of triage.mem (memory dump)?

$ sha1sum Triage-Memory.mem 
c95e8cc8c946f95a109ea8e47a6800de10a27abd  Triage-Memory.mem

What volatility profile is the most appropriate for this machine? (ex: Win10x86_14393)

Win7SP1x64

What was the process ID of notepad.exe?

$ volatility -f Triage-Memory.mem --profile=Win7SP1x64 pslist | grep notepad
Volatility Foundation Volatility Framework 2.6
0xfffffa80054f9060 notepad.exe            3032   1432      1       60      1      0 2019-03-22 05:32:22 UTC+0000                                 

3032

Name the child process of wscript.exe.

$ volatility -f Triage-Memory.mem --profile=Win7SP1x64 pslist
0xfffffa8005a80060 wscript.exe            5116   3952      8      312      1      1 2019-03-22 05:35:32 UTC+0000                                 
0xfffffa8005a1d9e0 UWkpjFjDzM.exe         3496   5116      5      109      1      1 2019-03-22 05:35:33 UTC+0000

UWkpjFjDzM.exe

What was the IP address of the machine at the time the RAM dump was created?

$ volatility -f Triage-Memory.mem --profile=Win7SP1x64 netscan
Volatility Foundation Volatility Framework 2.6
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x13e057300        UDPv4    10.0.0.101:55736               *:*                                   2888     svchost.exe    2019-03-22 05:32:20 UTC+0000
0x13e05b4f0        UDPv6    ::1:55735                      *:*                                   2888     svchost.exe    2019-03-22 05:32:20 UTC+0000
0x13e05b790        UDPv6    fe80::7475:ef30:be18:7807:55734 *:*                                   2888     svchost.exe    2019-03-22 05:32:20 UTC+0000
0x13e05d4b0        UDPv6    fe80::7475:ef30:be18:7807:1900 *:*                                   2888     svchost.exe    2019-03-22 05:32:20 UTC+0000
0x13e05dec0        UDPv4    127.0.0.1:55737                *:*                                   2888     svchost.exe    2019-03-22 05:32:20 UTC+0000
0x13e05e3f0        UDPv4    10.0.0.101:1900                *:*                                   2888     svchost.exe    2019-03-22 05:32:20 UTC+0000
0x13e05eab0        UDPv6    ::1:1900                       *:*                                   2888     svchost.exe    2019-03-22 05:32:20 UTC+0000

10.0.0.101

Based on the answer regarding the infected PID, can you determine the IP of the attacker?

$ volatility -f Triage-Memory.mem --profile=Win7SP1x64 netscan
Volatility Foundation Volatility Framework 2.6
0x13ebcdef0        TCPv4    0.0.0.0:80                     0.0.0.0:0            LISTENING        3952     hfs.exe        
0x13e2348a0        TCPv4    -:49366                        192.168.206.181:389  CLOSED           504                     
0x13e397190        TCPv4    10.0.0.101:49217               10.0.0.106:4444      ESTABLISHED      3496     UWkpjFjDzM.exe 
0x13e3986d0        TCPv4    -:49378                        213.209.1.129:25     CLOSED           504                     
0x13e3abae0        TCPv4    -:49226                        72.51.60.132:443     CLOSED           4048     POWERPNT.EXE   

10.0.0.106
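The two lookups above (child of wscript.exe, then the remote peer of the infected PID) are a parent-chain plus network correlation that is worth scripting when a dump has hundreds of processes. The block below is an added example, not part of the original write-up or of Volatility; it parses the pslist and netscan rows quoted on this page (trimmed and embedded as constructed sample input) and joins them on PID.

```python
# Constructed sample: Volatility 2 pslist / netscan rows as printed on this page.
PSLIST = """
0xfffffa8005a80060 wscript.exe            5116   3952      8      312      1      1 2019-03-22 05:35:32 UTC+0000
0xfffffa8005a1d9e0 UWkpjFjDzM.exe         3496   5116      5      109      1      1 2019-03-22 05:35:33 UTC+0000
0xfffffa80054f9060 notepad.exe            3032   1432      1       60      1      0 2019-03-22 05:32:22 UTC+0000
"""
NETSCAN = """
0x13ebcdef0        TCPv4    0.0.0.0:80                     0.0.0.0:0            LISTENING        3952     hfs.exe
0x13e397190        TCPv4    10.0.0.101:49217               10.0.0.106:4444      ESTABLISHED      3496     UWkpjFjDzM.exe
0x13e3abae0        TCPv4    -:49226                        72.51.60.132:443     CLOSED           4048     POWERPNT.EXE
"""

def parse_pslist(text):
    """Return {pid: (name, ppid)} from pslist rows: offset name pid ppid ..."""
    procs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) > 3 and parts[0].startswith("0x"):
            procs[int(parts[2])] = (parts[1], int(parts[3]))
    return procs

def children_of(procs, ppid):
    """Names of processes whose parent PID is ppid (answers 'child of wscript.exe')."""
    return sorted(name for pid, (name, parent) in procs.items() if parent == ppid)

def ancestry(procs, pid):
    """Walk PPID links upward until the parent is missing from the listing."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        name, ppid = procs[pid]
        chain.append(name)
        pid = ppid
    return chain

def established_peers(text):
    """[(pid, owner, remote_ip, remote_port)] for ESTABLISHED TCP rows only."""
    peers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 7 and parts[1].startswith("TCP") and parts[4] == "ESTABLISHED":
            ip, port = parts[3].rsplit(":", 1)   # rsplit keeps IPv6 addresses intact
            peers.append((int(parts[5]), parts[6], ip, int(port)))
    return peers
```

Rows without an owner column (the CLOSED sockets on the page) have only six fields and are skipped by the length check rather than mis-parsed.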

How many processes are associated with VCRUNTIME140.dll?

$ volatility -f Triage-Memory.mem --profile=Win7SP1x64 dlllist
Volatility Foundation Volatility Framework 2.6
0x000007fefa5c0000            0x16000             0xffff C:\Program Files\Common Files\Microsoft Shared\ClickToRun\VCRUNTIME140.dll
0x000007fefa5b0000             0x4000             0xffff C:\Program Files\Common Files\Microsoft Shared\ClickToRun\api-ms-win-crt-runtime-l1-1-0.dll
0x000007fefa4a0000            0xf2000             0xffff C:\Program Files\Common Files\Microsoft Shared\ClickToRun\ucrtbase.DLL
0x000007fefa5a0000             0x3000             0xffff C:\Program Files\Common Files\Microsoft Shared\ClickToRun\api-ms-win-core-timezone-l1-1-0.dll
0x000007fefa490000             0x3000             0xffff C:\Program Files\Common Files\Microsoft Shared\ClickToRun\api-ms-win-core-file-l2-1-0.dll

5

What is the md5 hash of the potential malware on the system?

# Look up the process ID of the suspicious binary
$ volatility -f Triage-Memory.mem --profile=Win7SP1x64 pslist | grep UWkpjFjDzM.exe
Volatility Foundation Volatility Framework 2.6
0xfffffa8005a1d9e0 UWkpjFjDzM.exe         3496   5116      5      109      1      1 2019-03-22 05:35:33 UTC+0000                                 

# Dump Process
$ volatility -f Triage-Memory.mem --profile=Win7SP1x64 procdump -p 3496 --dump-dir=./

# md5 hash
$ md5sum executable.3496.exe 
690ea20bc3bdfb328e23005d9a80c290  executable.3496.exe

What is the LM hash of Bob's account?

$ volatility -f Triage-Memory.mem --profile=Win7SP1x64 hashdump
Volatility Foundation Volatility Framework 2.6
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Bob:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

aad3b435b51404eeaad3b435b51404ee

What memory protection constants does the VAD node at 0xfffffa800577ba10 have?

$ volatility -f Triage-Memory.mem --profile=Win7SP1x64 vadinfo > vadinfo.txt
Volatility Foundation Volatility Framework 2.6

VAD node @ 0xfffffa800577ba10 Start 0x0000000000030000 End 0x0000000000033fff Tag Vad 
Flags: NoChange: 1, Protection: 1
Protection: PAGE_READONLY
Vad Type: VadNone
ControlArea @fffffa8005687a50 Segment fffff8a000c4f870
NumberOfSectionReferences:          1 NumberOfPfnReferences:           0
NumberOfMappedViews:               29 NumberOfUserReferences:         30
Control Flags: Commit: 1
First prototype PTE: fffff8a000c4f8b8 Last contiguous PTE: fffff8a000c4f8d0
Flags2: Inherit: 1, SecNoChange: 1

PAGE_READONLY

What memory protection did the VAD starting at 0x00000000033c0000 and ending at 0x00000000033dffff have?

$ volatility -f Triage-Memory.mem --profile=Win7SP1x64 vadinfo > vadinfo.txt
Volatility Foundation Volatility Framework 2.6

VAD node @ 0xfffffa80052652b0 Start 0x00000000033c0000 End 0x00000000033dffff Tag VadS
Flags: CommitCharge: 32, PrivateMemory: 1, Protection: 24
Protection: PAGE_NOACCESS
Vad Type: VadNone

PAGE_NOACCESS
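Both VAD questions above come down to reading the numeric Protection value that vadinfo prints on the Flags line (1 and 24 here) and mapping it to a PAGE_* constant. The block below is an added example, not the page's or Volatility's own code; it assumes the Windows MM protection encoding that vadinfo's lookup table reflects (low three bits select access, bits 3 and 4 select NOCACHE, GUARD or WRITECOMBINE, and a NOACCESS access value ignores modifiers), parses the two nodes quoted on the page plus one constructed node, and applies the usual private-RWX heuristic.

```python
import re

ACCESS = {0: "PAGE_NOACCESS", 1: "PAGE_READONLY", 2: "PAGE_EXECUTE",
          3: "PAGE_EXECUTE_READ", 4: "PAGE_READWRITE", 5: "PAGE_WRITECOPY",
          6: "PAGE_EXECUTE_READWRITE", 7: "PAGE_EXECUTE_WRITECOPY"}
MODIFIER = {1: "PAGE_NOCACHE", 2: "PAGE_GUARD", 3: "PAGE_WRITECOMBINE"}

def decode_protection(value):
    """Map the raw VAD Protection number to its PAGE_* name (assumed encoding)."""
    access = ACCESS[value & 7]
    mod = MODIFIER.get((value >> 3) & 3)
    if access == "PAGE_NOACCESS" or mod is None:   # modifiers mean nothing on NOACCESS
        return access
    return f"{mod} | {access}"

# Constructed sample: the two nodes from this page plus one invented RWX node.
VADINFO = """\
VAD node @ 0xfffffa800577ba10 Start 0x0000000000030000 End 0x0000000000033fff Tag Vad
Flags: NoChange: 1, Protection: 1
VAD node @ 0xfffffa80052652b0 Start 0x00000000033c0000 End 0x00000000033dffff Tag VadS
Flags: CommitCharge: 32, PrivateMemory: 1, Protection: 24
VAD node @ 0xfffffa80051112b0 Start 0x0000000000400000 End 0x0000000000410fff Tag VadS
Flags: CommitCharge: 17, PrivateMemory: 1, Protection: 6
"""
NODE = re.compile(r"VAD node @ (0x[0-9a-f]+) Start (0x[0-9a-f]+) End (0x[0-9a-f]+) Tag (\w+)")

def parse_vadinfo(text):
    """One dict per node: address, range, tag, decoded protection, private flag."""
    nodes, cur = [], None
    for line in text.splitlines():
        m = NODE.match(line)
        if m:
            cur = {"node": m[1], "start": int(m[2], 16), "end": int(m[3], 16), "tag": m[4]}
            nodes.append(cur)
        elif cur and line.startswith("Flags:"):
            flags = dict(re.findall(r"(\w+): (\d+)", line))
            cur["protection"] = decode_protection(int(flags.get("Protection", 0)))
            cur["private"] = flags.get("PrivateMemory") == "1"
    return nodes

def suspicious(nodes):
    """malfind-style triage: private memory that is both writable and executable."""
    return [n["node"] for n in nodes
            if n.get("private") and n["protection"] == "PAGE_EXECUTE_READWRITE"]
```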

There was a VBS script that ran on the machine. What is the name of the script? (submit without file extension)

$ volatility -f Triage-Memory.mem --profile=Win7SP1x64 cmdline > cmdline.txt
Volatility Foundation Volatility Framework 2.6

wscript.exe pid:   5116
Command line : "C:\Windows\System32\wscript.exe" //B //NOLOGO %TEMP%\vhjReUDEuumrX.vbs
************************************************************************

vhjReUDEuumrX

An application was run at 2019-03-07 23:06:58 UTC. What is the name of the program? (Include extension)

$ volatility -f Triage-Memory.mem --profile=Win7SP1x64 shimcache
Volatility Foundation Volatility Framework 2.6

2019-03-07 23:06:58 UTC+0000   \??\C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe

Skype.exe

What was written in notepad.exe at the time when the memory dump was captured?

# Dump notepad.exe process
$ volatility -f Triage-Memory.mem --profile=Win7SP1x64 memdump -p 3032 --dump-dir=./
Volatility Foundation Volatility Framework 2.6
************************************************************************
Writing notepad.exe [  3032] to 3032.dmp

# Notepad stores its buffer as UTF-16LE, so extract little-endian 16-bit strings (-e l) and grep for the flag keyword
$ strings -e l 3032.dmp | grep 'flag'
flag<REDBULL_IS_LIFE>
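The step above only works because of `-e l`: Notepad holds its text as UTF-16LE, so every character is followed by a zero byte and the default 8-bit `strings` scan breaks each run after one character. The block below is an added example, not from the write-up, that reimplements both scans over a constructed dump slice (not the real 3032.dmp) and contrasts a fixed-string filter with the regex `flag*`, which also matches words with no `g` at all.

```python
import re

# Constructed sample of a process dump slice: a UTF-16LE edit buffer, an 8-bit
# string that is invisible to the wide scan, and a near-miss word "flavor".
SAMPLE = (b"\x00\x01MZ\x90"
          + "Hello\r\nflag<EXAMPLE_ONLY>".encode("utf-16-le")
          + b"\x00\x00plain-ascii-config-text\x00\x00"
          + "flavor".encode("utf-16-le"))

def strings_utf16le(data, min_len=4):
    """Like `strings -e l`: runs of >= min_len printable chars stored as XX 00."""
    pat = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pat.finditer(data)]

def strings_ascii(data, min_len=4):
    """Like plain `strings`: runs of >= min_len printable 8-bit chars."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(data)]

def grep_fixed(strs, keyword):
    """Fixed-string filter (what grep -F 'flag' would do)."""
    return [s for s in strs if keyword in s]

def grep_regex(strs, pattern):
    """Regex filter: with 'flag*' the trailing * makes the g optional."""
    return [s for s in strs if re.search(pattern, s)]
```

Control characters such as the CR/LF between the two Notepad lines split the wide run, which is why a keyword search on the extracted strings, rather than on raw bytes, is the reliable step.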

What is the short name of the file at file record 59045?

$ volatility -f Triage-Memory.mem --profile=Win7SP1x64 mftparser
Volatility Foundation Volatility Framework 2.6

MFT entry found at offset 0x2193d400
Attribute: In Use & File
Record Number: 59045
Link count: 2


$STANDARD_INFORMATION
Creation                       Modified                       MFT Altered                    Access Date                    Type
------------------------------ ------------------------------ ------------------------------ ------------------------------ ----
2019-03-17 06:50:07 UTC+0000 2019-03-17 07:04:43 UTC+0000   2019-03-17 07:04:43 UTC+0000   2019-03-17 07:04:42 UTC+0000   Archive

$FILE_NAME
Creation                       Modified                       MFT Altered                    Access Date                    Name/Path
------------------------------ ------------------------------ ------------------------------ ------------------------------ ---------
2019-03-17 06:50:07 UTC+0000 2019-03-17 07:04:43 UTC+0000   2019-03-17 07:04:43 UTC+0000   2019-03-17 07:04:42 UTC+0000   Users\Bob\DOCUME~1\EMPLOY~1\EMPLOY~1.XLS


EMPLOY~1.XLS

This box was exploited and is running meterpreter. What was the infected PID?

0xfffffa8005a1d9e0 UWkpjFjDzM.exe         3496   5116      5      109      1      1 2019-03-22 05:35:33 UTC+0000
