Memory Image: https://www.dropbox.com/sh/4qfk1miauqbvqst/AAAVCI1G8Sc8xMoqK_TtmSbia?dl=0

Question 1:

What is the SHA1 hash of triage.mem?

Flag Format-flag<xyz>
Everything after the – is what you need to submit, your answer is the xyz.

Solution:

The downloaded image is saved locally as memory.mem, so that is the file hashed here:

kali Desktop/forensic_images » sha1sum memory.mem 
c95e8cc8c946f95a109ea8e47a6800de10a27abd memory.mem

Question 2:

What profile is the most appropriate for this machine? (ex: Win10x86_14393)

Flag Format-flag<xyz>
Everything after the – is what you need to submit, your answer is the xyz.

The first step with Volatility 2 is always to identify the right profile for the memory dump, using imageinfo:

kali Desktop/forensic_images » volatility imageinfo -f memory.mem 
Volatility Foundation Volatility Framework 2.6
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418
AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/root/Desktop/forensic_images/memory.mem)
PAE type : No PAE
DTB : 0x187000L
KDBG : 0xf800029f80a0L
Number of Processors : 2
Image Type (Service Pack) : 1
KPCR for CPU 0 : 0xfffff800029f9d00L
KPCR for CPU 1 : 0xfffff880009ee000L
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2019-03-22 05:46:00 UTC+0000
Image local date and time : 2019-03-22 01:46:00 -0400

The first suggestion, Win7SP1x64, agrees with the rest of the output (Service Pack 1, 64-bit kernel address space), and every later plugin runs cleanly with it, so the answer is Win7SP1x64. If the suggested list were ambiguous, kdbgscan would narrow it down by validating the KDBG structure against each candidate profile.

Question 3:

What was the process ID of notepad.exe?

Flag Format-flag<xyz>
Everything after the – is what you need to submit, your answer is the xyz.

Solution:

Specify the profile and use the pslist plugin to list the running processes, filtering for notepad:

kali Desktop/forensic_images » volatility -f memory.mem --profile=Win7SP1x64 pslist | grep notepad
Volatility Foundation Volatility Framework 2.6
0xfffffa80054f9060 notepad.exe 3032 1432 1 60 1 0 2019-03-22 05:32:22 UTC+0000

The PID of notepad.exe is 3032 (third column; the fourth column, 1432, is its parent PID).

Question 4:

Name the child processes of wscript.exe.

Flag Format-flag<xyz>
Everything after the – is what you need to submit, your answer is the xyz.

Solution:

pstree shows parent/child relationships by indentation: each leading period is one level of nesting, and the columns are offset:name, PID and PPID.

Grep for wscript.exe with three lines of context above and below:

kali Desktop/forensic_images » volatility -f memory.mem --profile=Win7SP1x64 pstree | grep -C 3 wscript.exe 
Volatility Foundation Volatility Framework 2.6
. 0xfffffa8004798320:calc.exe 3548 1432 3 77 2019-03-22 05:34:43 UTC+0000
. 0xfffffa80053d3060:POWERPNT.EXE 4048 1432 23 765 2019-03-22 05:35:09 UTC+0000
. 0xfffffa8004905620:hfs.exe 3952 1432 6 214 2019-03-22 05:34:51 UTC+0000
.. 0xfffffa8005a80060:wscript.exe 5116 3952 8 312 2019-03-22 05:35:32 UTC+0000
... 0xfffffa8005a1d9e0:UWkpjFjDzM.exe 3496 5116 5 109 2019-03-22 05:35:33 UTC+0000
.... 0xfffffa8005bb0060:cmd.exe 4660 3496 1 33 2019-03-22 05:35:36 UTC+0000
. 0xfffffa80054f9060:notepad.exe 3032 1432 1 60 2019-03-22 05:32:22 UTC+000

wscript.exe (PID 5116, itself spawned by hfs.exe) has a single direct child, UWkpjFjDzM.exe (PID 3496, PPID 5116), which in turn spawned cmd.exe (PID 4660). The answer is UWkpjFjDzM.exe.
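The write-up reads the tree off the indentation by eye. As an added example (not part of the original write-up), the script below parses pstree output and walks the PPID links instead, so it lists the whole chain under wscript.exe rather than just the first level. The sample input is the pstree rows quoted above, embedded as a constructed string; the function names are my own.

```python
import re

# Constructed sample: the pstree rows quoted in the write-up above, kept verbatim.
# Leading periods mark nesting depth; columns are Offset:Name Pid PPid Thds Hnds Time.
PSTREE_SAMPLE = """\
Volatility Foundation Volatility Framework 2.6
. 0xfffffa8004798320:calc.exe 3548 1432 3 77 2019-03-22 05:34:43 UTC+0000
. 0xfffffa80053d3060:POWERPNT.EXE 4048 1432 23 765 2019-03-22 05:35:09 UTC+0000
. 0xfffffa8004905620:hfs.exe 3952 1432 6 214 2019-03-22 05:34:51 UTC+0000
.. 0xfffffa8005a80060:wscript.exe 5116 3952 8 312 2019-03-22 05:35:32 UTC+0000
... 0xfffffa8005a1d9e0:UWkpjFjDzM.exe 3496 5116 5 109 2019-03-22 05:35:33 UTC+0000
.... 0xfffffa8005bb0060:cmd.exe 4660 3496 1 33 2019-03-22 05:35:36 UTC+0000
. 0xfffffa80054f9060:notepad.exe 3032 1432 1 60 2019-03-22 05:32:22 UTC+0000
"""

# One pstree row: optional dots, then offset:name, PID, PPID. Banner/header lines do not match.
ROW = re.compile(r"^\.*\s*(?P<offset>0x[0-9a-fA-F]+):(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)")


def parse_pstree(text):
    """Return {pid: (name, ppid)} from Volatility 2 pstree output."""
    procs = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            procs[int(m["pid"])] = (m["name"], int(m["ppid"]))
    return procs


def pids_named(procs, name):
    """All PIDs whose image name matches (case-insensitive); a name can appear more than once."""
    return sorted(p for p, (n, _) in procs.items() if n.lower() == name.lower())


def children_of(procs, pid):
    return sorted(p for p, (_, ppid) in procs.items() if ppid == pid)


def descendants(procs, pid):
    """Depth-first list of (depth, pid, name) for everything below `pid`, following
    PPID values rather than the dot indentation, so a reparented or orphaned
    child is still attributed correctly as long as its PPID survived in memory."""
    out = []
    stack = [(1, c) for c in reversed(children_of(procs, pid))]
    while stack:
        depth, cur = stack.pop()
        out.append((depth, cur, procs[cur][0]))
        stack.extend((depth + 1, c) for c in reversed(children_of(procs, cur)))
    return out


if __name__ == "__main__":
    procs = parse_pstree(PSTREE_SAMPLE)
    for pid in pids_named(procs, "wscript.exe"):
        parent = procs.get(procs[pid][1], ("<exited>",))[0]
        print(f"wscript.exe pid {pid}, parent pid {procs[pid][1]} ({parent})")
        for depth, cpid, cname in descendants(procs, pid):
            print(f"{'  ' * depth}{cname} ({cpid})")
```

Running it prints the chain hfs.exe -> wscript.exe -> UWkpjFjDzM.exe -> cmd.exe; the grandchild cmd.exe is the detail worth noting, since it is the shell the dropped executable went on to use.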

Question 5:

What was the IP address of the machine at the time the RAM dump was created?

Flag Format-flag<xyz>
Everything after the – is what you need to submit, your answer is the xyz.

Solution:

The netscan plugin lists the TCP and UDP endpoints it finds in memory; the local address of the non-loopback sockets is the machine's own IP. Grep out the loopback and wildcard binds:

kali Desktop/forensic_images » volatility -f memory.mem --profile=Win7SP1x64 netscan | grep -v '127.0.0.1\|0.0.0.0'

Filtering out 127.0.0.1 and 0.0.0.0 leaves 10.0.0.101 as the only local address (for example svchost.exe bound to 10.0.0.101:55736), so the machine's IP address at the time of the dump was 10.0.0.101.

[screenshot of the filtered netscan output]

Question 6

Based on the answer regarding to the infected PID, can you determine what the IP of the attacker was?

Flag Format-flag<xyz>
Everything after the – is what you need to submit, your answer is the xyz.

Solution

Question 4 identified UWkpjFjDzM.exe (PID 3496) as the malicious process.

Filtering the same netscan output on that process name shows an ESTABLISHED connection from 10.0.0.101 to 10.0.0.106 on port 4444, the default listener port for Metasploit payloads and a common choice for reverse shells:

kali Desktop/forensic_images » volatility -f memory.mem --profile=Win7SP1x64 netscan | grep UWkpjFjDzM.exe         
Volatility Foundation Volatility Framework 2.6
0x13e397190 TCPv4 10.0.0.101:49217 10.0.0.106:4444 ESTABLISHED 3496 UWkpjFjDzM.exe

So the attacker's IP is 10.0.0.106.
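Questions 5 and 6 both come down to reading netscan output carefully. As an added example (mine, not from the original write-up), the script below applies the two checks mechanically: the host's own address is whichever local IPv4 address is neither wildcard nor loopback, and candidate C2 sessions are the ESTABLISHED TCP sockets with a non-loopback peer. The ESTABLISHED UWkpjFjDzM.exe row is the one quoted above; all other rows, offsets, PIDs and timestamps in the sample are constructed to look like a typical Win7 host.

```python
import ipaddress
from collections import Counter

# Constructed sample in Volatility 2 netscan layout. Only the ESTABLISHED
# UWkpjFjDzM.exe row is real (quoted from the write-up); the rest is invented.
NETSCAN_SAMPLE = """\
Volatility Foundation Volatility Framework 2.6
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x13e001010        UDPv4    0.0.0.0:5355                   *:*                                   1080     svchost.exe    2019-03-22 05:31:40 UTC+0000
0x13e002020        TCPv4    0.0.0.0:135                    0.0.0.0:0            LISTENING        700      svchost.exe
0x13e003030        TCPv6    :::135                         :::0                 LISTENING        700      svchost.exe
0x13e004040        UDPv4    10.0.0.101:55736               *:*                                   1080     svchost.exe    2019-03-22 05:31:41 UTC+0000
0x13e005050        TCPv4    127.0.0.1:49160                127.0.0.1:49161      ESTABLISHED      3952     hfs.exe
0x13e397190        TCPv4    10.0.0.101:49217               10.0.0.106:4444      ESTABLISHED      3496     UWkpjFjDzM.exe
0x13e006060        TCPv4    10.0.0.101:49218               10.0.0.106:4444      CLOSED           3496     UWkpjFjDzM.exe
"""


def split_endpoint(endpoint):
    """'10.0.0.101:49217' -> ('10.0.0.101', '49217'); also copes with ':::135' and '*:*'."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def parse_netscan(text):
    """Rows of netscan output as dicts; banner and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or not t[1].startswith(("TCP", "UDP")):
            continue
        if t[1].startswith("TCP"):          # TCP rows carry a State column, UDP rows do not
            state, pid = t[4], t[5]
            owner = t[6] if len(t) > 6 else ""
        else:
            state, pid, owner = "", t[4], t[5]
        rows.append({"proto": t[1], "local": t[2], "foreign": t[3],
                     "state": state, "pid": int(pid), "owner": owner})
    return rows


def host_addresses(rows):
    """Local IPv4 addresses that are neither the 0.0.0.0 wildcard nor loopback,
    counted by the number of sockets bound to each: the machine's own address(es)."""
    counts = Counter()
    for r in rows:
        host, _ = split_endpoint(r["local"])
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:                  # '*' and other placeholders
            continue
        if ip.version == 4 and not (ip.is_unspecified or ip.is_loopback):
            counts[str(ip)] += 1
    return counts


def external_connections(rows):
    """ESTABLISHED TCP sockets with a non-loopback peer, as (pid, owner, peer, port).
    netscan carves freed pool memory too, so CLOSED/TIME_WAIT leftovers are normal
    and are filtered out here rather than reported as live sessions."""
    found = []
    for r in rows:
        if r["state"] != "ESTABLISHED":
            continue
        peer, port = split_endpoint(r["foreign"])
        try:
            if ipaddress.ip_address(peer).is_loopback:
                continue
        except ValueError:
            continue
        found.append((r["pid"], r["owner"], peer, int(port)))
    return found


if __name__ == "__main__":
    rows = parse_netscan(NETSCAN_SAMPLE)
    print("host address candidates:", host_addresses(rows).most_common())
    for pid, owner, peer, port in external_connections(rows):
        print(f"pid {pid} {owner} -> {peer}:{port}")
```

The CLOSED row in the sample is there on purpose: netscan regularly returns stale sockets alongside live ones, so the state column, not just the peer address, should drive the conclusion.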

Question 7

What process name is VCRUNTIME140.dll associated with?

Flag Format-flag<xyz>
Everything after the – is what you need to submit, your answer is the xyz.

Solution

The dlllist plugin prints the DLLs loaded by every process. Redirect the full output to a file and search it for VCRUNTIME140.dll, then read the process header above the match:

kali Desktop/forensic_images » volatility -f memory.mem --profile=Win7SP1x64 dlllist > dlllist

The match is in the DLL list of OfficeClickToRun.exe, a legitimate Office Click-to-Run component rather than the malware (see question 8).

Note that Volatility takes the process name from EPROCESS.ImageFileName, a 15-byte field that holds at most 14 characters plus a NUL terminator, so longer names come out truncated. The flag wants the name exactly as the plugin prints it: OfficeClickToR.

[screenshot of the dlllist match]

Question 8

What is the md5 hash value of the potential malware on the system?

Flag Format-flag<xyz>
Everything after the – is what you need to submit, your answer is the xyz.

Solution:

The executable's hash cannot be read straight out of the memory image; the file has to be rebuilt from the process's memory with the procdump plugin and then hashed.

At first the candidate looked like OfficeClickToR (question 7), but the actual malware is UWkpjFjDzM.exe, PID 3496, found in question 4:

kali Desktop/forensic_images » volatility -f memory.mem --profile=Win7SP1x64 procdump -p 3496 --dump-dir .
Volatility Foundation Volatility Framework 2.6
Process(V) ImageBase Name Result
------------------ ------------------ -------------------- ------
0xfffffa8005a1d9e0 0x0000000000400000 UWkpjFjDzM.exe OK: executable.3496.exe

kali Desktop/forensic_images » md5sum executable.3496.exe 
690ea20bc3bdfb328e23005d9a80c290 executable.3496.exe

That is the MD5 of the dumped executable. Be aware that procdump reconstructs the PE from its in-memory image (sections at their virtual alignment, imports resolved, relocations applied), so this hash will generally not match the hash of the original file on disk; the challenge expects the hash of the dump.

Question 9

What is the LM hash of bobs account?

Flag Format-flag<xyz>
Everything after the – is what you need to submit, your answer is the xyz.

Solution:

The hashdump plugin reads the SAM and SYSTEM hives from memory and prints one line per local account in the form user:RID:LM hash:NT hash:::

kali Desktop/forensic_images » volatility -f memory.mem --profile=Win7SP1x64 hashdump                     
Volatility Foundation Volatility Framework 2.6
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Bob:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

Bob is RID 1000 and the LM field is aad3b435b51404eeaad3b435b51404ee. That value is what hashdump prints when no LM hash is stored, which is the default since Windows Vista (LM hashing is disabled), and the NT field 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of an empty password, so either these accounts have blank passwords or the SAM entries carried no usable hash data. The flag is the LM field exactly as printed.
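Rather than recognising the two constants by eye, the check can be done mechanically: the NT hash is MD4 over the UTF-16LE password, so the "empty password" value is simply MD4 of zero bytes. The script below is an added example (mine, not from the original write-up) that parses hashdump output and flags accounts with no LM hash and with a blank NT hash. MD4 is implemented inline because hashlib's md4 is unavailable on OpenSSL 3 builds unless the legacy provider is enabled; the sample input is the three hashdump rows quoted above.

```python
import struct

# Printed by hashdump when no LM hash is stored (LM hashing disabled, the Vista+ default).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"

# Constructed sample: the hashdump rows from the write-up above.
HASHDUMP_SAMPLE = """\
Volatility Foundation Volatility Framework 2.6
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Bob:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""


def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4. Each round is (boolean function, word order, shift amounts, additive constant)."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z),
         list(range(16)), (3, 7, 11, 19), 0x00000000),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, order, shifts, k in rounds:
            for i, j in enumerate(order):
                # Rotate the register roles (a,b,c,d) -> (d,a,b,c) after each step instead
                # of spelling out the four a/d/c/b variants of the step.
                a = _rol((a + fn(b, c, d) + X[j] + k) & 0xFFFFFFFF, shifts[i % 4])
                a, b, c, d = d, a, b, c
        state = [(s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash = MD4 over the UTF-16LE encoding of the password, hex-encoded."""
    return md4(password.encode("utf-16-le")).hex()


def parse_hashdump(text):
    rows = []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) >= 4 and parts[1].isdigit():
            rows.append({"user": parts[0], "rid": int(parts[1]),
                         "lm": parts[2].lower(), "nt": parts[3].lower()})
    return rows


def triage(rows):
    """Add lm_stored (an LM hash is actually present) and nt_is_blank (NT hash of '') to each row."""
    blank = nt_hash("")
    return [dict(r, lm_stored=r["lm"] != EMPTY_LM, nt_is_blank=r["nt"] == blank) for r in rows]


if __name__ == "__main__":
    for r in triage(parse_hashdump(HASHDUMP_SAMPLE)):
        print(f"{r['user']:<14} rid={r['rid']:<5} lm_stored={r['lm_stored']} nt_is_blank={r['nt_is_blank']}")
```

If an account's NT field were anything other than the blank-password value, the same nt_hash() would be what you feed a wordlist through to test candidate passwords offline.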

Question 10

What protections does the VAD node at 0xfffffa800577ba10 have?

Flag Format-flag<xyz>
Everything after the – is what you need to submit, your answer is the xyz.

Solution

This is a straight vadinfo lookup: grep the output for the node address and keep the lines that follow it.

kali Desktop/forensic_images » volatility -f memory.mem --profile=Win7SP1x64 vadinfo | grep -A 5 '0xfffffa800577ba10'
Volatility Foundation Volatility Framework 2.6
VAD node @ 0xfffffa800577ba10 Start 0x0000000000030000 End 0x0000000000033fff Tag Vad
Flags: NoChange: 1, Protection: 1
Protection: PAGE_READONLY
Vad Type: VadNone
ControlArea @fffffa8005687a50 Segment fffff8a000c4f870
NumberOfSectionReferences: 1 NumberOfPfnReferences: 0

The answer is PAGE_READONLY (the raw Protection value 1 is the memory-manager protection index that decodes to PAGE_READONLY).

Question 11

There was a VBS script run on the machine. What is the name of the script? (submit without file extension)

Flag Format-flag<xyz>
Everything after the – is what you need to submit, your answer is the xyz.

Solution:

After some research it turns out that wscript.exe (Windows Script Host) is the interpreter that executes VBScript files.

[What is wscript.exe?](https://www.file.net/process/wscript.exe.html#:~:text=The%20genuine%20wscript.exe%20file,any%20harm%20to%20your%20PC.)

So we can dump the memory of the wscript.exe process (PID 5116, from question 4) with memdump and run strings over it to find which .vbs file it was executing. (The cmdline plugin would also show the process's command line directly.)

kali Desktop/forensic_images » volatility -f memory.mem --profile=Win7SP1x64 memdump -p 5116 --dump-dir .
Volatility Foundation Volatility Framework 2.6
************************************************************************
Writing wscript.exe [ 5116] to 5116.dmp
kali Desktop/forensic_images » strings 5116.dmp| grep vbs
"C:\Windows\System32\wscript.exe" //B //NOLOGO %TEMP%\vhjReUDEuumrX.vbs
%TEMP%\vhjReUDEuumrX.vbs
%TEMP%\vhjReUDEuumrX.vbs
vbscript.dll
vbscript.pdb
vbscript
.vbs
.vbs
x86_microsoft-windows-m..ents-mdac-ado15-vbs_31bf3856ad364e35_none_9360988f60461a77
amd64_microsoft-windows-m..ents-mdac-oledb-vbs_31bf3856ad364e35_none_444030db0904e80b
amd64_microsoft-windows-m..nts-mdac-rds-ce-vbs_31bf3856ad364e35_none_17691405728212bf
amd64_microsoft-windows-scripting-vbscript_31bf3856ad364e35_none_1dd485790300b91fn
x86_microsoft-windows-m..ents-mdac-oledb-vbs_31bf3856ad364e35_none_e821955750a776d5
x86_microsoft-windows-m..nts-mdac-rds-ce-vbs_31bf3856ad364e35_none_bb4a7881ba24a189
wow64_microsoft-windows-scripting-vbscript_31bf3856ad364e35_none_28292fcb37617b1a
amd64_microsoft-windows-m..ents-mdac-ado15-vbs_31bf3856ad364e35_none_ef7f341318a38bad
vbscript
.vbs
.vbs
x86_microsoft-windows-s..-vbscript.resources_31bf3856ad364e35_en-us_fc14ed9ab50fcbf0
amd64_microsoft-windows-s..-vbscript.resources_31bf3856ad364e35_en-us_5833891e6d6d3d26
version:1|.ade:3|.adp:3|.app:3|.asp:3|.bas:3|.bat:3|.bz:3|.bz2:3|.cer:3|.chm:3|.class:3|.cmd:3|.com:3|.command:3|.cpl:3|.crt:3|.csh:3|.desktop:3|.exe:3|.fxp:3|.gz:3|.hex:3|.hlp:3|.hqx:3|.hta:3|.inf:3|.ini:3|.ins:3|.isp:3|.its:3|.job:3|.js:3|.jse:3|.ksh:3|.lnk:3|.lzh:3|.mad:3|.maf:3|.mag:3|.mam:3|.maq:3|.mar:3|.mas:3|.mat:3|.mau:3|.mav:3|.maw:3|.mda:3|.mde:3|.mdt:3|.mdw:3|.mdz:3|.msc:3|.msi:3|.msp:3|.mst:3|.ocx:3|.ops:3|.pcd:3|.pi:3|.pif:3|.prf:3|.prg:3|.pst:3|.rar:3|.reg:3|.scf:3|.scr:3|.sct:3|.sea:3|.shb:3|.shs:3|.sit:3|.tar:3|.tgz:3|.tmp:3|.url:3|.vb:3|.vbe:3|.vbs:3|.vsmacros:3|.vss:3|.vst:3|.vsw:3|.webloc:3|.ws:3|.wsc:3|.wsf:3|.wsh:3|.zip:3|.zlo:3|.zoo:3|.pdf:2|.fdf:2
version:1|shell:3|hcp:3|ms-help:3|ms-its:3|ms-itss:3|its:3|mk:3|mhtml:3|help:3|disk:3|afp:3|disks:3|telnet:3|ssh:3|javascript:1|vbscript:1|acrobat:2|mailto:2|file:2
eventvwr.exegatherNetworkInfo.vbs
slmgr.vbs
winrm.vbs
amd64_microsoft-windows-m..ents-mdac-oledb-vbs_31bf3856ad364e35_none_444030db0904e80b
.vbs
amd64_microsoft-windows-s..-vbscript.resources_31bf3856ad364e35_en-us_5833891e6d6d3d26
x86_microsoft-windows-s..-vbscript.resources_31bf3856ad364e35_en-us_fc14ed9ab50fcbf0

The first hit is the full command line, "C:\Windows\System32\wscript.exe" //B //NOLOGO %TEMP%\vhjReUDEuumrX.vbs (//B is batch mode, which suppresses script errors and prompts, and //NOLOGO hides the banner; a script dropped in %TEMP% and run silently is typical of a malicious first stage). The script is vhjReUDEuumrX.vbs; the flag is submitted without the extension: vhjReUDEuumrX.

Question 12

An application was run at 2019-03-07 23:06:58 UTC, what is the name of the program? (Include extension)

Flag Format-flag<xyz>
Everything after the – is what you need to submit, your answer is the xyz.

Solution

I had no clue at first, but eventually found the shimcache plugin, which lists Application Compatibility cache entries with their timestamps (see Mandiant's whitepaper "Caching Out: The Value of Shimcache for Investigators").

kali Desktop/forensic_images » volatility -f memory.mem --profile=Win7SP1x64 shimcache | grep '2019-03-07 23:06:58'
Volatility Foundation Volatility Framework 2.6
2019-03-07 23:06:58 UTC+0000 \??\C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe

The entry with that timestamp is Skype.exe. Note that on Windows 7 the timestamp in a shimcache entry is the executable's last-modified time taken from the file system, not the moment it was executed; the entry shows that Skype.exe was run on this machine, but the challenge's framing of the time as a run time is a simplification.

Question 13

What was written in notepad.exe in the time of the memory dump?

Flag Format-flag<xyz>
Everything after the – is what you need to submit, your answer is the xyz.

Solution

kali Desktop/forensic_images » volatility -f memory.mem --profile=Win7SP1x64 memdump -p 3032 --dump-dir .
kali Desktop/forensic_images » strings -e l 3032.dmp | grep "flag<"
flag<REDBULL_IS_LIFE>
flag<Th>
flag<Th>
flag<TheK>
flag<TheK>

The solution is straightforward: dump notepad's memory (PID 3032) and grep it for the flag. Notepad keeps its edit buffer as UTF-16LE, so plain strings (8-bit characters only) would miss it; -e l tells strings to look for 16-bit little-endian text. The complete string flag<REDBULL_IS_LIFE> is the answer; the truncated flag<Th...> entries appear to be partial copies of the buffer left over from earlier edits.
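Questions 11 and 13 both search a process dump with strings, once with the default 8-bit scan and once with -e l. As an added example (mine, not from the original write-up), the script below does both scans at once over a byte buffer, which is the habit worth forming: Windows stores most text as UTF-16LE, and an ANSI-only scan silently misses it. The buffer is a constructed stand-in for a slice of a memdump containing the wscript.exe command line from question 11 as ANSI and the notepad text from question 13 as UTF-16LE.

```python
import re


def extract_strings(buf: bytes, min_len: int = 4):
    """Printable runs in `buf` as (offset, encoding, text). 'ascii' is what plain
    `strings` prints; 'utf-16le' is what `strings -e l` prints (each printable
    character followed by a NUL byte, the in-memory layout of Windows text)."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii")) for m in ascii_run.finditer(buf)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le")) for m in utf16_run.finditer(buf)]
    return sorted(found)


def grep_strings(buf: bytes, pattern: str, min_len: int = 4):
    """Equivalent of `strings ... | grep pattern`, over both encodings at once."""
    rx = re.compile(pattern)
    return [hit for hit in extract_strings(buf, min_len) if rx.search(hit[2])]


# Constructed stand-in for a slice of a process memdump: the wscript.exe command
# line from question 11 stored as ANSI, then the notepad text from question 13
# stored as UTF-16LE (a full flag plus a partial one, as in the write-up).
SAMPLE = (
    b"\x00" * 16
    + b'"C:\\Windows\\System32\\wscript.exe" //B //NOLOGO %TEMP%\\vhjReUDEuumrX.vbs\x00'
    + b"\x00" * 8
    + "flag<REDBULL_IS_LIFE>".encode("utf-16-le")
    + b"\x00" * 8
    + "flag<Th".encode("utf-16-le")
    + b"\xff" * 4
)


if __name__ == "__main__":
    for off, enc, text in grep_strings(SAMPLE, r"flag<|\.vbs"):
        print(f"{off:#08x} {enc:8s} {text}")
```

Raising min_len is the usual way to cut noise, but it also drops short fragments such as flag<Th; when the target string is short, keep the minimum low and filter on a pattern instead.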

Question 14

What is the shortname of the file at file record 59045?

Flag Format-flag<xyz>
Everything after the – is what you need to submit, your answer is the xyz.