DumpMe - Volatility
- wadas24
- Aug 10, 2021
- 3 min read
This is independent research and does not reflect my employer
Overview
One of the SOC analysts took a memory dump from a machine infected with meterpreter malware. As the digital forensicator, your job is to analyze the dump, extract the available indicators of compromise (IOCs), and answer the provided questions.
Evidence (Chain of Custody)
Filename: Triage-Memory.mem
Hash: c95e8cc8c946f95a109ea8e47a6800de10a27abd
Technical Summary
To answer the questions below I started by looking for rogue processes. The first finding came from the process list, which contained a process with the random-looking name “UWkpjFjDzM.exe”. Dumping that process from memory and hashing the result gives a hash that VirusTotal confirms is meterpreter, and the network artifacts show an established connection from that same process to the attacker. Tracing the process tree back from it shows which processes were involved in the infection.
Analysis
What is the SHA1 hash of triage.mem (memory dump)?
c95e8cc8c946f95a109ea8e47a6800de10a27abd
Once the archive has been downloaded and extracted, run sha1sum against the memory image and compare the result with the hash recorded in the chain of custody above before doing any analysis.
What volatility profile is the most appropriate for this machine? (ex: Win10x86_14393)
Win7SP1x64
To find the appropriate profile, run the imageinfo plugin in Volatility 2; it reports the suggested profiles for the image. Win7SP1x64 is then passed as --profile=Win7SP1x64 to every command that follows.
What was the process ID of notepad.exe?
3032
Now that we have the correct profile (Win7SP1x64), the pslist plugin lists all processes by walking the doubly linked list of EPROCESS structures (ActiveProcessLinks). Because that walk only sees processes still linked into the list, psscan, which carves EPROCESS structures out of memory instead, is the natural cross-check for hidden processes.
Name the child process of wscript.exe.
UWkpjFjDzM.exe
The pstree plugin shows the same processes as a parent/child tree, as they were at the time of the memory capture; UWkpjFjDzM.exe sits directly under wscript.exe.
What was the IP address of the machine at the time the RAM dump was created?
10.0.0.101
The netscan plugin lists the network artifacts it can find in memory (listening sockets and connections, including some already closed ones), so several IP addresses appear. Among them, the suspicious process found in Question 4 owns a connection whose local address is 10.0.0.101 on port 49217, which gives the host's address. Port 49217 is in the ephemeral client range, consistent with a connection made outbound from the host rather than a listener.
Based on the answer regarding the infected PID, can you determine the IP of the attacker?
10.0.0.106
Filtering the same netscan output for ESTABLISHED connections, the infected PID is connected to 10.0.0.106, which is therefore the attacker's address.
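The process-tree and network correlation behind Questions 3 to 6 (and Question 15) can be done mechanically on the plugin output. The script below is an added example, not part of the original writeup; its two text blocks are constructed in the column layout of vol.py pslist and netscan output, and everything in them other than notepad.exe/3032, UWkpjFjDzM.exe/3496, 10.0.0.101:49217 and 10.0.0.106 (the PIDs 1828, 5116, 704 and 1096, the offsets, counts, timestamps and the attacker port 4444) is invented for illustration.

```python
"""Correlate vol.py pslist and netscan output: child of wscript.exe, the
infected PID, its ancestry, and the host/attacker addresses.

Added example, not from the original writeup. PSLIST and NETSCAN are
CONSTRUCTED samples in the vol.py column layout; only the values named in
the lead-in come from the writeup, everything else is made up."""

PSLIST = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0xfffffa8003e6a060 explorer.exe           1828   1788     40     1109      1      0 2019-03-07 22:36:01 UTC+0000
0xfffffa8004f1eb30 notepad.exe            3032   1828      1       60      1      0 2019-03-07 23:17:31 UTC+0000
0xfffffa8004a36060 wscript.exe            5116   1828      5      125      1      0 2019-03-07 23:12:56 UTC+0000
0xfffffa8005b1f8f0 UWkpjFjDzM.exe         3496   5116      5      103      1      0 2019-03-07 23:12:56 UTC+0000
"""

NETSCAN = """\
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x7d7b2c80         TCPv4    0.0.0.0:135                    0.0.0.0:0            LISTENING        704      svchost.exe
0x7d8a1f00         UDPv4    0.0.0.0:5355                   *:*                                   1096     svchost.exe    2019-03-07 22:36:03 UTC+0000
0x7d6e5a10         TCPv4    10.0.0.101:49217               10.0.0.106:4444      ESTABLISHED      3496     UWkpjFjDzM.exe
0x7d9c3b40         TCPv4    10.0.0.101:49201               10.0.0.106:4444      CLOSED           3496     UWkpjFjDzM.exe
"""


def parse_pslist(text):
    """Return {pid: (name, ppid)} from pslist/psscan output; header lines are skipped."""
    procs = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0].startswith("0x") and f[2].isdigit() and f[3].isdigit():
            procs[int(f[2])] = (f[1], int(f[3]))
    return procs


def children_of(procs, parent_name):
    """Image names of every process whose parent has the given image name."""
    parents = {pid for pid, (name, _) in procs.items() if name.lower() == parent_name.lower()}
    return sorted(name for pid, (name, ppid) in procs.items() if ppid in parents)


def infected_pid(procs, name):
    """PIDs carrying the given image name (the meterpreter binary here)."""
    return [pid for pid, (n, _) in procs.items() if n == name]


def ancestry(procs, pid):
    """Image names from pid up to the root that is still present in the list."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        name, ppid = procs[pid]
        chain.append(name)
        pid = ppid
    return chain


def tcp_connections(text, pid):
    """[(local, foreign, state)] for TCP rows owned by pid; UDP rows have no state column and are skipped."""
    conns = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0].startswith("0x") and f[1].startswith("TCP") and f[5].isdigit() and int(f[5]) == pid:
            conns.append((f[2], f[3], f[4]))
    return conns


def host_and_attacker(text, pid):
    """(host IP, peer IP) from the first ESTABLISHED connection of pid, or None."""
    for local, foreign, state in tcp_connections(text, pid):
        if state == "ESTABLISHED":
            return local.rsplit(":", 1)[0], foreign.rsplit(":", 1)[0]
    return None


if __name__ == "__main__":
    procs = parse_pslist(PSLIST)
    print("children of wscript.exe:", children_of(procs, "wscript.exe"))
    pid = infected_pid(procs, "UWkpjFjDzM.exe")[0]
    print("infected pid:", pid, "ancestry:", " <- ".join(ancestry(procs, pid)))
    print("host, attacker:", host_and_attacker(NETSCAN, pid))
```

With real output, feed the files saved from `vol.py ... pslist` and `vol.py ... netscan` into the two parsers; filtering on ESTABLISHED matters because netscan also carves closed entries, as the constructed CLOSED row shows.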
How many processes are associated with VCRUNTIME140.dll?
5
Using the dlllist plugin and grepping its output for VCRUNTIME140 returns 5 matches. dlllist prints a header with the process name and PID before each process's DLLs, so it is worth confirming that the five matching lines fall under five different processes rather than counting lines alone.
After dumping the infected process, what is its md5 hash?
690ea20bc3bdfb328e23005d9a80c290
The procdump plugin, given the infected PID with -p 3496 and an output directory with -D, writes the process image to disk as executable.3496.exe. Running md5sum on that file gives the hash, which can then be checked in VirusTotal.
What is the LM hash of Bob's account?
aad3b435b51404eeaad3b435b51404ee
The hashdump plugin in Volatility dumps the password hashes of all local accounts from the SAM hive cached in memory, one line per account in user:rid:lmhash:nthash::: form. The value above is the well-known "empty" LM hash: Windows has not stored LM hashes by default since Vista, so every account on this Windows 7 host shows it and it carries no password information. The NT hash in the same line is the one worth cracking or looking up.
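A small checker for hashdump output, added here as an example that is not part of the original writeup: it parses the pwdump-style lines and flags the two constant hashes every examiner should recognise. HASHDUMP is a constructed sample; Bob's LM hash is the value from the writeup, while the RIDs and Bob's NT hash are invented.

```python
"""Parse vol.py hashdump lines and flag the empty LM / empty NT hashes.

Added example, not from the original writeup. HASHDUMP is a CONSTRUCTED
sample; only Bob's LM hash value comes from the writeup."""

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of the empty string: LM not stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty string: blank password

HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Bob:1000:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
"""


def parse_hashdump(text):
    """Return a list of {user, rid, lm, nt} dicts; malformed lines are ignored."""
    accounts = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        accounts.append({"user": parts[0], "rid": int(parts[1]),
                         "lm": parts[2].lower(), "nt": parts[3].lower()})
    return accounts


def assess(account):
    """Findings for one account: is there an LM hash to crack, is the password blank?"""
    notes = []
    if account["lm"] == EMPTY_LM:
        notes.append("lm_not_stored")  # nothing to crack in the LM field
    else:
        notes.append("lm_present")     # legacy LM hash: weak, crack it first
    if account["nt"] == EMPTY_NT:
        notes.append("blank_password")
    return notes


def crackable_nt_hashes(accounts):
    """user -> NT hash for accounts that actually have a password set."""
    return {a["user"]: a["nt"] for a in accounts if a["nt"] != EMPTY_NT}


if __name__ == "__main__":
    for acct in parse_hashdump(HASHDUMP):
        print(acct["user"], acct["rid"], assess(acct))
    print("worth cracking:", crackable_nt_hashes(parse_hashdump(HASHDUMP)))
```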
What memory protection constants does the VAD node at 0xfffffa800577ba10 have?
PAGE_READONLY
The vadinfo plugin in Volatility prints the details of every VAD node, including its protection; grepping the output for the node's address gives the entry above.
What memory protection did the VAD starting at 0x00000000033c0000 and ending at 0x00000000033dffff have?
PAGE_NOACCESS
Using the same vadinfo output, the node whose Start is 0x00000000033c0000 and End is 0x00000000033dffff has PAGE_NOACCESS protection. Keep in mind that the VAD records the protection the region was created with; a later VirtualProtect call changes the page tables without updating the VAD.
There was a VBS script that ran on the machine. What is the name of the script? (submit without file extension)
vhjReUDEuumrX
Malicious activity usually leaves traces in process command lines, so I used the cmdline plugin and grepped its output for “vbs”. That turned up a suspiciously named script ending in .vbs.
An application was run at 2019-03-07 23:06:58 UTC. What is the name of the program? (Include extension)
Skype.exe
The shimcache plugin lists the Application Compatibility cache entries, which record executables the system has handled. Grepping the output for this date gives Skype.exe. One caveat: the timestamp stored in a shimcache entry is the file's last-modified time, not the instant it ran, so treat it as evidence that the file existed and was executed rather than as a precise execution time.
What was written in notepad.exe at the time when the memory dump was captured?
flag<REDBULL_IS_LIFE>
To recover the text typed into Notepad, I used the memdump plugin (-p 3032, with -D for the output directory) to dump all of the memory addressable by that process. Notepad keeps its edit-control text as UTF-16LE, so a plain strings run does not find it; “strings -e l” extracts little-endian 16-bit strings, and grepping that output for “flag” shows the text.
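To make the encoding point concrete, the following added example (not from the writeup) reimplements the relevant part of strings, plain ASCII extraction and the `-e l` UTF-16LE mode, in Python and runs both over SAMPLE_DUMP, a constructed byte string standing in for a few bytes of the notepad.exe memdump. The flag text is the value from the writeup; the surrounding bytes are made up.

```python
"""Why `strings -e l` finds the Notepad text and plain `strings` does not.

Added example, not from the original writeup. SAMPLE_DUMP is a CONSTRUCTED
stand-in for part of a notepad.exe memdump; only the flag value is real."""
import re

SAMPLE_DUMP = (
    b"\x00\x01MZ\x90\x00garbage here\x00\x00"
    + "flag<REDBULL_IS_LIFE>".encode("utf-16-le")  # edit-control text is UTF-16LE
    + b"\x00\x00\xff\xfe"
    + "short".encode("utf-16-le")
    + b"\x00\x07ascii_only_flag<nope>\x00"
)


def ascii_strings(data, min_len=4):
    """Equivalent of plain `strings`: runs of printable 7-bit characters."""
    pat = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pat, data)]


def utf16le_strings(data, min_len=4):
    """Equivalent of `strings -e l`: printable characters each followed by a NUL byte."""
    pat = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group().decode("utf-16-le") for m in re.finditer(pat, data)]


def grep(strs, needle):
    return [s for s in strs if needle in s]


def find_flag(data, needle="flag<"):
    """What `strings dump | grep flag` versus `strings -e l dump | grep flag` would show."""
    return {"ascii": grep(ascii_strings(data), needle),
            "utf16le": grep(utf16le_strings(data), needle)}


if __name__ == "__main__":
    print(find_flag(SAMPLE_DUMP))
```

The ASCII pass sees each UTF-16 character as a printable byte followed by a NUL, so it never accumulates the four consecutive printable bytes it needs; the UTF-16LE pass matches those (char, NUL) pairs and recovers the text.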
What is the short name of the file at file record 59045?
EMPLOY~1.XLS
For this question we need the Master File Table. The mftparser plugin carves MFT entries out of memory and parses them; grepping its output for record number 59045 shows that entry's $FILE_NAME attribute, which carries the 8.3 short name.
This box was exploited and is running meterpreter. What was the infected PID?
3496
Throughout this exercise the evidence points to UWkpjFjDzM.exe. Its PID, 3496, can be read from the pslist output, and it is the same PID that owns the established connection to 10.0.0.106 in netscan.