WriteUp — THM Forensics

Jari Laurila
3 min read · Oct 24, 2020


This is a memory dump of a compromised system, do some forensics kung-fu to explore the inside.

This is a writeup for the TryHackMe room Forensics. In this room we use the Volatility memory forensics framework to extract information from the memory dump of a system infected with malware.


Volatility forensics

The first task is to analyze a memory dump using the open source Volatility memory forensics tool. A good summary of Volatility commands can be found in this cheat sheet.

Let’s start by uncompressing the dump and verifying its MD5 hash. Then identify the image and display its metadata, including information about the operating system:

volatility imageinfo -f victim.raw
Volatility Foundation Volatility Framework 2.6
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418
AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/home/kali/pwn/forensics/victim.raw)
PAE type : No PAE
DTB : 0x187000L
KDBG : 0xf800028420a0L
Number of Processors : 1
Image Type (Service Pack) : 1
KPCR for CPU 0 : 0xfffff80002843d00L
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2019-05-02 18:11:45 UTC+0000
Image local date and time : 2019-05-02 11:11:45 -0700

According to the metadata this is a Windows 7 SP1 x64 memory dump, so the profile Win7SP1x64 is passed to all later Volatility commands. The next task is to identify the PID of SearchIndexer:

volatility -f victim.raw --profile=Win7SP1x64 pslist | grep SearchIndexer
Volatility Foundation Volatility Framework 2.6
0xfffffa8003367060 SearchIndexer. 2180 504 11 629 0 0 2019-05-02 18:03:32 UTC+0000

The next task is to identify the last directory accessed by the user. Windows stores this information in two registry keys known as ShellBags; check out this whitepaper for more information. Volatility has a plugin to extract it:

volatility -f victim.raw --profile=Win7SP1x64 shellbags

Based on the output the last directory is __REDACTED__.

Task 2

First we need to find a suspicious open port. Use the netscan plugin to list network connections and listening ports:

volatility -f victim.raw --profile=Win7SP1x64 netscan

Based on the output there are several suspicious open ports; the first one is UDP:5005 (used by Windows Media streaming services).

The next question asks for the processes whose VAD tag and execute protection indicate injected code. This can be found with the malfind plugin, which lists memory regions with suspicious executable protections that are not backed by a file on disk:

volatility -f victim.raw --profile=Win7SP1x64 malfind | grep Pid:
Volatility Foundation Volatility Framework 2.6
Process: explorer.exe Pid: 1860 Address: 0x3ee0000
Process: explorer.exe Pid: 1860 Address: 0x3f90000
Process: svchost.exe Pid: 1820 Address: 0x24f0000
Process: svchost.exe Pid: 1820 Address: 0x4d90000
Process: wmpnetwk.exe Pid: 2464 Address: 0x280000

Based on this the answer is 1860;1820;2464.

IOC Saga

Start by dumping the memory and the executables of the suspicious processes:

volatility -f victim.raw --profile=Win7SP1x64 memdump -p 1820,1860,2464 --dump-dir ./malware
volatility -f victim.raw --profile=Win7SP1x64 procdump -p 1820,1860,2464 --dump-dir ./malware

Search the dumps for strings that match each question’s answer mask.

Q1

strings * | grep -E '^www\.go....\.ru' 

Q2

strings * | grep -E '^www\.i....\.com'

Q3

strings * | grep -E '^www\.ic......\.com' 

Q4

strings * | grep -E '^202\....\.233\....' 

Q5

strings * | grep -E '\.200\...\.164'     

Q6

strings * | grep -E '209.190\....\....' 

Q7

Compare the environment variables of PID 2464 with those of another, known-good process.

volatility -f victim.raw --profile=Win7SP1x64 envars -p 2464

And that’s all folks!
