DumpMe Blue Team Challenge Walkthrough Write-Up
Category : Endpoint Forensics
LEVEL : Medium
Challenge Download Link : https://cyberdefenders.org/blueteam-ctf-challenges/enroll/65
Scenario:
A SOC analyst took a memory dump from a machine infected with meterpreter malware. As digital forensicators, your job is to analyze the dump, extract the available indicators of compromise (IOCs) and answer the provided questions.
Tools:
Q1-
What is the SHA1 hash of Triage-Memory.mem (memory dump)?
- Easy one, just use this command:
sha1sum Triage-Memory.mem
- It will take some time (Triage-Memory.mem is about 5 GB):
THE Answer : c95e8cc8c946f95a109ea8e47a6800de10a27abd
Q2-What volatility profile is the most appropriate for this machine? (ex: Win10x86_14393)
- Use the "imageinfo" plugin; it will take time depending on your PC:
└─$ vol.py -f Triage-Memory.mem imageinfo
THE Answer : Win7SP1x64
Q3-What was the process ID of notepad.exe?
- I used the pslist plugin to list all processes and grep for notepad:
└─$ vol.py --profile=Win7SP1x64 -f Triage-Memory.mem pslist |grep "notepad.exe"
THE Answer : 3032
Q4-Name the child process of wscript.exe.
- I used the pstree plugin and grep for wscript.exe with a few lines of context:
└─$ vol.py --profile=Win7SP1x64 -f Triage-Memory.mem pstree |grep "wscript.exe" -C 3
- From the result above, we can easily see the child process:
THE Answer : UWkpjFjDzM.exe
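Reading the child off the pstree indentation works for one process, but on a busy dump it is easier to resolve parent/child links by matching the PPID column of pslist against the parent's PID. The following is an added example, not part of the original write-up: the pslist excerpt is constructed (offsets and the PIDs of System, explorer.exe and wscript.exe are invented; only 3032 for notepad.exe and 3496 for UWkpjFjDzM.exe are taken from the write-up), and children_of is a helper written for this example. It also yields the infected PID asked for in Q16.

```shell
# Added example (not from the write-up): find the children of a process from
# Volatility 2 pslist output by matching PPID against the parent's PID.
# Sample output below is constructed: offsets and the PIDs of System,
# explorer.exe and wscript.exe are invented; 3032 and 3496 come from the write-up.
PSLIST=$(cat <<'EOF'
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa8000c9a040 System                    4      0     80      520 ------      0 2019-03-22 05:32:21 UTC+0000
0xfffffa8001e4b060 explorer.exe           1800   1700     30      900      1      0 2019-03-22 05:33:10 UTC+0000
0xfffffa8002a7c080 wscript.exe            5116   1800      8      300      1      0 2019-03-22 05:35:00 UTC+0000
0xfffffa80035d10a0 UWkpjFjDzM.exe         3496   5116      5      150      1      0 2019-03-22 05:35:02 UTC+0000
0xfffffa80041f20c0 notepad.exe            3032   1800      1       60      1      0 2019-03-22 05:40:00 UTC+0000
EOF
)

# children_of NAME   (pslist output on stdin)
# Prints "child_name child_pid" for every process whose PPID equals the PID of
# a process called NAME. Several parents with the same name are all honoured.
children_of() {
  awk -v parent="$1" '
    NR <= 2 { next }                       # skip the header and separator lines
    $2 == parent { parent_pid[$3] = 1 }    # collect every PID carrying the parent name
    { name[NR] = $2; pid[NR] = $3; ppid[NR] = $4 }
    END {
      for (i = 3; i <= NR; i++)
        if (ppid[i] in parent_pid) print name[i], pid[i]
    }'
}

# Usage: which process did wscript.exe spawn?  (prints "UWkpjFjDzM.exe 3496")
printf '%s\n' "$PSLIST" | children_of wscript.exe
```

On the real dump, replace the constructed variable with the live plugin output: vol.py --profile=Win7SP1x64 -f Triage-Memory.mem pslist | children_of wscript.exe. Matching on PPID rather than on indentation also survives the case where the parent has already exited, which pstree cannot draw.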
Q5-What was the IP address of the machine at the time the RAM dump was created?
There are multiple plugins to check the connections, such as:
- connscan
- connections
- sockscan
- sockets
- netscan
The only one that worked for me was the netscan plugin:
└─$ vol.py --profile=Win7SP1x64 -f Triage-Memory.mem netscan
THE Answer : 10.0.0.101
Q6-Based on the answer regarding the infected PID, can you determine the IP of the attacker?
- I used the same plugin as in the previous question, netscan.
In the netscan output you can see an established connection from the infected process to port 4444 (the Metasploit meterpreter default listener port) on the IP address 10.0.0.106:
THE Answer : 10.0.0.106
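Both Q5 and Q6 come out of the same netscan listing, so it is worth filtering that listing instead of scrolling it: keep only ESTABLISHED TCP entries, flag the ones whose remote port is on a watch-list, and take the most frequent non-wildcard local address as the machine's own IP. This is an added example, not code from the write-up: the netscan excerpt is constructed (offsets, the svchost/System entries and the local ports are invented; only the two IPs, port 4444, PID 3496 and the process name are from the write-up), and established_conns, flag_ports and local_ip are helpers written for this example.

```shell
# Added example (not from the write-up): triage Volatility 2 netscan output.
# The excerpt below is constructed; only 10.0.0.101, 10.0.0.106, port 4444,
# PID 3496 and UWkpjFjDzM.exe come from the write-up, the rest is invented.
NETSCAN=$(cat <<'EOF'
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x3e0ce4a0         TCPv4    0.0.0.0:135                    0.0.0.0:0            LISTENING        704      svchost.exe    2019-03-22 05:32:40 UTC+0000
0x3e1d2010         UDPv4    10.0.0.101:137                 *:*                                   4        System         2019-03-22 05:32:45 UTC+0000
0x3e33f9b0         TCPv4    10.0.0.101:49170               10.0.0.1:445         ESTABLISHED      4        System
0x3e5a7700         TCPv4    10.0.0.101:49212               10.0.0.106:4444      ESTABLISHED      3496     UWkpjFjDzM.exe
0x3e6b1230         TCPv4    10.0.0.101:49230               10.0.0.106:4444      CLOSE_WAIT       3496     UWkpjFjDzM.exe
EOF
)

# established_conns   (netscan output on stdin)
# Prints "pid owner local -> remote" for each ESTABLISHED TCP entry.
established_conns() {
  awk '$2 ~ /^TCP/ && $5 == "ESTABLISHED" { print $6, $7, $3, "->", $4 }'
}

# flag_ports PORTLIST   (netscan output on stdin, PORTLIST like "4444,4445")
# Keeps only ESTABLISHED TCP entries whose remote port is in PORTLIST.
flag_ports() {
  awk -v list="$1" '
    BEGIN { n = split(list, p, ","); for (i = 1; i <= n; i++) watch[p[i]] = 1 }
    $2 ~ /^TCP/ && $5 == "ESTABLISHED" {
      n = split($4, r, ":")               # port is the last colon-separated field
      if (r[n] in watch) print $6, $7, $3, "->", $4
    }'
}

# local_ip   (netscan output on stdin)
# Prints the most frequent non-wildcard IPv4 local address, i.e. the host's IP.
local_ip() {
  awk '$3 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:/ && $3 !~ /^0\.0\.0\.0:/ {
         n = split($3, a, ":"); count[a[1]]++
       }
       END { for (ip in count) if (count[ip] > best) { best = count[ip]; top = ip }; print top }'
}

# Usage on the constructed data:
printf '%s\n' "$NETSCAN" | local_ip            # 10.0.0.101
printf '%s\n' "$NETSCAN" | flag_ports 4444     # 3496 UWkpjFjDzM.exe 10.0.0.101:49212 -> 10.0.0.106:4444
```

Filtering on the State column matters: the CLOSE_WAIT entry to the same peer is left over from an earlier session and would be noise in a "who is the attacker" answer, while the real indicator is the live ESTABLISHED connection owned by the suspicious process.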
Q7-How many processes are associated with VCRUNTIME140.dll?
- Easy one, just use the dlllist plugin to print the list of loaded DLLs for each process and grep for "VCRUNTIME140.dll":
└─$ vol.py --profile=Win7SP1x64 -f Triage-Memory.mem dlllist | grep "VCRUNTIME140.dll"
THE Answer : 5
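One caveat with counting grep matches: dlllist prints one line per mapped module, so a process that maps the DLL twice (a WOW64 process with both the system32 and SysWOW64 copies, for instance) is counted twice, and a "Command line :" line mentioning the name would match as well. The helper below counts distinct PIDs instead. This is an added example, not code from the write-up: the dlllist excerpt is constructed (app32.exe, svchost.exe and all PIDs other than 3032 are invented), and dll_process_count and dll_line_count are helpers written for this example.

```shell
# Added example (not from the write-up): count the distinct processes that have
# a given DLL mapped, from Volatility 2 dlllist output, and compare with the
# naive line count. The excerpt is constructed; only PID 3032 is from the write-up.
DLLLIST=$(cat <<'EOF'
************************************************************************
notepad.exe pid:   3032
Command line : "C:\Windows\system32\notepad.exe"
Service Pack 1

Base                             Size          LoadCount LoadTime                       Path
------------------ ------------------ ------------------ ------------------------------ ----
0x00000000ff0f0000            0x36000             0xffff 2019-03-22 05:40:00 UTC+0000   C:\Windows\system32\notepad.exe
0x0000000077650000           0x1a9000             0xffff 1970-01-01 00:00:00 UTC+0000   C:\Windows\SYSTEM32\ntdll.dll
0x000007fef5b70000            0x14000             0xffff 2019-03-22 05:40:00 UTC+0000   C:\Windows\system32\VCRUNTIME140.dll
************************************************************************
app32.exe pid:   2244
Command line : "C:\Program Files (x86)\Demo App\app32.exe"
Service Pack 1

Base                             Size          LoadCount LoadTime                       Path
------------------ ------------------ ------------------ ------------------------------ ----
0x0000000000400000            0x25000             0xffff 2019-03-22 05:41:00 UTC+0000   C:\Program Files (x86)\Demo App\app32.exe
0x000007fef5b70000            0x14000             0xffff 2019-03-22 05:41:00 UTC+0000   C:\Windows\system32\VCRUNTIME140.dll
0x0000000074e20000            0x13000             0xffff 2019-03-22 05:41:00 UTC+0000   C:\Windows\SysWOW64\VCRUNTIME140.dll
************************************************************************
svchost.exe pid:    704
Command line : C:\Windows\system32\svchost.exe -k rpcss
Service Pack 1

Base                             Size          LoadCount LoadTime                       Path
------------------ ------------------ ------------------ ------------------------------ ----
0x00000000ff7c0000            0x10000             0xffff 2019-03-22 05:32:40 UTC+0000   C:\Windows\system32\svchost.exe
0x0000000077650000           0x1a9000             0xffff 1970-01-01 00:00:00 UTC+0000   C:\Windows\SYSTEM32\ntdll.dll
EOF
)

# dll_process_count DLLNAME   (dlllist output on stdin)
# Prints how many distinct PIDs have a module whose Path ends in DLLNAME
# (case-insensitive, since Windows paths are).
dll_process_count() {
  awk -v dll="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
    / pid: +[0-9]+$/ { cur = $NF; next }      # "name pid:   1234" opens a new process block
    /^Command line :/ { next }                # never count the command line itself
    { line = tolower($0) }
    substr(line, length(line) - length(dll) + 1) == dll { seen[cur] = 1 }   # Path ends the line
    END { n = 0; for (p in seen) n++; print n }'
}

# dll_line_count DLLNAME: the naive "grep -ic" figure, for comparison.
dll_line_count() {
  grep -ic "$1"
}

printf '%s\n' "$DLLLIST" | dll_process_count VCRUNTIME140.dll   # distinct processes: 2
printf '%s\n' "$DLLLIST" | dll_line_count VCRUNTIME140.dll      # matching lines: 3
```

On the constructed data the two numbers differ because app32.exe maps both copies of the runtime; on the challenge dump, run the same helper over the live dlllist output to confirm the count of 5 holds per process and not just per line.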
Q8-After dumping the infected process, what is its md5 hash?
- First we need to know the PID of the UWkpjFjDzM.exe process; to do that, just use pslist and grep for that process:
└─$ vol.py --profile=Win7SP1x64 -f Triage-Memory.mem pslist |grep "UWkpjFjDzM.exe"
- From the output above we get the PID (3496), and I used the procdump plugin to dump the process to an executable file:
└─$ vol.py --profile=Win7SP1x64 -f Triage-Memory.mem procdump -p3496 --dump-dir .
- To get the md5 hash, just use md5sum with the dumped file name (procdump names it executable.3496.exe):
THE Answer : 690ea20bc3bdfb328e23005d9a80c290
Q9-What is the LM hash of Bob’s account?
- Easy one, just use the hashdump plugin. Note that the value below is the well-known LM hash of an empty password, i.e. no LM hash is actually stored for the account:
└─$ vol.py --profile=Win7SP1x64 -f Triage-Memory.mem hashdump
THE Answer : aad3b435b51404eeaad3b435b51404ee
Q10-What memory protection constants does the VAD node at 0xfffffa800577ba10 have?
- I used the vadinfo plugin and grep for the value "0xfffffa800577ba10":
└─$ vol.py --profile=Win7SP1x64 -f Triage-Memory.mem vadinfo | grep "0xfffffa800577ba10" -C 5
THE Answer : PAGE_READONLY
Q11-What memory protection did the VAD starting at 0x00000000033c0000 and ending at 0x00000000033dffff have?
- Same as the previous question, but grep for the end address "0x00000000033dffff":
└─$ vol.py --profile=Win7SP1x64 -f Triage-Memory.mem vadinfo | grep "0x00000000033dffff" -C 5
THE Answer : PAGE_NOACCESS
Q12-There was a VBS script that ran on the machine. What is the name of the script? (submit without file extension)
- Use the cmdline plugin and grep for vbs:
└─$ vol.py --profile=Win7SP1x64 -f Triage-Memory.mem cmdline |grep -i vbs -C 2
THE Answer : vhjReUDEuumrX
Q13-An application was run at 2019-03-07 23:06:58 UTC. What is the name of the program? (Include extension)
When I used the pslist plugin, all the processes I got had a start date of 2019-03-22, but the application was run on 2019-03-07, so I used the shimcache plugin, which parses the Application Compatibility Shim Cache registry key (the timestamp must be written with plain ASCII hyphens, or grep will not match the plugin output):
└─$ vol.py --profile=Win7SP1x64 -f Triage-Memory.mem shimcache | grep -i "2019-03-07 23:06:58 UTC"
THE Answer : Skype.exe
Q14-What was written in notepad.exe at the time when the memory dump was captured?
- As we know, the notepad.exe PID is 3032, so I just dumped the process memory with memdump:
└─$ vol.py -f Triage-Memory.mem --profile=Win7SP1x64 memdump -p3032 --dump-dir .
- To get the flag, run strings in UTF-16LE mode (-e l), since Notepad keeps its text as UTF-16 in memory, and grep for the flag marker:
└─$ strings -e l 3032.dmp|grep -i "Flag<"
THE Answer :
Q15-What is the short name of the file at file record 59045?
- I used the mftparser plugin and grep for file record 59045 with some context:
└─$ vol.py --profile=Win7SP1x64 -f Triage-Memory.mem mftparser | grep "59045" -C 10
THE Answer : EMPLOY~1.XLS
Q16-This box was exploited and is running meterpreter. What was the infected PID?
- As we know, the infected process is UWkpjFjDzM.exe; to get its PID I used the pstree plugin:
└─$ vol.py -f Triage-Memory.mem --profile=Win7SP1x64 pstree | grep "UWkpjFjDzM.exe"
THE Answer : 3496
THE END
BY: Ahmed Nasser