BlackEnergy writeup using volatility2 - cyberdefenders
Instructions: Uncompress the lab (pass: cyberdefenders.org)
Scenario: A multinational corporation has been hit by a cyber attack that has led to the theft of sensitive data. The attack was carried out using a previously unseen variant of the BlackEnergy v2 malware. The company's security team has acquired a memory dump of the infected machine, and they want you, as a SOC analyst, to analyze the dump to understand the attack's scope and impact.
Tools: Volatility
Question 1/8 - Which volatility profile would be best for this machine?
To find the best possible profile, use the imageinfo plugin, which suggests candidate profiles for the memory image.
Command : python2 volatility/vol.py -f CYBERDEF-567078-20230213-171333.raw imageinfo
Answer - WinXPSP2x86
Question 2/8 - How many processes were running when the image was acquired?
To count the running processes, the pslist plugin is used. (Different processes with the same name are considered as 1.)
Command : python2 volatility/vol.py -f CYBERDEF-567078-20230213-171333.raw --profile=WinXPSP2x86 pslist
Answer - 19
Question 3/8 - What is the process ID of cmd.exe?
In the output of the previous plugin (pslist), we can see the PID of cmd.exe.
Answer - 1960
Question 4/8 - What is the name of the most suspicious process?
In the process list, there is one unusual process name -
Answer - rootkit.exe
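As an added example (not part of the original writeup), the following Python script parses the table layout that Volatility 2's pslist prints, counts rows and distinct names, looks up PIDs by process name, and applies two simple defender checks that surface the odd process from Questions 2 to 4: names absent from a Windows XP baseline, and core system processes whose parent is not the one XP normally gives them. The sample output is constructed, not the lab's real listing; only PIDs 880 and 1960 are taken from the writeup, every other value is made up.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the layout of Volatility 2 `pslist` output.
# Illustrative only; it does not reproduce the lab's real process list.
SAMPLE_PSLIST = """Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c8830 System                    4      0     55      247 ------      0
0x8214b020 smss.exe                368      4      3       21 ------      0 2023-02-13 17:10:12 UTC+0000
0x81f8f020 csrss.exe               592    368     10      400      0      0 2023-02-13 17:10:14 UTC+0000
0x81f8d020 winlogon.exe            616    368     19      515      0      0 2023-02-13 17:10:14 UTC+0000
0x81f6c020 services.exe            660    616     15      260      0      0 2023-02-13 17:10:15 UTC+0000
0x81f5e020 lsass.exe               672    616     20      340      0      0 2023-02-13 17:10:15 UTC+0000
0x81f4c020 svchost.exe             880    660     25     1200      0      0 2023-02-13 17:10:16 UTC+0000
0x81f2a020 svchost.exe             964    660     10      220      0      0 2023-02-13 17:10:16 UTC+0000
0x81e9c020 explorer.exe           1508   1468     12      350      0      0 2023-02-13 17:10:30 UTC+0000
0x81e7f020 cmd.exe                1960   1508      1       30      0      0 2023-02-13 17:12:01 UTC+0000
0x81e6a020 rootkit.exe            1000   1960      1       15      0      0 2023-02-13 17:12:05 UTC+0000
0x81e5b020 svchost.exe            1080   1960      1       12      0      0 2023-02-13 17:12:08 UTC+0000
"""

# One pslist data row: offset, name, PID, PPID, threads, handles, session,
# Wow64 flag and two optional timestamps. Hnds/Sess may be printed as dashes.
TIMESTAMP = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC[+-]\d{4}"
ROW_RE = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)"
    r"\s+(?P<thds>\d+)\s+(?P<hnds>-+|\d+)\s+(?P<sess>-+|\d+)\s+(?P<wow64>\d+)"
    rf"(?:\s+(?P<start>{TIMESTAMP}))?(?:\s+(?P<exit>{TIMESTAMP}))?\s*$"
)

# Defender baseline: process names normally present on a Windows XP host.
KNOWN_XP_NAMES = {
    "System", "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe", "alg.exe", "wuauclt.exe",
    "wscntfy.exe", "cmd.exe",
}

# Expected parent process for the core XP system processes.
EXPECTED_PARENT: Dict[str, str] = {
    "smss.exe": "System", "csrss.exe": "smss.exe", "winlogon.exe": "smss.exe",
    "services.exe": "winlogon.exe", "lsass.exe": "winlogon.exe", "svchost.exe": "services.exe",
}


@dataclass
class Process:
    offset: int
    name: str
    pid: int
    ppid: int
    threads: int
    start: Optional[str]


def parse_pslist(text: str) -> List[Process]:
    """Parse pslist output into Process records, skipping header and separator lines."""
    procs = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        procs.append(Process(int(m["offset"], 16), m["name"], int(m["pid"]),
                             int(m["ppid"]), int(m["thds"]), m["start"]))
    return procs


def count_distinct_names(procs: List[Process]) -> int:
    """Count process names once each, the way the writeup counts them."""
    return len({p.name for p in procs})


def pids_of(procs: List[Process], name: str) -> List[int]:
    return [p.pid for p in procs if p.name == name]


def unknown_names(procs: List[Process]) -> List[Process]:
    """Processes whose name is not in the XP baseline (rootkit.exe in the lab)."""
    return [p for p in procs if p.name not in KNOWN_XP_NAMES]


def parent_anomalies(procs: List[Process]) -> List[str]:
    """Core system processes started by something other than their expected parent."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        expected = EXPECTED_PARENT.get(p.name)
        if expected is None:
            continue
        parent = by_pid.get(p.ppid)
        actual = parent.name if parent else "<missing>"
        if actual != expected:
            findings.append(f"{p.name} (PID {p.pid}) spawned by {actual} (PPID {p.ppid}), expected {expected}")
    return findings


if __name__ == "__main__":
    procs = parse_pslist(SAMPLE_PSLIST)
    print(f"rows: {len(procs)}, distinct names: {count_distinct_names(procs)}")
    print("cmd.exe PIDs:", pids_of(procs, "cmd.exe"))
    print("not in XP baseline:", [p.name for p in unknown_names(procs)])
    for finding in parent_anomalies(procs):
        print("parent anomaly:", finding)
```

The regex does the parsing rather than a plain whitespace split because the Hnds and Sess columns can be printed as dashes and the two timestamp columns may be absent, so column positions are not stable across rows.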
Question 5/8 - Which process shows the highest likelihood of code injection?
Running the malfind plugin flags three suspicious hits. csrss.exe and winlogon.exe are highly protected because of their critical roles, but svchost.exe can host unprotected services, which makes it the most likely target for code injection.
Answer - svchost.exe
Question 6/8 - There is an odd file referenced in the recent process. Provide the full path of that file.
To find the files a process has open, we can use the handles plugin filtered by process ID and by handle type (file).
Command : python2 volatility/vol.py -f CYBERDEF-567078-20230213-171333.raw --profile=WinXPSP2x86 handles -p 880 -t file
Answer - C:\WINDOWS\system32\drivers\str.sys
Question 7/8 - What is the name of the injected dll file loaded from the recent process?
To find all the DLL files loaded into memory during the process's execution, we can use the ldrmodules plugin with the process ID. A value of False in its output indicates that the DLL is not in memory, which makes it suspicious.
Command : python2 /home/kali/tools/volatility/vol.py -f CYBERDEF-567078-20230213-171333.raw --profile=WinXPSP2x86 ldrmodules -p 880
Answer - msxml3r.dll
Question 8/8 - What is the base address of the injected dll?
Malfind reveals the address -
Answer - 0x980000
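As an added example covering Questions 7 and 8 (not part of the original writeup), the following Python script parses the table that Volatility 2's ldrmodules prints and flags modules missing from one or more of the three PEB module lists (InLoad, InInit, InMem). A module absent from all three is the classic unlinked or injected DLL; the Base column of that entry is the load address of the injected DLL, the same value Question 8 reads from malfind. The process image itself normally shows InInit as False, so that single gap is treated as expected. The sample output is constructed, not the lab's real output; PID 880, the name msxml3r.dll and the base 0x980000 come from the writeup, the other rows are ordinary XP system DLLs added for contrast.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the layout of Volatility 2 `ldrmodules -p 880` output.
# Illustrative only; it does not reproduce the lab's real output.
SAMPLE_LDRMODULES = r"""Pid      Process              Base       InLoad InInit InMem MappedPath
-------- -------------------- ---------- ------ ------ ----- ----------
     880 svchost.exe          0x01000000 True   False  True  \WINDOWS\system32\svchost.exe
     880 svchost.exe          0x7c900000 True   True   True  \WINDOWS\system32\ntdll.dll
     880 svchost.exe          0x7c800000 True   True   True  \WINDOWS\system32\kernel32.dll
     880 svchost.exe          0x00980000 False  False  False \WINDOWS\system32\msxml3r.dll
     880 svchost.exe          0x00b40000 True   True   False \WINDOWS\system32\advapi32.dll
"""

# One ldrmodules data row: PID, process name, base address, three True/False
# flags and an optional mapped path (blank for code with no backing file).
ROW_RE = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<proc>\S+)\s+(?P<base>0x[0-9a-fA-F]+)\s+"
    r"(?P<inload>True|False)\s+(?P<ininit>True|False)\s+(?P<inmem>True|False)"
    r"(?:\s+(?P<path>\S.*?))?\s*$"
)


@dataclass
class Module:
    pid: int
    process: str
    base: int
    in_load: bool
    in_init: bool
    in_mem: bool
    mapped_path: str


def parse_ldrmodules(text: str) -> List[Module]:
    """Parse ldrmodules output into Module records, skipping header and separator lines."""
    mods = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        mods.append(Module(
            pid=int(m["pid"]), process=m["proc"], base=int(m["base"], 16),
            in_load=m["inload"] == "True", in_init=m["ininit"] == "True",
            in_mem=m["inmem"] == "True", mapped_path=m["path"] or "",
        ))
    return mods


def classify(mod: Module) -> Optional[str]:
    """Return a reason string if the module looks unlinked or injected, else None."""
    flags = {"InLoad": mod.in_load, "InInit": mod.in_init, "InMem": mod.in_mem}
    if all(flags.values()):
        return None
    if not any(flags.values()):
        return "unlinked from all three PEB lists"
    # The process image normally appears in InLoad and InMem but not in InInit,
    # so that single gap is expected for the .exe and is not reported.
    if mod.in_load and mod.in_mem and mod.mapped_path.lower().endswith(".exe"):
        return None
    missing = [name for name, present in flags.items() if not present]
    return "missing from " + ", ".join(missing)


def find_injected(mods: List[Module]) -> List[Tuple[Module, str]]:
    """Modules worth a closer look, in the order ldrmodules listed them."""
    findings = []
    for mod in mods:
        reason = classify(mod)
        if reason is not None:
            findings.append((mod, reason))
    return findings


if __name__ == "__main__":
    for mod, reason in find_injected(parse_ldrmodules(SAMPLE_LDRMODULES)):
        print(f"PID {mod.pid} {mod.process}: base {mod.base:#x} "
              f"path '{mod.mapped_path or '<none>'}' -> {reason}")
```

The base is kept as an integer and formatted with `:#x` on output so that it prints in the same short form the writeup uses for the answer (0x980000 rather than the zero-padded 0x00980000 that appears in the table).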