DumpMe writeup using Volatility 2 - CyberDefenders
Instructions: Uncompress the lab (pass: cyberdefenders.org)
Scenario: A SOC analyst took a memory dump from a machine infected with a meterpreter malware. As a digital forensicator, your job is to analyze the dump, extract the available indicators of compromise (IOCs) and answer the provided questions.
Tools: Volatility 2
Question 1/16 - What is the SHA1 hash of Triage-Memory.mem (memory dump)?
After extracting the given file, run sha1sum Triage-Memory.mem (on Linux) to calculate the hash.
Answer - C95E8CC8C946F95A109EA8E47A6800DE10A27ABD
Question 2/16 - What volatility profile is the most appropriate for this machine? (ex: Win10x86_14393)
To find the appropriate profile with Volatility 2, use the imageinfo plugin, which prints information about the memory dump. It lists several possible profiles; the first one is usually the most appropriate. The suggestion is a heuristic, so if later plugins fail or print nonsense, confirm the profile with kdbgscan.
Answer - Win7SP1x64
Question 3/16 - What was the process ID of notepad.exe?
Now we need the process ID of a particular process; the pslist plugin lists the running processes with their PIDs. The command is -
python2 /home/kali/tools/volatility/vol.py -f Triage-Memory.mem --profile=Win7SP1x64 pslist
Answer - 3032
Question 4/16 - Name the child process of wscript.exe.
To see child and grandchild processes, use the pstree plugin and pipe it through grep with the -A flag, which prints the n lines following each match. The final command is -
python2 /home/kali/tools/volatility/vol.py -f Triage-Memory.mem --profile=Win7SP1x64 pstree | grep -A 3 -i "wscript"
In the left-hand column, each additional dot indicates one more generation: a line prefixed with . is the parent and a line prefixed with .. is its child. The child process is malicious, which the malfind plugin confirms.
Answer - UWkpjFjDzM.exe
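As an added example (not part of the original writeup and not Volatility code), the script below parses pstree output the way the grep above reads it by eye: it turns the dot prefix into a depth, cross-checks that depth against the PPid column, and then answers "what is the PID of notepad.exe" (Q3) and "what are the children of wscript.exe" (Q4) from the parsed table. The sample output is constructed in the layout of Volatility 2's pstree; only the PIDs 3032 and 3496 and the names UWkpjFjDzM.exe, wscript.exe and notepad.exe come from the writeup, the other PIDs, offsets and timestamps are invented.

```python
import re
from typing import Dict, List

# Constructed excerpt in the layout of Volatility 2 "pstree" output; only notepad.exe (3032)
# and UWkpjFjDzM.exe (3496) carry PIDs taken from the writeup, the rest are invented.
SAMPLE_PSTREE = """\
Volatility Foundation Volatility Framework 2.6
Name                                                  Pid   PPid   Thds   Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
 0xfffffa8003c94060:explorer.exe                      1456   1404     28    873 2019-03-07 22:22:42 UTC+0000
. 0xfffffa8004a41b30:wscript.exe                      5116   1456      8    317 2019-03-07 23:01:12 UTC+0000
.. 0xfffffa8004b8d460:UWkpjFjDzM.exe                  3496   5116      5    109 2019-03-07 23:01:19 UTC+0000
. 0xfffffa8003d1e060:notepad.exe                      3032   1456      2     77 2019-03-07 23:05:02 UTC+0000
"""

# Leading dots give the depth; then "0x<offset>:<name>", followed by the Pid and PPid columns.
LINE_RE = re.compile(
    r"^(?P<dots>\.*)\s*0x[0-9a-fA-F]+:(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)"
)


def parse_pstree(text: str) -> List[Dict]:
    """Parse pstree output into dicts with name, pid, ppid, depth and a flag that
    says whether the dot indentation agrees with the PPid column."""
    procs: List[Dict] = []
    stack: List[tuple] = []  # (depth, pid) of the ancestors of the current line
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner, header and separator lines
        depth = len(m.group("dots"))
        pid, ppid = int(m.group("pid")), int(m.group("ppid"))
        while stack and stack[-1][0] >= depth:
            stack.pop()
        parent_pid = stack[-1][1] if stack else None
        procs.append({
            "name": m.group("name"), "pid": pid, "ppid": ppid, "depth": depth,
            # A nested line should carry the PPid of the line it is indented under.
            "tree_consistent": parent_pid is None or parent_pid == ppid,
        })
        stack.append((depth, pid))
    return procs


def pids_of(procs: List[Dict], name: str) -> List[int]:
    """PIDs of every process with the given image name (case-insensitive), as pslist would show."""
    return [p["pid"] for p in procs if p["name"].lower() == name.lower()]


def children_of(procs: List[Dict], parent_name: str) -> List[Dict]:
    """Direct children of every process called parent_name (one generation down)."""
    parents = set(pids_of(procs, parent_name))
    return [p for p in procs if p["ppid"] in parents]


def descendants_of(procs: List[Dict], parent_name: str) -> List[Dict]:
    """Children, grandchildren and so on, in the order pstree printed them."""
    roots = set(pids_of(procs, parent_name))
    found = set(roots)
    grew = True
    while grew:  # keep adding processes whose parent is already in the set
        before = len(found)
        found |= {p["pid"] for p in procs if p["ppid"] in found}
        grew = len(found) > before
    return [p for p in procs if p["pid"] in found - roots]


if __name__ == "__main__":
    procs = parse_pstree(SAMPLE_PSTREE)
    print("notepad.exe PIDs:", pids_of(procs, "notepad.exe"))
    for child in children_of(procs, "wscript.exe"):
        print(f"child of wscript.exe: {child['name']} (pid {child['pid']})")
```

The tree_consistent flag is the check worth keeping: grep -A 3 shows whatever three lines happen to follow the match, whereas the PPid column says who the parent really is, so a line that is indented under wscript.exe but carries a different PPid would be flagged instead of silently accepted.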
Question 5/16 - What was the IP address of the machine at the time the RAM dump was created?
There are several ways to find the machine's IP address; here we use the netscan plugin. The malicious process and many other processes share the same local address, which is the IP address of the machine.
Answer - 10.0.0.101
Question 6/16 - Based on the answer regarding the infected PID, can you determine the IP of the attacker?
In the output of the previous command, the foreign address of the malicious process's connection is the IP address of the remote machine it is connecting to.
Answer - 10.0.0.106
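As an added example (not part of the original writeup and not Volatility code), the script below parses netscan output and automates the two observations above: the local address that most sockets are bound to is the machine's IP (Q5), and the foreign address of the infected PID's connection is the remote host (Q6). The sample is constructed in the layout of Volatility 2's netscan; 10.0.0.101, 10.0.0.106 and PID 3496 come from the writeup, while ports, offsets, the other PIDs and the address 203.0.113.5 are invented. UDP rows have an empty State column, which is why the pattern treats State as optional rather than splitting on whitespace.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed excerpt in the layout of Volatility 2 "netscan" output. 10.0.0.101, 10.0.0.106
# and PID 3496 come from the writeup; ports, offsets, the other PIDs and 203.0.113.5 are invented.
SAMPLE_NETSCAN = """\
Volatility Foundation Volatility Framework 2.6
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x7d38b8f0         UDPv4    0.0.0.0:5355                   *:*                                   1084     svchost.exe    2019-03-07 22:22:31 UTC+0000
0x7d4a1a90         TCPv4    0.0.0.0:445                    0.0.0.0:0            LISTENING        4        System
0x7d6d4ae0         TCPv4    10.0.0.101:49200               10.0.0.106:4444      ESTABLISHED      3496     UWkpjFjDzM.exe
0x7d7c3010         TCPv4    10.0.0.101:49177               203.0.113.5:443      CLOSED           3112     Skype.exe
0x7d8e2cc0         UDPv4    10.0.0.101:1900                *:*                                   1084     svchost.exe    2019-03-07 22:22:33 UTC+0000
0x7d9a0120         TCPv6    ::1:49155                      ::1:49154            ESTABLISHED      1840     lsass.exe
"""

# UDP rows have no State column, so State is optional in the pattern.
NET_RE = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+(?P<proto>(?:TCP|UDP)v[46])\s+"
    r"(?P<local>\S+)\s+(?P<foreign>\S+)\s+(?:(?P<state>[A-Z_]+)\s+)?"
    r"(?P<pid>-?\d+)\s+(?P<owner>\S+)"
)

# Wildcard and loopback binds say nothing about the machine's address on the network.
UNBOUND = {"0.0.0.0", "::", "*", "127.0.0.1", "::1"}


def split_endpoint(ep: str) -> Tuple[str, Optional[int]]:
    """'10.0.0.101:49200' -> ('10.0.0.101', 49200); '*:*' -> ('*', None). Splits on the
    last colon so IPv6 endpoints such as '::1:49155' keep their address intact."""
    host, _, port = ep.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netscan(text: str) -> List[Dict]:
    rows: List[Dict] = []
    for line in text.splitlines():
        m = NET_RE.match(line)
        if not m:
            continue  # banner and header lines
        lhost, lport = split_endpoint(m.group("local"))
        fhost, fport = split_endpoint(m.group("foreign"))
        rows.append({
            "proto": m.group("proto"), "local_ip": lhost, "local_port": lport,
            "foreign_ip": fhost, "foreign_port": fport, "state": m.group("state"),
            "pid": int(m.group("pid")), "owner": m.group("owner"),
        })
    return rows


def machine_ip(rows: List[Dict]) -> Optional[str]:
    """The local address most sockets are bound to, ignoring wildcard and loopback binds."""
    counts = Counter(r["local_ip"] for r in rows if r["local_ip"] not in UNBOUND)
    return counts.most_common(1)[0][0] if counts else None


def remote_endpoints(rows: List[Dict], pid: int) -> List[Tuple[str, Optional[int], Optional[str]]]:
    """Foreign endpoints of one PID: for the infected process this is the remote host it talks to."""
    return [(r["foreign_ip"], r["foreign_port"], r["state"])
            for r in rows if r["pid"] == pid and r["foreign_ip"] not in UNBOUND]


if __name__ == "__main__":
    rows = parse_netscan(SAMPLE_NETSCAN)
    print("machine IP:", machine_ip(rows))
    print("remote endpoints of PID 3496:", remote_endpoints(rows, 3496))
```

Counting local addresses rather than reading one row avoids being misled by a single unusual socket, and keeping the State column lets you separate an ESTABLISHED connection from stale CLOSED entries that netscan recovers from freed pool memory.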
Question 7/16 - How many processes are associated with VCRUNTIME140.dll?
To find the processes associated with a DLL, use the dlllist plugin and filter its output with grep for the specific DLL. A possible command is -
python2 /home/kali/tools/volatility/vol.py -f Triage-Memory.mem --profile=Win7SP1x64 dlllist | grep -i VCRUNTIME140.dll
Answer - 5
Question 8/16 - After dumping the infected process, what is its md5 hash?
To dump the executable of a process, use the procdump plugin; it takes two main arguments, the process ID (--pid) and the output directory (--dump-dir). Then use md5sum to calculate the MD5 hash of the dumped file. The final command is -
python2 /home/kali/tools/volatility/vol.py -f Triage-Memory.mem --profile=Win7SP1x64 procdump --dump-dir=./out/ --pid=3496
Answer - 690ea20bc3bdfb328e23005d9a80c290
Question 9/16 - What is the LM hash of Bob's account?
Dumping the hashes is as simple as listing the processes: use the hashdump plugin, which shows the users along with their LM and NT hashes. Note that the value aad3b435b51404eeaad3b435b51404ee is the well-known LM hash of an empty password, which on Windows 7 (where LM hash storage is disabled by default) simply means no LM hash is stored for the account.
Answer - aad3b435b51404eeaad3b435b51404ee
Question 10/16 - What memory protection constants does the VAD node at 0xfffffa800577ba10 have?
A VAD (virtual address descriptor) is the structure Windows uses to track the virtual memory ranges of a process. To find the memory protection of a specific VAD node, use the vadinfo plugin and filter the output with grep. A possible command is -
python2 /home/kali/tools/volatility/vol.py -f Triage-Memory.mem --profile=Win7SP1x64 vadinfo | grep -A 5 "0xfffffa800577ba10"
Answer - PAGE_READONLY
Question 11/16 - What memory protection did the VAD starting at 0x00000000033c0000 and ending at 0x00000000033dffff have?
Run the previous command with the given start address instead of the node address; the matching block reveals the memory protection of that VAD range.
Answer - PAGE_NOACCESS
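As an added example (not part of the original writeup and not Volatility code), the script below parses vadinfo output into records and answers both questions from the parsed data: protection by node address (Q10) and protection by start/end range (Q11). It also goes one step beyond the writeup with vad_containing(), which finds the VAD covering an arbitrary address in a process, the lookup you want when malfind reports a suspicious address and you need to know what region backs it. The sample is constructed in the layout of Volatility 2's vadinfo: the node address 0xfffffa800577ba10, the range 0x33c0000-0x33dffff and their protections are the writeup's values, while the PID they are placed under, the start/end of the first node, the third node and the file names are invented.

```python
import re
from typing import Dict, List, Optional

# Constructed excerpt in the layout of Volatility 2 "vadinfo" output. The node address
# 0xfffffa800577ba10, the range 0x33c0000-0x33dffff and their protections are the values
# from the writeup; the PID, the first node's start/end, the third node and file names are invented.
SAMPLE_VADINFO = """\
Volatility Foundation Volatility Framework 2.6
************************************************************************
Pid:   3496
VAD node @ 0xfffffa800577ba10 Start 0x0000000000190000 End 0x000000000019ffff Tag Vad
Flags: CommitCharge: 1, Protection: 1, VadType: 0
Protection: PAGE_READONLY
Vad Type: VadNone
ControlArea @fffffa8004ff38e0 Segment fffff8a004f9d000
FileObject @fffffa8004ff3cb0, Name: \\Windows\\System32\\locale.nls
VAD node @ 0xfffffa8005a1c2f0 Start 0x00000000033c0000 End 0x00000000033dffff Tag VadS
Flags: PrivateMemory: 1, Protection: 0
Protection: PAGE_NOACCESS
Vad Type: VadNone
VAD node @ 0xfffffa8005b77d40 Start 0x0000000000400000 End 0x000000000041afff Tag Vad
Flags: CommitCharge: 5, Protection: 7, VadType: 2
Protection: PAGE_EXECUTE_WRITECOPY
Vad Type: VadImageMap
ControlArea @fffffa8005b6e4f0 Segment fffff8a005b9c000
FileObject @fffffa8005b6bb90, Name: \\Users\\Bob\\AppData\\Local\\Temp\\UWkpjFjDzM.exe
"""

NODE_RE = re.compile(
    r"^VAD node @ (?P<node>0x[0-9a-fA-F]+) Start (?P<start>0x[0-9a-fA-F]+) "
    r"End (?P<end>0x[0-9a-fA-F]+) Tag (?P<tag>\S+)"
)
PID_RE = re.compile(r"^Pid:\s+(\d+)")
PROT_RE = re.compile(r"^Protection: (\S+)")   # anchored, so the "Flags: ... Protection: 1" line is skipped
TYPE_RE = re.compile(r"^Vad Type: (\S+)")
FILE_RE = re.compile(r"^FileObject @[0-9a-fA-F]+, Name: (.+)$")


def parse_vadinfo(text: str) -> List[Dict]:
    """One dict per VAD node; the current 'Pid:' header is attached to each node that follows it."""
    vads: List[Dict] = []
    pid: Optional[int] = None
    for line in text.splitlines():
        line = line.rstrip()
        if (m := PID_RE.match(line)):
            pid = int(m.group(1))
        elif (m := NODE_RE.match(line)):
            vads.append({"pid": pid, "node": m.group("node").lower(),
                         "start": int(m.group("start"), 16), "end": int(m.group("end"), 16),
                         "tag": m.group("tag"), "protection": None, "vad_type": None, "file": None})
        elif vads and (m := PROT_RE.match(line)):
            vads[-1]["protection"] = m.group(1)
        elif vads and (m := TYPE_RE.match(line)):
            vads[-1]["vad_type"] = m.group(1)
        elif vads and (m := FILE_RE.match(line)):
            vads[-1]["file"] = m.group(1)
    return vads


def protection_of_node(vads: List[Dict], node: str) -> Optional[str]:
    """Q10-style lookup: protection of the VAD node at a given kernel address."""
    for v in vads:
        if v["node"] == node.lower():
            return v["protection"]
    return None


def protection_of_range(vads: List[Dict], start: int, end: int) -> Optional[str]:
    """Q11-style lookup: protection of the VAD covering exactly start..end."""
    for v in vads:
        if v["start"] == start and v["end"] == end:
            return v["protection"]
    return None


def vad_containing(vads: List[Dict], pid: int, address: int) -> Optional[Dict]:
    """The VAD of a process that contains an arbitrary virtual address, e.g. an address from malfind."""
    for v in vads:
        if v["pid"] == pid and v["start"] <= address <= v["end"]:
            return v
    return None


if __name__ == "__main__":
    vads = parse_vadinfo(SAMPLE_VADINFO)
    print("node 0xfffffa800577ba10:", protection_of_node(vads, "0xfffffa800577ba10"))
    print("range 0x33c0000-0x33dffff:", protection_of_range(vads, 0x33C0000, 0x33DFFFF))
    print("VAD containing 0x401000:", vad_containing(vads, 3496, 0x401000))
```

Keeping tag, vad_type and file alongside the protection is what makes the record useful beyond answering the question: a VadS (private, non-file-backed) region with an executable protection and no file object is the shape malfind looks for, while an image-mapped region with PAGE_EXECUTE_WRITECOPY backed by a file is normal for a loaded executable.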
Question 12/16 - There was a VBS script that ran on the machine. What is the name of the script? (submit without file extension)
A VBS script was run, most likely from the command line (the wscript.exe seen earlier is the usual host for such scripts). The cmdline plugin shows the command line each process was started with; use grep to filter the output for .vbs.
Answer - vhjReUDEuumrX
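As an added example (not part of the original writeup and not Volatility code), the script below parses the per-process blocks that dlllist prints and serves two of the questions above at once: Q7, counting the distinct processes that have VCRUNTIME140.dll loaded, and Q12, pulling the script name out of a command line. It works on cmdline output as well, because cmdline prints the same "name pid:" header and "Command line :" line, only without the module table. The sample is constructed in the layout of Volatility 2's dlllist; PIDs 3032 and 3496 and the names UWkpjFjDzM.exe and vhjReUDEuumrX.vbs come from the writeup, while the paths, the PIDs of wscript.exe and Skype.exe, base addresses, load times and which process has which module loaded are invented. It also assumes the LoadTime column is printed as three space-separated tokens ("YYYY-MM-DD HH:MM:SS UTC+0000"), as it is in Volatility 2.6.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt in the layout of Volatility 2 "dlllist" output ("cmdline" prints the same
# header and "Command line :" line without the module table). PIDs 3032/3496 and the names
# UWkpjFjDzM.exe and vhjReUDEuumrX.vbs come from the writeup; everything else is invented.
SAMPLE_DLLLIST = """\
Volatility Foundation Volatility Framework 2.6
************************************************************************
wscript.exe pid:   5116
Command line : "C:\\Windows\\System32\\wscript.exe" "C:\\Users\\Bob\\AppData\\Local\\Temp\\vhjReUDEuumrX.vbs"
Service Pack 1

Base                             Size          LoadCount LoadTime                       Path
------------------------------ ------------------ ---------- ------------------------------ ----
0x00000000ff6e0000            0x29000             0xffff 1970-01-01 00:00:00 UTC+0000   C:\\Windows\\System32\\wscript.exe
0x0000000077a50000           0x1a9000             0xffff 1970-01-01 00:00:00 UTC+0000   C:\\Windows\\SYSTEM32\\ntdll.dll
************************************************************************
UWkpjFjDzM.exe pid:   3496
Command line : "C:\\Users\\Bob\\AppData\\Local\\Temp\\UWkpjFjDzM.exe"
Service Pack 1

Base                             Size          LoadCount LoadTime                       Path
------------------------------ ------------------ ---------- ------------------------------ ----
0x0000000000400000             0x1b000             0xffff 1970-01-01 00:00:00 UTC+0000   C:\\Users\\Bob\\AppData\\Local\\Temp\\UWkpjFjDzM.exe
0x0000000077a50000           0x1a9000             0xffff 1970-01-01 00:00:00 UTC+0000   C:\\Windows\\SYSTEM32\\ntdll.dll
************************************************************************
Skype.exe pid:   3112
Command line : "C:\\Program Files (x86)\\Skype\\Phone\\Skype.exe"
Service Pack 1

Base                             Size          LoadCount LoadTime                       Path
------------------------------ ------------------ ---------- ------------------------------ ----
0x0000000000b20000           0x1a9b000             0xffff 1970-01-01 00:00:00 UTC+0000   C:\\Program Files (x86)\\Skype\\Phone\\Skype.exe
0x0000000073a90000             0x16000             0xffff 2019-03-07 22:40:03 UTC+0000   C:\\Windows\\SysWOW64\\vcruntime140.dll
************************************************************************
notepad.exe pid:   3032
Command line : "C:\\Windows\\system32\\notepad.exe"
Service Pack 1

Base                             Size          LoadCount LoadTime                       Path
------------------------------ ------------------ ---------- ------------------------------ ----
0x00000000ffe20000             0x3a000             0xffff 1970-01-01 00:00:00 UTC+0000   C:\\Windows\\system32\\notepad.exe
0x0000000073b10000             0x16000             0xffff 2019-03-07 23:05:02 UTC+0000   C:\\Windows\\System32\\VCRUNTIME140.dll
0x0000000077a50000           0x1a9000             0xffff 1970-01-01 00:00:00 UTC+0000   C:\\Windows\\SYSTEM32\\ntdll.dll
"""

HEADER_RE = re.compile(r"^(?P<name>\S+) pid:\s+(?P<pid>\d+)\s*$")
CMDLINE_RE = re.compile(r"^Command line : (?P<cmd>.*)$")
# Base, Size, LoadCount, then a three-token LoadTime, then the path (which may contain spaces).
MODULE_RE = re.compile(
    r"^0x[0-9a-fA-F]+\s+0x[0-9a-fA-F]+\s+0x[0-9a-fA-F]+\s+\S+ \S+ \S+\s+(?P<path>\S.*)$"
)


def parse_process_blocks(text: str) -> Dict[int, Dict]:
    """Map pid -> {name, cmdline, modules}; works for dlllist and, minus modules, cmdline output."""
    procs: Dict[int, Dict] = {}
    cur = None
    for line in text.splitlines():
        line = line.rstrip()
        if (m := HEADER_RE.match(line)):
            cur = {"name": m.group("name"), "cmdline": "", "modules": []}
            procs[int(m.group("pid"))] = cur
        elif cur is not None and (m := CMDLINE_RE.match(line)):
            cur["cmdline"] = m.group("cmd").strip()
        elif cur is not None and (m := MODULE_RE.match(line)):
            cur["modules"].append(m.group("path"))
    return procs


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def processes_with_dll(procs: Dict[int, Dict], dll: str) -> List[Tuple[int, str]]:
    """Q7: distinct processes with the module loaded, matched on file name only and case-insensitively,
    so SysWOW64\\vcruntime140.dll and System32\\VCRUNTIME140.dll both count."""
    want = dll.lower()
    return sorted((pid, p["name"]) for pid, p in procs.items()
                  if any(basename(mod).lower() == want for mod in p["modules"]))


def scripts_on_command_lines(procs: Dict[int, Dict], extension: str = ".vbs") -> List[Tuple[int, str, str]]:
    """Q12: (pid, process name, script name without extension) for every command line that
    references a file with the given extension, whether or not the argument is quoted."""
    arg_re = re.compile(r'"([^"]*)"|(\S+)')
    hits = []
    for pid, p in sorted(procs.items()):
        for m in arg_re.finditer(p["cmdline"]):
            arg = m.group(1) if m.group(1) is not None else m.group(2)
            if arg.lower().endswith(extension.lower()):
                hits.append((pid, p["name"], basename(arg)[: -len(extension)]))
    return hits


if __name__ == "__main__":
    procs = parse_process_blocks(SAMPLE_DLLLIST)
    print("processes with VCRUNTIME140.dll:", processes_with_dll(procs, "VCRUNTIME140.dll"))
    print("scripts on command lines:", scripts_on_command_lines(procs, ".vbs"))
```

The difference from grep -i | wc -l is that this counts distinct PIDs rather than matching lines: a "Command line :" line that happens to mention the DLL, or a mixed-case path, would skew a raw line count but not the parsed result.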
Question 13/16 - An application was run at 2019-03-07 23:06:58 UTC. What is the name of the program? (Include extension)
The ShimCache (Application Compatibility Cache) is a Windows artifact that contains information about recently executed applications and files that have been accessed on the system.
The shimcache plugin lists these entries with their timestamps; grep the output for the given time. Keep in mind that on Windows 7 the timestamp stored in the ShimCache is the file's last-modified time rather than the moment it was executed, so treat it as an approximation of when the program ran.
Answer - Skype.exe
Question 14/16 - What was written in notepad.exe at the time when the memory dump was captured?
Answer - flag<REDBULL_IS_LIFE>
Question 15/16 - What is the short name of the file at file record 59045?
Answer - EMPLOY~1.XLS
Question 16/16 - This box was exploited and is running meterpreter. What was the infected PID?
Answer - 3496