
Redline writeup using Volatility 3 - CyberDefenders

Instructions: Uncompress the lab (pass: cyberdefenders.org)

Scenario: As a member of the Security Blue team, your assignment is to analyze a memory dump using Redline and Volatility tools. Your goal is to trace the steps taken by the attacker on the compromised machine and determine how they managed to bypass the Network Intrusion Detection System "NIDS". Your investigation will involve identifying the specific malware family employed in the attack, along with its characteristics. Additionally, your task is to identify and mitigate any traces or footprints left by the attacker.

Tools: Volatility 3

Question 1/8 - What is the name of the suspicious process?

To find the suspicious process, I first listed the running processes using the windows.pslist plugin. There were a lot of processes, so for each one that looked suspicious I did a Google search, and found that the process oneetx.exe is malware.

Example command (bash):

python3 /home/kali/tools/volatility3/vol.py -f MemoryDump.mem windows.pslist

The windows.malfind plugin also flags it as suspicious.


Answer - oneetx.exe

Question 2/8 - What is the child process name of the suspicious process?

To find the child process, we can use the windows.pstree plugin, which lists all processes together with their respective child processes.

Command (bash):

python3 /home/kali/tools/volatility3/vol.py -f MemoryDump.mem windows.pstree

Answer - rundll32.exe

Question 3/8 - What is the memory protection applied to the suspicious process memory region?

The windows.malfind output used in Question 1 also shows the memory protection of the suspicious process's memory region.

Command (bash):

python3 /home/kali/tools/volatility3/vol.py -f MemoryDump.mem windows.malfind

Answer - PAGE_EXECUTE_READWRITE

Question 4/8 - What is the name of the process responsible for the VPN connection?

While searching for the suspicious process, I found a process outline.exe, which is a VPN service and is therefore responsible for the VPN connection.


We can use the windows.pstree plugin to confirm this: tun2socks.exe is a child process of Outline.exe.

Command (bash):

python3 /home/kali/tools/volatility3/vol.py -f MemoryDump.mem windows.pstree

Answer - outline.exe

Question 5/8 - What is the attacker's IP address?

To find the attacker's IP address, we can use the windows.netscan plugin to list all the addresses the suspicious process is trying to connect to.

Command (bash):

python3 /home/kali/tools/volatility3/vol.py -f MemoryDump.mem windows.netscan

Answer - 77.91.124.20

Question 6/8 - Based on the previous artifacts, what is the name of the malware family?

To find the malware family, I first dumped the malware using the windows.dumpfiles plugin, then checked the hash of the dumped file on VirusTotal, which identifies it as a trojan. After some Google searching about the trojan and the lab name, I got the malware family name.

Command (bash):

# <PID of oneetx.exe> is the PID shown for oneetx.exe by windows.pslist
python3 /home/kali/tools/volatility3/vol.py -f MemoryDump.mem windows.dumpfiles --pid <PID of oneetx.exe>

Answer - RedLine Stealer

Question 7/8 - What is the full URL of the PHP file that the attacker visited?

Since the question states that the attacker visited a PHP file, after trying several approaches I searched for the attacker's IP address in the strings of the memory dump.

Command (bash):

strings MemoryDump.mem | grep -i 77.91.124.20

Answer - http://77.91.124.20/store/games/index.php

Question 8/8 - What is the full path of the malicious executable?

To find the full path, we can use the pstree or filescan plugins. With filescan, the command is:

Command (bash):

python3 /home/kali/tools/volatility3/vol.py -f MemoryDump.mem windows.filescan | grep -i "oneetx.exe"

Answer - C:\Users\Tammam\AppData\Local\Temp\c3912af058\oneetx.exe
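Each answer above came from reading a separate plugin's output by hand; with vol.py's JSON renderer (-r json) the same correlation of process, child, memory protection, remote peer and on-disk path can be scripted. The Python below is an added example, not part of this writeup or of Volatility: the record key names are assumed to match Volatility 3's JSON output for these plugins, and the records themselves are constructed (PIDs, offsets and the local address are invented; the process names, protection, remote IP and path are the values recovered above).

```python
"""Correlate Volatility 3 JSON output (vol.py -r json -f MemoryDump.mem <plugin>) into one triage record."""
# Constructed stand-ins for json.load() of each plugin's -r json output. PIDs, offsets and the
# local address are made up; the process names, protection, remote IP and path are the lab's findings.
PSTREE = [{"PID": 4, "PPID": 0, "ImageFileName": "System", "__children": [
    {"PID": 668, "PPID": 4, "ImageFileName": "explorer.exe", "__children": [
        {"PID": 5896, "PPID": 668, "ImageFileName": "oneetx.exe", "__children": [
            {"PID": 7124, "PPID": 5896, "ImageFileName": "rundll32.exe", "__children": []}]}]}]}]
MALFIND = [{"PID": 5896, "Process": "oneetx.exe", "Start VPN": 0x400000, "Protection": "PAGE_EXECUTE_READWRITE"},
           {"PID": 668, "Process": "explorer.exe", "Start VPN": 0x900000, "Protection": "PAGE_EXECUTE_READ"}]
NETSCAN = [{"Proto": "TCPv4", "LocalAddr": "192.168.56.101", "LocalPort": 49812, "ForeignAddr": "77.91.124.20",
            "ForeignPort": 80, "State": "ESTABLISHED", "PID": 5896, "Owner": "oneetx.exe"},
           {"Proto": "TCPv4", "LocalAddr": "0.0.0.0", "LocalPort": 135, "ForeignAddr": "0.0.0.0",
            "ForeignPort": 0, "State": "LISTENING", "PID": 880, "Owner": "svchost.exe"}]
FILESCAN = [{"Offset": 0xe10f3c0, "Name": r"\Users\Tammam\AppData\Local\Temp\c3912af058\oneetx.exe", "Size": 216}]

def walk(tree):
    """Depth-first flatten of the pstree JSON; each node still carries its __children list."""
    for node in tree:
        yield node
        yield from walk(node.get("__children", []))

def find_process(name, tree=PSTREE):
    return [n for n in walk(tree) if n["ImageFileName"].lower() == name.lower()]

def children(pid, tree=PSTREE):
    return [c["ImageFileName"] for n in walk(tree) if n["PID"] == pid for c in n["__children"]]

def writable_executable(pid, malfind=MALFIND):
    """malfind regions that are both writable and executable, the usual sign of injected code."""
    rwx = ("PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY")
    return sorted({r["Protection"] for r in malfind if r["PID"] == pid and r["Protection"] in rwx})

def remote_peers(pid, netscan=NETSCAN):
    """Remote endpoints the PID talked to; unbound listeners and loopback are not peers."""
    local = ("0.0.0.0", "::", "127.0.0.1", "::1")
    return sorted({(c["ForeignAddr"], c["ForeignPort"]) for c in netscan
                   if c["PID"] == pid and c["ForeignAddr"] not in local})

def on_disk_paths(name, filescan=FILESCAN):
    return [f["Name"] for f in filescan if f["Name"].lower().endswith("\\" + name.lower())]

def triage(name):
    """One summary per process matching `name`: lineage, RWX regions, peers and on-disk path."""
    return [{"pid": p["PID"], "parent": p["PPID"], "children": children(p["PID"]),
             "rwx": writable_executable(p["PID"]), "peers": remote_peers(p["PID"]),
             "paths": on_disk_paths(name)} for p in find_process(name)]

if __name__ == "__main__":
    for record in triage("oneetx.exe"):
        print(record)
```

Against a real dump, replace the four constructed lists with json.load() of the corresponding `vol.py -r json` runs; the correlation logic is unchanged.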