My boss, Muhammad, sent me this dump file of a memory. He told me that this OS has a malware virus that runs automatically. I need to find some more information about this OS, and the hacker also created some files in this OS. He gave me a task to solve this within 24 hours. I am afraid. Will you please help me? My boss sent some questions; please solve them on my behalf. There are total 7 challenges in this series. Best of luck.
Solution
The Forensics category consisted of 7 tasks: OS, Password, IP Addr, Note, Execution, Path of the Executable, and Malicious. The content of individual tasks is included in points 1-7. All tasks in this category were solved based on the KnightSquad.DMP file, which was attached to the first task:
szczygielka@hacks$ file KnightSquad.DMP
KnightSquad.DMP: MS Windows 64bit crash dump, full dump, 771726 pages
To solve the tasks, we will mainly use WinDbg, Volatility 2 and Volatility 3. The two versions of Volatility differ in some commands, so it is worth paying attention to the information each version returns and to its capabilities, because some Volatility 2 commands seem to have no equivalent in Volatility 3.
Additionally, in Volatility 2, it is necessary to select an operating system profile, which we will do after the OS task, once we have some information about the system.
Useful cheatsheet for Volatility 2 and Volatility 3:
1. OS - What is the OS version?
To find the operating system version we can use the following command in WinDbg's integrated command line:
!analyze -v
In the output of the command, we get the OS version, which is 7.1.7601.24214.
Flag:
KCTF{7.1.7601.24214}
Selecting an operating system profile in Volatility 2
To use Volatility 2 for solving the next tasks, we must determine the profile based on the operating system version. We know that the build number is 7.1.7601.24214, that it is a 64-bit machine running Windows 7, and that it uses Service Pack 1.
We can use the following command to check the list of available profiles for Windows 7 in Volatility 2:
szczygielka@hacks$ python2 vol.py --info | grep Win7
Volatility Foundation Volatility Framework 2.6.1
Win7SP0x64 - A Profile for Windows 7 SP0 x64
Win7SP0x86 - A Profile for Windows 7 SP0 x86
Win7SP1x64 - A Profile for Windows 7 SP1 x64
Win7SP1x64_23418 - A Profile for Windows 7 SP1 x64 (6.1.7601.23418 / 2016-04-09)
Win7SP1x64_24000 - A Profile for Windows 7 SP1 x64 (6.1.7601.24000 / 2018-01-09)
Win7SP1x86 - A Profile for Windows 7 SP1 x86
Win7SP1x86_23418 - A Profile for Windows 7 SP1 x86 (6.1.7601.23418 / 2016-04-09)
Win7SP1x86_24000 - A Profile for Windows 7 SP1 x86 (6.1.7601.24000 / 2018-01-09)
Based on the information received from the OS task, we can select the profile Win7SP1x64.
2. Password - What is the login password of the OS?
To get the password we first need the NTLM hashes, which we can obtain with the hashdump functionality.
Based on the output, we can suspect that it is either the text2.txt file or the text.txt file. To recover a single file, we have to use the address of that file returned in the previous command. Let's try to recover the text2.txt file first.
Volatility 2
When using Volatility 2, we must specify the path where the recovered file will be saved:
5. Execution - My leader, Noman Prodhan, executed something in the cmd of this infected machine. Could you please figure out what he actually executed?
Commands entered into cmd.exe are processed by conhost.exe (csrss.exe prior to Windows 7). So even if an attacker managed to kill cmd.exe before we obtained the memory dump, there is still a good chance of recovering the history of the command-line session from the memory of conhost.exe. If you find something weird (using the console modules), try to dump the memory of the associated conhost.exe process and search for strings inside it to extract the command lines.
Volatility 2
In Volatility 2 there are at least three commands related to the command line:
cmdline
cmdscan
consoles
We will check the output of each of them, because their results may also be useful in solving the Path of the Executable task. For the cmdline and cmdscan commands, we want to find all the results for the conhost.exe process.
The cmdline command
Let's use the cmdline command to search for the conhost.exe process:
szczygielka@hacks$ python2 vol.py -f KnightSquad.DMP --profile=Win7SP1x64 cmdline | grep "conhost.exe"
Volatility Foundation Volatility Framework 2.6.1
conhost.exe pid: 2348
Command line : \??\C:\Windows\system32\conhost.exe "-1209142271685361894-531425533-402668515-715241983-586801334-1893083562-2146092597
conhost.exe pid: 4888
Command line : \??\C:\Windows\system32\conhost.exe "-943315145667469034-835458599-11439838731992957646818159495-191605888-1892123205
conhost.exe pid: 4580
Command line : \??\C:\Windows\system32\conhost.exe "1094193548945927055-9018413218307182252079099763-884703563-73234193-284509992
In this case, this command returned the PIDs of the conhost.exe processes. With PIDs, we can dump the memory of each process, and then search for strings in them, hoping to find commands or other interesting strings (we will do this in Volatility 3).
The cmdscan command
In this case, we can see 2 commands that were executed in the console:
The output indicates that two commands were executed in the process with PID 4580. As with the cmdline command, we can dump the process memory and search for strings.
The consoles command
The consoles command displays the entire screen buffer (input and output), not just the command typed in the console. In this case, it turned out to be significant: after executing the consoles command, we get the flag, because the flag was returned in the output of the executed script windows.bat:
The flag is present in each of the above processes. Since the procdump command available in Volatility 3 recovers the .exe file together with its associated DLLs, we will use the memmap command to dump the process memory instead. For example, let's dump the process with PID 4888:
6. Path of the Executable - What is the path folder of the executable file which executed the previous flag?
Volatility 2
In the Execution task, the output of the cmdscan and consoles commands in Volatility 2 contained the full path of the executed windows.bat script, that is:
\Users\siam\Documents\windows.bat
Flag:
KCTF{\Users\siam\Documents}
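The Execution task relies on dumping the memory of a conhost.exe process and searching it for strings, and the Path of the Executable task then takes the folder from the recovered command line. The following Python example is added here and is not part of the original writeup or of Volatility; it runs over a constructed byte blob that stands in for a memmap dump (nothing from KnightSquad.DMP) and shows why a plain ASCII strings pass misses console text, which the screen buffer stores as UTF-16LE.

```python
import ntpath
import re
from typing import List, Tuple

# Constructed stand-in for a slice of a conhost.exe memmap dump (not data from
# KnightSquad.DMP). The console screen buffer keeps text as UTF-16LE, so the
# typed command appears as wide characters and is invisible to an ASCII-only
# strings pass; other data in the dump is ordinary ASCII.
SAMPLE_DUMP = (
    b"\x00" * 8
    + "C:\\Users\\siam>\\Users\\siam\\Documents\\windows.bat".encode("utf-16-le")
    + b"\x00" * 16
    + b"SOME_ASCII_BUFFER_TEXT"
    + b"\x00" * 4
    + "cmd.exe /c echo done".encode("utf-16-le")
    + b"\xff\xfe\x01"
)

def extract_strings(data: bytes, min_len: int = 8) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) for ASCII and UTF-16LE runs of at least min_len chars."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le")) for m in wide_re.finditer(data)]
    return sorted(found)

# Heuristic for console activity: a prompt or drive path, a script/binary name, or an interpreter.
CMD_HINT = re.compile(r"(?i)(^|>)\s*(?:[a-z]:)?\\|\.(?:bat|cmd|exe|ps1)\b|^\s*(?:cmd|powershell)\b")

def find_command_lines(data: bytes) -> List[str]:
    """Strings from the dump that look like prompts, paths or program invocations."""
    return [text for _, _, text in extract_strings(data) if CMD_HINT.search(text)]

# Windows path ending in a script or executable; segments may not contain '>' or ':'
# so that the prompt part of "C:\Users\siam>\Users\...\windows.bat" is skipped.
PATH_RE = re.compile(r'(?i)(?:[a-z]:)?\\(?:[^\\\s">:]+\\)*[^\\\s">:]+\.(?:bat|cmd|exe)')

def executable_folder(command_line: str) -> str:
    """Folder of the first script/executable path in a recovered command line ('' if none)."""
    m = PATH_RE.search(command_line)
    return ntpath.dirname(m.group()) if m else ""

if __name__ == "__main__":
    for line in find_command_lines(SAMPLE_DUMP):
        print(line, "->", executable_folder(line))
```

With a real dump, read the memmap output file into `data` instead of SAMPLE_DUMP; the UTF-16LE pass is the one that recovers what was typed at the prompt.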
7. Malicious - What is the malicious software name?
Let's recall the content of the first task:
My boss, Muhammad, sent me this dump file of a memory. He told me that this OS has a malware virus that runs automatically. I need to find some more information about this OS, and the hacker also created some files in this OS. He gave me a task to solve this within 24 hours. I am afraid. Will you please help me? My boss sent some questions; please solve them on my behalf. There are total 7 challenges in this series. Best of luck.
So we are most likely looking for some malware that runs automatically.
In Volatility 2 we can use the autoruns plugin to find software that runs automatically. The command to check autostart entries is as follows: