OS, Password, IP Addr, Note, Execution, Path of the Executable, Malicious - Forensics
Task
My boss, Muhammad, sent me this dump file of a memory. He told me that this OS has a malware virus that runs automatically. I need to find some more information about this OS, and the hacker also created some files in this OS. He gave me a task to solve this within 24 hours. I am afraid. Will you please help me? My boss sent some questions; please solve them on my behalf. There are a total of 7 challenges in this series. Best of luck.
Solution
The Forensics category consisted of 7 tasks: OS, Password, IP Addr, Note, Execution, Path of the Executable, and Malicious. The content of the individual tasks is included in points 1-7. All tasks in this category were solved based on the KnightSquad.DMP file, which was attached to the first task:
szczygielka@hacks$ file KnightSquad.DMP
KnightSquad.DMP: MS Windows 64bit crash dump, full dump, 771726 pages
To solve the tasks, we will mainly use WinDbg, Volatility 2 and Volatility 3. The two versions of Volatility differ in some commands, so it is worth paying attention to the information returned by each version and to their capabilities, because some Volatility 2 commands have no equivalent in Volatility 3.
Additionally, in Volatility 2 it is necessary to select an operating system profile, which we will do after the OS task, once we have some information about the system.
A useful cheatsheet for Volatility 2 and Volatility 3:
https://blog.onfvp.com/post/volatility-cheatsheet/
1. OS - What is the OS version?
To find the operating system version we can use the following command in WinDbg's integrated command line:
!analyze -v

In the output of the command, we get the OS version, which is 7.1.7601.24214.
Flag:
KCTF{7.1.7601.24214}
Selecting an operating system profile in Volatility 2
To use Volatility 2 for solving the next tasks, we must determine the profile based on the operating system version. We know that the build number is 7.1.7601.24214, that it is a 64-bit machine running Windows 7, and that it uses Service Pack 1.
Information on how to correctly determine the Windows machine profile in Volatility 2 can be found here.
We can use the following command to list the available profiles for Windows 7 in Volatility 2:
szczygielka@hacks$ python2 vol.py --info | grep Win7
Volatility Foundation Volatility Framework 2.6.1
Win7SP0x64 - A Profile for Windows 7 SP0 x64
Win7SP0x86 - A Profile for Windows 7 SP0 x86
Win7SP1x64 - A Profile for Windows 7 SP1 x64
Win7SP1x64_23418 - A Profile for Windows 7 SP1 x64 (6.1.7601.23418 / 2016-04-09)
Win7SP1x64_24000 - A Profile for Windows 7 SP1 x64 (6.1.7601.24000 / 2018-01-09)
Win7SP1x86 - A Profile for Windows 7 SP1 x86
Win7SP1x86_23418 - A Profile for Windows 7 SP1 x86 (6.1.7601.23418 / 2016-04-09)
Win7SP1x86_24000 - A Profile for Windows 7 SP1 x86 (6.1.7601.24000 / 2018-01-09)
Based on the information obtained in the OS task, we can select the Win7SP1x64 profile.
2. Password - What is the login password of the OS?
To get the password we first have to obtain the NTLM hashes. We can use the hashdump plugin to extract them.
Volatility 2:
szczygielka@hacks$ python2 vol.py -f KnightSquad.DMP --profile=Win7SP1x64 hashdump
Volatility Foundation Volatility Framework 2.6.1
Administrator:500:aad3b435b51404eeaad3b435b51404ee:10eca58175d4228ece151e287086e824:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
siam:1001:aad3b435b51404eeaad3b435b51404ee:7ab3201ceecd554f772573bb064a0f38:::
HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:99d22b68c0d197f683f3d994c7f31254:::
Volatility 3:
szczygielka@hacks$ python3 vol.py -f KnightSquad.DMP windows.hashdump
Volatility 3 Framework 2.5.2
Progress: 100.00 PDB scanning finished
User rid lmhash nthash
Administrator 500 aad3b435b51404eeaad3b435b51404ee 10eca58175d4228ece151e287086e824
Guest 501 aad3b435b51404eeaad3b435b51404ee 31d6cfe0d16ae931b73c59d7e0c089c0
siam 1001 aad3b435b51404eeaad3b435b51404ee 7ab3201ceecd554f772573bb064a0f38
HomeGroupUser$ 1002 aad3b435b51404eeaad3b435b51404ee 99d22b68c0d197f683f3d994c7f31254
Let's save the NTLM hashes found to the hashes.txt file and use Hashcat to crack them with the rockyou.txt wordlist:
szczygielka@hacks$ hashcat -m 1000 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt
One of the hashes was cracked. The cracked hash and the recovered password:
7ab3201ceecd554f772573bb064a0f38:squad
Flag:
KCTF{squad}
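As an added example that is not part of the original writeup, the following Python script parses the hashdump lines above and performs the checks a defender would run on such output: it recognises the empty-password LM and NT values (a blank password, or LM hashing disabled), and it computes NT hashes (MD4 over the UTF-16LE password, the same computation Hashcat mode 1000 performs) for a short constructed candidate list to spot trivially guessable passwords. The MD4 routine is implemented in pure Python because hashlib's MD4 is frequently unavailable on OpenSSL 3 systems; the candidate list is constructed for this example.

```python
import struct

# Volatility 2 hashdump output copied from the writeup above.
HASHDUMP_OUTPUT = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:10eca58175d4228ece151e287086e824:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
siam:1001:aad3b435b51404eeaad3b435b51404ee:7ab3201ceecd554f772573bb064a0f38:::
HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:99d22b68c0d197f683f3d994c7f31254:::
"""
# Constructed candidate list; it includes the value the writeup recovered with Hashcat.
CANDIDATES = ("password", "Password1", "knight", "squad")

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of an empty password (LM not stored)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password

_M = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _M


def md4(data):
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often missing on OpenSSL 3 systems."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):  # round 1
            a, b, c, d = d, _rotl((a + f(b, c, d) + x[i]) & _M, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, _rotl((a + g(b, c, d) + x[k] + 0x5A827999) & _M, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3
            a, b, c, d = d, _rotl((a + h(b, c, d) + x[r3[i]] + 0x6ED9EBA1) & _M, (3, 9, 11, 15)[i % 4]), b, c
        a0, b0, c0, d0 = (a0 + a) & _M, (b0 + b) & _M, (c0 + c) & _M, (d0 + d) & _M
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password):
    """NT hash = MD4 over the UTF-16LE encoding of the password (Hashcat -m 1000)."""
    return md4(password.encode("utf-16le")).hex()


def parse_pwdump(text):
    """Parse pwdump-style lines: user:rid:lmhash:nthash:::"""
    entries = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        entries.append({"user": parts[0], "rid": int(parts[1]),
                        "lm": parts[2].lower(), "nt": parts[3].lower()})
    return entries


def audit_hashdump(text, candidates=()):
    """Return {user: [findings]} for blank passwords, stored LM hashes and candidate matches."""
    lookup = {nt_hash(c): c for c in candidates}
    findings = {}
    for e in parse_pwdump(text):
        notes = []
        if e["nt"] == EMPTY_NT:
            notes.append("blank password")
        if e["lm"] != EMPTY_LM:
            notes.append("LM hash stored")
        if e["nt"] in lookup:
            notes.append("weak password: " + lookup[e["nt"]])
        findings[e["user"]] = notes
    return findings


if __name__ == "__main__":
    for user, notes in audit_hashdump(HASHDUMP_OUTPUT, CANDIDATES).items():
        print(f"{user:15s} {', '.join(notes) or 'nothing flagged'}")
```

The Guest account shows the empty-password NT value, and every account carries the empty LM value, which means the system stores no LM hashes; only the NT hashes are worth submitting to a cracker.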
3. IP Addr - What is the IP address of this system?
To get the IP address we can use the netscan plugin.
Volatility 2:
szczygielka@hacks$ python2 vol.py -f KnightSquad.DMP --profile=Win7SP1x64 netscan
Volatility Foundation Volatility Framework 2.6.1
Offset(P) Proto Local Address Foreign Address State Pid Owner Created
0xb90dce00 UDPv4 0.0.0.0:3702 *:* 1392 svchost.exe 2023-12-18 15:57:03 UTC+0000
0xb9232d90 UDPv4 0.0.0.0:0 *:* 1432 mfemms.exe 2023-12-18 15:56:56 UTC+0000
0xb9232d90 UDPv6 :::0 *:* 1432 mfemms.exe 2023-12-18 15:56:56 UTC+0000
0xb9236ac0 UDPv4 0.0.0.0:0 *:* 1432 mfemms.exe 2023-12-18 15:56:56 UTC+0000
0xb92cc8a0 UDPv4 10.0.2.15:138 *:* 4 System 2023-12-18 15:56:57 UTC+0000
0xb92ce840 UDPv4 10.0.2.15:137 *:* 4 System 2023-12-18 15:56:57 UTC+0000
0xb92ec010 UDPv4 0.0.0.0:0 *:* 1092 svchost.exe 2023-12-18 15:56:57 UTC+0000
0xb92ec010 UDPv6 :::0 *:* 1092 svchost.exe 2023-12-18 15:56:57 UTC+0000
0xb9480480 UDPv4 0.0.0.0:51204 *:* 1392 svchost.exe 2023-12-18 15:56:53 UTC+0000
0xb9497bb0 UDPv4 0.0.0.0:51205 *:* 1392 svchost.exe 2023-12-18 15:56:53 UTC+0000
0xb9497bb0 UDPv6 :::51205 *:* 1392 svchost.exe 2023-12-18 15:56:53 UTC+0000
0xb95d5010 UDPv4 0.0.0.0:3702 *:* 1392 svchost.exe 2023-12-18 15:57:03 UTC+0000
0xb961d780 UDPv4 0.0.0.0:5004 *:* 3896 wmpnetwk.exe 2023-12-18 15:58:49 UTC+0000
0xb96287b0 UDPv4 0.0.0.0:5005 *:* 3896 wmpnetwk.exe 2023-12-18 15:58:49 UTC+0000
0xb962c400 UDPv4 0.0.0.0:5004 *:* 3896 wmpnetwk.exe 2023-12-18 15:58:49 UTC+0000
0xb962c400 UDPv6 :::5004 *:* 3896 wmpnetwk.exe 2023-12-18 15:58:49 UTC+0000
0xb962ebb0 UDPv4 0.0.0.0:5005 *:* 3896 wmpnetwk.exe 2023-12-18 15:58:49 UTC+0000
0xb962ebb0 UDPv6 :::5005 *:* 3896 wmpnetwk.exe 2023-12-18 15:58:49 UTC+0000
<SNIP>
Volatility 3:
szczygielka@hacks$ python3 vol.py -f KnightSquad.DMP windows.netscan
Volatility 3 Framework 2.5.2
Progress: 100.00 PDB scanning finished
Offset Proto LocalAddr LocalPort ForeignAddr ForeignPort State PID Owner Created
0xb90dce00 UDPv4 0.0.0.0 3702 * 0 1392 svchost.exe 2023-12-18 15:57:03.000000
0xb9232d90 UDPv4 0.0.0.0 0 * 0 1432 mfemms.exe 2023-12-18 15:56:56.000000
0xb9232d90 UDPv6 :: 0 * 0 1432 mfemms.exe 2023-12-18 15:56:56.000000
0xb9236ac0 UDPv4 0.0.0.0 0 * 0 1432 mfemms.exe 2023-12-18 15:56:56.000000
0xb92cc8a0 UDPv4 10.0.2.15 138 * 0 4 System 2023-12-18 15:56:57.000000
0xb92ce840 UDPv4 10.0.2.15 137 * 0 4 System 2023-12-18 15:56:57.000000
0xb92d4010 TCPv4 10.0.2.15 139 0.0.0.0 0 LISTENING 4 System -
0xb92ec010 UDPv4 0.0.0.0 0 * 0 1092 svchost.exe 2023-12-18 15:56:57.000000
0xb92ec010 UDPv6 :: 0 * 0 1092 svchost.exe 2023-12-18 15:56:57.000000
0xb9480480 UDPv4 0.0.0.0 51204 * 0 1392 svchost.exe 2023-12-18 15:56:53.000000
0xb9497bb0 UDPv4 0.0.0.0 51205 * 0 1392 svchost.exe 2023-12-18 15:56:53.000000
0xb9497bb0 UDPv6 :: 51205 * 0 1392 svchost.exe 2023-12-18 15:56:53.000000
0xb94ebc80 TCPv4 0.0.0.0 445 0.0.0.0 0 LISTENING 4 System -
0xb94ebc80 TCPv6 :: 445 :: 0 LISTENING 4 System -
0xb9542cd0 TCPv6 ::1 49181 ::1 2869 CLOSED - - -
0xb95d5010 UDPv4 0.0.0.0 3702 * 0 1392 svchost.exe 2023-12-18 15:57:03.000000
0xb961d780 UDPv4 0.0.0.0 5004 * 0 3896 wmpnetwk.exe 2023-12-18 15:58:49.000000
0xb96287b0 UDPv4 0.0.0.0 5005 * 0 3896 wmpnetwk.exe 2023-12-18 15:58:49.000000
0xb962c400 UDPv4 0.0.0.0 5004 * 0 3896 wmpnetwk.exe 2023-12-18 15:58:49.000000
0xb962c400 UDPv6 :: 5004 * 0 3896 wmpnetwk.exe 2023-12-18 15:58:49.000000
0xb962ebb0 UDPv4 0.0.0.0 5005 * 0 3896 wmpnetwk.exe 2023-12-18 15:58:49.000000
0xb962ebb0 UDPv6 :: 5005 * 0 3896 wmpnetwk.exe 2023-12-18 15:58:49.000000
<SNIP>
The machine's IP address is 10.0.2.15.
Flag:
KCTF{10.0.2.15}
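The two netscan listings above use different layouts (Volatility 2 prints "address:port" columns, Volatility 3 separates address and port), and IPv6 entries such as ":::51205" are easy to split wrongly. As an added example, not part of the original writeup, the following Python parser handles both layouts, derives the host's own addresses by discarding unspecified and loopback bindings, and lists the listening TCP sockets. The sample lines are copied from the outputs above (abridged).

```python
import ipaddress

# Abridged Volatility 2 netscan output from the writeup above.
VOL2_NETSCAN = """\
Offset(P) Proto Local Address Foreign Address State Pid Owner Created
0xb90dce00 UDPv4 0.0.0.0:3702 *:* 1392 svchost.exe 2023-12-18 15:57:03 UTC+0000
0xb9232d90 UDPv6 :::0 *:* 1432 mfemms.exe 2023-12-18 15:56:56 UTC+0000
0xb92cc8a0 UDPv4 10.0.2.15:138 *:* 4 System 2023-12-18 15:56:57 UTC+0000
0xb9497bb0 UDPv6 :::51205 *:* 1392 svchost.exe 2023-12-18 15:56:53 UTC+0000
"""

# Abridged Volatility 3 windows.netscan output from the writeup above.
VOL3_NETSCAN = """\
Offset Proto LocalAddr LocalPort ForeignAddr ForeignPort State PID Owner Created
0xb90dce00 UDPv4 0.0.0.0 3702 * 0 1392 svchost.exe 2023-12-18 15:57:03.000000
0xb92cc8a0 UDPv4 10.0.2.15 138 * 0 4 System 2023-12-18 15:56:57.000000
0xb92d4010 TCPv4 10.0.2.15 139 0.0.0.0 0 LISTENING 4 System -
0xb94ebc80 TCPv4 0.0.0.0 445 0.0.0.0 0 LISTENING 4 System -
0xb94ebc80 TCPv6 :: 445 :: 0 LISTENING 4 System -
0xb9542cd0 TCPv6 ::1 49181 ::1 2869 CLOSED - - -
"""


def _split_hostport(s):
    """Split 'addr:port' on the last colon so IPv6 forms like ':::51205' yield ('::', 51205)."""
    host, _, port = s.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netscan(text):
    """Parse Volatility 2 or 3 netscan lines into dicts; header and malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or not t[0].startswith("0x"):
            continue
        proto = t[1]
        if t[3].isdigit():  # Volatility 3: address and port are separate columns
            laddr, lport = t[2], int(t[3])
            faddr, fport = t[4], (int(t[5]) if t[5].isdigit() else None)
            rest = t[6:]
        else:               # Volatility 2: 'addr:port' columns
            laddr, lport = _split_hostport(t[2])
            faddr, fport = _split_hostport(t[3])
            rest = t[4:]
        state = None
        if proto.startswith("TCP"):  # only TCP rows carry a State column
            state, rest = rest[0], rest[1:]
        pid = int(rest[0]) if rest and rest[0].isdigit() else None
        owner = rest[1] if len(rest) > 1 and rest[1] != "-" else None
        records.append({"offset": t[0], "proto": proto, "laddr": laddr, "lport": lport,
                        "faddr": faddr, "fport": fport, "state": state,
                        "pid": pid, "owner": owner})
    return records


def host_addresses(records):
    """Local addresses that are neither wildcard (0.0.0.0, ::) nor loopback."""
    addrs = set()
    for r in records:
        try:
            ip = ipaddress.ip_address(r["laddr"])
        except ValueError:  # '*' and other non-address tokens
            continue
        if not (ip.is_unspecified or ip.is_loopback):
            addrs.add(r["laddr"])
    return sorted(addrs)


def listening_tcp(records):
    """(port, address, owner) for every TCP socket in LISTENING state."""
    return sorted((r["lport"], r["laddr"], r["owner"] or "")
                  for r in records if r["proto"].startswith("TCP") and r["state"] == "LISTENING")


if __name__ == "__main__":
    for name, text in (("Volatility 2", VOL2_NETSCAN), ("Volatility 3", VOL3_NETSCAN)):
        recs = parse_netscan(text)
        print(name, "host addresses:", host_addresses(recs), "listening:", listening_tcp(recs))
```

Both listings resolve to the same single host address, 10.0.2.15; the Volatility 3 output additionally shows the SMB-related listeners on ports 139 and 445, which the abridged Volatility 2 excerpt does not include.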
4. Note - My boss has written something in the text file. Could you please help me find it?
Let's assume it may be a plain text file, i.e. a .txt file. Let's start by searching for all files of this type using the filescan plugin.
Volatility 2:
szczygielka@hacks$ python2 vol.py -f KnightSquad.DMP --profile=Win7SP1x64 filescan | grep ".txt"
Volatility Foundation Volatility Framework 2.6.1
0x00000000b9ba7bb0 16 0 R--rw- \Device\HarddiskVolume2\Users\siam\Documents\text2.txt
0x00000000b9d1ef20 16 0 R--rw- \Device\HarddiskVolume2\Users\siam\Documents\text.txt
0x00000000bbd7f950 1 1 -W-rw- \Device\HarddiskVolume2\Users\siam\AppData\Local\Temp\FXSAPIDebugLogFile.txt
Volatility 3:
szczygielka@hacks$ python3 vol.py -f KnightSquad.DMP windows.filescan | grep ".txt"
0xb9ba7bb0 \Users\siam\Documents\text2.txt 216
0xb9d1ef20 \Users\siam\Documents\text.txt 216
0xbbd7f950 \Users\siam\AppData\Local\Temp\FXSAPIDebugLogFile.txt 216
Based on the output, we can suspect that it is either the text2.txt file or the text.txt file. To recover a single file, we have to use the address of that file returned by the previous command. Let's try to recover the text2.txt file first.
Volatility 2
When using Volatility 2, we must specify the directory where the recovered file will be saved:
szczygielka@hacks$ python2 vol.py -f KnightSquad.DMP --profile=Win7SP1x64 dumpfiles -Q 0x00000000b9ba7bb0 -D .
Volatility Foundation Volatility Framework 2.6.1
DataSectionObject 0xb9ba7bb0 None \Device\HarddiskVolume2\Users\siam\Documents\text2.txt
Volatility 3
When using Volatility 3, it is not necessary to provide the output path:
szczygielka@hacks$ vol.py -f KnightSquad.DMP windows.dumpfiles --physaddr 0xb9ba7bb0
Volatility 3 Framework 2.5.2
Progress: 100.00 PDB scanning finished
Cache FileObject FileName Result
DataSectionObject 0xb9ba7bb0 text2.txt file.0xb9ba7bb0.0xfa8004edf270.DataSectionObject.text2.txt.dat
The file text2.txt was recovered successfully. After opening it, we can see that part of the first line is encoded in Base64:

After decoding the string from Base64, we get the flag:
szczygielka@hacks$ base64 -d <<< S0NURntSZXNwZWN0X1kwdXJfSGVyNG5raX0=
KCTF{Respect_Y0ur_Her4nki}
Flag:
KCTF{Respect_Y0ur_Her4nki}
5. Execution - My leader, Noman Prodhan, executed something in the cmd of this infected machine. Could you please figure out what he actually executed?
To solve this task, the following information from HackTricks will be helpful:
Commands entered into cmd.exe are processed by conhost.exe (csrss.exe prior to Windows 7). So even if an attacker managed to kill the cmd.exe prior to us obtaining a memory dump, there is still a good chance of recovering history of the command line session from conhost.exe’s memory. If you find something weird (using the console’s modules), try to dump the memory of the conhost.exe associated process and search for strings inside it to extract the command lines.
Volatility 2
In Volatility 2 there are at least 3 commands related to the command line: cmdline, cmdscan and consoles. We will check the output of each of them, because their results may also be useful in solving the Path of the Executable task. For the cmdline and cmdscan commands, we want to find all the results for the conhost.exe process.
The cmdline command
Let's use the cmdline command to search for the conhost.exe process:
szczygielka@hacks$ python2 vol.py -f KnightSquad.DMP --profile=Win7SP1x64 cmdline | grep "conhost.exe"
Volatility Foundation Volatility Framework 2.6.1
conhost.exe pid: 2348
Command line : \??\C:\Windows\system32\conhost.exe "-1209142271685361894-531425533-402668515-715241983-586801334-1893083562-2146092597
conhost.exe pid: 4888
Command line : \??\C:\Windows\system32\conhost.exe "-943315145667469034-835458599-11439838731992957646818159495-191605888-1892123205
conhost.exe pid: 4580
Command line : \??\C:\Windows\system32\conhost.exe "1094193548945927055-9018413218307182252079099763-884703563-73234193-284509992
In this case, the command returned the PIDs of the conhost.exe processes. With the PIDs, we can dump the memory of each process and then search for strings in it, hoping to find commands or other interesting strings (we will do this in Volatility 3).
The cmdscan command
In this case, we can see 2 commands that were executed in the console:
szczygielka@hacks$ python2 vol.py -f KnightSquad.DMP --profile=Win7SP1x64 cmdscan
Volatility Foundation Volatility Framework 2.6.1
**************************************************
CommandProcess: conhost.exe Pid: 4888
CommandHistory: 0x2df850 Application: ModuleCoreService.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x60
**************************************************
CommandProcess: conhost.exe Pid: 4580
CommandHistory: 0x8ebe0 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 2 LastAdded: 1 LastDisplayed: 1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x60
Cmd #0 @ 0x679d0: C:\Users\siam\Documents\windows.bat
Cmd #1 @ 0x6d340: C:\Users\siam\Desktop\NotMyFault\notmyfault64.exe /crash
Cmd #15 @ 0x50158:
Cmd #16 @ 0x8dd50:
The output shows that two commands were executed in the console belonging to the process with PID 4580. As with the cmdline command, we can dump the process memory and search for strings.
The consoles command
The consoles command displays the entire screen buffer (input and output), not just the commands typed into the console. In this case, it turned out to be significant: after executing the consoles command, we get the flag, because the flag was printed in the output of the executed script windows.bat:
szczygielka@hacks$ python2 vol.py -f KnightSquad.DMP --profile=Win7SP1x64 consoles
Volatility Foundation Volatility Framework 2.6.1
**************************************************
ConsoleProcess: conhost.exe Pid: 4888
Console: 0xffdf6200 CommandHistorySize: 50
HistoryBufferCount: 1 HistoryBufferMax: 4
OriginalTitle: C:\Program Files\Common Files\McAfee\ModuleCore\ModuleCoreService.exe
Title: C:\Program Files\Common Files\McAfee\ModuleCore\ModuleCoreService.exe
AttachedProcess: ModuleCoreServ Pid: 4880 Handle: 0x60
----
CommandHistory: 0x2df850 Application: ModuleCoreService.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x60
----
Screen 0x2d0bb0 X:80 Y:300
Dump:
**************************************************
ConsoleProcess: conhost.exe Pid: 4580
Console: 0xffdf6200 CommandHistorySize: 50
HistoryBufferCount: 1 HistoryBufferMax: 4
OriginalTitle: %SystemRoot%\system32\cmd.exe
Title: C:\Windows\system32\cmd.exe
AttachedProcess: cmd.exe Pid: 2656 Handle: 0x60
----
CommandHistory: 0x8ebe0 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 2 LastAdded: 1 LastDisplayed: 1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x60
Cmd #0 at 0x679d0: C:\Users\siam\Documents\windows.bat
Cmd #1 at 0x6d340: C:\Users\siam\Desktop\NotMyFault\notmyfault64.exe /crash
----
Screen 0x710b0 X:80 Y:300
Dump:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\siam>C:\Users\siam\Documents\windows.bat
"KCTF{W3_AR3_tH3_Kn1GHt}"
C:\Users\siam>C:\Users\siam\Desktop\NotMyFault\notmyfault64.exe /crash
C:\Users\siam>
Volatility 3
Unfortunately, Volatility 3 does not have plugins equivalent to the cmdscan and consoles commands. We can only use the cmdline plugin:
szczygielka@hacks$ python3 vol.py -f KnightSquad.DMP windows.cmdline | grep "conhost.exe"
2348 conhost.exe \??\C:\Windows\system32\conhost.exe "-1209142271685361894-531425533-402668515-715241983-586801334-1893083562-2146092597
4888 conhost.exe \??\C:\Windows\system32\conhost.exe "-943315145667469034-835458599-11439838731992957646818159495-191605888-1892123205
4580 conhost.exe \??\C:\Windows\system32\conhost.exe "1094193548945927055-9018413218307182252079099763-884703563-73234193-284509992
The flag is present in each of the above processes. Since the procdump plugin available in Volatility 3 recovers only the .exe file along with its associated DLLs, rather than the process memory, we will use the memmap plugin to dump the process memory. For example, let's dump the process with PID 4888:
szczygielka@hacks$ python3 vol.py -f KnightSquad.DMP windows.memmap --pid 4888 --dump
Using strings on the dumped process memory, we get the flag:
szczygielka@hacks$ strings -a pid.4888.dmp | grep "KCTF{"
echo "KCTF{W3_AR3_tH3_Kn1GHt}"
KCTF{S00ry_Hacker_You_are_wrong}
KCTF{NO-NO-NoTHis-isnot}
Flag:
KCTF{W3_AR3_tH3_Kn1GHt}
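Two things from this task are worth automating when Volatility 3 is the only tool available: turning the cmdscan history blocks into a per-PID command list, and searching a dumped process for strings. One caveat applies to the second step: `strings -a` with its default settings reports only ASCII runs, while conhost.exe keeps its screen buffer as UTF-16LE, so a complete pass also needs the 16-bit little-endian scan (`strings -el` in GNU binutils). The following Python, an added example that is not part of the original writeup, does both: it parses the cmdscan output copied from above, and it extracts ASCII and UTF-16LE strings from a constructed stand-in for the memory dump and filters them by a regular expression.

```python
import re

# cmdscan output copied from the writeup above (abridged).
CMDSCAN_OUTPUT = r"""
CommandProcess: conhost.exe Pid: 4888
CommandHistory: 0x2df850 Application: ModuleCoreService.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
CommandProcess: conhost.exe Pid: 4580
CommandHistory: 0x8ebe0 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 2 LastAdded: 1 LastDisplayed: 1
Cmd #0 @ 0x679d0: C:\Users\siam\Documents\windows.bat
Cmd #1 @ 0x6d340: C:\Users\siam\Desktop\NotMyFault\notmyfault64.exe /crash
Cmd #15 @ 0x50158:
Cmd #16 @ 0x8dd50:
"""

_PROC = re.compile(r"^CommandProcess:\s+\S+\s+Pid:\s+(\d+)")
_CMD = re.compile(r"^Cmd #(\d+) @ 0x[0-9a-fA-F]+:\s*(.*)$")


def parse_cmdscan(text):
    """Map each conhost PID to its non-empty history entries as (index, command) tuples."""
    histories, pid = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = _PROC.match(line)
        if m:
            pid = int(m.group(1))
            histories.setdefault(pid, [])
            continue
        m = _CMD.match(line)
        if m and pid is not None and m.group(2).strip():  # drop stale empty slots like 'Cmd #15'
            histories[pid].append((int(m.group(1)), m.group(2).strip()))
    return histories


# Constructed stand-in for a dumped process: an ASCII batch-file body (as the writeup
# found it) next to a UTF-16LE console screen buffer, separated by zero bytes and noise.
PROCESS_MEMORY = (
    b"\x00" * 16
    + b'echo "KCTF{W3_AR3_tH3_Kn1GHt}"\r\n'
    + b"\x00" * 8
    + "C:\\Users\\siam>C:\\Users\\siam\\Documents\\windows.bat".encode("utf-16le")
    + b"\x00" * 8
    + b"\x7f\x01\x02ab\x03"
)


def extract_strings(buf, min_len=4):
    """Return (offset, encoding, text) for printable ASCII runs and UTF-16LE runs of min_len+ chars."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii")) for m in ascii_re.finditer(buf)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16le")) for m in utf16_re.finditer(buf)]
    return sorted(found)


def grep_strings(buf, pattern, min_len=4):
    """Like `strings -a -el ... | grep pattern`: (encoding, text) for every matching string."""
    rx = re.compile(pattern)
    return [(enc, s) for _, enc, s in extract_strings(buf, min_len) if rx.search(s)]


if __name__ == "__main__":
    for pid, cmds in parse_cmdscan(CMDSCAN_OUTPUT).items():
        print(pid, cmds)
    print(grep_strings(PROCESS_MEMORY, r"KCTF\{"))
    print(grep_strings(PROCESS_MEMORY, r"windows\.bat"))
```

In the constructed buffer the flag line is found only by the ASCII pass and the console prompt only by the UTF-16LE pass, which is why a single-encoding `strings` run over a conhost.exe dump can miss the typed command lines even when the batch file's contents are visible.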
6. Path of the Executable - What is the path folder of the executable file which executed the previous flag?
Volatility 2
In the Execution task, the output of the cmdscan and consoles commands in Volatility 2 contained the full path of the executed windows.bat script, that is:
\Users\siam\Documents\windows.bat
Flag:
KCTF{\Users\siam\Documents}
7. Malicious - What is the malicious software name?
Let's recall the content of the first task:
My boss, Muhammad, sent me this dump file of a memory. He told me that this OS has a malware virus that runs automatically. I need to find some more information about this OS, and the hacker also created some files in this OS. He gave me a task to solve this within 24 hours. I am afraid. Will you please help me? My boss sent some questions; please solve them on my behalf. There are a total of 7 challenges in this series. Best of luck.
So we are most likely looking for some malware that runs automatically.
In Volatility 2 we can use the autoruns plugin to find software that runs automatically. The command to check the autostart entries is as follows:
szczygielka@hacks$ python2 vol.py --plugins=/home/szczygielka/Downloads/OS/volatility2/volatility-autoruns-master -f KnightSquad.DMP --profile=Win7SP1x64 autoruns
Volatility Foundation Volatility Framework 2.6.1
Autoruns==========================================
Hive: \SystemRoot\System32\Config\SOFTWARE
Microsoft\Windows\CurrentVersion\Run (Last modified: 2022-10-06 21:56:19 UTC+0000)
%SystemRoot%\system32\VBoxTray.exe : VBoxTray (PIDs: 3576)
Hive: \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
Software\Microsoft\Windows\CurrentVersion\Run (Last modified: 2009-07-14 04:45:48 UTC+0000)
%ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun : Sidebar (PIDs: )
Hive: \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
Software\Microsoft\Windows\CurrentVersion\Run (Last modified: 2009-07-14 04:45:47 UTC+0000)
%ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun : Sidebar (PIDs: )
Hive: \??\C:\Users\siam\ntuser.dat
Software\Microsoft\Windows\CurrentVersion\Run (Last modified: 2023-12-18 08:20:02 UTC+0000)
Danger : (PIDs: )
Hive: \??\C:\Users\siam\ntuser.dat
Software\Microsoft\Windows\CurrentVersion\Run (Last modified: 2023-12-18 08:20:02 UTC+0000)
C:\Users\ezyzip\MadMan.exe : Danger (PIDs: )
Hive: \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
Software\Microsoft\Windows\CurrentVersion\RunOnce (Last modified: 2011-12-20 12:57:28 UTC+0000)
C:\Windows\System32\mctadmin.exe : mctadmin (PIDs: )
Hive: \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
Software\Microsoft\Windows\CurrentVersion\RunOnce (Last modified: 2011-12-20 12:57:38 UTC+0000)
C:\Windows\System32\mctadmin.exe : mctadmin (PIDs: )
<SNIP>
The MadMan.exe file looks quite suspicious. To dump the suspicious MadMan.exe file, we need its location in memory. We can check it with the command:
szczygielka@hacks$ python2 vol.py -f KnightSquad.DMP --profile=Win7SP1x64 filescan | grep "MadMan.exe"
Volatility Foundation Volatility Framework 2.6.1
0x00000000b9892a10 2 0 R--rwd \Device\HarddiskVolume2\Users\ezyzip\MadMan.exe
0x00000000b9894c00 16 0 R--r-d \Device\HarddiskVolume2\Users\ezyzip\MadMan.exe
The second returned address gives us the actual MadMan.exe executable. Command to dump the MadMan.exe file:
szczygielka@hacks$ python2 vol.py -f KnightSquad.DMP --profile=Win7SP1x64 dumpfiles -Q 0x00000000b9894c00 -D .
After uploading the MadMan.exe file or its hash for analysis to VirusTotal, we can see that the file is flagged as malicious:

Flag:
KCTF{MadMan.exe}
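Picking MadMan.exe out of the autoruns listing by eye works on a short list, but the same judgement can be written down as triage rules. As an added example that is not part of the original writeup, the following Python parses the autoruns output copied from above and scores each Run/RunOnce entry on a few defender heuristics: an image path outside the Windows and Program Files directories, a path under a user profile, a value with no resolvable image path at all, and an entry whose binary has no live process. The %SystemRoot% and %ProgramFiles% expansions and the heuristics themselves are assumptions made for this example, not output of the plugin.

```python
import re
from datetime import datetime

# autoruns output copied from the writeup above (abridged).
AUTORUNS_OUTPUT = r"""
Hive: \SystemRoot\System32\Config\SOFTWARE
Microsoft\Windows\CurrentVersion\Run (Last modified: 2022-10-06 21:56:19 UTC+0000)
%SystemRoot%\system32\VBoxTray.exe : VBoxTray (PIDs: 3576)
Hive: \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
Software\Microsoft\Windows\CurrentVersion\Run (Last modified: 2009-07-14 04:45:48 UTC+0000)
%ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun : Sidebar (PIDs: )
Hive: \??\C:\Users\siam\ntuser.dat
Software\Microsoft\Windows\CurrentVersion\Run (Last modified: 2023-12-18 08:20:02 UTC+0000)
Danger : (PIDs: )
Hive: \??\C:\Users\siam\ntuser.dat
Software\Microsoft\Windows\CurrentVersion\Run (Last modified: 2023-12-18 08:20:02 UTC+0000)
C:\Users\ezyzip\MadMan.exe : Danger (PIDs: )
Hive: \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
Software\Microsoft\Windows\CurrentVersion\RunOnce (Last modified: 2011-12-20 12:57:28 UTC+0000)
C:\Windows\System32\mctadmin.exe : mctadmin (PIDs: )
"""

# Assumed expansions for the environment variables that appear in the output.
ENV = {"%systemroot%": "C:\\Windows", "%programfiles%": "C:\\Program Files"}
# Directories treated as expected locations for autostart binaries (a heuristic, not an allow-list).
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

_KEY = re.compile(r"^(?P<key>\S.*?)\s+\(Last modified:\s+(?P<ts>[\d-]+ [\d:]+)")
_ENTRY = re.compile(r"^(?P<cmd>.+?)\s+:\s+(?P<name>.*?)\s*\(PIDs:\s*(?P<pids>[^)]*)\)\s*$")


def _image_path(command):
    """Expand a leading %VAR% and cut the command line after the first '.exe'."""
    low = command.lower()
    for var, value in ENV.items():
        if low.startswith(var):
            command = value + command[len(var):]
            low = command.lower()
            break
    idx = low.find(".exe")
    return command[: idx + 4] if idx >= 0 else command


def parse_autoruns(text):
    """Walk the Hive / key / entry structure and return one dict per autostart entry."""
    entries, hive, key, ts = [], None, None, datetime.min
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Hive:"):
            hive = line[len("Hive:"):].strip()
            continue
        m = _KEY.match(line)
        if m:
            key = m.group("key")
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            continue
        m = _ENTRY.match(line)
        if m and key:
            entries.append({"hive": hive, "key": key, "modified": ts,
                            "command": m.group("cmd"), "name": m.group("name"),
                            "pids": [int(p) for p in re.findall(r"\d+", m.group("pids"))],
                            "image": _image_path(m.group("cmd"))})
    return entries


def triage(text):
    """Attach heuristic flags to each entry; highest score, then most recent key change, first."""
    scored = []
    for e in parse_autoruns(text):
        flags, low = [], e["image"].lower()
        if not re.match(r"^[a-z]:\\", low):
            flags.append("no resolvable image path")
        elif not low.startswith(SYSTEM_DIRS):
            flags.append("outside Windows/Program Files")
        if low.startswith("c:\\users\\"):
            flags.append("user-profile path")
        if not e["pids"]:
            flags.append("no live process")
        e["flags"], e["score"] = flags, len(flags)
        scored.append(e)
    return sorted(scored, key=lambda e: (e["score"], e["modified"]), reverse=True)


if __name__ == "__main__":
    for e in triage(AUTORUNS_OUTPUT):
        print(e["score"], e["modified"], e["image"], e["flags"])
```

With these rules MadMan.exe ranks first: it is the only entry under a user profile, it is outside the system directories, it has no running process, and its key was modified on the day of the memory capture. The empty "Danger" value in the same key ranks second as an autostart value with no image path, which is itself worth a closer look during an investigation.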