Udomctf Memory Forensics Challenges

The document provides instructions for analyzing a memory dump file using Volatility. Step 1 explains how to export the memory dump file path for use in commands. Step 2 uses hashing to verify the correct file was downloaded. Step 3 answers questions by extracting information from the memory dump, such as determining the machine type is x86-64 based on the PE values. Later steps use Volatility plugins like pslist to find processes and strings to search for patterns, helping to determine how the file was transferred. The last login is identified from the computer name environment variable.

Uploaded by DAVID MGAYA

Step 1: Environment Setup

Let's export the path of the memory image into a variable so that we can easily reference it anywhere in the terminal:

┌──(stuxnet8㉿stuxnet8)-[~/Desktop/UDOMCTF]
└─$ export memo=/home/stuxnet8/Desktop/UDOMCTF/UDOMCYBER.raw

If you want to check it you can just run:

echo $memo

Step 2: Checking that it's the correct file I downloaded and that no errors occurred (compare the hash with the one published for the challenge).

┌──(stuxnet8㉿stuxnet8)-[~/Desktop/volatility/volatility3-1.0.0]
└─$ sha256sum $memo
bed58189367d00655d9b5aaa2563f393e67d3a51635d5198d299a45d8b47b3c6
Step 3: Answering Questions

2: Machine Type

To quickly get the machine type we can use the windows.info plugin of Volatility 3:

┌──(root㉿stuxnet8)-[/home/stuxnet8/Desktop/volatility/volatility3-1.0.0]
└─# python3 vol.py -f $memo windows.info
Volatility 3 Framework 1.0.0
Progress: 100.00 PDB scanning finished
Variable Value
Kernel Base 0xf8020f417000
DTB 0x1aa000
Symbols file:///home/stuxnet8/Desktop/volatility/volatility3-1.0.0/volatility3/symbols/windows/ntkrnlmp.pdb/68A17FAF3012B7846079AEECDBE0A583-1.json.xz
Is64Bit True
IsPAE False
primary 0 WindowsIntel32e
memory_layer 1 FileLayer
KdVersionBlock 0xf80210026398
Major/Minor 15.19041
MachineType 34404
KeNumberProcessors 1
SystemTime 2023-04-20 14:21:53
NtSystemRoot C:\Windows
NtProductType NtProductWinNt
NtMajorVersion 10
NtMinorVersion 0
PE MajorOperatingSystemVersion 10
PE MinorOperatingSystemVersion 0
PE Machine 34404
PE TimeDateStamp Wed Jun 28 04:14:26 1995

Here I wanted to elaborate more on the architecture of the machine. Let's learn:
machine type typically refers to the architecture or instruction set that a computer or
processor uses. It defines the set of instructions that a CPU can understand and execute.
Common machine types include x86 (32-bit), x86_64 (64-bit), ARM, MIPS, and others.
These machine types determine the binary format and structure of executable files compiled
for a specific architecture. So mmmhhhh, it makes sense that the machine type is the same value as
the PE Machine field (PE as in Portable Executable, right). I am surprised this one has so few solves......
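To show what the 34404 printed for MachineType and PE Machine actually encodes, here is an added example (mine, not code from the write-up or from Volatility): it reads the Machine field out of a PE header the same way a PE scan would, using a constructed stub header rather than a real image. 34404 is 0x8664, the PE/COFF code for x86-64, which agrees with Is64Bit True above.

```python
import struct

# IMAGE_FILE_HEADER.Machine values from the PE/COFF specification
MACHINE_TYPES = {
    0x014C: "x86 (I386, 32-bit)",
    0x01C4: "ARM Thumb-2 (32-bit)",
    0x8664: "x86-64 (AMD64)",
    0xAA64: "ARM64",
}


def pe_machine(data: bytes) -> int:
    """Return the COFF Machine field of a PE image (file bytes or a dumped module)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    # e_lfanew at DOS-header offset 0x3C points at the "PE\0\0" signature
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # The COFF file header follows the signature; Machine is its first WORD
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    return machine


def describe_machine(machine: int) -> str:
    return MACHINE_TYPES.get(machine, f"unknown (0x{machine:04x})")


def build_stub_pe(machine: int) -> bytes:
    """Constructed, non-executable PE header used only as sample input."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # PE header directly after the DOS header
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    # 34404 is the decimal MachineType / PE Machine value Volatility printed
    m = pe_machine(build_stub_pe(34404))
    print(f"Machine {m} = 0x{m:04x} -> {describe_machine(m)}")
```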

3: Trash

┌──(root㉿stuxnet8)-[/home/stuxnet8/Desktop/volatility/volatility3-1.0.0]
└─# python3 vol.py -f $memo windows.pslist
.........
Check the bottom of the results:

PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime File output
2772 708 dllhost.exe 0xc883f9292080 2 - 1 False 2023-04-20 14:19:07.000000 N/A Disabled
7148 564 svchost.exe 0xc883f97f0080 3 - 0 False 2023-04-20 14:19:13.000000 N/A Disabled
6192 708 ShellExperienc 0xc883f930f2c0 11 - 1 False 2023-04-20 14:19:15.000000 N/A Disabled
6892 708 RuntimeBroker. 0xc883f926b080 5 - 1 False 2023-04-20 14:19:16.000000 N/A Disabled
764 2700 msedge.exe 0xc883f8a11080 11 - 1 False 2023-04-20 14:20:52.000000 N/A Disabled
6124 708 FileCoAuth.exe 0xc883f921c080 10 - 1 True 2023-04-20 14:21:30.000000 N/A Disabled
6656 708 smartscreen.ex 0xc883f8b16080 10 - 1 False 2023-04-20 14:21:38.000000 N/A Disabled
6300 708 RuntimeBroker. 0xc883f6d05080 7 - 1 False 2023-04-20 14:21:43.000000 N/A Disabled
6140 708 RuntimeBroker. 0xc883f864c080 9 - 1 False 2023-04-20 14:21:44.000000 N/A Disabled
7052 2668 DumpIt.exe 0xc883f9727080 2 - 1 True 2023-04-20 14:21:49.000000 N/A Disabled
5224 7052 conhost.exe 0xc883f981d080 6 - 1 False 2023-04-20 14:21:49.000000 N/A Disabled

OK, a simple Google search for common tools used for acquiring memory images would have
given you the result. Still very few solves, only 3..... come on guys.

Let me first laugh hahaaaaaaa ...... : ) @samoh is going to hate me for this one.
I think this is supposed to be the easiest of all, because firstly the answer is in the question itself,
plus it's one of the most popular viruses that has ever existed. I will not solve this one; you
already have the answer to that..... it encrypts data.
6: CMD

┌──(root㉿stuxnet8)-[/home/stuxnet8/Desktop/volatility/volatility3-1.0.0]
└─# python3 vol.py -f $memo windows.pslist
Volatility 3 Framework 1.0.0
.......
PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime File output
5032 564 svchost.exe 0xc883f94a4080 4 - 0 False 2023-04-20 14:01:28.000000 N/A Disabled
2152 964 taskhostw.exe 0xc883f8ae30c0 2 - 1 False 2023-04-20 14:11:04.000000 N/A Disabled
6348 2668 git-bash.exe 0xc883f879b080 1 - 1 False 2023-04-20 14:14:59.000000 N/A Disabled
6320 6348 mintty.exe 0xc883f63d5340 8 - 1 False 2023-04-20 14:14:59.000000 N/A Disabled
2380 6320 mintty.exe 0xc883f9d41340 0 - 1 False 2023-04-20 14:15:00.000000 2023-04-20 14:15:01.000000 Disabled
3416 2380 cygwin-console 0xc883f9eba0c0 0 - 1 False 2023-04-20 14:15:00.000000 2023-04-20 14:15:01.000000 Disabled
1036 3416 conhost.exe 0xc883f84d4300 3 - 1 False 2023-04-20 14:15:01.000000 N/A Disabled
6632 2380 bash.exe 0xc883f98350c0 3 - 1 False 2023-04-20 14:15:01.000000 N/A Disabled
2664 2700 msedge.exe 0xc883f948b080 16 - 1 False 2023-04-20 14:15:17.000000 N/A Disabled
6580 2700 msedge.exe 0xc883f9832080 19 - 1 False 2023-04-20 14:16:44.000000 N/A Disabled
5832 1408 audiodg.exe 0xc883f96d72c0 6 - 0 False 2023-04-20 14:16:50.000000 N/A Disabled
2500 708 explorer.exe 0xc883f8ab6080 7 - 1 False 2023-04-20 14:19:00.000000 N/A Disabled
2772 708 dllhost.exe 0xc883f9292080 2 - 1 False 2023-04-20 14:19:07.000000 N/A Disabled
7148 564 svchost.exe 0xc883f97f0080 3 - 0 False 2023-04-20 14:19:13.000000 N/A Disabled
6192 708 ShellExperienc 0xc883f930f2c0 11 - 1 False 2023-04-20 14:19:15.000000 N/A Disabled
6892 708 RuntimeBroker. 0xc883f926b080 5 - 1 False 2023-04-20 14:19:16.000000 N/A Disabled
764 2700 msedge.exe 0xc883f8a11080 11 - 1 False 2023-04-20 14:20:52.000000 N/A Disabled
6124 708 FileCoAuth.exe 0xc883f921c080 10 - 1 True 2023-04-20 14:21:30.000000 N/A Disabled
6656 708 smartscreen.ex 0xc883f8b16080 10 - 1 False 2023-04-20 14:21:38.000000 N/A Disabled
6300 708 RuntimeBroker. 0xc883f6d05080 7 - 1 False 2023-04-20 14:21:43.000000 N/A Disabled
6140 708 RuntimeBroker. 0xc883f864c080 9 - 1 False 2023-04-20 14:21:44.000000 N/A Disabled
7052 2668 DumpIt.exe 0xc883f9727080 2 - 1 True 2023-04-20 14:21:49.000000 N/A Disabled
5224 7052 conhost.exe 0xc883f981d080 6 - 1 False 2023-04-20 14:21:49.000000 N/A Disabled
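As an added example (mine, not code from the write-up or from Volatility), here is a small parser that rebuilds the parent/child chain from pslist rows like the ones above, so the git-bash.exe to mintty.exe to bash.exe chain and the DumpIt.exe with its conhost.exe child read as a tree. The sample rows are copied from the output above, joined to one process per line, and the Wow64 column is kept because DumpIt.exe shows True there (a 32-bit process on this 64-bit host).

```python
import re
from collections import defaultdict
# Constructed sample: rows from the write-up's pslist output, joined to one process per line.
PSLIST_SAMPLE = """\
6348 2668 git-bash.exe 0xc883f879b080 1 - 1 False 2023-04-20 14:14:59.000000 N/A Disabled
6320 6348 mintty.exe 0xc883f63d5340 8 - 1 False 2023-04-20 14:14:59.000000 N/A Disabled
2380 6320 mintty.exe 0xc883f9d41340 0 - 1 False 2023-04-20 14:15:00.000000 2023-04-20 14:15:01.000000 Disabled
3416 2380 cygwin-console 0xc883f9eba0c0 0 - 1 False 2023-04-20 14:15:00.000000 2023-04-20 14:15:01.000000 Disabled
1036 3416 conhost.exe 0xc883f84d4300 3 - 1 False 2023-04-20 14:15:01.000000 N/A Disabled
6632 2380 bash.exe 0xc883f98350c0 3 - 1 False 2023-04-20 14:15:01.000000 N/A Disabled
7052 2668 DumpIt.exe 0xc883f9727080 2 - 1 True 2023-04-20 14:21:49.000000 N/A Disabled
5224 7052 conhost.exe 0xc883f981d080 6 - 1 False 2023-04-20 14:21:49.000000 N/A Disabled
"""
ROW = re.compile(r"^(\d+)\s+(\d+)\s+(\S+)\s+0x[0-9a-f]+\s+\S+\s+\S+\s+\S+\s+(True|False)\s+(\S+ \S+)")

def parse_pslist(text):
    """Map PID -> {ppid, name, wow64, created}; banner/header lines do not match and are skipped."""
    procs = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            procs[int(m[1])] = {"ppid": int(m[2]), "name": m[3],
                                "wow64": m[4] == "True", "created": m[5]}
    return procs

def ancestry(procs, pid):
    """Image names from pid upward until the parent is missing from the listing."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid]["name"])
        pid = procs[pid]["ppid"]
    return chain

def render_tree(procs, root):
    """Indented parent/child view below a PPID, children ordered by creation time."""
    kids = defaultdict(list)
    for pid, p in procs.items():
        kids[p["ppid"]].append(pid)
    out = []
    def walk(ppid, depth):
        for pid in sorted(kids[ppid], key=lambda c: procs[c]["created"]):
            p = procs[pid]
            out.append(f"{'  ' * depth}{pid} {p['name']}{' [WOW64]' if p['wow64'] else ''} {p['created']}")
            walk(pid, depth + 1)
    walk(root, 0)
    return "\n".join(out)

if __name__ == "__main__":
    print(render_tree(parse_pslist(PSLIST_SAMPLE), 2668))  # 2668: shared PPID of git-bash.exe and DumpIt.exe
```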

7:

strings $memo | grep -i send

Look closely and you will see how the user wanted to send the file:

"string"}},"type":"o@SH
?
LoggingSendTelemetryEvent@@YGXAAUTelemetryEvent@@QAUStructuredEventParameter@@@Z
OneRmManager::SendOneRmTelemetry::<lambda_0af931efbd7470ca5a2a6a5b9c56f126>::operator ()
sisSendFeedbackEnabledByPolicy
BatteryStatusManager::SendBatterySaverOn
init_recording_on_send
how to send virus through email - Search
popupSendFeedback
sendFeedbackHeader
Advanced Keylogger is watching youPreparing to send log via email...PRODUCED BY ADVANCED KEYLOGGER LOG PARSER
https://bing.com https://th.bing.com/th?q=How+We+Send+File+in+G
tabs.sendRequest
RTCDTMFSender
RTCRtpSender

8: Last Login

OK, surprisingly no one solved this one, so I had to solve it myself. The trick was knowing the last
logon computer/server. I know most people were trying UDOM{mpoti}, but that's the user
account; the PC name was the one needed. See, when computers are connected in a
network they are not identified by the user account but rather by the computer name. That's the
last logon user. I got this knowledge from a close friend from Egypt, @Mmox. Additionally, the
$ must be appended to the name of the computer. Why that is, you should find out.

┌──(root㉿stuxnet8)-[/home/stuxnet8/Desktop/volatility/volatility3-1.0.0]
└─# python3 vol.py -f $memo windows.env | grep -i computername
472 wininit.exe 0x1f4d2e015c0 COMPUTERNAME DESKTOP-NQ555HE
564 services.exe 0x2faa5803120 COMPUTERNAME DESKTOP-NQ555HE
572 lsass.exe 0x24027203120 COMPUTERNAME DESKTOP-NQ555HE
708 svchost.exe 0x2e846003310 COMPUTERNAME DESKTOP-NQ555HE
784 svchost.exe 0x1a4b2603390 COMPUTERNAME DESKTOP-NQ555HE
872 dwm.exe 0x28d1d2f1910 COMPUTERNAME DESKTOP-NQ555HE
964 svchost.exe 0x29f44803310 COMPUTERNAME DESKTOP-NQ555HE
984 svchost.exe 0x16070803380 COMPUTERNAME DESKTOP-NQ555HE
1004 svchost.exe 0x19e4fc03380 COMPUTERNAME DESKTOP-NQ555HE

Or one could just run:

┌──(root㉿stuxnet8)-[/home/stuxnet8/Desktop/volatility/volatility3-1.0.0]
└─# python3 vol.py -f $memo windows.env | grep -i logon
2388 sihost.exe 0x213b50f1c40 LOGONSERVER \\DESKTOP-NQ555HE
2492 svchost.exe 0x233bfe03460 LOGONSERVER \\DESKTOP-NQ555HE
2668 explorer.exe 0xbf1c70 LOGONSERVER \\DESKTOP-NQ555HE
2688 taskhostw.exe 0x149fa811c40 LOGONSERVER \\DESKTOP-NQ555HE
2800 ctfmon.exe 0x24293c21c40 LOGONSERVER \\DESKTOP-NQ555HE
2228 svchost.exe 0x1d21be03460 LOGONSERVER \\DESKTOP-NQ555HE
3624 StartMenuExper 0x19c486035f0 LOGONSERVER \\DESKTOP-NQ555HE
3912 RuntimeBroker. 0x281d2e03460 LOGONSERVER \\DESKTOP-NQ555HE
4404 RuntimeBroker. 0x203e1a03460 LOGONSERVER \\DESKTOP-NQ555HE
3300 RuntimeBroker. 0x1f3c3c03460 LOGONSERVER \\DESKTOP-NQ555HE
4312 RuntimeBroker. 0x17d48a03460 LOGONSERVER \\DESKTOP-NQ555HE
4652 SecurityHealth 0x18badfe1d30 LOGONSERVER \\DESKTOP-NQ555HE

NB: Remember to include the $ at the end of the computer name.

8: Funguo still zero solves

┌──(root㉿stuxnet8)-[/home/stuxnet8/Desktop/volatility/volatility3-1.0.0]
└─# python3 vol.py -f $memo windows.registry.userassist.UserAssist
Volatility 3 Framework 1.0.0
Progress: 100.00 PDB scanning finished
Hive Offset Hive Name Path Last Write Time Type Name ID Count Focus Count Time Focused Last Updated Raw Data

0xde0d46feb000 hive0xde0d46feb000 - - - - - - - - - -
0xde0d4713b000 hive0xde0d4713b000 - - - - - - - - - -
0xde0d48018000 hive0xde0d48018000 - - - - - - - - - -

9: My Git.

OK, since we know the virus already, we need to know where it was downloaded from, so
a simple strings can do the magic.

command

strings $memo | grep -i wanna

wannacry
!wannadecryptor!.exeu.wry
Global\MsWinZonesCacheCounterMutexAtasksche.exeWNcry@2ol7t.wnryTaskStartRansom:Win32/WannaCrypt!rfn
4ABehavior:Win32/WannaCrypt.B!rsm
Wanna
Wanna
wannacry
https://www.bing.com/search?pglt=43&q=download+wannacry+sample&cvid=6246daa8a24740459f30c65b72f8748d&aqs=edge.2.0l8j69i64.76415j0j1&FORM=ANNTA1&PC=U531
cry.zip"Bhttps://github.com/5l1v3r1/WannacrySample-1/blob/main/wannacry.zip*
Ahttps://github.com/5l1v3r1/WannacrySample-1/raw/main/wannacry.zip
Lhttps://raw.githubusercontent.com/5l1v3r1/WannacrySample-1/main/wannacry.zip
Bhttps://github.com/5l1v3r1/WannacrySample-1/blob/main/wannacry.zip"Bhttps://github.com/5l1v3r1/WannacrySample-1/blob/main/wannacry.zip*
Ahttps://github.com/5l1v3r1/WannacrySample-1/raw/main/wannacry.zip
Lhttps://raw.githubusercontent.com/5l1v3r1/WannacrySample-1/main/wannacry.zip
Bhttps://github.com/5l1v3r1/WannacrySample-1/blob/main/wannacry.zip"Bhttps://github.com/5l1v3r1/WannacrySample-1/blob/main/wannacry.zip*
Ahttps://github.com/5l1v3r1/WannacrySample-1/raw/main/wannacry.zip
Lhttps://raw.githubusercontent.com/5l1v3r1/WannacrySample-1/main/wannacry.zip
Bhttps://github.com/5l1v3r1/WannacrySample-1/blob/main/wannacry.zip"Bhttps://github.com/5l1v3r1/WannacrySample-1/blob/main/wannacry.zip*
Ahttps://github.com/5l1v3r1/WannacrySample-1/raw/main/wannacry.zip
Lhttps://raw.githubusercontent.com/5l1v3r1/WannacrySample-1/main/wannacry.zip
Bhttps://github.com/5l1v3r1/WannacrySample-1/blob/main/wannacry.zip"Bhttps://github.com/5l1v3r1/WannacrySample-1/blob/main/wannacry.zip*
https://www.bing.com/search?q=how+to+send+wanna+cry+lyrics&cvid=f53a77a1c0274f81b308aea36b079724&aqs=edge.1.69i57j0&FORM=ANAB01&PC=U531
https://www.bing.com/search?q=how+to+send+wanna+cry+lyrics&cvid=f53a77a1c0274f81b308aea36b079724&aqs=edge.1.69i57j0&FORM=ANAB01&PC=U531

Follow the GitHub URL and you will have your answer.
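The strings | grep -i steps in sections 7 and 9 can be reproduced and extended in Python. This added example (mine, not part of the write-up) is a strings(1)-style scanner over a constructed byte buffer that also decodes the q= parameter of any search-engine URL it finds, which is what turns download+wannacry+sample back into the plain search query. The buffer is constructed here from a handful of the strings shown above, padded with binary filler.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample "memory": binary filler around a few strings taken from the
# write-up's grep output (the Bing URL is shortened to the parameters that matter).
SAMPLE = (
    b"\x00\x01\x02\xffMZ\x90\x00"
    b"how to send virus through email - Search\x00\x00"
    b"\x7f\x13\x00https://www.bing.com/search?pglt=43&q=download+wannacry+sample&FORM=ANNTA1\x00"
    b"\x00\x00RTCRtpSender\x00\xde\xad"
    b"https://github.com/5l1v3r1/WannacrySample-1/raw/main/wannacry.zip\x00\xbe\xef"
)

def strings(data, minlen=4):
    """strings(1) equivalent: runs of at least minlen printable ASCII bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % minlen
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]

def grep(lines, pattern):
    """grep -i: keep strings whose text matches the pattern, case-insensitively."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [s for s in lines if rx.search(s)]

def search_queries(lines):
    """(host, decoded q= parameter) for every URL carrying a search query."""
    found = []
    for s in lines:
        for url in re.findall(r"https?://\S+", s):
            parts = urlsplit(url)
            q = parse_qs(parts.query).get("q")  # parse_qs turns '+' back into spaces
            if q:
                found.append((parts.netloc, q[0]))
    return found

if __name__ == "__main__":
    hits = strings(SAMPLE)
    print("send   :", grep(hits, "send"))
    print("wanna  :", grep(hits, "wanna"))
    print("queries:", search_queries(hits))
```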

The last question you guys already answered, plus the hint is provided.

I apologize, but I'm currently unable to properly document or write this write-up due to a
busy schedule and upcoming exams. There is just soo much I could explain, but yeahhh,
hope this is helpful.
