rogueone

Released: 2023-11-17
Retired: 2025-01-16
Author: CyberJunkie

Scenario

Your SIEM system generated multiple alerts in less than a minute, indicating potential C2 communication from Simon Stark’s workstation. Despite Simon not noticing anything unusual, the IT team had him share screenshots of his task manager to check for any unusual processes. No suspicious processes were found, yet alerts about C2 communications persisted. The SOC manager then directed the immediate containment of the workstation and a memory dump for analysis. As a memory forensics expert, you are tasked with assisting the SOC team at Forela to investigate and resolve this urgent incident.


Task 01

Question: Please identify the malicious process and confirm the process ID of the malicious process.

A memory image is available for analysis, and volatility3 can be used to analyze such memory dumps. There are several ways to approach the initial detection of a potentially malicious process. Since later questions also mention C2 traffic, one valid option is to inspect the network connections preserved in the image for anomalies or unusual patterns. volatility3 offers several plugins for this, including netscan, which scans the image for network objects and correlates them with the owning process, local and remote IP addresses, and ports. In the output, one process, purportedly svchost.exe, stands out because it holds an ESTABLISHED connection to an external IP on port 8888, which is not a port a legitimate svchost.exe service would normally talk to.

vol -f .\20230810.mem windows.netscan

Offset  	    Proto   LocalAddr    	LocalPort   ForeignAddr 	ForeignPort State   	PID 	Owner   	Created
[...]
0x9e8b8cb58010  TCPv4   172.17.79.131   64254   	13.127.155.166  8888    	ESTABLISHED 6812    svchost.exe 2023-08-10 11:30:03.000000

Answer: 6812


Task 02

Question: The SOC team believe the malicious process may have spawned another process which enabled the threat actor to execute commands. What is the process ID of that child process?

To examine the process hierarchy, plugins such as pslist, pstree, or psscan can be used to list active (and, with psscan, in some cases already terminated) processes and their parent/child relationships. In the pstree output it becomes evident that a cmd.exe process (PID 4364) has the malicious process with PID 6812, confirmed in Task 1, as its parent.

vol -f .\20230810.mem windows.pstree

     PID    PPID    ImageFileName   Offset(V)	 Threads Handles	SessionId	Wow64	CreateTime	ExitTime
[...]
***  6812   7436    svchost.exe   0x9e8b87762080 3	-    1	False	2023-08-10 11:30:03.000000 	N/A
**** 4364   6812    cmd.exe       0x9e8b8b6ef080 1	-    1	False	2023-08-10 11:30:57.000000 	N/A

Answer: 4364
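The triage from Task 1 and Task 2 can be scripted so the same check runs over any netscan and pstree listing: flag ESTABLISHED connections from the image to public IPs on uncommon ports, then walk the process tree from the flagged PID to its children. This is an added example, not part of the original write-up or of volatility3; the sample rows are constructed from the listings above (the parent process name for PID 7436 and the extra rows are hypothetical).

```python
import ipaddress

# Constructed sample rows modelled on the volatility3 windows.netscan and
# windows.pstree output above (hypothetical, not from a real image).
NETSCAN = """\
Offset Proto LocalAddr LocalPort ForeignAddr ForeignPort State PID Owner Created
0x9e8b8cb58010 TCPv4 172.17.79.131 64254 13.127.155.166 8888 ESTABLISHED 6812 svchost.exe 2023-08-10 11:30:03.000000
0x9e8b8cb58011 TCPv4 172.17.79.131 49701 172.17.79.4 445 ESTABLISHED 4 System 2023-08-10 09:12:44.000000
0x9e8b8cb58012 TCPv4 0.0.0.0 135 0.0.0.0 0 LISTENING 912 svchost.exe 2023-08-10 09:11:02.000000
"""
PSTREE = """\
PID PPID ImageFileName Offset(V)
* 7436 1 explorer.exe 0x9e8b88000080
** 6812 7436 svchost.exe 0x9e8b87762080
*** 4364 6812 cmd.exe 0x9e8b8b6ef080
* 700 580 services.exe 0x9e8b85000080
** 912 700 svchost.exe 0x9e8b86000080
"""

# Ports that commonly appear in benign outbound traffic; anything else to a
# public address is worth a second look (a heuristic, not a verdict).
COMMON_PORTS = frozenset({80, 443, 53, 445, 135, 139, 3389})


def suspicious_connections(netscan_text, common_ports=COMMON_PORTS):
    """Return (pid, owner, remote_ip, remote_port) for ESTABLISHED
    connections to non-private addresses on ports outside common_ports."""
    hits = []
    for line in netscan_text.splitlines():
        f = line.split()
        if len(f) < 9 or f[6] != "ESTABLISHED":
            continue  # header, [...] markers, listeners
        remote, port = f[4], int(f[5])
        if ipaddress.ip_address(remote).is_private or port in common_ports:
            continue
        hits.append((int(f[7]), f[8], remote, port))
    return hits


def parse_pstree(pstree_text):
    """Map pid -> {ppid, name, offset}, dropping pstree's '*' depth markers."""
    tree = {}
    for line in pstree_text.splitlines():
        f = [t for t in line.split() if set(t) != {"*"}]
        if len(f) < 4 or not f[0].isdigit():
            continue  # header line
        tree[int(f[0])] = {"ppid": int(f[1]), "name": f[2], "offset": f[3]}
    return tree


def children(tree, pid):
    """Direct children of pid as (pid, name, offset), e.g. the spawned shell."""
    return [(p, e["name"], e["offset"]) for p, e in tree.items() if e["ppid"] == pid]
```

In practice the constants would be replaced by the captured plugin output (`vol -f image.mem windows.netscan > netscan.txt`), and the offset stored in the tree is the same value asked for in Task 6.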


Task 03

Question: The reverse engineering team needs the malicious file sample to analyze. Your SOC manager instructed you to find the hash of the file and then forward the sample to the reverse engineering team. What's the MD5 hash of the malicious file?

To obtain the file, the dumpfiles plugin can be run with the process ID, which exports every file object the process references from the memory image. One of these is the ImageSectionObject of the .exe that was executed, i.e. the malicious file itself. Note that a PE reconstructed from memory does not always hash identically to the on-disk file, so the hash should be cross-checked against the original sample where one is available; in this case the dumped image yields the expected value.

vol -f .\20230810.mem windows.dumpfiles.DumpFiles --pid 6812

Cache   FileObject      FileName        Result
[...]
ImageSectionObject      0x9e8b91ec0140  svchost.exe     file.0x9e8b91ec0140.0x9e8b957f24c0.ImageSectionObject.svchost.exe.img

Afterward, the MD5 hash can be computed with the Get-FileHash cmdlet using the -Algorithm parameter.

Get-FileHash -Algorithm MD5 file.0x9e8b91ec0140.0x9e8b957f24c0.ImageSectionObject.svchost.exe.img | Select-Object Hash

Hash
----
5BD547C6F5BFC4858FE62C8867ACFBB5

Answer: 5BD547C6F5BFC4858FE62C8867ACFBB5


Task 04

Question: In order to find the scope of the incident, the SOC manager has deployed a threat hunting team to sweep across the environment for any indicator of compromise. It would be a great help to the team if you are able to confirm the C2 IP address and ports so our team can utilise these in their sweep.

The answer to this question is already visible in the netscan output from Task 1, since the unusual remote port was what initially identified the malicious process.

Answer: 13.127.155.166:8888


Task 05

Question: We need a timeline to help us scope out the incident and help the wider DFIR team to perform root cause analysis. Can you confirm the time the process was executed and the C2 channel was established?

This question can also be answered from the netscan output in Task 1, where the Created timestamp of the connection is already visible and matches the CreateTime of the process in the pstree output.

Answer: 10/08/2023 11:30:03


Task 06

Question: What is the memory offset of the malicious process?

This question can also be answered from a previous output, in this case the pstree listing from Task 2, which shows the virtual offset of each process alongside the other information.

Answer: 0x9e8b87762080


Task 07

Question: You successfully analyzed a memory dump and received praise from your manager. The following day, your manager requests an update on the malicious file. You check VirusTotal and find that the file has already been uploaded, likely by the reverse engineering team. Your task is to determine when the sample was first submitted to VirusTotal.

Using the MD5 hash from Task 3, the sample can be looked up on VirusTotal. The Details tab lists the First Submission date, among other information.

https://www.virustotal.com/gui/file/eaf09578d6eca82501aa2b3fcef473c3795ea365a9b33a252e5dc712c62981ea/details

Answer: 10/08/2023 11:58:10