Cyber Defenders - DeepDive CTF
Intro
CyberDefenders.org has a fun challenge where you have to dissect a memory dump with a hidden process.
You are provided with the following files to aid in your analysis:
- Memory dump
Walkthrough
1) What profile should you use for this memory sample?
python ./vol.py -f ~/Downloads/banking-malware.vmem kdbgscan
**************************************************
Instantiating KDBG using: ~/Downloads/banking-malware.vmem WinXPSP2x86 (5.1.0 32bit)
Offset (P) : 0x2bef120
KDBG owner tag check : True
Profile suggestion (KDBGHeader): Win7SP1x64_24000
PsActiveProcessHead : 0x2c28940
PsLoadedModuleList : 0x2c46c90
KernelBase : 0xfffff80002a0c000
Answer:
Win7SP1x64_24000
2) What is the KDBG virtual address of the memory sample?
python ./vol.py -f ~/Downloads/banking-malware.vmem --profile=Win7SP1x64_24000 imageinfo
Volatility Foundation Volatility Framework 2.6.1
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418 (Instantiated with Win7SP1x64_24000)
AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (~/Downloads/banking-malware.vmem)
PAE type : No PAE
DTB : 0x187000L
KDBG : 0xf80002bef120L
Answer:
0xf80002bef120
3) There is a malicious process running, but it’s hidden. What’s its name?
python ./vol.py -f ~/Downloads/banking-malware.vmem --profile=Win7SP1x64_24000 psxview
Offset(P) Name PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
------------------ -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
0x000000007d336950 vds_ps.exe 2448 False False True True True True True
Answer:
vds_ps.exe
4) What is the physical offset of the malicious process?
Answer:
0x000000007d336950
5) What is the full path (including executable name) of the hidden executable?
python ./vol.py -f ~/Downloads/banking-malware.vmem --profile=Win7SP1x64_24000 vadinfo -o 0x000000007d336950|grep exe
Volatility Foundation Volatility Framework 2.6.1
FileObject @fffffa80046035d0, Name: \Device\HarddiskVolume1\Users\john\AppData\Local\api-ms-win-service-management-l2-1-0\vds_ps.exe
Answer:
C:\Users\john\AppData\Local\api-ms-win-service-management-l2-1-0\vds_ps.exe
6) Which malware is this?
Answer:
emotet
7) The malicious process had two PEs injected into its memory. What’s the size in bytes of the Vad that contains the largest injected PE? Answer in hex, like: 0xABC
Hint:
- Dump VAD
python ./vol.py -f ~/Downloads/banking-malware.vmem --profile=Win7SP1x64_24000 vaddump --offset 0x000000007d336950 -D emotet
- Run clamscan on VAD dump files to find droppers
vds_ps.exe.7d336950.0x0000000002a10000-0x0000000002a2cfff.dmp: Win.Trojan.Emotet-6736162-1 FOUND
vds_ps.exe.7d336950.0x0000000000400000-0x000000000045ffff.dmp: Win.Dropper.Trickbot-9782007-0 FOUND
- injected PEs normally have the Protection flag PAGE_EXECUTE_READWRITE
python ./vol.py -f ~/Downloads/banking-malware.vmem --profile=Win7SP1x64_24000 vadinfo --offset=0x000000007d336950|grep -B 3 PAGE_EXECUTE_READWRITE
Volatility Foundation Volatility Framework 2.6.1
VAD node @ 0xfffffa8004058b00 Start 0x0000000000220000 End 0x000000000023ffff Tag VadS
Flags: CommitCharge: 32, MemCommit: 1, PrivateMemory: 1, Protection: 6
Protection: PAGE_EXECUTE_READWRITE
--
VAD node @ 0xfffffa800589cc00 Start 0x0000000002a10000 End 0x0000000002a2cfff Tag VadS
Flags: CommitCharge: 29, MemCommit: 1, PrivateMemory: 1, Protection: 6
Protection: PAGE_EXECUTE_READWRITE
--
VAD node @ 0xfffffa8002f1b640 Start 0x0000000002a80000 End 0x0000000002ab6fff Tag VadS
Flags: CommitCharge: 55, MemCommit: 1, PrivateMemory: 1, Protection: 6
Protection: PAGE_EXECUTE_READWRITE
--
VAD node @ 0xfffffa8004643780 Start 0x0000000077900000 End 0x0000000077a1efff Tag VadS
Flags: PrivateMemory: 1, Protection: 6
Protection: PAGE_EXECUTE_READWRITE
--
VAD node @ 0xfffffa800464c560 Start 0x0000000077a20000 End 0x0000000077b19fff Tag VadS
Flags: PrivateMemory: 1, Protection: 6
Protection: PAGE_EXECUTE_READWRITE
Answer:
0x36FFF
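To make the VAD selection above reproducible, here is an added Python example (not part of the original walkthrough) that parses the vadinfo output shown above, keeps only committed PAGE_EXECUTE_READWRITE nodes, and reports the largest one in the challenge's End - Start convention; it assumes the output format of Volatility 2's vadinfo as printed on this page.

```python
import re

# vadinfo output for the hidden process, copied from the walkthrough above
# (the page's own RWX nodes, "--" separators dropped).
VADINFO_OUTPUT = """\
VAD node @ 0xfffffa8004058b00 Start 0x0000000000220000 End 0x000000000023ffff Tag VadS
Flags: CommitCharge: 32, MemCommit: 1, PrivateMemory: 1, Protection: 6
Protection: PAGE_EXECUTE_READWRITE
VAD node @ 0xfffffa800589cc00 Start 0x0000000002a10000 End 0x0000000002a2cfff Tag VadS
Flags: CommitCharge: 29, MemCommit: 1, PrivateMemory: 1, Protection: 6
Protection: PAGE_EXECUTE_READWRITE
VAD node @ 0xfffffa8002f1b640 Start 0x0000000002a80000 End 0x0000000002ab6fff Tag VadS
Flags: CommitCharge: 55, MemCommit: 1, PrivateMemory: 1, Protection: 6
Protection: PAGE_EXECUTE_READWRITE
VAD node @ 0xfffffa8004643780 Start 0x0000000077900000 End 0x0000000077a1efff Tag VadS
Flags: PrivateMemory: 1, Protection: 6
Protection: PAGE_EXECUTE_READWRITE
VAD node @ 0xfffffa800464c560 Start 0x0000000077a20000 End 0x0000000077b19fff Tag VadS
Flags: PrivateMemory: 1, Protection: 6
Protection: PAGE_EXECUTE_READWRITE
"""

NODE_RE = re.compile(r"VAD node @ 0x[0-9a-f]+ Start (0x[0-9a-f]+) End (0x[0-9a-f]+)")

def parse_vadinfo(text):
    """Return one dict per VAD node: start, end, commit charge, protection name."""
    nodes = []
    for line in text.splitlines():
        m = NODE_RE.match(line)
        if m:
            nodes.append({"start": int(m.group(1), 16), "end": int(m.group(2), 16),
                          "commit": 0, "protection": ""})
        elif line.startswith("Flags:") and nodes:
            # CommitCharge appears only when pages are actually committed.
            cc = re.search(r"CommitCharge: (\d+)", line)
            nodes[-1]["commit"] = int(cc.group(1)) if cc else 0
        elif line.startswith("Protection:") and nodes:
            nodes[-1]["protection"] = line.split()[1]
    return nodes

def largest_rwx_vad(text):
    """(start, end, size) of the biggest committed PAGE_EXECUTE_READWRITE VAD.

    Size uses the challenge's End - Start convention (the 0x36FFF answer); the
    inclusive byte count is one more. Reserved-only nodes (no CommitCharge) hold
    no pages, so the two larger nodes at 0x77900000 and 0x77a20000 are skipped.
    """
    rwx = [n for n in parse_vadinfo(text)
           if n["protection"] == "PAGE_EXECUTE_READWRITE" and n["commit"] > 0]
    best = max(rwx, key=lambda n: n["end"] - n["start"])
    return best["start"], best["end"], best["end"] - best["start"]
```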
8) This process was unlinked from the ActiveProcessLinks list. Follow its forward link. Which process does it lead to? Answer with its name and extension
- We read the next process straight off the pslist output we captured earlier
Answer:
SearchIndexer.exe
9) What is the pooltag of the malicious process in ascii? (HINT: use volshell)
Hint:
- use vaddump to retrieve the physical offset: 0x000000007d336950
- volshell Command-Reference
dt("_EPROCESS",0x000000007d336950, space=addrspace().base)
but that lands on the object header, so we need to move a number of bytes backwards
- WinXP - Win7 cbDataOffsetPoolHdr = 0x5c
- need to move back an additional 0x4 for the POOLTAG to line up correctly
- 0x000000007d336950 - 0x60
dt("_POOL_HEADER",0x000000007D3368F0, space=addrspace().base)
0x4 : PoolTag 1416573010
- Convert the long: 1416573010 to hex
- endianness is wrong, so 546F3052 becomes 52306f54
- then convert to ASCII
Answer:
R0oT
10) What is the physical address of the hidden executable’s pooltag? (HINT: use volshell)
Hint:
- Physical + 4
- 0x7D3368F0 +0x4
Answer:
0x7D3368F4