
Intro

CyberDefenders.org has a fun challenge in which you dissect a memory dump that contains a hidden process.

You are provided with the following files to aid in your analysis:

  • Memory dump

Walkthrough

1) What profile should you use for this memory sample?

python ./vol.py -f ~/Downloads/banking-malware.vmem kdbgscan
**************************************************
Instantiating KDBG using: ~/Downloads/banking-malware.vmem WinXPSP2x86 (5.1.0 32bit)
Offset (P)                    : 0x2bef120
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win7SP1x64_24000
PsActiveProcessHead           : 0x2c28940
PsLoadedModuleList            : 0x2c46c90
KernelBase                    : 0xfffff80002a0c000

Answer:

Win7SP1x64_24000

2) What is the KDBG virtual address of the memory sample?

python ./vol.py -f ~/Downloads/banking-malware.vmem --profile=Win7SP1x64_24000 imageinfo
Volatility Foundation Volatility Framework 2.6.1
INFO    : volatility.debug    : Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418 (Instantiated with Win7SP1x64_24000)
AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (~/Downloads/banking-malware.vmem)
PAE type : No PAE
DTB : 0x187000L
KDBG : 0xf80002bef120L

Answer:

0xf80002bef120

3) There is a malicious process running, but it’s hidden. What’s its name?

python ./vol.py -f ~/Downloads/banking-malware.vmem --profile=Win7SP1x64_24000 psxview

 Offset(P)          Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
------------------ -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
 0x000000007d336950 vds_ps.exe             2448 False  False  True     True   True  True    True     

Answer:

vds_ps.exe

4) What is the physical offset of the malicious process?

Answer:

0x000000007d336950

5) What is the full path (including executable name) of the hidden executable?

python ./vol.py -f ~/Downloads/banking-malware.vmem --profile=Win7SP1x64_24000 vadinfo -o 0x000000007d336950|grep exe
Volatility Foundation Volatility Framework 2.6.1
FileObject @fffffa80046035d0, Name: \Device\HarddiskVolume1\Users\john\AppData\Local\api-ms-win-service-management-l2-1-0\vds_ps.exe

Answer:

C:\Users\john\AppData\Local\api-ms-win-service-management-l2-1-0\vds_ps.exe

6) Which malware is this?

Answer:

Emotet

7) The malicious process had two PEs injected into its memory. What’s the size in bytes of the Vad that contains the largest injected PE? Answer in hex, like: 0xABC

Hint:

  • Dump the VADs
     python ./vol.py -f ~/Downloads/banking-malware.vmem --profile=Win7SP1x64_24000 vaddump --offset 0x000000007d336950 -D emotet
    
  • Run clamscan on the VAD dump files to find the droppers
    vds_ps.exe.7d336950.0x0000000002a10000-0x0000000002a2cfff.dmp: Win.Trojan.Emotet-6736162-1 FOUND
    vds_ps.exe.7d336950.0x0000000000400000-0x000000000045ffff.dmp: Win.Dropper.Trickbot-9782007-0 FOUND
    
  • Injected PEs normally carry the protection flag PAGE_EXECUTE_READWRITE
     python ./vol.py -f ~/Downloads/banking-malware.vmem --profile=Win7SP1x64_24000 vadinfo --offset=0x000000007d336950|grep -B 3 PAGE_EXECUTE_READWRITE
Volatility Foundation Volatility Framework 2.6.1

VAD node @ 0xfffffa8004058b00 Start 0x0000000000220000 End 0x000000000023ffff Tag VadS
Flags: CommitCharge: 32, MemCommit: 1, PrivateMemory: 1, Protection: 6
Protection: PAGE_EXECUTE_READWRITE
--

VAD node @ 0xfffffa800589cc00 Start 0x0000000002a10000 End 0x0000000002a2cfff Tag VadS
Flags: CommitCharge: 29, MemCommit: 1, PrivateMemory: 1, Protection: 6
Protection: PAGE_EXECUTE_READWRITE
--

VAD node @ 0xfffffa8002f1b640 Start 0x0000000002a80000 End 0x0000000002ab6fff Tag VadS
Flags: CommitCharge: 55, MemCommit: 1, PrivateMemory: 1, Protection: 6
Protection: PAGE_EXECUTE_READWRITE
--

VAD node @ 0xfffffa8004643780 Start 0x0000000077900000 End 0x0000000077a1efff Tag VadS
Flags: PrivateMemory: 1, Protection: 6
Protection: PAGE_EXECUTE_READWRITE
--

VAD node @ 0xfffffa800464c560 Start 0x0000000077a20000 End 0x0000000077b19fff Tag VadS
Flags: PrivateMemory: 1, Protection: 6
Protection: PAGE_EXECUTE_READWRITE

Answer:

0x36FFF
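To make the triage above repeatable, here is an added Python example (not part of the original write-up) that parses vadinfo text, keeps only the PAGE_EXECUTE_READWRITE regions that are actually committed (the two reserved-only 0x779xxxxx/0x77axxxxx nodes have no bytes to scan), and reports End - Start for the largest one. The sample input is the vadinfo output shown above, embedded as a constructed string.

```python
import re

# Constructed sample: the PAGE_EXECUTE_READWRITE nodes from the vadinfo output above
VADINFO_OUTPUT = """\
VAD node @ 0xfffffa8004058b00 Start 0x0000000000220000 End 0x000000000023ffff Tag VadS
Flags: CommitCharge: 32, MemCommit: 1, PrivateMemory: 1, Protection: 6
Protection: PAGE_EXECUTE_READWRITE
VAD node @ 0xfffffa800589cc00 Start 0x0000000002a10000 End 0x0000000002a2cfff Tag VadS
Flags: CommitCharge: 29, MemCommit: 1, PrivateMemory: 1, Protection: 6
Protection: PAGE_EXECUTE_READWRITE
VAD node @ 0xfffffa8002f1b640 Start 0x0000000002a80000 End 0x0000000002ab6fff Tag VadS
Flags: CommitCharge: 55, MemCommit: 1, PrivateMemory: 1, Protection: 6
Protection: PAGE_EXECUTE_READWRITE
VAD node @ 0xfffffa8004643780 Start 0x0000000077900000 End 0x0000000077a1efff Tag VadS
Flags: PrivateMemory: 1, Protection: 6
Protection: PAGE_EXECUTE_READWRITE
VAD node @ 0xfffffa800464c560 Start 0x0000000077a20000 End 0x0000000077b19fff Tag VadS
Flags: PrivateMemory: 1, Protection: 6
Protection: PAGE_EXECUTE_READWRITE
"""

NODE_RE = re.compile(r"VAD node @ 0x[0-9a-f]+ Start (0x[0-9a-f]+) End (0x[0-9a-f]+)")

def parse_vads(text):
    """Yield one dict {start, end, committed, rwx} per VAD node in vadinfo output."""
    node = None
    for line in text.splitlines():
        m = NODE_RE.match(line)
        if m:
            if node:
                yield node
            node = {"start": int(m.group(1), 16), "end": int(m.group(2), 16),
                    "committed": False, "rwx": False}
        elif node and line.startswith("Flags:"):
            node["committed"] = "MemCommit: 1" in line
        elif node and line.startswith("Protection:"):
            node["rwx"] = "PAGE_EXECUTE_READWRITE" in line
    if node:
        yield node

def candidate_injections(text):
    """RWX regions that are committed; reserved-only RWX ranges hold no bytes to scan."""
    return [v for v in parse_vads(text) if v["rwx"] and v["committed"]]

def largest_candidate_span(text):
    """End - Start of the largest committed RWX VAD, the form the challenge answer takes
    (the inclusive region is one byte larger than this value)."""
    return max(v["end"] - v["start"] for v in candidate_injections(text))
```

Running largest_candidate_span(VADINFO_OUTPUT) returns 0x36FFF, the 0x2a80000-0x2ab6fff region, while the uncommitted 0x77a20000 node, which is larger, is correctly ignored.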

8) This process was unlinked from the ActiveProcessLinks list. Follow its forward link. Which process does it lead to? Answer with its name and extension

  • We read the next process off the pslist output we captured earlier

Answer:

SearchIndexer.exe

9) What is the pooltag of the malicious process in ascii? (HINT: use volshell)

Hint:

  • Use the physical offset from the earlier vaddump step: 0x000000007d336950
  • volshell command reference
    dt("_EPROCESS",0x000000007d336950, space=addrspace().base)
    
    but that puts us at the object header, so we need to move back a number of bytes

  • WinXP - Win7: cbDataOffsetPoolHdr = 0x5c
  • We need to move back an additional 0x4 for the PoolTag to line up correctly
  • 0x000000007d336950 - 0x60
    dt("_POOL_HEADER",0x000000007D3368F0, space=addrspace().base)
    0x4   : PoolTag                        1416573010
    
  • Convert the long 1416573010 to hex
  • The endianness is wrong, so 546F3052 becomes 52306f54
  • Then convert it to ASCII

Answer:

R0oT

10) What is the physical address of the hidden executable’s pooltag? (HINT: use volshell)

Hint:

  • Physical address of the pool header + 0x4
  • 0x7D3368F0 + 0x4

Answer:

0x7D3368F4
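The arithmetic behind questions 9 and 10, as an added Python example that is not part of the original write-up: it derives the _POOL_HEADER and PoolTag physical addresses from the _EPROCESS offset, decodes the 32-bit PoolTag integer volshell printed into its little-endian ASCII bytes, and compares it against the "Pro\xe3" tag Volatility's psscan keys on, which is why a rewritten tag leaves the process invisible to psscan (psxview shows psscan False for vds_ps.exe). The 0x60 delta and the 0x4 field offset are taken from the hints above.

```python
import struct

# Values from the write-up: physical offset of the hidden vds_ps.exe _EPROCESS (from psxview)
EPROCESS_PHYS = 0x000000007d336950
POOL_HEADER_DELTA = 0x60       # _POOL_HEADER lies 0x60 bytes before the _EPROCESS (Win7 x64, per the hints)
POOL_TAG_FIELD_OFFSET = 0x4    # PoolTag field sits at +0x4 inside _POOL_HEADER

# The process pool tag Volatility's psscan scans for: 'Proc' with the protected bit set in the last byte
EXPECTED_PROCESS_TAG = b"Pro\xe3"

def pool_header_address(eprocess_phys, delta=POOL_HEADER_DELTA):
    """Physical address of the _POOL_HEADER that precedes the _EPROCESS."""
    return eprocess_phys - delta

def pool_tag_address(eprocess_phys):
    """Physical address of the PoolTag field (question 10)."""
    return pool_header_address(eprocess_phys) + POOL_TAG_FIELD_OFFSET

def decode_pool_tag(value):
    """volshell prints PoolTag as an integer; it is stored little-endian, so '<I'
    yields the bytes in the order they appear in the dump (question 9)."""
    return struct.pack("<I", value)

def tag_to_ascii(raw):
    """Render a 4-byte tag, escaping non-printable bytes such as the protected-bit 0xe3."""
    return "".join(chr(b) if 32 <= b < 127 else "\\x%02x" % b for b in raw)

def encode_pool_tag(ascii_tag):
    """Inverse of decode_pool_tag: the integer volshell would print for a given tag."""
    return struct.unpack("<I", ascii_tag.encode("latin-1"))[0]

def pooltag_is_suspicious(value):
    """psscan matches only the standard process tag; anything else evades it."""
    return decode_pool_tag(value) != EXPECTED_PROCESS_TAG
```

Calling tag_to_ascii(decode_pool_tag(1416573010)) returns "R0oT", and pooltag_is_suspicious(1416573010) is True, which is consistent with psscan reporting False for this process.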
