OtterCTF 2018 Memory Forensics Write-up (Part 3)
Without wasting any more time on intro let us wrap the remaining challs real quick :)
Let’s dump the process LunarMS.exe (PId: 708). We get a .dmp file; let us inspect it using xxd, searching for a portion of the real signature (5A 0C 00 00):
$ xxd 708.dmp | grep "5a0c 0000"
We see some readable text near 0c33a4a0.
Flag: CTF{M0rtyL0L}
Oh, seems like Rick used the clipboard for copy-paste. Let’s see what the clipboard plugin yields:
Looks like we found our flag!!
Flag: CTF{M@il_Pr0vid0rs}
So we have a malware process running on Rick’s PC. Let us first use psxview to list processes that are trying to hide themselves while running on the computer; if any were, we would see “False” in the first two columns (pslist and psscan).
Well, except in our case ;) no processes seem to be hidden. We shift our focus to examining the running processes in the memory dump using the pstree plugin:
Now pstree yields something interesting. It is pretty common for a system running VMware to have a process vmware-tray.exe, but what arouses our suspicion is that its parent process (PPid) is Rick And Morty. This may be our malware.
To support our hypothesis let’s check the command line arguments using cmdline:
******************************************************************
Rick And Morty pid: 3820
Command line : "C:\Torrents\Rick And Morty season 1 download.exe"
******************************************************************
vmware-tray.ex pid: 3720
Command line : "C:\Users\Rick\AppData\Local\Temp\RarSFX0\vmware-tray.exe"
*****************************************************************
Seems like vmware-tray.exe was run from a suspicious Temp folder and not from the regular VMware program-files folder. Probably the malware found its way into Rick’s PC through a torrent file.
Flag: CTF{vmware-tray.exe}
Old illegal habits, huh? Seems to be hinting at torrents. Clearly, from the previous evidence we know that the malware came in through torrents. We need to locate the torrent file, and we have the filescan plugin to our rescue:
Let’s dump those files and see what they contain. For this we will be using the dumpfiles plugin.
root@kali:~/Documents/OtterCTF/Memory# volatility -f OtterCTF.vmem --profile=Win7SP1x64 dumpfiles -Q 0x000000007dae9350 -D .
So we get the BitTorrent file in our current directory. Let’s fetch all strings:
root@kali:~/Documents/OtterCTF/Memory# strings file.None.0xfffffa801b42c9e0.dat
d8:announce44:udp://tracker.openbittorrent.com:80/announce13:announce-listll44:udp://tracker.openbittorrent.com:80/announceel42:udp://tracker.opentrackr.org:1337/announceee10:created by17:BitTorrent/7.10.313:creation datei1533150595e8:encoding5:UTF-84:infod6:lengthi456670e4:name36:Rick And Morty season 1 download.exe12:piece lengthi16384e6:pieces560:\I
e7:website19:M3an_T0rren7_4_R!cke
That’s our flag at the end!!
Flag: CTF{M3an_T0rren7_4_R!cke}
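The strings output is hard to read because a .torrent is bencoded and the pieces field is raw SHA-1 hashes rather than text. As an added example (not part of the original write-up), here is a small bencode parser that decodes the recovered metadata, checks that the piece count matches the declared length, and flags non-standard top-level keys such as website, which is where the flag was hiding. The sample is constructed from the strings output above; its pieces data is stand-in hashes, not the real file's.

```python
import hashlib
import math
from datetime import datetime, timezone
def bdecode(data: bytes):  # byte strings stay bytes: "pieces" is raw SHA-1 data, not text
    def parse(i):
        c = data[i:i + 1]
        if c == b"i":                                  # integer: i<digits>e
            end = data.index(b"e", i)
            return int(data[i + 1:end]), end + 1
        if c in (b"l", b"d"):                          # list l<items>e / dict d<key><value>...e
            items, i = [], i + 1
            while data[i:i + 1] != b"e":
                item, i = parse(i)
                items.append(item)
            if c == b"l":
                return items, i + 1
            return dict(zip(items[::2], items[1::2])), i + 1
        colon = data.index(b":", i)                    # byte string: <length>:<bytes>
        start, length = colon + 1, int(data[i:colon])
        return data[start:start + length], start + length
    obj, end = parse(0)
    if end != len(data):
        raise ValueError("trailing bytes after bencoded value")
    return obj

STANDARD_KEYS = {b"announce", b"announce-list", b"comment", b"created by",
                 b"creation date", b"encoding", b"info", b"url-list"}

def summarize_torrent(data: bytes) -> dict:
    """What an analyst wants from a recovered .torrent: payload, trackers, timestamp, odd keys."""
    t = bdecode(data)
    info = t[b"info"]
    piece_count = len(info[b"pieces"]) // 20           # one 20-byte SHA-1 per piece
    return {
        "name": info[b"name"].decode(),
        "length": info[b"length"],
        "trackers": [u.decode() for tier in t.get(b"announce-list", []) for u in tier],
        "created_by": t[b"created by"].decode(),
        "created": datetime.fromtimestamp(t[b"creation date"], tz=timezone.utc).isoformat(),
        "piece_count": piece_count,
        "pieces_consistent": piece_count == math.ceil(info[b"length"] / info[b"piece length"]),
        "extra_keys": {k.decode(): v.decode() for k, v in t.items() if k not in STANDARD_KEYS},
    }
# Constructed sample mirroring the strings output above; the 560-byte pieces field is
# stand-in SHA-1 data, not the hashes from the recovered file.
SAMPLE = (b"d8:announce44:udp://tracker.openbittorrent.com:80/announce13:announce-listll44:udp://tracker.openbittorrent.com:80/announce"
          b"el42:udp://tracker.opentrackr.org:1337/announceee10:created by17:BitTorrent/7.10.313:creation datei1533150595e8:encoding5:UTF-8"
          b"4:infod6:lengthi456670e4:name36:Rick And Morty season 1 download.exe12:piece lengthi16384e6:pieces560:"
          + b"".join(hashlib.sha1(bytes([i])).digest() for i in range(28)) + b"e7:website19:M3an_T0rren7_4_R!cke")
```

Running summarize_torrent(SAMPLE) shows 28 pieces covering the 456670-byte payload and a single non-standard key, website, holding the flag text.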
You just read Frost Bite. Hope you enjoyed it…
(Write-ups for subsequent parts are coming up)
STAY TUNED FOR MORE UPDATES