OtterCTF 2018 Memory Forensics Write-up (Part IV)
Hmm. So the malware came in through a torrent file. Maybe this challenge asks us to trace the path of the torrent file itself :)
The torrent file must have come from somewhere; looking at the process list, I think we should go and inspect Chrome.exe.
I would like to use some external plugins in this case. These are some super cool plugins that @superponible created as part of the 2014 Volatility Plugin Contest. You can read more about them on his blog.
First we extract the plugins from the GitHub repo into our plugins folder, then point Volatility at that folder and run the chromehistory plugin:
root@kali:~/Documents# volatility --plugins volatility-master/volatility/plugins/ -f OtterCTF.vmem --profile=Win7SP1x64 chromehistory
Clearly the download was a referral from some “mail.com”, which claims to provide free web-based secure email services LOL 😂
Most probably Rick got his computer infected by the malware through an infected attachment in his email. But apparently we don’t have his account credentials; let’s see if we can grab them.
I simply ran strings on the .vmem file and grepped for ‘@mail.com’. It threw back interesting results:
So we have:
email ID --> RickoPicko@mail.com
password --> M@il_Pr0vid0rs (extracted from the clipboard)
Finally we are logged in and we get our flag…
Flag: CTF{Hum@n_I5_Th3_Weak3s7_Link_In_Th3_Ch@in}
Most probably the Bitcoin address is present in the process dump of one of the two suspicious processes identified earlier:
******************************************************************
Rick And Morty pid: 3820
Command line : "C:\Torrents\Rick And Morty season 1 download.exe"
******************************************************************
vmware-tray.ex pid: 3720
Command line : "C:\Users\Rick\AppData\Local\Temp\RarSFX0\vmware-tray.exe"
*****************************************************************
We dump both processes, 3720 and 3820, and run strings on them.
Process 3820 seems to be a dead end, but running strings on process 3720 yields interesting results:
Your Files are locked. They are locked because you downloaded something with this file in it.
This is Ransomware. It locks your files until you pay for them. Before you ask, Yes we will
give you your files back once you pay and our server confirm that you pay.
And we have our Bitcoin address: 1MmpEmebJkqXG8nQv4cjJSmxZQFVmFo63M
Flag: CTF{1MmpEmebJkqXG8nQv4cjJSmxZQFVmFo63M}
Honestly, I can’t believe this: first it’s malware, and now we need to view it graphically. We need to find another way to do this; maybe we can carve some graphical artifacts out of the malware itself.
Running binwalk on the malware file (the executable behind process ID 3720), we get:
So we have a PNG file embedded in the .exe file. Let’s carve that out using foremost and see what we get:
Flag: CTF{S0_Just_M0v3_Socy}
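As an added illustration of what binwalk and foremost are doing here (my own example code, not part of either tool or of the original write-up), the Python below scans a blob for PNG signatures and walks the chunk chain (IHDR first, CRC on every chunk, stop at IEND), so a stray copy of the 8 signature bytes is rejected instead of being carved as garbage. The carrier bytes in `build_sample` are constructed for the demo, not taken from the memory dump.

```python
import struct
import zlib
PNG_SIG = b"\x89PNG\r\n\x1a\n"

def _walk_chunks(blob: bytes, p: int):
    """Walk chunks from p; return offset past IEND, or None if truncated/no IHDR/bad CRC."""
    first = True
    while p + 12 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[p:p + 8])
        data_end = p + 8 + length
        if data_end + 4 > len(blob) or (first and ctype != b"IHDR"):
            return None
        first = False
        (crc,) = struct.unpack(">I", blob[data_end:data_end + 4])
        if zlib.crc32(blob[p + 4:data_end]) != crc:  # CRC covers type + data
            return None
        p = data_end + 4
        if ctype == b"IEND":
            return p
    return None

def carve_pngs(blob: bytes):
    """Return [(offset, png_bytes)] for each structurally valid PNG in blob."""
    found = []
    pos = blob.find(PNG_SIG)
    while pos != -1:
        end = _walk_chunks(blob, pos + len(PNG_SIG))
        if end is not None:  # signature hits without a valid chain are skipped
            found.append((pos, blob[pos:end]))
        pos = blob.find(PNG_SIG, pos + 1)
    return found

def make_test_png(width=2, height=2):
    """Minimal valid 8-bit RGB PNG (constructed sample, not from the dump)."""
    def chunk(ctype, data):
        return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\xff\x00\x00" * width for _ in range(height))
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")

def build_sample():
    """Constructed carrier: fake MZ header, a decoy PNG signature, a real PNG, padding."""
    png = make_test_png()
    carrier = b"MZ\x90\x00" + b"\x00" * 64 + PNG_SIG + b"junk" + b"\x00" * 32 + png + b"\xcc" * 16
    return carrier, png

if __name__ == "__main__":
    carrier, _ = build_sample()
    for off, data in carve_pngs(carrier):
        print(f"PNG at offset {off:#x}, {len(data)} bytes")
```

To run it against a real dumped executable, pass `open(path, "rb").read()` to `carve_pngs` and write each returned `png_bytes` to its own file.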
You just read Frost Bite. Hope you enjoyed it…
(Write-ups for the remaining parts are coming up)