DumpMe Blue Team Challenge
Today I will start solving the “DumpMe” room on the cyberdefenders.org platform. To complete this task, knowledge of Volatility will be necessary. But before we proceed to the questions, let me show you how to install Volatility and get it up and running.
To answer the questions in this room, you will need the Volatility framework, which effectively allows you to dump interesting information from RAM memory. If you want to continue and finish this room together with me, you will need this software. But don’t worry, I’ve described the entire installation process in this article → [LINK].
Scenario:
A SOC analyst took a memory dump from a machine infected with Meterpreter malware. As a digital forensicator, your job is to analyze the dump, extract the available indicators of compromise (IOCs), and answer the provided questions.
There are 16 questions in total.
Question 1
What is the SHA1 hash of Triage-Memory.mem (memory dump)?
To answer this question, you just need to use the “certutil” command in the Command Prompt (CMD).
Syntax:
certutil -hashfile FILE SHA1

Question 2
What volatility profile is the most appropriate for this machine? (ex: Win10x86_14393)
This question might be a bit tricky if you’re using Volatility 3. Due to the fact that Volatility 3 doesn’t necessarily require profiles to work, I took some liberties with the rules. First, I used the “windows.info” plugin to display information about the memory image.

When the scan was successful, the “NTBuildLab” row showed “win7sp1,” which corresponds to the profile name Volatility 2 would expect. Now, you just need to add the system architecture to get the answer. Ultimately, the profile name (in Volatility 2 terms) is “Win7SP1x64.”
Question 3
What was the process ID of notepad.exe?
To list processes, you need to use the “windows.pslist” plugin in the same place where you previously used “windows.info.” Now, you just need to locate “notepad.exe.”

Question 4
Name the child process of wscript.exe.
To list the process tree, you should use the “windows.pstree” plugin and locate the parent process “wscript.exe.” You’ll see that directly underneath it, there’s a suspicious process named “UWkpjFjDzM.exe.”

Question 5
What was the IP address of the machine at the time the RAM dump was created?
To answer this question, you can use several plugins. I chose the “windows.netscan” plugin. In the slightly shifted “LocalAddr” column, you can find the IP address associated with this memory dump.

Question 6
Based on the answer regarding the infected PID, can you determine the IP of the attacker?
In this question, you need to find the outgoing connection from “UWkpjFjDzM.exe”. I used the same plugin as in the previous question, but this time I focused on the “ForeignAddr” column.

And that’s how I found the answer to the question: the address is 10.0.0.106.
Question 7
How many processes are associated with VCRUNTIME140.dll?
Using the command:
python vol.py -f C:\Path\to\dump windows.dlllist --pid 3496
I was able to answer the question.
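The question asks how many processes load VCRUNTIME140.dll, which means looking at the module lists of every process rather than a single PID. The script below is an added example, not part of the original write-up: it parses the tab-separated output that Volatility 3’s windows.dlllist plugin prints (run without --pid, so all processes are included) and counts the distinct PIDs whose module list contains the DLL. The sample output is constructed for illustration; the PIDs, paths and load times in it are not taken from the challenge image.

```python
from typing import Dict

# Constructed sample modelled on Volatility 3 `windows.dlllist` output
# (columns: PID, Process, Base, Size, Name, Path, LoadTime, File output).
# Not the challenge's real output; values are illustrative only.
SAMPLE_DLLLIST = """\
Volatility 3 Framework 2.5.0
PID\tProcess\tBase\tSize\tName\tPath\tLoadTime\tFile output

3496\tUWkpjFjDzM.exe\t0x400000\t0x31000\tUWkpjFjDzM.exe\tC:\\Users\\Bob\\UWkpjFjDzM.exe\t2019-03-07 23:05:00.000000 \tDisabled
3496\tUWkpjFjDzM.exe\t0x7fefc5a0000\t0x17000\tVCRUNTIME140.dll\tC:\\Windows\\System32\\VCRUNTIME140.dll\t2019-03-07 23:05:00.000000 \tDisabled
3032\tnotepad.exe\t0xff1a0000\t0x30000\tnotepad.exe\tC:\\Windows\\System32\\notepad.exe\t2019-03-07 22:00:00.000000 \tDisabled
3032\tnotepad.exe\t0x77a30000\t0x1a9000\tntdll.dll\tC:\\Windows\\SYSTEM32\\ntdll.dll\t2019-03-07 22:00:00.000000 \tDisabled
2128\tskype.exe\t0x7fefc5a0000\t0x17000\tvcruntime140.dll\tC:\\Program Files\\Skype\\vcruntime140.dll\t2019-03-07 23:06:58.000000 \tDisabled
"""


def processes_loading(dll_output: str, dll_name: str) -> Dict[int, str]:
    """Return {pid: process_name} for every process whose module list
    contains `dll_name`.  The match is case-insensitive on the Name
    column, because the same DLL can appear as VCRUNTIME140.dll or
    vcruntime140.dll depending on how it was loaded."""
    hits: Dict[int, str] = {}
    for line in dll_output.splitlines():
        fields = line.split("\t")
        # Skip the banner, the header row and blank lines: a data row
        # starts with a numeric PID and has at least the Name column.
        if len(fields) < 6 or not fields[0].isdigit():
            continue
        pid, process, name = int(fields[0]), fields[1], fields[4]
        if name.lower() == dll_name.lower():
            hits[pid] = process
    return hits


def count_processes_loading(dll_output: str, dll_name: str) -> int:
    """Number of distinct processes that have `dll_name` loaded."""
    return len(processes_loading(dll_output, dll_name))


if __name__ == "__main__":
    # In practice you would feed this the saved output of:
    #   python vol.py -f C:\path\to\dump windows.dlllist > dlllist.txt
    hits = processes_loading(SAMPLE_DLLLIST, "VCRUNTIME140.dll")
    for pid, process in sorted(hits.items()):
        print(f"{pid}\t{process}")
    print("processes:", count_processes_loading(SAMPLE_DLLLIST, "VCRUNTIME140.dll"))
```

Counting distinct PIDs rather than matching lines matters because a process that maps the same DLL twice (or the same base address appearing in two rows) would otherwise be counted more than once.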

Question 8
After dumping the infected process, what is its MD5 hash?
This question is much more challenging than the others, but with a clever approach, it can be solved. Using the command below, I managed to dump all files associated with PID 3496, including the executable of the process we’re looking for.
python vol.py -f C:\Path\To\Challenge\File -o C:\Output\path\for\dump windows.dumpfiles --pid 3496

Now, all that’s left is to calculate the MD5 hash using Get-FileHash in PowerShell. It’s important to remember to temporarily disable Windows Defender for a brief moment, as otherwise it may quarantine the dumped file and the hashing command will fail.
The MD5 hash is 690ea20bc3bdfb328e23005d9a80c290
Question 9
What is the LM hash of Bob’s account?
To answer this question, I used the windows.hashdump.Hashdump plugin.

Bob’s LM hash is aad3b435b51404eeaad3b435b51404ee (the well-known constant value for an empty LM hash, meaning LM password storage was disabled on this machine).
Question 10
What memory protection constants does the VAD node at 0xfffffa800577ba10 have?
To answer this question, I used the windows.vadinfo plugin. Due to the extensive output, I redirected it to a file named "vad.txt" and then opened it in Notepad. Despite encountering a few errors during the plugin execution, they didn't affect the accuracy of the answer I found.

Then I used CTRL+F to search for the string 0xfffffa800577ba10, and that’s how I found the answer to the question.

Question 11
What memory protection did the VAD starting at 0x00000000033c0000 and ending at 0x00000000033dffff have?
In this question, I came across an interesting thing. When attempting to search for 0x00000000033c0000, Notepad showed zero results. To find the entry, you need to search for 0x33c0000 instead. This happens because Volatility 3 prints addresses without the leading zero padding that Volatility 2, which was used to create this room, adds. After searching for this shorter string, I discovered that the answer is PAGE_NOACCESS.

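Searching the vadinfo text by hand runs into exactly the padding mismatch described above. The script below is an added example, not part of the original write-up: it parses the tab-separated windows.vadinfo output of Volatility 3 and looks a VAD up by node offset (as in Question 10) or by start and end address (as in Question 11), comparing addresses numerically so that 0x00000000033c0000 and 0x33c0000 are treated as the same value. The sample output is constructed; the node offsets, PIDs and the protections other than the PAGE_NOACCESS row are illustrative and not from the challenge image.

```python
from typing import Dict, List, Optional

# Constructed sample modelled on Volatility 3 `windows.vadinfo` output
# (columns: PID, Process, Offset, Start VPN, End VPN, Tag, Protection,
# CommitCharge, PrivateMemory, Parent, File, File output).  Offsets and
# most values are made up for illustration.
SAMPLE_VADINFO = """\
Volatility 3 Framework 2.5.0
PID\tProcess\tOffset\tStart VPN\tEnd VPN\tTag\tProtection\tCommitCharge\tPrivateMemory\tParent\tFile\tFile output

3496\tUWkpjFjDzM.exe\t0xfffffa8000aa1100\t0x400000\t0x430fff\tVadS\tPAGE_EXECUTE_READWRITE\t49\t1\t0xfffffa8000aa2200\t\tDisabled
3496\tUWkpjFjDzM.exe\t0xfffffa8000aa2200\t0x33c0000\t0x33dffff\tVadS\tPAGE_NOACCESS\t0\t1\t0xfffffa8000aa3300\t\tDisabled
3032\tnotepad.exe\t0xfffffa8000aa3300\t0x7fefc5a0000\t0x7fefc5b6fff\tVad \tPAGE_EXECUTE_WRITECOPY\t2\t0\t0xfffffa8000aa4400\t\\Windows\\System32\\VCRUNTIME140.dll\tDisabled
"""


def _hex(value: str) -> int:
    """Parse a hex address regardless of zero padding or case."""
    return int(value, 16)


def parse_vadinfo(output: str) -> List[Dict[str, object]]:
    """Turn vadinfo text into rows with numeric address fields."""
    rows: List[Dict[str, object]] = []
    for line in output.splitlines():
        f = line.split("\t")
        if len(f) < 7 or not f[0].isdigit():
            continue  # banner, header or blank line
        rows.append({
            "pid": int(f[0]),
            "process": f[1],
            "offset": _hex(f[2]),
            "start": _hex(f[3]),
            "end": _hex(f[4]),
            "tag": f[5].strip(),
            "protection": f[6],
        })
    return rows


def find_vad(output: str, *, offset: Optional[str] = None,
             start: Optional[str] = None,
             end: Optional[str] = None) -> Optional[Dict[str, object]]:
    """Look up a VAD by node offset and/or start/end range.

    All comparisons are numeric, so '0x00000000033c0000' (Volatility 2
    style) matches the unpadded '0x33c0000' that Volatility 3 prints."""
    if offset is None and start is None and end is None:
        raise ValueError("give at least one of offset, start or end")
    for row in parse_vadinfo(output):
        if offset is not None and row["offset"] != _hex(offset):
            continue
        if start is not None and row["start"] != _hex(start):
            continue
        if end is not None and row["end"] != _hex(end):
            continue
        return row
    return None


if __name__ == "__main__":
    # Question 11 style lookup using the padded addresses from the question.
    vad = find_vad(SAMPLE_VADINFO, start="0x00000000033c0000", end="0x00000000033dffff")
    print(vad["protection"] if vad else "not found")
    # Question 10 style lookup by node offset (constructed offset here).
    vad = find_vad(SAMPLE_VADINFO, offset="0xfffffa8000aa1100")
    print(vad["protection"] if vad else "not found")
```

The same numeric comparison also lets you check whether an address falls inside a VAD (start <= address <= end), which is handy when a question or an indicator gives you an address in the middle of a region rather than its boundaries.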
Question 12
There was a VBS script that ran on the machine. What is the name of the script? (submit without file extension)
To answer this question, I used the windows.cmdline plugin and redirected the output to Notepad for easier searching.

Then, I simply looked for the “vbs” phrase, which I quickly found using CTRL + F. The answer is the string of characters “vhjReUDEuumrX”.

Question 13
An application was run at 2019–03–07 23:06:58 UTC. What is the name of the program? (Include extension)
To answer this question, I used the timeliner plugin and redirected the output to a file named “timeline.txt”. This allowed me to open Notepad again and search for the timestamp from the question. Based on that, I found out that the process running at that time was “skype.exe”.

Question 14
What was written in notepad.exe at the time when the memory dump was captured?
This question was quite complicated, but not impossible. Based on the information from previous questions, I knew that Notepad’s PID was 3032. Using the command provided below, I dumped the process’s memory.
python vol.py -f C:\path\to\dump -o C:\where\to\dump windows.memmap --dump --pid 3032
Then, using the “strings” program from the Sysinternals Suite (which can be downloaded from https://learn.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite), I searched for the string “flag<” which was given as a hint for the answer. The flag is “flag<REDBULL_IS_LIFE>”.

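The reason the Sysinternals strings tool finds the flag is that, by default, it extracts both ASCII and UTF-16LE runs, and Notepad keeps its edit buffer as UTF-16LE, so a plain ASCII search for “flag<” in the dump would miss it. The script below is an added example, not part of the original write-up: it reimplements that two-encoding extraction in Python and filters the results for the marker. The byte buffer is constructed to stand in for a memmap dump; the flag value in it is a made-up sample, not the challenge’s flag.

```python
import re
from typing import List

# Constructed stand-in for a few bytes of a `windows.memmap --dump` output:
# some binary noise, an ASCII string, a UTF-16LE string (how Notepad stores
# its text) and an ASCII fragment broken up by NUL bytes.
SAMPLE_DUMP = (
    b"\x00\x10\x7f\x02MZ\x90\x00" * 3
    + b"This program cannot be run in DOS mode"
    + b"\x00" * 8
    + "flag<CONSTRUCTED_SAMPLE>".encode("utf-16-le")   # constructed value
    + b"\xff\xfe\x00\x00"
    + b"fla" + b"\x00\x00" + b"g<not-a-real-string"     # must not match
)


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Mimic the defaults of Sysinternals `strings`: return every run of
    printable ASCII and every run of UTF-16LE (printable byte followed by
    NUL) that is at least `min_len` characters long."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in utf16_re.finditer(data)]
    return found


def find_marker(data: bytes, marker: str = "flag<") -> List[str]:
    """Strings from `data` (either encoding) that contain `marker`."""
    return [s for s in extract_strings(data) if marker in s]


def find_marker_in_file(path: str, marker: str = "flag<") -> List[str]:
    """Same search over a dump file on disk, e.g. pid.3032.dmp."""
    with open(path, "rb") as fh:
        return find_marker(fh.read(), marker)


if __name__ == "__main__":
    for s in find_marker(SAMPLE_DUMP):
        print(s)
```

When a flag or other text is missing from a strings run, checking the UTF-16 side (or grepping with a NUL-interleaved pattern) is the first thing to try, since most GUI Windows applications hold user text as UTF-16 in memory.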
Question 15
What is the short name of the file at file record 59045?
To answer this question, I had to use the plugin windows.mftscan.MFTScan and redirect the output to a file.

After completing the operation, I opened the file in Notepad and searched for the phrase “59045,” where I found the solution.

Question 16
As we’ve seen earlier, there’s a suspicious file named UWkpjFjDzM.exe present in the system, and we also found its PID to be 3496. Following this trail, it's likely that this file is responsible for the exploit.

Conclusion
That’s a challenging room that helped me grasp the basics of Volatility. An additional challenge was using Volatility 3 for questions that required Volatility 2… 🙄
Nevertheless, I had a lot of fun with it.
See you soon!😎