DumpMe Walkthrough — Cyberdefenders

responderj
9 min read · Jan 1, 2022

Scenario:
One of the SOC analysts took a memory dump from a machine infected with meterpreter malware. As Digital Forensicators, your job is to analyze the dump, extract the available indicators of compromise (IOCs) and answer the provided questions.

Challenge: DumpMe

Tool:
RemNux: Volatility 2

1. What is the SHA1 hash of triage.mem (memory dump)?

I extracted the file and used the command below to get the SHA1 hash of Triage-Memory.mem.

sha1sum Triage-Memory.mem

2. What volatility profile is the most appropriate for this machine? (ex: Win10x86_14393)

We can use the imageinfo and kdbgscan plugins to determine the proper profile of Triage-Memory.mem.

The imageinfo plugin will display the information about the image, such as Suggested Profiles, Number of Processors, Date and Time when the memory was acquired, etc.

vol.py -f Triage-Memory.mem imageinfo

Volatility suggested 8 profiles. I used the first one for the time being and ran kdbgscan, a plugin that scans for the KDBG structure, to check the build string (NtBuildLab), service pack, and major and minor version.

Based on the image above, it seems that the image is win7sp1 64-bit.

Volatility will display an error message if the profile provided is incorrect, like the image below.

No error appears if the profile you choose is closely related to the correct one, for example Win7SP1x64 (assume that this is the correct profile), Win7SP0x64, and Win2008R2SP0x64.

These articles will explain how to determine the correct profile:

Note: imageinfo and kdbgscan plugins are for Windows OS only.

To view the information about volatility, we can use the command below.

vol.py --info

We can also use the command below to view the volatility options & plugins.

vol.py -h

3. What was the process ID of notepad.exe?

The psscan plugin scans the image for process objects and displays their PIDs, PPIDs, offsets, etc. I used grep to display only the notepad.exe entry.

vol.py -f Triage-Memory.mem --profile=Win7SP1x64 psscan | grep notepad.exe

4. Name the child process of wscript.exe.

The pstree plugin will display the processes in a tree format.

vol.py -f Triage-Memory.mem --profile=Win7SP1x64 pstree

I used grep with the -C 5 option to print 5 lines of context before and after wscript.exe.

vol.py -f Triage-Memory.mem --profile=Win7SP1x64 pstree | grep wscript.exe -C 5

The result shows the parent and child processes of wscript.exe.

5. What was the IP address of the machine at the time the RAM dump was created?

The netscan plugin will scan the image to determine the network connections.

Sample output of netscan plugin

The command below lists all the connections on the machine. I then used grep to keep only the IPv4 entries, and egrep -v to exclude 0.0.0.0 and 127.0.0.1.

vol.py -f Triage-Memory.mem --profile=Win7SP1x64 netscan | grep v4 | egrep -v '0.0.0.0|127.0.0.1'

-v, --invert-match: select non-matching lines

We can now determine the IP address of the machine under Local Address.

6. Based on the answer regarding the infected PID, can you determine the IP of the attacker?

The Challenge Details mention that the machine is infected with meterpreter malware. The yarascan plugin scans the memory image for matches against the YARA rules you provide. There is no Metasploit-related rule in the rule set on my REMnux (/usr/local/yara-rules), so I used the rule from the Cuckoo Sandbox GitHub repository. Link for the metasploit.yar.

vol.py -f Triage-Memory.mem --profile=Win7SP0x64 yarascan -y metasploit.yar

The result shows the PID of the infected process.

-y, --yara-file: YARA rules file

Now that I know the process ID, I used the netscan plugin and grep to determine the attacker’s IP address.

vol.py -f Triage-Memory.mem --profile=Win7SP1x64 netscan | grep 3496

The above command produces the following output:
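The two netscan filters above (question 5 and question 6) can also be done with a small parser that keeps the process attribution a bare grep drops. This is an added example, not code from the walkthrough or from Volatility; the sample text is constructed in the column layout of vol.py netscan output, the addresses are documentation-range placeholders rather than the challenge's values, and the function names are my own.

```python
"""Added example: post-process Volatility 2 netscan output to answer the two
network questions (local IPv4 address, remote peer of a suspect PID).
Sample lines are constructed; addresses are documentation-range placeholders."""
import re
from collections import Counter

# Constructed in the column layout of `vol.py netscan` (not real challenge data).
SAMPLE_NETSCAN = """\
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x13d1d2f0         UDPv4    0.0.0.0:0                      *:*                                   4        System         2019-03-22 05:35:10 UTC+0000
0x13d21a10         UDPv6    ::1:1900                       *:*                                   1164     svchost.exe    2019-03-22 05:35:10 UTC+0000
0x13e0f8b0         TCPv4    127.0.0.1:49155                0.0.0.0:0            LISTENING        508      lsass.exe
0x13e4c3c0         TCPv4    192.0.2.50:139                 0.0.0.0:0            LISTENING        4        System
0x13f1a2e0         TCPv4    192.0.2.50:49220               198.51.100.7:4444    ESTABLISHED      3496     wscript.exe
0x13f1bb90         TCPv4    192.0.2.50:49221               198.51.100.7:4444    CLOSED           3496     wscript.exe
"""

# One netscan row: offset, protocol, local, foreign, optional state (UDP rows
# have none), pid, owner. The header line does not start with 0x and is skipped.
ROW_RE = re.compile(
    r"^(?P<offset>0x[0-9a-f]+)\s+(?P<proto>(?:TCP|UDP)v[46])\s+"
    r"(?P<local>\S+)\s+(?P<foreign>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s+(?P<owner>\S+)"
)


def parse_netscan(text):
    """Return one dict per netscan row (header and separator lines are dropped)."""
    return [m.groupdict() for m in (ROW_RE.match(line) for line in text.splitlines()) if m]


def split_endpoint(endpoint):
    """Split 'host:port' on the last colon so IPv6 endpoints like ::1:1900 survive."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def local_ipv4_addresses(rows):
    """Same filter as `grep v4 | egrep -v '0.0.0.0|127.0.0.1'`, but counted per host.
    The host with the most sockets is the machine's own address."""
    counts = Counter()
    for row in rows:
        if not row["proto"].endswith("v4"):
            continue
        host, _ = split_endpoint(row["local"])
        if host in ("0.0.0.0", "127.0.0.1"):
            continue
        counts[host] += 1
    return counts


def remote_peers_for_pid(rows, pid):
    """Foreign TCP endpoints used by one PID (the one yarascan flagged), with state."""
    peers = set()
    for row in rows:
        if row["pid"] == str(pid) and row["proto"].startswith("TCP"):
            host, port = split_endpoint(row["foreign"])
            if host not in ("0.0.0.0", "*"):
                peers.add((host, port, row["state"] or ""))
    return sorted(peers)


if __name__ == "__main__":
    rows = parse_netscan(SAMPLE_NETSCAN)
    print("local IPv4 addresses:", dict(local_ipv4_addresses(rows)))
    print("peers of PID 3496:", remote_peers_for_pid(rows, 3496))
```

Feed the real output in with `vol.py ... netscan > netscan.txt` and call `parse_netscan(open("netscan.txt").read())`; CLOSED and CLOSE_WAIT rows are kept on purpose, since a C2 session that has already torn down still names the peer.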

7. How many processes are associated with VCRUNTIME140.dll?

The dlllist plugin will display the list of DLLs loaded by each process.

vol.py -f Triage-Memory.mem --profile=Win7SP1x64 dlllist
dlllist plugin output

Since the DLL name was already provided, I used grep to print only the lines containing VCRUNTIME140.dll.

vol.py -f Triage-Memory.mem --profile=Win7SP1x64 dlllist | grep VCRUNTIME140.dll

The image above shows how many processes are associated with VCRUNTIME140.dll.
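A caveat on the grep approach: it counts matching lines and drops the process each line belongs to, so a process that maps the DLL from two paths is counted twice and the process names are lost. The parser below keeps the attribution. It is an added example, not code from the walkthrough or from Volatility; the sample output is constructed in the layout of vol.py dlllist and the function names are my own.

```python
"""Added example: count the distinct processes that loaded a DLL from
Volatility 2 dlllist output, keeping the process attribution that
`dlllist | grep NAME` discards. The sample output is constructed."""
import re

# Constructed in the layout of `vol.py dlllist` (not the challenge's data).
# notepad.exe deliberately maps the DLL from two paths to show the line/process gap.
SAMPLE_DLLLIST = r"""
************************************************************************
wscript.exe pid:   3496
Command line : "C:\Windows\System32\wscript.exe"
Service Pack 1

Base                             Size          LoadCount LoadTime                 Path
------------------ ------------------ ------------------ ------------------------------ ----
0x0000000000400000            0x4c000     0xffff 2019-03-22 05:36:59 UTC+0000   C:\Windows\System32\wscript.exe
0x00007ffb1a2b0000            0x1a000     0xffff 2019-03-22 05:36:59 UTC+0000   C:\Windows\System32\VCRUNTIME140.dll
************************************************************************
notepad.exe pid:   3032
Command line : "C:\Windows\System32\notepad.exe"
Service Pack 1

Base                             Size          LoadCount LoadTime                 Path
------------------ ------------------ ------------------ ------------------------------ ----
0x00000000ff0c0000            0x3b000     0xffff 2019-03-22 05:40:12 UTC+0000   C:\Windows\System32\notepad.exe
0x00007ffb1a2b0000            0x1a000     0xffff 2019-03-22 05:40:12 UTC+0000   C:\Windows\System32\VCRUNTIME140.dll
0x0000000068e80000            0x1a000     0x0001 2019-03-22 05:40:13 UTC+0000   C:\Program Files\Example App\VCRUNTIME140.dll
************************************************************************
lsass.exe pid:    508
Command line : C:\Windows\system32\lsass.exe
Service Pack 1

Base                             Size          LoadCount LoadTime                 Path
------------------ ------------------ ------------------ ------------------------------ ----
0x00000000ffa60000             0xd000     0xffff 2019-03-22 05:35:09 UTC+0000   C:\Windows\system32\lsass.exe
0x0000000077b20000           0x1a9000     0xffff 2019-03-22 05:35:09 UTC+0000   C:\Windows\SYSTEM32\ntdll.dll
"""

# Process header: "<name> pid:   <pid>"
PROC_RE = re.compile(r"^(?P<name>\S+) pid:\s+(?P<pid>\d+)\s*$")
# Module row: three hex columns, then the load time, then a Windows path
# (drive letter or a leading backslash); spaces inside the path are kept.
DLL_RE = re.compile(
    r"^0x[0-9a-fA-F]+\s+0x[0-9a-fA-F]+\s+0x[0-9a-fA-F]+\s+.*?"
    r"(?P<path>(?:[A-Za-z]:\\|\\)\S.*?)\s*$"
)


def parse_dlllist(text):
    """Map (pid, process name) -> list of loaded module paths."""
    procs, current = {}, None
    for line in text.splitlines():
        m = PROC_RE.match(line)
        if m:
            current = (int(m.group("pid")), m.group("name"))
            procs.setdefault(current, [])
            continue
        m = DLL_RE.match(line)
        if m and current is not None:
            procs[current].append(m.group("path"))
    return procs


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def processes_loading(procs, dll_name):
    """Distinct processes with a module whose file name matches; Windows file
    names are case-insensitive, so the comparison is too."""
    want = dll_name.lower()
    return sorted(key for key, paths in procs.items()
                  if any(basename(p).lower() == want for p in paths))


def grep_line_count(text, needle):
    """What `dlllist | grep -c NAME` reports: matching lines, not processes."""
    return sum(1 for line in text.splitlines() if needle in line)


if __name__ == "__main__":
    procs = parse_dlllist(SAMPLE_DLLLIST)
    print("grep lines:", grep_line_count(SAMPLE_DLLLIST, "VCRUNTIME140.dll"))
    print("processes:", processes_loading(procs, "VCRUNTIME140.dll"))
```

On the constructed sample the grep count is 3 while only 2 processes loaded the DLL. The page's `grep VCRUNTIME140.dll` is also case-sensitive, so add `-i` (or use the parser) when the path casing in the dump is not known in advance.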

8. After dumping the infected process, what is its md5 hash?

The procdump plugin can be used to dump a process.

vol.py -f Triage-Memory.mem --profile=Win7SP1x64 procdump -D . -p 3496

The command above will dump the process ID 3496 with a filename of executable.3496.exe.

Then I used the command below to get the MD5 hash of the executable.3496.exe.

md5sum executable.3496.exe

9. What is the LM hash of Bob’s account?

The hashdump plugin can be used to dump the account password hashes from the memory image.

vol.py -f Triage-Memory.mem --profile=Win7SP1x64 hashdump | grep -i bob

I used grep with the -i option to ignore the case and only display the hash of Bob’s account.

-i, --ignore-case: ignore case distinctions in patterns and data

10. What memory protection constants does the VAD node at 0xfffffa800577ba10 have?

The vadinfo plugin can be used to display the VAD information of the memory image (Protection, VAD node, Vad Type, etc.).

vol.py -f Triage-Memory.mem --profile=Win7SP1x64 vadinfo
vadinfo plugin output

Since the question already provided the node address, I used grep with the -C option set to 5 to print the surrounding lines.

Based on the image above, we can now determine the memory protection constants.

11. What memory protection did the VAD starting at 0x00000000033c0000 and ending at 0x00000000033dffff have?

As in the previous question, I used the vadinfo plugin, since this one also asks for memory protection constants.

I used the provided memory range to filter the output.

vol.py -f Triage-Memory.mem --profile=Win7SP1x64 vadinfo | egrep -C 3 '0x00000000033c0000|0x00000000033dffff'

The above command produces the following output:

12. There was a VBS script that ran on the machine. What is the name of the script? (submit without file extension)

The cmdline plugin can be used to display the command-line arguments.

vol.py -f Triage-Memory.mem --profile=Win7SP1x64 cmdline
cmdline plugin output

I used grep to only display the command line with vbs.

vol.py -f Triage-Memory.mem --profile=Win7SP1x64 cmdline | grep vbs

13. An application was run at 2019-03-07 23:06:58 UTC. What is the name of the program? (Include extension)

The shimcache plugin can parse the executable information, such as the application path and when it was last modified or accessed.

vol.py -f Triage-Memory.mem --profile=Win7SP1x64 shimcache
shimcache plugin output

Since the question already provided the time, I used grep to display only the application that was accessed on 2019-03-07 23:06:58.

vol.py -f Triage-Memory.mem --profile=Win7SP1x64 shimcache | grep '2019-03-07 23:06:58'

14. What was written in notepad.exe at the time when the memory dump was captured?

The notepad plugin can recover the text from notepad.exe. I tried using it, but it does not support Win7SP1x64.

vol.py -f Triage-Memory.mem --profile=Win7SP1x64 notepad

There is another plugin, memdump, which can be used to dump the addressable memory of process ID 3032 (notepad.exe).

vol.py -f Triage-Memory.mem --profile=Win7SP1x64 memdump -p 3032 --dump-dir=/home/remnux/Documents

The above command writes the memory of PID 3032 to a file with the .dmp extension (3032.dmp).

strings -e l ./3032.dmp | grep flag

The above command extracts the 16-bit little-endian (UTF-16LE) strings from the file, which is how Notepad stores its text buffer, and grep keeps only the lines containing the word ‘flag’.

The placeholder hints that the answer to this question starts with ‘flag<’. From the image above, we can now determine the answer to this question.

See the image below for the strings options.
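Why the -e l option matters is easier to see on a small buffer. The code below is an added example, not part of the walkthrough or of binutils: it reimplements the string scan for plain ASCII and for UTF-16LE over a constructed byte string that mixes an ASCII path with UTF-16LE Notepad text, and shows that only the UTF-16LE pass finds the 'flag<' marker. Unlike the strings binary, it starts a candidate string at every byte offset, so oddly aligned text in a dump is found as well.

```python
"""Added example: pull UTF-16LE text (what `strings -e l` reports) out of a
process memory dump. Windows GUI apps such as Notepad keep their edit buffer
as UTF-16LE, so an ASCII-only strings pass never sees the text.
The sample buffer below is constructed, not taken from the challenge dump."""
import sys

# Constructed: header junk, an ASCII path, then two UTF-16LE strings with
# filler bytes between them. The 'flag<...>' value is a placeholder.
SAMPLE_DUMP = (
    b"\x00" * 8
    + b"MZ\x90\x00\x03"
    + b"C:\\Windows\\notepad.exe"
    + b"\x00\x00"
    + "flag<constructed_example_text>".encode("utf-16-le")
    + b"\x00\x00\x17\x42"
    + "Untitled - Notepad".encode("utf-16-le")
    + b"\xff"
)


def _printable(b):
    """Printable ASCII plus tab, the character class GNU strings accepts."""
    return 0x20 <= b <= 0x7E or b == 0x09


def strings_ascii(data, min_len=4):
    """Plain `strings`: runs of at least min_len printable bytes."""
    out, run = [], []
    for b in data:
        if _printable(b):
            run.append(chr(b))
        else:
            if len(run) >= min_len:
                out.append("".join(run))
            run = []
    if len(run) >= min_len:
        out.append("".join(run))
    return out


def strings_utf16le(data, min_len=4):
    """`strings -e l`: runs of 16-bit little-endian units whose low byte is
    printable ASCII and whose high byte is zero. Each run ends at the first
    unit that breaks the pattern; scanning resumes from that offset."""
    out = []
    i, n = 0, len(data)
    while i + 1 < n:
        if data[i + 1] == 0 and _printable(data[i]):
            j, run = i, []
            while j + 1 < n and data[j + 1] == 0 and _printable(data[j]):
                run.append(chr(data[j]))
                j += 2
            if len(run) >= min_len:
                out.append("".join(run))
            i = j
        else:
            i += 1
    return out


def grep_strings(found, needle):
    """The `| grep flag` step: keep only strings containing the needle."""
    return [s for s in found if needle in s]


if __name__ == "__main__":
    # Pass a real memdump file (e.g. 3032.dmp) as the first argument; the
    # constructed buffer is used when no file is given.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    print("ascii hits:   ", grep_strings(strings_ascii(data), "flag"))
    print("utf-16le hits:", grep_strings(strings_utf16le(data), "flag"))
```

On the constructed buffer the ASCII pass returns only the path, while the UTF-16LE pass returns the flag placeholder and the window title; on a real 3032.dmp the same two passes show why `strings` without `-e l` comes back empty for Notepad's contents.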

15. What is the short name of the file at file record 59045?

The mftparser plugin will extract and display the Master File Table entries information.

vol.py -f Triage-Memory.mem --profile=Win7SP1x64 mftparser

I used grep to only display the record number 59045.

vol.py -f Triage-Memory.mem --profile=Win7SP1x64 mftparser | grep -C 15 '59045'

The above command shows the Filename and Path of the record number 59045.

16. This box was exploited and is running meterpreter. What was the infected PID?

From the result of the yarascan on question number 6, we can now determine the PID of the infected process.

Plugins: Volatility Foundation GitHub

imageinfo — Identify information for the image
kdbgscan — Search for and dump potential KDBG values
psscan — Pool scanner for process objects
pstree — Print process list as a tree
netscan — Scan a Vista (or later) image for connections and sockets
dlllist — Print a list of loaded dlls for each process
procdump — Dump a process to an executable file sample
hashdump — Dumps passwords hashes (LM/NTLM) from memory
vadinfo — Dump the VAD info
cmdline — Display process command-line arguments
shimcache — Parses the Application Compatibility Shim Cache registry key
notepad — List currently displayed notepad text
memdump — Dump the addressable memory for a process
mftparser — Scans for and parses potential MFT entries
yarascan — Scan process or kernel memory with Yara signatures

Resources:
Youtube channels: Digital Forensics related content

PDF file from Applied Incident Response

Book: The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory

Article about Volatility:
