Room link –> https://tryhackme.com/room/forensics.
Task 1 - Volatility forensics
This is a memory dump of the infected system. Download the file attached to this Task. The MD5 hash of the uncompressed file is: ba44c4b977d28132faeb5fb8b06debce
For this room I used volatility 3.
Reference –> Volatility 3 useful commands list.
Verify md5 hash
md5sum victim.raw
ba44c4b977d28132faeb5fb8b06debce victim.raw
What is the Operating System of this Dump file? (OS name)
In Volatility 3 --profile
option was deprecated so you can execute vol.py -f victim.raw windows.info
.
windows
What is PID of SearchIndexer?
vol.py -f victim.raw windows.pslist | grep SearchIndexer
(remove grep to see effective output layout).
2180
What is the last directory accessed by the user? (The last folder name as it is?)
Use previous version of volatility and launch volatility -f victim.raw --profile=Win7SP1x64 shellbags | sort -k 6
like in this write-up.
deleted_files
Task 2
Dig a little more…
There are many suspicious open ports; which one is it? (ANSWER format: protocol:port)
vol -f victim.raw windows.netscan
udp:5005
Vads tag and execute protection are strong indicators of malicious processes; can you find which they are? (ANSWER format: Pid1;Pid2;Pid3)
We can use malfind plugin which lists process memory ranges that potentially contain injected code.
vol -f victim.raw windows.malfind
1860;1820;2464
Task 3 - IOC SAGA
In the previous task, you identified malicious processes, so let’s dig into them and find some Indicator of Compromise (IOC). You just need to find them and fill in the blanks (You may search for them on VirusTotal to discover more details).
First-of-all dump malicious processes.
I found answers into 1820 PID: vol -f victim.ram windows.memmap --pid 1820 --dump
.
strings pid.1820.dmp | grep www.go | grep .ru
www.goporn.ru
strings pid.1820.dmp | grep www.i | grep .com
www.ikaka.com
strings pid.1820.dmp | grep www.ic | grep .com
www.icsalabs.com
strings pid.1820.dmp | grep 202. | grep .233.
202.107.233.211
strings pid.1820.dmp | grep .200. | grep .164
209.200.12.164
strings pid.1820.dmp | grep 209. | grep .190.
209.190.122.186
vol -f victim.raw windows.envars --pid 2464
OANOCACHE