📘
CAS Cybersecurity
  • Start
  • Reconnaissance
    • Opensource Intelligence
  • Docker basics and Images
    • Damn Vulnerable Webapp
    • bWAPP
    • Juice Webshop
    • Webgoat
    • Metasploitable 2
    • Metasploitable 3
    • MISP Docker (old)
    • MISP Docker (new)
  • Scanning and Enumeration
    • Scanning with zenmap
    • Scanning with nmap
    • Scanning with msf auxiliary
  • Vulnerability Scanning and Analysis
    • OpenVAS
    • nmap vulnerability scan
    • MSF Auxiliary Modules
  • Exploitation
    • Metasploitable 2
    • Redis Server
    • Print Nightmare
    • Baron Samedit
    • Polkit
    • Heartbleed
  • Man in the Middle
    • ARP Cache poisoning
    • RDP MitM Exercise
  • Windows Hacking
    • Throwback Network
      • Entering the breach
      • Exploring the caverns
      • Webshells and you!
      • First Contact
    • WinAttack LAB
      • Module 01
      • Module 02
      • Module 03
      • Module 04
      • Module 05
      • Module 06
      • Module 07
      • Module 08
      • Module 09
      • Module 10
  • Web Application Security
    • Burp Proxy Introduction
    • DVWA
      • DVWA Exercises 1
      • DVWA Exercises 2
      • DVWA Exercises 3
      • DVWA Exercises 4
      • DVWA Exercises 5
      • DVWA Exercises 6
      • DVWA Exercises 7
      • DVWA Exercises 8
  • CTF and Crypto Exercises
    • Cyberchef Challenge
    • HTB Invite Challenge
    • BSides London 2019 Challenge
    • Ninja Sec Challenge
  • Threat Intelligence
    • MISP Exercise 1
    • MISP Exercise 2
    • MISP Exercise 3
    • MISP Exercise 4
    • MISP Exercise 5
    • MISP Exercise 6
    • MISP Exercise 7
    • MISP Exercise 8
    • Virus Total Graph Exercise
    • RFI Incoming!
  • Forensic Exercises
    • Disk Forensics
      • The Sleuth Kit Intro
      • Filecarving with Foremost
      • Filecarving with scalpel
      • Bulk extractor
      • Disk acquisition with dd
      • Disk acquisition with dcfldd
      • Disk acquisition with ewftools
      • Disk acquisition with FTK Imager
      • Mount disk image (raw)
      • Unknown USB Stick
      • USB Stick Filecarving
      • Autopsy Exercise
    • Windows Forensics
      • Bitunlocker
      • Alternate Datastreams
    • Memory Forensics
      • Volatility2 Basics (Linux)
      • Volatility2 Exercise 1
      • Volatility3 Exercise 1
      • Volatility3 Exercise 2
      • Volatility3 Exercise 3
    • Image Forensics
      • Unswirl Image
      • Manual Filecarving 1
      • Manual Filecarving 2
    • Browser Forensics
    • Mail Header Analysis
    • Timestomping Exercise
    • Network Forensics
      • Tshark Exercise
  • Malware Analysis
    • Ransomware
      • General Introduction
      • Ryuk
      • RansomEXX
      • REvil
      • BlackMatter
      • Hades
      • Egregor
      • DoppelPaymer
    • YARA
      • YARA Install
      • yarGen
      • YARA with Cyberchef
      • TCP dump analysis
      • Memory dump analysis
    • Dosfuscated Scripts
  • Android Malware
    • LAB Setup 1
    • LAB Setup 2
    • Android Manifest
    • Android Permissions
    • APP Tracing with Frida
    • AES Key decryption
    • RedAlert
    • BlackRoseLucy
    • Crackme RE Challenge
  • Forensic Readiness
    • Windows Event Logs
    • Windows Sysmon
    • Sysmon: Capture Clipboard
    • Sysmon: Process Injection
    • Ransomware Detection
      • Signature based
  • Live Response
    • Velociraptor P1
    • Velociraptor P2
    • Velociraptor P3
    • Windows Response LAB
      • Lateral Movement Detection
      • Detect persistence
      • Volatility Analysis
Powered by GitBook
On this page
  • 01. Introduction
  • 02. Detect Operating system
  • 03. PSlist und PsTree
  • 04. Netscan plugin
  • 5. Conclusion

Was this helpful?

  1. Forensic Exercises
  2. Memory Forensics

Volatility3 Exercise 2

PreviousVolatility3 Exercise 1NextVolatility3 Exercise 3

Last updated 2 years ago

Was this helpful?

01. Introduction

Your company's webserver and database with critical data were hacked. During live response a memory dump was taken. Your task is to analyze the memory dump and determine whether any malicious program is running.

Tasks:

  1. Discover which operating system the image was taken from.

  2. Discover how you can use environment variables to optimize volatility.

  3. Find malicious process(es)

  4. Find the suspicious connection from the webserver.

Ressources:

02. Detect Operating system

.\vol.py -f 'C:\Pentestlab\MemoryDump\memdump.mem' windows.info  

The output shows that the memdump image is a Windows10. Volatilty2 suggests everytime more than one profile with different versions. Volatility3 seems to have a different profile system.

03. PSlist und PsTree

Processes can be listed with the PSList and PsTree command. I always prefere the PsTree command because you can see the parent / child structure of the processes.

By manually checking the process hierarchy we find out that the processes with the following PIDs have a susipicious hierarchy: 1240 this is the svchost.exe which has a parent of cmd.exe which definately looks suspicious. PID 6288 also svchost, has the other svchost.exe with PID 1240 as partent this also is suspicious.

04. Netscan plugin

Now we can use the windows.netscan plugin to list the network connections.

There is a closed connection to a remote ip 207.154.250.59.

ip:"207.154.250.59",
city:"Frankfurt am Main",
region:"Hesse",
country:"DE",
loc:"50.1025,8.6299",
org:"AS14061 DigitalOcean, LLC",
postal:"60326",
timezone:"Europe/Berlin",
asn:Object,

asn:"AS14061",
name:"DigitalOcean, LLC",
domain:"digitalocean.com",
route:"207.154.240.0/20",

    type:"hosting",

company:Object,

name:"DigitalOcean, LLC",
domain:"digitalocean.com",

    type:"hosting",

privacy:Object,

vpn:false,
proxy:false,
tor:false,
relay:false,
hosting:true,

    service:"",

abuse:Object,

address:"US, NY, New York, 101, Ave of the Americas, 10013",
country:"US",
email:"abuse@digitalocean.com",
name:"DigitalOcean Abuse",
network:"207.154.192.0/18",

    phone:"+1-347-875-6044",

domains:Object,

ip:"207.154.250.59",
total:10,
domains:Array[5],

"wo-tennis.fr",
"squadsix.com",
"ismo-app.fr",
"bam-ticket.com",
"atelier-circourt.fr",

5. Conclusion

The check with the pstree plugin shows that the malicious process has no parent process.

The following processes are likely to be malicious: 1240 and 6288 because of the late start times, incorrect parent processes and the network connection to a server in the internet belonging to digital ocean.

MemoryForensic.zipDropbox
Memory Image
Volatility 3 CheatSheetonfvp
Volatility Cheatsheet
Logo
Logo