Volatility3 Exercise 3
01. Introduction
You are given a memory dump of a machine that was infected by malware. All you know is the IP address of the C&C (command and control) server the malware connects to.
Requirements:
the memory dump (see resources)
Volatility
the IP of the C&C server: 80.74.140.117
Resources:
02. Detect OS Version
.\vol.py -f 'C:\Pentestlab\MemoryDump\memdump.mem' windows.info

02.1 Check network connections
.\vol.py -f 'C:\Pentestlab\MemoryDump\memdump.mem' windows.netscan.NetScan

In the output we find the suspicious IP address together with the port the malware connects to, 80.74.140.117:5555. On the same line, the process that owns the connection is listed with PID 1892.
02.2 PsTree
.\vol.py -f 'C:\Pentestlab\MemoryDump\memdump.mem' windows.pstree.PsTree
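
The two steps above (netscan, then pstree) can be correlated in a few lines of Python. The script below is an added example and is not part of the original exercise: it assumes both plugins were run with Volatility 3's JSON renderer (`-r json`), that the column names match the plugins' table headers, and that pstree's JSON nests child processes under `"__children"`. The netscan rows, process names (such as `updater.exe`) and tree are constructed sample data, not output from the exercise's memory dump; only the C&C address and the `1892;5555` answer come from the page.

```python
"""
Added example (not from the original exercise): correlate Volatility 3
windows.netscan and windows.pstree JSON output against a known C&C address
to recover the owning PID, the remote port and the process's parent chain.
Assumptions: JSON renderer (-r json), header-named columns, children nested
under "__children". All records below are constructed sample data.
"""
import json

C2_IP = "80.74.140.117"  # the only value taken from the exercise

# Constructed netscan rows: one object per connection, as the JSON renderer emits.
NETSCAN_JSON = json.dumps([
    {"Offset": "0xe00112340010", "Proto": "TCPv4", "LocalAddr": "192.168.56.101",
     "LocalPort": 49710, "ForeignAddr": "80.74.140.117", "ForeignPort": 5555,
     "State": "ESTABLISHED", "PID": 1892, "Owner": "updater.exe",
     "Created": "2021-03-01 09:12:44.000000"},
    {"Offset": "0xe00112340020", "Proto": "TCPv4", "LocalAddr": "192.168.56.101",
     "LocalPort": 49711, "ForeignAddr": "13.107.4.50", "ForeignPort": 443,
     "State": "ESTABLISHED", "PID": 2480, "Owner": "chrome.exe",
     "Created": "2021-03-01 09:13:02.000000"},
    {"Offset": "0xe00112340030", "Proto": "UDPv4", "LocalAddr": "0.0.0.0",
     "LocalPort": 5353, "ForeignAddr": "*", "ForeignPort": 0, "State": "",
     "PID": 1100, "Owner": "svchost.exe", "Created": "2021-03-01 09:01:10.000000"},
])

# Constructed pstree output: processes nested under "__children" (assumed key).
PSTREE_JSON = json.dumps([
    {"PID": 4, "PPID": 0, "ImageFileName": "System", "__children": [
        {"PID": 500, "PPID": 4, "ImageFileName": "wininit.exe", "__children": [
            {"PID": 600, "PPID": 500, "ImageFileName": "services.exe", "__children": [
                {"PID": 1100, "PPID": 600, "ImageFileName": "svchost.exe", "__children": []},
                {"PID": 1892, "PPID": 600, "ImageFileName": "updater.exe", "__children": []},
            ]},
        ]},
    ]},
    {"PID": 2400, "PPID": 2300, "ImageFileName": "explorer.exe", "__children": [
        {"PID": 2480, "PPID": 2400, "ImageFileName": "chrome.exe", "__children": []},
    ]},
])


def find_c2_connections(netscan_json, c2_ip):
    """Return every netscan row whose foreign address is the C&C IP."""
    hits = []
    for row in json.loads(netscan_json):
        if row.get("ForeignAddr") == c2_ip:
            hits.append({"pid": row["PID"], "owner": row["Owner"],
                         "proto": row["Proto"], "remote_port": row["ForeignPort"],
                         "state": row["State"]})
    return hits


def flatten_pstree(pstree_json):
    """Walk the nested pstree JSON and return {pid: (image name, ppid)}."""
    procs = {}

    def walk(nodes):
        for node in nodes:
            procs[node["PID"]] = (node["ImageFileName"], node["PPID"])
            walk(node.get("__children", []))

    walk(json.loads(pstree_json))
    return procs


def ancestry(pid, procs):
    """Return 'name(pid)' entries from the given process up to the root."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:  # `seen` guards against PPID loops
        seen.add(pid)
        name, ppid = procs[pid]
        chain.append(f"{name}({pid})")
        pid = ppid
    return chain


def exercise_flag(hits):
    """Build the exercise's '<pid>;<remote port>' answer from the first C&C hit."""
    if not hits:
        return None
    return f"{hits[0]['pid']};{hits[0]['remote_port']}"


if __name__ == "__main__":
    hits = find_c2_connections(NETSCAN_JSON, C2_IP)
    procs = flatten_pstree(PSTREE_JSON)
    for hit in hits:
        print(f"{hit['proto']} {hit['state']} -> {C2_IP}:{hit['remote_port']} "
              f"owned by PID {hit['pid']} ({hit['owner']})")
        print("  parent chain:", " <- ".join(ancestry(hit["pid"], procs)))
    print("flag:", exercise_flag(hits))
```

On a real dump, replace the two constructed JSON strings with the files written by `.\vol.py -f <dump> -r json windows.netscan.NetScan > netscan.json` and the equivalent pstree command; the parent chain is what makes the pstree step worthwhile, since a process talking to the C&C under an unexpected parent is the detail worth recording in the report.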

03 FLAG
The process ID is 1892 and the remote port is 5555
1892;5555