Volatility3 Exercise 3

Volatility 03 Exercise

01. Introduction

You are given a memory dump of a machine that was infected by malware. All you know is the IP address of the C&C (command and control) server the malware connects to.

Requirements:

  • the memory dump (see resources)

  • Volatility

  • the IP of the C&C server: 80.74.140.117

Resources:

02. Detect OS Version

.\vol.py -f 'C:\Pentestlab\MemoryDump\memdump.mem' windows.info

02.1 Check network connections

.\vol.py -f 'C:\Pentestlab\MemoryDump\memdump.mem' windows.netscan.NetScan

In the output we find the given suspicious IP address together with the remote port it is connecting to, 80.74.140.117:5555. Further along the same line we also see the PID of the owning process, 1892.

02.2 PStree

.\vol.py -f 'C:\Pentestlab\MemoryDump\memdump.mem' windows.pstree.PsTree
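Scrolling through NetScan output by hand does not scale, so here is an added helper (not part of the exercise or of Volatility) that parses the tab-separated table the Volatility 3 renderer prints, keeps only rows whose foreign address is the known C&C IP, and builds the `PID;remote port` answer from them. The netscan rows below are constructed; only the C&C address, port and PID come from this write-up, the process name and timestamps are placeholders.

```python
import sys
from typing import Dict, List

CNC_IP = "80.74.140.117"  # the C&C address given in the exercise

# Constructed sample of `windows.netscan.NetScan` output (tab-separated columns,
# as the default Volatility 3 text renderer prints them). Everything except the
# C&C IP, remote port 5555 and PID 1892 is a placeholder, not taken from the dump.
SAMPLE_NETSCAN = (
    "Volatility 3 Framework 2.5.0\n"
    "Offset\tProto\tLocalAddr\tLocalPort\tForeignAddr\tForeignPort\tState\tPID\tOwner\tCreated\n"
    "0x1a2b3c\tTCPv4\t0.0.0.0\t135\t0.0.0.0\t0\tLISTENING\t700\tsvchost.exe\t2020-01-01 10:00:00.000000\n"
    "0x1a2b4c\tTCPv4\t10.0.0.5\t49180\t80.74.140.117\t5555\tESTABLISHED\t1892\tservice.exe\t2020-01-01 10:05:00.000000\n"
    "0x1a2b5c\tUDPv4\t10.0.0.5\t137\t*\t0\t-\t4\tSystem\t2020-01-01 09:59:00.000000\n"
    "0x1a2b6c\tTCPv4\t10.0.0.5\t49190\t80.74.140.117\t5555\tCLOSE_WAIT\t1892\tservice.exe\t2020-01-01 10:06:00.000000\n"
)


def parse_netscan(text: str) -> List[Dict[str, str]]:
    """Turn NetScan table output into one dict per row, keyed by the header names."""
    rows: List[Dict[str, str]] = []
    header = None
    for line in text.splitlines():
        fields = line.split("\t")
        if header is None:
            # Skip the framework banner until the real column header shows up.
            if "ForeignAddr" in fields and "PID" in fields:
                header = fields
            continue
        if len(fields) < len(header):
            continue  # truncated or blank line
        rows.append(dict(zip(header, fields)))
    return rows


def connections_to(rows: List[Dict[str, str]], ip: str) -> List[Dict[str, str]]:
    """All socket rows whose foreign (remote) address is the given IP."""
    return [r for r in rows if r["ForeignAddr"] == ip]


def flag_for(rows: List[Dict[str, str]], ip: str) -> str:
    """Build 'PID;remote port'. Fails loudly if the IP is absent or maps to several PID/port pairs."""
    hits = connections_to(rows, ip)
    if not hits:
        raise LookupError(f"no connection to {ip} in netscan output")
    pairs = {(r["PID"], r["ForeignPort"]) for r in hits}
    if len(pairs) != 1:
        raise ValueError(f"ambiguous PID/port pairs for {ip}: {sorted(pairs)}")
    pid, port = pairs.pop()
    return f"{pid};{port}"


if __name__ == "__main__":
    # Pipe real output in: .\vol.py -f memdump.mem windows.netscan.NetScan | python netscan_cnc.py
    text = SAMPLE_NETSCAN if sys.stdin.isatty() else sys.stdin.read()
    print(flag_for(parse_netscan(text), CNC_IP))
```

Run it on the real dump by piping the NetScan output into the script; the PID it reports is the one to look up in the PsTree output above.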

03 FLAG

The process ID is 1892 and the remote port is 5555.

1892;5555
