Volatility3 Exercise 3

Volatility 03 Exercise

01. Introduction

You are given a memorydump of a machine which was infected by a malware. All you know is the IP address of the C&C (command&control) server the malware connects to.

Requirements:

  • the memory dump (see resources)

  • Volatility

  • the IP of the C&C server: 80.74.140.117

Resources:

Logomemdump.zipDropbox
Memory Dump
LogoVolatility 3 CheatSheetonfvp
Volatility Cheatsheet

02. Detect OS Version

.\vol.py -f 'C:\Pentestlab\MemoryDump\memdump.mem' windows.info

02.1 Check network connections

.\vol.py -f 'C:\Pentestlab\MemoryDump\memdump.mem' windows.netscan.NetScan

We will see the given suspicious IP address and its port its connecting to 80.74.140.117:5555. After the line we also see that a service pid 1892 is listed.

02.2 PStree

.\vol.py -f 'C:\Pentestlab\MemoryDump\memdump.mem' windows.pstree.PsTree

03 FLAG

Process ID is 1892 and Remoteport 5555

1892;5555

PreviousVolatility3 Exercise 2NextImage Forensics

Last updated

Was this helpful?