# Volatility3 Exercise 2

### 01. Introduction

> Your company's webserver and database with critical data were hacked. During live response a memory dump was taken. Your task is to analyze the memory dump and determine whether any malicious program is running.

Tasks:

1. Discover which operating system the image was taken from.
2. Discover how you can use environment variables to optimize volatility.
3. Find malicious process(es)
4. Find the suspicious connection from the webserver.

Ressources:

{% embed url="<https://www.dropbox.com/s/j1c4hec9ds3q8y2/MemoryForensic.zip?dl=0>" %}
Memory Image
{% endembed %}

{% embed url="<https://blog.onfvp.com/post/volatility-cheatsheet/>" %}
Volatility Cheatsheet
{% endembed %}

### 02. Detect Operating system

```
.\vol.py -f 'C:\Pentestlab\MemoryDump\memdump.mem' windows.info  
```

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FHPvgduF9AnJlNCTdIRWS%2Fwininfo01.png?alt=media&#x26;token=a43f072f-bed4-45da-8ec6-718a1a7a2a83" alt=""></div>

The output shows that the memdump image is a Windows10. Volatilty2 suggests everytime more than one profile with different versions. Volatility3 seems to have a different profile system.

### 03. PSlist und PsTree

Processes can be listed with the `PSList` and `PsTree` command. I always prefere the `PsTree` command because you can see the parent / child structure of the processes.

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FzIXyy2tYIi5fQglL7ADs%2Fpslist01.png?alt=media&#x26;token=2c1f624b-bd7b-4e58-968a-ca232f4395bb" alt=""></div>

By manually checking the process hierarchy we find out that the processes with the following PIDs have a susipicious hierarchy: `1240` this is the `svchost.exe` which has a parent of cmd.exe which definately looks suspicious. `PID 6288` also svchost, has the other svchost.exe with `PID 1240` as partent this also is suspicious.

### 04. Netscan plugin

Now we can use the `windows.netscan` plugin to list the network connections.

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FcRc9nDmRQkErj1u2AxYf%2Fnetscan01.png?alt=media&#x26;token=70973727-2599-4454-8abb-8c1cadde7603" alt=""></div>

There is a closed connection to a remote ip `207.154.250.59`.

```
ip:"207.154.250.59",
city:"Frankfurt am Main",
region:"Hesse",
country:"DE",
loc:"50.1025,8.6299",
org:"AS14061 DigitalOcean, LLC",
postal:"60326",
timezone:"Europe/Berlin",
asn:Object,

asn:"AS14061",
name:"DigitalOcean, LLC",
domain:"digitalocean.com",
route:"207.154.240.0/20",

    type:"hosting",

company:Object,

name:"DigitalOcean, LLC",
domain:"digitalocean.com",

    type:"hosting",

privacy:Object,

vpn:false,
proxy:false,
tor:false,
relay:false,
hosting:true,

    service:"",

abuse:Object,

address:"US, NY, New York, 101, Ave of the Americas, 10013",
country:"US",
email:"abuse@digitalocean.com",
name:"DigitalOcean Abuse",
network:"207.154.192.0/18",

    phone:"+1-347-875-6044",

domains:Object,

ip:"207.154.250.59",
total:10,
domains:Array[5],

"wo-tennis.fr",
"squadsix.com",
"ismo-app.fr",
"bam-ticket.com",
"atelier-circourt.fr",
```

### 5. Conclusion

The check with the pstree plugin shows that the malicious process has no parent process.

The following processes are likely to be malicious: `1240` and `6288` because of the late start times, incorrect parent processes and the network connection to a server in the internet belonging to `digital ocean`.