# Volatility3 Exercise 3

## Volatility 03 Exercise

### 01. Introduction

> You are given a memory dump of a machine which was infected by malware. All you know is the IP address of the C\&C (command\&control) server the malware connects to.

Requirements:

* the memory dump (see resources)
* Volatility
* the IP of the C\&C server: `80.74.140.117`

Resources:

{% embed url="<https://www.dropbox.com/s/z6mgo7w6gq5bdj5/memdump.zip?dl=0>" %}
Memory Dump
{% endembed %}

{% embed url="<https://blog.onfvp.com/post/volatility-cheatsheet/>" %}
Volatility Cheatsheet
{% endembed %}

### 02. Detect OS Version

```
.\vol.py -f 'C:\Pentestlab\MemoryDump\memdump.mem' windows.info  
```

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FeaCudE4hGE0NwMmirICP%2Fwininfo02.png?alt=media\&token=e1722904-aa75-424b-940e-74df725fa7c4)

### 02.1 Check network connections

```
.\vol.py -f 'C:\Pentestlab\MemoryDump\memdump.mem' windows.netscan.NetScan 
```

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FTiiY0pZZeWmaNgMlWTVR%2Fnetscan02.png?alt=media\&token=5b11c96f-9036-429f-9d3e-7426a1656f26)

In the netscan output we find the given suspicious IP address together with the port the connection goes to, `80.74.140.117:5555`. Further along the same line the owning process is listed: `pid 1892`.

### 02.2 PStree

```
.\vol.py -f 'C:\Pentestlab\MemoryDump\memdump.mem' windows.pstree.PsTree 
```

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FfH9tKrqaXcCNiTxG2Pjs%2Fpstree01.png?alt=media\&token=6b36a55c-9cc1-4b4c-9a4f-d40ea81344c4)

### 03. FLAG

The process ID is 1892 and the remote port is 5555:

1892;5555
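The netscan step and the flag format above can be automated. The following is an added example (not part of the exercise and not Volatility code) that parses the tab-separated text of `windows.netscan.NetScan`, filters on the given C\&C address and builds the `<pid>;<remote port>` answer; the sample output embedded in it is constructed, with placeholder offsets, owner names and timestamps.

```python
C2_IP = "80.74.140.117"   # the C&C address given in the exercise
# Constructed sample of `windows.netscan.NetScan` output in Volatility 3's
# tab-separated layout. Offsets, local addresses, owner names and timestamps
# are placeholders; only the C&C line carries the values found in the exercise.
SAMPLE_NETSCAN = """Volatility 3 Framework 2.4.1
Progress:  100.00\t\tPDB scanning finished
Offset\tProto\tLocalAddr\tLocalPort\tForeignAddr\tForeignPort\tState\tPID\tOwner\tCreated

0xe000a1b2c010\tTCPv4\t0.0.0.0\t445\t0.0.0.0\t0\tLISTENING\t4\tSystem\t2021-03-01 09:58:10.000000
0xe000a1b2c450\tUDPv4\t0.0.0.0\t123\t*\t0\t\t1020\tsvchost.exe\t2021-03-01 09:58:11.000000
0xe000a1b2c880\tTCPv4\t10.0.2.15\t49170\t80.74.140.117\t5555\tESTABLISHED\t1892\tplaceholder.exe\t2021-03-01 10:02:33.000000
0xe000a1b2cd10\tTCPv4\t10.0.2.15\t49171\t203.0.113.5\t443\tCLOSE_WAIT\t2244\tbrowser.exe\t2021-03-01 10:03:01.000000
"""

INT_COLS = ("LocalPort", "ForeignPort", "PID")

def parse_netscan(text: str) -> list[dict]:
    """Turn netscan text into one dict per socket; the header line names the columns.
    Splitting on tabs (not whitespace) keeps empty columns such as a blank State."""
    lines = text.splitlines()
    header_idx = next(i for i, l in enumerate(lines) if l.startswith("Offset\t"))
    cols = lines[header_idx].split("\t")
    rows = []
    for line in lines[header_idx + 1:]:
        fields = line.split("\t")
        if len(fields) != len(cols):      # blank lines, progress noise, truncated rows
            continue
        row = dict(zip(cols, fields))
        for col in INT_COLS:
            row[col] = int(row[col])
        rows.append(row)
    return rows

def find_c2_connections(text: str, c2_ip: str) -> list[dict]:
    """Every socket whose foreign address is the known C&C server."""
    return [r for r in parse_netscan(text) if r["ForeignAddr"] == c2_ip]

def flag(text: str, c2_ip: str) -> str:
    """The exercise's answer format, '<pid>;<remote port>', for the single C&C socket."""
    hits = find_c2_connections(text, c2_ip)
    if len(hits) != 1:
        raise ValueError(f"expected exactly one socket to {c2_ip}, found {len(hits)}")
    return f'{hits[0]["PID"]};{hits[0]["ForeignPort"]}'

if __name__ == "__main__":
    for r in find_c2_connections(SAMPLE_NETSCAN, C2_IP):
        print(f'PID {r["PID"]} ({r["Owner"]}) {r["LocalAddr"]}:{r["LocalPort"]} -> '
              f'{r["ForeignAddr"]}:{r["ForeignPort"]} {r["State"]}')
    print(flag(SAMPLE_NETSCAN, C2_IP))  # 1892;5555
```

To run it against the real dump, save the plugin's output to a file (`.\vol.py -f memdump.mem windows.netscan.NetScan > netscan.txt`) and pass its contents instead of `SAMPLE_NETSCAN`.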
