Reminiscent

The first thing we have to do is identify the image profile so we can proceed with our analysis.

We will use the imageinfo plugin:

vol.py -f flounder-pc-memdump.elf imageinfo
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_23418
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : VirtualBoxCoreDumpElf64 (Unnamed AS)
                     AS Layer3 : FileAddressSpace (/home/infosec/dumps/mem_dumps/01/flounder-pc-memdump.elf)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf800027fe0a0L
          Number of Processors : 2
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff800027ffd00L
                KPCR for CPU 1 : 0xfffff880009eb000L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2017-10-04 18:07:30 UTC+0000
     Image local date and time : 2017-10-04 11:07:30 -0700

First we list the processes as a tree using the pstree plugin:

remnux@remnux:~/ctf/memoryctf/reminiscent$ vol.py --profile=Win7SP1x64 -f flounder-pc-memdump.elf pstree 
Name                                                  Pid   PPid   Thds   Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
 0xfffffa800169bb30:csrss.exe                         348    328      9    416 2017-10-04 18:04:29 UTC+0000
 0xfffffa8001f63b30:wininit.exe                       376    328      3     77 2017-10-04 18:04:29 UTC+0000
. 0xfffffa8001ff2b30:lsass.exe                        492    376      8    590 2017-10-04 18:04:30 UTC+0000
. 0xfffffa8001fcdb30:services.exe                     476    376     11    201 2017-10-04 18:04:29 UTC+0000
.. 0xfffffa8002204960:svchost.exe                     384    476     17    386 2017-10-04 18:04:30 UTC+0000
... 0xfffffa8001efa500:csrss.exe                      396    384      9    283 2017-10-04 18:04:29 UTC+0000
.... 0xfffffa8000e90060:conhost.exe                  2772    396      2     55 2017-10-04 18:06:58 UTC+0000
... 0xfffffa8001f966d0:winlogon.exe                   432    384      4    112 2017-10-04 18:04:29 UTC+0000
.. 0xfffffa80021044a0:svchost.exe                     792    476     21    443 2017-10-04 18:04:30 UTC+0000
.. 0xfffffa800209bb30:VBoxService.ex                  664    476     12    118 2017-10-04 18:04:30 UTC+0000
.. 0xfffffa800217cb30:svchost.exe                     900    476     41    977 2017-10-04 18:04:30 UTC+0000
.. 0xfffffa8002294b30:spoolsv.exe                    1052    476     13    277 2017-10-04 18:04:31 UTC+0000
.. 0xfffffa8002122060:sppsvc.exe                     1840    476      4    145 2017-10-04 18:04:37 UTC+0000
.. 0xfffffa80021b4060:SearchIndexer.                 1704    476     16    734 2017-10-04 18:04:47 UTC+0000
... 0xfffffa80023ed550:SearchFilterHo                 812   1704      4     92 2017-10-04 18:04:48 UTC+0000
... 0xfffffa80024f4b30:SearchProtocol                1960   1704      6    311 2017-10-04 18:04:48 UTC+0000
.. 0xfffffa80021ccb30:svchost.exe                     988    476     13    286 2017-10-04 18:04:30 UTC+0000
.. 0xfffffa8002390620:svchost.exe                    1196    476     28    333 2017-10-04 18:04:31 UTC+0000
.. 0xfffffa800096eb30:wmpnetwk.exe                   2248    476     18    489 2017-10-04 18:06:33 UTC+0000
.. 0xfffffa8002245060:taskhost.exe                   1720    476      8    148 2017-10-04 18:04:36 UTC+0000
.. 0xfffffa80022bbb30:svchost.exe                    1092    476     19    321 2017-10-04 18:04:31 UTC+0000
.. 0xfffffa8000945060:svchost.exe                    2120    476     12    335 2017-10-04 18:06:32 UTC+0000
.. 0xfffffa8002001b30:svchost.exe                     600    476     12    360 2017-10-04 18:04:30 UTC+0000
... 0xfffffa8000801b30:WmiPrvSE.exe                  2924    600     10    204 2017-10-04 18:06:26 UTC+0000
... 0xfffffa8000930b30:WmiPrvSE.exe                   592    600      9    127 2017-10-04 18:06:35 UTC+0000
.. 0xfffffa8002166b30:svchost.exe                     868    476     21    429 2017-10-04 18:04:30 UTC+0000
... 0xfffffa80022c8060:dwm.exe                       2020    868      4     72 2017-10-04 18:04:41 UTC+0000
.. 0xfffffa80020b5b30:svchost.exe                     728    476      7    270 2017-10-04 18:04:30 UTC+0000
. 0xfffffa8001fffb30:lsm.exe                          500    376     11    150 2017-10-04 18:04:30 UTC+0000
 0xfffffa80006b7040:System                              4      0     83    477 2017-10-04 18:04:27 UTC+0000
. 0xfffffa8001a63b30:smss.exe                         272      4      2     30 2017-10-04 18:04:27 UTC+0000
 0xfffffa80020bb630:explorer.exe                     2044   2012     36    926 2017-10-04 18:04:41 UTC+0000
. 0xfffffa80022622e0:VBoxTray.exe                    1476   2044     13    146 2017-10-04 18:04:42 UTC+0000
. 0xfffffa80007e0b30:thunderbird.ex                  2812   2044     50    534 2017-10-04 18:06:24 UTC+0000
. 0xfffffa800224e060:powershell.exe                   496   2044     12    300 2017-10-04 18:06:58 UTC+0000
.. 0xfffffa8000839060:powershell.exe                 2752    496     20    396 2017-10-04 18:07:00 UTC+0000

We can see that explorer.exe is suspicious, since it has a powershell.exe process as a child, which means the attacker executed PowerShell commands on the machine and traces of them should still be in memory.
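The parent/child reasoning above (a script host started by explorer.exe, which then spawns a second powershell.exe) can be scripted over the pstree output so it does not depend on spotting one line by eye. The following is an added example, not part of the original writeup; it parses a constructed excerpt in the pstree layout shown above, flags interpreters whose parent is a user-facing application or another interpreter, and walks the ancestry of a pid. The watch-lists (INTERPRETERS, USER_FACING) are assumptions chosen for illustration. One caveat it handles: Volatility 2 prints the 14-character _EPROCESS image name, so "thunderbird.exe" appears as "thunderbird.ex" and names must be matched by prefix.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed excerpt in the layout of Volatility 2 pstree output (not the full listing).
PSTREE_SAMPLE = """\
Name                                                  Pid   PPid   Thds   Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
 0xfffffa8001fcdb30:services.exe                     476    376     11    201 2017-10-04 18:04:29 UTC+0000
.. 0xfffffa8002204960:svchost.exe                     384    476     17    386 2017-10-04 18:04:30 UTC+0000
 0xfffffa80020bb630:explorer.exe                     2044   2012     36    926 2017-10-04 18:04:41 UTC+0000
. 0xfffffa80007e0b30:thunderbird.ex                  2812   2044     50    534 2017-10-04 18:06:24 UTC+0000
. 0xfffffa800224e060:powershell.exe                   496   2044     12    300 2017-10-04 18:06:58 UTC+0000
.. 0xfffffa8000839060:powershell.exe                 2752    496     20    396 2017-10-04 18:07:00 UTC+0000
"""


@dataclass
class Proc:
    name: str
    pid: int
    ppid: int
    started: str


# Leading dots are the tree depth; the image name follows the _EPROCESS address.
LINE_RE = re.compile(r"^[. ]*0x[0-9a-fA-F]+:(\S+)\s+(\d+)\s+(\d+)\s+\d+\s+\d+\s+(.+?)\s*$")


def parse_pstree(text: str) -> Dict[int, Proc]:
    """Map pid -> Proc for every process line; header and separator lines are skipped."""
    procs: Dict[int, Proc] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            name, pid, ppid, started = m.groups()
            procs[int(pid)] = Proc(name, int(pid), int(ppid), started)
    return procs


# Assumed watch-lists: script hosts that a desktop application rarely has reason to start,
# and parents that represent a user action (double-click, opening mail or a document).
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
USER_FACING = {"explorer.exe", "thunderbird.exe", "outlook.exe", "winword.exe", "excel.exe"}


def same_image(shown: str, full: str) -> bool:
    """Volatility 2 prints the 14-char ImageFileName, so 'thunderbird.exe' shows as 'thunderbird.ex'."""
    return shown == full or (len(shown) == 14 and full.startswith(shown))


def in_set(name: str, names) -> bool:
    return any(same_image(name, n) for n in names)


def find_suspicious_spawns(procs: Dict[int, Proc]) -> List[str]:
    """Flag interpreters whose parent is a user-facing app or another interpreter."""
    findings: List[str] = []
    for p in sorted(procs.values(), key=lambda x: x.pid):
        parent = procs.get(p.ppid)
        if parent is None or not in_set(p.name, INTERPRETERS):
            continue
        if in_set(parent.name, USER_FACING | INTERPRETERS):
            findings.append(f"{parent.name} ({parent.pid}) -> {p.name} ({p.pid}) at {p.started}")
    return findings


def ancestry(procs: Dict[int, Proc], pid: int) -> List[str]:
    """Walk ppid links back to the highest ancestor present in the listing."""
    chain: List[str] = []
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid].name)
        pid = procs[pid].ppid
    return chain[::-1]


if __name__ == "__main__":
    procs = parse_pstree(PSTREE_SAMPLE)
    for finding in find_suspicious_spawns(procs):
        print(finding)
    print(" -> ".join(ancestry(procs, 2752)))
```

Run against the real listing by piping `vol.py ... pstree` output into parse_pstree; the same parent/child check also catches powershell.exe spawning a second powershell.exe, as happens here with pid 2752.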

First Method:

We have the resume email that was sent to the victim; looking at it, we can see that the victim downloaded a resume zip file from the attacker's server. So we can use the filescan plugin to list all the files in memory and then search for the resume file using grep:

vol.py --profile=Win7SP1x64 -f flounder-pc-memdump.elf filescan > filescan.txt
remnux@remnux:~/ctf/memoryctf/reminiscent$ cat filescan.txt | grep resume
0x000000001e1f6200      1      0 R--r-- \Device\HarddiskVolume2\Users\user\Desktop\resume.pdf.lnk
0x000000001e8feb70      1      1 R--rw- \Device\HarddiskVolume2\Users\user\Desktop\resume.pdf.lnk

Now we will use the dumpfiles plugin to extract those files from memory, using the -Q option to select the offsets:

remnux@remnux:~/ctf/memoryctf/reminiscent$ vol.py --profile=Win7SP1x64 -f flounder-pc-memdump.elf dumpfiles -Q 0x000000001e1f6200,0x000000001e8feb70 --dump-dir=/home/remnux/ctf/memoryctf/reminiscent/dumpedResumes/

Looking at the dumped resume.pdf.lnk, we can see that it runs PowerShell commands: the first base64-encoded text contains code that extracts another payload and executes it using Invoke-Expression (iex).

Decoding the second, larger base64-encoded text reveals the flag.
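The two-layer decoding described above (an encoded command whose script decodes and iex's a second blob) is a common enough pattern to automate. This is an added example, not code from the original writeup: it finds base64 runs in a text, decodes each one trying UTF-16LE first (what -EncodedCommand uses) and UTF-8 second (what inline FromBase64String blobs usually are), recurses into whatever decodes to readable text, and then searches the layers for a NAME{...} style marker. The sample command is constructed in the block itself; the marker regex and the 40-character minimum run length are assumptions to adjust for other cases.

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple

# Candidate base64 runs: long enough to skip ordinary identifiers (assumed threshold).
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# CTF-style marker such as NAME{...}; adjust to the flag format in use (assumed).
MARKER_RE = re.compile(r"\b[A-Z]{2,}\{[^}\s]+\}")


def looks_like_text(s: str) -> bool:
    """Accept a decoding only if it is almost entirely printable ASCII.

    This rejects the CJK-looking garbage you get from reading UTF-8 bytes as UTF-16LE,
    and the NUL-riddled string you get from reading UTF-16LE bytes as UTF-8."""
    if not s:
        return False
    ok = sum(1 for c in s if 32 <= ord(c) < 127 or c in "\r\n\t")
    return ok / len(s) >= 0.95


def decode_blob(blob: str) -> Optional[str]:
    """Base64-decode, then try UTF-16LE (-EncodedCommand) before UTF-8 (FromBase64String blobs)."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    for enc in ("utf-16-le", "utf-8"):
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        if looks_like_text(text):
            return text
    return None


def peel_layers(text: str, depth: int = 0, max_depth: int = 5) -> List[Tuple[int, str]]:
    """Return (layer_number, decoded_text) for every blob, recursing into what it decodes to."""
    layers: List[Tuple[int, str]] = []
    if depth >= max_depth:
        return layers
    for m in B64_RE.finditer(text):
        decoded = decode_blob(m.group(0))
        if decoded is None:
            continue
        layers.append((depth + 1, decoded))
        layers.extend(peel_layers(decoded, depth + 1, max_depth))
    return layers


def find_markers(layers: List[Tuple[int, str]]) -> List[str]:
    """Collect unique NAME{...} markers across all decoded layers."""
    found: List[str] = []
    for _, text in layers:
        for m in MARKER_RE.finditer(text):
            if m.group(0) not in found:
                found.append(m.group(0))
    return found


# Constructed two-layer sample mirroring the structure described above: an -EncodedCommand
# (UTF-16LE) whose script decodes a second, UTF-8 base64 blob and hands it to iex.
INNER = "Write-Output 'CTF{constructed_placeholder}'"
INNER_B64 = base64.b64encode(INNER.encode()).decode()
OUTER = ("$s = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('"
         + INNER_B64 + "')); iex $s")
OUTER_B64 = base64.b64encode(OUTER.encode("utf-16-le")).decode()
SAMPLE_COMMAND = "powershell.exe -EncodedCommand " + OUTER_B64


if __name__ == "__main__":
    layers = peel_layers(SAMPLE_COMMAND)
    for n, layer in layers:
        print(f"layer {n}: {layer}")
    print("markers:", find_markers(layers))
```

For the dumped shortcut, feed the text extracted from the file (for example via `strings`) to peel_layers; the encoding order matters, since an -EncodedCommand blob read as UTF-8 is unreadable and would otherwise be discarded.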

Second Method:

WinEVT Logs:

There is another way to get the flag: looking at the winevt PowerShell Operational log, since we know that a PowerShell payload was executed by the attacker.

Using the filescan output we generated earlier, we can search for the PowerShell logs using grep:

remnux@remnux:~/ctf/memoryctf/reminiscent$ cat filescan.txt | grep -i "operational"
0x000000001e0816a0      7      1 RW-r-- \Device\HarddiskVolume2\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx
0x000000001e14f070     18      1 RW-r-- \Device\HarddiskVolume2\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkAccessProtection%4Operational.evtx
0x000000001e247d50     18      1 RW-r-- \Device\HarddiskVolume2\Windows\System32\winevt\Logs\Microsoft-Windows-NCSI%4Operational.evtx
0x000000001e28d070     19      1 RW-r-- \Device\HarddiskVolume2\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx
0x000000001e308b70     19      1 RW-r-- \Device\HarddiskVolume2\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkProfile%4Operational.evtx
0x000000001e309f20     19      1 RW-r-- \Device\HarddiskVolume2\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx
0x000000001e30cbb0     18      1 RW-r-- \Device\HarddiskVolume2\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-Scheduled%4Operational.evtx
0x000000001e344bc0     19      1 RW-r-- \Device\HarddiskVolume2\Windows\System32\winevt\Logs\Microsoft-Windows-User Profile Service%4Operational.evtx
0x000000001e382700     18      1 RW-r-- \Device\HarddiskVolume2\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx
0x000000001e394680     19      1 RW-r-- \Device\HarddiskVolume2\Windows\System32\winevt\Logs\Microsoft-Windows-OfflineFiles%4Operational.evtx
0x000000001e39e820     18      1 RW-r-- \Device\HarddiskVolume2\Windows\System32\winevt\Logs\Microsoft-Windows-Winlogon%4Operational.evtx
0x000000001e444f20     19      1 RW-r-- \Device\HarddiskVolume2\Windows\System32\winevt\Logs\Microsoft-Windows-BranchCacheSMB%4Operational.evtx
0x000000001e5ee910      9      1 RW-r-- \Device\HarddiskVolume2\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA%4Operational.evtx
0x000000001e9d14a0     19      1 RW-r-- \Device\HarddiskVolume2\Windows\System32\winevt\Logs\Microsoft-Windows-ReadyBoost%4Operational.evtx
0x000000001eb909f0     18      1 RW-r-- \Device\HarddiskVolume2\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx
0x000000001ed0c720     19      1 RW-r-- \Device\HarddiskVolume2\Windows\System32\winevt\Logs\Microsoft-Windows-WMI-Activity%4Operational.evtx
0x000000001fc41260     17      1 RW-r-- \Device\HarddiskVolume2\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx
0x000000001fcdf9b0     18      1 RW-r-- \Device\HarddiskVolume2\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Defender%4Operational.evtx
0x000000001fd58070     16      1 RW-r-- \Device\HarddiskVolume2\Windows\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx
0x000000001fdbfda0      5      1 RW-r-- \Device\HarddiskVolume2\Windows\System32\winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx

This is the offset of the PowerShell Operational log:

0x000000001fd58070     16      1 RW-r-- \Device\HarddiskVolume2\Windows\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx

Now we use the dumpfiles plugin again:

remnux@remnux:~/ctf/memoryctf/reminiscent$ vol.py --profile=Win7SP1x64 -f flounder-pc-memdump.elf dumpfiles -Q 0x000000001fd58070 --dump-dir=/home/remnux/ctf/memoryctf/reminiscent/powershellOperationalDumpfiles/
Volatility Foundation Volatility Framework 2.6.1
DataSectionObject 0x1fd58070   None   \Device\HarddiskVolume2\Windows\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx
SharedCacheMap 0x1fd58070   None   \Device\HarddiskVolume2\Windows\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx
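Both methods follow the same filescan-then-dumpfiles pattern: grep the filescan listing for a path, copy the physical offset, and pass it to `dumpfiles -Q`. As an added example (not from the original writeup), the block below parses a constructed excerpt in the filescan layout, selects entries by a case-insensitive regex over the path, and builds the dumpfiles command line, taking care of two details that are easy to get wrong by hand: paths can contain spaces (as with the "User Profile Service" log above), and the same path can appear at several offsets (as resume.pdf.lnk did in the first method), all of which should be passed to -Q. The profile and image names are the ones used on this page; the output directory is an assumption.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed excerpt in the layout of Volatility 2 filescan output (not the full listing).
FILESCAN_SAMPLE = r"""
Volatility Foundation Volatility Framework 2.6.1
Offset(P)            #Ptr   #Hnd Access Name
------------------ ------ ------ ------ ----
0x000000001e1f6200      1      0 R--r-- \Device\HarddiskVolume2\Users\user\Desktop\resume.pdf.lnk
0x000000001e8feb70      1      1 R--rw- \Device\HarddiskVolume2\Users\user\Desktop\resume.pdf.lnk
0x000000001e344bc0     19      1 RW-r-- \Device\HarddiskVolume2\Windows\System32\winevt\Logs\Microsoft-Windows-User Profile Service%4Operational.evtx
0x000000001fd58070     16      1 RW-r-- \Device\HarddiskVolume2\Windows\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx
"""


@dataclass
class FileEntry:
    offset: int      # physical offset of the _FILE_OBJECT, which is what dumpfiles -Q expects
    ptrs: int
    handles: int
    access: str
    path: str


# Paths may contain spaces, so the name column is everything after the 6-char Access field.
LINE_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\d+)\s+(\d+)\s+(\S{6})\s+(.*\S)\s*$")


def parse_filescan(text: str) -> List[FileEntry]:
    """Parse filescan lines; the banner, header and separator do not match and are skipped."""
    entries: List[FileEntry] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            off, ptrs, hnds, access, path = m.groups()
            entries.append(FileEntry(int(off, 16), int(ptrs), int(hnds), access, path))
    return entries


def select(entries: List[FileEntry], pattern: str) -> List[FileEntry]:
    """Case-insensitive regex over the path: the scripted equivalent of grep -i."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [e for e in entries if rx.search(e.path)]


def dumpfiles_command(entries: List[FileEntry], profile: str, image: str, outdir: str) -> str:
    """Build the dumpfiles invocation; -Q takes a comma-separated list of offsets."""
    offsets = ",".join(f"0x{e.offset:016x}" for e in entries)
    return f"vol.py --profile={profile} -f {image} dumpfiles -Q {offsets} --dump-dir={outdir}"


if __name__ == "__main__":
    entries = parse_filescan(FILESCAN_SAMPLE)
    for pattern in (r"resume", r"powershell.*operational"):
        hits = select(entries, pattern)
        print(dumpfiles_command(hits, "Win7SP1x64", "flounder-pc-memdump.elf", "dumped/"))
```

With the real filescan.txt, read the file into parse_filescan and the printed command is ready to run; one entry per offset means every cached copy of the file gets dumped, not just the first grep hit.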

Now reading its content with cat reveals all the PowerShell commands executed on the system; reading through them, we can find the flag.
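Reading the dumped .evtx with cat works because the event strings inside it are stored as UTF-16LE and show up as readable text between the binary structures. A more targeted version of that step, added here as an example rather than taken from the writeup, is to carve UTF-16LE strings (what `strings -el` does) with their offsets and keep only those containing PowerShell-related substrings. It also counts all-zero 4 KiB pages, because dumpfiles can only recover the pages that were cached in memory and pads the rest with zeros, so a high count is a sign that the log on disk held more than the dump shows and that a proper evtx parser may choke on the file. The sample bytes are a constructed stand-in (the real "ElfFile" magic plus filler and a few strings), and the keyword list is an assumption.

```python
import re
from typing import List, Tuple


def build_sample() -> bytes:
    """Constructed stand-in for a dumped .evtx: the real 'ElfFile' magic, binary filler,
    UTF-16LE event strings, and one all-zero 4 KiB page standing in for a page that was
    not resident in memory when the dump was taken. Not a valid evtx file."""
    strings = [
        "ScriptBlockText",
        "iex ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($blob)))",
        "ScriptBlockId",
        "4f1c0a6e-0000-4000-8000-constructed0",
        "Path",
    ]
    out = bytearray(b"ElfFile\x00" + b"\x00" * 24)
    for s in strings:
        out += b"\x01\x01\x00\x00" + s.encode("utf-16-le") + b"\x00\x00\x00\x00"
    out += b"\x00" * (4096 - len(out) % 4096)   # pad the first page
    out += b"\x00" * 4096                        # an entirely uncached page
    return bytes(out)


def carve_utf16(data: bytes, min_len: int = 8) -> List[Tuple[int, str]]:
    """Find runs of printable ASCII stored as UTF-16LE, returning (offset, text) pairs.
    Scanning at every byte offset means alignment of the string does not matter."""
    pat = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [(m.start(), m.group(0).decode("utf-16-le")) for m in pat.finditer(data)]


# Assumed substrings that usually deserve a closer look in PowerShell script-block text.
INTERESTING = ("iex", "invoke-expression", "frombase64string", "-enc",
               "scriptblocktext", "downloadstring")


def filter_interesting(strings: List[Tuple[int, str]], keywords=INTERESTING) -> List[Tuple[int, str]]:
    return [(off, s) for off, s in strings if any(k in s.lower() for k in keywords)]


def missing_pages(data: bytes, page: int = 4096) -> int:
    """Count all-zero pages; dumpfiles zero-fills pages it could not recover from memory."""
    return sum(1 for i in range(0, len(data), page) if not any(data[i:i + page]))


if __name__ == "__main__":
    data = build_sample()
    for off, text in filter_interesting(carve_utf16(data)):
        print(f"{off:#010x}  {text}")
    print("all-zero pages:", missing_pages(data), "of", len(data) // 4096)
```

For the real dump, replace build_sample() with the bytes of the file written by dumpfiles; the hits can then be handed to a base64 decoder in the same way as the shortcut's payload in the first method.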

Flag:

HTB{$_j0G_y0uR_M3m0rY_$}
