After downloading the victim.zip file and verifying it’s hash via powershell we are ready to get started!
Question 2 – What is the OS of this Dump?
For this question we can try to determine the profile of the memory dump using the imageinfo command from volatility. Looking at this output we can see this is most likely an image from a Windows 7 computer (Win7SP1x64). The answer to this question will be ‘windows’
Question 3 – What is the PID of SearchIndexer?
We can use the pslist command to find this out. Remember to specify your profile now that you have determined it from the first task. The answer to this question we can find by looking down the list. In this case the PID is 2180.
Question 4 – What is the last directory accessed by the user?
This question requires a bit more digging than the first two but luckily there is a hint given, ‘Why don’t you search a bag full of shells in you backyard?’ This is obviously referring to the ‘shellbags’ command, so lets try running that. There is probably a good way to sort these results but I just ended up scrolling through the “Access Date” column to find the most recent date. We can see that the Z:\logs\deleted_files was the most recently accessed folder with an access date of 2019-04-27 10:38:24 UTC. The answer to this question will be “deleted_files”.
Digging a little more…
Question 5 – There are many suspcious open port, which is it ?(sic) and Question 6 – Vads tag and execute protection are strong indicators of malicious processes, can you find which are they?
Running the netscan command will show us the network activity at the time of the image capture. The first entry here caught my eye as unusual but without any evidence to back it up I had to ‘dig a little more’ as the title suggested.
Jumping ahead to the next question I ran the malfind command and got the following: 3 malicious processes; explorer, svchost and wmpnetwk.
This answers question six, the Process ID (PIDs) being 1860;1820;2464.
Going back to question 5 my suspicion was confirmed and wmpnetwk seems to be suspicious. The answer here being udp:5005 (procotol:port).
Task 3 IOC Saga asks us to find some IOC’s from the malicious processes identified in Task 2. First let’s go ahead and use procdump to extract a copy of each process.
Next we will upload each file to Virustotal to check. It seems that PID 1820 (svchost) is OK after all. The other two files, explorer(PID-1860) and wmpnetwk(PID-2464) were detected though.
Let’s go a step further here and also execute the ‘memdump’ command for further analysis of these files.
Once we’ve got the 3 dump files we’ll use a combination of strings and grep to look through these files to find our IOC’s. (Sorry Powershell, I really tried to make it work with “Select-String” but I found it much easier to use the Linux tools here.)
Question 7 We’ll have to use the hint as the given string matches a few results here. The hint was “This site is a little naughty.” Our answer for this question will be http://www.goporn.ru.
Question 8 I tried to filter the results a bit better and discovered that grep accepts regex which means less piping to more grep commands! For this question the answer will be http://www.ikaka.com
We’ll repeat the same command for the next set of questions.
Question 9 – http://www.icasalabs.com
Question 10 – 18.104.22.168
Question 11 – 22.214.171.124
Question 12 – 126.96.36.199
For the last question we need to find a unique environment variable for the suspicious process with the PID of 2464. We can use the ‘envars’ command for this. To make it easier to read we’ll also add a filter to only show the particular PID we want to look at.
Nothing jumped out at me straight away as suspicious so I reran the envars command again on the other previously identified processes. The unique one now revealed itself as the answer to the last question: OANOCACHE.
That’s it for this room. Hopefully this writeup was useful to you, I learned a few things about how to best search for the evidence from your artifacts using grep and regex!
One thought on “TryHackMe – Forensics Room”