Skip to main content

Command & Control - level 3

  • Description: Berthier, the antivirus software didn't find anything. It's up to you now. Try to find the malware in the memory dump. The validation flag is the md5 checksum of the full path of the executable.
  • Difficulty: Medium

🔎 Solution

To identify potentially malicious processes, we first examined the system's process tree using pstree. This visualization helps reveal abnormal parent-child relationships between processes. Notably, we observed that the process iexplore.exe (PID 2772) had spawned a child process: cmd.exe.

┌──(kali㉿kali)-[~/Desktop]
└─$ ./vol2/volatility2 -f ch2.dmp --profile=Win7SP0x86 pstree    
...
0x87978b78:System                                      4      0    103   3257 2013-01-12 16:38:09 UTC+0000
. 0x88c3ed40:smss.exe                                 308      4      2     29 2013-01-12 16:38:09 UTC+0000
 0x87ac6030:explorer.exe                             2548   2484     24    766 2013-01-12 16:40:27 UTC+0000
. 0x87b6b030:iexplore.exe                            2772   2548      2     74 2013-01-12 16:40:34 UTC+0000
.. 0x89898030:cmd.exe                                1616   2772      2    101 2013-01-12 16:55:49 UTC+0000
. 0x95495c18:taskmgr.exe                             1232   2548      6    116 2013-01-12 16:42:29 UTC+0000
. 0x87bf7030:cmd.exe                                 3152   2548      1     23 2013-01-12 16:44:50 UTC+0000
.. 0x87cbfd40:winpmem-1.3.1.                         3144   3152      1     23 2013-01-12 16:59:17 UTC+0000
. 0x898fe8c0:StikyNot.exe                            2744   2548      8    135 2013-01-12 16:40:32 UTC+0000
. 0x87b784b0:AvastUI.exe                             2720   2548     14    220 2013-01-12 16:40:31 UTC+0000
. 0x87b82438:VMwareTray.exe                          2660   2548      5     80 2013-01-12 16:40:29 UTC+0000
. 0x87c6a2a0:swriter.exe                             3452   2548      1     19 2013-01-12 16:41:01 UTC+0000
.. 0x87ba4030:soffice.exe                            3512   3452      1     28 2013-01-12 16:41:03 UTC+0000
... 0x87b8ca58:soffice.bin                           3564   3512     12    400 2013-01-12 16:41:05 UTC+0000                            3556   3544      0 ------ 2013-01-12 16:41:05 UTC+0000

This behavior is suspicious - iexplore.exe is a legitimate web browser, and it typically should not be launching command-line interfaces. Such an anomaly strongly suggests this process may be involved in malicious activity.

Next, we utilized the cmdline plugin, which retrieves the full command-line arguments used to launch each process. This allowed us to extract the complete file path associated with the suspicious process.

┌──(kali㉿kali)-[~/Desktop]
└─$ ./vol2/volatility2 -f ch2.dmp --profile=Win7SP0x86 cmdline -p 2772
Volatility Foundation Volatility Framework 2.6
************************************************************************
iexplore.exe pid:   2772
Command line : "C:\Users\John Doe\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\iexplore.exe"

Finally, we calculated the MD5 hash of the path and complete the challenge.

┌──(kali㉿kali)-[~/Desktop]
└─$ echo -n -E "C:\Users\John Doe\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\iexplore.exe" | md5sum 
49979149632639432397b3a1df8cb43d  -

🚩Flag

49979149632639432397b3a1df8cb43d