Hack4S3cur1ty
[OTTERCTF][Memory Forensics] 7 - Hide And Seek
The machine is infected with malware and we need the name of its process, so checking with pstree shows a suspicious process running.
```
>vol.py -f OtterCTF.vmem --profile=Win7SP1x64 pstree
Volatility Foundation Volatility Framework 2.6
Name                                                  Pid   PPid   Thds   Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
 0xfffffa801b27e060:explorer.exe                    2728   2696     33    854 2018-08-04 19:27:04 UTC+0000
. 0xfffffa801b486b30:Rick And Morty                 3820   2728      4    185 2018-08-04 19:32:55 UTC+0000
.. 0xfffffa801a4c5b30:vmware-tray.ex                3720   3820      8    147 2018-08-04 19:33:02 UTC+0000
```
I extracted the relevant files with filescan and dumpfiles.
```
>vol.py -f OtterCTF.vmem --profile=Win7SP1x64 filescan
Volatility Foundation Volatility Framework 2.6
Offset(P)            #Ptr   #Hnd Access Name
------------------ ------ ------ ------ ----
0x000000007d8813c0      2      0 RW-rwd \Device\HarddiskVolume1\Users\Rick\Downloads\Rick And Morty season 1 download.exe.torrent
0x000000007d63dbc0     10      0 R--r-d \Device\HarddiskVolume1\Torrents\Rick And Morty season 1 download.exe
0x000000007daad840     16      0 -W-r-- \Device\HarddiskVolume1\Users\Rick\AppData\Local\Temp\RarSFX0\vmware-tray.exe
0x000000007dc6cf20     13      0 R--r-d \Device\HarddiskVolume1\Users\Rick\AppData\Local\Temp\RarSFX0\vmware-tray.exe

>vol.py -f OtterCTF.vmem --profile=Win7SP1x64 dumpfiles -Q 0x000000007d8813c0 -D ./res
Volatility Foundation Volatility Framework 2.6
DataSectionObject 0x7d8813c0   None   \Device\HarddiskVolume1\Users\Rick\Downloads\Rick And Morty season 1 download.exe.torrent

>vol.py -f OtterCTF.vmem --profile=Win7SP1x64 dumpfiles -Q 0x000000007d63dbc0 -D ./res
Volatility Foundation Volatility Framework 2.6
ImageSectionObject 0x7d63dbc0   None   \Device\HarddiskVolume1\Torrents\Rick And Morty season 1 download.exe
DataSectionObject 0x7d63dbc0   None   \Device\HarddiskVolume1\Torrents\Rick And Morty season 1 download.exe

>vol.py -f OtterCTF.vmem --profile=Win7SP1x64 dumpfiles -Q 0x000000007daad840 -D ./res
Volatility Foundation Volatility Framework 2.6
ImageSectionObject 0x7daad840   None   \Device\HarddiskVolume1\Users\Rick\AppData\Local\Temp\RarSFX0\vmware-tray.exe
DataSectionObject 0x7daad840   None   \Device\HarddiskVolume1\Users\Rick\AppData\Local\Temp\RarSFX0\vmware-tray.exe

>vol.py -f OtterCTF.vmem --profile=Win7SP1x64 dumpfiles -Q 0x000000007dc6cf20 -D ./res
Volatility Foundation Volatility Framework 2.6
ImageSectionObject 0x7dc6cf20   None   \Device\HarddiskVolume1\Users\Rick\AppData\Local\Temp\RarSFX0\vmware-tray.exe
DataSectionObject 0x7dc6cf20   None   \Device\HarddiskVolume1\Users\Rick\AppData\Local\Temp\RarSFX0\vmware-tray.exe
```
Rick And Morty season 1 download.exe is an SFX archive: it drops vmware-tray.exe and then runs it.
Uploading vmware-tray.exe to VirusTotal, it is detected as malicious.
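The manual triage above (spot the odd parent/child chain in pstree, then find the matching files in filescan and dump them) can be scripted. The following is an added example, not part of the original writeup or of Volatility: it parses the Volatility 2 pstree and filescan text shown above (embedded here as constructed sample input), rebuilds each process's ancestry, maps the pstree names back to on-disk .exe paths (pstree names come from the EPROCESS ImageFileName field and can be truncated, so the match is by prefix), flags images running from a user Temp directory or a download location, and emits the dumpfiles commands for the flagged offsets. The image name, profile and output directory default to the values used in the walkthrough; everything else is an assumption of this example.

```python
"""Triage helper for Volatility 2 pstree/filescan output (added example)."""
import re

# Constructed sample input: the pstree rows from the walkthrough above.
PSTREE_SAMPLE = """
Name                                                  Pid   PPid   Thds   Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
 0xfffffa801b27e060:explorer.exe                    2728   2696     33    854 2018-08-04 19:27:04 UTC+0000
. 0xfffffa801b486b30:Rick And Morty                 3820   2728      4    185 2018-08-04 19:32:55 UTC+0000
.. 0xfffffa801a4c5b30:vmware-tray.ex                3720   3820      8    147 2018-08-04 19:33:02 UTC+0000
"""

# Constructed sample input: the filescan rows from the walkthrough above.
FILESCAN_SAMPLE = r"""
Offset(P)            #Ptr   #Hnd Access Name
------------------ ------ ------ ------ ----
0x000000007d8813c0      2      0 RW-rwd \Device\HarddiskVolume1\Users\Rick\Downloads\Rick And Morty season 1 download.exe.torrent
0x000000007d63dbc0     10      0 R--r-d \Device\HarddiskVolume1\Torrents\Rick And Morty season 1 download.exe
0x000000007daad840     16      0 -W-r-- \Device\HarddiskVolume1\Users\Rick\AppData\Local\Temp\RarSFX0\vmware-tray.exe
0x000000007dc6cf20     13      0 R--r-d \Device\HarddiskVolume1\Users\Rick\AppData\Local\Temp\RarSFX0\vmware-tray.exe
"""

# One pstree row: dots for depth, offset:name, Pid, PPid, Thds, Hnds, timestamp.
# The name is non-greedy because it may contain spaces ("Rick And Morty").
PSTREE_RE = re.compile(
    r"^(?P<depth>\.*)\s*0x[0-9a-fA-F]+:(?P<name>.+?)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)"
    r"\s+\d+\s+\d+\s+(?P<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \S+)\s*$"
)
# One filescan row: physical offset, #Ptr, #Hnd, access flags, NT path.
FILESCAN_RE = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+\d+\s+\d+\s+(?P<access>\S+)\s+(?P<path>\\.+?)\s*$"
)
# Heuristics for where a dropped/downloaded binary tends to live (assumptions).
USER_TEMP_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
DOWNLOAD_RE = re.compile(r"\\(Downloads|Torrents)\\", re.IGNORECASE)


def parse_pstree(text):
    """Return {pid: {"name", "ppid", "time"}} from pstree output."""
    procs = {}
    for line in text.splitlines():
        m = PSTREE_RE.match(line)
        if m:
            procs[int(m["pid"])] = {"name": m["name"].strip(),
                                    "ppid": int(m["ppid"]), "time": m["time"]}
    return procs


def parse_filescan(text):
    """Return a list of {"offset", "access", "path"} from filescan output."""
    return [m.groupdict() for m in map(FILESCAN_RE.match, text.splitlines()) if m]


def ancestry(procs, pid):
    """Names from the outermost known ancestor down to pid (cycle-safe)."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid]["name"])
        pid = procs[pid]["ppid"]
    return list(reversed(chain))


def resolve_image_paths(name, files):
    """Map a (possibly truncated) pstree name to .exe paths seen by filescan."""
    hits = set()
    for f in files:
        base = f["path"].rsplit("\\", 1)[-1].lower()
        if base.endswith(".exe") and base.startswith(name.lower()):
            hits.add(f["path"])
    return sorted(hits)


def triage(pstree_text, filescan_text):
    """Flag processes whose on-disk image sits in a Temp or download location."""
    procs, files = parse_pstree(pstree_text), parse_filescan(filescan_text)
    findings = []
    for pid, p in sorted(procs.items()):
        paths, reasons = resolve_image_paths(p["name"], files), []
        if any(USER_TEMP_RE.search(x) for x in paths):
            reasons.append("image runs from a user Temp directory (typical SFX drop location)")
        if any(DOWNLOAD_RE.search(x) for x in paths):
            reasons.append("image runs from a download location")
        if reasons:
            findings.append({"pid": pid, "name": p["name"], "chain": ancestry(procs, pid),
                             "paths": paths, "reasons": reasons})
    return findings


def dumpfiles_commands(findings, files, image="OtterCTF.vmem",
                       profile="Win7SP1x64", outdir="./res"):
    """Build one dumpfiles invocation per filescan offset behind a flagged image."""
    wanted = {x for f in findings for x in f["paths"]}
    return [f"vol.py -f {image} --profile={profile} dumpfiles -Q {f['offset']} -D {outdir}"
            for f in files if f["path"] in wanted]


if __name__ == "__main__":
    found = triage(PSTREE_SAMPLE, FILESCAN_SAMPLE)
    for f in found:
        print(f"PID {f['pid']} {' -> '.join(f['chain'])}")
        for r in f["reasons"]:
            print("   ", r)
    print("\n".join(dumpfiles_commands(found, parse_filescan(FILESCAN_SAMPLE))))
```

On the sample data this reports two chains, explorer.exe -> Rick And Morty (image in \Torrents) and explorer.exe -> Rick And Morty -> vmware-tray.ex (image in \Temp\RarSFX0), and prints the three dumpfiles commands for the corresponding offsets; the prefix match is what ties the truncated "vmware-tray.ex" back to vmware-tray.exe on disk.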