Hi, in this walkthrough I will try to explain the investigation steps with Volatility. I won’t use any hints, so as to do this room black-box.
The reference I’m using is the Volatility GitHub wiki page
Original Publish Date: Nov 20, 2022
Case 1 — BOB! THIS ISN’T A HORSE!
Your SOC has informed you that they have gathered a memory dump from a quarantined endpoint thought to have been compromised by a banking Trojan masquerading as an Adobe document. Your job is to use your knowledge of threat intelligence and reverse engineering to perform memory forensics on the infected host.
You have been informed of a suspicious IP in connection to the file that could be helpful.
The memory file is located in
1 — What is the build version of the host machine in Case 001?
After skimming through the help page, I can see an OS-related plugin.
The answer to the first question would be the first outlined section.
2 — At what time was the memory file acquired in Case 001?
The answer is the second outlined section in the above image.
3 — What process can be considered suspicious in Case 001?
Looking at the reference, we can use “
The output we’re given looks fairly normal at the beginning. If you know the Windows core processes,
winlogon.exe etc., they are expected. One process stands out, though. If nothing stands out intuitively, you can always look them up one by one.
The answer is the bottom-right box.
4 — What is the parent process of the suspicious process in Case 001?
See the output above, top-right.
5 — What is the PID of the suspicious process in Case 001?
6 — What is the parent process PID in Case 001?
7 — What user-agent was employed by the adversary in Case 001?
Now, because we are looking for a string in the dump, we need to find the strings loaded into the process’s memory; a program cannot use a string without first loading it into memory. Looking at the reference, we can see what we are looking for right away.
Running the plugin right away throws an error. To fix that, we specify an output directory we can write into with
-o, as described in the base help page.
After running the command
./vol.py -f /Scenarios/Investigations/Investigation-1.vmem -o /tmp windows.memmap --pid 1640 --dump
and waiting for it to finish, we can see our dump.
Now we can use strings to investigate. Piping into
less, we can type
-i to make the search case-insensitive, then search for the string
Pressing n a couple of times, we can see what we are looking for.
8 — Was Chase Bank one of the suspicious bank domains found in Case 001? (Y/N)
If we are looking for a particular domain, it makes sense to search for
We constructed a regex for the domain we’re looking for, and we got our answer, which is yes.
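As an added example (not part of the room or this write-up’s own commands), here is a small Python script that does what the strings/grep steps for questions 7 and 8 do over a dumped process region: it extracts both ASCII and UTF-16LE strings (Windows keeps many strings in the wide form, which plain strings skips unless told otherwise), then pulls out any User-Agent header and checks for a list of bank domains. The sample bytes and all names are my own constructions.

```python
import re
import sys

# Constructed sample standing in for a region of a dumped process (not a real dump):
# an ASCII HTTP request followed by a UTF-16LE (wide) URL, with junk bytes around them.
SAMPLE_DUMP = (
    b"\x00\x01GET /login HTTP/1.1\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0)\r\n"
    b"\xff\xfe\x00\x00"
    + "https://www.example-bank.com/online".encode("utf-16-le")
    + b"\x00\x00\x90\x90"
)

# Runs of 4+ printable ASCII bytes, and runs of 4+ printable chars encoded as UTF-16LE.
# GNU strings only reports the wide form with -e l, so both forms are scanned here.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")
USER_AGENT = re.compile(r"User-Agent:\s*(.+)", re.IGNORECASE)


def extract_strings(data):
    """Return the printable ASCII and UTF-16LE strings found in raw bytes."""
    ascii_hits = [m.group().decode("ascii") for m in ASCII_RUN.finditer(data)]
    wide_hits = [m.group().decode("utf-16-le") for m in WIDE_RUN.finditer(data)]
    return ascii_hits + wide_hits


def find_user_agents(strings):
    """Return the value of every User-Agent header present in the strings."""
    hits = []
    for s in strings:
        m = USER_AGENT.search(s)
        if m:
            hits.append(m.group(1).strip())
    return hits


def find_bank_domains(strings, domains):
    """Return the subset of `domains` that occur as a host or as a subdomain of it."""
    hits = set()
    for domain in domains:
        # Escape the dot so "chase.com" cannot match "chaseXcom", allow subdomains in
        # front, and require a boundary after it so "chase.community" does not match.
        pat = re.compile(r"(?:^|[^a-z0-9.-])(?:[a-z0-9-]+\.)*" + re.escape(domain)
                         + r"(?![a-z0-9-])", re.IGNORECASE)
        if any(pat.search(s) for s in strings):
            hits.add(domain)
    return sorted(hits)


def scan_dump(data, domains):
    strings = extract_strings(data)
    return {"user_agents": find_user_agents(strings),
            "bank_domains": find_bank_domains(strings, domains)}


if __name__ == "__main__":
    # Usage: python scan.py <dumped-memory-file> chase.com other-bank.example
    with open(sys.argv[1], "rb") as fh:
        print(scan_dump(fh.read(), sys.argv[2:]))
```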
Case 2 — That Kind of Hurt my Feelings
You have been informed that your corporation has been hit with a chain of ransomware that has been hitting corporations internationally. Your team has already retrieved the decryption key and recovered from the attack. Still, your job is to perform post-incident analysis and identify what actors were at play and what occurred on your systems. You have been provided with a raw memory dump from your team to begin your analysis.
The memory file is located in
9 — What suspicious process is running at PID 740 in Case 002?
Running pstree again, we can see something that really stands out.
Answer is highlighted above.
10 — What is the full path of the suspicious binary in PID 740 in Case 002?
As you can see, there’s no path in
Searching for the keyword “path” in the reference page, we reach the plugin
To filter the results, we should pipe the output to
grep, because we’re looking for a specific
We found our answer quickly.
11 — What is the parent process of PID 740 in Case 002?
Look at the pstree output from before. It would be
12 — What is the suspicious parent process PID connected to the decryptor in Case 002?
The question is referring to the PID of
tasksche.exe, which is
13 — From our current information, what malware is present on the system in Case 002?
If it’s not already obvious that we are dealing with
wannacry here, you can search for
wannadecryptor, which will give the result anyway.
14 — What DLL is loaded by the decryptor used for socket creation in Case 002?
Nothing was conspicuous, so I basically searched every DLL from the output above :) and found out that the answer is
15 — What mutex can be found that is a known indicator of the malware in question in Case 002?
You should know the drill by now :) search for the keyword, find which plugin to use, look up the help page for that plugin.
Using the same PID, we can’t see anything that stands out.
Our second option would be to search for parent PID
To filter the results by PID only, I’m using the Perl regex flag with the PID
We found our answer:
16 — What plugin could be used to identify all files loaded from the malware working directory in Case 002?
The last question is a simple one. From the reference, it’s
That was it! Hope it was clear, thank you for reading.