TryHackMe: Volatility Walkthrough (2022) (Only Investigations)

Onur Alp Akin
6 min read · Apr 13, 2023

Check out the Volatility room on TryHackMe

Hi, in this walkthrough I will try to explain the investigation steps with Volatility. I won’t use any hints, so that I approach the room as a black box.

The reference I’m using is the Volatility GitHub wiki page.

Original Publish Date: Nov 20, 2022

Case 1 — BOB! THIS ISN’T A HORSE!

Your SOC has informed you that they have gathered a memory dump from a quarantined endpoint thought to have been compromised by a banking Trojan masquerading as an Adobe document. Your job is to use your knowledge of threat intelligence and reverse engineering to perform memory forensics on the infected host.

You have been informed of a suspicious IP in connection to the file that could be helpful. 41.168.5.140

The memory file is located in /Scenarios/Investigations/Investigation-1.vmem

1 — What is the build version of the host machine in Case 001?

After skimming through the help page, I can see an OS-related plugin (windows.info).

[Screenshots: help page; windows.info plugin output]

The answer to the first question would be the first outlined section.

2 — At what time was the memory file acquired in Case 001?

The answer is the second outlined section in the above image.

3 — What process can be considered suspicious in Case 001?

Looking at the reference, we can use the “pstree” plugin.

The output we’re given looks fairly normal at the beginning. If you know the Windows core processes (smss.exe, winlogon.exe, etc.), they are expected, and one process stands out. If nothing stands out intuitively, you can always look the names up one by one.

[Screenshot: pstree output]

The answer is in the bottom-right box.

4 — What is the parent process of the suspicious process in Case 001?

In the output above, top-right.

5 — What is the PID of the suspicious process in Case 001?

Bottom-left :)

6 — What is the parent process PID in Case 001?

Lastly, top-left.

7 — What user-agent was employed by the adversary in Case 001?

Now, because we are looking for a string in a dump, we need to find the strings loaded into memory: the program in question has to load a string before it can use it, so the user-agent should be present in the process’s memory. Looking at the reference, we can see the plugin we need right away.

[Screenshots: reference page; plugin to use; help page]

Running the plugin right away throws an error. To fix that, we can specify an output directory we can write to with -o, as described in the base help page.

[Screenshot: error output]

After running the command

./vol.py -f /Scenarios/Investigations/Investigation-1.vmem -o /tmp windows.memmap --pid 1640 --dump

and waiting for it to finish, we can see our dump.

Now we can use strings to investigate.

Inside less, we can type -i to make searches case-insensitive, then search for the string user-agent.

Hitting n a couple of times, we can see what we are looking for.

8 — Was Chase Bank one of the suspicious bank domains found in Case 001? (Y/N)

If we are looking for a particular domain, it makes sense to search for http.

I constructed a regex for the domain we’re looking for, and we got ourselves the answer, which is yes.
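The strings-and-grep step from questions 7 and 8, as an added example that is not part of the original write-up: a small Python script that does what strings(1) plus a case-insensitive search in less does, then applies a domain regex to the http(s) URLs it finds. The byte blob is a constructed stand-in for the memmap dump file (the user-agent and URLs in it are made up for illustration), and the domain regex is my own, since the post does not show the author’s; pass a real dump path on the command line to run it against the Investigation-1 output.

```python
import re
import sys

# Constructed stand-in for a memmap dump: binary padding around a few ASCII strings.
SAMPLE_DUMP = (
    b"\x00\x01\x02MZ\x90\x00"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)\x00"
    b"\xff\xfe\x00\x00"
    b"https://www.chase.com/online/login\x00"   # constructed URL
    b"\x00\x00ab\x00"                            # too short to count as a string
    b"http://example-bank.test/account\x00"      # constructed URL
)

MIN_LEN = 4  # same default minimum length as the strings(1) utility


def extract_strings(blob, min_len=MIN_LEN):
    """Return runs of printable ASCII of at least min_len bytes, like `strings`."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def find_user_agents(blob):
    """Case-insensitive search for User-Agent headers, like `-i` then `/user-agent` in less."""
    return [s for s in extract_strings(blob) if re.search(r"user-agent", s, re.I)]


def find_urls(blob):
    """Every string that carries an http(s) URL, the equivalent of searching for `http`."""
    return [s for s in extract_strings(blob) if re.search(r"https?://", s, re.I)]


def domain_seen(blob, domain_regex):
    """True if any http(s) URL in the dump has a host that matches domain_regex.

    The host part is anchored so that `chase\\.com` does not match, say,
    `notchase.com` or `chase.com.evil.test`.
    """
    pat = re.compile(r"https?://(?:[^/]*\.)?(?:%s)(?:[/:]|$)" % domain_regex, re.I)
    return any(pat.search(u) for u in find_urls(blob))


def main(argv):
    if len(argv) != 2:
        print(f"usage: {argv[0]} <memmap-dump-file>")
        return 1
    with open(argv[1], "rb") as fh:
        blob = fh.read()
    for ua in find_user_agents(blob):
        print("user-agent:", ua)
    for url in find_urls(blob):
        print("url:", url)
    print("chase.com seen:", domain_seen(blob, r"chase\.com"))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Reading a multi-gigabyte dump into memory at once is fine for a lab image; for a large production dump, iterate over the file in chunks with an overlap of MIN_LEN bytes so strings that straddle a chunk boundary are not lost.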

Case 2 — That Kind of Hurt my Feelings

You have been informed that your corporation has been hit with a chain of ransomware that has been hitting corporations internationally. Your team has already retrieved the decryption key and recovered from the attack. Still, your job is to perform post-incident analysis and identify what actors were at play and what occurred on your systems. You have been provided with a raw memory dump from your team to begin your analysis.

The memory file is located in /Scenarios/Investigations/Investigation-2.raw

9 — What suspicious process is running at PID 740 in Case 002?

Using pstree again, we can see something that really stands out.

Answer is highlighted above.

10 — What is the full path of the suspicious binary in PID 740 in Case 002?

As you can see, there’s no path in pstree.

Searching for the keyword “path” in the reference page, we reach the dlllist plugin.

To filter the results, we should pipe the output to grep, because we’re looking for a specific PID.

[Screenshot: dlllist output piped to grep]

We found our answer quickly.

11 — What is the parent process of PID 740 in Case 002?

From the pstree output above, it would be tasksche.exe.

12 — What is the suspicious parent process PID connected to the decryptor in Case 002?

The question is referring to the PID of tasksche.exe, which is 1940.
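Reading parent/child relationships off pstree (questions 3 to 6 and 9 to 12), as an added example that is not part of the original write-up: a parser for output in the shape Volatility 3’s windows.pstree prints, where the PID column carries one `*` per level of depth, plus a lookup of a process’s parent and ancestry and a “what is not a well-known core process” filter that automates the look-them-up-one-by-one step. The sample rows are constructed; only PIDs 1940 and 740 and tasksche.exe come from the post, and the decryptor’s file name is a stand-in.

```python
import re
from dataclasses import dataclass

# Constructed excerpt in the shape of `windows.pstree` output. PIDs 1940/740 and
# tasksche.exe come from the write-up; every other row is a stand-in for illustration.
PSTREE_SAMPLE = """\
Volatility 3 Framework (constructed sample)
PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId\tWow64\tCreateTime\tExitTime

4\t0\tSystem\t0x823c8830\t55\t258\tN/A\tFalse\tN/A\tN/A
* 368\t4\tsmss.exe\t0x82169020\t3\t19\tN/A\tFalse\t...\tN/A
** 584\t368\tcsrss.exe\t...
** 608\t368\twinlogon.exe\t...
*** 652\t608\tservices.exe\t...
**** 1024\t652\tsvchost.exe\t...
*** 664\t608\tlsass.exe\t...
1636\t1600\texplorer.exe\t...
* 1940\t1636\ttasksche.exe\t...
** 740\t1940\t@WanaDecryptor@.exe\t...
"""


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    depth: int  # number of leading asterisks in the pstree row


# Leading asterisks, optional space, PID, PPID and image name (tab separated).
ROW = re.compile(r"^(\**)\s*(\d+)\t(\d+)\t([^\t]+)")


def parse_pstree(text):
    """Map PID -> Proc for every tree row; banner, header and blank lines are skipped."""
    procs = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            stars, pid, ppid, name = m.groups()
            procs[int(pid)] = Proc(int(pid), int(ppid), name, len(stars))
    return procs


def parent_of(procs, pid):
    """The parent Proc, or None if the parent is not in the dump (e.g. it already exited)."""
    p = procs.get(pid)
    return procs.get(p.ppid) if p else None


def ancestry(procs, pid):
    """Names from the process up to the root, or up to the first missing parent."""
    chain = []
    cur = procs.get(pid)
    while cur:
        chain.append(f"{cur.name} ({cur.pid})")
        cur = procs.get(cur.ppid)
    return chain


# Well-known Windows core process names; anything else deserves a closer look.
KNOWN_CORE = {
    "System", "smss.exe", "csrss.exe", "winlogon.exe", "wininit.exe",
    "services.exe", "lsass.exe", "svchost.exe", "explorer.exe", "lsm.exe", "spoolsv.exe",
}


def unfamiliar(procs):
    """Processes whose image name is not in the core set: the ones to search one by one."""
    return [p for p in procs.values() if p.name not in KNOWN_CORE]


if __name__ == "__main__":
    tree = parse_pstree(PSTREE_SAMPLE)
    for p in unfamiliar(tree):
        print("unfamiliar:", " <- ".join(ancestry(tree, p.pid)))
```

To use it on the real room output, redirect `./vol.py -f <dump> windows.pstree` to a file and pass its contents to parse_pstree; a name-based filter like unfamiliar is a first pass only, since malware often reuses core names, so the parent chain still has to be checked.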

13 — From our current information, what malware is present on the system in Case 002?

If it’s not clear enough already that we are dealing with WannaCry here, you can search for wannadecryptor, which will give you the result anyway.

14 — What DLL is loaded by the decryptor used for socket creation in Case 002?

Nothing was conspicuous, so I basically looked up every DLL from the output above :) and found that the answer is WS2_32.dll.

15 — What mutex can be found that is a known indicator of the malware in question in Case 002?

You should know the drill by now :) search for the keyword, find which plugin to use, and look up the help page for the plugin.

Using the same PID, we can’t see anything standing out.

Our second option is to search by the parent PID.

To filter the results to only that PID, I’m using grep’s Perl-regex flag with the PID.

We found our answer: MsWinZonesCacheCounterMutexA
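The grep-by-PID filtering used for questions 10, 14 and 15, as an added example that is not part of the original write-up. It parses the tab-separated table that Volatility 3 plugins print and compares the PID column as a number, which is what the Perl-regex anchoring in the post achieves and what a bare `grep 740` does not (it would also match PID 17400). The dlllist excerpt and the handles excerpt are constructed; only PIDs 740/1940, WS2_32.dll and the mutex name come from the post, the binary path is a placeholder, and the assumption that the mutex was found with windows.handles is mine, since the post does not name the plugin.

```python
# Constructed excerpt in the shape of `windows.dlllist` output (tab separated).
# Paths are placeholders; PID 17400 is included to show the substring-match trap.
DLLLIST_SAMPLE = "\n".join([
    "Volatility 3 Framework (constructed sample)",
    "PID\tProcess\tBase\tSize\tName\tPath\tLoadTime\tFile output",
    "",
    "1940\ttasksche.exe\t0x400000\t0x57000\ttasksche.exe\tC:\\PLACEHOLDER_DIR\\tasksche.exe\tN/A\tDisabled",
    "1940\ttasksche.exe\t0x7c900000\t0xb2000\tntdll.dll\tC:\\WINDOWS\\system32\\ntdll.dll\tN/A\tDisabled",
    "740\t@WanaDecryptor@.exe\t0x400000\t0x3e000\t@WanaDecryptor@.exe\tC:\\PLACEHOLDER_DIR\\@WanaDecryptor@.exe\tN/A\tDisabled",
    "740\t@WanaDecryptor@.exe\t0x7c900000\t0xb2000\tntdll.dll\tC:\\WINDOWS\\system32\\ntdll.dll\tN/A\tDisabled",
    "740\t@WanaDecryptor@.exe\t0x71ab0000\t0x17000\tWS2_32.dll\tC:\\WINDOWS\\system32\\WS2_32.dll\tN/A\tDisabled",
    "17400\tnotepad.exe\t0x1000000\t0x20000\tnotepad.exe\tC:\\WINDOWS\\system32\\notepad.exe\tN/A\tDisabled",
])

# Constructed excerpt in the shape of `windows.handles` output (assumed plugin).
HANDLES_SAMPLE = "\n".join([
    "Volatility 3 Framework (constructed sample)",
    "PID\tProcess\tOffset\tHandleValue\tType\tGrantedAccess\tName",
    "",
    "1940\ttasksche.exe\t0x8a1b2c3d\t0x4\tFile\t0x100020\t\\Device\\HarddiskVolume1\\WINDOWS",
    "1940\ttasksche.exe\t0x8a1b2c4e\t0x8\tMutant\t0x1f0001\tMsWinZonesCacheCounterMutexA",
    "1940\ttasksche.exe\t0x8a1b2c5f\t0xc\tKey\t0x20019\tMACHINE\\SOFTWARE",
    "740\t@WanaDecryptor@.exe\t0x8a1b2d00\t0x4\tMutant\t0x1f0001\tShimCacheMutex",
])


def parse_rows(text):
    """Turn plugin output into dicts keyed by the header names; skip banner and blank lines."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = next(line for line in lines if line.startswith("PID\t")).split("\t")
    rows = []
    for line in lines:
        if not line[0].isdigit():      # banner and header lines do not start with a PID
            continue
        rows.append(dict(zip(header, line.split("\t"))))
    return rows


def rows_for_pid(text, pid):
    """Rows whose PID column equals pid exactly; a plain `grep 740` would also hit 17400."""
    return [r for r in parse_rows(text) if int(r["PID"]) == pid]


def binary_path(dlllist_text, pid):
    """Full path of the process image: the first dlllist entry is the executable itself."""
    rows = rows_for_pid(dlllist_text, pid)
    return rows[0]["Path"] if rows else None


def loaded_dlls(dlllist_text, pid):
    """Module names loaded in the process, for checks such as 'is WS2_32.dll present'."""
    return [r["Name"] for r in rows_for_pid(dlllist_text, pid)]


def mutants(handles_text, pid):
    """Names of Mutant handles held by the process; known malware mutexes show up here."""
    return [r["Name"] for r in rows_for_pid(handles_text, pid) if r["Type"] == "Mutant"]


if __name__ == "__main__":
    print("path:", binary_path(DLLLIST_SAMPLE, 740))
    print("socket DLL loaded:", "WS2_32.dll" in loaded_dlls(DLLLIST_SAMPLE, 740))
    print("mutexes of parent:", mutants(HANDLES_SAMPLE, 1940))
```

Feed the functions the saved output of `./vol.py -f <dump> windows.dlllist` and `windows.handles` (plain text, not the `-r pretty` rendering, which adds column padding).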

16 — What plugin could be used to identify all files loaded from the malware working directory in Case 002?

The last question is a simple one. From the reference, it’s windows.filescan.

That was it! Hope it was clear, thank you for reading.
