NintendoHunt
(Write-up)
This is more like a guide to obtaining the answers than an answer key. I believe this way is more appropriate for the learning journey.
Overview
You have been hired as a digital forensics investigator to investigate a potential security breach at a company. The company has recently noticed unusual network activity and suspects that there may be a malicious process running on one of their computers. Your task is to identify the malicious process and gather information about its activity.
Supportive Tools
Choosing an Appropriate Profile for Volatility
I spent a long time working out which profile Volatility needs, because it won't run without one. I tried the imageinfo plugin, but that took forever. After a bit of googling I found that the kdbgscan plugin produces the same result (some say it is more accurate). It returned seven Windows profiles; I tried them all and found Win10x64_17134 to be the most stable.
Questions
1 - What is the process ID of the currently running malicious process?
PID 8560 (svchost.exe). Normally svchost.exe is a child of services.exe; this instance, however, was parented by explorer.exe, which is unusual.
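The parent-process check above generalises to a small table of expected parents. The following is an added example, not code from the write-up: the expected-parent table is an assumed subset of well-known Windows relationships, and the process list is constructed to mirror the write-up's finding (PID 8560 svchost.exe under explorer.exe) rather than the real pslist output of the challenge image.

```python
"""Flag processes whose parent is not the one Windows normally uses.

Added example, not from the write-up. EXPECTED_PARENT is an assumed,
hand-picked subset of core Windows process relationships; SAMPLE_PROCS is
a constructed (pid, ppid, name) listing, not the challenge's pslist output.
"""
from dataclasses import dataclass

# Assumption: a typical Windows 10 process layout (not taken from the page).
EXPECTED_PARENT = {
    "svchost.exe": {"services.exe"},
    "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"},
    "csrss.exe": {"smss.exe"},
    "winlogon.exe": {"smss.exe"},
    "taskhostw.exe": {"svchost.exe"},
}


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str


def find_parent_anomalies(procs):
    """Return (pid, name, parent_name) for every process with an unexpected parent.

    A parent that is no longer in the list (e.g. smss.exe, which exits after
    spawning csrss.exe) is reported as "<unknown/exited>" so the analyst can
    decide whether that is benign.
    """
    by_pid = {p.pid: p for p in procs}
    anomalies = []
    for p in procs:
        expected = EXPECTED_PARENT.get(p.name.lower())
        if not expected:
            continue
        parent = by_pid.get(p.ppid)
        parent_name = parent.name if parent else "<unknown/exited>"
        if parent_name.lower() not in expected:
            anomalies.append((p.pid, p.name, parent_name))
    return anomalies


# Constructed sample shaped like a pslist-style listing.
SAMPLE_PROCS = [
    Proc(4, 0, "System"),
    Proc(348, 4, "smss.exe"),
    Proc(460, 348, "csrss.exe"),
    Proc(536, 348, "wininit.exe"),
    Proc(640, 536, "services.exe"),
    Proc(660, 536, "lsass.exe"),
    Proc(800, 640, "svchost.exe"),
    Proc(3420, 3380, "explorer.exe"),
    Proc(8560, 3420, "svchost.exe"),  # the write-up's suspicious process
]

if __name__ == "__main__":
    for pid, name, parent in find_parent_anomalies(SAMPLE_PROCS):
        print(f"PID {pid} {name}: unexpected parent {parent}")
```

Run it against a real image by filling the list from `pslist` or `pstree` output; the only hit on the constructed data is the svchost.exe instance whose parent is explorer.exe.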
2 - What is the md5 hash hidden in the malicious process memory?
I dumped the memory of process 8560. Then I ran `strings -n 32 8560.dmp` to print only strings of at least 32 characters (the length of an MD5 hex digest), skimmed through the output and noticed
t.h.e. fl.ag.is. M2ExOTY5N2YyOTA5NWJjMjg5YTk2ZTQ1MDQ2Nzk2ODA="
I decoded this base64 string and obtained the md5 hash, which is 3a19697f29095bc289a96e4504679680
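The dotted marker ("t.h.e. fl.ag.is.") is what ASCII `strings` prints for UTF-16LE text, where every character is followed by a NUL byte, while the base64 payload after it is plain ASCII. The following is an added example, not code from the write-up: SAMPLE_DUMP is a constructed buffer that carries the same encoded value the write-up found, surrounded by junk, and the two functions recover the UTF-16LE marker and the base64-encoded MD5 from raw bytes.

```python
"""Recover a base64-encoded MD5 from a process memory dump.

Added example, not from the write-up. SAMPLE_DUMP is constructed; the
base64 blob in it is the one quoted in the write-up.
"""
import base64
import binascii
import re

# UTF-16LE runs: a printable ASCII byte followed by a NUL, repeated.
_UTF16LE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")
# Base64 runs long enough to carry a 32-byte payload (44 chars with padding).
_B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")
_HEX_MD5 = re.compile(r"^[0-9a-f]{32}$")


def utf16le_strings(buf, min_chars=8):
    """Extract UTF-16LE text runs, roughly what `strings -el` reports."""
    return [
        m.group(0).decode("utf-16-le")
        for m in _UTF16LE_RUN.finditer(buf)
        if len(m.group(0)) // 2 >= min_chars
    ]


def base64_md5_candidates(buf):
    """Find base64 runs that decode to a 32-character lowercase hex string."""
    found = []
    for m in _B64_RUN.finditer(buf):
        try:
            decoded = base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue  # looked like base64 but was not
        text = decoded.decode("ascii", errors="replace")
        if _HEX_MD5.match(text):
            found.append(text)
    return found


# Constructed sample: junk, a UTF-16LE marker, the ASCII base64 blob, more junk.
SAMPLE_DUMP = (
    b"\x00\x00MZ\x90\x00" + b"A" * 16 + b"\x00\x00"
    + "the flag is ".encode("utf-16-le")
    + b'M2ExOTY5N2YyOTA5NWJjMjg5YTk2ZTQ1MDQ2Nzk2ODA="'
    + b"\x00\x00" + b"garbage/data+++" + b"\x00"
)

if __name__ == "__main__":
    with open("8560.dmp", "rb") as fh:  # assumed dump file name from the write-up
        data = fh.read()
    print(utf16le_strings(data)[:10])
    print(base64_md5_candidates(data))
```

On the constructed buffer the marker decodes to "the flag is " and the only candidate decodes to 3a19697f29095bc289a96e4504679680, matching the write-up; on a real dump expect some false positives from other long base64 strings, which the hex-digest check filters out.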
3 - What is the process name of the malicious process parent?
This follows from the result of question 1, where the parent process is explorer.exe.
4 - What is the MAC address of this machine's default gateway?
Usually, network information in a Windows memory dump can be obtained from the SYSTEM hive in the registry. However, this dump does not contain the SYSTEM hive, only the SOFTWARE hive, so I googled how to obtain the default gateway's MAC address from it.
It is in the Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged key.
And, voila, I have it.
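Each subkey under the Signatures\Unmanaged key describes one network the machine has joined and stores the gateway's MAC as a REG_BINARY value named DefaultGatewayMac, which Volatility's printkey renders as a hex dump. The following is an added example, not code from the write-up: SAMPLE_PRINTKEY is a constructed fragment modelled on printkey's layout (a Key name line, REG_* value lines, an offset-plus-hex-bytes dump), and the MAC addresses and network names in it are made up, not the challenge's answer.

```python
"""Turn printkey output for NetworkList\\Signatures\\Unmanaged into MACs.

Added example, not from the write-up. SAMPLE_PRINTKEY is a constructed
fragment modelled on Volatility's printkey output; its values are made up.
"""
import re

_KEY_LINE = re.compile(r"^Key name:\s*(\S+)")
_DESC_LINE = re.compile(r"^REG_SZ\s+Description\s*:\s*\(\w\)\s*(.*)$")
_MAC_LINE = re.compile(r"^REG_BINARY\s+DefaultGatewayMac\s*:")
# offset column, then hex byte pairs separated by single spaces; the wider
# gap before the ASCII column stops the match.
_HEXDUMP_LINE = re.compile(r"^\s*0x[0-9a-fA-F]{8}\s+((?:[0-9a-fA-F]{2}(?: |$))+)")


def hexdump_to_bytes(lines):
    """Collect the hex byte columns of consecutive hexdump lines into bytes."""
    out = bytearray()
    for line in lines:
        m = _HEXDUMP_LINE.match(line)
        if m:
            out.extend(bytes.fromhex(m.group(1).replace(" ", "")))
    return bytes(out)


def format_mac(raw):
    """Render a 6-byte MAC as colon-separated lowercase hex."""
    if len(raw) != 6:
        raise ValueError(f"expected 6 bytes, got {len(raw)}")
    return ":".join(f"{b:02x}" for b in raw)


def gateway_macs(printkey_text):
    """Map each network's Description (or key name) to its DefaultGatewayMac."""
    result = {}
    key = desc = None
    mac_lines, in_mac = [], False
    for line in printkey_text.splitlines():
        km = _KEY_LINE.match(line)
        if km:  # a new subkey starts: emit the previous one
            if key and mac_lines:
                result[desc or key] = format_mac(hexdump_to_bytes(mac_lines))
            key, desc, mac_lines, in_mac = km.group(1), None, [], False
            continue
        dm = _DESC_LINE.match(line)
        if dm:
            desc, in_mac = dm.group(1).strip(), False
        elif _MAC_LINE.match(line):
            in_mac = True
        elif in_mac and _HEXDUMP_LINE.match(line):
            mac_lines.append(line)
        else:
            in_mac = False
    if key and mac_lines:
        result[desc or key] = format_mac(hexdump_to_bytes(mac_lines))
    return result


# Constructed sample modelled on printkey output; names and MACs are made up.
SAMPLE_PRINTKEY = """\
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \\SystemRoot\\System32\\Config\\SOFTWARE
Key name: 010103000F0000F0080000000F0000F0EXAMPLE1 (S)
Last updated: 2023-01-01 00:00:00 UTC+0000

Values:
REG_SZ        ProfileGuid     : (S) {11111111-2222-3333-4444-555555555555}
REG_SZ        Description     : (S) CorpLAN
REG_SZ        DnsSuffix       : (S) corp.example
REG_BINARY    DefaultGatewayMac : (S)
0x00000000  00 1a 2b 3c 4d 5e                                 ..+<M^
----------------------------
Registry: \\SystemRoot\\System32\\Config\\SOFTWARE
Key name: 010103000F0000F0080000000F0000F0EXAMPLE2 (S)
Values:
REG_BINARY    DefaultGatewayMac : (S)
0x00000000  de ad be ef 00 01                                 ......
REG_SZ        Description     : (S) CoffeeShop
"""

if __name__ == "__main__":
    for network, mac in gateway_macs(SAMPLE_PRINTKEY).items():
        print(f"{network}: {mac}")
```

Because a laptop may have joined several networks, the function returns every Description/MAC pair rather than a single value; pick the network whose DnsSuffix or FirstNetwork matches the environment under investigation.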
5 - What is the name of the file that is hidden in the alternative data stream?
This can be solved with the mftparser plugin. I wrote the mftparser output to a separate text file, then used egrep to search for text files with three-character names.
6 - What is the full path of the browser cache created when the user visited "www.13cubed.com" ?
Same methodology as the previous question: I grepped the mftparser output for 13cubed.
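Both question 5 and question 6 come down to searching mftparser output: an alternate data stream appears as a "$DATA ADS Name:" line inside a record, and a cache file's full path appears in that record's $FILE_NAME row. The following is an added example, not code from the write-up, that parses the records instead of grepping raw text so each ADS is reported together with the file that carries it. SAMPLE_MFT is a constructed fragment modelled on mftparser's record layout; the file names, paths and record numbers in it are made up and are not the challenge's answers.

```python
"""Pull alternate data streams and matching paths out of mftparser output.

Added example, not from the write-up. SAMPLE_MFT is a constructed fragment
modelled on Volatility's mftparser layout (records separated by a line of
asterisks, $FILE_NAME rows with four timestamps then the path, and
"$DATA ADS Name:" lines for alternate data streams). All values are made up.
"""
import re

_RECORD_SEP = re.compile(r"^\*{10,}\s*$", re.M)
_RECORD_NO = re.compile(r"^Record Number:\s*(\d+)", re.M)
_TS = r"\d{4}-\d{2}-\d{2} \S+ \S+"  # e.g. 2023-03-01 09:12:44 UTC+0000
_FILE_NAME_ROW = re.compile(rf"^{_TS}\s+{_TS}\s+{_TS}\s+{_TS}\s+(.+)$", re.M)
_ADS_NAME = re.compile(r"^\$DATA ADS Name:\s*(.+)$", re.M)


def parse_mft_records(text):
    """Yield {record, path, ads} for every MFT record in mftparser output."""
    for chunk in _RECORD_SEP.split(text):
        m = _RECORD_NO.search(chunk)
        if not m:
            continue
        rec = {"record": int(m.group(1)), "path": None, "ads": []}
        # The path is the last column of the first row after the $FILE_NAME header
        # (records with a short and a long name carry two such sections; the
        # first one is used here).
        parts = chunk.split("$FILE_NAME", 1)
        if len(parts) == 2:
            row = _FILE_NAME_ROW.search(parts[1])
            if row:
                rec["path"] = row.group(1).strip()
        rec["ads"] = [a.group(1).strip() for a in _ADS_NAME.finditer(chunk)]
        yield rec


def alternate_data_streams(text):
    """(path, ads_name) for every record that carries an alternate data stream."""
    return [(r["path"], name) for r in parse_mft_records(text) for name in r["ads"]]


def paths_containing(text, needle):
    """Full paths containing `needle`, case-insensitively (what grep -i gives)."""
    needle = needle.lower()
    return [r["path"] for r in parse_mft_records(text)
            if r["path"] and needle in r["path"].lower()]


# Constructed sample; names, paths and record numbers are made up.
SAMPLE_MFT = """\
***************************************************************************
MFT entry found at offset 0x1a2b3c00
Attribute: In Use & File
Record Number: 41201
Link count: 1

$STANDARD_INFORMATION
Creation                       Modified                       MFT Altered                    Access Date                    Type
------------------------------ ------------------------------ ------------------------------ ------------------------------ ----
2023-03-01 09:12:44 UTC+0000 2023-03-01 09:12:44 UTC+0000 2023-03-01 09:12:44 UTC+0000 2023-03-01 09:12:44 UTC+0000 Archive

$FILE_NAME
Creation                       Modified                       MFT Altered                    Access Date                    Name/Path
------------------------------ ------------------------------ ------------------------------ ------------------------------ ---------
2023-03-01 09:12:44 UTC+0000 2023-03-01 09:12:44 UTC+0000 2023-03-01 09:12:44 UTC+0000 2023-03-01 09:12:44 UTC+0000 Users\\analyst\\Desktop\\notes.txt

$DATA

$DATA ADS Name: xyz.txt

***************************************************************************
MFT entry found at offset 0x1a2b4000
Attribute: In Use & File
Record Number: 41377
Link count: 1

$FILE_NAME
Creation                       Modified                       MFT Altered                    Access Date                    Name/Path
------------------------------ ------------------------------ ------------------------------ ------------------------------ ---------
2023-03-01 10:01:02 UTC+0000 2023-03-01 10:01:02 UTC+0000 2023-03-01 10:01:02 UTC+0000 2023-03-01 10:01:02 UTC+0000 Users\\analyst\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\EXAMPLE1\\www.13cubed.com[1].htm

$DATA
"""

if __name__ == "__main__":
    print(alternate_data_streams(SAMPLE_MFT))
    print(paths_containing(SAMPLE_MFT, "13cubed"))
```

Point it at the saved mftparser text file instead of SAMPLE_MFT to reproduce the two greps in one pass; reporting the carrier file next to each ADS name is what a plain egrep on the stream name loses.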