Window Pains 4

Challenge:

We want to see if any other machines are infected with this malware. Using the memory dump file from Window Pains, submit the SHA1 checksum of the malicious process.

Submit the flag as flag{SHA1 hash}.

CAUTION Practice good cyber hygiene! Use an isolated VM to download/run the malicious process. While the malicious process is relatively benign, if you're using an insecurely-configured Windows host, it may be possible for someone to compromise your machine if they can reach you on the same network.

Solution:

We identified the PID for the malicious process in the Window Pains 3 challenge as 8180 and leveraged Volatility to dump the files related to that process:

~/Tools/volatility3/vol.py -qf physmemraw windows.dumpfiles.DumpFiles --pid 8180
Volatility 3 Framework 2.0.0

Cache	FileObject	FileName	Result

ImageSectionObject	0x9a077f6d01a0	sechost.dll	file.0x9a077f6d01a0.0x9a077f0ddb20.ImageSectionObject.sechost.dll.img
ImageSectionObject	0x9a07857d4280	userinit.exe	file.0x9a07857d4280.0x9a07843b6a90.ImageSectionObject.userinit.exe.img
ImageSectionObject	0x9a0784c4e590	cryptsp.dll	file.0x9a0784c4e590.0x9a0784bbca20.ImageSectionObject.cryptsp.dll.img
ImageSectionObject	0x9a0784c6fa60	icuin.dll	file.0x9a0784c6fa60.0x9a07849e6600.ImageSectionObject.icuin.dll.img
ImageSectionObject	0x9a0784c6f740	icuuc.dll	file.0x9a0784c6f740.0x9a07849e4660.ImageSectionObject.icuuc.dll.img
...

All that was left to do was calculate the SHA1 hash for userinit.exe and submit the flag:

$ shasum file.0x9a07857d4280.0x9a07843b6a90.ImageSectionObject.userinit.exe.img

The accepted flag was flag{962d96f30c8f126cbcdee6eecc5e50c3a408402b}.
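The challenge's stated purpose is to check whether other machines carry the same binary, and that is a hash-matching job rather than a one-off shasum. The script below is an added example (not part of the writeup and not Volatility's own code): it parses the tab-separated table that windows.dumpfiles prints, picks the dump written for a given FileName, hashes every .img in the output directory and reports any that match a known-bad SHA1 set. The table text and the file contents used in the demo are constructed stand-ins; the only real value is the hash from the writeup.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed sample of the windows.dumpfiles table (column layout and
# object addresses copied from the writeup; the trailing "..." is kept to
# show the parser tolerating non-table lines).
SAMPLE_DUMPFILES_OUTPUT = (
    "Volatility 3 Framework 2.0.0\n"
    "\n"
    "Cache\tFileObject\tFileName\tResult\n"
    "\n"
    "ImageSectionObject\t0x9a077f6d01a0\tsechost.dll\t"
    "file.0x9a077f6d01a0.0x9a077f0ddb20.ImageSectionObject.sechost.dll.img\n"
    "ImageSectionObject\t0x9a07857d4280\tuserinit.exe\t"
    "file.0x9a07857d4280.0x9a07843b6a90.ImageSectionObject.userinit.exe.img\n"
    "...\n"
)

# SHA1 of the userinit.exe image from the writeup, used as the known-bad set.
KNOWN_BAD_SHA1 = {"962d96f30c8f126cbcdee6eecc5e50c3a408402b"}


def parse_dumpfiles_table(text):
    """Turn the plugin's tab-separated output into a list of row dicts."""
    rows, header = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = line.split("\t")
        if header is None:
            if cols[0] == "Cache":      # the header row names the columns
                header = cols
            continue
        if len(cols) != len(header):    # banner, "...", or other noise
            continue
        rows.append(dict(zip(header, cols)))
    return rows


def find_dump_for(rows, file_name):
    """Return the Result (dumped file name) for every row matching file_name."""
    return [r["Result"] for r in rows if r["FileName"].lower() == file_name.lower()]


def sha1_of_bytes(data):
    return hashlib.sha1(data).hexdigest()


def sha1_of_file(path, chunk=1 << 20):
    """Stream the file so large memory-dumped images do not need to fit in RAM."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_dumped_images(directory):
    """Map every *.img Volatility wrote into directory to its SHA1."""
    return {p.name: sha1_of_file(p) for p in sorted(Path(directory).glob("*.img"))}


def match_known_bad(hashes, known_bad):
    """Keep only the dumped files whose SHA1 appears in the known-bad set."""
    return {name: h for name, h in hashes.items() if h in known_bad}


def flag_for(sha1_hex):
    return "flag{" + sha1_hex + "}"


def demo_with_constructed_sample():
    """Run the whole pipeline on a constructed dump directory and return the findings."""
    rows = parse_dumpfiles_table(SAMPLE_DUMPFILES_OUTPUT)
    results = find_dump_for(rows, "userinit.exe")
    with tempfile.TemporaryDirectory() as d:
        # Constructed stand-ins: b"abc" plays the role of the dumped userinit.exe,
        # an empty file plays a benign DLL; neither is the real image.
        for name in results:
            Path(d, name).write_bytes(b"abc")
        Path(d, "file.deadbeef.ImageSectionObject.sechost.dll.img").write_bytes(b"")
        hashes = hash_dumped_images(d)
        # The stand-in's hash is added so the demo produces a hit on fake data.
        hits = match_known_bad(hashes, KNOWN_BAD_SHA1 | {sha1_of_bytes(b"abc")})
    return {"results": results, "hashes": hashes, "hits": hits}


if __name__ == "__main__":
    out = demo_with_constructed_sample()
    for name, h in out["hits"].items():
        print(name, h, flag_for(h))
```

Against a real case, point hash_dumped_images at the directory vol.py wrote into and pass KNOWN_BAD_SHA1 straight to match_known_bad; the parser is only needed when you want to go from a process's FileName back to the dump file Volatility chose for it.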
