Window Pains 4
Challenge:
We want to see if any other machines are infected with this malware. Using the memory dump file from Window Pains, submit the SHA1 checksum of the malicious process.
Submit the flag as flag{SHA1 hash}.
CAUTION: Practice good cyber hygiene! Use an isolated VM to download/run the malicious process. While the malicious process is relatively benign, if you're using an insecurely-configured Windows host, it may be possible for someone to compromise your machine if they can reach you on the same network.
Solution:
We identified the PID for the malicious process in the Window Pains 3 challenge as 8180 and leveraged Volatility to dump the files related to that process:
~/Tools/volatility3/vol.py -qf physmemraw windows.dumpfiles.DumpFiles --pid 8180
Volatility 3 Framework 2.0.0
Cache FileObject FileName Result
ImageSectionObject 0x9a077f6d01a0 sechost.dll file.0x9a077f6d01a0.0x9a077f0ddb20.ImageSectionObject.sechost.dll.img
ImageSectionObject 0x9a07857d4280 userinit.exe file.0x9a07857d4280.0x9a07843b6a90.ImageSectionObject.userinit.exe.img
ImageSectionObject 0x9a0784c4e590 cryptsp.dll file.0x9a0784c4e590.0x9a0784bbca20.ImageSectionObject.cryptsp.dll.img
ImageSectionObject 0x9a0784c6fa60 icuin.dll file.0x9a0784c6fa60.0x9a07849e6600.ImageSectionObject.icuin.dll.img
ImageSectionObject 0x9a0784c6f740 icuuc.dll file.0x9a0784c6f740.0x9a07849e4660.ImageSectionObject.icuuc.dll.img
...
All that was left to do was calculate the SHA1 hash for userinit.exe and submit the flag:
$ shasum file.0x9a07857d4280.0x9a07843b6a90.ImageSectionObject.userinit.exe.img
The accepted flag was flag{962d96f30c8f126cbcdee6eecc5e50c3a408402b}
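The two manual steps above (reading the DumpFiles table to find the right dump, then hashing it) are easy to script, which matters when the same check has to be repeated across many hosts. The Python below is an added example written for this writeup, not code from the challenge or from Volatility: it parses the DumpFiles output, selects the ImageSectionObject dump for a given process image name, hashes it with SHA1 and formats the flag. The SAMPLE_OUTPUT text is a constructed copy of the table shown above, and the file written into the temporary directory is a stand-in with the bytes "abc" rather than the real userinit.exe, so the hash it produces is only the hash of that stand-in. One caveat to keep in mind when reusing such hashes as indicators: an ImageSectionObject dump is the PE as it was mapped in memory, so its SHA1 will generally not match the on-disk binary's SHA1; compare memory-dump hashes with memory-dump hashes.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed sample of the `windows.dumpfiles.DumpFiles --pid 8180` output
# from the writeup (object addresses and names copied from the table above).
SAMPLE_OUTPUT = """Volatility 3 Framework 2.0.0
Cache FileObject FileName Result
ImageSectionObject 0x9a077f6d01a0 sechost.dll file.0x9a077f6d01a0.0x9a077f0ddb20.ImageSectionObject.sechost.dll.img
ImageSectionObject 0x9a07857d4280 userinit.exe file.0x9a07857d4280.0x9a07843b6a90.ImageSectionObject.userinit.exe.img
ImageSectionObject 0x9a0784c4e590 cryptsp.dll file.0x9a0784c4e590.0x9a0784bbca20.ImageSectionObject.cryptsp.dll.img
...
"""


def parse_dumpfiles(text):
    """Parse DumpFiles table rows into (cache, fileobject, filename, dumpfile).

    FileName may contain spaces (full paths such as \\Program Files\\...),
    so the first two and the last token are taken positionally and the
    remainder is rejoined as the file name. Header, banner and error rows
    (Result not a dumped file name) are skipped.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].endswith("SectionObject"):
            continue
        cache, fileobj, result = parts[0], parts[1], parts[-1]
        if not fileobj.startswith("0x") or not result.startswith("file."):
            continue
        filename = " ".join(parts[2:-1])
        rows.append((cache, fileobj, filename, result))
    return rows


def find_dumps(rows, name, cache="ImageSectionObject"):
    """Dump file names whose FileName basename matches `name` (case-insensitive)."""
    wanted = name.lower()
    return [
        dump
        for c, _, fname, dump in rows
        if c == cache and fname.rsplit("\\", 1)[-1].lower() == wanted
    ]


def sha1_file(path):
    """SHA1 of a file, read in chunks so large dumps do not need to fit in RAM."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def flag_for(dump_dir, dumpfiles_text, name):
    """Locate the single ImageSectionObject dump for `name` and return the flag."""
    dumps = find_dumps(parse_dumpfiles(dumpfiles_text), name)
    if len(dumps) != 1:
        raise ValueError(f"expected exactly one image dump for {name}, got {dumps}")
    return "flag{%s}" % sha1_file(Path(dump_dir) / dumps[0])


def hash_all(dump_dir, dumpfiles_text):
    """(FileName, SHA1) for every dump present on disk: a hash list for other hosts."""
    out = []
    for _, _, fname, dump in parse_dumpfiles(dumpfiles_text):
        p = Path(dump_dir) / dump
        if p.is_file():
            out.append((fname, sha1_file(p)))
    return out


def demo():
    """Run the pipeline against a constructed stand-in dump (bytes b'abc')."""
    with tempfile.TemporaryDirectory() as d:
        dump = find_dumps(parse_dumpfiles(SAMPLE_OUTPUT), "userinit.exe")[0]
        (Path(d) / dump).write_bytes(b"abc")  # constructed, not the real image
        return flag_for(d, SAMPLE_OUTPUT, "userinit.exe")


if __name__ == "__main__":
    print(demo())
```

Pointed at the real output directory of the DumpFiles run above, flag_for(".", open("dumpfiles.txt").read(), "userinit.exe") would hash the actual .img file; hash_all produces the list to match against dumps from other machines.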