OtterCTF Memory Forensics writeup and an introduction to Volatility

Hi, Habr! OtterCTF has just ended (for those interested, the event is listed on ctftime). This year it pleasantly surprised me, as someone who works closely with hardware: there was a separate Memory Forensics category, which was essentially the analysis of a RAM dump. I want to walk through it in this post; everyone interested is welcome under the cut.
Introduction

There may already have been articles on Habr describing work with Volatility, but unfortunately I did not find them. If I am wrong, drop me a link in the comments. This article pursues two goals: to show how little an administrator's efforts to protect a system are worth once the attacker holds a memory dump, and to introduce readers to what is, in my opinion, a beautiful tool. And, of course, to share experience. Enough water, let's get started!
Getting to know the tool
Volatility is an open-source framework developed by the community. It is written in Python 2 (this is Volatility 2; the Volatility 3 rewrite runs on Python 3 and replaces profiles with symbol tables) and has a modular architecture: plugins that you attach for a particular analysis, and you can write the missing ones yourself. The full list of plugins shipped out of the box can be seen with volatility -h, and volatility --info additionally lists the supported profiles and address spaces.

Because it is Python, the tool is cross-platform, so there should be no trouble running it on any popular OS that has Python. The framework supports a huge number of profiles (in Volatility terms, the OS builds the dump was taken from): Windows, Linux and macOS. On the input side it reads raw dd-style dumps as well as the memory files of virtual machines (QEMU and VirtualBox among others). A very good set, in my opinion.
The power of this tool is really impressive: I stumbled upon it while debugging my own ARM kernel, and it parsed whatever I fed it without complaint. As a bonus, it supports almost every address space imaginable.

It seems the advertisement has turned out a bit longer than planned. Let's get on with the analysis itself.

Basic information and surface analysis

For those who want to follow along with all the steps in the article: there is a link to the image on Mega, or you can fetch it with wget:

$ wget https://transfer.sh/AesNq/OtterCTF.7z

So, the image is in our hands and we can start the analysis. First of all, we need to find out which system the dump was taken from. Volatility has a great plugin for this, imageinfo. Just run

$ volatility -f <image_name> imageinfo

In our case the output will be roughly as follows:
Volatility Foundation Volatility Framework ???
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_23418
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (<path>/<image_name>)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf80002c430a0L
          Number of Processors : 2
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff80002c44d00L
                KPCR for CPU 1 : 0xfffff880009ef000L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2018-08-???:34:22 UTC+0000
     Image local date and time : 2018-08-???:34:22 +0300

So we have almost exhaustive information about the dump: which OS it was presumably taken from (sorted in order of likelihood), the date and time the dump was captured, the address space layers, and more. We are dealing with a Windows 7 SP1 x64 dump. One caveat: the profile guess is based on a KDBG scan, so if some plugin later prints nothing or nonsense, try the next suggested profile or run kdbgscan to pin the right one down. Time to dig in!

What's the password
Since this is a writeup of sorts, I will give each task statement and then describe how to solve it with Volatility.

The first task is to get the user's password.

To begin with, let's find out which users were on the system and, while we are at it, try to get their passwords. The passwords themselves are harder to obtain, so we hope the user was not very clever and we will manage to crack his password hash. First we have to get it. For this we look at the registry hives loaded in memory (the _CMHIVE structures): as a rule, you can always find something interesting there while Windows is running. Just run the hivelist plugin, specifying the Win7 profile:
$ volatility -f OtterCTF.vmem --profile=Win7SP1x64 hivelist
Volatility Foundation Volatility Framework ???
Virtual            Physical           Name
------------------ ------------------ ----
0xfffff8a00377d2d0 0x00000000624162d0 \??\C:\System Volume Information\Syscache.hve
0xfffff8a00000f010 0x000000002d4c1010 [no name]
0xfffff8a000024010 0x000000002d50c010 \REGISTRY\MACHINE\SYSTEM
0xfffff8a000053320 0x000000002d5bb320 \REGISTRY\MACHINE\HARDWARE
0xfffff8a000109410 0x0000000029cb4410 \SystemRoot\System32\Config\SECURITY
0xfffff8a00033d410 0x000000002a958410 \Device\HarddiskVolume1\Boot\BCD
0xfffff8a0005d5010 0x000000002a983010 \SystemRoot\System32\Config\SOFTWARE
0xfffff8a001495010 0x0000000024912010 \SystemRoot\System32\Config\DEFAULT
0xfffff8a0016d4010 0x00000000214e1010 \SystemRoot\System32\Config\SAM
0xfffff8a00175b010 0x00000000211eb010 \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
0xfffff8a00176e410 0x00000000206db410 \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
0xfffff8a002090010 0x000000000b92b010 \??\C:\Users\Rick\ntuser.dat
0xfffff8a0020ad410 0x000000000db41410 \??\C:\Users\Rick\AppData\Local\Microsoft\Windows\UsrClass.dat

Excellent! We have presumably got the username from the profile path and, at the same time, made sure that the SYSTEM and SAM hives we need are loaded in memory. Now we pull the hashes and crack them. hashdump needs the virtual address of SYSTEM (-y, for the boot key that encrypts the SAM) and of SAM (-s):
$ volatility -f OtterCTF.vmem --profile=Win7SP1x64 hashdump -y 0xfffff8a000024010 -s 0xfffff8a0016d4010
Volatility Foundation Volatility Framework ???
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Rick:1000:aad3b435b51404eeaad3b435b51404ee:518172d012f97d3a8fcc089615283940:::

As a result we have three users: Administrator (31d6cfe0d16ae931b73c59d7e0c089c0), Guest (31d6cfe0d16ae931b73c59d7e0c089c0) and our Rick (518172d012f97d3a8fcc089615283940). The first two are the NT hash of an empty password (on a default Windows 7 install both built-in accounts are disabled and have no password set), and the LM half aad3b435b51404eeaad3b435b51404ee is the empty LM hash, since Windows 7 does not store LM hashes by default. Rick's hash is an NT hash, i.e. unsalted MD4 over the UTF-16LE password, and cracking it without a good wordlist can take a long time. I can say that I spent almost a day on a gaming graphics card and got nowhere. So we can go the easier way and try mimikatz. It is not a panacea and does not always work, but when it works it always delivers. Here Volatility's extensibility comes in handy: there is a community mimikatz plugin. Download it to any convenient folder and point Volatility at that folder at start-up:
$ volatility --plugins=<path_to_plugin_folder> -f OtterCTF.vmem --profile=Win7SP1x64 mimikatz

And we immediately get the user's password:
Volatility Foundation Volatility Framework ???
Module   User             Domain           Password
-------- ---------------- ---------------- ----------------------------------------
wdigest  Rick             WIN-LO6FAF3DTFE  MortyIsReallyAnOtter
wdigest  WIN-LO6FAF3DTFE$ WORKGROUP

The password is there in clear text because the WDigest security package on Windows 7 keeps logon credentials in LSASS in reversible form. Windows 8.1 and Server 2012 R2 stopped doing that, and update KB2871997 backports the switch (the UseLogonCredential value under SecurityProviders\WDigest) to Windows 7, so on a patched and hardened box this trick returns nothing and you are back to cracking the hash.
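The hashdump line format and the two special hashes above can be checked offline without any cracking tool. The following is an added example (my own code, not part of the original writeup and not from Volatility): it reimplements MD4 so that it runs where hashlib lacks it, derives the NT hash from a password, parses the three hashdump lines quoted above, reports which accounts have an empty password, and tests the plaintext the mimikatz plugin recovered against Rick's SAM hash. The hashdump lines are copied from the output above; everything else in the block is mine.

```python
"""Check hashdump output offline: find empty-password accounts and test a
candidate password against an NT hash without a cracking tool."""
import struct
from typing import Dict, List

MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


# MD4 per RFC 1320: (round function, additive constant, message-word order, shifts)
_ROUNDS = (
    (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
     (0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15), (3, 7, 11, 19)),
    (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
     (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
    (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
     (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
)


def md4(data: bytes) -> bytes:
    """Pure-Python MD4; hashlib's md4 is often missing under OpenSSL 3."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        words = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, k, order, shifts in _ROUNDS:
            for i, j in enumerate(order):
                t = (a + fn(b, c, d) + words[j] + k) & MASK
                a, b, c, d = d, _rotl(t, shifts[i % 4]), b, c
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)); unsalted, so equal passwords hash equal."""
    return md4(password.encode("utf-16-le")).hex()


EMPTY_NT = nt_hash("")  # the 31d6cfe0... value seen for Administrator and Guest


def parse_hashdump(text: str) -> List[Dict[str, str]]:
    """Parse 'user:rid:lm:nt:::' lines as printed by the hashdump plugin."""
    entries = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) >= 4 and parts[1].isdigit():
            entries.append({"user": parts[0], "rid": parts[1],
                            "lm": parts[2].lower(), "nt": parts[3].lower()})
    return entries


def empty_password_users(entries: List[Dict[str, str]]) -> List[str]:
    return [e["user"] for e in entries if e["nt"] == EMPTY_NT]


def check_candidate(password: str, nt_hex: str) -> bool:
    return nt_hash(password) == nt_hex.lower()


# The three lines hashdump printed for this image (copied from the output above).
HASHDUMP_OUTPUT = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Rick:1000:aad3b435b51404eeaad3b435b51404ee:518172d012f97d3a8fcc089615283940:::
"""

if __name__ == "__main__":
    entries = parse_hashdump(HASHDUMP_OUTPUT)
    print("accounts with an empty NT hash:", empty_password_users(entries))
    rick = next(e for e in entries if e["user"] == "Rick")
    # Plaintext recovered by the mimikatz plugin above, checked against the SAM hash.
    print("MortyIsReallyAnOtter matches Rick's NT hash:",
          check_candidate("MortyIsReallyAnOtter", rick["nt"]))
```

The same check_candidate loop over a wordlist is a perfectly usable cracker for a handful of hashes; the reason hashcat exists is throughput, not the algorithm.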

General Info

The task is to get the IP address and the computer name.

Now that we know who we are, we need to understand where we are, that is, find our IP address and the machine name. For the IP address everything is simple: look at the list of connections at the time of the dump with netscan. Keep in mind that netscan is a pool scanner, so alongside live sockets it also digs up closed and freed ones (hence all the CLOSED entries), which is exactly why the local address shows up even for connections that were long gone:
$ volatility -f OtterCTF.vmem --profile=Win7SP1x64 netscan
Volatility Foundation Volatility Framework ???
Offset(P)  Proto  Local Address  Foreign Address  State  Pid  Owner  Created
0x7d60f010 UDPv???.0.0:1900 *: * 2836 BitTorrent.exe 2018-08-???:27:17 UTC + 0000
0x7d62b3f0 UDPv???.???:6771 *: * 2836 BitTorrent.exe 2018-08-???:27:22 UTC + 0000
0x7d62f4c0 UDPv???.0.1:62307 *: * 2836 BitTorrent.exe 2018-08-???:27:17 UTC + 0000
0x7d62f920 UDPv???.???:62306 *: * 2836 BitTorrent.exe 2018-08-???:27:17 UTC + 0000
0x7d6424c0 UDPv???.0.0:50762 *: * 4076 chrome.exe 2018-08-???:33:37 UTC + 0000
0x7d6b4250 UDPv6 :: 1: 1900 *: * 164 svchost.exe 2018-08-???:28:42 UTC + 0000
0x7d6e3230 UDPv???.0.1:6771 *: * 2836 BitTorrent.exe 2018-08-???:27:22 UTC + 0000
0x7d6ed650 UDPv???.0.0.lt355 *: * 620 svchost.exe 2018-08-???:34:22 UTC + 0000
0x7d71c8a0 UDPv???.0.0 *: * 868 svchost.exe 2018-08-???:34:22 UTC + 0000
0x7d71c8a0 UDPv6 ::: 0 *: * 868 svchost.exe 2018-08-???:34:22 UTC + 0000
0x7d74a390 UDPv???.??? *: * 2624 bittorrentie.e 2018-08-???:27:24 UTC + 0000
0x7d7602c0 UDPv???.0.1 L en2846 *: * 2308 bittorrentie.e 2018-08-???:27:24 UTC + 0000
0x7d787010 UDPv???.0.0:65452 *: * 4076 chrome.exe 2018-08-???:33:42 UTC + 0000
0x7d789b50 UDPv???.0.0:50523 *: * 620 svchost.exe 2018-08-???:34:22 UTC + 0000
0x7d789b50 UDPv6 ::: 50523 *: * 620 svchost.exe 2018-08-???:34:22 UTC + 0000
0x7d92a230 UDPv???.0.0 Dive *: * 868 svchost.exe 2018-08-???:34:22 UTC + 0000
0x7d92a230 UDPv6 ::: 0 *: * 868 svchost.exe 2018-08-???:34:22 UTC + 0000
0x7d9e8b50 UDPv???.0.0:20830 *: * 2836 BitTorrent.exe 2018-08-???:27:15 UTC + 0000
0x7d9f4560 UDPv???.0.0 Dive *: * 3856 WebCompanion.e 2018-08-???:34:22 UTC + 0000
0x7d9f8cb0 UDPv???.0.0:20830 *: * 2836 BitTorrent.exe 2018-08-???:27:15 UTC + 0000
0x7d9f8cb0 UDPv6 ::: 20830 *: *  2836 BitTorrent.exe 2018-08-???:27:15 UTC + 0000
0x7d8bb390 TCPv???.0.0:???.0.0 Delay LISTENING 4 System
0x7d8bb390 TCPv6 ::: 9008 ::: 0 LISTENING 4 System
0x7d9a9240 TCPv??? ???.??? LISTENING 4 System
0x7d9a9240 TCPv6 :::8733 :::0 LISTENING 4 System
0x7d9e19e0 TCPv???.0.0:???.0.0 Delay LISTENING 2836 BitTorrent.exe
0x7d9e19e0 TCPv6 ::: 20830 ::: 0 LISTENING 2836 BitTorrent.exe
0x7d9e1c90 TCPv???.0.0:???.0.0 Delay LISTENING 2836 BitTorrent.exe
0x7d42ba90 TCPv4 -: ???.??? delay CLOSED 2836 BitTorrent.exe
0x7d6124d0 TCPv???.???:???.???:7575 CLOSED 708 LunarMS.exe
0x7d62d690 TCPv???.???:???.???:8999 CLOSED 2836 BitTorrent.exe
0x7d634350 TCPv6 -: ???db: c41a: 80fa: ffff: 38db: c41a: 80fa: ffff: 0 CLOSED 2836 BitTorrent.exe
0x7d6f27f0 TCPv???.???:???.???:34674 CLOSED 2836 BitTorrent.exe
0x7d704010 TCPv???.???:???.???:6881 CLOSED 2836 BitTorrent.exe
0x7d708cf0 TCPv???.???:???.???:371847 CLOSED 2836 BitTorrent.exe
0x7d729620 TCPv4 -: ???.???:24578 CLOSED 2836 BitTorrent.exe
0x7d72cbe0 TCPv???.???:???.???:80 CLOSED 3496 Lavasoft.WCAss
0x7d7365a0 TCPv???.???:???.???:80 CLOSED 3856 WebCompanion.e
0x7d81c890 TCPv???.???:???.???:60405 CLOSED 2836 BitTorrent.exe
0x7d8fd530 TCPv???.???:???.???:80 CLOSED 3496 Lavasoft.WCAss
0x7d9cecf0 TCPv???.???:???.???:2997 CLOSED 2836 BitTorrent.exe
0x7d9d7cf0 TCPv???.???:???.???:59163 CLOSED 2836 BitTorrent.exe
0x7daefec0 UDPv???.0.0 Dive *: * 3856 WebCompanion.e 2018-08-???:34:22 UTC + 0000
0x7daefec0 UDPv6 ::: 0 *: * 3856 WebCompanion.e 2018-08-???:34:22 UTC + 0000
0x7db83b90 UDPv???.0.0 Dive *: * 3880 WebCompanionIn 2018-08-???:33:30 UTC + 0000
0x7db83b90 UDPv6 ::: 0 *: * 3880 WebCompanionIn 2018-08-???:33:30 UTC + 0000
0x7db9cdd0 UDPv???.0.0 *: * * 2844 WebCompanion.e 2018-08-???:30:05 UTC + 0000
0x7db9cdd0 UDPv6 ::: 0 *: * 2844 WebCompanion.e 2018-08-???:30:05 UTC + 0000
0x7dc2dc30 UDPv???.0.0:50879 *: * 4076 chrome.exe 2018-08-???:30:41 UTC + 0000
0x7dc2dc30 UDPv6 ::: 50879 *: * 4076 chrome.exe 2018-08-???:30:41 UTC + 0000
0x7dc83810 UDPv???.0.0.lt355 *: * 620 svchost.exe 2018-08-???:34:22 UTC + 0000
0x7dc83810 UDPv6 ::: 5355 *: * 620 svchost.exe 2018-08-???:34:22 UTC + 0000
0x7dd82c30 UDPv???.0.0 thin355 *: * 620 svchost.exe 2018-08-???:26:38 UTC + 0000
0x7df00980 UDPv???.0.0 Wake *: * 620 svchost.exe 2018-08-???:34:22 UTC + 0000
0x7df00980 UDPv6 ::: 0 *: * 620 svchost.exe 2018-08-???:34:22 UTC + 0000
0x7df04cc0 UDPv???.0.0. De355 *: * 620 svchost.exe 2018-08-???:26:38 UTC + 0000
0x7df04cc0 UDPv6 ::: 5355 *: * 620 svchost.exe 2018-08-???:26:38 UTC + 0000
0x7df5f010 UDPv???.0.0.l5175 ​​*: * 620 svchost.exe 2018-08-???:34:22 UTC + 0000
0x7dfab010 UDPv???.0.0:58383 *: * 620 svchost.exe 2018-08-???:34:22 UTC + 0000
0x7dfab010 UDPv6 ::: 58383 *: * 620 svchost.exe 2018-08-???:34:22 UTC + 0000
0x7e12c1c0 UDPv???.0.0 *: * 3880 WebCompanionIn 2018-08-???:33:27 UTC + 0000
0x7e163a40 UDPv???.0.0 Dive *: * 3880 WebCompanionIn 2018-08-???:33:27 UTC + 0000
0x7e163a40 UDPv6 ::: 0 *: * 3880 WebCompanionIn 2018-08-???:33:27 UTC + 0000
0x7e1cf010 UDPv???.???:137 *: * 4 System 2018-08-???:26:35 UTC + 0000
0x7e1da010 UDPv???.???:138 *: * 4 System 2018-08-???:26:35 UTC + 0000
0x7dc4ad30 TCPv???.0.0:???.0.0 delay LISTENING 500 lsass.exe
0x7dc4ad30 TCPv6 ::: 49155 ::: 0 LISTENING 500 lsass.exe
0x7dc4b370 TCPv???.0.0:???.0.0 Delay LISTENING 500 lsass.exe
0x7dd71010 TCPv??? ???.??? LISTENING 4 System
0x7dd71010 TCPv6 :::445 :::0 LISTENING 4 System
0x7ddca6b0 TCPv???.0.0:???.0.0 delay LISTENING 492 services.exe
0x7ddcbc00 TCPv???.0.0:???.0.0 delay LISTENING 492 services.exe
0x7ddcbc00 TCPv6 ::: 49156 ::: 0 LISTENING 492 services.exe
0x7de09c30 TCPv??? ???.??? LISTENING 396 wininit.exe
0x7de09c30 TCPv6 :::49152 :::0 LISTENING 396 wininit.exe
0x7de0d7b0 TCPv???.0.0:???.0.0 Delay LISTENING 396 wininit.exe
0x7de424e0 TCPv??? ???.??? LISTENING 808 svchost.exe
0x7de45ef0 TCPv??? ???.??? LISTENING 808 svchost.exe
0x7de45ef0 TCPv6 :::49153 :::0 LISTENING 808 svchost.exe
0x7df3d270 TCPv??? ???.??? LISTENING 868 svchost.exe
0x7df3eef0 TCPv??? ???.??? LISTENING 868 svchost.exe
0x7df3eef0 TCPv6 :::49154 :::0 LISTENING 868 svchost.exe
0x7e1f6010 TCPv??? ???.??? LISTENING 712 svchost.exe
0x7e1f6010 TCPv6 :::135 :::0 LISTENING 712 svchost.exe
0x7e1f8ef0 TCPv??? ???.??? LISTENING 712 svchost.exe
0x7db000a0 TCPv4 -:??? ???.???:32645 CLOSED 2836 BitTorrent.exe
0x7db132e0 TCPv???.???:???.???:80 CLOSED 3880 WebCompanionIn
0x7dbc3010 TCPv6 -: ???: d418: 80fa: ffff: 4847: d418: 80fa: ffff: 0 CLOSED 4076 chrome.exe
0x7dc4bcf0 TCPv4 -:??? ???.??? CLOSED ??? ????
0x7dc83080 TCPv??? ???.???:19761 CLOSED 2836 BitTorrent.exe
0x7dd451f0 TCPv???.???:???.??? Cur1414 CLOSED 2836 BitTorrent.exe
0x7ddae890 TCPv4 -: ???.???:8999 CLOSED 2836 BitTorrent.exe
0x7ddff010 TCPv4 ???.131:???.???:80 CLOSED 3856 WebCompanion.e
0x7e0057d0 TCPv???.???:???.??? Cur 1413 CLOSED 2836 BitTorrent.exe
0x7e0114b0 TCPv???.???:???.???:8306 CLOSED 2836 BitTorrent.exe
0x7e042cf0 TCPv???.???:???.???:52103 CLOSED 2836 BitTorrent.exe
0x7e08a010 TCPv???.???:???.???:20133 CLOSED 2836 BitTorrent.exe
0x7e092010 TCPv???.???:???.???:13155 CLOSED 2836 BitTorrent.exe
0x7e094b90 TCPv???.???:???.???:55125 CLOSED 2836 BitTorrent.exe
0x7e09ba90 TCPv6 -: ???f0: 181b: 80fa: ffff: 68f0: 181b: 80fa: ffff: 0 CLOSED 2836 BitTorrent.exe
0x7e0a8b90 TCPv???.???:???.???:80 CLOSED 3880 WebCompanionIn
0x7e0d6180 TCPv???.???:???.???:32815 CLOSED 2836 BitTorrent.exe
0x7e108100 TCPv???.???:???.???天1240 CLOSED 2836 BitTorrent.exe
0x7e124910 TCPv???.???:???.??? CLOSED 2836 BitTorrent.exe
0x7e14dcf0 TCPv???.???:???.???:11627 CLOSED 2836 BitTorrent.exe
0x7e18bcf0 TCPv???.???:???.???:21011 CLOSED 2836 BitTorrent.exe
0x7e1f7ab0 TCPv4 -:??? ???.??? CLOSED ???
0x7e48d9c0 UDPv6 fe80::b06b:a531:ec88:457f:1900 *:* 164 svchost.exe 2018-08-???:28:42 UTC+0000
0x7e4ad870 UDPv???.0.1:1900 *: * 164 svchost.exe 2018-08-???:28:42 UTC + 0000
0x7e511bb0 UDPv???.0.0:60005 *: * 620 svchost.exe 2018-08-???:34:22 UTC + 0000
0x7e5dc3b0 UDPv6 fe80 :: b06b: a531: ec88: 457f: 546 *: * 808 svchost.exe 2018-08-???:33:28 UTC + 0000
0x7e7469c0 UDPv???.0.0:50878 *: * 4076 chrome.exe 2018-08-???:30:39 UTC + 0000
0x7e7469c0 UDPv6 ::: 50878 *: * 4076 chrome.exe 2018-08-???:30:39 UTC + 0000
0x7e77cb00 UDPv???.0.0:50748 *: * 4076 chrome.exe 2018-08-???:30:07 UTC + 0000
0x7e77cb00 UDPv6 ::: 50748 *: * 4076 chrome.exe 2018-08-???:30:07 UTC + 0000
0x7e79f3f0 UDPv???.0.0. De3535 *: * 4076 chrome.exe 2018-08-???:29:35 UTC + 0000
0x7e7a0ec0 UDPv???.??? *: * 4076 chrome.exe 2018-08-???:29:35 UTC + 0000
0x7e7a0ec0 UDPv6 ::: 5353 *: * 4076 chrome.exe 2018-08-???:29:35 UTC + 0000
0x7e7a3960 UDPv???.0.0 Dive *: * 3880 WebCompanionIn 2018-08-???:33:30 UTC + 0000
0x7e7dd010 UDPv6 :: 1: 58340 *: * 164 svchost.exe 2018-08-???:28:42 UTC + 0000
0x7e413a40 TCPv4 -: 0 -: 0 CLOSED 708 LunarMS.exe
0x7e415010 TCPv???.???:???.???:10589 CLOSED 2836 BitTorrent.exe
0x7e4202d0 TCPv???.???:???.???:80 CLOSED 3880 WebCompanionIn
0x7e45f110 TCPv???.???:???.???:80 CLOSED 3880 WebCompanionIn
0x7e4cc910 TCPv??? ???.???:80 CLOSED 3880 WebCompanionIn
0x7e512950 TCPv??? ???.???:13905 CLOSED 2836 BitTorrent.exe
0x7e521b50 TCPv4 -: 0 -: 0 CLOSED 708 LunarMS.exe
0x7e5228d0 TCPv???.??? Low???.???Cl2727 CLOSED 2836 BitTorrent.exe
0x7e52f010 TCPv???.???:???.???:46392 CLOSED 2836 BitTorrent.exe
0x7e563860 TCPv???.???Cl???.???:25384 CLOSED 2836 BitTorrent.exe
0x7e572cf0 TCPv???.??? Low???.???:11627 CLOSED 2836 BitTorrent.exe
0x7e5d6cf0 TCPv???.???:???.???:49420 CLOSED 2836 BitTorrent.exe
0x7e71b010 TCPv???.???:???.???:6881 CLOSED 2836 BitTorrent.exe
0x7e71d010 TCPv???.???:???.???:1045 CLOSED 2836 BitTorrent.exe
0x7e74b010 TCPv???.???:???.??? Adjust6565 CLOSED 2836 BitTorrent.exe
0x7e78b7f0 TCPv???.???:???.???:80 CLOSED 3880 WebCompanionIn
0x7e7ae380 TCPv???.???:???.???:8999 CLOSED 2836 BitTorrent.exe
0x7e7b0380 TCPv6 -: ???: d418: 80fa: ffff: 4847: d418: 80fa: ffff: 0 CLOSED 2836 BitTorrent.exe
0x7e7b9010 TCPv???.???:???.???:25128 CLOSED 2836 BitTorrent.exe
0x7e94b010 TCPv???.???:???.???:13905 CLOSED 2836 BitTorrent.exe
0x7e9ad840 TCPv???.???:???.??? Adjust6299 CLOSED 2836 BitTorrent.exe
0x7e9bacf0 TCPv???.???:???.??? CLOSED 2836 BitTorrent.exe
0x7eaac5e0 TCPv???.???:???.???:80 CLOSED 3856 WebCompanion.e
0x7eab4cf0 TCPv4 -: ???.??? sublayn 2836 BitTorrent.exe
0x7fb9cec0 UDPv???.???:1900 *: * 164 svchost.exe 2018-08-???:28:42 UTC + 0000
0x7fb9d430 UDPv???.0.1:58341 *:* 164 svchost.exe 2018-08-???:28:42 UTC+0000

The IP ???.131 is found. Of course, this is the address on the local network; the external IP cannot be pulled from the dump, for that you need more than just the dump (the logs of the NAT gateway, for example). Now we get the computer name. For that it is enough to read the SYSTEM hive; note that ControlSet001 is usually, but not always, the active control set, and the Select\Current value in the same hive tells you which one it really is:
$ volatility -f OtterCTF.vmem --profile=Win7SP1x64 printkey -o 0xfffff8a000024010 -K 'ControlSet001\Control\ComputerName\ComputerName'
Volatility Foundation Volatility Framework ???
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \REGISTRY\MACHINE\SYSTEM
Key name: ComputerName (S)
Last updated: 2018-06-???:23:00 UTC+0000

Subkeys:

Values:
REG_SZ                        : (S) mnmsrvc
REG_SZ        ComputerName    : (S) WIN-LO6FAF3DTFE

Super, we have the computer name: WIN-LO6FAF3DTFE.

Play Time
The user likes to play old video games. Find the name of his favourite game and the IP address of its server.

Just look at the netscan output from the previous step and notice the odd process LunarMS.exe. Googling it confirms that this really is a video game. The IP address its connection goes to is right there in the same listing: ???.102.

Name game
We know that the user is logged in to the Lunar-3 channel. But what is the account name?

Since the user is logged in to this channel, the name should be sitting in the dump as plain text. We run strings and get the flag. Two practical notes: by default strings only reports ASCII, so for Windows UI text it is worth also running strings -el (16-bit little-endian) over the image, and on a noisy dump it is faster to first extract the process's own memory with memdump -p <pid> -D <dir> and search that:
$ strings OtterCTF.vmem | grep Lunar-3 -A 2 -B 3
disabled
mouseOver
keyFocused
Lunar-3
0tt3r8r33z3
Sound /UI.img /
c + Yt
tb + Y4c + Y
b + YLc + Y
Lunar-3
Lunar-4
L (dNVxdNV
Of all these lines the one that looks most like a flag is 0tt3r8r33z3. We try it, and indeed, that's it!

Silly Rick
Our user always forgets his password, so he uses a password manager and simply copies the right password when he needs to enter it. Maybe you can find something out?

Judging by the wording, we just need the contents of the clipboard. Volatility has an answer to this too, the clipboard plugin. We check and see the password:
$ volatility -f OtterCTF.vmem --profile=Win7SP1x64 clipboard
Volatility Foundation Volatility Framework ???
Session  WindowStation  Format             Handle         Object             Data
-------- -------------- ------------------ -------------- ------------------ ----------------
       1 WinSta0        CF_UNICODETEXT     0x602e3        0xfffff900c1ad93f0 M@il_Pr0vid0rs
       1 WinSta0        CF_TEXT            0x10           ------------------
       1 WinSta0        0x150133L          0x200000000000 ------------------
       1 WinSta0        CF_TEXT            0x1            ------------------
       1 -------------- ------------------ 0x150133       0xfffff900c1c1adc0

Hide and Seek
The reason the computer is so slow is a virus that has been sitting in the system for a long time. Can you find it? Be careful, you only have three attempts to submit this flag!

Well, if we have three attempts, we will be careful, as advised =)

First, get the list of all processes with pslist:
$ volatility -f OtterCTF.vmem --profile=Win7SP1x64 pslist
Volatility Foundation Volatility Framework ???
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------ ------ ------------------------------
0xfffffa8018d44740 System ??? 411 ------ ???-08-???:26:03 UTC + 0000
0xfffffa801947e4d0 smss.exe ??? 30 ------ ???-08-???:26:03 UTC + 0000
0xfffffa801a0c8380 csrss.exe ??? ??? 2018-08-???:26:10 UTC + 0000
0xfffffa80198d3b30 csrss.exe ??? ??? 2018-08-???:26:11 UTC + 0000
0xfffffa801a2ed060 wininit.exe ??? ??? 2018-08-???:26:11 UTC + 0000
0xfffffa801aaf4060 winlogon.exe ??? ???? 2018-08-???:26:11 UTC + 0000
0xfffffa801ab377c0 services.exe ??? ??? 2018-08-???:26:12 UTC + 0000
0xfffffa801ab3f060 lsass.exe ??? ??? 2018-08-???:26:12 UTC + 0000
0xfffffa801ab461a0 lsm.exe ??? ??? 2018-08-???:26:12 UTC + 0000
0xfffffa8018e3c890 svchost.exe ??? ??? 2018-08-???:26:16 UTC + 0000
0xfffffa801abbdb30 vmacthlp.exe ??? ??? 2018-08-???:26:16 UTC + 0000
0xfffffa801abebb30 svchost.exe ??? ??? 2018-08-???:26:17 UTC + 0000
0xfffffa801ac2e9e0 svchost.exe ??? ??? 2018-08-???:26:18 UTC + 0000
0xfffffa801ac31b30 svchost.exe ??? ??? 2018-08-???:26:18 UTC + 0000
0xfffffa801ac4db30 svchost.exe ??? ??? 2018-08-???:26:18 UTC + 0000
0xfffffa801ac753a0 audiodg.exe ??? ??? 2018-08-???:26:19 UTC + 0000
0xfffffa801ac97060 svchost.exe ??? ??? 2018-08-???:26:20 UTC + 0000
0xfffffa801acd37e0 svchost.exe ??? ??? 2018-08-???:26:21 UTC + 0000
0xfffffa801ad5ab30 spoolsv.exe ??? ??? 2018-08-???:26:22 UTC + 0000
0xfffffa801ad718a0 svchost.exe ??? ??? 2018-08-???:26:23 UTC + 0000
0xfffffa801ae0f630 VGAuthService. ??? ??? 2018-08-???:26:25 UTC + 0000
0xfffffa801ae92920 vmtoolsd.exe ??? ??? 2018-08-???:26:27 UTC + 0000
0xfffffa8019124b30 WmiPrvSE.exe ??? ??? 2018-08-???:26:39 UTC + 0000
0xfffffa801afe7800 svchost.exe ??? ??? 2018-08-???:26:42 UTC + 0000
0xfffffa801ae7f630 dllhost.exe ??? ??? 2018-08-???:26:42 UTC + 0000
0xfffffa801aff3b30 msdtc.exe ??? ??? 2018-08-???:26:43 UTC + 0000
0xfffffa801b112060 WmiPrvSE.exe ??? ??? 2018-08-???:26:51 UTC + 0000
0xfffffa801b1e9b30 taskhost.exe ??? ??? 2018-08-???:26:57 UTC + 0000
0xfffffa801b232060 sppsvc.exe ??? ??? 2018-08-???:26:58 UTC + 0000
0xfffffa801b1fab30 dwm.exe ??? ??? 2018-08-???:27:04 UTC + 0000
0xfffffa801b27e060 explorer.exe ??? ??? 2018-08-04 UT + 0000
0xfffffa801b1cdb30 vmtoolsd.exe ??? ??? 2018-08-???:27:06 UTC + 0000
0xfffffa801b290b30 BitTorrent.exe ??? ??? 2018-08-???:27:07 UTC + 0000
0xfffffa801b2f02e0 WebCompanion.e ??? -------- ???-08-???:27:07 UTC + ???-08-???:33:33 UTC + 0000
0xfffffa801b3aab30 SearchIndexer. ??? ??? 2018-08-???:27:14 UTC + 0000
0xfffffa801b4a7b30 bittorrentie.e ??? ??? 2018-08-???:27:19 UTC + 0000
0xfffffa801b4c9b30 bittorrentie.e ??? ??? 2018-08-???:27:21 UTC + 0000
0xfffffa801b5cb740 LunarMS.exe ??? ??? 2018-08-???:27:39 UTC + 0000
0xfffffa801988c2d0 PresentationFo ??? ??? 2018-08-???:27:52 UTC + 0000
0xfffffa801b603610 mscorsvw.exe ??? ??? 2018-08-???:28:42 UTC + 0000
0xfffffa801a6af9f0 svchost.exe ??? ??? 2018-08-???:28:42 UTC + 0000
0xfffffa801a6c2700 mscorsvw.exe ??? ??? 2018-08-???:28:43 UTC + 0000
0xfffffa801a6e4b30 svchost.exe ??? ??? 2018-08-???:28:44 UTC + 0000
0xfffffa801a4e3870 chrome.exe ??? ??? 2018-08-???:29:30 UTC + 0000
0xfffffa801a4eab30 chrome.exe ??? ??? 2018-08-???:29:30 UTC + 0000
0xfffffa801a502b30 chrome.exe ??? ??? 2018-08-???:29:31 UTC + 0000
0xfffffa801a4f7b30 chrome.exe ??? ??? 2018-08-???:29:32 UTC + 0000
0xfffffa801aa00a90 chrome.exe ??? ??? 2018-08-???:29:51 UTC + 0000
0xfffffa801a7f98f0 chrome.exe ??? ??? 2018-08-???:31:15 UTC + 0000
0xfffffa801b486b30 Rick And Morty ??? ??? 2018-08-???:32:55 UTC + 0000
0xfffffa801a4c5b30 vmware-tray.ex ??? ??? 2018-08-???:33:02 UTC + 0000
0xfffffa801b18f060 WebCompanionIn ??? ??? 2018-08-???:33:07 UTC + 0000
0xfffffa801a635240 chrome.exe ??? ??? 2018-08-???:33:38 UTC + 0000
0xfffffa801a5ef1f0 chrome.exe ??? ??? 2018-08-???:33:41 UTC + 0000
0xfffffa801b08f060 sc.exe ??? -------- ???-08-???:33:47 UTC + ???-08-???:33:48 UTC + 0000
0xfffffa801aeb6890 sc.exe ??? -------- ???-08-???:33:48 UTC + ???-08-???:33:48 UTC + 0000
0xfffffa801aa72b30 sc.exe ??? -------- ???-08-???:33:48 UTC + ???-08-???:33:48 UTC + 0000
0xfffffa801ac01060 sc.exe ??? -------- ???-08-???:33:49 UTC + ???-08-???:34:03 UTC + 0000
0xfffffa801aad1060 Lavasoft.WCAss ??? ??? 2018-08-04 UTC + 0000
0xfffffa801a6268b0 WebCompanion.e ??? ??? 2018-08-???:34:05 UTC + 0000
0xfffffa801b1fd960 notepad.exe ??? ??? 2018-08-???:34:10 UTC + 0000
0xfffffa801a572b30 cmd.exe ??? -------- ???-08-???:34:22 UTC + ???-08-???:34:22 UTC + 0000
0xfffffa801a6643d0 conhost.exe ??? ??? 2018-08-???:34:22 UTC+0000 ???-08-???:34:22 UTC+0000

Hmm, that is not very convenient to analyze. There is another plugin, pstree, which shows the processes as a tree (which, after all, is logical). One caveat for both: they walk the kernel's linked list of _EPROCESS structures, so a process that a rootkit has unlinked from the list will not appear; psscan and psxview cross-check that list against other sources and are the way to catch such hidden processes:
$ volatility -f OtterCTF.vmem --profile=Win7SP1x64 pstree
Name Pid PPid Thds Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
0xfffffa801b27e060: explorer.exe ??? ???-08-???:27:04 UTC + 0000
. 0xfffffa801b486b30: Rick And Morty ??? ???-08-???:32:55 UTC + 0000
0xfffffa801a4c5b30: vmware-tray.ex ??? ???-08-???:33:02 UTC + 0000
. 0xfffffa801b2f02e0: WebCompanion.e ??? ------ 2018-08-???:27:07 UTC + 0000
. 0xfffffa801a4e3870: chrome.exe ??? ???-08-???:29:30 UTC + 0000
0xfffffa801a4eab30: chrome.exe ??? ???-08-???:29:30 UTC + 0000
0xfffffa801a5ef1f0: chrome.exe ??? ???-08-???:33:41 UTC + 0000
0xfffffa801aa00a90: chrome.exe ??? ???-08-???:29:51 UTC + 0000
0xfffffa801a635240: chrome.exe ??? ???-08-???:33:38 UTC + 0000
0xfffffa801a502b30: chrome.exe ??? ???-08-???:29:31 UTC + 0000
0xfffffa801a4f7b30: chrome.exe ??? ???-08-???:29:32 UTC + 0000
0xfffffa801a7f98f0: chrome.exe ??? ???-08-???:31:15 UTC + 0000
. 0xfffffa801b5cb740: LunarMS.exe ??? ???-08-???:27:39 UTC + 0000
. 0xfffffa801b1cdb30: vmtoolsd.exe ??? ???-08-???:27:06 UTC + 0000
. 0xfffffa801b290b30: BitTorrent.exe ??? ???-08-???:27:07 UTC + 0000
0xfffffa801b4c9b30: bittorrentie.e ??? ???-08-???:27:21 UTC + 0000
0xfffffa801b4a7b30: bittorrentie.e ??? ???-08-???:27:19 UTC + 0000
0xfffffa8018d44740: System ??? ???-08-???:26:03 UTC + 0000
. 0xfffffa801947e4d0: smss.exe ??? ???-08-???:26:03 UTC + 0000
0xfffffa801a2ed060: wininit.exe ??? ???-08-???:26:11 UTC + 0000
. 0xfffffa801ab377c0: services.exe ??? ???-08-???:26:12 UTC + 0000
0xfffffa801afe7800: svchost.exe ??? ???-08-???:26:42 UTC + 0000
0xfffffa801ae92920: vmtoolsd.exe ??? ???-08-???:26:27 UTC + 0000
0xfffffa801a572b30: cmd.exe ??? ------ 2018-08-???:34:22 UTC + 0000
0xfffffa801ae0f630: VGAuthService. ??? ???-08-???:26:25 UTC + 0000
0xfffffa801abbdb30: vmacthlp.exe ??? ???-08-???:26:16 UTC + 0000
0xfffffa801aad1060: Lavasoft.WCAss ??? ???-08-???:33:49 UTC + 0000
0xfffffa801a6af9f0: svchost.exe ??? ???-08-???:28:42 UTC + 0000
0xfffffa801ac2e9e0: svchost.exe ??? ???-08-???:26:18 UTC + 0000
0xfffffa801ac753a0: audiodg.exe ??? ???-08-???:26:19 UTC + 0000
0xfffffa801ae7f630: dllhost.exe ??? ???-08-???:26:42 UTC+0000
0xfffffa801a6c2700: mscorsvw.exe ??? ???-08-???:28:43 UTC+0000
0xfffffa801b232060: sppsvc.exe ??? ???-08-???:26:58 UTC+0000
0xfffffa801abebb30: svchost.exe ??? ???-08-???:26:17 UTC+0000
0xfffffa801ad718a0: svchost.exe ??? ???-08-???:26:23 UTC+0000
0xfffffa801ac31b30: svchost.exe ??? ???-08-???:26:18 UTC+0000
0xfffffa801b1fab30: dwm.exe ??? ???-08-???:27:04 UTC+0000
0xfffffa801988c2d0: PresentationFo ??? ???-08-???:27:52 UTC+0000
0xfffffa801b603610: mscorsvw.exe ??? ???-08-???:28:42 UTC+0000
0xfffffa8018e3c890: svchost.exe ??? ???-08-???:26:16 UTC+0000
0xfffffa8019124b30: WmiPrvSE.exe ??? ???-08-???:26:39 UTC+0000
0xfffffa801b112060: WmiPrvSE.exe ??? ???-08-???:26:51 UTC+0000
0xfffffa801ad5ab30: spoolsv.exe ??? ???-08-???:26:22 UTC+0000
0xfffffa801ac4db30: svchost.exe ??? ???-08-???:26:18 UTC+0000
0xfffffa801a6e4b30: svchost.exe ??? ???-08-???:28:44 UTC+0000
0xfffffa801acd37e0: svchost.exe ??? ???-08-???:26:21 UTC+0000
0xfffffa801b1e9b30: taskhost.exe ??? ???-08-???:26:57 UTC+0000
0xfffffa801ac97060: svchost.exe ??? ???-08-???:26:20 UTC+0000
0xfffffa801b3aab30: SearchIndexer. ??? ???-08-???:27:14 UTC+0000
0xfffffa801aff3b30: msdtc.exe ??? ???-08-???:26:43 UTC+0000
. 0xfffffa801ab3f060: lsass.exe ??? ???-08-???:26:12 UTC+0000
. 0xfffffa801ab461a0: lsm.exe ??? ???-08-???:26:12 UTC+0000
0xfffffa801a0c8380: csrss.exe ??? ???-08-???:26:10 UTC+0000
. 0xfffffa801a6643d0: conhost.exe ??? ???-08-???:34:22 UTC+0000
0xfffffa80198d3b30: csrss.exe ??? ???-08-???:26:11 UTC+0000
0xfffffa801aaf4060: winlogon.exe ??? ???-08-???:26:11 UTC+0000
0xfffffa801b18f060: WebCompanion ??? ???-08-???:33:07 UTC+0000
. 0xfffffa801aa72b30: sc.exe ??? ------ 2018-08-???:33:48 UTC+0000
. 0xfffffa801aeb6890: sc.exe ??? ------ 2018-08-???:33:48 UTC+0000
. 0xfffffa801a6268b0: WebCompanion.e ??? ???-08-???:34:05 UTC+0000
. 0xfffffa801b08f060: sc.exe ??? ------ 2018-08-???:33:47 UTC+0000
. 0xfffffa801ac01060: sc.exe ??? ------ 2018-08-???:33:49 UTC+0000
0xfffffa801b1fd960: notepad.exe ??? ???-08-???:34:10 UTC+0000

Aha! There are suspicious entries:

0xfffffa801b486b30: Rick And Morty ??? ???-08-???:32:55 UTC+0000
0xfffffa801a4c5b30: vmware-tray.ex ??? ???-08-???:33:02 UTC+0000

As we can see, the process with PID 3820 ("Rick And Morty"; names are cut to 14 characters because the kernel's _EPROCESS.ImageFileName field is only 15 bytes) has spawned the process with PID 3720 (vmware-tray.ex). Reason enough to look at both. First we list the DLLs each process has loaded:
$ volatility -f OtterCTF.vmem --profile=Win7SP1x64 dlllist -p 3820
Volatility Foundation Volatility Framework ???
************************************************************************
Rick And Morty pid:   3820
Command line : "C:\Torrents\Rick And Morty season 1 download.exe"
Note: use ldrmodules for listing DLLs in Wow64 processes

Base                             Size          LoadCount Path
------------------ ------------------ ------------------ ----
0x0000000000400000            0x56000             0xffff C:\Torrents\Rick And Morty season 1 download.exe
0x00000000776f0000           0x1a9000             0xffff C:\Windows\SYSTEM32\ntdll.dll
0x0000000075210000            0x3f000                0x3 C:\Windows\SYSTEM32\wow64.dll
0x00000000751b0000            0x5c000                0x1 C:\Windows\SYSTEM32\wow64win.dll
0x00000000751a0000             0x8000                0x1 C:\Windows\SYSTEM32\wow64cpu.dll

So: an executable sitting in a torrents folder? Odd. Note that ntdll.dll and the wow64*.dll entries are not suspicious in themselves: every 32-bit process on 64-bit Windows loads exactly these loader stubs, and dlllist walks only the 64-bit PEB of a Wow64 process, which is why nothing else shows up (hence the plugin's hint to use ldrmodules for the real 32-bit module list). What matters here is the path. Let's get the DLL list for process 3720:
$ volatility -f OtterCTF.vmem --profile=Win7SP1x64 dlllist -p 3720
Volatility Foundation Volatility Framework ???
************************************************************************
vmware-tray.ex pid:   3720
Command line : "C:\Users\Rick\AppData\Local\Temp\RarSFX0\vmware-tray.exe"
Note: use ldrmodules for listing DLLs in Wow64 processes

Base                             Size          LoadCount Path
------------------ ------------------ ------------------ ----
0x0000000000ec0000            0x6e000             0xffff C:\Users\Rick\AppData\Local\Temp\RarSFX0\vmware-tray.exe
0x00000000776f0000           0x1a9000             0xffff C:\Windows\SYSTEM32\ntdll.dll
0x0000000075210000            0x3f000                0x3 C:\Windows\SYSTEM32\wow64.dll
0x00000000751b0000            0x5c000                0x1 C:\Windows\SYSTEM32\wow64win.dll
0x00000000751a0000             0x8000                0x1 C:\Windows\SYSTEM32\wow64cpu.dll

Now this is not normal at all: a binary called vmware-tray.exe running out of a RarSFX0 folder under the user's %TEMP% (the folder a self-extracting RAR archive unpacks into), started by a "download" executable from the torrents folder. So the first hypothesis is that this is exactly the ransomware we are looking for.
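The two dlllist listings above are short enough to eyeball, but on a real image there are hundreds of processes. The following Python script is an added example (not part of the original write-up and not a Volatility feature): it parses Volatility 2 dlllist text output and applies the two checks made by hand above, namely whether the command line points into a user-writable location such as %TEMP% or a downloads/torrents folder, and whether the listed modules are only the 64-bit loader stubs (ntdll.dll plus wow64*.dll), which is what dlllist shows for a Wow64 process and the cue to run ldrmodules. The sample text it scans is constructed from the two listings on this page plus a made-up svchost.exe entry, and the directory list is my own heuristic.

```python
import re

# Heuristic list of user-writable locations (assumption for this example, not a
# Volatility feature); a service or tray app starting from here deserves a look.
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\torrents\\",
                   "\\downloads\\", "\\users\\public\\")

# What dlllist shows for a Wow64 process when it walks only the 64-bit PEB:
# the image itself plus these four loader stubs and nothing else.
WOW64_STUBS = {"ntdll.dll", "wow64.dll", "wow64win.dll", "wow64cpu.dll"}

HEADER_RE = re.compile(r"^(?P<name>.+?)\s+pid:\s*(?P<pid>\d+)\s*$")
CMDLINE_RE = re.compile(r'^Command line\s*:\s*"?(?P<cmd>[^"]*)"?\s*$')
MODULE_RE = re.compile(r"^0x[0-9a-f]+\s+0x[0-9a-f]+\s+0x[0-9a-f]+\s+(?P<path>\S.*?)\s*$", re.I)


def parse_dlllist(text):
    """Turn Volatility 2 `dlllist` text into one dict per process."""
    procs, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            cur = {"name": m["name"], "pid": int(m["pid"]), "cmdline": "", "modules": []}
            procs.append(cur)
            continue
        if cur is None:
            continue
        m = CMDLINE_RE.match(line)
        if m:
            cur["cmdline"] = m["cmd"]
            continue
        m = MODULE_RE.match(line)
        if m:
            cur["modules"].append(m["path"])
    return procs


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(procs):
    """Return (pid, reason) findings for processes that deserve a closer look."""
    findings = []
    for p in procs:
        cmd = p["cmdline"].lower().replace("/", "\\")
        for d in SUSPICIOUS_DIRS:
            if d in cmd:
                findings.append((p["pid"], "image runs from user-writable directory %s" % d))
        mods = p["modules"]
        if len(mods) > 1:
            others = {basename(m) for m in mods[1:]}  # mods[0] is the image itself
            if others <= WOW64_STUBS:
                findings.append((p["pid"], "Wow64 process, only 64-bit loader stubs listed: run ldrmodules"))
    return findings


# Constructed sample: the two listings from this page plus a made-up svchost entry.
SAMPLE_DLLLIST = r"""
************************************************************************
Rick And Morty pid:   3820
Command line : "C:\Torrents\Rick And Morty season 1 download.exe"
Note: use ldrmodules for listing DLLs in Wow64 processes

Base                             Size          LoadCount Path
------------------ ------------------ ------------------ ----
0x0000000000400000            0x56000             0xffff C:\Torrents\Rick And Morty season 1 download.exe
0x00000000776f0000           0x1a9000             0xffff C:\Windows\SYSTEM32\ntdll.dll
0x0000000075210000            0x3f000                0x3 C:\Windows\SYSTEM32\wow64.dll
0x00000000751b0000            0x5c000                0x1 C:\Windows\SYSTEM32\wow64win.dll
0x00000000751a0000             0x8000                0x1 C:\Windows\SYSTEM32\wow64cpu.dll
************************************************************************
vmware-tray.ex pid:   3720
Command line : "C:\Users\Rick\AppData\Local\Temp\RarSFX0\vmware-tray.exe"
Note: use ldrmodules for listing DLLs in Wow64 processes

Base                             Size          LoadCount Path
------------------ ------------------ ------------------ ----
0x0000000000ec0000            0x6e000             0xffff C:\Users\Rick\AppData\Local\Temp\RarSFX0\vmware-tray.exe
0x00000000776f0000           0x1a9000             0xffff C:\Windows\SYSTEM32\ntdll.dll
0x0000000075210000            0x3f000                0x3 C:\Windows\SYSTEM32\wow64.dll
0x00000000751b0000            0x5c000                0x1 C:\Windows\SYSTEM32\wow64win.dll
0x00000000751a0000             0x8000                0x1 C:\Windows\SYSTEM32\wow64cpu.dll
************************************************************************
svchost.exe pid:    856
Command line : C:\Windows\system32\svchost.exe -k netsvcs

Base                             Size          LoadCount Path
------------------ ------------------ ------------------ ----
0x00000000ff890000             0xb000             0xffff C:\Windows\system32\svchost.exe
0x00000000776f0000           0x1a9000             0xffff C:\Windows\SYSTEM32\ntdll.dll
0x0000000077520000           0x11f000             0xffff C:\Windows\system32\kernel32.dll
"""

if __name__ == "__main__":
    for pid, reason in triage(parse_dlllist(SAMPLE_DLLLIST)):
        print(pid, reason)
```

On the sample both 3820 and 3720 are flagged for their location and for the Wow64 stub pattern, while the svchost.exe entry stays quiet; on a real image, feed it the output of `volatility ... dlllist` over all processes and treat the findings as a worklist, not a verdict.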
To get the binary into a decompiler, dump the process image from memory. The plugin that reconstructs the PE file and prints the table below is procdump:

$ volatility -f OtterCTF.vmem --profile=Win7SP1x64 procdump -p 3720 --dump-dir=%folder_where_save_dump%
Volatility Foundation Volatility Framework ???
Process(V)         ImageBase          Name                 Result
------------------ ------------------ -------------------- ------
0xfffffa801a4c5b30 0x0000000000ec0000 vmware-tray.ex       OK: executable.3720.exe

For the whole addressable memory of the process (heap, stacks, mapped data), which is what the string search in the Recovery task below needs, memdump with the same arguments writes 3720.dmp into the same directory.

Analysing such dumps has been described more than once on Habr and elsewhere, so I will not repeat it, all the more so because this ransomware is written in .NET and is easy to decompile. If you still need that part, say so in the comments and I will add it. For now I will just say that it really was the trojan we were after.

Bit 4 Bit and Graphics For The Weak
Find the address of the bitcoin wallet of the attacker who infected the computer with the virus! During the analysis in the previous section the address 1MmpEmebJkqXG8nQv4cjJSmxZQFVmFo63M is easy to spot in the binary's strings; it is the flag. In the same way the picture with the flag for the other task can be pulled out of the same binary, which is why I have grouped the two tasks together.

Recovery

The ransomware has encrypted the files. Help the user get access to them back! Strictly speaking this task is also about the binary, but I have put it in a separate section because it closely resembles a malware analyst's everyday work and it is worth showing the whole process. Open the binary and find the function CreatePassword. A function with that name is no accident:
public string CreatePassword(int length)
{
    StringBuilder stringBuilder = new StringBuilder();
    Random random = new Random();
    // Alphabet of letters, digits and a few punctuation characters; note that '&'
    // is listed twice, so it is picked slightly more often than the other symbols.
    const string alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890*!=&?&/";
    while (0 < length--)
    {
        stringBuilder.Append(alphabet[random.Next(alphabet.Length)]);
    }
    return stringBuilder.ToString();
}

As we can see, the password really is random. But now we know the alphabet abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890*!=&?&/ that every character of the password must come from. And where there is a function that creates a password, there should be a function that uses it somewhere :D

After a little scrolling we find it:
public void startAction()
{
    string password = this.CreatePassword(15);
    string str = "\\Desktop\\";
    string location = this.userDir + this.userName + str;
    this.SendPassword(password);       // the password leaves the host
    this.encryptDirectory(location, password);
    this.messageCreator();
}

Now we know something new: the password is 15 characters long, it is generated once per run, sent out (SendPassword) and then used to encrypt the user's Desktop. Since the process was still alive when the image was taken, that string should still be somewhere in its memory. Let's pull the strings out of the process dump and see right away how bad things are:
$ strings 3720.dmp > analyze.txt && wc -l analyze.txt
1589147 analyze.txt

Not bad. You could, of course, go through it by hand, but that is a bit much. One caveat before we start filtering: by default strings finds only single-byte text, whereas .NET keeps its strings in UTF-16, so a thorough pass also runs strings -el 3720.dmp; here the password happened to be present as a single-byte string as well, so the plain pass was enough. Let's apply some black magic!
$ grep -E '^.[abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890*!=&?&/]{14}$' analyze.txt | grep -vE 'Systems|Key|Java|Align|Driver|printer|MCLN|object|software|enough|Afd|enable|System|UUUU|Pos|SU|text|Body|Buffer|Length|match|Document|Un|On|tal|ing|ype|ign|Info|Instance|id32|p1|l1|File|Store|Selector|Available|Dll|Call|Make|maker|Init|Target|Put|Get|Requires|Column|0a1|0h1|0u1|0Z1|Params|resolve|0w1|0L1|0000000000000|Month|ByName|0000|000|2018|GUI|Command|long|status|Permission|IL|Il|Nil|web|NID|Runtime|es|Lower|Delayed|Transition|Bus|Flags|Image|Memory|Window|Loader|Manage|Class|Sink|Sys|Wow|MM|Create' | uniq | wc -l
2915

The command looks scary, but a moment's look makes it clear: the first grep keeps only lines of exactly 15 characters (any first character followed by 14 from the password alphabet), the second throws away everything containing a fragment of a known identifier, class or API name (uniq only collapses adjacent duplicates; sort -u would deduplicate globally). If it still isn't clear, say so in the comments and I will take it apart brick by brick. Meanwhile we have gone from one and a half million lines to a miserable three thousand. Let's see what these lines look like:
$ grep -E '^.[abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890*!=&?&/]{14}$' analyze.txt | grep -vE 'Systems|Key|Java|Align|Driver|printer|MCLN|object|software|enough|Afd|enable|System|UUUU|Pos|SU|text|Body|Buffer|Length|match|Document|Un|On|tal|ing|ype|ign|Info|Instance|id32|p1|l1|File|Store|Selector|Available|Dll|Call|Make|maker|Init|Target|Put|Get|Requires|Column|0a1|0h1|0u1|0Z1|Params|resolve|0w1|0L1|0000000000000|Month|ByName|0000|000|2018|GUI|Command|long|status|Permission|IL|Il|Nil|web|NID|Runtime|es|Lower|Delayed|Transition|Bus|Flags|Image|Memory|Window|Loader|Manage|Class|Sink|Sys|Wow|MM|Create' | uniq | less
444444440444444
66666FFFFFFFFFF
444444444444433
CLIPBRDWNDCLASS
utav4823DF041B0
aDOBofVYUNVnmp7
444444440444444
66666FFFFFFFFFF
444444444444433
ffnLffnLffnpffm
lemeneoepeqerep
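The grep pipeline above works, but it depends on a hand-tuned deny list, sees only single-byte strings, and leaves the ranking to the eye. The following Python script is an added example (not from the original write-up) that does the same search more generally, using what the decompiled CreatePassword and startAction told us: it pulls both ASCII and UTF-16LE printable runs out of a dump (the latter is how .NET stores its strings), keeps only runs of exactly 15 characters drawn from the password alphabet, drops obvious class and API names, and ranks what is left by Shannon entropy, since a uniformly random 15-character password has far more distinct symbols than the repeated-byte junk (444444440444444, 66666FFFFFFFFFF) that dominates the raw listing. The byte buffer it scans is constructed here from the candidate lines shown above plus a few UTF-16 .NET strings, not read from the real dump; the noise list and the entropy threshold are my assumptions. To run it on the real thing, pass open("3720.dmp", "rb").read() instead of SAMPLE_DUMP.

```python
import math
import re

# Alphabet from the decompiled CreatePassword() and the fixed length from startAction()
PASSWORD_LEN = 15
CANDIDATE = re.compile(r"^[A-Za-z0-9*!=&?/]{%d}$" % PASSWORD_LEN)

# Printable runs of at least 4 chars, like `strings` (ASCII) and `strings -el` (UTF-16LE)
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")

# Fragments of class/API names that happen to fit the length (assumed for this
# example; the article's grep -v list plays the same role, extend as the dump dictates)
NOISE = ("class", "wnd", "crypto", "system", "key", "0000")


def extract_strings(dump):
    """Yield (encoding, text) for every printable run in the buffer."""
    for m in ASCII_RUN.finditer(dump):
        yield "ascii", m.group().decode("ascii")
    for m in UTF16_RUN.finditer(dump):
        yield "utf-16le", m.group().decode("utf-16-le")


def shannon_entropy(s):
    """Bits per symbol: a random 15-char password scores roughly 3.7-3.9, junk far lower."""
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s))


def password_candidates(dump, min_entropy=3.2):
    """Return [(entropy, string, [encodings])] sorted best-first."""
    found = {}
    for enc, s in extract_strings(dump):
        if CANDIDATE.match(s) and not any(n in s.lower() for n in NOISE):
            found.setdefault(s, set()).add(enc)
    ranked = [(shannon_entropy(s), s, sorted(encs)) for s, encs in found.items()]
    ranked = [r for r in ranked if r[0] >= min_entropy]
    ranked.sort(key=lambda r: (-r[0], r[1]))
    return ranked


def _u16(s):
    return s.encode("utf-16-le")


# Constructed stand-in for 3720.dmp: the lines from the strings listing above plus
# a few UTF-16 .NET strings, separated by NUL padding.
SAMPLE_DUMP = b"\x00\x00".join([
    b"CLIPBRDWNDCLASS", b"444444440444444", b"66666FFFFFFFFFF",
    b"utav4823DF041B0", b"aDOBofVYUNVnmp7", b"ffnLffnLffnpffm",
    b"lemeneoepeqerep", b"b03f5f7f11d50a3a",
    _u16("ICryptoTransfor"), _u16("encryptDirectory"), _u16("aDOBofVYUNVnmp7"),
]) + b"\x00\x00"

if __name__ == "__main__":
    for entropy, s, encs in password_candidates(SAMPLE_DUMP):
        print("%.2f  %s  %s" % (entropy, s, ",".join(encs)))
```

On the constructed buffer only two lines survive, and the real key aDOBofVYUNVnmp7 ranks first, found in both encodings; the entropy cut-off is deliberately loose so that a genuine password is never thrown away, the point is the ordering, not an exact filter.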

Unfortunately I did not come up with an elegant solution here, so what follows is plain reasoning. As we remember from the reversing step, the binary contains the string b03f5f7f11d50a3a, the public key token of the Microsoft .NET Framework assemblies it references, which sits in memory next to the binary's own type and method names. Let's try to find it among our almost 3K lines, by hand or, better, not by hand at all :) For that we change the command slightly and look for 16-character lines this time:
$ grep -E '^.[abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890*!=&?&/]{15}$' analyze.txt | grep -vE 'Systems|Key|Java|Align|Driver|printer|MCLN|object|software|enough|Afd|enable|System|UUUU|Pos|SU|text|Body|Buffer|Length|match|Document|Un|On|tal|ing|ype|ign|Info|Instance|id32|p1|l1|File|Store|Selector|Available|Dll|Call|Make|maker|Init|Target|Put|Get|Requires|Column|0a1|0h1|0u1|0Z1|Params|resolve|0w1|0L1|0000000000000|Month|ByName|0000|000|2018|GUI|Command|long|status|Permission|IL|Il|Nil|web|ID|Runtime|es|Lower|Delayed|Transition|Bus|Flags|Image|Memory' | uniq | less
ssssssssssssssss
b03f5f7f11d50a3a
CryptoStreamMode
ContainerControl
ICryptoTransform
encryptDirectory
MSTaskListWClass
ssssssssssssssss
`ubugukupuvuxuzu
PAQARASATAUAVAWA
MRNRORPRQRRRSRTR
D!E!F!G!H!I!J!K!

So, judging by this output, the binary's own strings (the assembly public key token, CryptoStreamMode, ICryptoTransform, encryptDirectory) sit at the top of the listing, which means the password, a string the same binary created, should likewise be somewhere near the top of the previous output. There are not many lines up there that look like a key, and at this point one really has to resort to the ancient spell of brute force.

It is clear that not all the lines in our sample are keys; moreover, not all of them even look like one (the repeated-character lines can be dropped straight away), so the number of options shrinks further. Trying them in order, the second candidate, aDOBofVYUNVnmp7, turns out to be the key, and that is the flag.

Instead of a conclusion

Thank you for reading to the end. If there are mistakes or omissions, please write in the comments and I will try to fix everything. These are not all the tasks connected with this image; I am continuing with the series and will add new solutions as I go. I hope everyone took away something new. Also, if all goes well, after a while I will be able to set up a flag checker for these tasks, so the curious can try them themselves and, if something doesn't work out, look at my solutions. All the best :3