RedLine CTF Writeup

Ali Alaa
4 min readJun 18, 2023

Hello dudes,
I hope to find you well.

This is Ali Alaa and this is RedLine writeup for CyberDefenders platform’s challenge.

This is a Memory forensics challenge and if you wanna find more about this topic you can try RedLine challenge.

So, lets start….

General data about image after run “windows.info

Kernel Base 0xf8076221a000
DTB 0x1ad000
Symbols file: — — — —
CDBE0A583–1.json.xz
Is64Bit True
IsPAE False
layer_name 0 WindowsIntel32e
memory_layer 1 FileLayer
KdVersionBlock 0xf80762e29398
Major/Minor 15.19041
MachineType 34404
KeNumberProcessors 4
SystemTime 2023–05–21 23:02:39
NtSystemRoot C:\Windows
NtProductType NtProductWinNt
NtMajorVersion 10
NtMinorVersion 0
PE MajorOperatingSystemVersion 10
PE MinorOperatingSystemVersion 0
PE Machine 34404
PE TimeDateStamp Wed Jun 28 04:14:26 1995

First Question: What is the name of the suspicious process?

I executed volatility3 command

py.exe .\vol.py -f .\MemoryDump.mem windows.pslist

but it gave all data in not well order way so, I executed

py.exe .\vol.py -f .\MemoryDump.mem windows.pstree

then I output data to external txt file to read it well as all process came with process id and parent process id and PIDs came under related PPID.

I analysis all PPID with all child PID and I found 2 are suspicious processes

parent suspicious process

Here we go, the answer is : oneetx.exe

Second Question: What is the child process name of the suspicious process?

I got it under “oneetx.exe ”parent process

child suspicious process

Here we go, the answer is : rundll32.exe

Third Question: What is the memory protection applied to the suspicious process memory region?

Here to know what protection memory used I executed malfind plugin.

*What malfind does is it finds a suspicious VAD memory region that has PAGE_EXECUTE_READWRITE memory protection in a process

py.exe .\vol.py -f .\MemoryDump.mem windows.malfind

then I output data to external txt file

malfind result

Here we go, the answer is : PAGE_EXECUTE_READWRITE

Forth Question: What is the name of the process responsible for the VPN connection?

I saw a process called “tun2socks.exe” I suspected it and guessed its a tunnel to socket and I run “windows.pstree” to see its parent process and here what I found

Process result

I tried to find out if “outline” is a VPN or not ?and here what I found

Outline VPN

Here we go, the answer is : outline.exe

Fifth Question: What is the attacker’s IP address?

Here I executed “netscan” to find all connections

py.exe .\vol.py -f .\MemoryDump.mem windows.netscan
main process

When I executed “pstree” plugin I found this is main process that initiated tun2socks.exe and here is the ip related to parent process.

Here we go, the answer is : 77.91.124.20

Sixth Question: Based on the previous artifacts. What is the name of the malware family?

From main title of challenge I guessed its related to redline stealer.

Here we go, the answer is : RedLine Stealer

Seventh Question: What is the full URL of the PHP file that the attacker visited?

After I dump process “oneetx.exe” with its PID 5896 with this command

py.exe .\vol.py -f .\MemoryDump.mem -o "dump "windows.memmap --dump --pid 5896

Here what I found in it

Visited URL

Here we go, the answer is : http://77.91.124.20/store/games/index.php

Eighth Question: What is the full path of the malicious executable?

From same dumped process “oneetx.exe” I searched for main process name in it and here what I found

Here we go, the answer is : C:\Users\Tammam\AppData\Local\Temp\c3912af058\oneetx.exe

At the end ,
I hope you enjoyed this writeup ❤️.

Stay in touch

LinkedIn

--

--