Hello dudes,
I hope this finds you well.
This is Ali Alaa, and this is my writeup for the RedLine challenge on the CyberDefenders platform.
This is a memory forensics challenge, and if you want to learn more about this topic you can try the RedLine challenge.
So, let's start…
General data about the image after running “windows.info”:
Kernel Base 0xf8076221a000
DTB 0x1ad000
Symbols file: … CDBE0A583-1.json.xz
Is64Bit True
IsPAE False
layer_name 0 WindowsIntel32e
memory_layer 1 FileLayer
KdVersionBlock 0xf80762e29398
Major/Minor 15.19041
MachineType 34404
KeNumberProcessors 4
SystemTime 2023-05-21 23:02:39
NtSystemRoot C:\Windows
NtProductType NtProductWinNt
NtMajorVersion 10
NtMinorVersion 0
PE MajorOperatingSystemVersion 10
PE MinorOperatingSystemVersion 0
PE Machine 34404
PE TimeDateStamp Wed Jun 28 04:14:26 1995
First Question: What is the name of the suspicious process?
I executed the volatility3 command
py.exe .\vol.py -f .\MemoryDump.mem windows.pslist
but it printed every process in no useful order, so I executed
py.exe .\vol.py -f .\MemoryDump.mem windows.pstree
and redirected the output to a text file so I could read it properly: every process comes with its PID and PPID, and the child PIDs are listed under their parent's PPID.
I went through every PPID with its child PIDs and found two suspicious processes.
Here we go, the answer is: oneetx.exe
Second Question: What is the child process name of the suspicious process?
I found it under the “oneetx.exe” parent process.
Here we go, the answer is: rundll32.exe
Third Question: What is the memory protection applied to the suspicious process memory region?
To find out which memory protection was used, I executed the malfind plugin.
*What malfind does is find suspicious VAD memory regions in a process that carry PAGE_EXECUTE_READWRITE memory protection.
py.exe .\vol.py -f .\MemoryDump.mem windows.malfind
Then I redirected the output to a text file.
Here we go, the answer is: PAGE_EXECUTE_READWRITE
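To make the malfind logic concrete, here is an added example (my own code, not part of the original writeup and not the plugin's source) that applies the same idea to a handful of constructed VAD records: a region is a candidate when it is private (not backed by a mapped file) and executable, and a candidate whose first bytes are an MZ header is the strongest signal of an image written into memory rather than loaded from disk. The oneetx.exe entry (PID 5896, PAGE_EXECUTE_READWRITE) follows the writeup; every address, the other processes and their bytes are invented for the example.

```python
from dataclasses import dataclass

# Protections that allow execution; malfind only cares about regions that can run code.
EXECUTABLE = {"PAGE_EXECUTE", "PAGE_EXECUTE_READ",
              "PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY"}


@dataclass
class VadRegion:
    pid: int
    process: str
    start: int
    end: int
    protection: str     # as printed in malfind's Protection column
    private: bool       # PrivateMemory flag: region is not backed by a mapped file
    first_bytes: bytes  # first bytes of the region, as malfind's Hexdump column shows them


def is_malfind_candidate(r):
    """Core malfind test (approximated here): private memory that is executable."""
    return r.private and r.protection in EXECUTABLE


def classify(r):
    """Rank a candidate: a PE header in private executable memory is the strongest signal."""
    if not is_malfind_candidate(r):
        return "ignore"
    if r.first_bytes[:2] == b"MZ":
        return "pe-in-private-memory"   # an image was written into memory, not mapped from disk
    if r.protection == "PAGE_EXECUTE_READWRITE":
        return "rwx-private"            # writable and executable: injected code, but also JIT regions
    return "exec-private"


def triage(regions):
    """Return (pid, process, start, protection, verdict) for every candidate region."""
    return [(r.pid, r.process, hex(r.start), r.protection, classify(r))
            for r in regions if is_malfind_candidate(r)]


# Constructed sample regions (assumed values, not taken from the image).
SAMPLE_REGIONS = [
    VadRegion(5896, "oneetx.exe", 0x400000, 0x42AFFF, "PAGE_EXECUTE_READWRITE", True,
              b"MZ\x90\x00\x03\x00\x00\x00"),
    VadRegion(6120, "rundll32.exe", 0x2A10000, 0x2A1FFFF, "PAGE_EXECUTE_READWRITE", True,
              b"\x48\x83\xec\x28\x48\x8b\x05"),
    VadRegion(900, "explorer.exe", 0x7FF600000000, 0x7FF6001FFFFF, "PAGE_EXECUTE_WRITECOPY", False,
              b"MZ\x90\x00\x03\x00\x00\x00"),        # file-backed image: normal, not reported
    VadRegion(624, "smss.exe", 0x1E0000, 0x1EFFFF, "PAGE_READWRITE", True,
              b"\x00\x00\x00\x00\x00\x00\x00\x00"),  # heap: writable but not executable
]

if __name__ == "__main__":
    for row in triage(SAMPLE_REGIONS):
        print(*row)
```

The file-backed explorer.exe image and the ordinary heap are dropped even though one has an MZ header and the other is writable; only private executable memory survives, which is why the plugin's hits deserve a look but still need confirmation (JIT compilers such as .NET also allocate RWX private memory).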
Fourth Question: What is the name of the process responsible for the VPN connection?
I saw a process called “tun2socks.exe”; I suspected it, guessed it is a tunnel to a socket, and ran “windows.pstree” to see its parent process. Here is what I found.
I tried to find out whether “outline” is a VPN or not, and here is what I found.
Here we go, the answer is: outline.exe
Fifth Question: What is the attacker’s IP address?
Here I executed “netscan” to list all connections:
py.exe .\vol.py -f .\MemoryDump.mem windows.netscan
When I executed the “pstree” plugin I found that this is the main process that started tun2socks.exe, and here is the IP related to the parent process.
Here we go, the answer is: 77.91.124.20
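The first, second and fifth questions all come down to the same two steps: rebuild the parent/child tree from pstree output and join netscan rows to their owning process. The following is an added example (my own code, not part of the original writeup or of volatility3) that parses constructed samples in the layout of both plugins' output and lists every connection to a globally routable peer together with the owner's ancestry. The oneetx.exe (PID 5896) → rundll32.exe and outline.exe → tun2socks.exe relationships and the 77.91.124.20 address follow the writeup; all other PIDs, offsets, local addresses and the 10.0.0.5 peer are placeholders.

```python
import ipaddress
import re

# Constructed sample in the layout of volatility3 "windows.pstree" output
# (first three columns: PID, PPID, ImageFileName; leading '*' marks depth).
PSTREE_SAMPLE = """\
PID      PPID   ImageFileName
4        0      System
624      4      smss.exe
900      880    explorer.exe
* 5896   900    oneetx.exe
** 6120  5896   rundll32.exe
* 3344   900    outline.exe
** 4012  3344   tun2socks.exe
"""

# Constructed sample in the layout of "windows.netscan" (Offset Proto LocalAddr
# LocalPort ForeignAddr ForeignPort State PID Owner Created); values are placeholders.
NETSCAN_SAMPLE = """\
Offset          Proto  LocalAddr     LocalPort  ForeignAddr   ForeignPort  State        PID   Owner          Created
0xc80b7a6c3010  TCPv4  192.168.1.10  49812      77.91.124.20  80           ESTABLISHED  5896  oneetx.exe     2023-05-21 22:58:10.000000
0xc80b7a6c5a20  TCPv4  192.168.1.10  49820      10.0.0.5      443          ESTABLISHED  4012  tun2socks.exe  2023-05-21 22:40:02.000000
0xc80b7a6c7f00  TCPv4  127.0.0.1     1080       0.0.0.0       0            LISTENING    4012  tun2socks.exe  2023-05-21 22:40:01.000000
"""

PROC_LINE = re.compile(r"^\**\s*(\d+)\s+(\d+)\s+(\S+)")


def parse_pstree(text):
    """Return {pid: (ppid, image_name)} from pstree/pslist-style output."""
    procs = {}
    for line in text.splitlines():
        m = PROC_LINE.match(line.strip())
        if m:
            procs[int(m.group(1))] = (int(m.group(2)), m.group(3))
    return procs


def children(procs, pid):
    """Image names of the direct children of pid (the second question)."""
    return sorted(name for ppid, name in procs.values() if ppid == pid)


def ancestry(procs, pid):
    """Walk PPID links upwards: 'child(pid) <- parent(pid) <- ...'."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)  # guard against PID reuse producing a cycle
        ppid, name = procs[pid]
        chain.append(f"{name}({pid})")
        pid = ppid
    return " <- ".join(chain)


def parse_netscan(text):
    """Return one dict per connection row; the header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 9 or not f[0].startswith("0x"):
            continue
        conns.append({"proto": f[1], "laddr": f[2], "lport": f[3], "faddr": f[4],
                      "fport": f[5], "state": f[6],
                      "pid": int(f[7]) if f[7].isdigit() else None, "owner": f[8]})
    return conns


def remote_connections(procs, conns):
    """Connections to globally routable peers, each with the owner's process ancestry."""
    out = []
    for c in conns:
        try:
            peer = ipaddress.ip_address(c["faddr"])
        except ValueError:      # netscan prints '*' or '-' when the peer is unknown
            continue
        if not peer.is_global:  # drops 0.0.0.0, loopback, RFC 1918 and link-local peers
            continue
        out.append((c["faddr"], c["fport"], c["pid"], ancestry(procs, c["pid"])))
    return out


if __name__ == "__main__":
    procs = parse_pstree(PSTREE_SAMPLE)
    print("children of 5896:", children(procs, 5896))
    for faddr, fport, pid, chain in remote_connections(procs, parse_netscan(NETSCAN_SAMPLE)):
        print(f"{faddr}:{fport} <- {chain}")
```

To use it on a real image, save the plugin output with `py.exe .\vol.py -f .\MemoryDump.mem windows.pstree > pstree.txt` (and the same for windows.netscan) and pass the file contents to the two parsers; the loopback listener and the private-range peer are filtered out so only connections worth pivoting on remain.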
Sixth Question: Based on the previous artifacts. What is the name of the malware family?
From the main title of the challenge I guessed it is related to RedLine stealer.
Here we go, the answer is: RedLine Stealer
Seventh Question: What is the full URL of the PHP file that the attacker visited?
After I dumped the process “oneetx.exe” (PID 5896) with this command
py.exe .\vol.py -f .\MemoryDump.mem -o dump windows.memmap --dump --pid 5896
here is what I found in it.
Here we go, the answer is: http://77.91.124.20/store/games/index.php
Eighth Question: What is the full path of the malicious executable?
From the same dumped “oneetx.exe” process I searched for the main process name, and here is what I found.
Here we go, the answer is: C:\Users\Tammam\AppData\Local\Temp\c3912af058\oneetx.exe
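Both the seventh and the eighth question are answered by carving strings out of the dumped process memory. Here is an added example (my own code, not part of the original writeup) that does what a strings search does but in one pass: it pulls printable runs in both plain ASCII and UTF-16LE (the encoding Windows uses for most paths) from a byte buffer and extracts URLs and Windows paths from them. The sample buffer is a constructed stand-in for a few bytes of the dump; the URL and the path in it are the ones the writeup reports, the rest is filler, and the `scan_file` helper name is my own.

```python
import mmap
import re

# Runs of printable characters: plain ASCII, and UTF-16LE (each ASCII byte followed by NUL).
ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")

URL_RE = re.compile(r"https?://[!-~]+")
WINPATH_RE = re.compile(r"[A-Za-z]:\\[^\x00-\x1f<>\"|?*\s]+")


def extract_strings(data):
    """Yield (offset, encoding, text) for every printable run in the buffer."""
    for m in ASCII_RUN.finditer(data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in WIDE_RUN.finditer(data):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")


def find_indicators(data):
    """Return (sorted unique URLs, sorted unique Windows paths) found in the bytes."""
    urls, paths = set(), set()
    for _, _, text in extract_strings(data):
        # strip trailing quotes/punctuation that often follow a string in memory
        urls.update(u.rstrip("\"')>.,;") for u in URL_RE.findall(text))
        paths.update(p.rstrip("\"')>.,;") for p in WINPATH_RE.findall(text))
    return sorted(urls), sorted(paths)


def scan_file(path):
    """Scan a process dump on disk (e.g. the pid.5896.dmp written by windows.memmap --dump)."""
    with open(path, "rb") as fh, mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return find_indicators(mm)


# Constructed stand-in for a few bytes of dumped oneetx.exe memory (assumed layout).
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"GET /store/games/index.php HTTP/1.1\r\nHost: 77.91.124.20\r\n\x00"
    + b"http://77.91.124.20/store/games/index.php\x00"
    + "C:\\Users\\Tammam\\AppData\\Local\\Temp\\c3912af058\\oneetx.exe".encode("utf-16-le")
    + b"\x00\x00" + b"\x90" * 8
)

if __name__ == "__main__":
    urls, paths = find_indicators(SAMPLE_DUMP)
    print("URLs:", urls)
    print("Paths:", paths)
```

The UTF-16LE pass matters in practice: a plain ASCII strings run over the dump shows the HTTP request text but misses the executable's own path, which the process stores as wide characters.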
Finally,
I hope you enjoyed this writeup ❤️.