# RedLine Lab (CyberDefenders) by 0xF4y3d

![0xF4y3d](https://hackmd.io/_uploads/SkV--g1aC.png =200x)

- [Introduction](#Introduction)
- [Challenge](#Challenge)
- [Steps](#Steps)
- [Conclusion](#Conclusion)

## Introduction

:::info
Hello and welcome! This is Eng. Mohamed Fayed (<font color=#f00>0xf4y3d</font>) with a new write-up.
:::

:::warning
Be cautious, as we are about to dive into the world of Memory Forensics, uncovering malicious processes and actions hidden in volatile memory.
:::

:::danger
This challenge serves as an introduction to Memory Forensics, designed to help you understand the methodology and how to begin exploring the world of memory forensics. It's educational, so don't worry if you're new to this.
:::

## Challenge

:::info
[RedLine Lab Challenge - CyberDefenders](https://cyberdefenders.org/blueteam-ctf-challenges/redline/)
:::

:::warning
### Scenario:
As a member of the Blue Team, your mission is to analyze a memory dump using Redline and Volatility tools. Your objective is to trace the steps of an attacker on a compromised machine and identify how they managed to bypass the Network Intrusion Detection System (NIDS). You'll need to identify the malware family used in the attack and mitigate any traces or footprints left by the attacker.

### Tools:
- Volatility
:::

## Steps

- [General Routine](##Routine)
- [Q1](##Q1)
- [Q2](##Q2)
- [Q3](##Q3)
- [Q4](##Q4)
- [Q5](##Q5)
- [Q6](##Q6)
- [Q7](##Q7)
- [Q8](##Q8)

> For your knowledge: in this challenge we will be using the Volatility 3 framework, so if you haven't installed it, GO NOW AND INSTALL IT!!!!
> You can check the installation section in my [Notion page](https://mohamed-tarek-fayed.notion.site/Volatility3-797d1a60b8d34b158919ac1cff5a3011).
> Note that we will be using this page as a cheat sheet, and I will be updating it with the things I learn as I get more experienced in memory forensics.

### Routine

As I always try to do, I will cover the routine I follow when investigating a memory dump.

**Firstly**, I try to find out the version of the operating system I am working with:

```bash
python vol.py -f MemoryDump.mem windows.info
```

![image](https://hackmd.io/_uploads/rJH3zZypR.png)

Okay, from here we learn that:

1. It's a 64-bit operating system (`Is64Bit=True`).
2. The system time of the capture is `2023-05-21 23:02:39`, which can help us build a timeline.
3. The OS is Windows 10 (`NtMajorVersion=10`).

**Secondly**, I inspect the running processes: if there was malicious activity, it would most likely have a process running.

```bash
python vol.py -f MemoryDump.mem windows.pslist
```

We get these fields for each process:

- PID
- PPID
- ImageFileName
- Offset(V)
- Threads
- Handles
- SessionId
- Wow64
- CreateTime
- ExitTime
- File output

Well, I got a lot of processes and I couldn't catch the suspicious one.

**My next go-to would be pstree.** I try the pstree plugin to get a more detailed overview of the running processes, their hierarchy, and the processes spawned under each one.

```bash
python vol.py -f MemoryDump.mem windows.pstree
```

Well, we will find here a different view of the processes:

:::info
A process with no `*` before it and other processes with one or more `*` before them. So what does this mean?
:::

:::danger
The order of the 'PID' column is now sorted by a process and its associated child processes.
However, to make the visualization clearer for the user, each child process is assigned a `*` before its PID, and each subsequent child process receives an additional `*` prefixed to the PID.
:::

The other thing that is interesting here is the path of the process. Legitimate processes usually run from paths like:

- Windows\System32\

So I can invert my search to look for entries that don't have System32 in their path, as follows:

```bash
python vol.py -f MemoryDump.mem windows.pstree | grep -iv System32
```

and start inspecting the remaining processes, and the processes they spawn, for anything suspicious.

What is also interesting is that most malware processes you will find are running from Temp. So what I like to do is search for the entries that have ==Temp== in their path, as follows:

```bash
python vol.py -f MemoryDump.mem windows.pstree | grep -i temp
```

and investigate the output I get. And voila:

![image](https://hackmd.io/_uploads/S1A7GfJ60.png)

A process named ==oneetx.exe== pops up, so I search for it on Google:

![image](https://hackmd.io/_uploads/ByuvffyaR.png)

Yep, no need to dive deeper; this is definitely a malicious process.

Now let's see our questions.

### <font color="#AC19C9">Q1</font>

> What is the name of the suspicious process?

We got it through our routine check above.

:::spoiler Answer:
oneetx.exe
:::

### <font color="#AC19C9">Q2</font>

> What is the child process name of the suspicious process?

Now let's go back to the original output of pstree to see the process and its descendants:

![image](https://hackmd.io/_uploads/BypR4fyaR.png)

So rundll32.exe is the descendant process.

:::spoiler Answer:
rundll32.exe
:::

What we can also do is filter the output of pstree by the PIDs of the oneetx.exe process.
We already know from this image that the PIDs associated with it are 5480 and 5896:

![image](https://hackmd.io/_uploads/S1A7GfJ60.png)

So we can run this command:

```bash
python vol.py -f MemoryDump.mem windows.pstree --pid 5896 5480
```

![image](https://hackmd.io/_uploads/HyxZ8M1a0.png)

and we get the same result.

### <font color="#AC19C9">Q3</font>

> What is the memory protection applied to the suspicious process memory region?

The protection can be found with the malfind plugin, which displays a list of processes that Volatility suspects may contain injected code, based on the header information displayed in hex.

```bash
python vol.py -f MemoryDump.mem windows.malfind
```

![image](https://hackmd.io/_uploads/H147OMypA.png)

The protection field here is PAGE_EXECUTE_READWRITE. This means the region is executable, readable and writable, which is exactly what malware would need to write code into memory and then run it (RWX regions are a classic injection indicator, although malfind can also flag legitimate JIT-style allocations, so the region contents still deserve a look).

:::spoiler Answer:
PAGE_EXECUTE_READWRITE
:::

### <font color="#AC19C9">Q4</font>

> What is the name of the process responsible for the VPN connection?

Well, for this I am going to use the netscan plugin to scan the memory image for all network artifacts:

```bash
python vol.py -f MemoryDump.mem windows.netscan
```

After inspecting the connections for a while, I noticed a specific process that I thought "might be it":

![image](https://hackmd.io/_uploads/SkevsG1TA.png)

![image](https://hackmd.io/_uploads/S1Jcaf1pC.png)

So I searched for it and found the following from the first link:

![image](https://hackmd.io/_uploads/Sy0csGkTR.png)

So apparently it is associated with VPN services. So how about we look for it in pstree using its PID?

```bash
python vol.py -f MemoryDump.mem windows.pstree --pid 4628
```

![image](https://hackmd.io/_uploads/rJgV3fyaR.png)

It appears to be a child process of Outline.exe, which is our main process responsible for the VPN connection.

:::spoiler Answer:
Outline.exe
:::

### <font color="#AC19C9">Q5</font>

> What is the attacker's IP address?
Using the netscan plugin and filtering for the oneetx.exe process:

```bash
python vol.py -f MemoryDump.mem windows.netscan | grep oneetx
```

![image](https://hackmd.io/_uploads/B13Apfy6C.png)

So here is the IP it contacted!

:::spoiler Answer:
77.91.124.20
:::

### <font color="#AC19C9">Q6</font>

> Based on the previous artifacts. What is the name of the malware family?

As good practice, I submitted the IP to VirusTotal to check it:

![image](https://hackmd.io/_uploads/rJLmEXkaA.png)

Well, of course it is malicious, but I noticed an interesting piece of info:

![image](https://hackmd.io/_uploads/HyPINmJaA.png)

RedLine Stealer is a well-known malware family, and apparently it is the answer we are looking for in our question:

![image](https://hackmd.io/_uploads/B1or8Xy6C.png)

:::spoiler Answer:
redline stealer
:::

### <font color="#AC19C9">Q7</font>

> What is the full URL of the PHP file that the attacker visited?

The idea that came to my mind was that the PHP file visited must belong to the attacker's domain, so I searched the strings of the memory dump for entries containing the attacker's IP (the dots in the pattern are regex wildcards here, which is fine for a quick look; `grep -F` would match the literal address):

```terminal
strings MemoryDump.mem | grep 77.91.124.20
```

![image](https://hackmd.io/_uploads/BkXQY7y6A.png)

And voila, here is our URL:

:::spoiler Answer:
`http://77.91.124.20/store/games/index.php`
:::

### <font color="#AC19C9">Q8</font>

> What is the full path of the malicious executable?
As we saw at the very beginning, the path can be found with the pstree plugin as follows:

```terminal
python vol.py -f MemoryDump.mem windows.pstree
```

![image](https://hackmd.io/_uploads/By8597kT0.png)

And here is our path:

\Users\Tammam\AppData\Local\Temp\c3912af058\oneetx.exe

We just have to put the `C:` before it.

:::spoiler Answer:
C:\Users\Tammam\AppData\Local\Temp\c3912af058\oneetx.exe
:::

## Conclusion

Woaah, what a journey! So that settles it for us 😊😊😊

We have worked with Volatility to uncover the critical insights from the memory dump and get what we needed to identify our attacker and his malware.

This case is proof of the importance of memory forensics and its impact: any malicious activity must leave a trace in memory, so it is your job to find this trace and investigate it.

I hope you found this walk-through informative and engaging. If you have any questions or need further assistance, feel free to reach out. I'm always happy to help! 😊
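As an added example (my own code, not part of the original write-up or of Volatility), the script below automates the pstree triage from the Routine section: it parses tab-separated `windows.pstree` output, recovers the parent/child hierarchy from the `*` prefixes, applies the two path heuristics (not under System32, running from Temp), and answers Q2 and Q8 from a constructed sample. The sample rows, the extra processes (smss.exe, explorer.exe) and their PIDs/offsets are made up for the demo, and the Audit/Cmd/Path column layout is assumed from current Volatility 3 output.

```python
import re
from collections import namedtuple

# Constructed sample in the tab-separated layout of `windows.pstree` (Volatility 3
# QuickTextRenderer); names/PIDs mirror the lab, but this is not its real output.
SAMPLE = "\n".join([
    "PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId\tWow64\tCreateTime\tExitTime\tAudit\tCmd\tPath",
    "4\t0\tSystem\t0xe50a40a87040\t141\t-\tN/A\tFalse\t2023-05-21 22:55:08\tN/A\t-\t-\t-",
    "* 556\t4\tsmss.exe\t0xe50a43a8b040\t2\t-\tN/A\tFalse\t2023-05-21 22:55:08\tN/A\t-\t-\tC:\\Windows\\System32\\smss.exe",
    "4012\t3980\texplorer.exe\t0xe50a44a0c080\t60\t-\t1\tFalse\t2023-05-21 22:56:01\tN/A\t-\t-\tC:\\Windows\\explorer.exe",
    "* 5480\t4012\toneetx.exe\t0xe50a44c5a080\t3\t-\t1\tTrue\t2023-05-21 22:58:10\tN/A\t-\t-\t"
    "C:\\Users\\Tammam\\AppData\\Local\\Temp\\c3912af058\\oneetx.exe",
    "** 5896\t5480\trundll32.exe\t0xe50a44c7e080\t1\t-\t1\tTrue\t2023-05-21 22:58:11\tN/A\t-\t-\tC:\\Windows\\System32\\rundll32.exe",
])

# depth = number of leading '*', i.e. how deep the process sits under its ancestors
Proc = namedtuple("Proc", "depth pid ppid name path")

def parse_pstree(text):
    """Parse pstree rows; columns are located by the header, so column order may vary."""
    rows = [r for r in text.splitlines() if r.strip()]
    col = {name: i for i, name in enumerate(rows[0].split("\t"))}
    procs = []
    for row in rows[1:]:
        stars, rest = re.match(r"^(\**)\s*(.*)$", row).groups()  # strip the '*' prefix
        f = rest.split("\t")
        procs.append(Proc(len(stars), int(f[col["PID"]]), int(f[col["PPID"]]),
                          f[col["ImageFileName"]], f[col["Path"]]))
    return procs

def children_of(procs, pid):
    """Direct children of a PID (Q2): the '*'-prefixed rows right below it in pstree."""
    return [p.name for p in procs if p.ppid == pid]

def flag_paths(procs):
    """The two grep heuristics from the routine. A triage filter, not a verdict: legit
    processes like explorer.exe (C:\\Windows) or the kernel 'System' row are flagged too."""
    flagged = []
    for p in procs:
        low = p.path.lower()
        if "\\temp\\" in low:
            flagged.append((p.pid, p.name, "runs from Temp"))
        elif "\\windows\\system32\\" not in low:
            flagged.append((p.pid, p.name, "not under System32"))
    return flagged

def path_of(procs, name):
    """Full on-disk path(s) for an image name (Q8)."""
    return [p.path for p in procs if p.name.lower() == name.lower()]
```

To run it on a real dump, feed `parse_pstree` the text of `python vol.py -f MemoryDump.mem windows.pstree` instead of `SAMPLE`.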