BlackEnergy

We will be using the REMnux distribution, a Linux distribution built specifically for malware analysis and reverse engineering.

For this challenge we will use both Volatility 2 and Volatility 3.

Q1. Which volatility profile would be best for this machine?

We can find the correct profile using the kdbgscan plugin.

$ volatility_2.5.linux.standalone/volatility_2.5_linux_x64 -f CYBERDEF-567078-20230213-171333.raw kdbgscan 
Volatility Foundation Volatility Framework 2.5
**************************************************
Instantiating KDBG using: Kernel AS WinXPSP2x86 (5.1.0 32bit)
Offset (V)                    : 0x8054cde0
Offset (P)                    : 0x54cde0
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): WinXPSP3x86
Version64                     : 0x8054cdb8 (Major: 15, Minor: 2600)
Service Pack (CmNtCSDVersion) : 3
Build string (NtBuildLab)     : 2600.xpsp.080413-2111
PsActiveProcessHead           : 0x80561358 (25 processes)
PsLoadedModuleList            : 0x8055b1c0 (104 modules)
KernelBase                    : 0x804d7000 (Matches MZ: True)
Major (OptionalHeader)        : 5
Minor (OptionalHeader)        : 1
KPCR                          : 0xffdff000 (CPU 0)

**************************************************
Instantiating KDBG using: Kernel AS WinXPSP2x86 (5.1.0 32bit)
Offset (V)                    : 0x8054cde0
Offset (P)                    : 0x54cde0
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): WinXPSP2x86
Version64                     : 0x8054cdb8 (Major: 15, Minor: 2600)
Service Pack (CmNtCSDVersion) : 3
Build string (NtBuildLab)     : 2600.xpsp.080413-2111
PsActiveProcessHead           : 0x80561358 (25 processes)
PsLoadedModuleList            : 0x8055b1c0 (104 modules)
KernelBase                    : 0x804d7000 (Matches MZ: True)
Major (OptionalHeader)        : 5
Minor (OptionalHeader)        : 1
KPCR                          : 0xffdff000 (CPU 0)

Answer

Q2. How many processes were running when the image was acquired?

The pslist plugin lists out the processes of a system.

There are 25 processes in total. Six of them have 0 threads, which means those six had already exited when the image was taken; their EPROCESS structures are still linked into the active process list, so pslist still shows them.

So, the number of processes that were actually running is 25 - 6 = 19.

Answer

Q3. What is the process ID of cmd.exe?

We can grep the pslist output for cmd.exe to get its PID.
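The counting and the lookup above are easy to script. The following is an added example, not part of the original writeup: it parses text in the layout of Volatility 2's pslist output, counts processes whose thread count is non-zero (the ones that were still running), lists the exited ones, and looks up a PID by process name. The sample rows are constructed for this example; the names, PIDs and timestamps are made up and are not values from the challenge image.

```python
from typing import Dict, List

# Constructed sample in the layout of Volatility 2's pslist output.
# Names, PIDs, offsets and timestamps are made up for this example.
SAMPLE_PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c89c8 System                    4      0     53      240 ------      0
0x81f1d6b0 smss.exe                348      4      3       19 ------      0 2023-02-13 17:01:02 UTC+0000
0x81e6e020 wuauclt.exe            1004    676      0        0      0      0 2023-02-13 17:01:05 UTC+0000   2023-02-13 17:05:40 UTC+0000
0x81ea0da0 explorer.exe           1484   1460     17      442      0      0 2023-02-13 17:01:09 UTC+0000
0x81d9a9e8 notepad.exe            2012   1484      0        0      0      0 2023-02-13 17:08:12 UTC+0000   2023-02-13 17:09:00 UTC+0000
"""


def parse_pslist(text: str) -> List[Dict]:
    """Turn pslist text rows into dicts. Header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not line.startswith("0x"):
            continue  # only data rows begin with the virtual offset
        f = line.split()
        rows.append({
            "offset": f[0],
            "name": f[1],
            "pid": int(f[2]),
            "ppid": int(f[3]),
            "threads": int(f[4]),
            "handles": int(f[5]),
            # Start/Exit are "YYYY-MM-DD HH:MM:SS UTC+0000", i.e. three tokens each
            "start": " ".join(f[8:11]) if len(f) >= 11 else "",
            "exit": " ".join(f[11:14]) if len(f) >= 14 else "",
        })
    return rows


def summarize(text: str) -> Dict:
    """Count processes; a process with 0 threads has exited but is still linked."""
    rows = parse_pslist(text)
    exited = [r["name"] for r in rows if r["threads"] == 0]
    return {
        "total": len(rows),
        "running": len(rows) - len(exited),
        "exited": exited,
    }


def find_pids(rows: List[Dict], name: str) -> List[int]:
    """Equivalent of grepping pslist for a process name (case-insensitive)."""
    return [r["pid"] for r in rows if r["name"].lower() == name.lower()]


if __name__ == "__main__":
    summary = summarize(SAMPLE_PSLIST)
    print(f"total={summary['total']} running={summary['running']} exited={summary['exited']}")
    print("explorer.exe PIDs:", find_pids(parse_pslist(SAMPLE_PSLIST), "explorer.exe"))
```

Feeding the real pslist output in is a matter of replacing SAMPLE_PSLIST with the file contents; the thread-count rule is the same one applied by hand above.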

Answer

Q4. What is the name of the most suspicious process?

We can identify rootkit.exe as the suspicious process, both because of its name and because its child process is cmd.exe.

Answer

Q5. Which process shows the highest likelihood of code injection?

Let's look for malicious processes using the malfind plugin.

We can dump the output into a file.

The md5sum command gives us the MD5 hash of the file.

Let's search this hash in VirusTotal.

The VirusTotal results flag the dumped section, confirming that this process was the target of DLL injection.
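The malfind step above (find the injected region, dump it, hash it for a VirusTotal lookup) can be scripted so that the triage is repeatable. This is an added example and not code from the original writeup: it parses text in the layout of Volatility 2's malfind output, reconstructs the bytes from the hexdump, flags regions that are executable and start with an MZ header (a PE image mapped into private memory is the classic injected-DLL signature), and hashes the bytes the same way md5sum hashes the dumped file. The sample output is constructed; the process names, PIDs, addresses and bytes are made up and are not values from the challenge image.

```python
import hashlib
import re
from typing import Dict, List

# Constructed sample in the layout of Volatility 2's malfind text output.
# Process names, PIDs, addresses and bytes are made up for this example.
SAMPLE_MALFIND = """\
Process: explorer.exe Pid: 1484 Address: 0x1460000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x01460000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............
0x01460010  b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00   ........@.......

Process: svchost.exe Pid: 1004 Address: 0x7f0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x007f0000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x007f0010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
"""

HEADER_RE = re.compile(r"^Process: (\S+) Pid: (\d+) Address: (0x[0-9a-fA-F]+)$")
PROT_RE = re.compile(r"Protection: (\S+)")


def _hex_bytes(line: str) -> bytes:
    """Recover the (up to 16) bytes from one hexdump line; stop at the ASCII column."""
    out = []
    for tok in line.split()[1:17]:
        if not re.fullmatch(r"[0-9a-f]{2}", tok):
            break
        out.append(int(tok, 16))
    return bytes(out)


def parse_malfind(text: str) -> List[Dict]:
    """Group malfind output into one record per reported region."""
    regions: List[Dict] = []
    cur = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = {"process": m.group(1), "pid": int(m.group(2)),
                   "address": int(m.group(3), 16),  # base address of the region
                   "protection": "", "data": b""}
            regions.append(cur)
        elif cur is not None and line.startswith("Vad Tag:"):
            p = PROT_RE.search(line)
            cur["protection"] = p.group(1) if p else ""
        elif cur is not None and line.startswith("0x"):
            cur["data"] += _hex_bytes(line)
    return regions


def triage(regions: List[Dict]) -> List[Dict]:
    """Keep executable regions whose first bytes are a PE 'MZ' header."""
    flagged = []
    for r in regions:
        r["has_mz"] = r["data"][:2] == b"MZ"
        r["executable"] = "EXECUTE" in r["protection"]
        if r["has_mz"] and r["executable"]:
            flagged.append(r)
    return flagged


def hash_bytes(data: bytes) -> Dict[str, str]:
    """MD5 (what md5sum prints) plus SHA-256, both usable for a VirusTotal lookup."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def hash_dump_file(path: str) -> Dict[str, str]:
    """Hash a file written by 'malfind -D', e.g. process.0x....dmp."""
    with open(path, "rb") as fh:
        return hash_bytes(fh.read())


if __name__ == "__main__":
    for r in triage(parse_malfind(SAMPLE_MALFIND)):
        h = hash_bytes(r["data"])
        print(f"{r['process']} (pid {r['pid']}) base=0x{r['address']:08x} "
              f"{r['protection']} md5={h['md5']}")
```

Only the first 16 bytes per line that malfind prints are available from the text output, so hash_bytes over the parsed data is a demonstration; for the real VirusTotal lookup, hash the file produced by malfind -D with hash_dump_file, which is what md5sum does.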

Answer

Q6. There is an odd file referenced in the recent process. Provide the full path of that file.

The handles plugin gives us the open handles in a process including the files.

We can also check the strings in the file that we saved earlier.

Answer

Q7. What is the name of the injected dll file loaded from the recent process?

The ldrmodules plugin can be used to list the loaded modules (DLLs) in a process, and it can also be used to detect unlinked/hidden DLLs.

The output has three columns, InLoad, InInit and InMem, one for each of the PEB's module lists (InLoadOrderModuleList, InInitializationOrderModuleList and InMemoryOrderModuleList). A module that was loaded normally appears in all three; the process's own executable is normally missing only from InInit, so a single False there is not suspicious on its own. A module that is absent from all three lists but still has a mapped file (the MappedPath column comes from the VAD, not the PEB) has been unlinked from the loader lists, which is what injected or hidden DLLs do.

The msxml3r.dll entry shows False in all three lists. That makes it the most suspicious module.
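Checking all three columns by eye gets tedious for a process with a hundred modules, so here is an added example (not code from the original writeup) that applies the rule above mechanically: it parses text in the layout of Volatility 2's ldrmodules output and reports modules that are absent from all three PEB lists or have no backing file, while leaving alone the process image, which is normally missing from InInit only. The rows are constructed for this example; the PID, base addresses and the module name example_unlinked.dll are made up and are not values from the challenge image.

```python
from typing import Dict, List

# Constructed sample in the layout of Volatility 2's ldrmodules output.
# PID, bases and paths are made up; example_unlinked.dll is a placeholder name.
SAMPLE_LDRMODULES = """\
Pid      Process              Base       InLoad InInit InMem MappedPath
-------- -------------------- ---------- ------ ------ ----- ----------
    1004 svchost.exe          0x01000000 True   False  True  \\WINDOWS\\system32\\svchost.exe
    1004 svchost.exe          0x7c900000 True   True   True  \\WINDOWS\\system32\\ntdll.dll
    1004 svchost.exe          0x7c800000 True   True   True  \\WINDOWS\\system32\\kernel32.dll
    1004 svchost.exe          0x10000000 False  False  False \\WINDOWS\\system32\\example_unlinked.dll
    1004 svchost.exe          0x00380000 False  False  False
"""


def parse_ldrmodules(text: str) -> List[Dict]:
    """Parse data rows; MappedPath may be empty, so split into at most 7 fields."""
    rows = []
    for line in text.splitlines():
        f = line.split(None, 6)
        if len(f) < 6 or not f[0].isdigit():
            continue  # header / separator
        rows.append({
            "pid": int(f[0]),
            "process": f[1],
            "base": int(f[2], 16),
            "inload": f[3] == "True",
            "ininit": f[4] == "True",
            "inmem": f[5] == "True",
            "path": f[6].strip() if len(f) > 6 else "",
        })
    return rows


def find_unlinked(rows: List[Dict]) -> List[Dict]:
    """Flag modules hidden from the loader lists or lacking a file mapping.

    The process image itself (InInit False, others True) is not flagged: that
    pattern is normal and only an all-False row indicates an unlinked module.
    """
    hits = []
    for r in rows:
        reasons = []
        if not (r["inload"] or r["ininit"] or r["inmem"]):
            reasons.append("unlinked from InLoad/InInit/InMem")
        if not r["path"]:
            reasons.append("no MappedPath (not file-backed)")
        if reasons:
            hits.append({**r, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for h in find_unlinked(parse_ldrmodules(SAMPLE_LDRMODULES)):
        print(f"pid {h['pid']} base=0x{h['base']:08x} "
              f"path={h['path'] or '<none>'} :: {'; '.join(h['reasons'])}")
```

A module with a path but no list entries is the unlinked-DLL case from the question; an all-False row with no path is usually a private allocation with no file behind it, which is the same thing malfind looks for, so the two plugins corroborate each other.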

Answer

Q8. What is the base address of the injected dll?

We already found this in Q5: the Address field in the malfind output for that process is the base address of the injected DLL.

Answer
