search
Personal WebsiteGithubLinkedIn

Redline

circle-exclamation

Always open malware in a secure environment like a VM.

circle-info

We will be using the REMnuxarrow-up-right distribution which is specifically made for reverse engineering.

circle-info

For this challenge we will be using Volatility 3arrow-up-right.

hashtag

Q1. What is the name of the suspicious process?

  • Once we have downloaded the file, we can analyse it using volatility.

  • Let's begin by searching for malicious processes using the windows.malfind plugin.

$ volatility3-2.4.1/vol.py -f MemoryDump.mem windows.malfind
Volatility 3 Framework 2.4.1
Progress:  100.00               PDB scanning finished                                                                                              
PID     Process Start VPN       End VPN Tag     Protection      CommitCharge    PrivateMemory   File output     Hexdump Disasm

5896    oneetx.exe      0x400000        0x437fff        VadS    PAGE_EXECUTE_READWRITE  56      1       Disabled
4d 5a 90 00 03 00 00 00 MZ......
04 00 00 00 ff ff 00 00 ........
b8 00 00 00 00 00 00 00 ........
40 00 00 00 00 00 00 00 @.......
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 01 00 00 ........        4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00
7540    smartscreen.ex  0x2505c140000   0x2505c15ffff   VadS    PAGE_EXECUTE_READWRITE  1       1       Disabled
48 89 54 24 10 48 89 4c H.T$.H.L
24 08 4c 89 44 24 18 4c $.L.D$.L
89 4c 24 20 48 8b 41 28 .L$.H.A(
48 8b 48 08 48 8b 51 50 H.H.H.QP
48 83 e2 f8 48 8b ca 48 H...H..H
b8 60 00 14 5c 50 02 00 .`..\P..
00 48 2b c8 48 81 f9 70 .H+.H..p
0f 00 00 76 09 48 c7 c1 ...v.H..        48 89 54 24 10 48 89 4c 24 08 4c 89 44 24 18 4c 89 4c 24 20 48 8b 41 28 48 8b 48 08 48 8b 51 50 48 83 e2 f8 48 8b ca 48 b8 60 00 14 5c 50 02 00 00 48 2b c8 48 81 f9 70 0f 00 00 76 09 48 c7 c1

  • There are two processes namely oneetx.exe and smartscreen.ex.

  • oneetx.exe is a malicious process, related to Amadey dropper malware.

hashtag

Q2. What is the child process name of the suspicious process?

  • We can check the child process using the pslist plugin and then grep for 5896.

  • We can see that the rundll32.exe process has the process id of oneetx.exe as it's ppid.

hashtag

Q3. What is the memory protection applied to the suspicious process memory region?

  • This already found this when we used the malfind plugin.

hashtag

Q4. What is the name of the process responsible for the VPN connection?

  • Let's look at all the running processes.

  • The tun2socket.exe is responsible for making VPN connections. It's parent has the pid of 6724.

hashtag

Q5. What is the attacker's IP address?

  • We can use netscan plugin to scan for network artifacts.

  • The oneetx.exe process has the foreign address of 77.91.124.20.

hashtag

Q6. Based on the previous artifacts. What is the name of the malware family?

  • If we search up the IP address that we found, we can get information including the name and delivery method.

hashtag

Q7. What is the full URL of the PHP file that the attacker visited?

  • Let's dump all the strings into a text file.

hashtag

Q8. What is the full path of the malicious executable?

  • To get the full path, we can use the filescan plugin.

Last updated