# Redline

{% hint style="warning" %}
Always open malware in a secure environment like a VM.
{% endhint %}

{% hint style="info" %}
We will be using the [REMnux](https://remnux.org/) distribution which is specifically made for reverse engineering.
{% endhint %}

{% hint style="info" %}
For this challenge we will be using [Volatility 3](https://www.volatilityfoundation.org/releases-vol3).
{% endhint %}

##

> Q1. What is the name of the suspicious process?

* Once we have downloaded the file, we can analyse it using `volatility`.
* Let's begin by searching for malicious processes using the `windows.malfind` plugin.

```
$ volatility3-2.4.1/vol.py -f MemoryDump.mem windows.malfind
Volatility 3 Framework 2.4.1
Progress:  100.00               PDB scanning finished                                                                                              
PID     Process Start VPN       End VPN Tag     Protection      CommitCharge    PrivateMemory   File output     Hexdump Disasm

5896    oneetx.exe      0x400000        0x437fff        VadS    PAGE_EXECUTE_READWRITE  56      1       Disabled
4d 5a 90 00 03 00 00 00 MZ......
04 00 00 00 ff ff 00 00 ........
b8 00 00 00 00 00 00 00 ........
40 00 00 00 00 00 00 00 @.......
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 01 00 00 ........        4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00
7540    smartscreen.ex  0x2505c140000   0x2505c15ffff   VadS    PAGE_EXECUTE_READWRITE  1       1       Disabled
48 89 54 24 10 48 89 4c H.T$.H.L
24 08 4c 89 44 24 18 4c $.L.D$.L
89 4c 24 20 48 8b 41 28 .L$.H.A(
48 8b 48 08 48 8b 51 50 H.H.H.QP
48 83 e2 f8 48 8b ca 48 H...H..H
b8 60 00 14 5c 50 02 00 .`..\P..
00 48 2b c8 48 81 f9 70 .H+.H..p
0f 00 00 76 09 48 c7 c1 ...v.H..        48 89 54 24 10 48 89 4c 24 08 4c 89 44 24 18 4c 89 4c 24 20 48 8b 41 28 48 8b 48 08 48 8b 51 50 48 83 e2 f8 48 8b ca 48 b8 60 00 14 5c 50 02 00 00 48 2b c8 48 81 f9 70 0f 00 00 76 09 48 c7 c1                               
```

* There are two processes namely `oneetx.exe` and `smartscreen.ex`.
* `oneetx.exe` is a malicious process, related to Amadey dropper malware.

##

> Q2. What is the child process name of the suspicious process?

* We can check the child process using the `pslist` plugin and then `grep` for 5896.

```
$ volatility3-2.4.1/vol.py -f MemoryDump.mem windows.pslist | grep "5896"
PID     PPID    ImageFileName   Offset(V)       Threads Handles SessionId       Wow64   CreateTime      ExitTime        File output
5896    8844    oneetx.exe      0xad8189b41080  5       -       1       True    2023-05-21 22:30:56.000000      N/A     Disabled
7732    5896    rundll32.exe    0xad818d1912c0  1       -       1       True    2023-05-21 22:31:53.000000      N/A     Disabled
```

* We can see that the `rundll32.exe` process has the process id of `oneetx.exe` as it's `ppid`.

##

> Q3. What is the memory protection applied to the suspicious process memory region?

* This already found this when we used the `malfind` plugin.

```
$ volatility3-2.4.1/vol.py -f MemoryDump.mem windows.malfind
Volatility 3 Framework 2.4.1
Progress:  100.00               PDB scanning finished                                                                                              
PID     Process Start VPN       End VPN Tag     Protection      CommitCharge    PrivateMemory   File output     Hexdump Disasm

5896    oneetx.exe      0x400000        0x437fff        VadS    PAGE_EXECUTE_READWRITE  56      1       Disabled
4d 5a 90 00 03 00 00 00 MZ......
04 00 00 00 ff ff 00 00 ........
b8 00 00 00 00 00 00 00 ........
40 00 00 00 00 00 00 00 @.......
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 01 00 00 ........        4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00
```

##

> Q4. What is the name of the process responsible for the VPN connection?

* Let's look at all the running processes.

```
└─$ volatility3-2.4.1/vol.py -f MemoryDump.mem windows.pstree              
Volatility 3 Framework 2.4.1
Progress:  100.00               PDB scanning finished                        
PID     PPID    ImageFileName   Offset(V)       Threads Handles SessionId       Wow64   CreateTime      ExitTime

--snip--;
*** 6724        3580    Outline.exe     0xad818e578080  0       -       1       True    2023-05-21 22:36:09.000000      2023-05-21 23:01:24.000000 
**** 4224       6724    Outline.exe     0xad818e88b080  0       -       1       True    2023-05-21 22:36:23.000000      2023-05-21 23:01:24.000000 
**** 4628       6724    tun2socks.exe   0xad818de82340  0       -       1       True    2023-05-21 22:40:10.000000      2023-05-21 23:01:24.000000 
--snip--;
```

* The `tun2socket.exe` is responsible for making VPN connections. It's parent has the `pid` of 6724.

##

> Q5. What is the attacker's IP address?

* We can use `netscan` plugin to scan for network artifacts.

```
$ volatility3-2.4.1/vol.py -f MemoryDump.mem windows.netscan | grep -i "oneetx.exe"
Progress:  100.00               PDB scanning finished                     
Offset  Proto   LocalAddr       LocalPort       ForeignAddr     ForeignPort     State   PID     Owner   Created

0xad818de4aa20  TCPv4   10.0.85.2       55462   77.91.124.20    80      CLOSED  5896    oneetx.exe      2023-05-21 23:01:22.000000 
0xad818e4a6900  UDPv4   0.0.0.0 0       *       0               5480    oneetx.exe      2023-05-21 22:39:47.000000 
0xad818e4a6900  UDPv6   ::      0       *       0               5480    oneetx.exe      2023-05-21 22:39:47.000000 
0xad818e4a9650  UDPv4   0.0.0.0 0       *       0               5480    oneetx.exe      2023-05-21 22:39:47.000000 
```

* The `oneetx.exe` process has the foreign address of `77.91.124.20`.

##

> Q6. Based on the previous artifacts. What is the name of the malware family?

* If we search up the IP address that we found, we can get information including the name and delivery method. 

<figure><img src="https://1586847736-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtSZ40gLWhBDTzPEgHsVB%2Fuploads%2FPd4SkA7bQequljLIW0hc%2Fredline%20stealer.png?alt=media&#x26;token=c817a247-cbae-47dd-849b-93ae191b9557" alt=""><figcaption></figcaption></figure>

##

> Q7. What is the full URL of the PHP file that the attacker visited?

* Let's dump all the strings into a text file.

```
$ strings MemoryDump.mem > strings.txt    
```

```
$ grep -Eo 'https?://[^[:space:]]+' strings.txt | grep -i "77.91.124.20"
http://77.91.124.20/
http://77.91.124.20/store/gamel
http://77.91.124.20/
http://77.91.124.20/DSC01491/
http://77.91.124.20/DSC01491/
http://77.91.124.20/store/games/index.php
http://77.91.124.20/store/games/index.php
http://77.91.124.20/store/games/index.php
```

##

> Q8. What is the full path of the malicious executable?

* To get the full path, we can use the `filescan` plugin.

```
$ volatility3-2.4.1/vol.py -f MemoryDump.mem windows.filescan | grep -i "oneetx.exe"
0xad818d436c70.0\Users\Tammam\AppData\Local\Temp\c3912af058\oneetx.exe  216
0xad818da36c30  \Users\Tammam\AppData\Local\Temp\c3912af058\oneetx.exe  216
0xad818ef1a0b0  \Users\Tammam\AppData\Local\Temp\c3912af058\oneetx.exe  216
```