BlackEnergy Write-up

Praise be to God, and peace and blessings be upon the Messenger of God and upon his family and companions. To proceed:

Instructions:

  • Uncompress the lab (pass: cyberdefenders.org)

  • ZIP SHA-256: 69b66c302d7efeb4d191aee2b4cb98262554dff8

  • ZIP Size: 57 MB

Link: https://cyberdefenders.org/blueteam-ctf-challenges/blackenergy/

Medium: https://medium.com/@GLITCHGC/blackenergy-write-up-f022bdfaf93c


Questions:

1. Which volatility profile would be best for this machine?

Command: .\volatility_2.6_win64_standalone.exe -f C:\Users\MalwareLab\Desktop\CYBERDEF-567078-20230213-171333.raw imageinfo

Answer: WinXPSP2x86


2. How many processes were running when the image was acquired?

Command: .\volatility_2.6_win64_standalone.exe -f C:\Users\MalwareLab\Desktop\CYBERDEF-567078-20230213-171333.raw pslist

pslist shows 25 processes in total, but only 19 of them were still running when the image was acquired.

Answer: 19


3. What is the process ID of cmd.exe?

Command: .\volatility_2.6_win64_standalone.exe -f C:\Users\MalwareLab\Desktop\CYBERDEF-567078-20230213-171333.raw pslist

Answer: 1960
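
Questions 2 and 3 both come down to reading the pslist table: a process that has exited still appears in the list but carries an Exit timestamp. The parser below is an added example and is not part of the original write-up or of Volatility; it runs over a constructed excerpt in Volatility 2's pslist layout (not the challenge's real output), counts the processes with no Exit time, and looks up a process's PID by name.

```python
import re
from typing import Dict, List, Optional

# Constructed excerpt in the layout Volatility 2 pslist prints (not the
# challenge's real output); cmd.exe is given PID 1960 to match the answer above.
SAMPLE_PSLIST = """\
Volatility Foundation Volatility Framework 2.6
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c89c8 System                     4      0     53      240 ------      0
0x822f1020 smss.exe                 368      4      3       19 ------      0 2023-02-13 17:00:01 UTC+0000
0x821a2da0 csrss.exe                584    368     10      356      0      0 2023-02-13 17:00:03 UTC+0000
0x81f4e8d8 cmd.exe                 1960    584      1       33      0      0 2023-02-13 17:10:44 UTC+0000
0x81f2b5a0 notepad.exe             1404    584      0 --------      0      0 2023-02-13 17:05:10 UTC+0000 2023-02-13 17:09:58 UTC+0000
"""

# One data row: offset, name, PID, PPID, Thds, Hnds, Sess, Wow64, then the
# Start/Exit timestamps (either may be blank, so they are parsed from the tail).
ROW_RE = re.compile(
    r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\d+)(.*)$"
)
TS_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC[+-]\d{4}")


def parse_pslist(text: str) -> List[Dict]:
    """Turn pslist text into dicts; a row with a second timestamp has exited."""
    procs = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # banner, header and separator lines carry no process
        stamps = TS_RE.findall(m.group(9))
        procs.append({
            "offset": m.group(1), "name": m.group(2),
            "pid": int(m.group(3)), "ppid": int(m.group(4)),
            "threads": int(m.group(5)),
            "start": stamps[0] if stamps else None,
            "exit": stamps[1] if len(stamps) > 1 else None,
        })
    return procs


def count_running(procs: List[Dict]) -> int:
    """Processes without an Exit time were alive at acquisition."""
    return sum(1 for p in procs if p["exit"] is None)


def find_pid(procs: List[Dict], name: str) -> Optional[int]:
    """PID of the first process whose name matches (case-insensitive)."""
    return next((p["pid"] for p in procs if p["name"].lower() == name.lower()), None)
```

Feed the real output in with `parse_pslist(open("pslist.txt").read())` after redirecting the command above to a file.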


4. What is the name of the most suspicious process?

Command: .\volatility_2.6_win64_standalone.exe -f C:\Users\MalwareLab\Desktop\CYBERDEF-567078-20230213-171333.raw pslist

Answer: rootkit.exe


5. Which process shows the highest likelihood of code injection?

Command: .\volatility_2.6_win64_standalone.exe -f C:\Users\MalwareLab\Desktop\CYBERDEF-567078-20230213-171333.raw malfind

Look at the Flags field in the malfind output for each process.

Answer: svchost.exe


6. There is an odd file referenced in the recent process. Provide the full path of that file.

Command: .\volatility_2.6_win64_standalone.exe -f C:\Users\MalwareLab\Desktop\CYBERDEF-567078-20230213-171333.raw handles --pid 880 -t file

Answer: C:\WINDOWS\system32\drivers\str.sys


7. What is the name of the injected dll file loaded from the recent process?

Command: .\volatility_2.6_win64_standalone.exe -f C:\Users\MalwareLab\Desktop\CYBERDEF-567078-20230213-171333.raw ldrmodules --pid 880

Answer: msxml3r.dll


8. What is the base address of the injected dll?

Command: .\volatility_2.6_win64_standalone.exe -f C:\Users\MalwareLab\Desktop\CYBERDEF-567078-20230213-171333.raw malfind

Answer: 0x980000


You Can Find me Here!

Blog: https://g1it0h.gitbook.io/glitch/

Linkedin: https://www.linkedin.com/in/glitchgc/

Facebook: https://www.facebook.com/GLITC.GC/

Tryhackme: https://tryhackme.com/p/GLITCH1GC
