BlackEnergy Write-up

Last updated 6 months ago

Praise be to Allah, and peace and blessings be upon the Messenger of Allah, his family and his companions. To proceed:

Instructions:

  • Uncompress the lab (pass: )

  • ZIP SHA-256: 69b66c302d7efeb4d191aee2b4cb98262554dff8

  • ZIP Size: 57 MB

Link: https://cyberdefenders.org/blueteam-ctf-challenges/blackenergy/

Medium: https://medium.com/@GLITCHGC/blackenergy-write-up-f022bdfaf93c


Questions:

1. Which volatility profile would be best for this machine?

Command: .\volatility_2.6_win64_standalone.exe -f C:\Users\MalwareLab\Desktop\CYBERDEF-567078-20230213-171333.raw imageinfo

Answer: WinXPSP2x86


2. How many processes were running when the image was acquired?

Command: .\volatility_2.6_win64_standalone.exe -f C:\Users\MalwareLab\Desktop\CYBERDEF-567078-20230213-171333.raw pslist

pslist shows 25 processes, but only 19 were still running when the image was acquired; the remaining 6 have a value in the Exit column.

Answer: 19


3. What is the process ID of cmd.exe?

Command: .\volatility_2.6_win64_standalone.exe -f C:\Users\MalwareLab\Desktop\CYBERDEF-567078-20230213-171333.raw pslist

Answer: 1960


4. What is the name of the most suspicious process?

Command: .\volatility_2.6_win64_standalone.exe -f C:\Users\MalwareLab\Desktop\CYBERDEF-567078-20230213-171333.raw pslist

Answer: rootkit.exe
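Questions 2 to 4 are all answered from the same pslist listing: count the rows without an Exit time, look up a name to get its PID, and spot the name that does not belong on a stock Windows XP host. The Python script below is an added example, not code from the original write-up or from CyberDefenders: it parses Volatility 2.6 pslist output and answers all three mechanically. SAMPLE_PSLIST and XP_BASELINE are constructed for the demo; the PIDs, offsets and timestamps in them are made up and do not match the lab image (where 25 processes are listed and 19 are running).

```python
"""Parse Volatility 2.6 `pslist` output and answer the process-triage questions:
how many processes were still running, what PID a given process has, and which
process names do not belong on a baseline Windows XP box."""
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample of `pslist` output (NOT the lab's real listing): the layout
# mirrors Volatility 2.6, but PIDs, offsets and timestamps are made up.
SAMPLE_PSLIST = """\
Volatility Foundation Volatility Framework 2.6
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c8830 System                    4      0     56      240 ------      0
0x8220e020 smss.exe                364      4      3       19 ------      0 2023-02-13 17:08:38 UTC+0000
0x82241020 csrss.exe               588    364     12      400      0      0 2023-02-13 17:08:40 UTC+0000
0x82235b98 svchost.exe             880    640     20      200      0      0 2023-02-13 17:08:42 UTC+0000
0x81f6f020 cmd.exe                1960   1640      1       27      0      0 2023-02-13 17:10:00 UTC+0000
0x81f11020 rootkit.exe            1436   1640      1       18      0      0 2023-02-13 17:12:10 UTC+0000
0x81ee2da0 notepad.exe            1244   1640      0 -------- ------      0 2023-02-13 17:09:01 UTC+0000   2023-02-13 17:09:30 UTC+0000
"""

# Partial, constructed baseline of names expected on a clean XP host; a real
# baseline should come from a known-good image of the same build.
XP_BASELINE: Set[str] = {
    "System", "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe", "alg.exe",
    "wuauclt.exe", "cmd.exe", "notepad.exe",
}


@dataclass
class Proc:
    offset: str
    name: str
    pid: int
    ppid: int
    start: Optional[str]
    exit: Optional[str]

    @property
    def running(self) -> bool:
        # pslist fills the Exit column only for processes that have terminated
        # but whose _EPROCESS is still linked into the active process list.
        return self.exit is None


def parse_pslist(text: str) -> List[Proc]:
    """Tokenise each data row: the first eight columns never contain spaces, the
    remainder is zero, one or two timestamps of the form 'date time tz'."""
    procs: List[Proc] = []
    for line in text.splitlines():
        if not line.startswith("0x"):
            continue  # banner, header and separator lines
        tok = line.split()
        times = tok[8:]
        start = " ".join(times[0:3]) or None
        exit_ = " ".join(times[3:6]) or None
        procs.append(Proc(tok[0], tok[1], int(tok[2]), int(tok[3]), start, exit_))
    return procs


def count_running(procs: List[Proc]) -> int:
    return sum(1 for p in procs if p.running)


def pid_of(procs: List[Proc], name: str) -> Optional[int]:
    return next((p.pid for p in procs if p.name.lower() == name.lower()), None)


def unexpected_names(procs: List[Proc], baseline: Set[str] = XP_BASELINE) -> List[str]:
    """Names absent from the baseline are the first candidates for 'most suspicious'."""
    return sorted({p.name for p in procs if p.name not in baseline})


if __name__ == "__main__":
    procs = parse_pslist(SAMPLE_PSLIST)
    print(f"{len(procs)} listed, {count_running(procs)} running")
    print("cmd.exe PID:", pid_of(procs, "cmd.exe"))
    print("not in baseline:", unexpected_names(procs))
```

To use it on the real image, pipe the pslist output to a file and pass its contents to parse_pslist instead of SAMPLE_PSLIST. The baseline check is only a first cut: a name that is on the list can still be malicious (a second "svchost.exe" with the wrong parent, for example), so pair it with the PPID column.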


5. Which process shows the highest likelihood of code injection?

Command: .\volatility_2.6_win64_standalone.exe -f C:\Users\MalwareLab\Desktop\CYBERDEF-567078-20230213-171333.raw malfind

Look at the protection flags of each region in the malfind output.

Answer: svchost.exe


6. There is an odd file referenced in the recent process. Provide the full path of that file.

Command: .\volatility_2.6_win64_standalone.exe -f C:\Users\MalwareLab\Desktop\CYBERDEF-567078-20230213-171333.raw handles --pid 880 -t file

Answer: C:\WINDOWS\system32\drivers\str.sys


7. What is the name of the injected dll file loaded from the recent process?

Command: .\volatility_2.6_win64_standalone.exe -f C:\Users\MalwareLab\Desktop\CYBERDEF-567078-20230213-171333.raw ldrmodules --pid 880

Answer: msxml3r.dll


8. What is the base address of the injected dll?

Command: .\volatility_2.6_win64_standalone.exe -f C:\Users\MalwareLab\Desktop\CYBERDEF-567078-20230213-171333.raw malfind

Answer: 0x980000
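Questions 5, 7 and 8 are really one correlation: malfind finds an executable private region that starts with an MZ header, and ldrmodules shows a module mapped at that same base which is missing from all three PEB lists, which gives the DLL's name. The Python script below is an added example, not code from the original write-up, from CyberDefenders or from the Volatility project: it parses both plugin outputs and joins them on (PID, base address). SAMPLE_MALFIND and SAMPLE_LDRMODULES are constructed for the demo; they copy the Volatility 2.6 layout but the explorer.exe region, the ntdll.dll entry and the byte values are made up.

```python
"""Correlate Volatility 2.6 `malfind` and `ldrmodules` output: rank processes by
injection likelihood, then name the injected DLL and its base address."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed `malfind` sample (NOT the lab's real output). Region one is the classic
# signature of an injected PE: private RWX memory that starts with an MZ header.
# Region two is RWX memory with no PE header, a much weaker signal (JIT heaps look so).
SAMPLE_MALFIND = """\
Process: svchost.exe Pid: 880 Address: 0x980000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 33, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x00980000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............
0x00980010  b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00   ........@.......

0x00980000 4d               DEC EBP
0x00980001 5a               POP EDX

Process: explorer.exe Pid: 1640 Address: 0x1a60000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x01a60000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
"""

# Constructed `ldrmodules --pid 880` sample. A module mapped in the process but
# missing from all three PEB lists was not brought in by the normal loader.
SAMPLE_LDRMODULES = """\
Pid      Process              Base       InLoad InInit InMem MappedPath
-------- -------------------- ---------- ------ ------ ----- ----------
     880 svchost.exe          0x01000000 True   True   True  \\WINDOWS\\system32\\svchost.exe
     880 svchost.exe          0x7c900000 True   True   True  \\WINDOWS\\system32\\ntdll.dll
     880 svchost.exe          0x00980000 False  False  False \\WINDOWS\\system32\\msxml3r.dll
"""

HEADER_RE = re.compile(r"^Process: (\S+) Pid: (\d+) Address: (0x[0-9a-fA-F]+)")
PROT_RE = re.compile(r"Protection: (PAGE_\w+)")
HEXDUMP_RE = re.compile(r"^0x[0-9a-fA-F]+\s+((?:[0-9a-fA-F]{2}\s+){16})")  # 16-byte dump rows only


@dataclass
class Region:
    process: str
    pid: int
    address: int
    protection: str = ""
    first_bytes: bytes = b""

    @property
    def has_pe_header(self) -> bool:
        return self.first_bytes.startswith(b"MZ")


@dataclass
class Module:
    pid: int
    process: str
    base: int
    in_load: bool
    in_init: bool
    in_mem: bool
    path: str


def parse_malfind(text: str) -> List[Region]:
    regions: List[Region] = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            regions.append(Region(m.group(1), int(m.group(2)), int(m.group(3), 16)))
            continue
        if not regions:
            continue
        cur = regions[-1]
        if line.startswith("Vad Tag"):
            prot = PROT_RE.search(line)
            cur.protection = prot.group(1) if prot else cur.protection
        elif not cur.first_bytes:  # first dump row is the region start
            dump = HEXDUMP_RE.match(line)
            if dump:
                cur.first_bytes = bytes.fromhex(dump.group(1))
    return regions


def parse_ldrmodules(text: str) -> List[Module]:
    mods: List[Module] = []
    for line in text.splitlines():
        tok = line.split(maxsplit=6)
        if len(tok) < 6 or not tok[0].isdigit():
            continue  # header and separator lines
        flags = [t == "True" for t in tok[3:6]]
        mods.append(Module(int(tok[0]), tok[1], int(tok[2], 16), *flags, tok[6] if len(tok) > 6 else ""))
    return mods


def rank_processes(regions: List[Region]) -> List[str]:
    """Executable region with a PE header scores 2, any other executable region 1."""
    score: Dict[str, int] = {}
    for r in regions:
        pts = (2 if r.has_pe_header else 1) if "EXECUTE" in r.protection else 0
        score[r.process] = score.get(r.process, 0) + pts
    return sorted(score, key=lambda p: score[p], reverse=True)


def unlinked_modules(mods: List[Module]) -> List[Module]:
    return [m for m in mods if not (m.in_load or m.in_init or m.in_mem)]


def identify_injected_dll(regions: List[Region], mods: List[Module]) -> Optional[Module]:
    """Join malfind PE-header regions to ldrmodules entries on (PID, base address)."""
    pe_bases = {(r.pid, r.address) for r in regions if r.has_pe_header}
    return next((m for m in mods if (m.pid, m.base) in pe_bases), None)
```

Call rank_processes(parse_malfind(...)) to get the answer to question 5, and identify_injected_dll(...) for questions 7 and 8: the returned Module carries the MappedPath (msxml3r.dll) and the base (0x980000) as one record. unlinked_modules is the independent cross-check: a module that is mapped but absent from all three PEB lists should show up there even when malfind's heuristics miss the region.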


You Can Find me Here!

Blog: https://g1it0h.gitbook.io/glitch

Linkedin: https://www.linkedin.com/in/glitchgc/

Facebook: https://www.facebook.com/GLITC.GC/

Tryhackme: https://tryhackme.com/p/GLITCH1GC