THE DFIR BLOG
Menu

Blog

Hack the box - Reminiscent

7/29/2019

 
Suspicious traffic was detected from a recruiter's virtual PC. A memory dump of the offending VM was captured before it was removed from the network for imaging and analysis. Our recruiter mentioned he received an email from someone regarding their resume. A copy of the email was recovered and is provided for reference. Find and decode the source of the malware to find the flag.

Note: Find and Decode the source of the malware to find the flag. The reading the email file we know following information

Filename: resume.zip
IP: http://10.10.99.55:8080/resume.zip

Used following command to analyze the process
Picture
Found some suspicious stuff
Picture
Used netscan plugin to analyze the network connection and identified that process powershell is connecting to the Malicious IP address found the email. The malicious process is powershell 2752.
Picture
Lets perform a filescan and see if we can find the resume file in the memory.
Picture
We have some hits - lets dump them out and do strings on them.
Picture
Lets do strings on the dumped files.
Picture
There is some data in Base 64 - lets use cyberchef to decode it.
Picture
The output of base 64 has another base64 encoding in it. Looks like someone is running powershell
Picture
Finally we got some readable text and I can see the flag HTB{$_j0G_y0uR_M3m0rY_$}  in it.

Picture

    Subscribe to Newsletter

    Mac Forensics
    Windows Forensics
    Forensic Tools

    Categories

    All
    Attack
    Bash
    Bigdata
    CISSP
    Corporate
    Ctf
    Data
    Digital Forensics
    Docker
    EDR
    Forensics
    Hacking
    Hadoop
    HDFS
    Health Care
    Linux
    Memory
    Network
    Network Forensics
    PCIP
    SQL
    Windows
    Wireshark

    Archives

    August 2024
    July 2024
    January 2023
    October 2019
    September 2019
    July 2019
    June 2019
    May 2019
    March 2019
    April 2018
    March 2018
    February 2018
    July 2017
    June 2017
    May 2017
    November 2015
    October 2015
    July 2015
    June 2015
    May 2015
    April 2015
    March 2015

    RSS Feed

  • Infosec
  • Mac Forensics
  • Windows Forensics
  • Linux Forensics
  • Memory Forensics
  • Incident Response
  • Blog
  • About Me
  • Infosec
  • Mac Forensics
  • Windows Forensics
  • Linux Forensics
  • Memory Forensics
  • Incident Response
  • Blog
  • About Me