Command & Control level 3

root-me challenge: Berthier, the antivirus software didn’t find anything. It’s up to you now.

Try to find the malware in the memory dump. The validation flag is the md5 checksum of the full path of the executable. The uncompressed memory dump md5 hash is e3a902d4d44e0f7bd9cb29865e0a15de


┌──(kali㉿kali)-[~/Downloads/volatility3]
└─$ ./vol.py -f ch2.dmp windows.pstree
Volatility 3 Framework 2.4.2
Progress:  100.00               PDB scanning finished                        
PID     PPID    ImageFileName   Offset(V)       Threads Handles SessionId       Wow64   CreateTime      ExitTime

4       0       System  0x87978b78      103     3257    N/A     False   2013-01-12 16:38:09.000000      N/A
* 308   4       smss.exe        0x88c3ed40      2       29      N/A     False   2013-01-12 16:38:09.000000      N/A
404     396     csrss.exe       0x8929fd40      9       469     0       False   2013-01-12 16:38:14.000000      N/A
456     396     wininit.exe     0x892ac2b8      3       77      0       False   2013-01-12 16:38:14.000000      N/A
* 560   456     services.exe    0x896294c0      6       205     0       False   2013-01-12 16:38:16.000000      N/A
** 904  560     svchost.exe     0x89852918      17      409     0       False   2013-01-12 16:38:24.000000      N/A
*** 2496        904     dwm.exe 0x87ad44d0      5       77      1       False   2013-01-12 16:40:25.000000      N/A
** 1172 560     svchost.exe     0x898b2790      15      475     0       False   2013-01-12 16:38:27.000000      N/A
** 3352 560     svchost.exe     0x89f3d2c0      9       141     0       False   2013-01-12 16:40:58.000000      N/A
** 928  560     svchost.exe     0x8986b030      26      869     0       False   2013-01-12 16:38:24.000000      N/A
** 3624 560     svchost.exe     0x89f1d3e8      14      348     0       False   2013-01-12 16:41:22.000000      N/A
** 1712 560     spoolsv.exe     0x8a0f9c40      14      338     0       False   2013-01-12 16:38:58.000000      N/A
** 1968 560     vmtoolsd.exe    0x8a1d84e0      6       220     0       False   2013-01-12 16:39:14.000000      N/A
** 2352 560     taskhost.exe    0x87ac0620      8       149     1       False   2013-01-12 16:40:24.000000      N/A
** 692  560     svchost.exe     0x8962f030      10      353     0       False   2013-01-12 16:38:21.000000      N/A
** 1084 560     svchost.exe     0x898911a8      10      257     0       False   2013-01-12 16:38:26.000000      N/A
** 448  560     VMUpgradeHelpe  0x8a1f5030      4       89      0       False   2013-01-12 16:39:21.000000      N/A
*** 468 448     csrss.exe       0x88d03a00      10      471     1       False   2013-01-12 16:38:14.000000      N/A
**** 2600       468     conhost.exe     0x87a9c288      1       35      1       False   2013-01-12 16:40:28.000000      N/A
**** 3228       468     conhost.exe     0x87c595b0      2       54      1       False   2013-01-12 16:44:50.000000      N/A
**** 2168       468     conhost.exe     0x954826b0      2       49      1       False   2013-01-12 16:55:50.000000      N/A
*** 500 448     winlogon.exe    0x892ced40      3       111     1       False   2013-01-12 16:38:14.000000      N/A
** 832  560     svchost.exe     0x89805420      19      435     0       False   2013-01-12 16:38:23.000000      N/A
*** 1720        832     audiodg.exe     0x87c90d40      5       117     0       False   2013-01-12 16:58:11.000000      N/A
** 1220 560     AvastSvc.exe    0x898a7868      66      1180    0       False   2013-01-12 16:38:28.000000      N/A
** 1612 560     TPAutoConnSvc.  0x9542a030      9       135     0       False   2013-01-12 16:39:23.000000      N/A
*** 2568        1612    TPAutoConnect.  0x87ae2880      5       146     1       False   2013-01-12 16:40:28.000000      N/A
** 1872 560     sppsvc.exe      0x88cded40      4       143     0       False   2013-01-12 16:39:02.000000      N/A
** 336  560     wlms.exe        0x9541c7e0      4       45      0       False   2013-01-12 16:39:21.000000      N/A
** 1748 560     svchost.exe     0x8a102748      18      310     0       False   2013-01-12 16:38:58.000000      N/A
** 2900 560     SearchIndexer.  0x898fbb18      13      636     0       False   2013-01-12 16:40:38.000000      N/A
** 3176 560     wmpnetwk.exe    0x87bd35b8      9       240     0       False   2013-01-12 16:40:48.000000      N/A
** 764  560     svchost.exe     0x897b5c20      7       263     0       False   2013-01-12 16:38:23.000000      N/A
* 584   456     lsm.exe         0x8962f7e8      10      142     0       False   2013-01-12 16:38:16.000000      N/A
* 576   456     lsass.exe       0x896427b8      6       566     0       False   2013-01-12 16:38:16.000000      N/A
2548    2484    explorer.exe    0x87ac6030      24      766     1       False   2013-01-12 16:40:27.000000      N/A
* 2720  2548    AvastUI.exe     0x87b784b0      14      220     1       False   2013-01-12 16:40:31.000000      N/A
* 2660  2548    VMwareTray.exe  0x87b82438      5       80      1       False   2013-01-12 16:40:29.000000      N/A
* 1232  2548    taskmgr.exe     0x95495c18      6       116     1       False   2013-01-12 16:42:29.000000      N/A
* 3152  2548    cmd.exe         0x87bf7030      1       23      1       False   2013-01-12 16:44:50.000000      N/A
** 3144 3152    winpmem-1.3.1.  0x87cbfd40      1       23      1       False   2013-01-12 16:59:17.000000      N/A
* 1136  2548    iexplore.exe    0x9549f678      18      454     1       False   2013-01-12 16:57:44.000000      N/A
** 3044 1136    iexplore.exe    0x87d4d338      37      937     1       False   2013-01-12 16:57:46.000000      N/A
* 2676  2548    VMwareUser.exe  0x87aa9220      8       190     1       False   2013-01-12 16:40:30.000000      N/A
* 2772  2548    iexplore.exe    0x87b6b030      2       74      1       False   2013-01-12 16:40:34.000000      N/A
** 1616 2772    cmd.exe 0x89898030      2       101     1       False   2013-01-12 16:55:49.000000      N/A
* 2744  2548    StikyNot.exe    0x898fe8c0      8       135     1       False   2013-01-12 16:40:32.000000      N/A
* 3452  2548    swriter.exe     0x87c6a2a0      1       19      1       False   2013-01-12 16:41:01.000000      N/A
** 3512 3452    soffice.exe     0x87ba4030      1       28      1       False   2013-01-12 16:41:03.000000      N/A
*** 3564        3512    soffice.bin     0x87b8ca58      12      400     1       False   2013-01-12 16:41:05.000000      N/A
3556    3544    soffice.bin     0x95483d18      0       -       1       False   2013-01-12 16:41:05.000000      2013-01-12 16:41:39.000000

Apparently there is a cmd.exe (PID 3152) running as a child of explorer.exe (PID 2548). Trying the most common registry location for persistence, the CurrentVersion\Run key:

┌──(kali㉿kali)-[~/Downloads/volatility3]
└─$ ./vol.py -f ../root-me/forensic/ch2.dmp windows.registry.printkey --key "Software\Microsoft\Windows\CurrentVersion\Run"
Volatility 3 Framework 2.4.2
Progress:  100.00               PDB scanning finished                        
Last Write Time Hive Offset     Type    Key     Name    Data    Volatile

-       0x8b20c008      Key     ?\Software\Microsoft\Windows\CurrentVersion\Run -               -
...
-       0x90cab9d0      Key     ?\Software\Microsoft\Windows\CurrentVersion\Run -               -
2013-01-12 14:13:19.000000      0x9670e9d0      REG_SZ  \??\C:\Users\John Doe\ntuser.dat\Software\Microsoft\Windows\CurrentVersion\Run   RESTART_STICKY_NOTES    "C:\Windows\System32\StikyNot.exe"      False
2013-01-12 14:13:19.000000      0x9670e9d0      REG_SZ  \??\C:\Users\John Doe\ntuser.dat\Software\Microsoft\Windows\CurrentVersion\Run   IEPreload       ""C:\Users\John Doe\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\iexplore.exe""     False
-       0x9670f9d0      Key     ?\Software\Microsoft\Windows\CurrentVersion\Run -               -

md5sum the full path.