TryHackMe

Forensics — Writeup

This is a memory dump of the compromised system; do some forensics kung-fu to explore the inside.

Karthikeyan Nagaraj, published in InfoSec Write-ups, 3 min read, Jul 30, 2022

Task 1: Volatility Forensics

1. Download the victim.zip.

2. What is the Operating System of this Dump file? (OS name)

Ans: windows

3. What is the PID of SearchIndexer?

Ans: 2180

4. What is the last directory accessed by the user? (The last folder name, exactly as it is.)

Sort the entries by date and time to find the most recent one. Use the shellbags plugin to list the directories the user browsed:

./volatility -f victim1.raw --profile=Win7SP1x64 shellbags

Ans: Deleted_files

Task 2

  1. There are many suspicious open ports; which one is it? (ANSWER format: protocol:port)

The protocol and port of the first entry is the answer.

Ans: UDP:5005

2. Vads tag and execute protection are strong indicators of malicious processes; can you find which they are? (ANSWER format: Pid1;Pid2;Pid3)

The first three PIDs found are the answer.

Ans: 1860;1820;2464
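Question 2 pairs two memory indicators: a VadS tag (a short VAD node, used for private allocations rather than file-backed mappings) and execute protection on the region. In Volatility 2 that pairing is what the malfind plugin reports per region. The following Python helper, added here as an example and not part of the original writeup, parses a constructed excerpt modelled on malfind's "Process: ... Pid: ..." / "Vad Tag: ... Protection: ..." layout (the exact format is an assumption, and the process names are made up) and reduces it to the room's "Pid1;Pid2;Pid3" answer format, deduplicating PIDs that own several flagged regions and ignoring regions that carry only one of the two indicators.

```python
import re

# Constructed sample modelled on the layout of Volatility 2's `malfind` output
# (a process header line followed by a "Vad Tag: ... Protection: ..." line).
# Process names and addresses are made up for this example; only the PIDs
# echo the writeup's answer so the result is easy to compare.
SAMPLE_MALFIND = """\
Process: svchost.exe Pid: 1860 Address: 0x1f0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

Process: explorer.exe Pid: 1820 Address: 0x4a0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

Process: lsass.exe Pid: 500 Address: 0x60000
Vad Tag: Vad Protection: PAGE_READWRITE
Flags: CommitCharge: 2, MemCommit: 1, PrivateMemory: 1, Protection: 4

Process: notepad.exe Pid: 2464 Address: 0x3e0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

Process: svchost.exe Pid: 1860 Address: 0x2a0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6
"""

HEADER_RE = re.compile(
    r"^Process:\s+(?P<name>\S+)\s+Pid:\s+(?P<pid>\d+)\s+Address:\s+(?P<addr>0x[0-9a-fA-F]+)"
)
VAD_RE = re.compile(r"^Vad Tag:\s+(?P<tag>\S+)\s+Protection:\s+(?P<prot>\S+)")


def parse_malfind(text):
    """Return one dict per reported region: name, pid, addr, tag, prot."""
    regions = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"name": m["name"], "pid": int(m["pid"]), "addr": m["addr"]}
            continue
        m = VAD_RE.match(line)
        if m and current is not None:
            regions.append({**current, "tag": m["tag"], "prot": m["prot"]})
            current = None
    return regions


def suspicious_pids(regions, tag="VadS", prot="PAGE_EXECUTE_READWRITE"):
    """PIDs owning at least one region that carries BOTH indicators.

    A region with only one of them (e.g. lsass above: Vad + PAGE_READWRITE)
    is not reported. Order is first-seen and duplicates are dropped, which is
    how the answer is read off the plugin output."""
    seen = []
    for r in regions:
        if r["tag"] == tag and r["prot"] == prot and r["pid"] not in seen:
            seen.append(r["pid"])
    return seen


def format_answer(pids):
    """Render PIDs in the room's 'Pid1;Pid2;Pid3' answer format."""
    return ";".join(str(p) for p in pids)


if __name__ == "__main__":
    hits = suspicious_pids(parse_malfind(SAMPLE_MALFIND))
    print(format_answer(hits))  # 1860;1820;2464 on the constructed sample
```

To use it on a real case, save the plugin output to a file and pass its contents to parse_malfind instead of the constructed sample; flagged PIDs are a starting point for triage (dump and inspect the regions), not proof of injection on their own.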

Task 3 — IOC Saga

1. 'www.go****.ru' (write full url without any quotation marks)

Ans: www.goporn.ru

2. 'www.i****.com' (write full url without any quotation marks)

Ans: www.ikaka.com

3. 'www.ic******.com'

Ans: www.icsalabs.com

4. 202.***.233.*** (Write full IP)

Ans: 202.107.233.211

5. ***.200.**.164 (Write full IP)

Ans: 209.200.12.164

6. 209.190.***.***

Ans: 209.190.122.186

7. What is the unique environmental variable of PID 2464?

Ans: The answer is highlighted in the picture above.

Thank you for reading! Happy Hacking! Author — Karthikeyan N | Cyberw1ng
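Items 1 to 6 above give each IOC as a redacted mask in which every '*' stands for exactly one character. Rather than eyeballing a long strings listing, a masked pattern can be turned into a regular expression and run over the dump's strings output. The helper below is an added example, not part of the original writeup: mask_to_regex treats '*' as one digit in IPv4 masks and one hostname character otherwise, and find_iocs scans a list of lines. The sample lines are constructed for this example (they reuse the page's six IOCs plus look-alike decoys); the assumption that the masks count characters one-to-one comes from the room's answer format.

```python
import re

# Redacted IOC masks as given in the room (page content, not invented).
MASKS = [
    "www.go****.ru",
    "www.i****.com",
    "www.ic******.com",
    "202.***.233.***",
    "***.200.**.164",
    "209.190.***.***",
]

# Constructed strings-style lines for this example. They contain the page's
# IOCs plus decoys that share a prefix but have the wrong length or TLD.
SAMPLE_STRINGS = [
    "GET http://www.goporn.ru/update.php HTTP/1.1",
    "Host: www.google.com",
    "Referer: http://www.ikaka.com/",
    "http://www.icsalabs.com/",
    "connect 202.107.233.211:8080",
    "peer 202.1.233.5",
    "dns 209.200.12.164 209.190.122.186",
]


def mask_to_regex(mask):
    """Compile a redacted IOC such as 'www.go****.ru' or '202.***.233.***'.

    Each '*' matches exactly one character: a digit when the mask is an IPv4
    shape (four dot-separated groups of digits/stars), a hostname character
    otherwise. Lookarounds stop the pattern matching inside a longer token."""
    is_ip = re.fullmatch(r"[\d*]+(\.[\d*]+){3}", mask) is not None
    wildcard = r"\d" if is_ip else r"[A-Za-z0-9-]"
    body = "".join(wildcard if ch == "*" else re.escape(ch) for ch in mask)
    return re.compile(rf"(?<![\w.-]){body}(?![\w.-])")


def find_iocs(masks, lines):
    """Return {mask: sorted unique matches} over the given lines."""
    compiled = {m: mask_to_regex(m) for m in masks}
    found = {m: set() for m in masks}
    for line in lines:
        for m, rx in compiled.items():
            found[m].update(rx.findall(line))
    return {m: sorted(v) for m, v in found.items()}


if __name__ == "__main__":
    for mask, hits in find_iocs(MASKS, SAMPLE_STRINGS).items():
        print(f"{mask:18} -> {', '.join(hits) or '(no match)'}")
```

On a real dump the lines would come from the output of strings run over the image (e.g. read from a saved file) rather than the constructed list; because the TLD and the exact character count are part of the pattern, near-misses such as www.google.com or 202.1.233.5 are not reported.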
