Stealth Invasion
Personal Rating: Medium
Last updated
This forensics challenge teaches memory analysis on a memory dump. We start off with the file "memdump.elf". From the challenge description we know that a malicious Chrome extension was stealthily installed, masquerading as a useful productivity tool. An analyst was alarmed by unusual network activity.
This article shows some first things to do when you are starting with static memory analysis:
I started by extracting some basic information from the dump, mainly metadata and strings:
Scrolling through the extensive results, a password was found: _password="2ce2shi2009122";
When analyzing a memory image, one tool should come to mind immediately: Volatility. This memory analysis framework boasts impressive analysis capabilities, malware scans, file extraction and process lists, to name a few. I started by getting basic OS information:
From there, I concentrated on Chrome since it was mentioned in the challenge preface. I found the process ID of the Google Chrome parent process:
I then used memprocfs to mount the image as a filesystem locally. The forensics flag was enabled to reconstruct files from the recovered NTFS data.
Searching through the data, we discover the user "selene". Guided by the questions required to solve the challenge, I enumerated potential malicious Chrome plugins. By searching for "\Users\selene" in the file "ntfs_files.txt" in Kate, I found this folder:
\0\Users\selene\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Suspicious contents were found in the folder
Back to volatility, I used it to extract all extension related files:
Investigating the results, this folder caught my eye:
\Users\selene\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nnjofihdjilebhiiemfmdlpbdkbjcpae\LOG
The log however did not contain enough information, so I opened the web logs that were created by the memprocfs forensics feature:
Most of the requests were to "drive.google.com".
In the output of filescan.txt that I generated earlier, I could grep for the log "000003.log", one of the log files found by searching for the suspicious extension. Most of the logs could not be recovered because they were not loaded in memory when the dump was taken. One of them, however, was buffered and could be obtained with the command below, which returns every instance of the log file together with its virtual address; the same virtual addresses also appear when grepping for the log file in "filescan.txt".
The resulting log file contained the Eldoria Online password of the user selene.
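The "grep filescan, dump every instance, inspect each one" loop described above can be scripted. The following Python helper is an added example, not part of this writeup or of Volatility itself; it assumes Volatility 3's tab-separated filescan output (Offset, Name, Size) and uses constructed sample data throughout.

```python
import re
from typing import List, Tuple

# Constructed sample of "vol windows.filescan.FileScan" output. Offsets are
# made up; two entries are the LevelDB log from the writeup, one is noise.
LOG_PATH = (r"\Users\selene\AppData\Local\Google\Chrome\User Data\Default"
            r"\Local Extension Settings\nnjofihdjilebhiiemfmdlpbdkbjcpae\000003.log")

def _row(offset: str, name: str, size: str) -> str:
    return "\t".join((offset, name, size))

FILESCAN_SAMPLE = "\n".join([
    "Volatility 3 Framework 2.5.0",
    "Offset\tName\tSize",
    "",
    _row("0xffffa70800001000", LOG_PATH, "0x80"),
    _row("0xffffa70800002000", LOG_PATH, "-"),
    _row("0xffffa70800003000", r"\Windows\System32\ntdll.dll", "0x1000"),
])

def find_file_objects(filescan_output: str, filename: str) -> List[Tuple[str, str]]:
    """Return (virtual address, full path) for every FILE_OBJECT named `filename`."""
    hits = []
    for line in filescan_output.splitlines():
        parts = line.split("\t")
        if len(parts) < 3 or not parts[0].startswith("0x"):
            continue  # banner, column header or blank line
        offset, path = parts[0], parts[1]
        if path.lower().endswith("\\" + filename.lower()):
            hits.append((offset, path))
    return hits

def dumpfiles_commands(hits: List[Tuple[str, str]], image: str = "memdump.elf") -> List[str]:
    """One DumpFiles call per FILE_OBJECT; only the cached instance yields data."""
    return [f"vol -f {image} windows.dumpfiles.DumpFiles --virtaddr {offset}"
            for offset, _ in hits]

# Matches the `_password="..."` style hit seen in the strings output above;
# control characters and space terminate the captured value.
CRED_RE = re.compile(rb'[A-Za-z_]*pass(?:word|wd)?\s*[=:]\s*["\']?([^\x00-\x20"\';,]{4,64})',
                     re.IGNORECASE)

def scan_dump_for_credentials(data: bytes) -> List[str]:
    """Flag password-like assignments inside a recovered file's bytes."""
    return [m.group(1).decode("latin-1") for m in CRED_RE.finditer(data)]

# Constructed stand-in for a dumped file; values are placeholders, not real secrets.
DUMP_SAMPLE = (b"\x00\x00garbage\x00_password=\"s3cr3t-demo\";\x00"
               b"passwd: demo-passphrase-2\x00no creds here\x00")

if __name__ == "__main__":
    for cmd in dumpfiles_commands(find_file_objects(FILESCAN_SAMPLE, "000003.log")):
        print(cmd)
    print(scan_dump_for_credentials(DUMP_SAMPLE))
```

Run the printed commands one by one and pass each resulting file to scan_dump_for_credentials; the instances that were not resident produce empty or missing output.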
What is the PID of the Original (First) Google Chrome process: 4080
-> Found with vol -f memdump.elf windows.pslist
What is the only Folder on the Desktop: malext
-> Found by mounting the image with memprocfs: memprocfs -f memdump.elf -mount mnt/
and enabling the forensic feature
What is the Extension's ID (ex: hlkenndednhfkekhgcdicdfddnkalmdm): nnjofihdjilebhiiemfmdlpbdkbjcpae
-> sudo vol -f memdump.elf windows.filescan.FileScan | tee filescan.txt | grep Extension
After examining the malicious extension's code, what is the log filename in which the data is stored: ffffa708c79892d0-000003.log
-> vol -f memdump.elf windows.filescan.FileScan | tee filescan.txt && cat filescan.txt | grep Extension
and search for the log
What is the URL the user navigated to: drives.google.com
-> Found in the web logs that memprocfs writes to the mnt/forensics/web folder, reconstructed from the Chrome history
What is the password of selene@rangers.eldoria.com: clip-mummify-proofs
-> vol -f memdump.elf windows.filescan.FileScan | tee filescan.txt && cat filescan.txt | grep 000003.log revealed the virtual memory address of the log file in 8 instances. Going through each of them, one was apparently cached and could be read. The password was inside. Reading the files was done with vol -f memdump.elf windows.dumpfiles.DumpFiles --virtaddr <virt memory address>