Letter_from_the_madhouse

[Letter from the madhouse]

Summary

• Forensic. Memory.

Background Knowledges

• Command Reference · volatilityfoundation/volatility Wiki
  • Image Identification
    • imageinfo
  • Processes and DLLs
    • pslist
    • cmdscan
  • Process Memory
    • memdump

Tools

• Volatility
• file
• strings
• grep
• gpg

Description

• memory.dump is MS Windows 64bit memory dump file.
  • 
• Notice that suspicious processes are in pslist.
  • .\volatility_2.6_win64_standalone.exe -f .\memory.dmp --profile=Win7SP1x64 pslist
  • 
• Notice that Firefox process had been terminated.
  • .\volatility_2.6_win64_standalone.exe -f .\memory.dmp --profile=Win7SP1x64 cmdline
  • 
• Dump the memory of suspicious processes.
  • 
• Extract urls from 1240.dmp(firefox.exe).
  • strings -a 1240.dmp | grep ://
  • 
  • Got the suspicious link. https://pastebin.com/QRzneSW7
• Go to the suspicious link and get information from it.
  • It seems to be base64-encoded. strange_things.encoded
  • 
  • After base64-decoding and saving it in binary, use file command to recognize what strange_things.decoded is.
  • 
  • It is PGP RSA encrypted session key.
• To decrypt strange_things.decoded, we have to find secret key.
  • Extract strings about PGP key from 2836.dmp(notepad++.exe).
    • strings -a 2836.dmp | grep PGP
  • 
  • There must be PGP private key, so find out where it is in 2836.dmp.
    • strings -a 2836.dmp > strings.2836.dmp
  • 
  • Base64-decode and save it in binary. use file command to recognize what secretkey.decoded is.
  • 
  • It is PGP secret key.
• Decrypt strange_things.decoded with secretkey.decoded.
  • gpg --import secretkey.decoded
  • 
  • gpg --decrypt strange_things.decoded
  • 
• Aero{d46821ea020c13a9a42e16b03d9dcccc97e1d7fa16c8673a4ebde8597715967a}