i am stuck now at this challenge
what i have done was-
-used volatility
-found where the malware is
-from parent file got the base64 code
-decoded it and got a "ONELINE SUPER CODE"
You are in the right track, you only have to find it. Go back to volatility and use "pstree". The question is: Have you exhausted all "Powerful 1-liner"?
@KameB0Y
sorry i am a NOOB who got into this stuff a very short while ago
could you explain further what do you mean ?
i don't get what do you mean exactly with "exhaused" i mean i have found 2 of them one is really big other is a little smaller if that is what you wanted to ask me ?
Hey, if anyone's still stuck with this challenge here's my tips:
If you already got the lnk file, all that's left to do is to actually read the code and follow exactly what it's doing. Even if you're not familiar with this specific language, you can always look it up! There are some nice reference docs online.
Comments
@rotarydrone hi man can i PM you and you help me out a little
i have gotten to the code but i cant figure out what i am looking for !
Type your comment> @S4K4L04 said:
You are in the right track, you only have to find it. Go back to volatility and use "pstree". The question is: Have you exhausted all "Powerful 1-liner"?
@KameB0Y
sorry i am a NOOB who got into this stuff a very short while ago
could you explain further what do you mean ?
i don't get what do you mean exactly with "exhaused" i mean i have found 2 of them one is really big other is a little smaller if that is what you wanted to ask me ?
Type your comment> @S4K4L04 said:
I'll PM you.
Hey, if anyone's still stuck with this challenge here's my tips:
If you already got the lnk file, all that's left to do is to actually read the code and follow exactly what it's doing. Even if you're not familiar with this specific language, you can always look it up! There are some nice reference docs online.
What a great challenge. Very interesting!
Videos that helped me understand how to use Volatility:
Websites
https://www.andreafortuna.org/2018/03/02/volatility-tips-extract-text-typed-in-a-notepad-window-from-a-windows-memory-dump/
If you need some assistance please PM me.
Great challenge! I really loved this one
All by myself!!! Great challenge! I've learned a lot of stuff :-)
Thanks @Wolfstorm for those resources!
< Soli Deo Gloria >
I dump the powershell process, but i'm having trouble searching through it with strings. I also attempted to go to https://technical.nttsecurity.com/post/102egyy/hunting-malware-with-memory-analysis but the post is no longer available
Too much rabbit holes... Can't believe I have went so far just basing on a simple hex editor :-)
i can't get the resume.zip from http://10.10.99.55:8080/resume.zip ... the server seem to be down