This page contains analysis of capture the flag (CTF) challenges and memory images utilizing the Xavier Memory Analysis Framework to automate analysis and reporting of each memory image. Text and problem descriptions are provided as verbatim as possible from the original sources to guide your memory analysis routines and orient to the analysis report by Xavier Memory Analysis Framework. Full analysis summaries are zipped using 7Zip with password infected. Source code to the Xavier Memory Analysis Framework repository used to produce these reports can be located on my github.

Magnet Forensics

Magnet Forensics "ran a weekly Capture the Flag (CTF) contest through December of 2020. Each month featured a different image and questions each week." - MagnetForensics Twitter

Learn More

Virtual Summit 2020 Windows Memory Image

Challenge Description: Magnet Forensics Windows Memory Analysis - May 2020. Answer the following questions:

  1. Which memory profile best fits the system?
  2. The user had a conversation with themselves about changing their password. What was the password they were contemplating changing too. Provide the answer as a text string.
  3. What is the md5 hash of the file which you recovered the password from?
  4. What is the birth object ID for the file which contained the password?
  5. What is the name of the user and their unique identifier which you can attribute the creation of the file document to? Format: #### (Name)
  6. What is the version of software used to create the file containing the password?
  7. What is the version of software used to create the file containing the password?
  8. What is the virtual memory address offset where the password string is located in the memory image?
  9. What is the physical memory address offset where the password string is located in the memory image?

  10. At the time of the RAM collection (20-Apr-20 23:23:26- Imageinfo) there was an established connection to a Google Server. What was the Remote IP address and port number? format: "xxx.xxx.xx.xxx:xxx"
  11. What was the Local IP address and port number? same format as part 1
  12. What was the URL?
  13. What user was responsible for this activity based on the profile?
  14. How long was this user looking at this browser with this version of Chrome? format: X:XX:XX.XXXXX Hint: down to the last second

  15. What is the IPv4 address that myaccount.google.com resolves to?
  16. What is the canonical name (cname) associated with Part 1?

  17. What is the PID of the application where you might learn "how hackers hack, and how to stop them"? Format: #### Warning: Only 1 attempt allowed!
  18. What is the product version of the application from Part 1? Format: XX.XX.XXXX.XXXXX

SANS Forensics

SANS Memory Image Analysis of win7-32-nromanoff-memory-raw Twitter

Learn More

SANS Memory Image Analysis - win7-32-nromanoff-memory-raw

MemLabs

"MemLabs is an educational, introductory set of CTF-styled challenges which is aimed to encourage students, security researchers and also CTF players to get started with the field of Memory Forensics." - stuxnet999 Twitter

Learn More

MemLabs 1

Challenge Description: "My sister's computer crashed. We were very fortunate to recover this memory dump. Your job is get all her important files from the system. From what we remember, we suddenly saw a black window pop up with some thing being executed. When the crash happened, she was trying to draw something. Thats all we remember from the time of crash."


MemLabs 2

Challenge Description: "One of the clients of our company, lost the access to his system due to an unknown error. He is supposedly a very popular "environmental" activist. As a part of the investigation, he told us that his go to applications are browsers, his password managers etc. We hope that you can dig into this memory dump and find his important stuff and give it back to us."


MemLabs 3

Challenge Description: "A malicious script encrypted a very secret piece of information I had on my system. Can you recover the information for me please?"


MemLabs 4

Challenge Description: "My system was recently compromised. The Hacker stole a lot of information but he also deleted a very important file of mine. I have no idea on how to recover it. The only evidence we have, at this point of time is this memory dump. Please help me."


MemLabs 5

Challenge Description: "We received this memory dump from our client recently. Someone accessed his system when he was not there and he found some rather strange files being accessed. Find those files and they might be useful. I quote his exact statement, "The names were not readable. They were composed of alphabets and numbers but I wasn't able to make out what exactly it was." Also, he noticed his most loved application that he always used crashed every time he ran it. Was it a virus?"


MemLabs 6

Challenge Description: "We received this memory dump from the Intelligence Bureau Department. They say this evidence might hold some secrets of the underworld gangster David Benjamin. This memory dump was taken from one of his workers whom the FBI busted earlier this week. Your job is to go through the memory dump and see if you can figure something out. FBI also says that David communicated with his workers via the internet so that might be a good place to start."

CyberDefenders

"CyberDefenders is a training platform focused on the defensive side of cybersecurity, aiming to provide a place for blue teams to practice, validate the skills they have, and acquire the ones they need." - CyberDefenders.org Twitter

Learn More

DumpMe

Challenge Description: "One of the SOC analysts took a memory dump from a machine infected with a meterpreter malware. As a Digital Forensicators, your job is to analyze the dump, extract the available indicators of compromise (IOCs) and answer the provided questions."


Injector

Challenge Description: "A company's web server has been breached through their website. Our team arrived just in time to take a forensic image of the running system and its memory for further analysis. As a security analyst, you are tasked with mounting the image to determine how the system was compromised and the actions/commands the attacker executed."

Malware Analysis and Detection Engineering

"Malware Analysis and Detection Engineering is a one-stop guide to malware analysis that simplifies the topic by teaching you undocumented tricks used by analysts in the industry. You will be able to extend your expertise to analyze and reverse the challenges that malicious software throws at you."
"...The book provides comprehensive content in combination with hands-on exercises to help you dig into the details of malware dissection, giving you the confidence to tackle malware that enters your environment." - Oreilly.com

Learn More

Asprox botnet - Sample 14.1

Challenge Description: Malware sample relating to ASPROX botnet Fake E-ZPass Phishing Email detected to produce artifacts similar to the following:

  • Creates new process at C:\Users\user_name\AppData\Local\Temp\pavuensrqs.exe
  • Creates new file at C:\Users\user_name\AppData\Local\dvmfrvjh.exe
  • Creates new process in suspended state at C:\Windows\sysWoW64\svchost.exe
  • May create new registry persistence key at HKCU\Software\Microsoft\Windows\CurrentVersion\Run with value C:\Users\user_name\AppData\Local\Temp\pavuensrqs.exe
NOTE: Your execution of the sample will likely generate artifacts similar but slightly different

Additional details can be found at:


SSDT Rootkit Example - Sample 14.2

Challenge Description: SSDT rootkit malware similar to Sample-11-7-ssdt-rootkit

NOTE: Your execution of the sample will likely generate artifacts similar but slightly different

Additional details can be found at:

  • Virus Total
  • Malware Analysis and Detection Engineering Chapter 11 "Stealth and Rootkits"
  • Malware Analysis and Detection Engineering Chapter 14 Pages 438-439


Network Socket Example - Sample 14.3

Challenge Description: Memory dump generated by "downloading a file using Internet Explorer from www.softpedia.com/get/Internet/Browsers/Internet-Explorer-11.shtml" The sole intention of this dump is to help you understand how to dissect and identify network connections." - Malware Analysis and Detection Engineering Page 439

NOTE: Your execution of the sample will likely generate artifacts similar but slightly different

Additional details can be found at: Malware Analysis and Detection Engineering Chapter 14 Page 439

inCTF International

'inCTF is India's Premier Hacking & Cyber Security contest organized by team bi0s, India's No.1 ranked CTF Team... InCTF's mission is to educate and promote a culture of online and technology safety and security.' - inctf.in/ Twitter

Learn More

Just Do It [2019]

Challenge Description: "Jake said that he hid the flag somewhere the in the computer and gave me the memory dump of the system. Can you help me in finding the flag?"


Notch It Up [2019]

Challenge Description: "I and my friend love playing with computers. So one day, my friend hid the flag in his computer and gave me the memory dump of the system. Now, the challenge is to get the flag. However, the only problem is that he is a master in hiding things. So I need your help! Look carefully. Everything that you find will lead you to the destination."


Investigation[2020]

Challenge Description: "We have found that some of the systems in our company have been compromised. We need your help to answer a few questions that our IR team wants answers for":

  1. When did Adam last use the Windoes calculator? (Answer should be in the format DD-MM-YYYY_HH:MM:SS. Timestamp in UTC.)
  2. How many times did Adam use Google Chrome in this system? (Answer should be the number.)

Investigation Continues [2020]

Challenge Description: "There are still some more questions that have come up. Provide the answers for them too:"

  1. When was the last time Adam entered an incorrect password to login? (Answer should be in the format DD-MM-YYYY_HH:MM:SS. Timestamp in UTC.)
  2. When was the file 1.jpg opened? (Answer should be in the format DD-MM-YYYY_HH:MM:SS. Timestamp in UTC.)
  3. When did Adam last use the taskbar to launch Chrome? (Answer should be in the format DD-MM-YYYY_HH:MM:SS. Timestamp in UTC.)

Malware Analyst's Cook Book

"A computer forensics "how-to" for fighting malicious code and analyzing incidents "
"With our ever-increasing reliance on computers comes an ever-growing risk of malware. Security professionals will find plenty of solutions in this book to the problems posed by viruses, Trojan horses, worms, spyware, rootkits, adware, and other invasive software. Written by well-known malware experts, this guide reveals solutions to numerous problems and includes a DVD of custom programs and tools that illustrate the concepts, enhancing your skills." - Amazon.com

Learn More

be2

Challenge Description: "BlackEnergy 2 hooks 14 different SSDT functions-mostly related to controlling access to the Registry, processes, and virtual memory. The rootkit loads a driver named 00000B9D.sys, which contains the functions that a thread would execute before (or in lieu of) the legitimate function." - Page 652


coreflood

Challenge Description: Malware that injects code into the memory space of process Internet Explorer (pid 248). - Page 623


prolaco

Challenge Description: "To demonstrate how you can use psscan to find hidden processes, we'll focus on a malware sample known to antivirus vendors as Prolaco. This malware performs DKOM entirely from user mode, without loading any kernel drivers. It does so by using the ZwSystemDebugControl API in almost the exact manner described by Alex Ionescu on the OpenRCE website." - Page 587


sality

Challenge Description: "As you conduct investigations and find patterns among mutex names, add the mutex names to your artifact database. For example ..., you can see that variants of Sality will create a mutex such as Op1mutx9 or Ap1mutx7. Sality also creates one mutex for each process on the system named in the format [PROCESS]exeM_[PID]_. The PROCESS and PID fields vary per process, but the exeM_ part is consistent. Thus, you can add these criteria to your database" - Page 670


silentbanker

Challenge Description: "The [apihook] command ... shows how to use the apihooks plug-in against a memory dump infected with Silent Banker. The same command you typed to detect IAT and EAT hooks can detect the inline hooks that Silent Banker installs. ...[The] trojan has taken control of several networking and encryption functions in the Internet Explorer process. The hooks enable Silent Banker to steal login credentials, private key certificates, and cookies from websites. " - Page 643


stuxnet

Challenge Description: Memory dump of a system infected with infamous stuxnet worm


tigger

Challenge Description: "Another artifact that you will frequently see using malfind is the trampoline code created by API-hooking libraries such as Microsoft Detours, Mhook, and any malware using the same common technique of inline/trampoline-style redirection. [This example shows] the output of malfind on [a system infected with Tigger]. Tigger used yet another technique - an indirect jmp to the address stored at 0xd80000. The point is - regardless of the technique or instruction sets that the malware uses, it does not change the fact that the instructions exist in memory pages marked as executable and that do not already have files mapped into the region. Therefore, these memory segments stand out as suspicious and you can quickly identify them using Volatility with malfind." - Pages 623-625


zeus

Challenge Description: "Zeus-one of the most prevalent information-stealing malware families. Zeus has used the same method of code injection since 2006 to achieve a certain level of stealth and to hide from process listings. Zeus stole information from victim computers, compressed it, encrypted it, and sent it over the network to the attackers." - Pages 624, 84

DEFCON

"DEF CON is one of the oldest continuously running hacker conventions around, and also one of the largest." - DEFCON Twitter

Learn More

DEFCON DFIR CTF 2019 Windows Memory Forensics

Challenge Description: Windows Triage OS image from DEFCON 2019 (referenced from Peter M. Steward's Writeup). Answer the following questions:

  1. What profile is the most appropriate for this machine? (ex:Win10x86_14393
  2. What was the process ID of notepad.exe?
  3. Name the child process of wsccript.exe.
  4. What was the IP address of the machine at the time the RAM dump was created?
  5. Based on the answer regarding to the infected PID, can you determine what the IP of the attacker was?
  6. What process name is VCRUNTIME140.dll associated with?
  7. What is the md5 hash value of the potential malware on the system?
  8. What is the LM hash of the bobs account?
  9. What protections does the VAD note at 0xfffffa800577ba10 have?
  10. What protections did the VAD starting at 0x00000000033c0000 and ending at 0x00000000033dfffff have?
  11. There was a VMS script run on the machine. What is the name of the script? (submit without file extension)
  12. An application was run at 2019-03-07 23:06L58 UTC, what is the name of the program? (Include extension)
  13. What was written in notepad.exe in the time of the memory dump?
  14. What is the shortname of the file at file record 59045?
  15. The box was exploited and is running meterpreter. What PID was infected?

OtterCTF

Otter CTF is a series of capture the flag challenges comprised of reverse engineering, memory forensics, digital host forensics, network, and steganography challenges.

Learn More

OtterCTF 2018 Windows Memory Forensics

Challenge Description: Answer the following questions:

  1. Play Time: Rick just loves to play some good old videogames. can you tell which game is he playing? whats the IP address of the server?
  2. General Info: Let's start easy - whats the PC's name and IP address?
  3. What's the Password?: you got a sample of rick's PC's memory. can you get his user password? format: CTF{...}
  4. Name Game: We know that the account was logged in to a channel called Lunar-3. what is the account name?
  5. Silly Rik: Silly rick always forgets his email's password, so he uses a Stored Password Services online to store his password. He always copy and paste the password so he will not get it wrong. whats rick's email password?
  6. Hide and Seek: The reason that we took rick's PC memory dump is because there was a malware infection. Please find the malware process name (including the extension)
  7. Bit 4 Bit: We've found out that the malware is a ransomware. Find the attacker's bitcoin address.
  8. Name Game 2: From a little research we found that the username of the logged on character is always after this signature: 0x64 0x??{6-8} 0x40 0x06 0x??{18} 0x5a 0x0c 0x00{2} What's rick's character's name? format: CTF{...}
  9. Path to Glory: How did the malware got to rick's PC? It must be one of rick old illegal habits...
  10. Graphic's For the Weak: There's something fishy in the malware's graphics.
  11. Path to glory 2: Continue the search after the way that malware got in.
  12. Recovery: Rick got to have his files recovered! What is the random password used to encrypt the files?
  13. Closure: Now that you extracted the password from the memory, could you decrypt rick's files?

Securinets

"CTF Securinets Quals is an on-line jeopardy style CTF organized by Securinets Club." - Securinets CTF Twitter

Learn More

Rare to Win

Challenge Description: "I was browsing the web and suddenly my mouse started moving on it's own! I think I have a virus on my computer. UPDATE: I tired some AVs but didn't get a hit, looks like the hacker's payload is clean and undetectable.
flag: securinets{md5(full_path_to_virus)}
Author: bibiwars"