Analyse mémoire 1/5 - Exfiltration

Tags: forensics, windows, memory, FCSC 2025

Description

An FCSC agent starts their computer to brainstorm and jot down challenge ideas for next year. However, they reported that during startup, a strange red screen briefly appeared for just a second, then the system booted normally.

They were able to start working without any issues, but to ensure the problem isn’t caused by potential malware, we had them capture the system’s memory using the DumpIt tool. Analyze the memory and identify the malware attempting to exfiltrate the document:

  • the process running the malware
  • the address and port of the attacker-controlled server

The flag is in the format FCSC{<process_name>:<process_id>:<remote_ip_address>:<remote_port>:<protocol_used>} where:

  • <process_name> is the name of the process running the malware,
  • <process_id> is the Process ID (PID) of the malware,
  • <remote_ip_address> is the IP address of the attacker-controlled server,
  • <remote_port> is the port used on the attacker-controlled server, and
  • <protocol_used> is the protocol used to communicate with the attacker’s server (TCP or UDP).

For example: FCSC{malware.exe:512:51.255.68.182:21:UDP}.
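A small triage helper in the spirit of the task above, added here as an illustrative example and not part of the challenge files or any writeup: it parses a constructed, simplified netscan-style listing of sockets recovered from a memory image (the column layout, addresses, PIDs and process names are all assumptions), keeps only sockets whose remote endpoint is a globally routable address, groups them by owning process, and renders each hit in the flag format the challenge asks for.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the style of a netscan-style listing produced by a
# memory forensics tool. Columns (assumed): Proto LocalAddr LocalPort
# ForeignAddr ForeignPort State PID Owner. Every value is made up.
SAMPLE_NETSCAN = """\
TCPv4 0.0.0.0 135 0.0.0.0 0 LISTENING 880 svchost.exe
TCPv4 192.168.56.101 49712 192.168.56.1 445 ESTABLISHED 4 System
TCPv4 192.168.56.101 49801 51.255.68.182 4444 ESTABLISHED 5216 updater.exe
UDPv4 0.0.0.0 5353 * 0 - 2208 chrome.exe
TCPv4 127.0.0.1 49700 127.0.0.1 49701 ESTABLISHED 3120 explorer.exe
"""


def parse_netscan(text):
    """Parse whitespace-separated netscan-style rows into dictionaries."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8:
            continue  # header, blank or truncated row
        proto, laddr, lport, faddr, fport, state, pid, owner = parts[:8]
        rows.append({
            "proto": proto, "local_addr": laddr, "local_port": lport,
            "foreign_addr": faddr, "foreign_port": fport, "state": state,
            "pid": pid, "owner": owner,
        })
    return rows


def is_external(addr):
    """True when the remote endpoint is a globally routable address.

    Listeners and UDP sockets usually carry '*' or an unspecified address,
    and RFC 1918, loopback and link-local ranges are internal traffic; all
    of those are rejected so only real outbound peers remain.
    """
    if addr in ("*", "", "0.0.0.0", "::"):
        return False
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_global


def exfil_candidates(text):
    """Return sockets with an external peer, grouped by (owner, pid)."""
    by_proc = defaultdict(list)
    for row in parse_netscan(text):
        if is_external(row["foreign_addr"]):
            by_proc[(row["owner"], row["pid"])].append(row)
    return by_proc


def flag_candidate(row):
    """Render one socket row in the FCSC{name:pid:ip:port:proto} format."""
    proto = "TCP" if row["proto"].upper().startswith("TCP") else "UDP"
    return (f"FCSC{{{row['owner']}:{row['pid']}:"
            f"{row['foreign_addr']}:{row['foreign_port']}:{proto}}}")


if __name__ == "__main__":
    for (owner, pid), rows in exfil_candidates(SAMPLE_NETSCAN).items():
        for row in rows:
            print(f"{owner} (PID {pid}) -> {row['foreign_addr']}:"
                  f"{row['foreign_port']} {row['state']}: {flag_candidate(row)}")
```

The filter only narrows the candidate list; a process talking to a public address is not malicious by itself, so each hit still has to be tied back to the red-screen boot event and to the process tree before it is treated as the answer.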

This challenge is part of a series that should be solved sequentially:

Author

haxom

Writeups

Date        Author        Language  Tags
2025-04-29  KazeTachinuu  🇫🇷