Ransomémoire 2/3 - Début d’investigation
Resolution
In this part, we first need to find the PID of the process that spawned svchost.exe (5540). It is 6424 (VBoxTray.exe), the process we already identified earlier because it contains a Meterpreter shellcode.
We dump the memory region that contains the shellcode with the windows.malfind module:
$ python3 vol.py -f fcsc.dmp windows.malfind --pid 6424 --dump
Searching for the constants present in the shellcode suggests it is the assembled form of migrate.asm.
However, on closer inspection, the instruction that migrate.asm writes as mov rdi, rax is an xchg rax, rdi in our dumped code. This means the shellcode actually corresponds to the assembly embedded in migrate_tcp_x64.rb.
All that is left is to find the port. The transport string is stored as UTF-16LE, so we use strings with -el (16-bit little-endian) and grep:
$ strings -el ransomemoire/shellcode_ransomemoire.bin | grep "tcp" -C 2
[...]
tcp://:8080
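The two checks above (the xchg vs. mov encoding, and the UTF-16LE transport string) can be automated over the malfind dump. The script below is an added example written for this writeup; it is not part of the challenge or of Volatility. It operates on a constructed byte blob standing in for the real shellcode_ransomemoire.bin (a couple of x64 instructions, including the two-byte `48 97` encoding of `xchg rax, rdi`, followed by a UTF-16LE `tcp://:8080` string), and the `pid` value is passed in by hand since that comes from the earlier Volatility step.

```python
import re

# Constructed sample standing in for the malfind dump. It is NOT the real
# shellcode from the challenge, only enough bytes to exercise the checks:
#   48 31 c0   xor rax, rax
#   48 97      xchg rax, rdi   <- the instruction that distinguishes the variants
#   48 31 c9   xor rcx, rcx
#   ... padding, then the UTF-16LE transport string, then ret
SAMPLE_SHELLCODE = (
    bytes.fromhex("4831c0")
    + bytes.fromhex("4897")
    + bytes.fromhex("4831c9")
    + b"\x00" * 8
    + "tcp://:8080".encode("utf-16-le") + b"\x00\x00"
    + bytes.fromhex("c3")
)

# Standard x86-64 encodings of the two candidate instructions.
XCHG_RAX_RDI = bytes.fromhex("4897")                        # xchg rax, rdi
MOV_RDI_RAX = (bytes.fromhex("4889c7"), bytes.fromhex("488bf8"))  # mov rdi, rax (both forms)


def utf16le_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Equivalent of `strings -el`: runs of printable ASCII stored as UTF-16LE."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pattern.finditer(data)]


def transport_info(data: bytes):
    """Return (scheme, host, port) for the first '<scheme>://<host>:<port>' string, or None."""
    for s in utf16le_strings(data):
        m = re.fullmatch(r"([a-z]+)://([^:]*):(\d+)", s)
        if m:
            return m.group(1), m.group(2), int(m.group(3))
    return None


def uses_xchg_variant(data: bytes) -> bool:
    """True when the dump contains xchg rax, rdi and no mov rdi, rax encoding.

    This is the byte-level form of the observation made in the writeup; it does
    not disassemble, so a false hit inside unrelated data is possible on real dumps.
    """
    return XCHG_RAX_RDI in data and not any(enc in data for enc in MOV_RDI_RAX)


def build_flag(pid: int, data: bytes) -> str:
    """Assemble the flag in the FCSC{<pid>:<scheme>:<port>} format used by this challenge."""
    info = transport_info(data)
    if info is None:
        raise ValueError("no transport string found in shellcode")
    scheme, _host, port = info
    return f"FCSC{{{pid}:{scheme}:{port}}}"


if __name__ == "__main__":
    print("xchg variant:", uses_xchg_variant(SAMPLE_SHELLCODE))
    print("strings -el :", utf16le_strings(SAMPLE_SHELLCODE))
    print("flag        :", build_flag(6424, SAMPLE_SHELLCODE))
```

To run it against the real dump, replace SAMPLE_SHELLCODE with `open("shellcode_ransomemoire.bin", "rb").read()`. The opcode check is deliberately crude: on a real region it is a quick confirmation of what you saw in the disassembler, not a substitute for it.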
Flag
FCSC{6424:tcp:8080}