Tags: forensics memorydump volatility darkcomet
Rating:
# Attaaaaack8
## Background
Q8. What is the Attacker's C2 domain name and port number ? (domain name:port number)
example : crew{abcd.com:8080}
Author : 0xSh3rl0ck
## Find the flag
Armed with the information from Attaaaaack2 - 7, we can guess that `runddl.exe` is ***keylogger*** malware, since we found that it retrieves the state of the keyboard (Attaaaaack7).
If it is a keylogger, the captured keystrokes have to go somewhere: they get exfiltrated to a Command and Control (C2) server.
So we can try to list all outbound connections and look for any unusual domains or IP addresses.
However, in Volatility 2 the only network plugin that supports this Windows 7 profile is `netscan` (which gives `netstat`-style output); the other connection-listing plugins (`connections`, `connscan`, `sockets`, `sockscan`) are for Windows XP and 2003 only.
I also tried to perform dynamic analysis by running `runddl.exe` in a sandbox environment. However, I got "Runtime error 216"...
**Then, I uploaded and ran it in the [any.run](https://any.run/) online malware sandbox:**
But nothing weird...
`procdump` rebuilds the PE from the process image, so its hash does not match the original sample; `dumpfiles -Q <offset>` instead extracts the file's cached contents, addressed by the physical offset of the `_FILE_OBJECT` reported by `filescan`.

**Finally, I re-dumped `runddl.exe` via `dumpfiles` (not `procdump`) and uploaded it to [virustotal.com](https://www.virustotal.com):**
```shell
┌[siunam♥Mercury]-(~/ctf/CrewCTF-2023/Forensics/Attaaaaack)-[2023.07.08|22:44:21(HKT)]
└> python2 /opt/volatility/vol.py --profile=Win7SP1x86_23418 -f memdump.raw dumpfiles --dump-dir=runddl -Q 0x000000003ea44038
[...]
┌[siunam♥Mercury]-(~/ctf/CrewCTF-2023/Forensics/Attaaaaack)-[2023.07.08|22:44:41(HKT)]
└> mv runddl/file.None.0x8436b6f0.img runddl/runddl.exe
```
**In the "Behavior" tab, we can see its "Network Communication" section:**
Under "Memory Pattern Urls", it lists URL patterns found in the memory of the executable.
Hence, `test213.no-ip.info:1604` is the C2 server.
- **Flag: `crew{test213.no-ip.info:1604}`**
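The "Memory Pattern Urls" observation can be reproduced offline. The script below is an added example, mine rather than the writeup author's and not VirusTotal's implementation: it carves ASCII and UTF-16LE (wide) strings out of a binary the way `strings` and `strings -el` would, then applies a hostname-or-IPv4 plus `:port` regex and counts each indicator, so a C2 string that is stored both as a narrow and a wide string shows up with a count of 2. `SAMPLE_DUMP` is a constructed byte blob (not bytes from the real `runddl.exe`) that contains the page's indicator plus some lookalike noise that must not be reported; the file name `carve_c2.py` in the usage comment is hypothetical.

```python
"""Carve host:port indicators (C2 candidates) out of a dumped executable.

Added example for this writeup; not the original author's code and not
VirusTotal's "Memory Pattern Urls" logic, only a local stand-in for it.
"""
import re
import sys

# Printable runs of 4+ chars, as `strings` (ASCII) and `strings -el` (UTF-16LE) find them.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")

# A dotted hostname (letters-only TLD) or an IPv4 dotted quad, followed by ":port".
# The lookbehind/lookahead stop the match from being a fragment of a longer token.
HOST_PORT = re.compile(
    r"(?<![A-Za-z0-9.-])"
    r"((?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}"
    r"|(?:\d{1,3}\.){3}\d{1,3})"
    r":(\d{1,5})"
    r"(?![A-Za-z0-9.])"
)


def extract_strings(data: bytes):
    """Yield decoded ASCII and UTF-16LE string runs from a byte blob."""
    for m in ASCII_RUN.finditer(data):
        yield m.group().decode("ascii")
    for m in WIDE_RUN.finditer(data):
        yield m.group().decode("utf-16le")


def _valid_ipv4(host: str) -> bool:
    parts = host.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)


def find_host_port(data: bytes) -> dict:
    """Return {(host, port): occurrences} for every host:port pattern in `data`."""
    hits = {}
    for s in extract_strings(data):
        for m in HOST_PORT.finditer(s):
            host, port = m.group(1).lower(), int(m.group(2))
            if not 1 <= port <= 65535:
                continue
            # All-digit hosts only come from the IPv4 branch; reject octets > 255.
            if host.replace(".", "").isdigit() and not _valid_ipv4(host):
                continue
            hits[(host, port)] = hits.get((host, port), 0) + 1
    return hits


# Constructed sample standing in for a few bytes of a dumped PE: one ASCII
# host:port, the same indicator stored as a wide string, a URL, an IPv4:port,
# and lookalike noise that must NOT be reported. Not bytes from the real runddl.exe.
SAMPLE_DUMP = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    + b"C:\\Windows\\System32\\runddl.exe\x00"     # path, no host:port in it
    + b"build 5.3.1:2\x00"                         # version-like, not a host
    + b"test213.no-ip.info:1604\x00"               # ASCII indicator
    + b"\x8b\xec\x83\xc4\xf0"                      # opaque code bytes
    + "test213.no-ip.info:1604".encode("utf-16le") + b"\x00\x00"  # wide copy
    + b"http://www.example.com:8080/update\x00"    # host:port inside a URL
    + b"192.168.1.10:443\x00"                      # IPv4:port
)


if __name__ == "__main__":
    # Usage: python carve_c2.py runddl/runddl.exe   (no argument: scan the constructed sample)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for (host, port), n in sorted(find_host_port(blob).items(), key=lambda kv: -kv[1]):
        print(f"{host}:{port}\t(seen {n}x)")
```

Run it against the dumped `runddl/runddl.exe` from the `dumpfiles` step to get the same kind of list VirusTotal shows; indicators that appear more than once, or both narrow and wide, are usually configuration strings rather than stray text, which is what makes `test213.no-ip.info:1604` stand out.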