Tags: forensics memorydump volatility darkcomet 

# Attaaaaack9

## Background

Q9. Seems that there is a keylogger, can you find its path?

example : `crew{C:\Windows\System32\abc.def}`

Author : 0xSh3rl0ck

![](https://raw.githubusercontent.com/siunam321/CTF-Writeups/main/CrewCTF-2023/images/Pasted%20image%2020230710142923.png)

## Find the flag

I was stuck on this challenge for a very long time.

I then decided to Google `"test213.no-ip.info" keylogger`, and I found [this malware analysis blog](http://www.tekdefense.com/news/tag/malware-analysis):

![](https://raw.githubusercontent.com/siunam321/CTF-Writeups/main/CrewCTF-2023/images/Pasted%20image%2020230709124728.png)

So, this malware is DarkComet RAT (Remote Access Trojan).

In the blog, the blogger found that the keylogger has an offline option: the malware keeps logging keystrokes to a **local file** that the attacker can pick up later whenever they want.

![](https://raw.githubusercontent.com/siunam321/CTF-Writeups/main/CrewCTF-2023/images/Pasted%20image%2020230709125155.png)

**In our volatility2 `filescan`, we can see that there's a weird `.dc` log file:**
```shell
0x000000003fcb3350 8 0 -W-r-- \Device\HarddiskVolume1\Users\0xSh3rl0ck\AppData\Roaming\dclogs\2023-02-20-2.dc
```

**We can also dump that file:**
```shell
┌[siunam♥Mercury]-(~/ctf/CrewCTF-2023/Forensics/Attaaaaack)-[2023.07.09|12:53:01(HKT)]
└> python2 /opt/volatility/vol.py --profile=Win7SP1x86_23418 -f memdump.raw dumpfiles --dump-dir=runddl -Q 0x000000003fcb3350
Volatility Foundation Volatility Framework 2.6.1
DataSectionObject 0x3fcb3350 None \Device\HarddiskVolume1\Users\0xSh3rl0ck\AppData\Roaming\dclogs\2023-02-20-2.dc
┌[siunam♥Mercury]-(~/ctf/CrewCTF-2023/Forensics/Attaaaaack)-[2023.07.09|12:53:31(HKT)]
└> cat runddl/file.None.0x84273670.dat
:: Administrator: C:\Windows\System32\cmd.exe (9:04:57 PM)

:: Start menu (9:05:01 PM)
no

:: Untitled - Notepad (9:10:54 PM)
=[<-]

:: Clipboard Change : size = 27 Bytes (9:10:54 PM)
C:\Users\0xSh3rl0ck\Desktop
```
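As an added example (not part of the original writeup, and not DarkComet's or Volatility's own code), here is a small Python helper that automates the two steps above: scanning `filescan` output for DarkComet's offline keylogger files and parsing the dumped `.dc` log into structured entries (window title, timestamp, captured text) that can be reviewed or ingested into a timeline. Assumptions: the `dclogs\YYYY-MM-DD-N.dc` naming pattern is generalised from the single path seen on this page; the `\Device\HarddiskVolumeN` to `C:` rewrite mirrors the flag format and is an assumption, not something Volatility guarantees; the `filescan` line and the log contents are constructed from the output shown above.

```python
"""
Triage helpers for the DarkComet offline keylogger artefact discussed above.

Two steps a defender repeats in cases like this:
  1. scan volatility2 `filescan` output for DarkComet's per-day logs
     (assumed pattern: %APPDATA%\\dclogs\\YYYY-MM-DD-N.dc) and emit their offsets;
  2. parse a dumped .dc log into structured entries so window titles,
     timestamps and captured text can be reviewed or ingested.

Sample inputs below are constructed from the lines shown in the writeup.
"""
import re

# --- constructed sample: `vol.py filescan` output (first line is from the writeup,
#     second is a benign filler line so the filter has something to reject) ---
FILESCAN_OUTPUT = """\
0x000000003fcb3350 8 0 -W-r-- \\Device\\HarddiskVolume1\\Users\\0xSh3rl0ck\\AppData\\Roaming\\dclogs\\2023-02-20-2.dc
0x000000003fcb4000 5 0 R--r-d \\Device\\HarddiskVolume1\\Windows\\System32\\kernel32.dll
"""

# --- constructed sample: contents of the dumped .dc file (from the writeup) ---
DC_LOG = """\
:: Administrator: C:\\Windows\\System32\\cmd.exe (9:04:57 PM)

:: Start menu (9:05:01 PM)
no

:: Untitled - Notepad (9:10:54 PM)
=[<-]

:: Clipboard Change : size = 27 Bytes (9:10:54 PM)
C:\\Users\\0xSh3rl0ck\\Desktop
"""

# filescan columns: Offset(P)  #Ptr  #Hnd  Access  Name
FILESCAN_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+\d+\s+\d+\s+\S+\s+(.+?)\s*$")
# Assumed naming: DarkComet writes <date>-<n>.dc inside a "dclogs" directory.
DCLOG_PATH_RE = re.compile(r"\\dclogs\\\d{4}-\d{2}-\d{2}-\d+\.dc$", re.IGNORECASE)
# Each log entry starts with ":: <window title> (<time>)" as seen in the dump above.
ENTRY_HEADER_RE = re.compile(r"^:: (?P<title>.*) \((?P<time>[^)]*)\)\s*$")


def find_dclogs(filescan_text):
    """Return [(offset, path)] for filescan lines that look like DarkComet keylogs."""
    hits = []
    for line in filescan_text.splitlines():
        m = FILESCAN_RE.match(line)
        if m and DCLOG_PATH_RE.search(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits


def dumpfiles_command(offset, profile, image, outdir="dclogs_out"):
    """Build the volatility2 dumpfiles invocation used in the writeup for one file object."""
    return (f"python2 vol.py --profile={profile} -f {image} dumpfiles "
            f"--dump-dir={outdir} -Q {offset}")


def parse_dclog(text):
    """Parse a .dc log into [{'title', 'time', 'data'}].

    Non-header, non-blank lines are appended to the most recent entry's data,
    so keystrokes and clipboard captures stay attached to the window they came from.
    """
    entries = []
    for line in text.splitlines():
        m = ENTRY_HEADER_RE.match(line)
        if m:
            entries.append({"title": m.group("title"), "time": m.group("time"), "data": ""})
        elif entries and line.strip():
            entries[-1]["data"] += line + "\n"
    for e in entries:
        e["data"] = e["data"].rstrip("\n")
    return entries


def log_path_from_filescan(path):
    """Rewrite the \\Device\\HarddiskVolumeN prefix to C: (assumption: volume 1 is the system drive)."""
    return re.sub(r"^\\Device\\HarddiskVolume\d+", "C:", path)


if __name__ == "__main__":
    for off, path in find_dclogs(FILESCAN_OUTPUT):
        print(off, log_path_from_filescan(path))
        print(dumpfiles_command(off, "Win7SP1x86_23418", "memdump.raw"))
    for e in parse_dclog(DC_LOG):
        print(f"[{e['time']}] {e['title']!r}: {e['data']!r}")
```

Run it against a real `filescan` dump by feeding the full output into `find_dclogs`; each offset it returns can be handed straight to `dumpfiles -Q`, and the parsed entries give the window title and time of every capture, which is what you want when correlating the keylog with process and network evidence elsewhere in the image.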

- **Flag: `crew{C:\Users\0xSh3rl0ck\AppData\Roaming\dclogs\2023-02-20-2.dc}`**

Original writeup (https://siunam321.github.io/ctf/CrewCTF-2023/Forensics/Attaaaaack1-13/#attaaaaack9).