Tags: forensics memorydump volatility darkcomet 

# Attaaaaack12

## Background

Q12. What is the strange handle used by the malware?

example : crew{the name of the handle}

Author: 0xSh3rl0ck

![](https://raw.githubusercontent.com/siunam321/CTF-Writeups/main/CrewCTF-2023/images/Pasted%20image%2020230710142946.png)

## Find the flag

**The blog post we found in Attaaaaack9 has a section on listing the malware's mutants with Volatility's `handles` plugin:**

![](https://raw.githubusercontent.com/siunam321/CTF-Writeups/main/CrewCTF-2023/images/Pasted%20image%2020230709130104.png)

```shell
┌[siunam♥Mercury]-(~/ctf/CrewCTF-2023/Forensics/Attaaaaack)-[2023.07.09|13:01:21(HKT)]
└> python2 /opt/volatility/vol.py --profile=Win7SP1x86_23418 -f memdump.raw handles -p 300 -t Mutant
Volatility Foundation Volatility Framework 2.6.1
Offset(V) Pid Handle Access Type Details
---------- ------ ---------- ---------- ---------------- -------
0x843b0728 300 0x58 0x1f0001 Mutant
0x843b0b28 300 0x5c 0x1f0001 Mutant
0x842eb8b8 300 0x170 0x1f0001 Mutant DC_MUTEX-KHNEW06
[...]
```

- **Flag: `crew{DC_MUTEX-KHNEW06}`**
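As an added example (not part of the original writeup), here is a small Python parser for the Volatility 2.6 `handles` table that pulls out named mutants and flags the ones matching DarkComet's `DC_MUTEX-` naming seen above. The sample output is constructed from the rows shown plus one benign mutex, and the length bound in the name pattern is an assumption rather than a DarkComet specification.

```python
import re

# Constructed sample of `vol.py handles -t Mutant` output, modelled on the three
# rows in the writeup above plus one benign named mutex for contrast.
SAMPLE_OUTPUT = """Volatility Foundation Volatility Framework 2.6.1
Offset(V)  Pid Handle Access Type Details
---------- ------ ---------- ---------- ---------------- -------
0x843b0728 300 0x58 0x1f0001 Mutant
0x843b0b28 300 0x5c 0x1f0001 Mutant
0x842eb8b8 300 0x170 0x1f0001 Mutant DC_MUTEX-KHNEW06
0x842f1234 300 0x174 0x1f0001 Mutant Local\\MSCTF.Asm.MutexDefault1
"""

# DarkComet's default mutex is "DC_MUTEX-" followed by a short upper-case
# alphanumeric tag (KHNEW06 above); the 4-8 length bound is an assumption.
DARKCOMET_MUTEX = re.compile(r"^DC_MUTEX-[A-Z0-9]{4,8}$")

# One table row: offset, pid, handle, access, type, optional details.
ROW = re.compile(
    r"^(0x[0-9a-f]+)\s+(\d+)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(\S+)(?:\s+(.*))?$"
)


def parse_handles(text):
    """Return one dict per handle row; banner, header and rule lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        offset, pid, handle, access, htype, details = m.groups()
        rows.append({"offset": offset, "pid": int(pid), "handle": handle,
                     "access": access, "type": htype, "details": details or ""})
    return rows


def named_mutants(rows):
    """Mutants that carry a name; unnamed ones are common and carry no signal."""
    return [r["details"] for r in rows if r["type"] == "Mutant" and r["details"]]


def darkcomet_mutants(rows):
    """Named mutants whose name follows the DarkComet DC_MUTEX-<tag> convention."""
    return [name for name in named_mutants(rows) if DARKCOMET_MUTEX.match(name)]


if __name__ == "__main__":
    for name in darkcomet_mutants(parse_handles(SAMPLE_OUTPUT)):
        print("DarkComet-style mutex:", name)
```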

Original writeup (https://siunam321.github.io/ctf/CrewCTF-2023/Forensics/Attaaaaack1-13/#attaaaaack12).