CyberDefenders — NintendoHunt Writeup

a1l4m
4 min read · Aug 25, 2023

memory | volatility | Windows

Background

Scenario:

You have been hired as a SOC analyst to investigate a potential security breach at a company. The company has recently noticed unusual network activity and suspects that there may be a malicious process running on one of their computers. Your task is to identify the malicious process and gather information about its activity.

Details:

Category: endpoint forensics

Difficulty: Difficult

What is the process ID of the currently running malicious process?

This one is simple: run the pstree plugin and something will grab your attention, which is an svchost.exe (a system process) running under explorer.exe (a user application). On a normal Windows host every svchost.exe is started by services.exe, so explorer.exe as its parent is the giveaway.

vol -f memdump.mem windows.pstree

pstree output

You will notice that all of these svchost.exe instances have an exit time except one, and that running one is the malicious process the question asks for.
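The same parentage check, written out as an added example rather than code from the original writeup. It runs over a process list shaped like the Volatility 3 windows.pstree columns (PID, PPID, ImageFileName, ExitTime); the expected-parent table is an assumption about a stock Windows install, and SAMPLE_PROCS is constructed, not taken from the challenge image.

```python
# Added example, not code from the original writeup. It encodes the
# "svchost.exe under explorer.exe" observation as a check over a process
# list shaped like the Volatility 3 windows.pstree columns (PID, PPID,
# ImageFileName, ExitTime). SAMPLE_PROCS below is constructed, not taken
# from the challenge memory image.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    exit_time: Optional[str] = None  # None = still running (empty ExitTime column)


# Assumption: stock Windows parentage. Some EDR agents or custom builds
# differ, so treat a hit as a lead to confirm (cmdline, dlllist, handles),
# not a verdict.
EXPECTED_PARENT = {
    "smss.exe": {"system"},
    "csrss.exe": {"smss.exe"},
    "wininit.exe": {"smss.exe"},
    "winlogon.exe": {"smss.exe"},
    "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"},
    "svchost.exe": {"services.exe"},
}

# The per-session smss.exe instance exits right after spawning these, so a
# parent that is no longer in the list is normal for them, not suspicious.
PARENT_MAY_BE_GONE = {"csrss.exe", "wininit.exe", "winlogon.exe"}


def find_suspicious(procs: List[Proc], include_exited: bool = False) -> List[dict]:
    """Return processes whose parent is not the one Windows would give them."""
    by_pid: Dict[int, Proc] = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        if p.exit_time is not None and not include_exited:
            continue  # the question asks for the *currently running* one
        expected = EXPECTED_PARENT.get(p.name.lower())
        if expected is None:
            continue
        parent = by_pid.get(p.ppid)
        if parent is None and p.name.lower() in PARENT_MAY_BE_GONE:
            continue
        parent_name = parent.name if parent else "<not in list>"
        if parent_name.lower() not in expected:
            findings.append({"pid": p.pid, "name": p.name, "ppid": p.ppid,
                             "parent": parent_name, "expected": sorted(expected)})
    return findings


# Constructed sample: PIDs, names and the one exit time are made up.
SAMPLE_PROCS = [
    Proc(4, 0, "System"),
    Proc(300, 4, "smss.exe"),
    Proc(400, 350, "csrss.exe"),       # PID 350 (session smss.exe) already exited
    Proc(500, 350, "wininit.exe"),
    Proc(600, 500, "services.exe"),
    Proc(700, 500, "lsass.exe"),
    Proc(800, 600, "svchost.exe"),     # normal: child of services.exe
    Proc(1500, 1400, "explorer.exe"),  # userinit.exe (PID 1400) exited; not checked
    Proc(2200, 1500, "svchost.exe"),   # running under explorer.exe: the finding
    Proc(2300, 1500, "svchost.exe", exit_time="2023-08-01 10:00:00"),  # exited
    Proc(2400, 9999, "svchost.exe"),   # parent absent, and svchost has no excuse
    Proc(2500, 1500, "notepad.exe"),
]

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_PROCS):
        print(f"PID {f['pid']} {f['name']} has parent {f['parent']} "
              f"(PPID {f['ppid']}), expected {f['expected']}")
```

With the default include_exited=False the check mirrors the question: only the svchost.exe that is still running is reported; pass include_exited=True to also see the earlier, already-exited instances that pstree shows under explorer.exe.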

What is the md5 hash hidden in the malicious process memory?

It may seem simple: dump the process, then run strings over it and grep for keywords (hash, md5, hidden, etc.). I even tried limiting the search with -n 32 (print only strings at least 32 characters long) and used this regex, which greps specifically for MD5-shaped values: grep -E -o '\b[0-9a-fA-F]{32}\b'

Note:
-E: Enables extended regular expressions.
-o: Only prints the matching part of the line.
\b: A word boundary, ensuring the 32 hex characters are not part of a longer token (a SHA-1 or a longer hex blob would not match).
[0-9a-fA-F]{32}: Matches exactly 32 hexadecimal characters (digits 0-9 or letters a-f, A-F), the length of an MD5 hash.

But the thing is, the dumped process was nearly 800 MB, lol. So there was no way for me to get the hash by running strings and grepping for the common keywords.

So I just gave up on it, as I didn't see any other way to get it. When I looked at the official writeup it said to use strings, and you will come across this section:

hash of the injected process

What is the process name of the malicious process parent?

We already got it from the first question: the parent of the malicious svchost.exe is explorer.exe.

What is the MAC address of this machine’s default gateway?

After dumping the SOFTWARE and SYSTEM hives, I checked several paths such as HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318} (the network adapter class) and SYSTEM\ControlSet001\Services\Tcpip6\Parameters, which gave me this MAC address: 00 0c 29 39 20 49. But then I realised it was asking for the MAC address of the default gateway, not of the machine itself. (Two things worth knowing here: CurrentControlSet is a symbolic link that only exists on a live system, so in a dumped hive you read ControlSet001 or whichever set Select\Current points at; and 00:0c:29 is a VMware OUI, so that address belongs to the VM's own adapter.)

Then I dumped the SOFTWARE hive, ran RegRipper against it and searched the output for "gateway mac", which got me this. RegRipper's networklist plugin reads the NetworkList\Signatures keys under SOFTWARE\Microsoft\Windows NT\CurrentVersion, where Windows records the DefaultGatewayMac for every network the machine has joined:

regripper output

What is the name of the file that is hidden in the alternative data stream?

I used the filescan plugin to list the .txt files on the machine, but I only found a file named test.txt, nothing more. I also tried looking at the $LogFile and $MFT data, but no luck.

After a bit of searching about alternate data streams, I found that to create one you use a command like this:

Alternate Data Streams creation

The first thing that came to mind was to use strings and grep for this pattern. We have notepad.exe, we have type, and we have the ":" separator. Earlier we saw test.txt on the desktop, and after reading its content from the MFT it looked very suspicious to me, to be honest.

MFT record for test.txt

So I thought maybe the attacker was using test.txt to carry the alternate data stream. I used this command:

strings -el memdump.mem | grep -i "test.txt:*"

and found the stream named yes.txt. Two notes on the command: -el tells strings to extract 16-bit little-endian (UTF-16LE) strings, which is how Windows keeps paths and console input in memory, so a plain strings run would miss this; and in grep's regex the * applies to the preceding colon, so the pattern also matches plain test.txt. It worked here because the hits with the colon show up in the results, but grep -i "test\.txt:" is the tighter pattern.

output of strings

Note: After that I searched for yes.txt in the MFT records and actually found it, lol. It was the one containing "Oooh… could this be a flag".
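Both hunts above (the MD5 candidate search and the test.txt:yes.txt search) come down to the same thing: pull printable strings out of a memory image in both ASCII and UTF-16LE, then pattern-match them. The following is an added example, not code from the original writeup or the challenge, that does exactly that. The regexes and the minimum string length are my choices, and SAMPLE_DUMP is a constructed byte buffer made to look like fragments of process memory, not data from the real image.

```python
# Added example, not from the original writeup. A stand-in for
# "strings | grep" and "strings -el | grep" that scans one buffer for
# ASCII and UTF-16LE strings and applies the two patterns used above.
# SAMPLE_DUMP is CONSTRUCTED and is not data from the challenge image.
import re
from typing import Dict, Iterator, List, Tuple

MIN_LEN = 6  # strings(1) defaults to 4; 6 cuts noise in a large dump

# Printable-ASCII runs, and the same characters as UTF-16LE (each byte
# followed by NUL), which is how Windows stores paths and console input.
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")
# file:stream as typed on a Windows command line. The trailing lookahead
# rejects "host:port/path" and drive-letter paths; purely numeric streams
# are dropped below since they are almost always ports or timestamps.
ADS_RE = re.compile(r"\b(?P<file>[\w-]+\.\w+):(?P<stream>[\w.-]+)\b(?![\\/])")


def extract_strings(buf: bytes) -> Iterator[Tuple[int, str, str]]:
    """Yield (offset, encoding, text): `strings` followed by `strings -el`."""
    for m in ASCII_RE.finditer(buf):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16_RE.finditer(buf):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")


def find_md5_candidates(buf: bytes) -> List[Dict[str, object]]:
    """32-hex tokens with the string they sit in, so the context can be judged."""
    hits = []
    for off, enc, text in extract_strings(buf):
        for m in MD5_RE.finditer(text):
            hits.append({"offset": off, "encoding": enc,
                         "hash": m.group().lower(), "context": text})
    return hits


def find_ads_references(buf: bytes) -> List[Dict[str, object]]:
    """file:stream references such as test.txt:yes.txt, in either encoding."""
    hits = []
    for off, enc, text in extract_strings(buf):
        for m in ADS_RE.finditer(text):
            if m.group("stream").isdigit():
                continue
            hits.append({"offset": off, "encoding": enc,
                         "file": m.group("file"), "stream": m.group("stream"),
                         "context": text})
    return hits


# Constructed sample buffer. The two hashes are md5("hello") and md5 of
# "The quick brown fox jumps over the lazy dog"; the paths are made up.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"Hidden: 5d41402abc4b2a76b9719d911017c592 is the md5 of hello\x00"
    + b"deadbeefdeadbeefdeadbeefdeadbeefXX\x00"          # 34 word chars: no boundary
    + b"http://www.13cubed.com:443/index.html\x00"         # host:port, not an ADS
    + "C:\\Users\\bob\\Desktop\\test.txt:yes.txt".encode("utf-16-le") + b"\x00\x00"
    + "notepad.exe test.txt:yes.txt".encode("utf-16-le") + b"\x00\x00"
    + "MD5: 9e107d9d372bb6826bd81d3542a419d6".encode("utf-16-le") + b"\x00\x00"
)

if __name__ == "__main__":
    for h in find_md5_candidates(SAMPLE_DUMP):
        print(f"{h['offset']:#08x} {h['encoding']:8} {h['hash']}  <- {h['context']}")
    for a in find_ads_references(SAMPLE_DUMP):
        print(f"{a['offset']:#08x} {a['encoding']:8} {a['file']}:{a['stream']}")
```

For a real 800 MB dump, open the file with mmap and pass the mapping straight to these functions; re.finditer accepts any bytes-like object, so nothing has to be copied into memory. The UTF-16LE pass is the one that matters for the ADS question, and the ASCII pass alone would have missed it.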

What is the full path of the browser cache created when the user visited “www.13cubed.com"?

To get an idea of where Edge stores its cache, I used this command with the filescan plugin:

filescan output

So all we need to do now is find the exact location where the 13cubed visit is logged.

I found a PNG logo of the 13cubed site in the folder \IQDBNKYD, but when I submitted that path as the answer it wasn't accepted.

At this point I didn't know where to go, so I checked the first hint. It says: Run the Volatility "mftparser" plugin to analyze potential MFT entries in memory. (mftparser is a Volatility 2 plugin; in Volatility 3 the equivalent is windows.mftscan.)

MFT record

Okay, so after searching there I found it.

That’s it for now, Cya geeks.
