We’re testing our Memory Analysis package (currently in beta) against various challenges available online.
We found this challenge on Hack The Box, so credit goes to them for creating it.
The scenario is as follows:
“A non-technical client recently purchased a used computer for personal use from a stranger they encountered online. Since acquiring the computer, the client has been using it without making any changes, specifically not installing or uninstalling any software. However, they have begun experiencing issues related to internet connectivity. This includes receiving error messages such as ‘Server Not Found’ and encountering difficulties with video streaming. Despite these problems, checks with the Windows Network Troubleshooter indicate no issues with the internet connection itself. The client has provided a memory image and disk artifacts for investigation to determine if there are any underlying issues causing these problems.”
The challenge includes several questions. We begin by identifying the suspicious process and examining the mutex it creates. To confirm that the mutex belongs to the malware, we decompile the executable directly from the memory dump, analyze its anti-debugging technique, and observe one of the files it opens on disk. Using the AD1 Format package, we then open the disk artifacts to inspect the config.ini file the malware reads and extract the FQDN of the target website from it.