Forwarded from Team ETF (ᴵ ᵃᵐ ᵍʳᵒᵒᵗ)
Sorry, I forgot to tell you about the captured memory file.
It's from otterctf.com
Login and see in the memory forensics section
Or
Direct download from
https://mega.nz/#!sh8wmCIL!b4tpech4wzc3QQ6YgQ2uZnOmctRZ2duQxDqxbkWYipQ
Forwarded from Team ETF (Groot)
If you really have any doubts,
Contact me
@Etf_Zan_bot ( bot )
@zincster ( id )
I will try to respond fast 😐
Forwarded from Team ETF (ᴵ ᵃᵐ ᵍʳᵒᵒᵗ)
Ok, hold your beers 🍻 guys,
If you are following OtterCTF, no worries.
If not, I will begin with the question too.
1. In the above given dump file (otterctf.vmem)
The user used to play an online game, and you need to find the game name and its server IP address.
How will you do it? Think.
Answer:-
Do netscan using Volatility
Forwarded from Team ETF (ᴵ ᵃᵐ ᵍʳᵒᵒᵗ)
3. There's malware in the dump file; now you need to track the malware.
Let's begin.
Normally hackers make the malware run in the background, so let's check if there are any hidden processes using the psxview plugin.
In most cases, both pslist and psscan will show False for malware, but here it's some special case 😑
Forwarded from Team ETF (Groot)
4. So let's use the pstree plugin, which will show the running processes in tree format.
And here we can see 2 suspicious processes (guessing that they might be malware):
vmware-tray
Rick and Morty
Because the PID of Rick and Morty matches the PPID of vmware-tray.
PID - process ID
PPID - parent PID
vmware-tray is a common process in VMware. The name doesn't look suspicious.
Let's check where the file exists.
Forwarded from Team ETF (Groot)
5. Let's use the filescan module to check where that actual file exists.
Now we can see that the file isn't in the VMware directory at all. It's in the most common malware directory, "tmp".
Now it's sure that it is a virus.
To be 100% sure, dump that file to your device and scan it on VirusTotal (use the dumpmem plugin or any suitable one to dump it).