SANS Digital Forensics and Incident Response Blog

APT Malware and Memory Challenge

The memory image contains real APT malware launched against a test system. Your job? Find it.

The object of our challenge is simple: Download the memory image and attempt to answer the 5 questions.

DOWNLOAD LINK FOR MEMORY IMAGE: http://dfir.to/APT-Memory-Image

Questions:

  1. What is the Process ID of the rogue process on the system?
  2. Determine the name of the rogue file found in the process (PID) identified in the previous question.
  3. How is the malware achieving persistence on the system?
  4. What is the filename of the file that is hiding the presence of the malware on the system?
  5. What is the name of the ISP that hosts the network the malware is communicating with?

The solution can be found here: http://digital-forensics.sans.org/blog/2014/02/08/apt-memory-and-malware-analysis-solution

2 Comments

Posted December 09, 2013 at 8:30 PM

Kirby

Got the results, but can't seem to enter them. Question 3 (the checkboxes) says it requires an answer. Checks don't count?

Thx

Posted December 09, 2013 at 8:50 PM

Tyler

I have been trying to post my answers, but it keeps saying #3 requires an answer despite there being one. Is there an issue with the answer form?
