The memory image contains real APT malware launched against a test system. Your job? Find it.
The object of our challenge is simple: download the memory image and attempt to answer the five questions below.
DOWNLOAD LINK FOR MEMORY IMAGE: http://dfir.to/APT-Memory-Image
- What is the Process ID of the rogue process on the system?
- What is the name of the rogue file found inside the process (PID) identified in the previous question?
- How is the malware achieving persistence on the system?
- What is the filename of the file that is hiding the presence of the malware on the system?
- What is the name of the ISP hosting the network the malware is communicating with?
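The five questions map onto a standard first memory-triage pass: list processes two different ways and compare the views, check that the Windows system processes have the parents they should, and pull the remote endpoints out of the network connections. As an added example that is not part of the challenge or of the SANS solution, the Python script below runs those checks over Volatility 2 style text output: it parses `pslist` and `psscan`, reports processes the active-process list walk missed (the hiding behaviour behind question 4), flags system processes whose parent is wrong (question 1), and extracts non-local endpoints from `netscan` for an ISP lookup (question 5). All three listings are constructed for the example; the process names, PIDs, offsets and addresses in them are hypothetical and say nothing about the real image.

```python
"""Triage helpers for Volatility 2 text output. Every listing below is
CONSTRUCTED for illustration; it is not from the challenge image and does
not contain its answers."""
import ipaddress
import re
from typing import Dict, List, Set, Tuple

# Constructed `pslist` output: the walk of the kernel's active-process list.
PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0x84f0a020 System                    4      0     87      516 ------      0 2014-02-01 10:00:00 UTC+0000
0x85b43d40 smss.exe                256      4      2       29 ------      0 2014-02-01 10:00:02 UTC+0000
0x86211030 wininit.exe             372    320      3       76      0      0 2014-02-01 10:00:05 UTC+0000
0x862b8020 services.exe            468    372      9      225      0      0 2014-02-01 10:00:06 UTC+0000
0x8638f4f0 svchost.exe             604    468     11      363      0      0 2014-02-01 10:00:07 UTC+0000
0x865bd030 explorer.exe           1412   1392     24      769      1      0 2014-02-01 10:01:12 UTC+0000
0x8660e8a8 svchost.exe            1880   1412      3       98      1      0 2014-02-01 10:04:41 UTC+0000
"""

# Constructed `psscan` output: a pool-tag scan of physical memory for EPROCESS
# blocks, which also finds processes unlinked from the list above (DKOM) or exited.
PSSCAN = """\
Offset(P)  Name                PID   PPID PDB        Time created
---------- ---------------- ------ ------ ---------- ------------------------------
0x3e11a020 System                4      0 0x00185000 2014-02-01 10:00:00 UTC+0000
0x3f1c3d40 smss.exe            256      4 0x3e8c1020 2014-02-01 10:00:02 UTC+0000
0x3f311030 wininit.exe         372    320 0x3e8c10a0 2014-02-01 10:00:05 UTC+0000
0x3f3b8020 services.exe        468    372 0x3e8c1100 2014-02-01 10:00:06 UTC+0000
0x3f48f4f0 svchost.exe         604    468 0x3e8c11c0 2014-02-01 10:00:07 UTC+0000
0x3f6bd030 explorer.exe       1412   1392 0x3e8c1220 2014-02-01 10:01:12 UTC+0000
0x3f70e8a8 svchost.exe        1880   1412 0x3e8c1280 2014-02-01 10:04:41 UTC+0000
0x3f0c2d40 updater.exe        2344    468 0x3e8c12e0 2014-02-01 10:05:30 UTC+0000
"""

# Constructed `netscan` output. 203.0.113.45 is an RFC 5737 documentation
# address standing in for a real C2 host.
NETSCAN = """\
Offset(P)  Proto  Local Address          Foreign Address    State        Pid   Owner
0x3e8a0c48 TCPv4  192.168.56.101:49172   203.0.113.45:443   ESTABLISHED  1880  svchost.exe
0x3e8b1d10 TCPv4  192.168.56.101:139     0.0.0.0:0          LISTENING    4     System
0x3e8c2e20 UDPv4  127.0.0.1:1900         *:*                             604   svchost.exe
0x3e8d3f30 TCPv4  192.168.56.101:49180   192.168.56.1:445   ESTABLISHED  4     System
"""

LISTING_RE = re.compile(r"^0x[0-9a-f]+\s+(\S+)\s+(\d+)\s+(\d+)", re.IGNORECASE)


def parse_processes(listing: str) -> Dict[int, Tuple[str, int]]:
    """Map PID -> (name, PPID) from pslist/psscan-style output; header rows are skipped."""
    procs: Dict[int, Tuple[str, int]] = {}
    for line in listing.splitlines():
        m = LISTING_RE.match(line)
        if m:
            procs[int(m.group(2))] = (m.group(1), int(m.group(3)))
    return procs


def unlinked_processes(pslist: str, psscan: str) -> Dict[int, str]:
    """PIDs the pool scan found that the list walk did not: the classic sign of a
    process unlinked by a rootkit. Exited processes land here too, so confirm
    against psscan's exit time before calling it hidden."""
    listed = parse_processes(pslist)
    return {pid: name for pid, (name, _) in parse_processes(psscan).items() if pid not in listed}


# Parent every instance of these Windows processes should have (Vista/7-era boot chain).
EXPECTED_PARENT = {
    "smss.exe": "system",
    "services.exe": "wininit.exe",
    "lsass.exe": "wininit.exe",
    "svchost.exe": "services.exe",
}


def unexpected_parents(pslist: str) -> List[Tuple[int, str, str]]:
    """(PID, name, actual parent name) for system processes whose parent is wrong
    or missing: a common way a malware-dropped 'svchost.exe' gives itself away."""
    procs = parse_processes(pslist)
    findings = []
    for pid, (name, ppid) in procs.items():
        expected = EXPECTED_PARENT.get(name.lower())
        if expected is None:
            continue
        actual = procs.get(ppid, ("<not in pslist>", 0))[0]
        if actual.lower() != expected:
            findings.append((pid, name, actual))
    return findings


# Address space that cannot be the ISP-hosted endpoint question 5 asks about.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]
ENDPOINT_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")


def external_endpoints(netscan: str) -> Set[Tuple[int, str, int]]:
    """(PID, remote IP, remote port) for every connection to a non-local address;
    these IPs are what you hand to whois / an RIR lookup to name the hosting ISP."""
    found = set()
    for line in netscan.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("0x"):
            continue
        m = ENDPOINT_RE.fullmatch(parts[3])
        if m is None:  # '*:*' (unbound UDP) or an IPv6 row this example does not handle
            continue
        ip = ipaddress.ip_address(m.group(1))
        if not any(ip in net for net in LOCAL_NETS):
            found.add((int(parts[5]), str(ip), int(m.group(2))))
    return found


if __name__ == "__main__":
    print("psscan-only processes:", unlinked_processes(PSLIST, PSSCAN))
    print("unexpected parents:", unexpected_parents(PSLIST))
    print("external endpoints:", external_endpoints(NETSCAN))
```

To use it on the real image, feed the functions the text that `vol.py -f <image> --profile=<profile> pslist`, `psscan` and `netscan` (or `connscan`/`sockets` on an XP-era profile) print, then run `whois` on the returned addresses for the ISP. The parent-process table is profile specific: on Windows XP, `services.exe` and `lsass.exe` are children of `winlogon.exe`, not `wininit.exe`, so adjust `EXPECTED_PARENT` to the image's OS before trusting its findings.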
Solution can be found here: http://digital-forensics.sans.org/blog/2014/02/08/apt-memory-and-malware-analysis-solution