DESCRIPTION
You have been given a memory dump of the computer that was acquired from the hacker. Also, an encrypted file was found on the USB stick that was attached to the PC.
QUESTION
Memory dump and secret file have been uploaded to:
Download the archive, unzip and analyze.
SOLUTION
TrueCrypt was running on the machine: TrueCrypt.exe (PID 2324) sits under explorer.exe in the process tree below, so it was started by the logged-on user, about a minute after the other desktop programs (putty, calc, notepad).
Volatility's truecryptpassphrase plugin recovers the passphrase that TrueCrypt keeps cached in its driver's memory: 67Nj9kL11wQ.P-r5RmsDDx (if no cached passphrase is found, the truecryptmaster plugin can still recover the volume's master key).
Volatility process tree (pstree):
root@cboekali-100:~# volatility -f memory.dump --profile=Win7SP1x64 pstree
Volatility Foundation Volatility Framework 2.6
Name Pid PPid Thds Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
0xfffffa800cd20870:System 4 0 84 507 2020-11-06 08:57:55 UTC+0000
. 0xfffffa800dc0d930:smss.exe 256 4 2 29 2020-11-06 08:57:55 UTC+0000
0xfffffa800cd5b060:wininit.exe 388 332 3 74 2020-11-06 08:57:56 UTC+0000
. 0xfffffa800ea3d720:services.exe 484 388 6 186 2020-11-06 08:57:56 UTC+0000
.. 0xfffffa800ed7e9c0:svchost.exe 1280 484 8 160 2020-11-06 08:57:58 UTC+0000
.. 0xfffffa800eea1b10:SearchIndexer. 1684 484 11 609 2020-11-06 08:58:03 UTC+0000
.. 0xfffffa800ec6a900:spoolsv.exe 1044 484 12 269 2020-11-06 08:57:58 UTC+0000
.. 0xfffffa800eb72b10:svchost.exe 900 484 12 279 2020-11-06 08:57:57 UTC+0000
.. 0xfffffa800eb10550:svchost.exe 672 484 6 256 2020-11-06 08:57:57 UTC+0000
.. 0xfffffa800ebedb10:svchost.exe 548 484 20 572 2020-11-06 08:57:57 UTC+0000
.. 0xfffffa800ebd6b10:svchost.exe 988 484 5 106 2020-11-06 08:57:57 UTC+0000
.. 0xfffffa800eb6d600:svchost.exe 812 484 17 428 2020-11-06 08:57:57 UTC+0000
... 0xfffffa800ef16570:dwm.exe 1952 812 3 72 2020-11-06 08:58:02 UTC+0000
.. 0xfffffa800ed1b5d0:svchost.exe 1200 484 11 266 2020-11-06 08:57:58 UTC+0000
.. 0xfffffa800ec7db10:svchost.exe 1092 484 17 300 2020-11-06 08:57:58 UTC+0000
.. 0xfffffa800eb3eb10:svchost.exe 724 484 18 449 2020-11-06 08:57:57 UTC+0000
.. 0xfffffa800ebc73f0:svchost.exe 932 484 27 929 2020-11-06 08:57:57 UTC+0000
.. 0xfffffa800eadbb10:svchost.exe 604 484 9 352 2020-11-06 08:57:57 UTC+0000
... 0xfffffa800cf5e060:WmiPrvSE.exe 3472 604 5 117 2020-11-06 09:01:58 UTC+0000
.. 0xfffffa800eef7b10:taskhost.exe 1896 484 9 198 2020-11-06 08:58:02 UTC+0000
.. 0xfffffa800f1636a0:svchost.exe 272 484 13 353 2020-11-06 08:59:59 UTC+0000
. 0xfffffa800ea40b10:lsass.exe 492 388 6 571 2020-11-06 08:57:56 UTC+0000
. 0xfffffa800e102790:lsm.exe 500 388 9 194 2020-11-06 08:57:56 UTC+0000
0xfffffa8016fff060:csrss.exe 340 332 9 330 2020-11-06 08:57:56 UTC+0000
0xfffffa800ef1e4b0:explorer.exe 1964 1944 19 729 2020-11-06 08:58:02 UTC+0000
. 0xfffffa801d3e5060:calc.exe 2916 1964 3 73 2020-11-06 08:58:21 UTC+0000
. 0xfffffa800e300470:putty.exe 2900 1964 1 72 2020-11-06 08:58:19 UTC+0000
. 0xfffffa800ee99880:TrueCrypt.exe 2324 1964 4 249 2020-11-06 08:59:09 UTC+0000
. 0xfffffa800f201060:notepad.exe 2936 1964 1 57 2020-11-06 08:58:25 UTC+0000
. 0xfffffa800ef2bb10:StikyNot.exe 120 1964 8 137 2020-11-06 08:58:03 UTC+0000
0xfffffa800f049550:firefox.exe 824 1848 60 1079 2020-11-06 08:58:10 UTC+0000
. 0xfffffa800f231b10:firefox.exe 2668 824 0 ------ 2020-11-06 08:58:15 UTC+0000
. 0xfffffa800f162b10:firefox.exe 2208 824 18 306 2020-11-06 08:58:12 UTC+0000
. 0xfffffa800f233b10:firefox.exe 2660 824 18 303 2020-11-06 08:58:15 UTC+0000
. 0xfffffa800f04eb10:firefox.exe 2076 824 9 277 2020-11-06 08:58:11 UTC+0000
. 0xfffffa800f196b10:firefox.exe 3344 824 5 157 2020-11-06 09:01:53 UTC+0000
. 0xfffffa800cec7b10:firefox.exe 1760 824 15 273 2020-11-06 09:00:18 UTC+0000
. 0xfffffa800f199b10:firefox.exe 2424 824 18 310 2020-11-06 08:58:13 UTC+0000
. 0xfffffa8014356810:firefox.exe 2744 824 35 478 2020-11-06 08:59:02 UTC+0000
. 0xfffffa800e9efb10:firefox.exe 3056 824 18 307 2020-11-06 08:58:43 UTC+0000
0xfffffa80152b7060:csrss.exe 400 380 8 436 2020-11-06 08:57:56 UTC+0000
0xfffffa800ea0eb10:winlogon.exe 440 380 3 113 2020-11-06 08:57:56 UTC+0000
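The process tree is the pivot of this solution: the interesting programs are the ones the user launched from explorer.exe, and one of them is a disk-encryption tool. The script below is an added example, not part of the original write-up or of Volatility itself. It parses a Volatility 2 pstree listing (SAMPLE is an excerpt of the output above, kept in the same format), lists the processes started by explorer.exe in launch order, and flags terminated processes, processes whose parent is gone from the dump, and hits on an assumed watch list of encryption and remote-access tools.

```python
"""Triage helpers for a Volatility 2 `pstree` listing.

Added example, not code from the original write-up. SAMPLE is an excerpt of
the pstree output shown above (same format, fewer rows); WATCHLIST is an
assumption: programs whose presence changes the plan for the investigation.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

SAMPLE = """\
Name                                                  Pid   PPid   Thds   Hnds   Time
-------------------------------------------------- ------ ------ ------ ------ ----
 0xfffffa800cd20870:System                              4      0     84    507 2020-11-06 08:57:55 UTC+0000
. 0xfffffa800dc0d930:smss.exe                         256      4      2     29 2020-11-06 08:57:55 UTC+0000
 0xfffffa800cd5b060:wininit.exe                      388    332      3     74 2020-11-06 08:57:56 UTC+0000
. 0xfffffa800ea3d720:services.exe                    484    388      6    186 2020-11-06 08:57:56 UTC+0000
.. 0xfffffa800eb6d600:svchost.exe                    812    484     17    428 2020-11-06 08:57:57 UTC+0000
... 0xfffffa800ef16570:dwm.exe                      1952    812      3     72 2020-11-06 08:58:02 UTC+0000
 0xfffffa800ef1e4b0:explorer.exe                    1964   1944     19    729 2020-11-06 08:58:02 UTC+0000
. 0xfffffa801d3e5060:calc.exe                       2916   1964      3     73 2020-11-06 08:58:21 UTC+0000
. 0xfffffa800e300470:putty.exe                      2900   1964      1     72 2020-11-06 08:58:19 UTC+0000
. 0xfffffa800ee99880:TrueCrypt.exe                  2324   1964      4    249 2020-11-06 08:59:09 UTC+0000
. 0xfffffa800f201060:notepad.exe                    2936   1964      1     57 2020-11-06 08:58:25 UTC+0000
. 0xfffffa800ef2bb10:StikyNot.exe                    120   1964      8    137 2020-11-06 08:58:03 UTC+0000
 0xfffffa800f049550:firefox.exe                      824   1848     60   1079 2020-11-06 08:58:10 UTC+0000
. 0xfffffa800f231b10:firefox.exe                    2668    824      0 ------ 2020-11-06 08:58:15 UTC+0000
 0xfffffa800ea0eb10:winlogon.exe                     440    380      3    113 2020-11-06 08:57:56 UTC+0000
"""

# Assumed watch list (lower-case image names): disk encryption and remote access.
WATCHLIST = {"truecrypt.exe", "veracrypt.exe", "putty.exe", "plink.exe"}

# One pstree row: depth dots, offset:name, Pid, PPid, Thds, Hnds, start time.
# Thds/Hnds read "------" for a process that has exited but is still linked.
ROW = re.compile(
    r"^\s*(?P<depth>\.*)\s*0x[0-9a-fA-F]+:(?P<name>\S+)"
    r"\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+(?P<thds>\d+|-+)\s+(?P<hnds>\d+|-+)"
    r"\s+(?P<time>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)"
)


@dataclass
class Proc:
    name: str
    pid: int
    ppid: int
    threads: Optional[int]   # None when the column reads "------"
    handles: Optional[int]
    start: datetime


def _num(field: str) -> Optional[int]:
    return int(field) if field.isdigit() else None


def parse_pstree(text: str) -> Dict[int, Proc]:
    """Parse pstree output into {pid: Proc}; header and separator lines are skipped."""
    procs: Dict[int, Proc] = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        start = datetime.strptime(m["time"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        p = Proc(m["name"], int(m["pid"]), int(m["ppid"]),
                 _num(m["thds"]), _num(m["hnds"]), start)
        procs[p.pid] = p
    return procs


def children_of(procs: Dict[int, Proc], parent_name: str) -> List[Proc]:
    """Processes started by any process named parent_name, oldest first.
    Under explorer.exe these are the programs the logged-on user launched."""
    parents = {p.pid for p in procs.values() if p.name.lower() == parent_name.lower()}
    return sorted((p for p in procs.values() if p.ppid in parents), key=lambda p: p.start)


def exited(procs: Dict[int, Proc]) -> List[Proc]:
    """Processes whose handle table is gone: terminated but not yet unlinked."""
    return [p for p in procs.values() if p.handles is None]


def orphans(procs: Dict[int, Proc]) -> List[Proc]:
    """Processes whose parent PID is absent from the dump (the parent exited).
    Expected for explorer.exe (started by userinit.exe) and the session-0 boot
    chain; anywhere else it deserves a closer look."""
    return [p for p in procs.values() if p.ppid != 0 and p.ppid not in procs]


def watchlist_hits(procs: Dict[int, Proc]) -> List[Proc]:
    return [p for p in procs.values() if p.name.lower() in WATCHLIST]


if __name__ == "__main__":
    procs = parse_pstree(SAMPLE)
    for p in children_of(procs, "explorer.exe"):
        print(f"{p.start:%H:%M:%S}  {p.name:<16} pid={p.pid}")
    print("exited:", [p.pid for p in exited(procs)])
    print("orphans:", [(p.name, p.pid, p.ppid) for p in orphans(procs)])
    print("watch list:", [p.name for p in watchlist_hits(procs)])
```

Run it against the full pstree output by replacing SAMPLE with the saved listing (or piping `volatility ... pstree` output into `parse_pstree`). On the excerpt, the user-launched list comes out as StikyNot, putty, calc, notepad, TrueCrypt in that order, which is exactly the sequence that points at the encrypted volume.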
Install TrueCrypt 7.2 (the final release; it can still mount and decrypt existing volumes, which is all that is needed here).
Mount the encrypted file from the USB stick with the recovered passphrase and read the decrypted contents:
root@cboekali-100:~/memory**# cat /mnt/file.txt
Visit this url: https://pastebin.com/XAKBsNEN
The pastebin URL contains the flag.