Instructions
We want to see if any other machines are infected with this malware. Using the memory dump file from Window Pains, submit the SHA1 checksum of the malicious process.
Submit the flag as flag{SHA1 hash}.
CAUTION Practice good cyber hygiene! Use an isolated VM to download/run the malicious process. While the malicious process is relatively benign, if you’re using an insecurely-configured Windows host, it may be possible for someone to compromise your machine if they can reach you on the same network.
Prerequisites
Python requirements.txt:
volatility3
yara-python
pycryptodome
capstone
Solution
Use Volatility's DLL list plugin to list and dump the DLLs loaded by the malicious process, then compute the SHA1 checksum of the dumped userinit executable.
flag{f1fed7aca78502c041dba20e63e2e3fde07d0777}
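The hashing and comparison step, as an added example that is not part of the original writeup: once the process's modules have been dumped with the Volatility 3 DLL list plugin, the script hashes every dumped file, flags any that match a known-bad SHA1 (the writeup's checksum is used as that indicator), and formats the result as the flag. The Volatility command line shown in the module docstring needs a real memory image and is given only as a comment; the dump directory layout and file names are assumptions, and exact plugin flags vary between Volatility 3 releases.

```python
"""
Added example, not the challenge's own code.

Assumed Volatility 3 invocation that produced the dump directory (needs a real
memory image, so it is not run here; flags may differ between releases):

    vol -f memdump.raw windows.dlllist --pid <PID> --dump

The dumped modules land in the current directory; pass that directory to
scan_dumped_modules() below.
"""
import hashlib
from pathlib import Path

# Indicator of compromise: SHA1 of the dumped userinit executable from the writeup.
KNOWN_BAD_SHA1 = {
    "f1fed7aca78502c041dba20e63e2e3fde07d0777": "userinit.exe (Window Pains sample)",
}


def sha1_of_file(path, chunk_size=1 << 20):
    """Stream a file through SHA1 so large dumped modules do not have to fit in memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_dumped_modules(dump_dir, known_bad=KNOWN_BAD_SHA1):
    """Hash every regular file in dump_dir.

    Returns (results, matches): results maps file name -> SHA1 for every file,
    matches maps file name -> (SHA1, label) for files whose hash is in known_bad.
    Running this over dumps from several hosts answers the writeup's question of
    whether other machines carry the same module.
    """
    results = {}
    matches = {}
    for entry in sorted(Path(dump_dir).iterdir()):
        if not entry.is_file():
            continue
        digest = sha1_of_file(entry)
        results[entry.name] = digest
        if digest in known_bad:
            matches[entry.name] = (digest, known_bad[digest])
    return results, matches


def format_flag(sha1_hex):
    """Wrap a SHA1 hex digest in the flag{...} format the challenge expects."""
    normalized = sha1_hex.strip().lower()
    if len(normalized) != 40 or any(c not in "0123456789abcdef" for c in normalized):
        raise ValueError("not a SHA1 hex digest: %r" % sha1_hex)
    return "flag{%s}" % normalized


if __name__ == "__main__":
    import sys

    dump_dir = sys.argv[1] if len(sys.argv) > 1 else "."
    results, matches = scan_dumped_modules(dump_dir)
    for name, digest in results.items():
        marker = "  <-- known bad" if name in matches else ""
        print("%s  %s%s" % (digest, name, marker))
    for name, (digest, label) in matches.items():
        print("match: %s is %s, %s" % (name, label, format_flag(digest)))
```

Point the script at the directory Volatility wrote the dumped modules into; any file whose SHA1 appears in KNOWN_BAD_SHA1 is reported with its flag-formatted hash. Because the hash is computed over the reconstructed in-memory image rather than the on-disk file, compare like with like when extending the indicator list to other hosts.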