Tags: forensics memorydump volatility darkcomet 

# Attaaaaack10

## Background

Q10. We think that the malware uses a persistence technique. Can you detect it?

Example: crew{Scheduled_tasks} (the first letter of the first word is uppercase and the first letter of the others is lowercase)

Author : 0xSh3rl0ck

![](https://raw.githubusercontent.com/siunam321/CTF-Writeups/main/CrewCTF-2023/images/Pasted%20image%2020230710142932.png)

## Find the flag

**In the [blog](http://www.tekdefense.com/news/tag/malware-analysis) that we've found in Attaaaaack9, the DarkComet malware has a persistence mechanism:**

![](https://raw.githubusercontent.com/siunam321/CTF-Writeups/main/CrewCTF-2023/images/Pasted%20image%2020230709213926.png)

With that said, the persistence mechanism is a registry autorun (Run key) value: the malware writes an entry into the registry so that every time the victim logs in, `runddl32.exe` is launched. Note the file name: `runddl32.exe` is a look-alike of the legitimate `rundll32.exe` (one letter differs), a common trick for blending into process listings.

- **Flag: `crew{Registry_keys}`**
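To confirm the mechanism from the memory dump itself rather than from the blog alone, the Run keys can be dumped with Volatility's `printkey` plugin and the entries triaged. The script below is an added example, not part of the original writeup or the challenge solution. It parses constructed text that resembles Volatility 2 `printkey` output (the column spacing, the user name `victim`, the value name `MicroUpdate`, the `MSDCSC` folder and the benign entries are all assumptions, not taken from the challenge dump) and flags autorun entries whose executable name is a typo-squat of a Windows binary, a genuine system-binary name running from outside `C:\Windows`, or anything launched from a user-writable profile path.

```python
"""Triage autorun (Run key) entries from Volatility `printkey` output.

Added example for this writeup, not the original author's code. SAMPLE_OUTPUT is
constructed to resemble Volatility 2 `printkey` output; the column spacing, the
user name, the value name "MicroUpdate" and the MSDCSC folder are assumptions.
"""
import re

# Windows binaries that malware likes to impersonate with near-identical names.
KNOWN_SYSTEM_BINARIES = {
    "rundll32.exe", "svchost.exe", "explorer.exe", "lsass.exe",
    "csrss.exe", "winlogon.exe", "services.exe", "smss.exe",
}
# Where a genuine copy of those binaries is expected to live.
SYSTEM_DIR_PREFIXES = ("c:\\windows\\",)

# Constructed to look like the output of:
#   vol.py -f mem.raw --profile=<profile> printkey -K "Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_OUTPUT = r"""Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \??\C:\Users\victim\ntuser.dat
Key name: Run (S)
Last updated: 2023-07-09 21:39:26 UTC+0000

Subkeys:

Values:
REG_EXPAND_SZ SecurityHealth : (S) %windir%\system32\SecurityHealthSystray.exe
REG_SZ        Windows Defender : (S) "C:\Program Files\Windows Defender\MSASCuiL.exe" /hide
REG_SZ        MicroUpdate     : (S) C:\Users\victim\AppData\Roaming\MSDCSC\runddl32.exe
"""

# One value per line: <type>  <name> : (S|V) <data>; the name itself may contain spaces.
VALUE_LINE = re.compile(r"^(REG_\w+)\s+(.+?)\s+:\s+\([SV]\)\s+(.*)$")


def parse_values(printkey_text):
    """Return (value_name, data) for each value line in the printkey output."""
    entries = []
    for line in printkey_text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            entries.append((m.group(2), m.group(3).strip()))
    return entries


def executable_path(command_line):
    """Pull the program path out of a Run value's command line (quoted or bare)."""
    cmd = re.sub(r"%(windir|systemroot)%", r"C:\\Windows", command_line, flags=re.IGNORECASE)
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else (cmd.split() or [""])[0]


def edit_distance(a, b):
    """Levenshtein distance; runddl32.exe vs rundll32.exe is 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(value_name, command_line):
    """Return reasons an autorun entry deserves a closer look; empty list means none."""
    path = executable_path(command_line)
    lower = path.lower().replace("/", "\\")
    basename = lower.rsplit("\\", 1)[-1]
    reasons = []
    if basename in KNOWN_SYSTEM_BINARIES:
        # A real system binary name outside C:\Windows is a classic masquerade.
        if not lower.startswith(SYSTEM_DIR_PREFIXES):
            reasons.append(f"{basename} outside the Windows directory")
    else:
        # Typo-squatted names: one or two characters away from a real binary.
        for legit in sorted(KNOWN_SYSTEM_BINARIES):
            if edit_distance(basename, legit) <= 2:
                reasons.append(f"look-alike of {legit}")
    if "\\appdata\\" in lower or "\\temp\\" in lower:
        reasons.append("launched from a user-writable profile path")
    return reasons


def triage(printkey_text):
    """Map each flagged value name to the list of reasons it was flagged."""
    findings = {}
    for name, data in parse_values(printkey_text):
        reasons = assess(name, data)
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_OUTPUT).items():
        print(f"{name}: {'; '.join(reasons)}")
```

On the constructed sample only `MicroUpdate` is flagged, for both the `rundll32.exe` look-alike and the `AppData` path; the two benign entries pass. With Volatility 3 the equivalent command is `vol -f mem.raw windows.registry.printkey --key "Software\Microsoft\Windows\CurrentVersion\Run"`, but its output is laid out as columns rather than `REG_SZ name : (S) data` lines, so the `VALUE_LINE` pattern would need adjusting. Also check both the per-user `NTUSER.DAT` hives and the `HKLM\SOFTWARE` hive: a Run value in either survives a logon, which is exactly what the challenge is after.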

Original writeup (https://siunam321.github.io/ctf/CrewCTF-2023/Forensics/Attaaaaack1-13/#attaaaaack10).