Tags: forensics memorydump volatility darkcomet 

# Attaaaaack11

## Background

Q11. Can you find the key name and its value?

example : crew{CurrentVersion_ProductName}

Author : 0xSh3rl0ck

![](https://raw.githubusercontent.com/siunam321/CTF-Writeups/main/CrewCTF-2023/images/Pasted%20image%2020230710142939.png)

## Find the flag

**When I was searching `"test213.no-ip.info" keylogger` in Attaaaaack9, I also came across [this Jupyter note](https://notebook.community/adricnet/dfirnotes/examples/Rekall%20demo%20-%20DarkComet%20analysis%20by%20TekDefense%20-%20Jupyter%20slides):**

![](https://raw.githubusercontent.com/siunam321/CTF-Writeups/main/CrewCTF-2023/images/Pasted%20image%2020230709130813.png)

**In there, the memory dump's registry key has something weird:**

![](https://raw.githubusercontent.com/siunam321/CTF-Writeups/main/CrewCTF-2023/images/Pasted%20image%2020230709130915.png)

```shell
┌[siunam♥Mercury]-(~/ctf/CrewCTF-2023/Forensics/Attaaaaack)-[2023.07.09|13:05:47(HKT)]
└> python2 /opt/volatility/vol.py --profile=Win7SP1x86_23418 -f memdump.raw printkey -K "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
Volatility Foundation Volatility Framework 2.6.1
Legend: (S) = Stable (V) = Volatile

----------------------------
Registry: \??\C:\Users\0xSh3rl0ck\ntuser.dat
Key name: Run (S)
Last updated: 2023-02-20 19:03:40 UTC+0000

Subkeys:

Values:
REG_SZ MicroUpdate : (S) C:\Users\0XSH3R~1\AppData\Local\Temp\MSDCSC\runddl32.exe
----------------------------
Registry: \REGISTRY\USER\S-1-5-20
Key name: Run (S)
Last updated: 2009-07-14 04:34:14 UTC+0000
[...]
```

The `HKCU` `Run` key has a value called `MicroUpdate`.
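As an added example (not part of the original writeup), here is a small Python parser for Volatility 2 `printkey` output that flags `Run` values launching from user-writable temp directories or using look-alike binary names such as `runddl32.exe` in place of `rundll32.exe`. The sample text is constructed: it reuses the page's `MicroUpdate` entry and adds a benign OneDrive entry so the filter has something to ignore.

```python
import re

# Constructed sample in the shape of Volatility 2 printkey output.
SAMPLE = r"""Volatility Foundation Volatility Framework 2.6.1
----------------------------
Registry: \??\C:\Users\0xSh3rl0ck\ntuser.dat
Key name: Run (S)
Last updated: 2023-02-20 19:03:40 UTC+0000
Values:
REG_SZ MicroUpdate : (S) C:\Users\0XSH3R~1\AppData\Local\Temp\MSDCSC\runddl32.exe
REG_SZ OneDrive : (S) C:\Users\0xSh3rl0ck\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background
"""
# Directories that legitimate autostart entries rarely run from.
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\programdata\\")
# Binary names that imitate well-known Windows executables.
LOOKALIKES = {"runddl32.exe": "rundll32.exe", "svhost.exe": "svchost.exe", "scvhost.exe": "svchost.exe"}
# One printkey value line: "<type> <name> : (S|V) <data>"
VALUE_RE = re.compile(r"^(REG_\w+)\s+(.+?)\s+:\s+\((S|V)\)\s+(.*)$")

def parse_printkey(text):
    """Return (hive, key, value_name, data) tuples from printkey output."""
    entries = []
    hive = key = None
    for line in text.splitlines():
        if line.startswith("Registry: "):
            hive = line[len("Registry: "):].strip()
        elif line.startswith("Key name: "):
            key = line[len("Key name: "):].split(" (")[0]
        else:
            m = VALUE_RE.match(line)
            if m:
                entries.append((hive, key, m.group(2), m.group(4)))
    return entries

def flag_autoruns(entries):
    """Return [(value_name, data, reasons)] for entries that look like persistence."""
    findings = []
    for hive, key, name, data in entries:
        reasons = []
        low = data.lower()
        if any(d in low for d in SUSPICIOUS_DIRS):
            reasons.append("runs from a user-writable temp/public directory")
        exe = low.rsplit("\\", 1)[-1].split(" ")[0]  # file name without arguments
        if exe in LOOKALIKES:
            reasons.append("binary name imitates %s" % LOOKALIKES[exe])
        if reasons:
            findings.append((name, data, reasons))
    return findings

if __name__ == "__main__":
    print(flag_autoruns(parse_printkey(SAMPLE)))
```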

- **Flag: `crew{Run_MicroUpdate}`**

Original writeup (https://siunam321.github.io/ctf/CrewCTF-2023/Forensics/Attaaaaack1-13/#attaaaaack11).