True Secrets

Description

Our cybercrime unit has been investigating a well-known APT group for several months. The group has been responsible for several high-profile attacks on corporate organizations. However, what is interesting about that case, is that they have developed a custom command & control server of their own. Fortunately, our unit was able to raid the home of the leader of the APT group and take a memory capture of his computer while it was still powered on. Analyze the capture to try to find the source code of the server.

For this CTF there was provided a zipped file with .raw extension.

Examining the file with strings command revealed multiple informations about location on Windows system, e.g. C:\Windows\system32\. This and information in the description indicates that this file is a memory capture of Windows system.

To process this file we can use Volatility framework 😊

At first we need to determine the system profile...