Ghost Process in Memory
DOWNLOADABLE raw RAM image (2 MiB). Dozens of credentials sit in memory, but most are harmless cache entries (decoys). Correlate process context with credentials to find the malicious process (an svchost masquerade) and the real credential it used to exfiltrate.
Scenario
A workstation memory dump. Cached, LSA and WiFi credentials are scattered through memory; most are old and harmless (decoys). A malicious process whose name imitates svchost.exe (a homoglyph) runs from C:\Users\Public, sends data to a C2 over HTTP POST and exfiltrates a service account. The skill being tested is not reporting a random pwd= string, but correlating the credential with the context of the exfiltrating process. Mistaking a cached credential for real evidence breaks soundness.
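As an added illustration (not part of the challenge or its solution files), a small Python correlation pass over a constructed byte string that stands in for a raw image: it folds look-alike characters to spot the svchost homoglyph, then accepts only the pwd= value found inside that process's HTTP POST context and reports every other pwd= as a decoy. The sample bytes, the confusables map, the 256-byte window and the field names are assumptions of this example.

```python
import re

# Partial look-alike map (assumption: enough for this demo, not a full Unicode confusables table).
CONFUSABLES = {"\u043e": "o", "\u0441": "c", "\u0435": "e", "\u0455": "s", "\u0456": "i", "\u0442": "t"}
EXE_RE = re.compile(rb"[^\x00\s\\/:=\"']{3,40}\.exe")      # image-name-like tokens
PWD_RE = re.compile(rb"pwd=([^\x00\s&]+)")                 # plaintext credential fields
IP_RE = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")         # dotted-quad C2 candidates
PATH_RE = re.compile(rb"[A-Za-z]:\\[^\x00\s\"']+")          # Windows image path

# Constructed sample image: two harmless cached credentials far away from the
# masquerading process, and the real one inside that process's HTTP POST context.
SAMPLE_IMAGE = (
    b"\x00" * 64 + b"MSCache user=jdoe pwd=Welcome1 domain=CORP" + b"\x00" * 800
    + b"ImageFileName=svch\xd0\xbest.exe Path=C:\\Users\\Public\\svch\xd0\xbest.exe" + b"\x00" * 32
    + b"POST /gate HTTP/1.1\r\nHost: 203.0.113.45\r\n\r\nuser=svc_backup&pwd=B4ckup!2024"
    + b"\x00" * 800 + b"WlanProfile SSID=CorpNet pwd=CorpWifi2019" + b"\x00" * 64
)

def skeleton(name: str) -> str:
    """Fold look-alike characters to ASCII so 'svch\u043est.exe' collapses to 'svchost.exe'."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in name.lower())

def is_masquerade(name: str, target: str = "svchost.exe") -> bool:
    """True when a name looks like the target but is not byte-identical to it."""
    return skeleton(name) == target and name.lower() != target

def correlate(image: bytes, window: int = 256) -> dict:
    """Tie each masquerading process token to the credential and C2 IP seen within
    `window` bytes of it; credentials outside every such window are reported as decoys."""
    suspects, spans = {}, []
    for m in EXE_RE.finditer(image):
        name = m.group().decode("utf-8", "replace")
        if not is_masquerade(name) or name in suspects:
            continue
        lo, hi = max(0, m.start() - window), min(len(image), m.end() + window)
        ctx = image[lo:hi]
        spans.append((lo, hi))
        pwd, ip, path = PWD_RE.search(ctx), IP_RE.search(ctx), PATH_RE.search(ctx)
        suspects[name] = {
            "offset": m.start(),
            "path": path.group().decode("utf-8", "replace") if path else None,
            "http_post": b"POST " in ctx,
            "credential": pwd.group(1).decode() if pwd else None,
            "c2_ip": ip.group().decode() if ip else None,
        }
    decoys = [m.group(1).decode() for m in PWD_RE.finditer(image)
              if not any(lo <= m.start() < hi for lo, hi in spans)]
    return {"suspects": suspects, "decoy_credentials": decoys}
```

On a real dump the proximity window is only a first filter; confirm the link with the process's own memory regions rather than raw byte distance before reporting it.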
Anti-forensics techniques
- Process masquerade (homoglyph of svchost)
- Noise: many harmless cached credentials (decoy)
- Plaintext credential + C2 trace in memory
Provided artifacts
- Raw RAM image (2 MiB)
Sample questions
- q1: Name of the malicious process? (masquerade)
- q2: Password used for exfiltration?
- q3: Exfiltration (C2) destination IP?
Soundness trap
- trap1: Do NOT report the cached harmless credential (Welcome1) as the exfil evidence.
Scoring
Process-credential correlation accuracy + cache-decoy resistance (soundness).
Download and solve
The answer key is hidden (scored set); the flag is encrypted and you must decrypt it.