DFIRCON Memory Analysis Challenge

DFIRCON APT Malware & Memory Challenge

The memory image contains real APT malware launched against a test system. Your job? Find it.

The object of our challenge is simple: Download the memory image and attempt to answer the 5 questions. To successfully submit for the contest, all answers must be attempted. Each person that correctly answers 3 of the 5 questions will be entered into a drawing to win a FREE Simulcast seat at DFIRCON Monterey this March. The contest ends on January 31st, 2014 and we will announce the winner on February 3rd, 2014. Good luck!

Win a free Simulcast Seat at DFIRCON Monterey - http://dfir.to/DFIR-CON by downloading the memory image and answering the following questions.


To successfully submit for the contest. All answers must be attempted. Please include your name and email address.

The winner will be able to choose from the below Simulcast courses at DFIRCON:

SEC504: Hacker Techniques, Exploits & Incident Handling
FOR408: Computer Forensic Investigations - Windows In-Depth
FOR508: Advanced Computer Forensic Analysis and Incident Response
FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques

SANS Event Simulcast classes are:

Cost-Effective: You can save thousands of dollars on travel costs, making Event Simulcast an ideal solution for students working with limited training budgets or travel bans.

Engaging: Event Simulcast classes are live and interactive, allowing you to ask questions and share experiences with your instructor and classmates.

Condensed: Complete your course quickly; all SANS Event Simulcast classes take no longer than six days to complete.

Repeatable: Event Simulcast classes are recorded and placed in an online archive in case you have to miss part of the class or just wish to view the material again at a later date.

Complete: You will receive the same books, discs, and MP3 audio files that conference students receive, and you will see and hear the same information as it is presented at the live event.

To learn more about the event, please visit http://www.sans.org/event/dfircon-monterey-2014

1. Entry: Each participant may respond only once for the challenge. Contest begins on Monday, December 2nd, 2014 and ends Friday, January 31st, 2014. Responses must be submitted by 9pm EST on January 31st.

2. Prize: Each person that correctly answers at least 3 of the 5 questions will be entered into a drawing to win a FREE Simulcast seat at DFIRCON Monterey this March. SANS will choose only one winner, the seat is transferable to another in the same organization/company and does not include a certification attempt. The winner will be chosen on February 3rd and will be notified by email..

3. Odds of Winning: The odds of winning the contest depend upon the total number of all eligible entries received in the contest period, regardless of method of participation.

4. Release of Liability: SANS is not responsible for lost, late, or unintelligible entries, lost connections, miscommunications, failed transmissions, other technical difficulties or failures.

Question Title

* 1. What is the Process ID of the rogue process on the system?

Question Title

* 2. Determine the name of the rogue file that is found in the process (PID) that contains the rogue process found in the above question.

Question Title

* 3. How is the malware achieving persistence on the system?

Question Title

* 4. What is the filename of the file that is hiding the presence of the malware on the system?

Question Title

* 5. What is the name of the ISP that hosts the network where the malware is communicating with?

Question Title

* 6. What is your name?

Question Title

* 7. What is your email address?