Memory Analysis — Ransomware | Blue Team Labs Online Writeup

Amul Shrestha
5 min read · Jul 3, 2021

The Account Executive called the SOC earlier and sounds very frustrated and angry. He stated he can’t access any files on his computer and keeps receiving a pop-up stating that his files have been encrypted. You disconnected the computer from the network and extracted the memory dump of his machine and started analyzing it with Volatility. Continue your investigation to uncover how the ransomware works and how to stop it!

Welcome! This writeup shows how to use Volatility to perform file forensics on a memory capture and analyze the extracted files for ransomware. Before going into this lab, I would like to thank BTLO (Blue Team Labs Online) for such a wonderful platform to practice blue team skills. Here you can find the link for the lab: Memory Analysis — Ransomware

Introduction

“Volatility is a free memory forensics tool developed and maintained by Volatility labs. Regarded as the gold standard for memory forensics in incident response, Volatility is wildly expandable via a plugins system and is an invaluable tool for any Blue Teamer.”

Download Volatility using the links:

Some useful commands in Volatility

1. Image Info:

$ volatility -f memory.vmem imageinfo

2. Show the processes running at the time of memory capture:

$ volatility -f memory.vmem pslist

3. List all processes, including terminated and hidden ones (pool tag scanning):

$ volatility -f memory.vmem psscan

4. Parent and child process tree:

$ volatility -f memory.vmem pstree

5. Hidden processes (cross-view comparison):

$ volatility -f memory.vmem psxview

6. Network connections:

$ volatility -f memory.vmem connscan

7. Process command lines:

$ volatility -f memory.vmem cmdline

8. Dump a process executable to disk:

$ volatility -f memory.vmem procdump -p <PID> --dump-dir <output directory>

9. Scan all files:

$ volatility -f memory.vmem filescan

With these basic Volatility commands covered, let's get into the lab challenges.

Challenge Submission

First of all, download the memory dump zip file given in the challenge, extract it using the password btlo, and analyze the .vmem file with Volatility.

Que.1: Run “vol.py -f infected.vmem --profile=Win7SP1x86 psscan” that will list all processes. What is the name of the suspicious process?

Use the command

$ vol.py -f infected.vmem imageinfo

to get information about the dump image, including the suggested profile.

Running the command

$ vol.py -f infected.vmem --profile=Win7SP1x86 psscan

lists all the processes, as shown below:

In the output, @WanaDecryptor and or4qtckT.exe are not processes normally present on a Windows system, so both look suspicious. Since or4qtckT.exe is the executable that was dropped, @WanaDecryptor is the suspicious process this question asks for.

Ans: @WanaDecryptor

Que.2: What is the parent process ID for the suspicious process?

Of the two suspicious processes, the executable runs first and spawns the other, so the PID of or4qtckT.exe is the parent process ID of @WanaDecryptor: 2732.

Ans: 2732

Que.3: What is the initial malicious executable that created this process?

From Que.1 and Que.2, the malicious executable is or4qtckT.exe.

Ans: or4qtckT.exe

Que.4: If you drill down on the suspicious PID (vol.py -f infected.vmem --profile=Win7SP1x86 psscan | grep (PIDhere)), find the process used to delete files.

To find the process used to delete files, let’s use the command

$ vol.py -f infected.vmem --profile=Win7SP1x86 psscan | grep 2732

to list all processes and keep only the lines containing the suspicious PID.

From the above result, taskdl.exe (a child of PID 2732) is the process used to delete the files.

Ans: taskdl.exe
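Que.2 and Que.4 both come down to reading the PID and PPID columns of psscan output. The following parser, added here as an example and not part of the original writeup or the lab, reads Volatility 2 psscan output and answers the same questions by following PPID links rather than by eyeballing the listing; the embedded output is constructed (only or4qtckT.exe, PID 2732, @WanaDecryptor and taskdl.exe come from the writeup, all other PIDs, offsets and timestamps are made up).

```python
import re

# Constructed psscan output in Volatility 2 layout. or4qtckT.exe (PID 2732), @WanaDecryptor
# and taskdl.exe come from the writeup; every other value is invented for this example.
PSSCAN_SAMPLE = """\
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x000000003e0f6d40 System                4      0 0x00185000 2021-03-10 14:00:01 UTC+0000
0x000000003f1a2030 explorer.exe       1104   1076 0x3f2c1000 2021-03-10 14:01:10 UTC+0000
0x000000003f4b8d40 or4qtckT.exe       2732   1104 0x3f5e3000 2021-03-10 14:05:22 UTC+0000
0x000000003f5c0a10 @WanaDecryptor     2960   2732 0x3f6a4000 2021-03-10 14:05:30 UTC+0000
0x000000003f6d1b20 taskdl.exe         3016   2732 0x3f7b5000 2021-03-10 14:05:35 UTC+0000   2021-03-10 14:05:36 UTC+0000
"""

# One psscan row: offset, name, PID, PPID, PDB, creation time, optional exit time.
ROW_RE = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+(?P<name>\S.*?)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+"
    r"(?P<pdb>0x[0-9a-fA-F]+)\s+(?P<created>\d{4}-\d{2}-\d{2} \S+ \S+)"
    r"(?:\s+(?P<exited>\d{4}-\d{2}-\d{2} \S+ \S+))?\s*$"
)

def parse_psscan(text):
    """Turn psscan output into a list of dicts; header and separator lines are skipped."""
    procs = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        row = m.groupdict()
        row["pid"], row["ppid"] = int(row["pid"]), int(row["ppid"])
        procs.append(row)
    return procs

def parent_pid(procs, name):
    """Que.2: the PPID column of the named process, read directly instead of inferred."""
    return next(p["ppid"] for p in procs if p["name"] == name)

def children(procs, pid):
    """Que.4: processes whose PPID equals pid. Stricter than 'grep 2732', which also matches
    the parent's own line and any offset or PDB value that happens to contain the digits."""
    return sorted(p["name"] for p in procs if p["ppid"] == pid)

def lineage(procs, name):
    """Que.3: walk PPID links back to the root, oldest ancestor first."""
    by_pid = {p["pid"]: p for p in procs}
    chain = [next(p for p in procs if p["name"] == name)]
    seen = {chain[0]["pid"]}
    while chain[-1]["ppid"] in by_pid and chain[-1]["ppid"] not in seen:
        chain.append(by_pid[chain[-1]["ppid"]])
        seen.add(chain[-1]["pid"])
    return [p["name"] for p in reversed(chain)]
```

Note that taskdl.exe has an exit time in the sample: psscan still shows it because pool tag scanning finds terminated process objects, which is why the writeup uses psscan rather than pslist here.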

Que.5: Find the path where the malicious file was first executed

Now that we know the malicious executable is or4qtckT.exe, let's determine the folder path from which it ran, along with the DLLs it loaded. For this we use the dlllist plugin as shown below:

$ vol.py -f infected.vmem --profile=Win7SP1x86 dlllist | grep or4qtckT.exe

From this result, the path from which the malicious file was first executed is C:\Users\hacker\Desktop\or4qtckT.exe

Ans: C:\Users\hacker\Desktop\or4qtckT.exe

Que.6: Can you identify what ransomware it is? (Do your research!)

To identify the ransomware, a simple Google search for the suspicious process names is enough.

The result shows the ransomware is WannaCry.

Ans: wannacry

Que.7: What is the filename for the file with the ransomware public key that was used to encrypt the private key? (.eky extension)

To find the file holding the ransomware public key that was used to encrypt the private key, run filescan on the memory dump and filter the output for eky with grep:

$ vol.py -f infected.vmem --profile=Win7SP1x86 filescan | grep eky

Ans: 00000000.eky

Conclusion

In this way, this lab can be solved. I hope this write-up has been useful in some manner. Thank you for taking the time to read it. If you have any suggestions, please feel free to reach out to me; I will try my best to improve my next write-up.

!!! Thank you !!!
