Memory Analysis - Ransomware

This is part of the Digital Forensics challenges (retired) from Blue Team Labs Online

Link to the challenge : Blue Team Labs Online : Memory Analysis - Ransomware


Scenario

The Account Executive called the SOC earlier and sounds very frustrated and angry. He stated he can’t access any files on his computer and keeps receiving a pop-up stating that his files have been encrypted. You disconnected the computer from the network and extracted the memory dump of his machine and started analyzing it with Volatility. Continue your investigation to uncover how the ransomware works and how to stop it!

Questions and Answers

Looking at the questions, I could see that they use Volatility 2 commands. I ran it with Volatility 3 for a change, so the syntax varies slightly. Check out the Volatility section on the Resources page for the Vol2→Vol3 cheat sheet.

Question 1

Run “vol.py -f infected.vmem --profile=Win7SP1x86 psscan” that will list all processes. What is the name of the suspicious process?

python vol.py -f infected.vmem windows.psscan

  • There are quite a few processes which I haven't heard of, but 2 processes stand out.

  • Initially, I thought it was "or4qtckT.exe" but the one that the challenge expects is "@WanaDecryptor"

@WanaDecryptor


Question 2

What is the parent process ID for the suspicious process?

  • You could see from the output of psscan that the parent ID (second column) of "@WanaDecryptor" is 2732.

  • Additionally, you can run the "pstree" plugin to view the parent-child relationship in a much better view.

python vol.py -f infected.vmem windows.pstree

2732


Question 3

What is the initial malicious executable that created this process?

  • From the previous outputs, we could see that the parent process is "or4qtckT.exe"

or4qtckT.exe


Question 4

If you drill down on the suspicious PID (vol.py -f infected.vmem --profile=Win7SP1x86 psscan | grep (PIDhere)), find the process used to delete files

python vol.py -f infected.vmem windows.psscan | grep 2732

  • The output is a bit garbled, but we can see 4 processes listed in the output, out of which "taskdl.exe" is something I haven't come across to date.

  • A simple search tells us that it is a malicious program related to the WannaCry ransomware.

taskdl.exe
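To automate the psscan pivot used in Questions 1 to 4 (locate the process, walk up to its parent, list the parent's children), here is an added Python helper that is my own example and not part of the original writeup. The sample rows are constructed: only or4qtckT.exe, PID 2732 and the two child image names come from the writeup; the other PIDs, offsets and the System/explorer.exe rows are made up.

```python
# Constructed sample shaped like Volatility 3 `windows.psscan` output
# (first three columns: PID, PPID, ImageFileName). Only or4qtckT.exe,
# PID 2732 and the child names are from the writeup; the rest is made up.
# psscan shows the 15-character EPROCESS ImageFileName, hence "@WanaDecryptor@".
SAMPLE_PSSCAN = """\
PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId\tWow64\tCreateTime\tExitTime\tFile output
4\t0\tSystem\t0x83f7a9b0\t80\t500\tN/A\tFalse\t2020-01-01 00:00:00.000000\tN/A\tDisabled
1428\t4\texplorer.exe\t0x84a1c030\t20\t700\t1\tFalse\t2020-01-01 00:01:00.000000\tN/A\tDisabled
2732\t1428\tor4qtckT.exe\t0x84b2d9e0\t3\t80\t1\tFalse\t2020-01-01 00:02:00.000000\tN/A\tDisabled
9001\t2732\t@WanaDecryptor@\t0x84c3e1a0\t2\t60\t1\tFalse\t2020-01-01 00:02:05.000000\tN/A\tDisabled
9002\t2732\ttaskdl.exe\t0x84d4f2b0\t1\t30\t1\tFalse\t2020-01-01 00:02:10.000000\tN/A\tDisabled
"""

def parse_psscan(text):
    """Map PID -> (PPID, ImageFileName); banner and header lines are skipped."""
    procs = {}
    for line in text.splitlines():
        fields = line.split()  # works for tab-separated or space-aligned output
        if len(fields) < 3 or not (fields[0].isdigit() and fields[1].isdigit()):
            continue
        procs[int(fields[0])] = (int(fields[1]), fields[2])
    return procs

def find_pids(procs, name):
    """All PIDs with this image name (psscan may also list exited copies)."""
    return sorted(p for p, (_, n) in procs.items() if n == name)

def ancestry(procs, pid):
    """Walk PPID links upward; stops on an unknown or already-seen PID."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        ppid, name = procs[pid]
        chain.append((pid, name))
        pid = ppid
    return chain

def children(procs, pid):
    """Direct children of pid: the Question 4 pivot, minus the grep noise."""
    return sorted((p, n) for p, (pp, n) in procs.items() if pp == pid)

PROCS = parse_psscan(SAMPLE_PSSCAN)

if __name__ == "__main__":
    for pid in find_pids(PROCS, "@WanaDecryptor@"):
        print("ancestry:", " <- ".join(f"{n}({p})" for p, n in ancestry(PROCS, pid)))
    print("children of 2732:", children(PROCS, 2732))
```

Against a real dump, feed it the saved output of `python vol.py -f infected.vmem windows.psscan`; grepping on a PID also matches offsets and handle counts, which this parser avoids.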


Question 5

Find the path where the malicious file was first executed

python vol.py -f infected.vmem windows.cmdline | grep 2732
  • Use the "cmdline" plugin and grep for the PID to find the path from where the process was executed.

  • Alternatively, we can use the "filescan" plugin and grep for the process to find its path.

C:\Users\hacker\Desktop\or4qtckT.exe


Question 6

Can you identify what ransomware it is? (Do your research!)

  • Previously when we searched for "taskdl.exe" we found it was related to WannaCry ransomware.

  • Also, we can search for those malicious processes that we identified earlier, and we can see it is indeed related to WannaCry ransomware.

WannaCry


Question 7

What is the filename for the file with the ransomware public key that was used to encrypt the private key? (.eky extension)

python vol.py -f infected.vmem windows.filescan | grep .eky

  • This isn't exactly the desired output, as the file it finds has an ".ekyhed" extension.

  • Upon further research, I learned that we can use the "handles" plugin to list the open handles of a malicious process, and from that we could get hold of the file we are looking for.

python vol.py -f infected.vmem windows.handles --pid 2732 | grep .eky

  • Grepping for the file extension will spit out the exact file we are looking for.

00000000.eky

