Memory Analysis - Ransomware
This is part of the Digital Forensics challenges (retired) from Blue Team Labs Online
Last updated
Link to the challenge: Blue Team Labs Online: Memory Analysis - Ransomware
The Account Executive called the SOC earlier and sounds very frustrated and angry. He stated he can’t access any files on his computer and keeps receiving a pop-up stating that his files have been encrypted. You disconnected the computer from the network and extracted the memory dump of his machine and started analyzing it with Volatility. Continue your investigation to uncover how the ransomware works and how to stop it!
Looking at the questions, I could see that they use Volatility 2 commands. I ran it with Volatility 3 for a change, so the syntax varies slightly. Check out the Volatility section on the Resources page for the Vol2→Vol3 cheat sheet.
Run “vol.py -f infected.vmem --profile=Win7SP1x86 psscan” that will list all processes. What is the name of the suspicious process?
There are quite a few processes I hadn't heard of, but two processes stand out.
Initially, I thought it was "or4qtckT.exe", but the one the challenge expects is "@WanaDecryptor".
@WanaDecryptor
What is the parent process ID for the suspicious process?
You can see from the psscan output that the parent ID (second column) of "@WanaDecryptor" is 2732.
Additionally, you can run the "pstree" plugin to view the parent-child relationship more clearly.
2732
What is the initial malicious executable that created this process?
From the previous outputs, we can see that the parent process is "or4qtckT.exe".
or4qtckT.exe
If you drill down on the suspicious PID (vol.py -f infected.vmem --profile=Win7SP1x86 psscan | grep (PIDhere)), find the process used to delete files
The output is a bit garbled, but we can see four processes listed, of which "taskdl.exe" is one I hadn't come across to date.
A quick search tells us that it is a malicious program related to the WannaCry ransomware.
taskdl.exe
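The psscan → parent PID → pstree steps above can be automated. This is an added example, not part of the original write-up or of Volatility itself; it assumes the first three whitespace-separated columns of each windows.psscan row are PID, PPID and ImageFileName, and the sample rows below are constructed (only the 2732 parent PID and the process names come from the write-up).

```python
"""Rebuild the parent/child tree from Volatility 3 windows.psscan output
and pull out the lineage and siblings of a suspicious process.

Assumption: each data row starts with PID, PPID, ImageFileName.
"""

# Constructed sample in windows.psscan layout (trailing columns dropped,
# PIDs other than 2732 and offsets are made up for illustration).
SAMPLE_PSSCAN = """\
PID	PPID	ImageFileName	Offset(V)	Threads
4	0	System	0x83f4b020	88
348	4	smss.exe	0x84d5b030	2
1852	1036	explorer.exe	0x85a17500	25
2732	1852	or4qtckT.exe	0x85c3d7d8	3
2868	2732	@WanaDecryptor	0x85c76030	2
2912	2732	taskdl.exe	0x85c9a5c0	1
3020	2732	cmd.exe	0x85cb1d40	1
"""


def parse_psscan(text):
    """Return {pid: (ppid, image_name)}, skipping the header row and any
    garbled lines (psscan output from a dump is frequently noisy)."""
    procs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or not (parts[0].isdigit() and parts[1].isdigit()):
            continue
        procs[int(parts[0])] = (int(parts[1]), parts[2])
    return procs


def find_pids(procs, name):
    """All PIDs whose image name matches, case-insensitively."""
    return sorted(pid for pid, (_, n) in procs.items() if n.lower() == name.lower())


def lineage(procs, pid):
    """Walk PPIDs up to the root, root first. Stops when the parent was not
    found by the scan (exited or unscanned) or if a PPID loop is detected."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        ppid, name = procs[pid]
        chain.append((pid, name))
        pid = ppid
    return chain[::-1]


def children(procs, ppid):
    """Image names spawned by ppid, i.e. what pstree lists beneath it."""
    return sorted(name for _, (parent, name) in procs.items() if parent == ppid)


if __name__ == "__main__":
    procs = parse_psscan(SAMPLE_PSSCAN)
    for pid in find_pids(procs, "@WanaDecryptor"):
        print(" -> ".join(f"{n}({p})" for p, n in lineage(procs, pid)))
        print(f"siblings under PID {procs[pid][0]}:", children(procs, procs[pid][0]))
```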
Find the path where the malicious file was first executed
Use the "cmdline" plugin and grep for the PID to find the path from where the process was executed.
Alternatively, we can use the "filescan" plugin and grep for the process to find its path.
C:\Users\hacker\Desktop\or4qtckT.exe
Can you identify what ransomware it is? (Do your research!)
Previously when we searched for "taskdl.exe" we found it was related to WannaCry ransomware.
Also, searching for the malicious processes we identified earlier confirms that it is indeed the WannaCry ransomware.
WannaCry
What is the filename for the file with the ransomware public key that was used to encrypt the private key? (.eky extension)
This isn't exactly the desired output, as the file shown has an ".ekyhed" extension.
Upon further research, I learned that we can use the "handles" plugin to list the open handles of a malicious process, and from that we can get hold of the file we are looking for.
Grepping for the file extension spits out the exact file we are looking for.
00000000.eky