Memory Analysis - Ransomware

  1. Run “vol.py -f infected.vmem --profile=Win7SP1x86 psscan” that will list all processes. What is the name of the suspicious process? (3 points)

    First we install Volatility 2 by following the linked instructions. Then we can run the command the question suggests:

    $ python2 vol.py -f infected.vmem --profile=Win7SP1x86 psscan
    Volatility Foundation Volatility Framework 2.6.1
    Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
    ------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
    0x000000000be92b88 dwm.exe            1424    856 0x1e6d92e0 2021-01-31 18:01:12 UTC+0000
    0x000000001dc0fd40 svchost.exe         688    496 0x1e6d9140 2021-01-31 18:01:11 UTC+0000
    0x000000001dc22520 svchost.exe         736    496 0x1e6d9160 2021-01-31 18:01:11 UTC+0000
    0x000000001dc33030 taskhsvc.exe       2968   2924 0x1e6d92c0 2021-01-31 18:02:20 UTC+0000
    0x000000001dc58030 svchost.exe         856    496 0x1e6d91a0 2021-01-31 18:01:11 UTC+0000
    0x000000001dc6d548 svchost.exe         896    496 0x1e6d91c0 2021-01-31 18:01:11 UTC+0000
    0x000000001dc92a88 svchost.exe        1000    496 0x1e6d9200 2021-01-31 18:01:11 UTC+0000
    0x000000001dca9030 svchost.exe        1068    496 0x1e6d9220 2021-01-31 18:01:12 UTC+0000
    0x000000001dcd6030 spoolsv.exe        1196    496 0x1e6d9240 2021-01-31 18:01:12 UTC+0000
    0x000000001dcd91c8 svchost.exe        2204    496 0x1e6d95e0 2021-01-31 18:03:14 UTC+0000
    0x000000001dd07290 svchost.exe        1252    496 0x1e6d9280 2021-01-31 18:01:12 UTC+0000
    0x000000001dd32cb0 taskhost.exe       1348    496 0x1e6d92a0 2021-01-31 18:01:12 UTC+0000
    0x000000001df45030 csrss.exe           404    388 0x1e6d9040 2021-01-31 18:01:11 UTC+0000
    0x000000001df5a450 svchost.exe        2380    496 0x1e6d9560 2021-01-31 18:03:15 UTC+0000
    0x000000001df5f030 services.exe        496    396 0x1e6d9080 2021-01-31 18:01:11 UTC+0000
    0x000000001df63030 winlogon.exe        460    388 0x1e6d90c0 2021-01-31 18:01:11 UTC+0000
    0x000000001df72958 lsass.exe           504    396 0x1e6d90e0 2021-01-31 18:01:11 UTC+0000
    0x000000001df74030 lsm.exe             512    396 0x1e6d9100 2021-01-31 18:01:11 UTC+0000
    0x000000001df975b0 svchost.exe        2508    496 0x1e6d9420 2021-01-31 18:21:28 UTC+0000
    0x000000001dfc25f8 conhost.exe        2976    404 0x1e6d94e0 2021-01-31 18:02:20 UTC+0000
    0x000000001dfcf108 powercfg.exe       3304    496 0x1e6d9460 2021-01-31 18:23:23 UTC+0000   2021-01-31 18:24:24 UTC+0000
    0x000000001dfe2b08 svchost.exe         620    496 0x1e6d9120 2021-01-31 18:01:11 UTC+0000
    0x000000001e178968 csrss.exe           356    340 0x1e6d9060 2021-01-31 18:01:11 UTC+0000
    0x000000001e1801f8 wininit.exe         396    340 0x1e6d90a0 2021-01-31 18:01:11 UTC+0000
    0x000000001e992a88 taskdl.exe         4060   2732 0x1e6d9540 2021-01-31 18:24:54 UTC+0000   2021-01-31 18:24:54 UTC+0000
    0x000000001ec3ea58 WmiPrvSE.exe       1296    620 0x1e6d9400 2021-01-31 18:01:14 UTC+0000
    0x000000001ec424a0 svchost.exe        2032    496 0x1e6d93a0 2021-01-31 18:01:13 UTC+0000
    0x000000001ec81d40 dllhost.exe        1740    496 0x1e6d9440 2021-01-31 18:01:14 UTC+0000
    0x000000001ed0a030 SearchFilterHo     3008   2232 0x1e6d9620 2021-01-31 18:23:00 UTC+0000
    0x000000001ed3d940 WmiPrvSE.exe        208    620 0x1e6d9520 2021-01-31 18:24:23 UTC+0000
    0x000000001ed5ead8 SearchProtocol     2304   2232 0x1e6d9180 2021-01-31 18:01:18 UTC+0000
    0x000000001ee6a030 explorer.exe       1456   1408 0x1e6d9300 2021-01-31 18:01:12 UTC+0000
    0x000000001ee80a48 VGAuthService.     1560    496 0x1e6d9320 2021-01-31 18:01:12 UTC+0000
    0x000000001eef9d40 vm3dservice.ex     1688   1456 0x1e6d9340 2021-01-31 18:01:12 UTC+0000
    0x000000001ef04498 vmtoolsd.exe       1700   1456 0x1e6d9360 2021-01-31 18:01:12 UTC+0000
    0x000000001ef11030 vmtoolsd.exe       1720    496 0x1e6d9380 2021-01-31 18:01:13 UTC+0000
    0x000000001ef28a78 msdtc.exe          2044    496 0x1e6d93c0 2021-01-31 18:01:16 UTC+0000
    0x000000001ef9ed40 @WanaDecryptor     2688   2732 0x1e6d9460 2021-01-31 18:24:49 UTC+0000   2021-01-31 18:24:49 UTC+0000
    0x000000001efb5418 smss.exe            268      4 0x1e6d9020 2021-01-31 18:01:10 UTC+0000
    0x000000001efc1d40 SearchIndexer.     2232    496 0x1e6d9260 2021-01-31 18:01:18 UTC+0000
    0x000000001fcbc0f0 sppsvc.exe         2432    496 0x1e6d9580 2021-01-31 18:03:14 UTC+0000
    0x000000001fcc6800 @WanaDecryptor     3968   2732 0x1e6d95c0 2021-01-31 18:02:48 UTC+0000
    0x000000001fcd4350 or4qtckT.exe       2732   1456 0x1e6d94c0 2021-01-31 18:02:16 UTC+0000
    0x000000001fff1c40 System                4      0 0x00185000 2021-01-31 20:56:12 UTC+0000
    0x000000001fff6920 System                4      0 0x00185000 2021-01-31 18:01:10 UTC+0000
    

    Answer: @WanaDecryptor

  2. What is the parent process ID for the suspicious process? (3 points)

    Answer: 2732

  3. What is the initial malicious executable that created this process? (3 points)

    We just need to look for the executable corresponding to the PPID:

    $ python2 vol.py -f infected.vmem --profile=Win7SP1x86 psscan | grep 2732
    Volatility Foundation Volatility Framework 2.6.1
    0x000000001e992a88 taskdl.exe         4060   2732 0x1e6d9540 2021-01-31 18:24:54 UTC+0000   2021-01-31 18:24:54 UTC+0000
    0x000000001ef9ed40 @WanaDecryptor     2688   2732 0x1e6d9460 2021-01-31 18:24:49 UTC+0000   2021-01-31 18:24:49 UTC+0000
    0x000000001fcc6800 @WanaDecryptor     3968   2732 0x1e6d95c0 2021-01-31 18:02:48 UTC+0000
    0x000000001fcd4350 or4qtckT.exe       2732   1456 0x1e6d94c0 2021-01-31 18:02:16 UTC+0000
    

    Answer: or4qtckT.exe

  4. If you drill down on the suspicious PID (vol.py -f infected.vmem --profile=Win7SP1x86 psscan | grep (PIDhere)), find the process used to delete files (3 points)

    The other executable with the same PPID above is taskdl.exe.

    Answer: taskdl.exe
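    As an added example (not part of the original writeup), a small Python parser for the psscan listing above that automates the parent/sibling reasoning of questions 1 to 4: find the suspicious name, read its PPID, resolve the parent, and list the parent's other children. The embedded rows are a constructed excerpt of that listing, and the function names are my own.

```python
import re

# Constructed excerpt of the psscan listing above (rows trimmed to the chain under
# investigation); sample input for this example, not a new capture.
PSSCAN_OUTPUT = """\
0x000000001e992a88 taskdl.exe         4060   2732 0x1e6d9540 2021-01-31 18:24:54 UTC+0000   2021-01-31 18:24:54 UTC+0000
0x000000001ee6a030 explorer.exe       1456   1408 0x1e6d9300 2021-01-31 18:01:12 UTC+0000
0x000000001ef9ed40 @WanaDecryptor     2688   2732 0x1e6d9460 2021-01-31 18:24:49 UTC+0000   2021-01-31 18:24:49 UTC+0000
0x000000001fcc6800 @WanaDecryptor     3968   2732 0x1e6d95c0 2021-01-31 18:02:48 UTC+0000
0x000000001fcd4350 or4qtckT.exe       2732   1456 0x1e6d94c0 2021-01-31 18:02:16 UTC+0000
0x000000001fff1c40 System                4      0 0x00185000 2021-01-31 20:56:12 UTC+0000
0x000000001fff6920 System                4      0 0x00185000 2021-01-31 18:01:10 UTC+0000
"""

# One psscan row: the 'Time exited' column is present only for terminated processes.
ROW = re.compile(r"^(0x[0-9a-f]+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(0x[0-9a-f]+)\s+"
                 r"(\S+ \S+ \S+)(?:\s+(\S+ \S+ \S+))?\s*$")

def parse_psscan(text):
    """One dict per row; banner, header and separator lines simply do not match."""
    rows = [ROW.match(l.strip()) for l in text.splitlines()]
    return [{"name": m[2], "pid": int(m[3]), "ppid": int(m[4]), "created": m[6], "exited": m[7]}
            for m in rows if m]

def by_pid(procs):
    """PID -> first record seen; psscan carves pool memory, so a PID can repeat (System above)."""
    return {p["pid"]: p for p in reversed(procs)}  # reversed so the first record wins

def lineage(procs, pid):
    """Follow PPID links upward, child first; stops at unknown or cyclic PIDs."""
    table, chain, seen = by_pid(procs), [], set()
    while pid in table and pid not in seen:
        seen.add(pid)
        chain.append(table[pid]["name"])
        pid = table[pid]["ppid"]
    return chain

def children(procs, ppid):
    """(name, exited-in-the-same-second) for each child of ppid: the 'grep 2732' step
    without the parent's own row. Children that died the second they started stand out."""
    return sorted((p["name"], p["exited"] == p["created"]) for p in procs if p["ppid"] == ppid)

def investigate(procs, name):
    """Questions 1-3 in one call: PIDs carrying this name, their PPID and the parent's name."""
    hits = [p for p in procs if p["name"] == name]
    parent = by_pid(procs).get(hits[0]["ppid"]) if hits else None
    return {"pids": [p["pid"] for p in hits], "ppid": hits[0]["ppid"] if hits else None,
            "parent": parent["name"] if parent else None}
```

    Running `investigate(procs, "@WanaDecryptor")` on the excerpt returns PPID 2732 with parent or4qtckT.exe, and `children(procs, 2732)` lists taskdl.exe among the short-lived siblings.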

  5. Find the path where the malicious file was first executed (3 points)

    To view the path, we can use the cmdline plugin:

    $ python2 vol.py -f infected.vmem --profile=Win7SP1x86 cmdline | grep or4qtckT.exe
    Volatility Foundation Volatility Framework 2.6.1
    or4qtckT.exe pid:   2732
    Command line : "C:\Users\hacker\Desktop\or4qtckT.exe"
    

    Answer: C:\Users\hacker\Desktop\or4qtckT.exe

  6. Can you identify what ransomware it is? (Do your research!) (2 points)

    If you follow cybersecurity at all, this is pretty obvious right away thanks to the @WanaDecryptor filename.

    Answer: WannaCry

  7. What is the filename for the file with the ransomware public key that was used to encrypt the private key? (.eky extension) (3 points)

    The memdump plugin can be used to dump the contents of a process's memory. We can use this to dump the memory of the process that created the @WanaDecryptor file:

    $ python2 vol.py -f infected.vmem --profile=Win7SP1x86 memdump -p 2732 --dump-dir=.
    Volatility Foundation Volatility Framework 2.6.1
    ************************************************************************
    Writing or4qtckT.exe [  2732] to 2732.dmp
    

    We can then use strings to find the filename:

    $ strings 2732.dmp | grep .eky
    %08X.eky
    %08X.eky
    00000000.eky
    

    The first two hits are a printf-style format string (%08X stands for eight zero-padded hex digits), not a real filename; the third is the rendered name, so that one wins!

    Answer: 00000000.eky

