BTLO: Memory Analysis — Ransomware
Overview: This is a medium-difficulty memory forensics challenge hosted by Blue Team Labs Online (BTLO). It requires using Volatility (version 2, given the profile syntax in the questions) to analyze a Windows 7 memory dump and identify the malicious processes. For this challenge, I used a REMnux machine.
Scenario: The Account Executive called the SOC earlier and sounds very frustrated and angry. He stated he can’t access any files on his computer and keeps receiving a pop-up stating that his files have been encrypted. You disconnected the computer from the network and extracted the memory dump of his machine and started analyzing it with Volatility. Continue your investigation to uncover how the ransomware works and how to stop it!
Q1
Run "vol.py -f infected.vmem --profile=Win7SP1x86 psscan" that will list all processes. What is the name of the suspicious process?
The question gives us the profile to use within Volatility, so we can skip the usual imageinfo/kdbgscan step of determining the proper profile. The question also says to use psscan, but I opted for pstree since it renders the parent/child hierarchy directly. Either plugin will answer this question.
From the output, two executables with suspicious names stand out: or4qtckT.exe and, nested beneath it, @WanaDecryptor. Since Q2 and Q3 go on to ask about the parent and the executable that created it, the answer here is the child process.
Answer: @WanaDecryptor
Q2
What is the parent process ID for the suspicious process?
The same pstree output shows the parent: the PPid column of the @WanaDecryptor entry gives its parent process ID.
Answer: 2732
Q3
What is the initial malicious executable that created this process?
Again, pstree already gives us this: @WanaDecryptor is indented beneath or4qtckT.exe, the process with PID 2732.
Answer: or4qtckT.exe
Q4
If you drill down on the suspicious PID (vol.py -f infected.vmem --profile=Win7SP1x86 psscan | grep (PIDhere)), find the process used to delete files
The thing to note about this question is that the answer did not appear in our pstree output. pstree is built on pslist, which walks the kernel's doubly linked list of _EPROCESS structures; a process that has already exited (or that has been unlinked from the list to hide it) is no longer there. psscan instead carves _EPROCESS structures out of physical memory by their pool tag, so it also recovers terminated and unlinked processes, along with their exit times. Grepping the psscan output for 2732 matches both or4qtckT.exe's own row and every row whose PPID is 2732, which is where taskdl.exe shows up. psxview combines these views: its output has one column per process-listing technique (pslist, psscan, thrdproc, pspcid, csrss, session, deskthrd) showing whether each entry was found by that method. A process that is in psscan but not pslist can be, but is not necessarily, a sign of malicious activity; a psscan-only entry that also carries an exit time is usually just a process that finished before the dump was taken.
Answer: taskdl.exe
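To make the pslist-versus-psscan difference concrete, here is a small script, added for this write-up and not part of Volatility or of BTLO's material, that parses the two listings the way psxview cross-references them and then works through Q1 to Q4 from the parsed rows. The two listings embedded in it are constructed to resemble Volatility 2 pslist and psscan output for this scenario: or4qtckT.exe with PID 2732, @WanaDecryptor and taskdl.exe come from the write-up, while every offset, timestamp, the other PIDs and the notepad.exe row are invented for illustration. The script also generalizes slightly beyond the challenge by separating psscan-only rows that carry an exit time (processes that simply finished) from those that do not (candidates for an unlinked, hidden process).

```python
"""Cross-check Volatility 2 pslist vs psscan output, the way psxview does.

Added example for the write-up; not Volatility code. The listings below are
CONSTRUCTED: only or4qtckT.exe (PID 2732), @WanaDecryptor and taskdl.exe are
taken from the challenge, everything else is invented sample data.
"""
import re
from dataclasses import dataclass

# pslist walks the kernel's _EPROCESS linked list, so exited/unlinked
# processes are absent. Columns trimmed to what matters here.
PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- ---------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0x83c3a020 System                      4      0     88      516 ------      0 2021-05-06 00:00:01 UTC+0000
0x84ab6d40 explorer.exe             1512   1488     27      843      1      0 2021-05-06 00:01:10 UTC+0000
0x85201d40 or4qtckT.exe             2732   1512      6      112      1      0 2021-05-06 00:05:00 UTC+0000
0x851d8030 @WanaDecryptor           2828   2732      2       71      1      0 2021-05-06 00:05:02 UTC+0000
"""

# psscan carves _EPROCESS structures by pool tag from physical memory, so it
# also recovers processes that have exited, and reports their exit time.
PSSCAN = """\
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x000000003c3a0020 System                4      0 0x00185000 2021-05-06 00:00:01 UTC+0000
0x000000003e0d8030 taskdl.exe         3004   2732 0x3ecd3340 2021-05-06 00:05:03 UTC+0000   2021-05-06 00:05:04 UTC+0000
0x000000003f1c2d40 notepad.exe        2100   1512 0x3ecd3400 2021-05-06 00:02:00 UTC+0000   2021-05-06 00:03:30 UTC+0000
0x000000003eab6d40 explorer.exe       1512   1488 0x3ecd3200 2021-05-06 00:01:10 UTC+0000
0x000000003f201d40 or4qtckT.exe       2732   1512 0x3ecd3380 2021-05-06 00:05:00 UTC+0000
0x000000003f1d8030 @WanaDecryptor     2828   2732 0x3ecd33c0 2021-05-06 00:05:02 UTC+0000
"""


@dataclass(frozen=True)
class Proc:
    name: str
    pid: int
    ppid: int
    exited: bool  # True when the row carries a second (exit) timestamp


# Both plugins print Offset, Name, PID, PPID as the first four columns.
ROW_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\d+)\s+(\d+)\s+(.*)$")


def parse_process_rows(text):
    """Parse pslist or psscan text into Proc rows, skipping header lines."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        name, pid, ppid, rest = m.groups()
        rows.append(Proc(name, int(pid), int(ppid), rest.count("UTC+0000") >= 2))
    return rows


def psscan_only(pslist_text, psscan_text):
    """Rows psscan carved that the linked-list walk (pslist) did not contain."""
    listed = {(p.pid, p.name) for p in parse_process_rows(pslist_text)}
    return [p for p in parse_process_rows(psscan_text) if (p.pid, p.name) not in listed]


def children_of(rows, ppid):
    """Names of processes whose parent is `ppid`, like grepping psscan for it."""
    return sorted({p.name for p in rows if p.ppid == ppid})


def parent_chain(rows, pid):
    """Walk PPID links upward; first element is the process itself."""
    by_pid = {p.pid: p for p in rows}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def answers(pslist_text, psscan_text):
    """Q1-Q4 derived from the listings; 'hidden' flags psscan-only rows with no exit time."""
    listed = parse_process_rows(pslist_text)
    child = next(p for p in listed if p.name == "@WanaDecryptor")
    parent = parent_chain(listed, child.pid)[1]
    gone = psscan_only(pslist_text, psscan_text)
    return {
        "suspicious": child.name,
        "ppid": parent.pid,
        "initial_exe": parent.name,
        "psscan_only_children": [p.name for p in gone if p.ppid == parent.pid],
        "hidden": [p.name for p in gone if not p.exited],
    }


if __name__ == "__main__":
    for key, value in answers(PSLIST, PSSCAN).items():
        print(f"{key}: {value}")
```

On the constructed data, taskdl.exe and notepad.exe are both psscan-only, but both carry an exit time, so neither is flagged as hidden; the child of 2732 among them, taskdl.exe, is the Q4 answer, while notepad.exe is the benign case the caveat above warns about. On a real dump you would feed the script the saved text output of the two plugins.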
Q5
Find the path where the malicious file was first executed
The cmdline plugin prints the command line each process was started with, which includes the full path of the executable; the line for or4qtckT.exe (PID 2732) gives the directory it was launched from.
Answer: C:\Users\hacker\Desktop\or4qtckT.exe
Q6
Can you identify what ransomware it is? (Do your research!)
To confirm our suspicions we can search for the IOCs gathered so far: the file names @WanaDecryptor, taskdl.exe and or4qtckT.exe, and the "your files have been encrypted" pop-up from the scenario. Aside from Google, sandbox report sites like ANY.RUN are very useful for this kind of research, since public reports list the process tree and dropped files of known samples.
Answer: wannacry
Q7
What is the filename for the file with the ransomware public key that was used to encrypt the private key? (.eky extension)
We can get the answer to this question by reading about how WannaCry works and its various IOCs: it generates an RSA key pair per victim, writes the public key to 00000000.pky, and stores the victim's private key, encrypted with the attacker's RSA public key embedded in the sample, in 00000000.eky. To confirm the filename is present in our memory sample, we can use the mftparser plugin and filter its output for the .eky extension (for example, piping it through grep -i '\.eky').
Note: mftparser scans memory for MFT entries. Per Microsoft's documentation: "The NTFS file system contains a file called the master file table, or MFT. There is at least one entry in the MFT for every file on an NTFS file system volume, including the MFT itself". Because the MFT records file names, timestamps and (for small files) resident data, fragments of it in memory let us confirm that a file existed on disk without having the disk image.
Answer: 00000000.eky
Conclusion:
Although rated medium, this was a fairly quick challenge, but it did a good job of demonstrating the difference between psscan (pool-tag carving, which also finds exited and unlinked processes) and pslist (linked-list walk), and how psxview can be used to cross-check the process listings and better understand what was running on the system.