BlueTeamLabs: Memory Analysis - Ransomware

Overview

This is a medium-difficulty memory forensics challenge hosted by Blue Team Labs Online (BTLO). The challenge requires the use of Volatility to analyze a memory dump and determine the malicious processes. For this challenge, I used a REMnux machine.


Scenario

The Account Executive called the SOC earlier and sounds very frustrated and angry. He stated he can’t access any files on his computer and keeps receiving a pop-up stating that his files have been encrypted. You disconnected the computer from the network and extracted the memory dump of his machine and started analyzing it with Volatility. Continue your investigation to uncover how the ransomware works and how to stop it!


Q1

Run “vol.py -f infected.vmem — profile=Win7SP1x86 psscan” that will list all processes. What is the name of the suspicious process?

The question gives us the profile to use within Volatility, so we can skip determining the proper profile. The question also says to use psscan, but I opted for pstree since it will help us easily understand the process hierarchy. Either plugin will work for this question.

pstree output

From the output, we can see two executables with suspicious names: or4qtckT.exe and @WanaDecryptor. We can assume they want the suspicious child process.

Answer @WanaDecryptor

Q2

What is the parent process ID for the suspicious process?

We noted the suspicious parent process in the previous screenshot, and the parent process ID is listed in the PPid column.

Answer 2732

Q3

What is the initial malicious executable that created this process?

Again, our output from pstree included this information.

Answer or4qtckT.exe

Q4

If you drill down on the suspicious PID (vol.py -f infected.vmem — profile=Win7SP1x86 psscan | grep (PIDhere)), find the process used to delete files

psscan, filtered for the suspicious PID

psxview, filtered for brevity

The thing to note about this question is that the answer did not appear in our pstree output. This is because pstree uses pslist to form its output. Psxview’s output includes columns that show whether or not the entry appears in different plugins’ output. This can be, but is not necessarily, a sign of malicious activity.

Links to their reference docs:

pslist

pstree

psscan

psxview

Answer taskdl.exe

Q5

Find the path where the malicious file was first executed

We’ll use the cmdline plugin to look for execution of the file.

cmdlist, filtered for the malicious file

Answer C:\Users\hacker\Desktop\or4qtckT.exe

Q6

Can you identify what ransomware it is? (Do your research!)

To confirm our suspicions we can search for the IOCs we’ve gathered. Aside from Google, sites like AnyRun can be very useful for this type of research.

AnyRun listing for one of the suspicious files

Answer wannacry

Q7

What is the filename for the file with the ransomware public key that was used to encrypt the private key? (.eky extension)

We can get the answer to this question by reading about how WannaCry works and its various IOCs. To confirm the filename in our memory sample, we can use the mftparser plugin.

mftparser, filtered for files ending in .eky

Note: mftparser scans for MFT entries in memory. Per Microsoft’s documentation — “The NTFS file system contains a file called the master file table, or MFT. There is at least one entry in the MFT for every file on an NTFS file system volume, including the MFT itself”.

Answer 00000000.eky

Conclusion

This was a rather easy challenge, but it did a good job of demonstrating the difference between psscan and pslist, and how we can use psxview to better understand the processes running on the system.