root💀bl4ck4non-sec:~#

Hack. Eat. Sleep. Repeat!!!


What is Volatility??

Volatility is an open-source memory forensics framework used for incident response and malware analysis. Developed in Python, it allows investigators to analyze RAM dumps to uncover details about running processes, network connections, and other system activities. Volatility supports various operating systems including Windows, macOS, and Linux, and works with multiple memory dump formats. Key functionalities include scanning for processes, detecting hidden services, and recovering deleted files using specialized plugins. The framework is widely utilized by digital forensic experts for its comprehensive analysis capabilities and flexibility.

You can read more about it here

To install Volatility 2 and Volatility 3 on Linux, you can use this

Let's get started hehe

image

First Question

Run “vol.py -f infected.vmem --profile=Win7SP1x86 psscan” that will list all processes. What is the name of the suspicious process?


command:python3 vol.py -f ../../../blue_team_labs/memory_forensics/BTLO\ Memory\ Analysis\ -\ Ransomware/infected.vmem windows.psscan.PsScan

(windows.psscan.PsScan is the Volatility 3 plugin name, which runs under Python 3 and needs no --profile; the Volatility 2 equivalent is the psscan command with --profile=Win7SP1x86 used in the later questions.)

image

Yeah that’s the suspicious process running

Answer:-@WanaDecryptor


Second Question

What is the parent process ID for the suspicious process?


We can read the PPID straight from the psscan output of the previous command

image

Answer:-2732


Third Question

What is the initial malicious executable that created this process?


image

We can see from the above screenshot that the executable or4qtckT.exe has the PPID of @WanaDecryptor (2732) as its own PID, so it is the parent that spawned the ransomware process

Answer:-or4qtckT.exe


Fourth Question

If you drill down on the suspicious PID (vol.py -f infected.vmem --profile=Win7SP1x86 psscan | grep (PIDhere)), find the process used to delete files


command:python2 vol.py -f ../../../blue_team_labs/memory_forensics/BTLO\ Memory\ Analysis\ -\ Ransomware/infected.vmem --profile=Win7SP1x86 psscan | grep "2732"

image

That's the process used to delete files (grep "2732" matches both or4qtckT.exe's own PID and every process whose PPID is 2732, i.e. its children)

Answer:-taskdl.exe
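The second through fourth questions are all one operation on the psscan table: parse it into a PID/PPID map and walk the parent-child links. The script below is an added example, not part of the original write-up or of Volatility; it parses a constructed sample in the layout of Volatility 2 psscan output, where only or4qtckT.exe's PID (2732) comes from the write-up and every other PID, offset and timestamp is a placeholder.

```python
import re

# Constructed sample in the layout of Volatility 2 "psscan" output. Only
# or4qtckT.exe's PID (2732) is from the write-up; the other PIDs, offsets and
# timestamps are placeholders, not values from the real infected.vmem.
SAMPLE_PSSCAN = """\
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x000000003e0a4030 explorer.exe       1840   1808 0x3f7d0340 2020-01-01 10:00:00 UTC+0000
0x000000003e25b030 or4qtckT.exe       2732   1840 0x3f7d0400 2020-01-01 10:05:00 UTC+0000
0x000000003e3c1d40 @WanaDecryptor@    3060   2732 0x3f7d04c0 2020-01-01 10:05:10 UTC+0000
0x000000003e44f5e0 taskdl.exe         3120   2732 0x3f7d0580 2020-01-01 10:05:12 UTC+0000   2020-01-01 10:05:13 UTC+0000
"""

# A data row starts with the pool offset, then name, PID and PPID.
LINE_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\d+)\s+(\d+)\s")


def parse_psscan(text):
    """Return {pid: (name, ppid)} from psscan output; header and rule rows are skipped."""
    procs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            procs[int(m.group(2))] = (m.group(1), int(m.group(3)))
    return procs


def find_pid(procs, name_prefix):
    """PID of the first process whose name starts with name_prefix (psscan shows a truncated image name)."""
    for pid, (name, _ppid) in procs.items():
        if name.startswith(name_prefix):
            return pid
    return None


def parent_of(procs, pid):
    """(ppid, parent name); the name is None when the parent is not in the scan."""
    ppid = procs[pid][1]
    return ppid, (procs[ppid][0] if ppid in procs else None)


def children_of(procs, pid):
    """Names of processes whose PPID is pid: the 'grep PID' step, but only on the PPID column."""
    return sorted(name for _cpid, (name, ppid) in procs.items() if ppid == pid)


def lineage(procs, pid):
    """Walk PPIDs upward to show how a process was spawned, stopping at an unknown parent."""
    chain = []
    while pid in procs:
        chain.append(procs[pid][0])
        pid = procs[pid][1]
    return chain
```

Run against a real dump by piping the output of the Volatility 2 psscan command into parse_psscan instead of SAMPLE_PSSCAN.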


Fifth Question

Find the path where the malicious file was first executed


Since we know the malicious executable is or4qtckT.exe, we can get its path with the filescan module

command:python2 vol.py -f ../../../blue_team_labs/memory_forensics/BTLO\ Memory\ Analysis\ -\ Ransomware/infected.vmem --profile=Win7SP1x86 filescan | grep "or4qtckT.exe"

image

Using Volatility 3 for this gave a more accurate answer, though

image

Answer:-\Users\hacker\Desktop\or4qtckT.exe


Sixth Question

Can you identify what ransomware it is? (Do your research!)


If you recall, we found the process used to delete files, taskdl.exe; researching that name

image

turned up the name of the ransomware

Answer:-WannaCry


Seventh Question

What is the filename for the file with the ransomware public key that was used to encrypt the private key? (.eky extension)


To solve this question we'll use the filescan module again; since we know the extension, we'll just grep for it hehe

image

We got our answer

Answer:-00000000.eky


image


Till Next Time :xD


