# Ransomware Memory Forensics with Volatility (Write-Up by Susanne Kloss)

Investigation of the volatile memory of a machine that might have become the target of a ransomware attack.

The VMware memory dump and the challenge come from Blue Team Labs Online: https://blueteamlabs.online/home/challenge/memory-analysis-ransomware-7da6c9244d

The investigation was done on a Kali Linux VM with Volatility 2.

1. **Install Volatility on Kali Linux**
   see: https://seanthegeek.net/1172/how-to-install-volatility-2-and-volatility-3-on-debian-ubuntu-or-kali-linux/

2. **Download the memory dump to the Kali Linux machine and unzip it**
   we need the 'infected.vmem' file

3. **Start the investigation with Volatility: first find out the OS of the infected machine**
   *vol.py -f infected.vmem imageinfo*
   ![image](https://hackmd.io/_uploads/Sk0tbjxPa.png)
   -> use the suggested profile Win7SP1x86 as `--profile` for all following plugins (without the right profile the kernel structures are mis-parsed and process lists come out empty or garbled)

4. **Find the suspicious process**
   *psscan* yields a list of all processes; unlike *pslist* it carves _EPROCESS structures out of physical memory instead of walking the active process list, so it also shows terminated and unlinked (hidden) processes
   -> suspicious process is @WanaDecryptor

5. **Find the initial malicious executable that created this process**
   *pstree* gives a hierarchical list of the processes (parent/child relation taken from the PPID field)
   ![image](https://hackmd.io/_uploads/HkHwzigPT.png)
   -> @WanaDecryptor was created by 'or4qtckT.exe'

6. **Find the process used to delete files**
   filter the output of *psscan* for the suspicious PID (it appears as PPID of the child processes)
   ![image](https://hackmd.io/_uploads/r1JGNilwa.png)
   -> 'taskdl.exe' looks promising
   -> look it up online, e.g. https://www.mandiant.com/resources/blog/wannacry-malware-profile
   -> confirms that this is the file deletion tool used by WannaCry ransomware

7. **Find the path from which the malicious file was first executed**
   *cmdline* filtered for the malicious file 'or4qtckT.exe' gives the command line
   ![image](https://hackmd.io/_uploads/HybvSixva.png)
   -> Command line : "C:\Users\hacker\Desktop\or4qtckT.exe"

8. **Find the filename of the file with the ransomware public key (.eky extension)**
   First dump the memory of the malicious parent process with PID 2732 with *memdump*,
   then search the dump with *strings* for a file name ending in .eky
   ![image](https://hackmd.io/_uploads/r1UPLsxDa.png)
   -> 00000000.eky
   (caveat: in WannaCry's own file naming, 00000000.pky holds the per-victim RSA public key and 00000000.eky the matching private key encrypted with the attackers' embedded public key; the challenge asks for the .eky file)

9. **Find out more about the malicious executable and the ransomware it belongs to**
   or4qtckT -> https://any.run/report/91afb972e14584bc1e23802e2b26813f57b802689fe61a540fdaf162cecd7493/518ba9b3-51e5-4418-b1a7-487f317ab84f
   -> WannaCry ransomware

### Sources

- https://blueteamlabs.online/home/challenge/memory-analysis-ransomware-7da6c9244d
- https://seanthegeek.net/1172/how-to-install-volatility-2-and-volatility-3-on-debian-ubuntu-or-kali-linux/
- https://terguttac.medium.com/btlo-memory-analysis-ransomware-2523c2b5f864
- https://infosecwriteups.com/memory-analysis-ransomware-blueteamlabs-f49765cd5b9c
- https://dannychild.com/btlo-challenge-memory-analysis-ransomware/
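### Scripted version of the steps

The investigation steps above as a bash script, added here as an example; it is not part of the original write-up. It assumes Volatility 2 is installed as `vol.py` on the PATH (step 1), that the image is `infected.vmem` and that the profile is `Win7SP1x86` (step 3). The helper names (`vol_run`, `pid_of`, `ancestry`, `eky_files`, ...) are my own, and the `SAMPLE_PSSCAN` text embedded in the script is a constructed psscan-style sample, not the challenge's real output: offsets, timestamps and the child PIDs are made up, only PID 2732 for or4qtckT.exe follows the write-up. The full run against the image only happens when the image and `vol.py` are present; the text helpers work without them.

```bash
#!/usr/bin/env bash
# Added example, not part of the original write-up: the Volatility 2 steps
# of the write-up as a script, plus small helpers that work offline on saved
# plugin output. Assumptions: vol.py is Volatility 2 on PATH (step 1), the
# image is infected.vmem and the profile is Win7SP1x86 (result of step 3).
set -euo pipefail

IMAGE="${IMAGE:-infected.vmem}"
PROFILE="${PROFILE:-Win7SP1x86}"
OUT="${OUT:-out}"

# Run one Volatility 2 plugin and keep its text output under $OUT/, so that
# later filtering is done with awk/grep instead of re-scanning the image.
vol_run() {                       # vol_run <plugin> [plugin args...]
  local plugin="$1"; shift
  mkdir -p "$OUT"
  vol.py -f "$IMAGE" --profile="$PROFILE" "$plugin" "$@" | tee "$OUT/$plugin.txt"
}

# psscan output columns: Offset(P) Name PID PPID PDB Time-created Time-exited,
# so $2 is the image name, $3 the PID and $4 the PPID. The header and the
# dashed separator never equal a numeric PID, so they need no special casing.
pid_of()      { awk -v n="$1" '$2 == n { print $3; exit }'; }   # pid_of <name>      < psscan.txt
name_of()     { awk -v p="$1" '$3 == p { print $2; exit }'; }   # name_of <pid>      < psscan.txt
ppid_of()     { awk -v p="$1" '$3 == p { print $4; exit }'; }   # ppid_of <pid>      < psscan.txt
children_of() { awk -v p="$1" '$4 == p { print $3, $2 }'; }     # children_of <ppid> < psscan.txt

# Walk the parent chain upwards (step 5 by hand, without pstree): prints
# "pid name" from the given process up to the first PID absent from the scan.
ancestry() {                      # ancestry <pid> <psscan.txt>
  local pid="$1" file="$2" name
  while [ -n "$pid" ] && name=$(name_of "$pid" < "$file") && [ -n "$name" ]; do
    printf '%s %s\n' "$pid" "$name"
    pid=$(ppid_of "$pid" < "$file")
  done
}

# Distinct candidate key-file names in strings output (step 8).
eky_files() {                     # eky_files < strings.txt
  { grep -oE '[A-Za-z0-9_]+\.eky' || true; } | sort -u
}

# Constructed psscan-style sample (NOT the challenge's real output: offsets,
# timestamps and the child PIDs are made up; only PID 2732 for or4qtckT.exe
# follows the write-up). Lets the helpers be exercised without the image.
SAMPLE_PSSCAN='Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x000000003e1a0030 explorer.exe       1424   1380 0x3f1fb2a0 2020-01-01 00:00:00 UTC+0000
0x000000003e7b2a08 or4qtckT.exe       2732   1424 0x3f1fb2a0 2020-01-01 00:01:00 UTC+0000
0x000000003e8c3b10 @WanaDecryptor     2816   2732 0x3f1fb2a0 2020-01-01 00:01:30 UTC+0000
0x000000003e9d4c20 taskdl.exe         2956   2732 0x3f1fb2a0 2020-01-01 00:02:00 UTC+0000   2020-01-01 00:02:01 UTC+0000'

# Full run against the real image (steps 3 to 8); skipped when the image or
# vol.py is absent so the helpers can still be tried on the sample above.
if [ -f "$IMAGE" ] && command -v vol.py >/dev/null 2>&1; then
  vol.py -f "$IMAGE" imageinfo                        # step 3: confirm $PROFILE
  vol_run psscan >/dev/null                           # step 4
  pid=$(pid_of or4qtckT.exe < "$OUT/psscan.txt")
  echo "parent chain of or4qtckT.exe:"; ancestry "$pid" "$OUT/psscan.txt"   # step 5
  echo "children of $pid:"; children_of "$pid" < "$OUT/psscan.txt"          # step 6
  vol_run cmdline -p "$pid"                           # step 7
  vol_run memdump -p "$pid" -D "$OUT" >/dev/null      # step 8: writes $OUT/<pid>.dmp
  strings "$OUT/$pid.dmp" | eky_files
fi
```

Run it from the directory containing `infected.vmem` (`bash triage.sh`); the plugin outputs are kept under `out/` so the awk filters can be re-run without touching the image again. On a real case, check the `children_of` output against *pstree* and the PPID column before trusting it: psscan also returns exited processes whose PIDs may have been reused.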