# Ransomware Memory Forensics with Volatility (Write-Up by Susanne Kloss)
Investigation of the volatile memory of a machine that might have become the target of a ransomware attack.
The VMware memory dump and the challenge came from Blue Team Labs Online:
https://blueteamlabs.online/home/challenge/memory-analysis-ransomware-7da6c9244d
The investigation was done on a Kali Linux VM.
1. **Installation of Volatility on Kali Linux**
see: https://seanthegeek.net/1172/how-to-install-volatility-2-and-volatility-3-on-debian-ubuntu-or-kali-linux/
2. **Download memory dump to Kali Linux machine and unzip**
We need the 'infected.vmem' file.
3. **Start the investigation with Volatility - first find out the OS of the infected machine**
*vol.py -f infected.vmem imageinfo*
![image](https://hackmd.io/_uploads/Sk0tbjxPa.png)
-> use the suggested profile Win7SP1x86 as the --profile for all further commands
4. **Find the suspicious process**
*psscan* yields a list of all processes
-> suspicious process is @WanaDecryptor
5. **Find the initial malicious executable that created this process**
*pstree* gives a hierarchical list of the processes
![image](https://hackmd.io/_uploads/HkHwzigPT.png)
-> @WanaDecryptor was created by 'or4qtckT.exe'
6. **Find process used to delete files**
Filter the output of *psscan* for the suspicious PID
![image](https://hackmd.io/_uploads/r1JGNilwa.png)
-> 'taskdl.exe' looks promising
-> look it up online, e.g. https://www.mandiant.com/resources/blog/wannacry-malware-profile
-> this confirms that it is a file deletion tool used by the WannaCry ransomware
7. **Find the path where the malicious file was first executed**
*cmdline* filtered for the malicious file 'or4qtckT.exe' gives the command line
![image](https://hackmd.io/_uploads/HybvSixva.png)
-> Command line : "C:\Users\hacker\Desktop\or4qtckT.exe"
8. **Find the filename of the file holding the ransomware public key (.eky extension)**
First make a memory dump of the malicious parent process with PID 2732
Then scan the dump with *strings* for a filename ending in .eky
![image](https://hackmd.io/_uploads/r1UPLsxDa.png)
-> 00000000.eky
9. **Find out more about the malicious executable and the ransomware it belongs to**
or4qtckT -> https://any.run/report/91afb972e14584bc1e23802e2b26813f57b802689fe61a540fdaf162cecd7493/518ba9b3-51e5-4418-b1a7-487f317ab84f
-> WannaCry ransomware
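The parent/child walk of steps 4-6 and the .eky search of step 8 can be automated over saved Volatility output. The Python below is an added example, not part of the original write-up; it runs on constructed psscan-style text in which only PID 2732 (the malicious parent from step 8) comes from the write-up and the other PIDs, offsets and timestamps are invented.

```python
"""Parse Volatility 2 psscan output and follow parent/child links (steps 4-6, 8)."""
import re

# Constructed psscan-style output for the example. Only PID 2732 (the write-up's
# malicious parent process) comes from the write-up; the other PIDs are invented.
PSSCAN_OUTPUT = """\
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x000000003e0a1030 explorer.exe       1400   1360 0x3ee00200 2019-08-12 10:00:01 UTC+0000
0x000000003e4b2d40 or4qtckT.exe       2732   1400 0x3ee00320 2019-08-12 10:02:15 UTC+0000
0x000000003e5e6030 @WanaDecryptor     3156   2732 0x3ee003a0 2019-08-12 10:02:20 UTC+0000
0x000000003e5f8a20 taskdl.exe         3240   2732 0x3ee003c0 2019-08-12 10:02:25 UTC+0000   2019-08-12 10:02:26 UTC+0000
0x000000003e613b08 cmd.exe            3301   3156 0x3ee003e0 2019-08-12 10:02:30 UTC+0000
"""

def parse_psscan(text):
    """Return {pid: (name, ppid)}; header and separator lines are skipped."""
    procs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].startswith("0x"):
            continue
        procs[int(parts[2])] = (parts[1], int(parts[3]))
    return procs

def find_pid(procs, fragment):
    """First PID whose image name contains fragment (e.g. 'WanaDecryptor')."""
    return next((pid for pid, (name, _) in procs.items() if fragment in name), None)

def ancestry(procs, pid):
    """Walk PPID links upward: [(pid, name), ...] from pid to the last known parent."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)                      # guard against PID reuse loops in scan output
        name, ppid = procs[pid]
        chain.append((pid, name))
        pid = ppid
    return chain

def children(procs, ppid):
    """Everything the given parent launched (the step-6 'filter psscan for the PID')."""
    return sorted((pid, name) for pid, (name, p) in procs.items() if p == ppid)

EKY_RE = re.compile(rb"[0-9A-Za-z]{8}\.eky")

def find_eky_names(blob):
    """Step 8: strings-style scan of a dumped process image for .eky filenames."""
    return sorted({m.group().decode() for m in EKY_RE.finditer(blob)})
```

Against a real dump, feed the saved `psscan` text to `parse_psscan` and the bytes of the `memdump` output file to `find_eky_names`.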
### Sources
- https://blueteamlabs.online/home/challenge/memory-analysis-ransomware-7da6c9244d
- https://seanthegeek.net/1172/how-to-install-volatility-2-and-volatility-3-on-debian-ubuntu-or-kali-linux/
- https://terguttac.medium.com/btlo-memory-analysis-ransomware-2523c2b5f864
- https://infosecwriteups.com/memory-analysis-ransomware-blueteamlabs-f49765cd5b9c
- https://dannychild.com/btlo-challenge-memory-analysis-ransomware/