Memory dump analysis
Last updated
Last updated
This task is about
ransomware live response
of aWin10x64_10586
memory dump usingvolatility2
orvolatility3
.
Please download and analyze a given Windows memory dump
from RESOURCES
using volatility
.
The password to unzip the file from RESOURCES
is infected
The memory profile you should use is Win10x64_10586
.
Please respond to the questions below:
find the ransomware
process
extract the ransomware
process volatility2 -f mem.vmem --profile xy procdump --pid xy --dump-dir .
or volatility3 -f mem.vmem windows.pslist.PsList --pid xy --dump
identify the type of ransomware
by using an online tool
. Document each of your steps.
if you could find the encryption key from the memory, would it be possible to decipher the data? Please explain
when exactly, (time, date) was the executable created on the disk? Use the mftparser plugin.
make assumptions relying on answers 1-5 on how the executable made its way to the machine. Justify your answer.
create a simple YARA rule to search for the ransomware on other systems. The rule must match the string RYUKTM and files smaller than 250 kilo bytes.
WARNING!!!
YOU ARE WORKING ON TRULY INFECTED MEMORY DUMP. TAKE GREAT CARE!
Let's scan the memory dump first to find suggested profiles:
To check the network connections I run the following command:
To check the processes I'll run the pstree command:
Next I'll run cmdline to find cmd arguments of a process
Now let's extract the binary of pid: 3496
This command didn't work for me!
md5sum *
Now let's use the mftparser plugin to see when the maliscious process was created
File was created on disk: 24-06-2021 23:00.51 UTC+000
I'll upload the maliscious binary to https://hybrid-analysis.com
After the analysis is finished we get links to different reports. The malwaresample is identified as the ryuk ransomware!
First let's do a yara scan with the default rules
For some reasons the volatility yarascan plugin didn't work for me. I get every time No suitable address space mapping found back. Maybe there's a problem with my virtual machine and I've to verify this later with another one.
I'll continue to scan the extracted binary now with the yara rules
Matching rule looks like this:
Let's create a custom yara rule based on the task description:
Now let's try a yarascan against the memory dump with volatility3volatility3 -f ./vmware-win-infected.vmem windows.vadyarascan.VadYaraScan --yara-rule ./myrule.yar
Didn't get any result back from yara scan in memorydump!
The ransomware process is keepass_instal.exe
The PID is 3496 and the extracted binary is executable.3496.exe
Sandbox Analysis Tools (eg. joe-security / virustotal) identify this executable as Ryuk malware
I don't think so. Using a combination of the symmetric (AES) and asymmetric (RSA) encryption algorithms serves both to encrypt the files and to protect the encryption key, making it impossible for a third party to decrypt the data.
File was created on disk: 24-06-2021 23:00.51 UTC+000
I took notice that keepass_instal.exe is a subprocess of explorer.exe and it is in the downloads directory of the user itself. Therefore I guess it must be downloaded and started by the user itself and was not dropped and executed by a malware.
Please find my YARA Rule above