Memory dump analysis
Last updated 3 years ago
1. Introduction

This task is a ransomware live-response exercise on a Win10x64_10586 memory dump, analysed with volatility2 or volatility3.

2. Your Task

Please download and analyze the given Windows memory dump from RESOURCES using volatility.

  • The password to unzip the file from RESOURCES is infected

  • The memory profile you should use is Win10x64_10586.

  • Please respond to the questions below:

  1. find the ransomware process

  2. extract the ransomware process:
     volatility2 -f mem.vmem --profile xy procdump --pid xy --dump-dir .
     or
     volatility3 -f mem.vmem windows.pslist.PsList --pid xy --dump

  3. identify the type of ransomware by using an online tool. Document each of your steps.

  4. if you could find the encryption key in memory, would it be possible to decipher the data? Please explain.

  5. when exactly (time, date) was the executable created on the disk? Use the mftparser plugin.

  6. make assumptions relying on answers 1-5 on how the executable made its way to the machine. Justify your answer.

  7. create a simple YARA rule to search for the ransomware on other systems. The rule must match the string RYUKTM and files smaller than 250 kilobytes.

WARNING!!!

YOU ARE WORKING ON TRULY INFECTED MEMORY DUMP. TAKE GREAT CARE!

3. Analysis with volatility

Let's scan the memory dump first to find suggested profiles:

volatility2 -f vmware-win-infected.vmem imageinfo
volatility3 -f vmware-win-infected.vmem windows.info

To check the network connections I'll run the following command:

volatility2 -f vmware-win-infected.vmem --profile Win10x64_10586 netscan
volatility3 -f vmware-win-infected.vmem windows.netscan

To check the processes I'll run the pstree command:

volatility2 -f vmware-win-infected.vmem --profile Win10x64_10586 pstree
volatility3 -f vmware-win-infected.vmem windows.pstree

Next I'll run cmdline to find the command-line arguments of each process:

volatility2 -f vmware-win-infected.vmem --profile Win10x64_10586 cmdline
volatility3 -f vmware-win-infected.vmem windows.cmdline

Now let's extract the binary of PID 3496:

volatility2 -f vmware-win-infected.vmem --profile Win10x64_10586 procdump --pid 3496 --dump-dir .
volatility3 -f vmware-win-infected.vmem windows.dumpfiles --pid 3496

This command didn't work for me!

volatility3 -f vmware-win-infected.vmem windows.pslist.PsList --pid 3496 --dump

md5sum *

Now let's use the mftparser plugin to see when the malicious process was created:

volatility2 -f vmware-win-infected.vmem --profile Win10x64_10586 mftparser > mftpars.txt
grep keepass mftpars.txt

File was created on disk: 24-06-2021 23:00.51 UTC+000

4. Identify Malware sample

I'll upload the malicious binary to https://hybrid-analysis.com

After the analysis is finished we get links to different reports (Automated Malware Analysis Report for executable.3496.exe - Generated by Joe Sandbox). The malware sample is identified as the ryuk ransomware!

5. YARA Scan

First let's do a yara scan with the default rules, then with two public Ryuk rules:

cd /opt/applic/yara-rules
volatility2 -f /home/hacker/Downloads/vmware-win-infected.vmem yarascan --yara-rule ./index.yar
wget https://raw.githubusercontent.com/colincowie/Yara-Rules/master/MALW/Ryuk.yar
wget https://raw.githubusercontent.com/advanced-threat-research/Yara-Rules/master/ransomware/RANSOM_Ryuk.yar
volatility2 -f vmware-win-infected.vmem yarascan --yara-rule ./Ryuk.yar
volatility2 -f vmware-win-infected.vmem yarascan --yara-rule ./Ransom_Ryuk.yar

For some reason the volatility yarascan plugin didn't work for me. Every time I get No suitable address space mapping found back. Maybe there's a problem with my virtual machine and I have to verify this later with another one.

I'll continue by scanning the extracted binary with the yara rules:

yara Ryuk.yar executable.3496.exe
yara Ransom_Ryuk.yar executable.3496.exe

The matching rule looks like this:

rule RANSOM_RYUK_May2021 : ransomware
{
	meta:
		description = "Rule to detect latest May 2021 compiled Ryuk variant"
		author = "Marc Elias | McAfee ATR Team"
		date = "2021-05-21"
		hash = "8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a"
		version = "0.1"

	strings:
		$ryuk_filemarker = "RYUKTM" fullword wide ascii
		
		$sleep_constants = { 68 F0 49 02 00 FF (15|D1) [0-4] 68 ?? ?? ?? ?? 6A 01 }
		$icmp_echo_constants = { 68 A4 06 00 00 6A 44 8D [1-6] 5? 6A 00 6A 20 [5-20] FF 15 }
		
	condition:
		uint16(0) == 0x5a4d
		and uint32(uint32(0x3C)) == 0x00004550
		and filesize < 200KB
		and ( $ryuk_filemarker
		or ( $sleep_constants 
		and $icmp_echo_constants ))
}

6. Custom YARA Rule

Let's create a custom yara rule based on the task description and save it as myrule.yar:

rule ryuktm
{
	meta:
		description = "RYUKTM malware"
	strings:
		$ryuktm = "RYUKTM"
	condition:
		uint16(0) == 0x5a4d
		and filesize < 250KB
		and $ryuktm
}
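As an added illustration (not part of the original write-up, and not code from either rule's author), the following Python mirrors the conditions of the two rules above in plain code, so the PE header checks and the string modifiers can be exercised on constructed buffers; the helper names are mine and the fullword/wide handling is an approximation of YARA's semantics.

```python
import re
import struct

# The buffers built below are constructed test data, not real Ryuk samples.

def build_pe_like(payload: bytes, e_lfanew: int = 0x80) -> bytes:
    """Minimal buffer satisfying uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x4550."""
    hdr = bytearray(e_lfanew + 4)
    hdr[0:2] = b"MZ"                                # DOS magic, 0x5a4d little-endian
    hdr[0x3C:0x40] = struct.pack("<I", e_lfanew)    # e_lfanew: offset of the PE signature
    hdr[e_lfanew:e_lfanew + 4] = b"PE\x00\x00"      # 0x00004550 little-endian
    return bytes(hdr) + payload

def has_mz(data: bytes) -> bool:
    return len(data) >= 2 and struct.unpack_from("<H", data, 0)[0] == 0x5A4D

def has_pe_signature(data: bytes) -> bool:
    """uint32(uint32(0x3C)) == 0x00004550: follow e_lfanew to the PE signature."""
    if len(data) < 0x40:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and struct.unpack_from("<I", data, e_lfanew)[0] == 0x4550

def string_present(data: bytes, word: bytes, wide: bool = False, fullword: bool = False) -> bool:
    """Approximate YARA modifiers: 'wide' searches the UTF-16LE form of the string,
    'fullword' rejects hits flanked by alphanumeric characters in the same encoding."""
    needle = word.decode("ascii").encode("utf-16-le") if wide else word
    alnum = rb"[A-Za-z0-9]\x00" if wide else rb"[A-Za-z0-9]"
    pat = re.escape(needle)
    if fullword:
        pat = rb"(?<!" + alnum + rb")" + pat + rb"(?!" + alnum + rb")"
    return re.search(pat, data) is not None

def custom_rule_matches(data: bytes) -> bool:
    """Mirror of rule ryuktm: MZ magic, filesize < 250KB (YARA KB = 1024), plain ASCII RYUKTM."""
    return has_mz(data) and len(data) < 250 * 1024 and string_present(data, b"RYUKTM")

def mcafee_marker_branch(data: bytes) -> bool:
    """The $ryuk_filemarker branch of RANSOM_RYUK_May2021 (its hex-pattern branch is omitted):
    MZ + PE signature, filesize < 200KB, RYUKTM as a full word in ASCII or UTF-16LE."""
    return (has_mz(data) and has_pe_signature(data) and len(data) < 200 * 1024
            and (string_present(data, b"RYUKTM", fullword=True)
                 or string_present(data, b"RYUKTM", wide=True, fullword=True)))

if __name__ == "__main__":
    sample = build_pe_like(b"\x00" * 16 + b"RYUKTM" + b"\x00" * 16)   # constructed hit
    print(custom_rule_matches(sample), mcafee_marker_branch(sample))  # True True
```

Note the difference the modifiers make: the custom rule, with no modifiers, only sees the ASCII string and also fires on "XRYUKTMX", while the McAfee marker branch accepts the UTF-16LE form but requires a full word.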

Now let's try a yarascan against the memory dump with volatility3:

volatility3 -f ./vmware-win-infected.vmem windows.vadyarascan.VadYaraScan --yara-rule ./myrule.yar

Didn't get any result back from yara scan in memorydump!

7. Answers

  1. The ransomware process is keepass_instal.exe

  2. The PID is 3496 and the extracted binary is executable.3496.exe

  3. Sandbox Analysis Tools (e.g. joe-security / virustotal) identify this executable as Ryuk malware

  4. I don't think so. Using a combination of the symmetric (AES) and asymmetric (RSA) encryption algorithms serves both to encrypt the files and to protect the encryption key, making it impossible for a third party to decrypt the data.

  5. File was created on disk: 24-06-2021 23:00.51 UTC+000

  6. I took notice that keepass_instal.exe is a subprocess of explorer.exe and it is in the downloads directory of the user itself. Therefore I guess it must be downloaded and started by the user itself and was not dropped and executed by a malware.

  7. Please find my YARA Rule above
