# Memory dump analysis

### 1. Introduction

> This task is about `ransomware live response` of a `Win10x64_10586` memory dump using `volatility2` or `volatility3`.

### 2. Your Task

Please download and analyze a given Windows `memory dump` from `RESOURCES` using `volatility`.

{% embed url="<https://www.dropbox.com/s/3xqcvl8lm74vmo1/vmware-win-memory-dump-pw-infected.zip?dl=0>" %}

* The password to unzip the file from `RESOURCES` is `infected`
* The memory profile you should use is `Win10x64_10586`.
* Please respond to the questions below:

1. find the `ransomware` process
2. extract the `ransomware` process `volatility2 -f mem.vmem --profile xy procdump --pid xy --dump-dir .` or `volatility3 -f mem.vmem windows.pslist.PsList --pid xy --dump`
3. identify the type of `ransomware` by using an `online tool`. Document each of your steps.
4. if you could find the encryption key from the memory, would it be possible to decipher the data? Please explain
5. when exactly (time, date) was the executable created on the disk? Use the mftparser plugin.
6. make assumptions relying on answers 1-5 on how the executable made its way to the machine. Justify your answer.
7. create a simple YARA rule to search for the ransomware on other systems. The rule must match the string RYUKTM and files smaller than 250 kilobytes.

<mark style="color:red;">**WARNING!!!**</mark>

YOU ARE WORKING ON A TRULY INFECTED MEMORY DUMP. TAKE GREAT CARE!

### 3. Analysis with volatility

Let's scan the memory dump first to find suggested profiles. volatility2 needs the profile on every command; volatility3 needs none, because it resolves the kernel's symbol table from the image itself:

```
volatility2 -f vmware-win-infected.vmem imageinfo
```

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2F2rM8njJknmFRmHaEKqke%2Fvola01.png?alt=media\&token=fa2bf935-819a-494b-8cda-c76894561ee6)

```
volatility3 -f vmware-win-infected.vmem windows.info
```

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FffIIhYgD3PFthtinWKHc%2Fvola01-1.png?alt=media\&token=bcbb312a-e45c-4764-b51c-a475d2ed075c)

To check the network connections I run the following command:

```
volatility2 -f vmware-win-infected.vmem --profile Win10x64_10586 netscan
```

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2F7p5h9PjHD5qeMnP1wAK1%2Fvola02.png?alt=media\&token=ee1256ef-66e0-472f-b83b-63d1a3470469)

```
volatility3 -f vmware-win-infected.vmem windows.netscan
```

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2F4B5YD3C8xgnMRSFik7ed%2Fvola02-2.png?alt=media\&token=a09e6cfd-ff89-4981-8bce-daea0da46281)

To check the processes I'll run the pstree command:

```
volatility2 -f vmware-win-infected.vmem --profile Win10x64_10586 pstree
```

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FUSHe38RmHxa1rbaFWyaG%2Fvola04.png?alt=media\&token=c491828f-cbcf-4012-a69d-49fdb1b7b6bb)

```
volatility3 -f vmware-win-infected.vmem windows.pstree
```

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FhTOZZqKtc7Nc6zhUokgb%2Fvola03-3.png?alt=media\&token=81f99a83-ed37-43e9-a965-99586c09575e)

Next I'll run cmdline to see the command-line arguments each process was started with:

```
volatility2 -f vmware-win-infected.vmem --profile Win10x64_10586 cmdline
```

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FmDmJVBBQYx9bmNqwuDfo%2Fvola05.png?alt=media\&token=4c1f4287-4d9b-4654-be06-25d9847c602e)

```
volatility3 -f vmware-win-infected.vmem windows.cmdline
```

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FcNAxp21k51k4c9jSgg2s%2Fvola04-4.png?alt=media\&token=0ffa2dab-baed-4334-8716-7b8019342522)

Now let's extract the binary of PID 3496:

```
volatility2 -f vmware-win-infected.vmem --profile Win10x64_10586 procdump --pid 3496 --dump-dir .
```

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FF8Iuxub2sAtvGb8xekQD%2Fvola06.png?alt=media\&token=10db01d4-d15c-4007-bc12-2b0fe666e96d)

```
volatility3 -f vmware-win-infected.vmem windows.dumpfiles --pid 3496
```

This command didn't work for me!

```
volatility3 -f vmware-win-infected.vmem windows.pslist.PsList --pid 3496 --dump
```

```
md5sum *
```

Keep in mind that the hash of a binary dumped from memory will not match the hash of the file on disk: procdump rebuilds the PE from its in-memory sections, so imports are already resolved and the section layout differs. The dumped file is fine for sandbox and YARA analysis, but a hash lookup in threat-intel sources needs the on-disk sample.

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FD99qwNg7a09zblBx6RC9%2Fmd5_01.png?alt=media\&token=67050358-dc21-40fc-a048-049e8a1562a4)

Now let's use the [mftparser](https://andreafortuna.org/2017/08/21/volatility-my-own-cheatsheet-part-8-filesystem/) plugin to see when the malicious executable was created on disk:

```
volatility2 -f vmware-win-infected.vmem --profile Win10x64_10586 mftparser > mftpars.txt
```

```
grep -i keepass mftpars.txt
```

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FBaZG8tNeOjoHpQYs8TDB%2Fvola07.png?alt=media\&token=a83a826a-6825-4542-b370-544e022045e3)

**File was created on disk: 2021-06-24 23:00:51 UTC+0000**

mftparser prints both the `$STANDARD_INFORMATION` and the `$FILE_NAME` timestamps of a record. The `$STANDARD_INFORMATION` creation time is the one that user-mode tools (and timestomping malware) can rewrite, so compare it with the `$FILE_NAME` creation time before relying on it.
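To answer question 5 systematically rather than eyeballing a single grep hit, here is an added example (not part of the original write-up) that parses mftparser's text output, finds the record for a file name, and compares the `$STANDARD_INFORMATION` creation time with the `$FILE_NAME` creation time. The input is a constructed sample in mftparser's layout: record 107 reuses the file name and timestamp from this page, while the user path and the second `stomped.exe` record are assumptions made for the demonstration.

```python
import re
from datetime import datetime

# Constructed input in the layout volatility2's mftparser prints (a row of
# asterisks separates records; each record carries a $STANDARD_INFORMATION
# and a $FILE_NAME block). Record 107 reuses the file name and timestamp from
# this write-up; record 108 is a synthetic timestomped file added only to
# show the check firing. Neither record is copied from the real dump.
SAMPLE_MFT = r"""
***************************************************************************
MFT entry found at offset 0x1ac00
Attribute: In Use & File
Record Number: 107
Link count: 1


$STANDARD_INFORMATION
Creation                       Modified                       MFT Altered                    Access Date                    Type
------------------------------ ------------------------------ ------------------------------ ------------------------------ ----
2021-06-24 23:00:51 UTC+0000 2021-06-24 23:00:51 UTC+0000 2021-06-24 23:00:51 UTC+0000 2021-06-24 23:00:51 UTC+0000 Archive

$FILE_NAME
Creation                       Modified                       MFT Altered                    Access Date                    Name/Path
------------------------------ ------------------------------ ------------------------------ ------------------------------ ---------
2021-06-24 23:00:51 UTC+0000 2021-06-24 23:00:51 UTC+0000 2021-06-24 23:00:51 UTC+0000 2021-06-24 23:00:51 UTC+0000 Users\user\Downloads\keepass_instal.exe

***************************************************************************
MFT entry found at offset 0x1b000
Attribute: In Use & File
Record Number: 108
Link count: 1


$STANDARD_INFORMATION
Creation                       Modified                       MFT Altered                    Access Date                    Type
------------------------------ ------------------------------ ------------------------------ ------------------------------ ----
2009-07-14 01:14:22 UTC+0000 2009-07-14 01:14:22 UTC+0000 2021-06-24 23:05:10 UTC+0000 2021-06-24 23:05:10 UTC+0000 Archive

$FILE_NAME
Creation                       Modified                       MFT Altered                    Access Date                    Name/Path
------------------------------ ------------------------------ ------------------------------ ------------------------------ ---------
2021-06-24 23:05:10 UTC+0000 2021-06-24 23:05:10 UTC+0000 2021-06-24 23:05:10 UTC+0000 2021-06-24 23:05:10 UTC+0000 Users\user\AppData\Local\Temp\stomped.exe
"""

TS_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC[+-]\d{4}")


def _parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S UTC%z")


def _attribute_row(chunk, header):
    """Return (four timestamps, trailing text) of the first data row under an attribute header."""
    start = chunk.find(header)
    if start < 0:
        return None
    body = chunk[start + len(header):]
    nxt = re.search(r"^\$[A-Z_]+", body, flags=re.M)   # stop at the next attribute block
    if nxt:
        body = body[: nxt.start()]
    for line in body.splitlines():
        stamps = TS_RE.findall(line)
        if len(stamps) == 4:                            # creation, modified, MFT altered, access
            trailing = line.rsplit(stamps[-1], 1)[1].strip()
            return [_parse_ts(s) for s in stamps], trailing
    return None


def parse_mft_records(text):
    """Split mftparser output into records that carry both SI and FN timestamps."""
    records = []
    for chunk in re.split(r"^\*{10,}[ \t]*$", text, flags=re.M):
        si = _attribute_row(chunk, "$STANDARD_INFORMATION")
        fn = _attribute_row(chunk, "$FILE_NAME")
        if not si or not fn:
            continue
        num = re.search(r"^Record Number:\s*(\d+)", chunk, flags=re.M)
        records.append({
            "record": int(num.group(1)) if num else None,
            "path": fn[1],                      # the $FILE_NAME row ends with the path
            "si_created": si[0][0], "si_modified": si[0][1],
            "fn_created": fn[0][0], "fn_modified": fn[0][1],
        })
    return records


def find_file(records, name):
    name = name.lower()
    return [r for r in records if name in r["path"].lower()]


def timestomp_suspect(rec):
    # $FILE_NAME times are written by the kernel and not exposed to the
    # user-mode timestamp APIs, while $STANDARD_INFORMATION can be rewritten
    # from user mode. SI creation earlier than FN creation is the classic
    # sign that the visible timestamp was backdated.
    return rec["si_created"] < rec["fn_created"]


if __name__ == "__main__":
    for rec in parse_mft_records(SAMPLE_MFT):
        flag = "TIMESTOMP?" if timestomp_suspect(rec) else "ok"
        print(f"{rec['record']:>5}  SI {rec['si_created']:%Y-%m-%d %H:%M:%S}  "
              f"FN {rec['fn_created']:%Y-%m-%d %H:%M:%S}  {flag}  {rec['path']}")
```

Feed it the real `mftpars.txt` by replacing `SAMPLE_MFT` with `open("mftpars.txt").read()`; the record whose SI creation time is earlier than its FN creation time is the one to look at twice.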

### 4. Identify the malware sample

I'll upload the malicious binary to [https://hybrid-analysis.com](https://hybrid-analysis.com). In a real incident, look up the hash before uploading anything: a public sandbox submission makes the sample, and any victim details embedded in it, visible to everyone, including the attacker.

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FkZonZfuJeY1G59TXuUU7%2Fhybrid-analysis01.png?alt=media&#x26;token=bbb3d644-7205-463c-a81e-9cab6cd1856e" alt=""></div>

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FEiKbD0hY5g2foXKzWNOd%2Fhybrid-analysis02.png?alt=media&#x26;token=a0a13cb7-c469-42b9-a9e9-2f2e478c3c9d" alt=""></div>

After the analysis is finished we get links to different reports. The malware sample is identified as the [Ryuk ransomware](https://cas-cyber.gitbook.io/cas-cybersecurity/malware-analysis/ransomware/ryuk)!

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FegEZihx6KDy72Xvtpv1Q%2Fhybrid-analysis03.png?alt=media&#x26;token=195f105f-2260-4a70-b5f6-fd056aeb4410" alt=""></div>

{% embed url="<https://www.joesandbox.com/analysis/472876/0/html>" %}

### 5. YARA Scan

First let's do a YARA scan with the default rules:

```
cd /opt/applic/yara-rules
volatility2 -f /home/hacker/Downloads/vmware-win-infected.vmem --profile Win10x64_10586 yarascan --yara-file ./index.yar
```

```
wget https://raw.githubusercontent.com/colincowie/Yara-Rules/master/MALW/Ryuk.yar
wget https://raw.githubusercontent.com/advanced-threat-research/Yara-Rules/master/ransomware/RANSOM_Ryuk.yar
```

```
volatility2 -f vmware-win-infected.vmem --profile Win10x64_10586 yarascan --yara-file ./Ryuk.yar
volatility2 -f vmware-win-infected.vmem --profile Win10x64_10586 yarascan --yara-file ./RANSOM_Ryuk.yar
```

For some reason the volatility yarascan plugin didn't work for me.\
Every time I get **No suitable address space mapping found** back. Maybe there's a problem with my virtual machine and I have to verify this later with another one.

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2F2eZCQk3R7VNXH9FL2Nf8%2Fvol08.png?alt=media\&token=16f98796-1cfd-4347-971c-594d147a69bf)

Now I'll scan the extracted binary with the YARA rules:

```
yara Ryuk.yar executable.3496.exe
yara RANSOM_Ryuk.yar executable.3496.exe
```

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2F6bpqnNWLhX29Hro1IFFA%2Fyar_rules06.png?alt=media\&token=03183c8d-1eee-4be8-a2c2-40b12e6db39b)

The matching rule looks like this:

```
rule RANSOM_RYUK_May2021 : ransomware
{
	meta:
		description = "Rule to detect latest May 2021 compiled Ryuk variant"
		author = "Marc Elias | McAfee ATR Team"
		date = "2021-05-21"
		hash = "8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a"
		version = "0.1"

	strings:
		$ryuk_filemarker = "RYUKTM" fullword wide ascii
		
		$sleep_constants = { 68 F0 49 02 00 FF (15|D1) [0-4] 68 ?? ?? ?? ?? 6A 01 }
		$icmp_echo_constants = { 68 A4 06 00 00 6A 44 8D [1-6] 5? 6A 00 6A 20 [5-20] FF 15 }
		
	condition:
		uint16(0) == 0x5a4d
		and uint32(uint32(0x3C)) == 0x00004550
		and filesize < 200KB
		and ( $ryuk_filemarker
		or ( $sleep_constants 
		and $icmp_echo_constants ))
}

```

### 6. Custom YARA Rule

Let's create a custom yara rule based on the task description:

```
rule ryuktm
{
	meta:
		description = "RYUKTM malware"
	strings:
		// ascii wide: match the marker whether it is stored narrow or as UTF-16LE
		$ryuktm = "RYUKTM" ascii wide
	condition:
		uint16(0) == 0x5a4d
		and filesize < 250KB
		and $ryuktm
}

```

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2Fio47JWS3kIki48M1cmHO%2Fyar_rules07.png?alt=media\&token=b5119651-c4f9-4eb8-b680-40edfe9299e0)
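For systems where yara is not installed, the same match logic can be written as a small scanner. The following is an added example and not part of the original write-up: it implements the rule's three conditions (MZ header, `filesize < 250KB`, the `RYUKTM` marker as ASCII or UTF-16LE) and additionally the `uint32(uint32(0x3C)) == 0x00004550` PE-signature check from the McAfee rule above. The `build_sample` helper constructs a PE-shaped blob purely for testing; it is not a real sample.

```python
import os
import struct

MARKER = b"RYUKTM"
MARKER_WIDE = "RYUKTM".encode("utf-16-le")   # what yara's "wide" modifier matches
MAX_SIZE = 250 * 1024                         # yara's "filesize < 250KB" (KB = 1024 bytes)


def is_pe(data):
    """uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"   # 0x00004550 little-endian


def has_marker(data):
    """$ryuktm = "RYUKTM" ascii wide"""
    return MARKER in data or MARKER_WIDE in data


def matches_ryuktm(data):
    """The whole condition of the custom rule, plus the PE-signature check."""
    return len(data) < MAX_SIZE and is_pe(data) and has_marker(data)


def scan_tree(root):
    """Walk a directory tree and return the paths the rule would flag."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) >= MAX_SIZE:   # cheap pre-filter, same cut-off as the rule
                    continue
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:                             # unreadable or vanished file: skip it
                continue
            if matches_ryuktm(data):
                hits.append(path)
    return hits


def build_sample(marker, e_lfanew=0x80):
    """Constructed PE-shaped blob for testing: an MZ stub whose e_lfanew field
    points at 'PE\\0\\0', followed by padding and the marker. It is not a
    runnable executable and contains no code from any real sample."""
    header = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", header, 0x3C, e_lfanew)
    return bytes(header) + b"PE\0\0" + b"\0" * 0x100 + marker + b"\0" * 0x20


if __name__ == "__main__":
    import sys
    for hit in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("MATCH", hit)
```

Run it as `python3 scan.py /path/to/check`. The size pre-filter is applied before the file is read, which is what keeps a sweep over a large share affordable; the rule's `filesize` condition does the same job inside yara.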

Now let's try a YARA scan against the memory dump with volatility3:

```
volatility3 -f ./vmware-win-infected.vmem windows.vadyarascan.VadYaraScan --yara-file ./myrule.yar
```

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FAK9XTVO4k9aLymvSobDK%2Fyar_rules08.png?alt=media\&token=8c0ba0f0-2975-4840-902d-f8282041ee06)

I didn't get any result back from the YARA scan of the memory dump!

### 7. Answers

1. The ransomware process is keepass\_instal.exe
2. The PID is 3496 and the extracted binary is executable.3496.exe
3. Sandbox analysis tools (e.g. Joe Sandbox / VirusTotal) identify this executable as Ryuk malware
4. I don't think so. Using a combination of the symmetric (AES) and asymmetric (RSA) encryption algorithms serves both to encrypt the files and to protect the encryption key, making it impossible for a third party to decrypt the data.
5. **File was created on disk: 2021-06-24 23:00:51 UTC+0000**
6. I noticed that keepass\_instal.exe is a child process of explorer.exe and that it sits in the Downloads directory of the user. Therefore I guess it must have been downloaded and started by the user and was not dropped and executed by other malware.
7. Please find my YARA Rule above
