Memory dump analysis
1. Introduction 
This task is about ransomware live response of a Win10x64_10586 memory dump using volatility2 or volatility3.
2. Your Task
Please download and analyze a given Windows memory dump from RESOURCES using volatility. The password to unzip the file from RESOURCES is infected. The memory profile you should use is Win10x64_10586. Please respond to the questions below:
1) Find the ransomware process.
2) Extract the ransomware process:
volatility2 -f mem.vmem --profile xy procdump --pid xy --dump-dir .
or
volatility3 -f mem.vmem windows.pslist.PsList --pid xy --dump
3) Identify the type of ransomware by using an online tool. Document each of your steps.
4) If you could find the encryption key in the memory, would it be possible to decipher the data? Please explain.
5) When exactly (time, date) was the executable created on the disk? Use the mftparser plugin.
6) Make assumptions relying on answers 1-5 on how the executable made its way to the machine. Justify your answer.
7) Create a simple YARA rule to search for the ransomware on other systems. The rule must match the string RYUKTM and files smaller than 250 kilobytes.
WARNING!!!
YOU ARE WORKING ON TRULY INFECTED MEMORY DUMP. TAKE GREAT CARE!
3. Analysis with volatility
Let's scan the memory dump first to find suggested profiles:
volatility2 -f vmware-win-infected.vmem imageinfo
volatility3 -f vmware-win-infected.vmem windows.info
To check the network connections I run the following command:
volatility2 -f vmware-win-infected.vmem --profile Win10x64_10586 netscan
volatility3 -f vmware-win-infected.vmem windows.netscan
To check the processes I'll run the pstree command:
volatility2 -f vmware-win-infected.vmem --profile Win10x64_10586 pstree
volatility3 -f vmware-win-infected.vmem windows.pstree
Next I'll run cmdline to find the command-line arguments of each process:
volatility2 -f vmware-win-infected.vmem --profile Win10x64_10586 cmdline
volatility3 -f vmware-win-infected.vmem windows.cmdline
Now let's extract the binary of PID 3496:
volatility2 -f vmware-win-infected.vmem --profile Win10x64_10586 procdump --pid 3496 --dump-dir .
volatility3 -f vmware-win-infected.vmem windows.dumpfiles --pid 3496
This command didn't work for me!
volatility3 -f vmware-win-infected.vmem windows.pslist.PsList --pid 3496 --dump
md5sum *

Now let's use the mftparser plugin to see when the malicious executable was created on disk:
volatility2 -f vmware-win-infected.vmem --profile Win10x64_10586 mftparser > mftpars.txt
cat mftpars.txt | grep keepass
File was created on disk: 24-06-2021 23:00.51 UTC+000
4. Identify Malware sample
I'll upload the malicious binary to https://hybrid-analysis.com


After the analysis is finished we get links to different reports. The malware sample is identified as the Ryuk ransomware!

5. YARA Scan
First let's do a yara scan with the default rules:
cd /opt/applic/yara-rules
volatility2 -f /home/hacker/Downloads/vmware-win-infected.vmem yarascan --yara-rule ./index.yar
Then with two public Ryuk rules:
wget https://raw.githubusercontent.com/colincowie/Yara-Rules/master/MALW/Ryuk.yar
wget https://raw.githubusercontent.com/advanced-threat-research/Yara-Rules/master/ransomware/RANSOM_Ryuk.yar
volatility2 -f vmware-win-infected.vmem yarascan --yara-rule ./Ryuk.yar
volatility2 -f vmware-win-infected.vmem yarascan --yara-rule ./Ransom_Ryuk.yar
For some reason the volatility yarascan plugin didn't work for me. Every time I got "No suitable address space mapping found" back. Maybe there's a problem with my virtual machine; I have to verify this later with another one.

I'll continue by scanning the extracted binary directly with the yara rules:
yara Ryuk.yar executable.3496.exe
yara Ransom_Ryuk.yar executable.3496.exe
The matching rule looks like this:
rule RANSOM_RYUK_May2021 : ransomware
{
	meta:
		description = "Rule to detect latest May 2021 compiled Ryuk variant"
		author = "Marc Elias | McAfee ATR Team"
		date = "2021-05-21"
		hash = "8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a"
		version = "0.1"
	strings:
		$ryuk_filemarker = "RYUKTM" fullword wide ascii
		
		$sleep_constants = { 68 F0 49 02 00 FF (15|D1) [0-4] 68 ?? ?? ?? ?? 6A 01 }
		$icmp_echo_constants = { 68 A4 06 00 00 6A 44 8D [1-6] 5? 6A 00 6A 20 [5-20] FF 15 }
		
	condition:
		uint16(0) == 0x5a4d
		and uint32(uint32(0x3C)) == 0x00004550
		and filesize < 200KB
		and ( $ryuk_filemarker
		or ( $sleep_constants 
		and $icmp_echo_constants ))
}
6. Custom YARA Rule
Let's create a custom yara rule based on the task description:
rule ryuktm
{
	meta:
		description = "RYUKTM malware"
	strings:
		$ryuktm = "RYUKTM"
	condition:
		uint16(0) == 0x5a4d
		and filesize < 250KB
		and $ryuktm
}
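To see exactly what the custom rule does and does not match, here is an added Python re-implementation of its conditions (not part of the original write-up and not using the yara module), run over constructed sample buffers. It also checks the UTF-16LE ("wide") form of RYUKTM that the McAfee rule's `wide ascii` modifier accepts but the custom ASCII-only rule misses; the `has_pe_header` check mirrors the McAfee rule's `uint32(uint32(0x3C))` test.

```python
import struct

MAX_SIZE = 250 * 1024                       # "filesize < 250KB" (YARA's KB is 1024 bytes)
MARKER_ASCII = b"RYUKTM"                    # the string the custom rule matches
MARKER_WIDE = "RYUKTM".encode("utf-16-le")  # the "wide" form the McAfee rule also matches

def is_mz(data: bytes) -> bool:
    """uint16(0) == 0x5a4d: the buffer starts with the DOS 'MZ' magic."""
    return len(data) >= 2 and struct.unpack_from("<H", data, 0)[0] == 0x5A4D

def has_pe_header(data: bytes) -> bool:
    """uint32(uint32(0x3C)) == 0x00004550: e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):
        return False
    return struct.unpack_from("<I", data, e_lfanew)[0] == 0x00004550

def matches_custom_rule(data: bytes) -> bool:
    """The page's rule 'ryuktm': MZ magic, under 250 KB, ASCII 'RYUKTM' anywhere."""
    return is_mz(data) and len(data) < MAX_SIZE and MARKER_ASCII in data

def matches_wide_aware_rule(data: bytes) -> bool:
    """Same conditions, but the marker may also be UTF-16LE, as '$ryuk_filemarker' allows.
    (The McAfee rule's 'fullword' modifier is not modelled here.)"""
    return (is_mz(data) and len(data) < MAX_SIZE
            and (MARKER_ASCII in data or MARKER_WIDE in data))

def build_sample(marker: bytes, size: int = 4096) -> bytes:
    """Constructed PE-shaped buffer: MZ stub, e_lfanew -> 'PE\\0\\0' at 0x80, marker at 0x200. Not a real executable."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\x00\x00"
    buf[0x200:0x200 + len(marker)] = marker
    return bytes(buf)

# Constructed samples (no malware): ascii marker, wide marker, buffer exactly at the size limit, plain text.
SAMPLE_ASCII = build_sample(MARKER_ASCII)
SAMPLE_WIDE = build_sample(MARKER_WIDE)
SAMPLE_TOO_BIG = build_sample(MARKER_ASCII, size=MAX_SIZE)
SAMPLE_TEXT = b"RYUKTM mentioned in a plain text note, not in a PE file"

if __name__ == "__main__":
    for name, s in [("ascii", SAMPLE_ASCII), ("wide", SAMPLE_WIDE),
                    ("too_big", SAMPLE_TOO_BIG), ("text", SAMPLE_TEXT)]:
        print(f"{name:8} custom={matches_custom_rule(s)} "
              f"wide_aware={matches_wide_aware_rule(s)} pe={has_pe_header(s)}")
```

The wide sample shows the practical caveat: a Ryuk binary that carries the marker only as a UTF-16 string would pass the task's rule unless `wide ascii` is added to the `$ryuktm` string.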

Now let's try a yarascan against the memory dump with volatility3:
volatility3 -f ./vmware-win-infected.vmem windows.vadyarascan.VadYaraScan --yara-rule ./myrule.yar

I didn't get any result back from the yara scan of the memory dump!
7. Answers
1) The ransomware process is keepass_instal.exe.
2) The PID is 3496 and the extracted binary is executable.3496.exe.
3) Sandbox analysis tools (e.g. joe-security / virustotal) identify this executable as Ryuk malware.
4) I don't think so. Using a combination of the symmetric (AES) and asymmetric (RSA) encryption algorithms serves both to encrypt the files and to protect the encryption key, making it impossible for a third party to decrypt the data.
5) File was created on disk: 24-06-2021 23:00.51 UTC+000
6) I noticed that keepass_instal.exe is a subprocess of explorer.exe and that it is in the user's own Downloads directory. Therefore I guess it must have been downloaded and started by the user and was not dropped and executed by another malware.
7) Please find my YARA rule above.