BTLO Challenge Memory Analysis - Ransomware(Retired Challenge) write up
BTLOを始めてみました。
このサービスでは防御分野Blue Teamの実践的なスキルを用意されたファイルとシナリオに沿って学べます。環境が用意されているInvestigationsとファイルが渡されて解析を行うChallengesがあります。
サービスの規約により、RetiredとなったInvestigationsとChallengesはwrite upを公開しても良いです。今回は、Challengesの内のMemory Analysis - Ransomwareのwrite upです。
BTLO Challenge Memory Analysis - Ransomware(Retired Challenge)
- Scenario
- Challenge Submission
- 1. Run “vol.py -f infected.vmem --profile=Win7SP1x86 psscan” that will list all processes. What is the name of the suspicious process?
- 2. What is the parent process ID for the suspicious process?
- 3. What is the initial malicious executable that created this process?
- 4. If you drill down on the suspicious PID (vol.py -f infected.vmem --profile=Win7SP1x86 psscan | grep (PIDhere)), find the process used to delete files
- 5. Find the path where the malicious file was first executed
- 6. Can you identify what ransomware it is? (Do your research!)
- 7. What is the filename for the file with the ransomware public key that was used to encrypt the private key? (.eky extension)
Scenario
The Account Executive called the SOC earlier and sounds very frustrated and angry. He stated he can’t access any files on his computer and keeps receiving a pop-up stating that his files have been encrypted. You disconnected the computer from the network and extracted the memory dump of his machine and started analyzing it with Volatility. Continue your investigation to uncover how the ransomware works and how to stop it!
Challenge Submission
今回のメモリダンプ
Volatility Foundation Volatility Framework 2.6.1
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x86_23418, Win7SP0x86, Win7SP1x86_24000, Win7SP1x86
AS Layer1 : IA32PagedMemoryPae (Kernel AS)
AS Layer2 : FileAddressSpace (/home/volatility/BTLO/BTLO Memory Analysis - Ransomware/infected.vmem)
PAE type : PAE
DTB : 0x185000L
KDBG : 0x82948c28L
Number of Processors : 1
Image Type (Service Pack) : 1
KPCR for CPU 0 : 0x82949c00L
KUSER_SHARED_DATA : 0xffdf0000L
Image date and time : 2021-01-31 18:24:57 UTC+0000
Image local date and time : 2021-01-31 13:24:57 -0500
1. Run “vol.py -f infected.vmem --profile=Win7SP1x86 psscan” that will list all processes. What is the name of the suspicious process?
Format: @ProcessName
$ vol.py -f infected.vmem --profile=Win7S P1x86 psscan Volatility Foundation Volatility Framework 2.6.1 Offset(P) Name PID PPID PDB Time created Time exited ------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------ 0x000000000be92b88 dwm.exe 1424 856 0x1e6d92e0 2021-01-31 18:01:12 UTC+0000 0x000000001dc0fd40 svchost.exe 688 496 0x1e6d9140 2021-01-31 18:01:11 UTC+0000 0x000000001dc22520 svchost.exe 736 496 0x1e6d9160 2021-01-31 18:01:11 UTC+0000 0x000000001dc33030 taskhsvc.exe 2968 2924 0x1e6d92c0 2021-01-31 18:02:20 UTC+0000 0x000000001dc58030 svchost.exe 856 496 0x1e6d91a0 2021-01-31 18:01:11 UTC+0000 0x000000001dc6d548 svchost.exe 896 496 0x1e6d91c0 2021-01-31 18:01:11 UTC+0000 0x000000001dc92a88 svchost.exe 1000 496 0x1e6d9200 2021-01-31 18:01:11 UTC+0000 0x000000001dca9030 svchost.exe 1068 496 0x1e6d9220 2021-01-31 18:01:12 UTC+0000 0x000000001dcd6030 spoolsv.exe 1196 496 0x1e6d9240 2021-01-31 18:01:12 UTC+0000 0x000000001dcd91c8 svchost.exe 2204 496 0x1e6d95e0 2021-01-31 18:03:14 UTC+0000 0x000000001dd07290 svchost.exe 1252 496 0x1e6d9280 2021-01-31 18:01:12 UTC+0000 0x000000001dd32cb0 taskhost.exe 1348 496 0x1e6d92a0 2021-01-31 18:01:12 UTC+0000 0x000000001df45030 csrss.exe 404 388 0x1e6d9040 2021-01-31 18:01:11 UTC+0000 0x000000001df5a450 svchost.exe 2380 496 0x1e6d9560 2021-01-31 18:03:15 UTC+0000 0x000000001df5f030 services.exe 496 396 0x1e6d9080 2021-01-31 18:01:11 UTC+0000 0x000000001df63030 winlogon.exe 460 388 0x1e6d90c0 2021-01-31 18:01:11 UTC+0000 0x000000001df72958 lsass.exe 504 396 0x1e6d90e0 2021-01-31 18:01:11 UTC+0000 0x000000001df74030 lsm.exe 512 396 0x1e6d9100 2021-01-31 18:01:11 UTC+0000 0x000000001df975b0 svchost.exe 2508 496 0x1e6d9420 2021-01-31 18:21:28 UTC+0000 0x000000001dfc25f8 conhost.exe 2976 404 0x1e6d94e0 2021-01-31 18:02:20 UTC+0000 0x000000001dfcf108 powercfg.exe 3304 496 0x1e6d9460 2021-01-31 18:23:23 UTC+0000 2021-01-31 18:24:24 UTC+0000 0x000000001dfe2b08 svchost.exe 620 496 0x1e6d9120 2021-01-31 18:01:11 UTC+0000 0x000000001e178968 csrss.exe 356 340 0x1e6d9060 2021-01-31 18:01:11 UTC+0000 0x000000001e1801f8 wininit.exe 396 340 0x1e6d90a0 2021-01-31 18:01:11 UTC+0000 0x000000001e992a88 taskdl.exe 4060 2732 0x1e6d9540 2021-01-31 18:24:54 UTC+0000 2021-01-31 18:24:54 UTC+0000 0x000000001ec3ea58 WmiPrvSE.exe 1296 620 0x1e6d9400 2021-01-31 18:01:14 UTC+0000 0x000000001ec424a0 svchost.exe 2032 496 0x1e6d93a0 2021-01-31 18:01:13 UTC+0000 0x000000001ec81d40 dllhost.exe 1740 496 0x1e6d9440 2021-01-31 18:01:14 UTC+0000 0x000000001ed0a030 SearchFilterHo 3008 2232 0x1e6d9620 2021-01-31 18:23:00 UTC+0000 0x000000001ed3d940 WmiPrvSE.exe 208 620 0x1e6d9520 2021-01-31 18:24:23 UTC+0000 0x000000001ed5ead8 SearchProtocol 2304 2232 0x1e6d9180 2021-01-31 18:01:18 UTC+0000 0x000000001ee6a030 explorer.exe 1456 1408 0x1e6d9300 2021-01-31 18:01:12 UTC+0000 0x000000001ee80a48 VGAuthService. 1560 496 0x1e6d9320 2021-01-31 18:01:12 UTC+0000 0x000000001eef9d40 vm3dservice.ex 1688 1456 0x1e6d9340 2021-01-31 18:01:12 UTC+0000 0x000000001ef04498 vmtoolsd.exe 1700 1456 0x1e6d9360 2021-01-31 18:01:12 UTC+0000 0x000000001ef11030 vmtoolsd.exe 1720 496 0x1e6d9380 2021-01-31 18:01:13 UTC+0000 0x000000001ef28a78 msdtc.exe 2044 496 0x1e6d93c0 2021-01-31 18:01:16 UTC+0000 0x000000001ef9ed40 @WanaDecryptor 2688 2732 0x1e6d9460 2021-01-31 18:24:49 UTC+0000 2021-01-31 18:24:49 UTC+0000 0x000000001efb5418 smss.exe 268 4 0x1e6d9020 2021-01-31 18:01:10 UTC+0000 0x000000001efc1d40 SearchIndexer. 2232 496 0x1e6d9260 2021-01-31 18:01:18 UTC+0000 0x000000001fcbc0f0 sppsvc.exe 2432 496 0x1e6d9580 2021-01-31 18:03:14 UTC+0000 0x000000001fcc6800 @WanaDecryptor 3968 2732 0x1e6d95c0 2021-01-31 18:02:48 UTC+0000 0x000000001fcd4350 or4qtckT.exe 2732 1456 0x1e6d94c0 2021-01-31 18:02:16 UTC+0000 0x000000001fff1c40 System 4 0 0x00185000 2021-01-31 20:56:12 UTC+0000 0x000000001fff6920 System 4 0 0x00185000 2021-01-31 18:01:10 UTC+0000
Answer: @WanaDecryptor
2. What is the parent process ID for the suspicious process?
Parent Process ID (PPID)
Answer: 2732
3. What is the initial malicious executable that created this process?
Format: filename.exe
2732は、or4qtckT.exe
Answer: or4qtckT.exe
4. If you drill down on the suspicious PID (vol.py -f infected.vmem --profile=Win7SP1x86 psscan | grep (PIDhere)), find the process used to delete files
Format: filename.extension
$ vol.py -f infected.vmem --profile=Win7SP1x86 psscan | grep 2732 Volatility Foundation Volatility Framework 2.6.1 0x000000001e992a88 taskdl.exe 4060 2732 0x1e6d9540 2021-01-31 18:24:54 UTC+0000 2021-01-31 18:24:54 UTC+0000 0x000000001ef9ed40 @WanaDecryptor 2688 2732 0x1e6d9460 2021-01-31 18:24:49 UTC+0000 2021-01-31 18:24:49 UTC+0000 0x000000001fcc6800 @WanaDecryptor 3968 2732 0x1e6d95c0 2021-01-31 18:02:48 UTC+0000 0x000000001fcd4350 or4qtckT.exe 2732 1456 0x1e6d94c0 2021-01-31 18:02:16 UTC+0000
Answer: taskdl.exe
5. Find the path where the malicious file was first executed
Format: drive:\path\to\filename.extension
$ vol.py -f infected.vmem --profile=Win7SP1x86 cmdline Volatility Foundation Volatility Framework 2.6.1 ************************************************************************ System pid: 4 ************************************************************************ smss.exe pid: 268 Command line : \SystemRoot\System32\smss.exe ************************************************************************ (snip) or4qtckT.exe pid: 2732 Command line : "C:\Users\hacker\Desktop\or4qtckT.exe" ************************************************************************ (snip) # または $ vol.py -f infected.vmem --profile=Win7SP1x86 filescan | grep or4qtckT.exe Volatility Foundation Volatility Framework 2.6.1 0x000000001ed75ae8 7 0 R--r-- \Device\HarddiskVolume1\Users\hacker\Desktop\or4qtckT.exe 0x000000001fcaf798 3 0 R--r-d \Device\HarddiskVolume1\Users\hacker\Desktop\or4qtckT.exe
Answer: C:\Users\hacker\Desktop\or4qtckT.exe
6. Can you identify what ransomware it is? (Do your research!)
Ransomware Name
@WanaDecryptor? Hum....
Answer: wannacry
7. What is the filename for the file with the ransomware public key that was used to encrypt the private key? (.eky extension)
$ strings infected.vmem | grep "*.eky" 00000000.eky %08X.eky 00000000.eky ntor-onion-key U4/KcG1psOjpLuE8cd8qI6zQ/52YTJaLX9WbxekySk0= s+3Uc4gjE2RJhXkvwi6t1sUJmogfMlxLDDiXSpXekyHwVurAv/3yB6EPaRoujh1t MIGJAoGBAPWZYCeKAn1MnwQjFNDim2Ie2eU6hDfDsaeky54mh8bJGIh1DgF2NJUL 3vmi1rxFkeazE6PEt6zZOYi/X2hcEpKmgTr+iLG/qPu7v/x6pp0OHR8cxUc1ekyW %08X.eky %08X.eky $ strings infected.vmem | grep -n5 "00000000.eky" 183656-$02930FFEB87968D518101EB79202F1C3766078DA 183657-$109242967F596F4E3BF3D6996109EFF340FECB27 183658-Wur6 183659- or4qtckT.exe 183660-00000000.res 183661:00000000.eky 183662-00000000.res 183663-00000000.res 183664-00000000.res 183665-00000000.pky 183666-00000000.res -- 1488780-13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 1488781-gx7ekbenv2riucmf.onion;57g7spgrzlojinas.onion;xxlvbrloxvriy2c5.onion;76jdd2ir2embyv47.onion;cwwnhwhlz52maqm7.onion; 1488782-https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip 1488783-00000000.res 1488784-00000000.pky 1488785:00000000.eky 1488786-( ) 1488787-'k,k,^K^K 1488788-( ) 1488789-'k,k,^K^K 1488790-( ) # 00000000.ekyはor4qtckT.exeと関連がありそう。 $ vol.py -f infected.vmem --profile=Win7SP1x86 dumpfiles -D output/ -p 2732 Volatility Foundation Volatility Framework 2.6.1 DataSectionObject 0x83ea6268 2732 \Device\HarddiskVolume1\Users\hacker\Desktop\00000000.eky SharedCacheMap 0x83ea6268 2732 \Device\HarddiskVolume1\Users\hacker\Desktop\00000000.eky ImageSectionObject 0x991ffeb8 2732 (snip) # 00000000.ekyがor4qtckT.exeで使われている。
Answer: 00000000.eky
