4ensiX

4ensiX

FPと言ったものはFPを選んだが表示はTPになっていることに気づいた。

BTLO Challenge Memory Analysis - Ransomware(Retired Challenge) write up

BTLOを始めてみました。
このサービスでは防御分野Blue Teamの実践的なスキルを用意されたファイルとシナリオに沿って学べます。環境が用意されているInvestigationsとファイルが渡されて解析を行うChallengesがあります。
サービスの規約により、RetiredとなったInvestigationsとChallengesはwrite upを公開しても良いです。今回は、Challengesの内のMemory Analysis - Ransomwareのwrite upです。

BTLO Challenge Memory Analysis - Ransomware(Retired Challenge)

Scenario

The Account Executive called the SOC earlier and sounds very frustrated and angry. He stated he can’t access any files on his computer and keeps receiving a pop-up stating that his files have been encrypted. You disconnected the computer from the network and extracted the memory dump of his machine and started analyzing it with Volatility. Continue your investigation to uncover how the ransomware works and how to stop it!

Challenge Submission

今回のメモリダンプ

Volatility Foundation Volatility Framework 2.6.1
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x86_23418, Win7SP0x86, Win7SP1x86_24000, Win7SP1x86
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace (/home/volatility/BTLO/BTLO Memory Analysis - Ransomware/infected.vmem)
                      PAE type : PAE
                           DTB : 0x185000L
                          KDBG : 0x82948c28L
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0x82949c00L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2021-01-31 18:24:57 UTC+0000
     Image local date and time : 2021-01-31 13:24:57 -0500

1. Run “vol.py -f infected.vmem --profile=Win7SP1x86 psscan” that will list all processes. What is the name of the suspicious process?

Format: @ProcessName

$ vol.py -f infected.vmem --profile=Win7S 
P1x86 psscan
Volatility Foundation Volatility Framework 2.6.1
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited                   
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x000000000be92b88 dwm.exe            1424    856 0x1e6d92e0 2021-01-31 18:01:12 UTC+0000                                 
0x000000001dc0fd40 svchost.exe         688    496 0x1e6d9140 2021-01-31 18:01:11 UTC+0000                                 
0x000000001dc22520 svchost.exe         736    496 0x1e6d9160 2021-01-31 18:01:11 UTC+0000                                 
0x000000001dc33030 taskhsvc.exe       2968   2924 0x1e6d92c0 2021-01-31 18:02:20 UTC+0000                                 
0x000000001dc58030 svchost.exe         856    496 0x1e6d91a0 2021-01-31 18:01:11 UTC+0000                                 
0x000000001dc6d548 svchost.exe         896    496 0x1e6d91c0 2021-01-31 18:01:11 UTC+0000                                 
0x000000001dc92a88 svchost.exe        1000    496 0x1e6d9200 2021-01-31 18:01:11 UTC+0000                                 
0x000000001dca9030 svchost.exe        1068    496 0x1e6d9220 2021-01-31 18:01:12 UTC+0000                                 
0x000000001dcd6030 spoolsv.exe        1196    496 0x1e6d9240 2021-01-31 18:01:12 UTC+0000                                 
0x000000001dcd91c8 svchost.exe        2204    496 0x1e6d95e0 2021-01-31 18:03:14 UTC+0000                                 
0x000000001dd07290 svchost.exe        1252    496 0x1e6d9280 2021-01-31 18:01:12 UTC+0000                                 
0x000000001dd32cb0 taskhost.exe       1348    496 0x1e6d92a0 2021-01-31 18:01:12 UTC+0000                                 
0x000000001df45030 csrss.exe           404    388 0x1e6d9040 2021-01-31 18:01:11 UTC+0000                                 
0x000000001df5a450 svchost.exe        2380    496 0x1e6d9560 2021-01-31 18:03:15 UTC+0000                                 
0x000000001df5f030 services.exe        496    396 0x1e6d9080 2021-01-31 18:01:11 UTC+0000                                 
0x000000001df63030 winlogon.exe        460    388 0x1e6d90c0 2021-01-31 18:01:11 UTC+0000                                 
0x000000001df72958 lsass.exe           504    396 0x1e6d90e0 2021-01-31 18:01:11 UTC+0000                                 
0x000000001df74030 lsm.exe             512    396 0x1e6d9100 2021-01-31 18:01:11 UTC+0000                                 
0x000000001df975b0 svchost.exe        2508    496 0x1e6d9420 2021-01-31 18:21:28 UTC+0000                                 
0x000000001dfc25f8 conhost.exe        2976    404 0x1e6d94e0 2021-01-31 18:02:20 UTC+0000                                 
0x000000001dfcf108 powercfg.exe       3304    496 0x1e6d9460 2021-01-31 18:23:23 UTC+0000   2021-01-31 18:24:24 UTC+0000  
0x000000001dfe2b08 svchost.exe         620    496 0x1e6d9120 2021-01-31 18:01:11 UTC+0000                                 
0x000000001e178968 csrss.exe           356    340 0x1e6d9060 2021-01-31 18:01:11 UTC+0000                                 
0x000000001e1801f8 wininit.exe         396    340 0x1e6d90a0 2021-01-31 18:01:11 UTC+0000                                 
0x000000001e992a88 taskdl.exe         4060   2732 0x1e6d9540 2021-01-31 18:24:54 UTC+0000   2021-01-31 18:24:54 UTC+0000  
0x000000001ec3ea58 WmiPrvSE.exe       1296    620 0x1e6d9400 2021-01-31 18:01:14 UTC+0000                                 
0x000000001ec424a0 svchost.exe        2032    496 0x1e6d93a0 2021-01-31 18:01:13 UTC+0000                                 
0x000000001ec81d40 dllhost.exe        1740    496 0x1e6d9440 2021-01-31 18:01:14 UTC+0000                                 
0x000000001ed0a030 SearchFilterHo     3008   2232 0x1e6d9620 2021-01-31 18:23:00 UTC+0000                                 
0x000000001ed3d940 WmiPrvSE.exe        208    620 0x1e6d9520 2021-01-31 18:24:23 UTC+0000                                 
0x000000001ed5ead8 SearchProtocol     2304   2232 0x1e6d9180 2021-01-31 18:01:18 UTC+0000                                 
0x000000001ee6a030 explorer.exe       1456   1408 0x1e6d9300 2021-01-31 18:01:12 UTC+0000                                 
0x000000001ee80a48 VGAuthService.     1560    496 0x1e6d9320 2021-01-31 18:01:12 UTC+0000                                 
0x000000001eef9d40 vm3dservice.ex     1688   1456 0x1e6d9340 2021-01-31 18:01:12 UTC+0000                                 
0x000000001ef04498 vmtoolsd.exe       1700   1456 0x1e6d9360 2021-01-31 18:01:12 UTC+0000                                 
0x000000001ef11030 vmtoolsd.exe       1720    496 0x1e6d9380 2021-01-31 18:01:13 UTC+0000                                 
0x000000001ef28a78 msdtc.exe          2044    496 0x1e6d93c0 2021-01-31 18:01:16 UTC+0000                                 
0x000000001ef9ed40 @WanaDecryptor     2688   2732 0x1e6d9460 2021-01-31 18:24:49 UTC+0000   2021-01-31 18:24:49 UTC+0000  
0x000000001efb5418 smss.exe            268      4 0x1e6d9020 2021-01-31 18:01:10 UTC+0000                                 
0x000000001efc1d40 SearchIndexer.     2232    496 0x1e6d9260 2021-01-31 18:01:18 UTC+0000                                 
0x000000001fcbc0f0 sppsvc.exe         2432    496 0x1e6d9580 2021-01-31 18:03:14 UTC+0000                                 
0x000000001fcc6800 @WanaDecryptor     3968   2732 0x1e6d95c0 2021-01-31 18:02:48 UTC+0000                                 
0x000000001fcd4350 or4qtckT.exe       2732   1456 0x1e6d94c0 2021-01-31 18:02:16 UTC+0000                                 
0x000000001fff1c40 System                4      0 0x00185000 2021-01-31 20:56:12 UTC+0000                                 
0x000000001fff6920 System                4      0 0x00185000 2021-01-31 18:01:10 UTC+0000


Answer: @WanaDecryptor

2. What is the parent process ID for the suspicious process?

Parent Process ID (PPID)
Answer: 2732

3. What is the initial malicious executable that created this process?

Format: filename.exe
2732は、or4qtckT.exe
Answer: or4qtckT.exe

4. If you drill down on the suspicious PID (vol.py -f infected.vmem --profile=Win7SP1x86 psscan | grep (PIDhere)), find the process used to delete files

Format: filename.extension

$ vol.py -f infected.vmem --profile=Win7SP1x86 psscan | grep 2732
Volatility Foundation Volatility Framework 2.6.1
0x000000001e992a88 taskdl.exe         4060   2732 0x1e6d9540 2021-01-31 18:24:54 UTC+0000   2021-01-31 18:24:54 UTC+0000  
0x000000001ef9ed40 @WanaDecryptor     2688   2732 0x1e6d9460 2021-01-31 18:24:49 UTC+0000   2021-01-31 18:24:49 UTC+0000  
0x000000001fcc6800 @WanaDecryptor     3968   2732 0x1e6d95c0 2021-01-31 18:02:48 UTC+0000                                 
0x000000001fcd4350 or4qtckT.exe       2732   1456 0x1e6d94c0 2021-01-31 18:02:16 UTC+0000     

Answer: taskdl.exe

5. Find the path where the malicious file was first executed

Format: drive:\path\to\filename.extension

$ vol.py -f infected.vmem --profile=Win7SP1x86 cmdline
Volatility Foundation Volatility Framework 2.6.1
************************************************************************
System pid:      4
************************************************************************
smss.exe pid:    268
Command line : \SystemRoot\System32\smss.exe
************************************************************************
(snip)
or4qtckT.exe pid:   2732
Command line : "C:\Users\hacker\Desktop\or4qtckT.exe" 
************************************************************************
(snip)
# または
$ vol.py -f infected.vmem --profile=Win7SP1x86 filescan | grep or4qtckT.exe

Volatility Foundation Volatility Framework 2.6.1
0x000000001ed75ae8      7      0 R--r-- \Device\HarddiskVolume1\Users\hacker\Desktop\or4qtckT.exe
0x000000001fcaf798      3      0 R--r-d \Device\HarddiskVolume1\Users\hacker\Desktop\or4qtckT.exe

Answer: C:\Users\hacker\Desktop\or4qtckT.exe

6. Can you identify what ransomware it is? (Do your research!)

Ransomware Name
@WanaDecryptor? Hum....

Answer: wannacry

7. What is the filename for the file with the ransomware public key that was used to encrypt the private key? (.eky extension)

$ strings infected.vmem | grep "*.eky"
00000000.eky
%08X.eky
00000000.eky
ntor-onion-key U4/KcG1psOjpLuE8cd8qI6zQ/52YTJaLX9WbxekySk0=
s+3Uc4gjE2RJhXkvwi6t1sUJmogfMlxLDDiXSpXekyHwVurAv/3yB6EPaRoujh1t
MIGJAoGBAPWZYCeKAn1MnwQjFNDim2Ie2eU6hDfDsaeky54mh8bJGIh1DgF2NJUL
3vmi1rxFkeazE6PEt6zZOYi/X2hcEpKmgTr+iLG/qPu7v/x6pp0OHR8cxUc1ekyW
%08X.eky
%08X.eky
$ strings infected.vmem | grep -n5 "00000000.eky"
183656-$02930FFEB87968D518101EB79202F1C3766078DA
183657-$109242967F596F4E3BF3D6996109EFF340FECB27
183658-Wur6
183659-  or4qtckT.exe
183660-00000000.res
183661:00000000.eky
183662-00000000.res
183663-00000000.res
183664-00000000.res
183665-00000000.pky
183666-00000000.res
--
1488780-13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
1488781-gx7ekbenv2riucmf.onion;57g7spgrzlojinas.onion;xxlvbrloxvriy2c5.onion;76jdd2ir2embyv47.onion;cwwnhwhlz52maqm7.onion;
1488782-https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip
1488783-00000000.res
1488784-00000000.pky
1488785:00000000.eky
1488786-( ) 
1488787-'k,k,^K^K
1488788-( ) 
1488789-'k,k,^K^K
1488790-( ) 
# 00000000.ekyはor4qtckT.exeと関連がありそう。
$ vol.py -f infected.vmem --profile=Win7SP1x86 dumpfiles -D output/ -p 2732
Volatility Foundation Volatility Framework 2.6.1
DataSectionObject 0x83ea6268   2732   \Device\HarddiskVolume1\Users\hacker\Desktop\00000000.eky
SharedCacheMap 0x83ea6268   2732   \Device\HarddiskVolume1\Users\hacker\Desktop\00000000.eky
ImageSectionObject 0x991ffeb8   2732   
(snip)
# 00000000.ekyがor4qtckT.exeで使われている。

Answer: 00000000.eky