Memory Forensics - Ransomware (BTLO Challenge)

 

here presenting a hot steaming pile of nonsense - fresh from my notes, descended straight onto this blog. attempting the memory forensics ransomware challenge on BTLO. done 29 jan through 3 feb.


ok lets do this 

i already have volatility but i've never used it so let's freakin gooo

ok hacktricks my beloved here i come

right so question 1 already tells me what to do

so i looked it up: -f takes the memory dump file name, --profile is obvs the profile of the memory dump, and psscan runs a process scan. so i run it

ok the only strange process is @WanaDecryptor so it must be the answer. and the PPID is right next to it so that is another question answered.

for the malicious executable i guessed or4qtckT.exe because all the rest are standard windows processes (or so it seems to me). this might be an inside-out approach to this question tho, wouldn't it?

let me see if there's another way to approach this. 

ok so i saw svcscan, which is a service scan and tells me in more detail about the services running, so i can map the pslist to it and see that most of it is standard windows services. so or4qtckT.exe is the only suspicious process.

so i looked at the process command lines with cmdline and got the location of the exe.

ok i just realised that i can tell which exe it is because the parent id of wana decryptor is the process id of or4qtckT.exe. haha wow, my observation skills are really parallel to sherlock holmes.

i grepped for this pid and found that the process that deleted the files is taskdel.exe. ok, now 2 questions left.
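the parent/child trick above (PPID of @WanaDecryptor = PID of or4qtckT.exe) and the "grep the psscan output for that pid" step are the same idea: walk the PID/PPID columns. as an added example (my own code, not part of the BTLO challenge or any volatility plugin), here's a small parser for volatility 2's psscan table that builds the tree and answers both questions. the psscan output below is constructed: the offsets, PIDs and timestamps are made up, and the BASELINE set of "normal" process names is a hypothetical triage list, not an authoritative one.

```python
import re

# Constructed sample of Volatility 2 `psscan` output (not taken from the
# challenge image). Offsets, PIDs and timestamps are made up; the process
# names or4qtckT.exe and @WanaDecryptor are the ones named in the write-up.
PSSCAN_OUTPUT = """\
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x000000003e025b30 System                4      0 0x00185000 2014-10-14 15:34:20 UTC+0000
0x000000003e1f8d40 smss.exe            272      4 0x1f1b3000 2014-10-14 15:34:20 UTC+0000
0x000000003e3c5030 winlogon.exe        400    344 0x1f4c8000 2014-10-14 15:34:21 UTC+0000
0x000000003f1a8a70 explorer.exe       1440   1400 0x2a3b1000 2014-10-14 15:35:02 UTC+0000
0x000000003f0c2d40 or4qtckT.exe       1500   1440 0x2c0d5000 2014-10-14 15:40:10 UTC+0000
0x000000003f0e1b30 @WanaDecryptor     1700   1500 0x2d1e6000 2014-10-14 15:40:12 UTC+0000
0x000000003f0f3c20 cmd.exe            1800   1500 0x2e2f7000 2014-10-14 15:40:13 UTC+0000
"""

# One psscan data row: offset, name, PID, PPID, PDB (timestamps are ignored).
ROW = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(0x[0-9a-fA-F]+)")

# Hypothetical baseline of process names you'd expect on a stock Windows box;
# anything outside it is worth a closer look (a triage aid, not proof of malice).
BASELINE = {"System", "smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe",
            "services.exe", "lsass.exe", "svchost.exe", "explorer.exe", "cmd.exe"}


def parse_psscan(text):
    """Turn psscan's table into a list of dicts; header/separator lines are skipped."""
    procs = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        offset, name, pid, ppid, pdb = m.groups()
        procs.append({"offset": offset, "name": name, "pid": int(pid),
                      "ppid": int(ppid), "pdb": pdb})
    return procs


def parent_of(procs, name):
    """Follow a process's PPID back to its parent record (None if not in the scan)."""
    target = [p for p in procs if p["name"] == name]
    if not target:
        return None
    ppid = target[0]["ppid"]
    parents = [p for p in procs if p["pid"] == ppid]
    return parents[0] if parents else None


def children_of(procs, pid):
    """Equivalent of grepping the psscan output for a PID in the PPID column."""
    return [p for p in procs if p["ppid"] == pid]


def unusual_processes(procs, baseline=BASELINE):
    """Processes whose name is not in the baseline set, in scan order."""
    return [p for p in procs if p["name"] not in baseline]


def process_tree(procs):
    """Render an indented tree so parent/child relationships are visible at a glance."""
    kids = {}
    for p in procs:
        kids.setdefault(p["ppid"], []).append(p)
    pids = {p["pid"] for p in procs}
    roots = [p for p in procs if p["ppid"] not in pids]  # parent not in the scan
    lines = []

    def walk(p, depth):
        lines.append("  " * depth + f"{p['name']} (pid {p['pid']}, ppid {p['ppid']})")
        for child in kids.get(p["pid"], []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    procs = parse_psscan(PSSCAN_OUTPUT)
    print(process_tree(procs))
    print("not in baseline:", [p["name"] for p in unusual_processes(procs)])
    parent = parent_of(procs, "@WanaDecryptor")
    print("@WanaDecryptor was started by:", parent["name"], "pid", parent["pid"])
    print("children of that pid:", [p["name"] for p in children_of(procs, parent["pid"])])
```

to use it on a real image, pipe `volatility -f <dump> --profile=<profile> psscan` into a file and feed that text to parse_psscan instead of the constructed sample. the baseline check only says "not on my list"; the real evidence is the tree (what spawned the decryptor) plus cmdline for the path.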

so the ransomware is wannacry. they ran a ransomware attack on windows, encrypted stuff and demanded btc from people. if i were ever the victim of a ransomware attack what would i even have worth encrypting? it's embarrassing really.

ok wow found a research paper analysing and reverse engineering the malware ooooh exciting. 

its a sad sad life when you're excited about research papers but it is what it is. 

grepped for eky in the filescan output and found 000000.eky, and that's it. done.

not v fun. maybe i've outgrown this?

anyway. see ya soon.


btw I still haven't gotten round to the wannacry research paper. honestly, I'm tired of myself at this point.
