MEMORY ANALYSIS – RANSOMWARE

Note: you need to install Volatility on your system before getting started (these notes use the Volatility 2 vol.py command line).

First we need to identify the profile of the memory image:

vol.py -f infected.vmem imageinfo

Once we know the profile (Win7SP1x86 here), we can start analysing the memory. The first question is: what is the name of the suspicious process?

To answer this we have two options: either run the commands directly, or do something smarter and save their output to files, since we will probably need it again later.

We can run the following commands (the Volatility 2 command is just vol.py; there is no extra "volatility" word before -f):

vol.py -f infected.vmem --profile=Win7SP1x86 pslist > pslist.txt

vol.py -f infected.vmem --profile=Win7SP1x86 psscan > psscan.txt

Now it's time to see what the difference is between these two files: diff pslist.txt psscan.txt

pslist walks the kernel's linked list of active processes, while psscan carves _EPROCESS structures out of physical memory, so psscan also shows processes that have already exited or have been unlinked from that list. Note that the two plugins print different columns (pslist has thread, handle and session counts; psscan has the physical offset, PDB and exit time), so a raw diff marks every line as changed; compare the Name and PID columns and look for entries that appear only in psscan.

The entry that appears in one listing but not the other answers the first question.

What is the parent process ID (PPID) of the suspicious process?

vol.py -f infected.vmem --profile=Win7SP1x86 pstree

pstree prints each process indented under its parent and shows the PPID in its own column.

What is the initial malicious executable that created this process?

grep "2732" psscan.txt

grep matches the number anywhere in the line (offset, PID or PPID column), so check that 2732 is in the PID column of the hit. We search psscan rather than pslist here because the parent may already have exited, in which case only psscan still lists it.
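For the pslist/psscan comparison used for the first question, here is an added example of mine (not part of the original write-up) that compares the Name and PID columns of the two listings instead of diffing the raw files. The two sample listings are constructed in the Volatility 2 column layout; the names, PIDs and offsets (updater.exe, 2884 and so on) are illustrative, not values from infected.vmem.

```shell
#!/bin/sh
# Added example, not from the original write-up: find processes that psscan
# reports but pslist does not, by comparing the Name and PID columns instead of
# diffing the raw files (the two plugins print different columns, so a plain
# diff flags every line).
# The sample listings below are constructed in the Volatility 2 column layout;
# the names, PIDs and offsets are illustrative, not values from infected.vmem.
set -u

WORK=$(mktemp -d)
PSLIST_FILE="$WORK/pslist.txt"
PSSCAN_FILE="$WORK/psscan.txt"

cat > "$PSLIST_FILE" <<'EOF'
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x84b1a020 System                    4      0     87      510 ------      0 2023-01-01 10:00:00 UTC+0000
0x85a5d030 explorer.exe           1234   1200     30      900      1      0 2023-01-01 10:01:00 UTC+0000
0x85c33d40 cmd.exe                2200   1234      1       20      1      0 2023-01-01 10:05:00 UTC+0000
EOF

cat > "$PSSCAN_FILE" <<'EOF'
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x000000003e1a5020 System                4      0 0x00185000 2023-01-01 10:00:00 UTC+0000
0x000000003f25d030 explorer.exe       1234   1200 0x1e6c0300 2023-01-01 10:01:00 UTC+0000
0x000000003f51e8b0 updater.exe        2884   1234 0x1e6c05a0 2023-01-01 10:04:30 UTC+0000   2023-01-01 10:04:45 UTC+0000
0x000000003f433d40 cmd.exe            2200   1234 0x1e6c0440 2023-01-01 10:05:00 UTC+0000
EOF

# Print "PID NAME" for each process found in the second listing (psscan) that
# is absent from the first listing (pslist). Header and separator lines are
# skipped because their third field is not numeric.
psscan_only() {
    awk '
        NR == FNR { if ($3 ~ /^[0-9]+$/) seen[$3 " " $2] = 1; next }
        $3 ~ /^[0-9]+$/ && !(($3 " " $2) in seen) { print $3 " " $2 }
    ' "$1" "$2"
}

psscan_only "$PSLIST_FILE" "$PSSCAN_FILE"
```

Run it against the real files as psscan_only pslist.txt psscan.txt. An entry that has a Time exited value in psscan was terminated before the capture; an entry with no exit time that still appears only in psscan has been unlinked from the active process list, which is the classic sign of a hidden process.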

If you drill down on the suspicious PID (vol.py -f infected.vmem --profile=Win7SP1x86 psscan | grep (PID here)), find the process used to delete files. The grep also matches rows where that number sits in the PPID column, i.e. the suspicious process's children, and those children are where to look.

Find the path where the malicious file was first executed.

vol.py -f infected.vmem --profile=Win7SP1x86 dlllist -p 2732

or

vol.py -f infected.vmem --profile=Win7SP1x86 cmdline -p 2732

dlllist prints the process's command line in its header and lists the executable itself as the first module with its full path; cmdline prints just the command line. For a process that no longer appears in pslist, dlllist also accepts --offset with the physical offset reported by psscan instead of -p.

Can you identify what ransomware it is? (Do your research!) The process and file names, the extension the ransomware uses (.eky below) and any ransom note text found in memory are the usual pivots for that search.

What is the filename of the file holding the ransomware public key that was used to encrypt the private key? (.eky extension)

vol.py -f infected.vmem --profile=Win7SP1x86 memdump -p 2732 --dump-dir=./

memdump writes the process's addressable memory to 2732.dmp in the dump directory. After that we can run strings over the dump and grep for the keyword we are looking for (here .eky).
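As an added example (mine, not from the original write-up) of the "dump, then grep" step, the function below carves candidate .eky filenames, with the Windows path in front of them when one is present, out of a process dump. The dump used here is constructed from a few fake strings so it runs offline; in the real case the input is ./2732.dmp. tr stands in for strings(1) so the script does not depend on binutils being installed.

```shell
#!/bin/sh
# Added example, not from the original write-up: carve candidate *.eky filenames
# (and the Windows path in front of them, when present) out of a process memory
# dump written by memdump. The dump below is constructed with fake strings so
# the function can be tried offline; in the real case the input is ./2732.dmp.
set -u

WORK=$(mktemp -d)
DUMP="$WORK/sample.dmp"

# Constructed dump contents: binary noise, one unrelated filename, two ASCII
# strings containing .eky names (one of them with a full path), and one
# UTF-16LE name ("wide.eky") that an ASCII-only carve deliberately misses.
printf 'junk\001\002\003C:\\Users\\victim\\Documents\\notes.txt\000' > "$DUMP"
printf 'more\377\376 C:\\ProgramData\\keyfile.eky\000'             >> "$DUMP"
printf 'x\000y\000 and a lowercase name other.EKY\000'              >> "$DUMP"
printf 'w\000i\000d\000e\000.\000e\000k\000y\000'                    >> "$DUMP"

# Turn every non-printable byte into a newline (a portable stand-in for
# strings(1)), then keep unique tokens ending in .eky, case-insensitively.
# The character class allows ':' and '\' so a preceding drive path survives.
eky_names() {
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" \
        | grep -oiE '[-A-Za-z0-9_.:\\]+\.eky' \
        | LC_ALL=C sort -u
}

eky_names "$DUMP"
```

Windows keeps filenames as UTF-16 internally, so many of them sit in memory only as wide strings; if GNU binutils is available, repeat the carve with strings -a -e l 2732.dmp piped into the same grep to catch names like the wide.eky sample above, which the ASCII pass skips.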
