MEMORY ANALYSIS – RANSOMWARE
Note: you need to install Volatility (the Volatility 2 vol.py used below) on your system before getting started.
First we need to identify the image's profile with the next command:
vol.py -f infected.vmem imageinfo
imageinfo lists the suggested profiles; this image is Windows 7 SP1 x86, so every command below uses --profile=Win7SP1x86.
Once we know the profile we can start analysing this memory. The first question is: what is the name of the suspicious process?
To answer this we have two options: run the plugins and read their output directly, or do something smarter and save the output to files, because we will need it again later.
We can run the next commands (the plugin name comes after the image and profile; "vol.py volatility -f ..." is not valid syntax):
vol.py -f infected.vmem --profile=Win7SP1x86 pslist > pslist.txt
vol.py -f infected.vmem --profile=Win7SP1x86 psscan > psscan.txt
pslist walks the kernel's linked list of active processes, while psscan scans physical memory for EPROCESS pool tags, so psscan also returns processes that were unlinked from that list (hidden) or that have already exited but whose structures are still in memory.
Now it's time to see the difference between these two files: diff pslist.txt psscan.txt
Note that the two plugins print different columns (pslist has a virtual offset plus thread and handle counts, psscan has a physical offset and the page directory base), so a raw diff marks every line; what matters is the Name/PID pairs that appear only in psscan.txt.
Now we can see the answer to the first question directly.
What is the parent process ID for the suspicious process?
vol.py -f infected.vmem --profile=Win7SP1x86 pstree
pstree prints each child indented under its parent, so the PPID column and the parent's name can be read straight from the tree.
What is the initial malicious executable that created this process?
grep 2732 psscan.txt
A bare grep for the PID matches it in both the PID and PPID columns, so this shows the process's own row (with its parent) and every process it spawned.
If you drill down on the suspicious PID (vol.py -f infected.vmem --profile=Win7SP1x86 psscan | grep (PIDhere)), find the process used to delete files.
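The pslist/psscan comparison above, done by Name/PID instead of a raw diff, as an added example that is not part of the original write-up. It assumes the two plugin outputs were saved to files as shown earlier; the sample tables embedded in demo() are constructed, and the process names, PIDs and offsets in them are made up.

```sh
#!/bin/sh
# Added example (not from the original write-up): compare Volatility 2
# pslist and psscan output by Name/PID instead of raw-diffing the files,
# because the two plugins print different columns.  Real input comes from:
#   vol.py -f infected.vmem --profile=Win7SP1x86 pslist > pslist.txt
#   vol.py -f infected.vmem --profile=Win7SP1x86 psscan > psscan.txt
# The sample tables below are constructed; names, PIDs and offsets are made up.

# Reduce a pslist or psscan table to sorted "Name PID" pairs.  In both
# plugins every process row starts with a 0x offset and Name/PID are the
# second and third columns; header and separator lines are dropped.
name_pid() {
    awk '$1 ~ /^0x/ { print $2, $3 }' "$1" | LC_ALL=C sort -u
}

# Print processes present in psscan but absent from pslist: either an
# EPROCESS unlinked from the active-process list (hidden) or a process
# that exited but whose EPROCESS is still in pool memory.  psscan's
# "Time exited" column tells the two cases apart.
only_in_psscan() {
    a=$(mktemp) || return 1
    b=$(mktemp) || return 1
    name_pid "$1" > "$a"
    name_pid "$2" > "$b"
    LC_ALL=C comm -13 "$a" "$b"
    rm -f "$a" "$b"
}

# Self-contained demo on constructed plugin output (not real case data).
demo() {
    p=$(mktemp) || return 1
    s=$(mktemp) || return 1
    cat > "$p" <<'EOF'
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x84f1a020 System                    4      0     88      546 ------      0 2019-01-01 10:00:00 UTC+0000
0x85c3e030 explorer.exe           1200   1156     30      900      1      0 2019-01-01 10:01:00 UTC+0000
EOF
    cat > "$s" <<'EOF'
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x000000003e71a020 System                4      0 0x00185000 2019-01-01 10:00:00 UTC+0000
0x000000003f43e030 explorer.exe       1200   1156 0x3e7f1000 2019-01-01 10:01:00 UTC+0000
0x000000003f9a0d40 sample_hidden.exe  9999   1200 0x3e8c2000 2019-01-01 10:05:00 UTC+0000   2019-01-01 10:06:00 UTC+0000
EOF
    only_in_psscan "$p" "$s"
    rm -f "$p" "$s"
}

demo
```

On a real case run only_in_psscan pslist.txt psscan.txt; each line it prints is a process to check in pstree and cmdline, and the "Time exited" column in psscan.txt separates exited processes from ones that are still running yet hidden.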
Find the path from which the malicious file was first executed:
vol.py -f infected.vmem --profile=Win7SP1x86 dlllist -p 2732
(the header dlllist prints for the process includes its command line), or
vol.py -f infected.vmem --profile=Win7SP1x86 cmdline -p 2732
Can you identify which ransomware it is? (Do your research!)
What is the filename of the file holding the ransomware public key that was used to encrypt the private key? (.eky extension)
vol.py -f infected.vmem --profile=Win7SP1x86 memdump -p 2732 --dump-dir=./
This writes 2732.dmp to the current directory. After that we can grep the dump for the keyword we are looking for, e.g. strings 2732.dmp | grep -i "\.eky". Windows keeps most paths in memory as UTF-16, so also run strings -e l 2732.dmp | grep -i "\.eky"; otherwise wide-character filenames are missed.
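The keyword search over the memdump output, as an added example that is not part of the original write-up. It assumes the dump file written by memdump (2732.dmp) is the input; the blob built in demo() is constructed, and the .eky filenames in it are made up.

```sh
#!/bin/sh
# Added example (not from the original write-up): pull candidate .eky
# filenames out of a memdump output file.  Real input is the 2732.dmp that
#   vol.py -f infected.vmem --profile=Win7SP1x86 memdump -p 2732 --dump-dir=./
# writes; the dump built below is constructed and its names are made up.
#
# Windows stores most paths in memory as UTF-16LE, where every ASCII
# character is followed by a NUL byte, so a plain grep for ".eky" misses
# them.  Deleting NUL bytes first turns those wide strings back into ASCII
# (the same idea as 'strings -e l'), at the cost of occasionally gluing
# adjacent strings together, which the tight filename character class
# below keeps in check.

# Print unique basenames ending in .eky (any case) found in a binary file.
find_eky_names() {
    tr -d '\000' < "$1" \
        | LC_ALL=C grep -a -o -i -E '[A-Za-z0-9_.-]+\.eky' \
        | LC_ALL=C sort -u
}

# Self-contained demo: build a small binary blob containing one ASCII path
# and one UTF-16LE filename surrounded by junk bytes, then scan it.
demo() {
    f=$(mktemp) || return 1
    printf '\001\002junkC:\\Users\\victim\\pub_sample.eky\000\003\004' > "$f"
    printf 'w\000i\000d\000e\000_\000s\000a\000m\000p\000l\000e\000.\000e\000k\000y\000\000\000\005tail' >> "$f"
    find_eky_names "$f"
    rm -f "$f"
}

demo
```

Run find_eky_names 2732.dmp on the real dump; both the ASCII and the UTF-16 copies of a filename come out, and if you need the full path rather than the basename, widen the character class to include backslash and colon.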