How to interpret ransomware messages in a memory dump file via FTK Imager

5 Posts
2 Users
3 Reactions
1,297 Views
(@dumper)
Active Member
Joined: 6 months ago
Posts: 3
Topic starter  
Hello,
 
I would like to request your help on this matter. I am really new to digital forensic analysis, but I think I have discovered a topic that is really interesting for me to study.
 
I was making some tests on a Windows server device with FTK Imager and obtained its memory dump file (.mem). After loading it in the application, this kind of message appeared, which makes me feel worried:
 
"

\.b
c
i l.p.uRansom:MSIL/BlackWorld.DA!MTB......S..¬..±xm...µæYd..È"1.>GÈaÞ|ç¹Black World Ransomware.exeB.l.a.c.k. .W.o.r.l.d. .R.a.n.s.o.m.w.a.r.e...e.x.e.Black_World_Ransomware.PropertiesB.l.a.c.k._.W.o.r.l.d._.R.a.n.s.o.m.w.a.r.e...P.r.o.p.e.r.t.i.e.s.Black World Ransomware.pdbB.l.a.c.k. .W.o.r.l.d. .R.a.n.s.o.m.w.a.r.e...p.d.b.Ransom:MSIL/Filecoder.DR!MTB..... S.....Ûx....n.Ój..ï.j.¡øçÞÒ¦Ç:êEncryptFileSystemE.n.c.r.y.p.t.F.i.l.e.S.y.s.t.e.m.EncryptionKeyE.n.c.r.y.p.t.i.o.n.K.e.y.install\obj\Release\install.pdbi.n.s.t.a.l.l.\.o.b.j.\.R.e.l.e.a.s.e.\.i.n.s.t.a.l.l...p.d.b.Users\Public\pay.jpgU.s.e.r.s.\.P.u.b.l.i.c.\.p.a.y...j.p.g..crypted..c.r.y.p.t.e.d.Ivan MedvedevI.v.a.n. .M.e.d.v.e.d.e.v.Ransom:MSIL/Filecoder.DS!MTB.....!S..mÏ{Øxc..1Iç$..Ë.3¢÷..Ç.HÏ+â.ransomback.pngr.a.n.s.o.m.b.a.c.k...p.n.g.UpdateDecrypter.exeU.p.d.a.t.e.D.e.c.r.y.p.t.e.r...e.x.e.ransomupdater.a.n.s.o.m.u.p.d.a.t.e.Ransom:Win32/Death.DB!MTB....."S..Ô.ñ.x¨....EJ)¡À. .EÕ2B·.(.i³B.cryptedB...c.r.y.p.t.e.d.select * from Win32_ShadowCopyWin32_ShadowCopy.IDW.i.n.3.2._.S.h.a.d.o.w.C.o.p.y...I.D.Trojan:Python/Downldr.B!MTB.....#S..ûæã )D..ï}ø.3ÿ±.m.^ÆÈöT»g.6º/synapsebins.sh;chmod777synapsebins.sh;shsynapsebins.sh..Ë.AgentTesla.MA!MTB.....$S.. \]
@U..N\SdYo..°2ýgDÊ.ø²³¥TrojanDownloader:O97M/EncDoc.XAQ!MTB.....%S..DCl.ç~...x.àML..Y.>~.¦þ... É#ATTR_00003348.#ATTR_00003349.SCPT:TrojanDownloader:O97M/EncDoc.XAQ!MTB!XQ1.¬¡Mirai.AM!MTB.....&S...S¾.)U...ÀÅEü¼.Gï.ª7y¹...[}`/bins/keksec....-okeksec....;chmod777keksec....;./keksec....;rm-rfkeksec..¬!Emotetcrypt.VK!MTB.....'S..ÑÏ.gxð..G|á.ïò

"

 
 
What do these entries mean? Is the server under a potential ransomware attack, or could it be a false positive?
 
I tested it in Volatility 3 as well, and I found no malicious process (at least to my eyes, with my low experience...).
 
Could you help me to understand and to learn how to interpret these results?
 
Thank you.

Bunnysniper
(@bunnysniper)
Reputable Member
Joined: 12 years ago
Posts: 259
 

Congratulations 🙂 
You found a signature from an antivirus program or a dll containing detection patterns. The same happened to me ~15 years ago and I was so proud to find evidence for activities from multiple threat actors. And I was running around and raising an alert based on this false positive 🤪 🤪 🤪 


(@dumper)
Active Member
Joined: 6 months ago
Posts: 3
Topic starter  

@bunnysniper Thank you for sharing your experience! I have a question: how can I tell the difference between the detection patterns of a DLL or antivirus program and real malicious activity of malware in RAM? Is that possible with FTK Imager, or should I use other tools to analyze it? (I used Volatility 3 but found nothing suspicious.)

Could you maybe recommend some technical material for understanding the interpretation of memory images through FTK Imager? I found a lot of material on how to acquire the images, but very little on malware analysis using this tool.

Thanks for your help!


Bunnysniper
(@bunnysniper)
Reputable Member
Joined: 12 years ago
Posts: 259
 

In #DFIR you have great tools to
1. gather evidence
2. analyse evidence

but only a handful that can do both.
FTK Imager is a great tool and (more or less) the industry standard to create online (OS is running) and offline (OS is not running) images. But it is not a tool for analysis! To analyse the hard drive content imaged by FTK Imager, you can use tools like Autopsy (free) or commercial tools like Magnet Axiom or X-Ways Forensics (and a lot more).

And yes, FTK Imager can create memory dumps. Other tools you can use to create mem dumps are winpmem, Magnet RAM Capturer and a few others. When it comes to memory analysis, Volatility 3 is the standard tool to use.

These analysis tools will show you something important: the path where a string like "Emotet" was found, and the file name. Then it is much clearer to you why this string was there.
The sheer number of suspicious or malicious strings within one line of a file found with FTK Imager clearly shows that what you found is something related to antivirus detection.

 


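The two points made above (the dotted "B.l.a.c.k. .W.o.r.l.d" text in the first post is UTF-16LE, where each "." is a 0x00 byte, and a run of many different detection names packed into one small span is what a signature database looks like rather than a running sample) can be turned into a quick triage script. The following is an added example, not code from the thread or from any of the tools named in it. It works on a raw buffer you read from the .mem file yourself; the byte string it ships with is constructed to mimic the fragment shown in the first post and is not a real memory image. The 4 KB window, the threshold of three distinct names, and the regular expression for Defender-style names are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass

# Regex for Microsoft Defender-style detection names as they appeared in the
# post, e.g. "Ransom:MSIL/BlackWorld.DA!MTB" or the bare "Emotetcrypt.VK!MTB".
# The "Family:Platform/" prefix is optional because some names in the dump
# were truncated. (Assumption: the "!MTB" suffix is the anchor worth matching.)
DETECTION_RE = re.compile(rb"(?:[A-Za-z]+:[A-Za-z0-9]+/)?[A-Za-z0-9_]+\.[A-Z]{1,3}!MTB")

# Constructed sample modelled on the first post. NOT a real memory image.
SAMPLE = (
    b"Ransom:MSIL/BlackWorld.DA!MTB\x00\x00\x00"
    + "Black World Ransomware.exe".encode("utf-16-le") + b"\x00\x00"
    + b"Ransom:MSIL/Filecoder.DR!MTB\x00"
    + "EncryptFileSystem".encode("utf-16-le") + b"\x00\x00"
    + b"Users\\Public\\pay.jpg\x00"
    + b"Ransom:Win32/Death.DB!MTB\x00select * from Win32_ShadowCopy\x00"
    + b"Trojan:Python/Downldr.B!MTB\x00Emotetcrypt.VK!MTB\x00"
)


@dataclass
class Hit:
    offset: int
    encoding: str
    text: str


def extract_strings(data: bytes, min_len: int = 6):
    """Return ASCII and UTF-16LE strings with their byte offsets, sorted by offset.

    The UTF-16LE pattern (printable byte followed by NUL, repeated) is exactly
    what FTK Imager renders as "B.l.a.c.k. .W.o.r.l.d": every "." is a 0x00.
    """
    hits = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        hits.append(Hit(m.start(), "ascii", m.group().decode("ascii")))
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        hits.append(Hit(m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(hits, key=lambda h: h.offset)


def find_detection_names(data: bytes):
    """Offset and text of every Defender-style detection name in the buffer."""
    return [(m.start(), m.group().decode("ascii")) for m in DETECTION_RE.finditer(data)]


def assess_region(data: bytes, window: int = 4096, threshold: int = 3):
    """Apply the heuristic from the thread.

    Many DISTINCT detection names inside one small span of memory is the shape
    of an antivirus signature database. A live infection carries the strings of
    one family, not a catalogue of unrelated families. Returns the densest
    window found and a verdict string.
    """
    names = find_detection_names(data)
    best_start, best_names = 0, set()
    for start, _ in names:
        in_window = {n for off, n in names if start <= off < start + window}
        if len(in_window) > len(best_names):
            best_start, best_names = start, in_window
    if len(best_names) >= threshold:
        verdict = "likely AV signature data"
    else:
        verdict = "inconclusive; inspect the owning process/VAD"
    return {
        "window_start": best_start,
        "distinct_names": len(best_names),
        "names": sorted(best_names),
        "verdict": verdict,
    }


if __name__ == "__main__":
    # To run this on your own acquisition: SAMPLE = open("server.mem", "rb").read()
    for h in extract_strings(SAMPLE):
        print(f"{h.offset:08x} {h.encoding:8} {h.text}")
    print(assess_region(SAMPLE))
```

The verdict is only a hint about where to look next. The decisive check is the one the reply above describes: find out which process or file owns the memory where the strings live. In Volatility 3 that means listing processes (windows.pslist) and then scanning process memory for one of the strings with a YARA rule (windows.vadyarascan), so that the hit resolves to a concrete process and address range instead of a bare offset in the image.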
(@dumper)
Active Member
Joined: 6 months ago
Posts: 3
Topic starter  

@bunnysniper Thank you so much for sharing your knowledge; this clarifies the memory analysis topic for me a lot more.

👍 👍 👍 

 
