OtterCTF 2018 Bit 4 Bit

By CHIqueen, 2018-12-14 15:14

We've found out that the malware is a ransomware. Find the attacker's bitcoin address.

First, dump the malware process (vmware-tray.exe, PID 3720) out of the memory image with Volatility's procdump:

$ vol.py -f OtterCTF.vmem --profile=Win7SP1x64 procdump -p 3720 -D ./
Volatility Foundation Volatility Framework 2.6
Process(V)         ImageBase          Name                 Result
------------------ ------------------ -------------------- ------
0xfffffa801a4c5b30 0x0000000000ec0000 vmware-tray.ex       OK: executable.3720.exe

* This is real ransomware, so be careful: do not run the dumped executable.3720.exe; analyze it statically, and only inside an isolated VM.

Next, decompile the dump with dnSpy. dnSpy works here because executable.3720.exe is a .NET assembly, so the decompiler recovers readable C# source; the attacker's bitcoin address is a hard-coded string in that source, and the flag is the address wrapped in CTF{}.


CTF{1MmpEmebJkqXG8nQv4cjJSmxZQFVmFo63M}
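As an added example (not part of the original write-up), the following Python scans a dumped executable for Bitcoin addresses and keeps only those that pass the Base58Check checksum, which filters out version strings, hashes and other Base58 lookalikes. It searches both ASCII and UTF-16LE text: .NET string literals live in the assembly's #US heap as UTF-16LE, so a plain ASCII grep or `strings` without `-el` misses exactly the string dnSpy shows. The script name btc_scan.py, the constructed SAMPLE bytes and the use of the genesis-block address as a known-valid value are assumptions for the demo; run it against the real executable.3720.exe to cross-check the dnSpy result.

```python
import hashlib
import re
import sys

# Bitcoin's Base58 alphabet (0, O, I and l are excluded to avoid confusion).
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
_ALPHA = B58_ALPHABET.encode("ascii")

# Candidate P2PKH ("1...") / P2SH ("3...") addresses are 26-35 Base58 chars.
# One pattern for ASCII text, one for UTF-16LE text (each char followed by a
# NUL byte), which is how .NET string literals are stored in the #US heap.
ASCII_RE = re.compile(rb"[13][" + _ALPHA + rb"]{25,34}")
UTF16_RE = re.compile(rb"[13]\x00(?:[" + _ALPHA + rb"]\x00){25,34}")


def b58decode(s: str) -> bytes:
    """Decode a Base58 string; each leading '1' encodes a leading zero byte."""
    n = 0
    for ch in s:
        n = n * 58 + B58_ALPHABET.index(ch)  # ValueError on a non-Base58 char
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_zeros = len(s) - len(s.lstrip("1"))
    return b"\x00" * leading_zeros + body


def is_valid_address(s: str) -> bool:
    """Base58Check: 1 version byte + 20-byte hash + 4-byte double-SHA256 checksum."""
    try:
        raw = b58decode(s)
    except ValueError:
        return False
    if len(raw) != 25:
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def find_addresses(data: bytes):
    """Return (encoding, offset, address) for every checksum-valid address in data."""
    hits = []
    for m in ASCII_RE.finditer(data):
        hits.append(("ascii", m.start(), m.group().decode("ascii")))
    for m in UTF16_RE.finditer(data):
        hits.append(("utf-16le", m.start(), m.group().decode("utf-16-le")))
    # Lookalikes (hashes, corrupted copies, random Base58 runs) fail the checksum.
    return [(enc, off, addr) for enc, off, addr in hits if is_valid_address(addr)]


# Constructed sample "binary" (not a real dump): one ASCII address, one
# UTF-16LE address at an odd offset, and one UTF-16LE copy with its last
# character changed so its checksum must fail. The genesis-block address
# is used here only as a known-valid test value.
VALID = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
CORRUPT = VALID[:-1] + "b"
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"Send 0.5 BTC to " + VALID.encode("ascii") + b"\x00"
    + b"\x00" * 5 + b"A"                      # odd-length junk: next string is unaligned
    + ("Pay to " + CORRUPT).encode("utf-16-le") + b"\x00\x00"
    + ("Your wallet: " + VALID).encode("utf-16-le") + b"\x00\x00"
)


if __name__ == "__main__":
    # Usage: python btc_scan.py executable.3720.exe   (falls back to SAMPLE)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for enc, off, addr in find_addresses(data):
        print(f"{off:#010x}  {enc:<8}  {addr}")
```

The regex is greedy and assumes a non-Base58 byte (a NUL, a space, a length prefix) ends the address, which holds for string literals in a .NET heap but not for an address embedded in a longer alphanumeric run; in that case enumerate shorter candidates and let the checksum decide. A passing checksum only proves the string is a well-formed address, not that it belongs to the attacker, so the hit still needs to be tied to the ransom logic in the decompiled code, as the dnSpy step does.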
