OtterCTF 2018 Bit 4 Bit

CHIqueen 2018. 12. 14. 15:14

We've found out that the malware is a ransomware. Find the attacker's bitcoin address.

First, dump the ransomware process (PID 3720, identified in the earlier challenges) from the memory image with Volatility's procdump:

$ vol.py -f OtterCTF.vmem --profile=Win7SP1x64 procdump -p 3720 -D ./
Volatility Foundation Volatility Framework 2.6
Process(V)         ImageBase          Name                 Result
------------------ ------------------ -------------------- ------
0xfffffa801a4c5b30 0x0000000000ec0000 vmware-tray.ex       OK: executable.3720.exe

* This is real ransomware, so handle the dumped executable.3720.exe with care: keep it in an isolated analysis VM and never run it.

Decompile executable.3720.exe with dnSpy (the sample is a .NET binary, so the decompiled C# is readable). The attacker's Bitcoin address is hard-coded in the decompiled source, and wrapping it in CTF{} gives the flag:

CTF{1MmpEmebJkqXG8nQv4cjJSmxZQFVmFo63M}
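A quick complement to reading the decompiled source in dnSpy is to scan the dumped executable for Base58Check-shaped strings and verify their checksums, which separates a real address from look-alikes such as GUID fragments or base64. The script below is an added example for this writeup, not code from the original post or from the challenge binary. The sample dump it scans is constructed (the ransom-note text and the BTC amount are invented; only the address comes from the writeup above), and `scan_dump()` can be pointed at the real executable.3720.exe instead. It searches both ASCII and UTF-16LE because .NET stores string literals as UTF-16LE in the #US heap, which is also why a default `strings` run misses them (GNU `strings -e l` shows them).

```python
"""Scan a process dump for hard-coded Bitcoin addresses and verify them.
Added example (not from the original writeup); the sample dump is constructed."""
import hashlib
import re

BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Legacy Base58Check addresses: prefix '1' (P2PKH) or '3' (P2SH), 26..35 chars
# from the Base58 alphabet (no 0, O, I, l).
ASCII_RE = re.compile(rb"[13][1-9A-HJ-NP-Za-km-z]{25,34}")
# Same shape with a NUL after each character: .NET keeps string literals as
# UTF-16LE, so an ASCII-only strings pass would miss the address.
UTF16_RE = re.compile(rb"[13]\x00(?:[1-9A-HJ-NP-Za-km-z]\x00){25,34}")


def sha256d(data: bytes) -> bytes:
    """Double SHA-256, the hash used for the Base58Check checksum."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def b58decode(s: str) -> bytes:
    n = 0
    for ch in s:
        n = n * 58 + BASE58_ALPHABET.index(ch)  # ValueError on a non-Base58 char
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    # each leading '1' stands for a leading zero byte the integer form dropped
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def b58check_encode(payload: bytes) -> str:
    """payload = 1 version byte + 20-byte hash; appends the 4-byte checksum."""
    raw = payload + sha256d(payload)[:4]
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = BASE58_ALPHABET[r] + out
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out


def is_valid_base58check(addr: str) -> bool:
    """True only if addr decodes to 25 bytes whose last 4 are the right checksum."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25:
        return False
    return sha256d(raw[:21])[:4] == raw[21:]


def find_candidates(blob: bytes) -> dict:
    """Map address -> (encoding, offset) for every Base58-shaped string in blob."""
    found = {}
    for m in ASCII_RE.finditer(blob):
        found.setdefault(m.group().decode("ascii"), ("ascii", m.start()))
    for m in UTF16_RE.finditer(blob):
        found.setdefault(m.group().decode("utf-16-le"), ("utf-16le", m.start()))
    return found


def scan_dump(blob: bytes) -> list:
    """Candidates in file order, each tagged with whether its checksum verifies."""
    rows = []
    for addr, (enc, off) in sorted(find_candidates(blob).items(), key=lambda kv: kv[1][1]):
        rows.append({"address": addr, "encoding": enc, "offset": off,
                     "base58check_ok": is_valid_base58check(addr)})
    return rows


# The address recovered from the decompiled ransomware in the writeup above.
ATTACKER_BTC = "1MmpEmebJkqXG8nQv4cjJSmxZQFVmFo63M"

# Constructed stand-in for executable.3720.exe: an ASCII note fragment, a
# .NET-style UTF-16LE string carrying the address, and an ASCII copy with the
# last character changed (M -> X) that must fail the checksum. Not real data.
SAMPLE_DUMP = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"Your files have been encrypted\x00"
    + "Send 0.1 BTC to ".encode("utf-16-le")
    + ATTACKER_BTC.encode("utf-16-le") + b"\x00\x00"
    + b"1MmpEmebJkqXG8nQv4cjJSmxZQFVmFo63X\x00"
    + b"\x00" * 32
)

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for row in scan_dump(blob):
        print(f"{row['offset']:#010x} {row['encoding']:<8} {row['address']:<35} "
              f"checksum={'ok' if row['base58check_ok'] else 'BAD'}")
```

Run it as `python scan_btc.py executable.3720.exe` against the procdump output; with no argument it scans the constructed sample. The checksum check matters because a 34-character Base58 run is not rare in a binary, and a single corrupted character (as in the ASCII copy above) is enough to fail it.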
