OtterCTF 2018 Bit 4 Bit

포렌식/CTF

OtterCTF 2018 Bit 4 Bit

CHIqueen 2018. 12. 14. 15:14

We've found out that the malware is a ransomware. Find the attacker's bitcoin address.

먼저 프로세스를 덤프 떠줍니다.

$ vol.py -f OtterCTF.vmem --profile=Win7SP1x64 procdump -p 3720 -D ./

Volatility Foundation Volatility Framework 2.6

Process(V)         ImageBase          Name                 Result

------------------ ------------------ -------------------- ------



0xfffffa801a4c5b30 0x0000000000ec0000 vmware-tray.ex       OK: executable.3720.exe

* 진짜 랜섬웨어 이니까 조심하세요

dnSpy로 디컴파일 해줍니다.

CTF{1MmpEmebJkqXG8nQv4cjJSmxZQFVmFo63M}