We’re testing our Memory Analysis package (currently in beta) against various challenges available online.
We found this challenge on the Memory Forensic site, so credit goes to them for highlighting it and to CyberDefenders for creating it in the first place.
The scenario is as follows:
“You have been given a memory image for a compromised machine. As a security blue team analyst, analyze the image and figure out the attack details.”
Thanks to our newly introduced feature for detecting hidden processes, this challenge turns out to be quite simple. We identify the malware family using two separate methods. First, we dump the malicious process to disk and submit it to VirusTotal. Second, we locate an injected PE within the memory of the malicious process and analyze it. A YARA signature match on that injected PE confirms the same malware family.
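The second method above, locating an injected PE inside a process's memory, is worth seeing in code. The following is an added example written for this post, not code from the Memory Analysis package or from the challenge: it scans a process memory buffer for DOS `MZ` headers whose `e_lfanew` points at a valid `PE\0\0` signature (rejecting stray `MZ` bytes), carves each image using the optional header's `SizeOfImage`, and hashes the carved bytes for a lookup. The function names (`find_embedded_pe`, `carve_pe`, `triage`) and the sample buffer `PROCESS_MEMORY` are hypothetical; the buffer is constructed inline from a minimal PE header plus two decoys, so nothing here is taken from the challenge image.

```python
import hashlib
import struct

# --- Constructed sample: a fake process memory region, not the challenge image ---

def _build_minimal_pe(size_of_image, machine=0x8664):
    """Assemble just enough of a PE image (DOS header, PE signature, COFF and
    optional headers) for the scanner below to recognise and measure it."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew -> PE signature
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0xF0, 0x22)
    opt = bytearray(0xF0)
    struct.pack_into("<H", opt, 0, 0x20B)              # PE32+ magic
    struct.pack_into("<I", opt, 56, size_of_image)     # SizeOfImage (same offset for PE32/PE32+)
    headers = bytes(dos) + b"PE\x00\x00" + coff + bytes(opt)
    return headers.ljust(size_of_image, b"\x00")

_mem = bytearray(0x10000)
_mem[0x200:0x202] = b"MZ"                  # decoy: "MZ" with no PE signature behind it
_injected = _build_minimal_pe(0x3000)
_mem[0x1000:0x1000 + len(_injected)] = _injected   # the "injected" image
_mem[0xFFFE:0x10000] = b"MZ"               # decoy at the very end (exercises bounds checks)
PROCESS_MEMORY = bytes(_mem)

# --- Scanner ---

def find_embedded_pe(buf):
    """Return offsets of plausible PE images inside a memory buffer.

    A hit needs the 'MZ' magic, an e_lfanew (at +0x3C) that is sane and stays
    inside the buffer, and the 'PE\\0\\0' signature at that location."""
    hits = []
    pos = buf.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(buf):
            e_lfanew = struct.unpack_from("<I", buf, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if (0x40 <= e_lfanew < 0x400 and pe + 24 <= len(buf)
                    and buf[pe:pe + 4] == b"PE\x00\x00"):
                hits.append(pos)
        pos = buf.find(b"MZ", pos + 1)
    return hits

def carve_pe(buf, off):
    """Carve one image starting at `off` using SizeOfImage as its extent, and
    return header facts plus a SHA-256 of the carved bytes."""
    e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
    pe = off + e_lfanew
    machine, nsections = struct.unpack_from("<HH", buf, pe + 4)
    opt = pe + 24                                       # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", buf, opt)[0]
    size_of_image = struct.unpack_from("<I", buf, opt + 56)[0]
    end = min(off + size_of_image, len(buf))            # never read past the region we have
    image = buf[off:end]
    return {
        "offset": off,
        "machine": machine,
        "pe32plus": magic == 0x20B,
        "sections": nsections,
        "size": len(image),
        "sha256": hashlib.sha256(image).hexdigest(),
    }

def triage(buf):
    """Scan a process memory buffer and carve every embedded PE found."""
    return [carve_pe(buf, off) for off in find_embedded_pe(buf)]

if __name__ == "__main__":
    for hit in triage(PROCESS_MEMORY):
        print("PE at 0x%X  machine=0x%X  size=0x%X  sha256=%s"
              % (hit["offset"], hit["machine"], hit["size"], hit["sha256"]))
```

One caveat for the VirusTotal step: an image carved from memory has been relocated and often unpacked, so its hash will rarely match the file that was dropped on disk. Hash lookups on carved images therefore tend to miss; submitting the dump itself, or matching it with YARA as the post does, is the more reliable route.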