pf-ing (prefetch-ing)
this is a challenge that I created for SNI CTF 2024
Given a memory dump file (.mem) with the description:
believe me, it's just an intro to DFIR about ransom cases
If you analyze it with pslist or pstree, you won't notice anything suspicious.
Because of that, check the prefetch artifacts that reside in the memory dump.
https://www.geeksforgeeks.org/prefetch-files-in-windows/
vol -f dump.dmp windows.filescan | grep ".pf"
Analyze the prefetch files. You will notice a suspicious Edge.exe entry. (Remember that the real process of MS Edge is msedge.exe, not Edge.exe.)
Analyze the Edge.exe prefetch with PECmd and you will find that this executable touched files in the Documents folder and produced .dll files in %localappdata%/temp, which is suspicious.
From that evidence, you can assume that Edge.exe is the malicious program and that the encrypted data sits in the temp folder. Proceed by dumping Edge.exe and the encrypted files, then decrypting them.
Decompile Edge.exe
XOR Encryption function.
The key is randomized, but only modulo 256 (a single byte), so it can be brute-forced.
Dumping Encrypted File
Command:
vol -f dump.dmp windows.dumpfiles --virtaddr {offset}
Decrypt:
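As an added example (not the challenge's own decryptor), the brute-force step in Python: every one of the 256 possible single-byte keys is tried against a dumped file, a key that yields a known header (the flag marker or a common document magic) is preferred, and a printable-text heuristic is the fallback. The sample ciphertext is constructed here; on the real dump you would read the bytes of a file recovered with windows.dumpfiles instead.

```python
# Added example: recover a single-byte XOR key from a dumped ciphertext.
# Hypothetical helper, not code from the challenge binary or writeup.

# Plaintext prefixes worth trying first: the flag marker and a few common
# document magics (files taken from Documents are likely to start with these).
KNOWN_PREFIXES = [b"SNI{", b"%PDF", b"PK\x03\x04", b"\x89PNG", b"\xd0\xcf\x11\xe0"]

# Constructed sample: what a "random" key reduced to one byte (key % 256)
# would produce. This is not data from the real dump.
SAMPLE_KEY = 0x5A
SAMPLE_PLAINTEXT = b"SNI{constructed_sample_not_the_real_flag}\nnotes from Documents\n"
SAMPLE_CIPHERTEXT = bytes(b ^ SAMPLE_KEY for b in SAMPLE_PLAINTEXT)


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; the same operation both encrypts and decrypts."""
    return bytes(b ^ key for b in data)


def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII or tab/newline/CR."""
    if not data:
        return 0.0
    return sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / len(data)


def keys_matching_prefix(ciphertext: bytes, prefix: bytes) -> list[int]:
    """Keys under which the ciphertext decrypts to the given prefix.
    With one-byte XOR the first byte alone fixes the key, so at most one key matches."""
    return [k for k in range(256) if xor_bytes(ciphertext[: len(prefix)], k) == prefix]


def rank_keys(ciphertext: bytes) -> list[tuple[int, float]]:
    """All 256 keys, best printable ratio first (ties keep ascending key order)."""
    scored = [(k, printable_ratio(xor_bytes(ciphertext, k))) for k in range(256)]
    return sorted(scored, key=lambda ks: ks[1], reverse=True)


def recover(ciphertext: bytes) -> tuple[int, bytes]:
    """Prefer a key that yields a known header; fall back to the printable heuristic."""
    for prefix in KNOWN_PREFIXES:
        for k in keys_matching_prefix(ciphertext, prefix):
            return k, xor_bytes(ciphertext, k)
    k = rank_keys(ciphertext)[0][0]
    return k, xor_bytes(ciphertext, k)


if __name__ == "__main__":
    key, plaintext = recover(SAMPLE_CIPHERTEXT)
    print(f"key = 0x{key:02x}")
    print(plaintext.decode(errors="replace"))
```

On short inputs several keys can tie under the printable heuristic (a key differing in only a low bit often keeps every byte printable), which is why a known header is checked first.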
flag: SNI{intr0_t0_df1r_and_th1s_g1rl_is_w4y_b3tter_than_Chizuru}