10.12.2018


GVTs - wearegvts.com
OtterCTF - Memory Forensics - “Bit 4 Bit”

We’ve found the malware before:
https://wearegvts.com/2018/otterctf/memory-forensics/hide-and-seek

We need to extract malware from the memory dump so we can examine it:
./vol.py -f OtterCTF.vmem --profile=Win7SP1x64 procdump -D dump/ -p 3720


We considered running the malware/ransomware inside a disposable Windows VM and letting it infect the OS intentionally, hoping the attacker's wallet address would then be easy to spot.
We were unable to run it.

We moved the executable.3720.exe to a Windows OS with CodeReflect installed and opened it.
After some digging we found this:



1MmpEmebJkqXG8nQv4cjJSmxZQFVmFo63M looked like a BTC wallet address. To be sure, we checked it via:
https://www.blockchain.com/btc/address/1MmpEmebJkqXG8nQv4cjJSmxZQFVmFo63M
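The same sanity check can be done offline: a Bitcoin P2PKH/P2SH address is Base58Check-encoded, so any candidate string pulled out of a dumped binary can be decoded and its double-SHA256 checksum verified before anyone bothers looking it up. The script below is an added example, not part of this write-up or the CTF; it scans a constructed byte blob (not the real OtterCTF dump) and uses the well-known genesis-block address as a stand-in for a valid hit.

```python
"""Scan a binary blob for Bitcoin-address-like strings and keep only those
whose Base58Check checksum verifies. Sample blob below is constructed."""
import hashlib
import re

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy addresses: 26-35 Base58 chars, '1' for P2PKH or '3' for P2SH.
CANDIDATE_RE = re.compile(rb"[13][1-9A-HJ-NP-Za-km-z]{25,34}")


def base58_decode(s: str) -> bytes:
    n = 0
    for ch in s:
        n = n * 58 + ALPHABET.index(ch)  # ValueError on non-Base58 char
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))     # each leading '1' is a 0x00 byte
    return b"\x00" * pad + body


def is_valid_btc_address(s: str) -> bool:
    """True if s is a 25-byte Base58Check payload with a correct checksum."""
    try:
        raw = base58_decode(s)
    except ValueError:
        return False
    if len(raw) != 25:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
    return digest[:4] == checksum and payload[0] in (0x00, 0x05)


def find_btc_addresses(blob: bytes) -> list:
    """Return unique, checksum-valid address strings found in blob."""
    found = []
    for m in CANDIDATE_RE.finditer(blob):
        cand = m.group().decode("ascii")
        if is_valid_btc_address(cand) and cand not in found:
            found.append(cand)
    return found


# Constructed sample: PE-ish header bytes, a valid address (genesis block),
# the same address with its last character altered, and a run of '1's.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    b"1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa\x00"
    b"1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb\x00"
    b"1111111111111111111111111111\x00"
)

if __name__ == "__main__":
    print(find_btc_addresses(SAMPLE_BLOB))
```

Run against `strings`-style output or the raw dumped executable, only candidates that survive the checksum are worth following up on a block explorer.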

So the flag is:
CTF{1MmpEmebJkqXG8nQv4cjJSmxZQFVmFo63M}