GVTs - wearegvts.com
OtterCTF - Memory Forensics - “Bit 4 Bit”
We’ve found the malware before:
We need to extract malware from the memory dump so we can examine it:
./vol.py -f OtterCTF.vmem --profile=Win7SP1x64 procdump -D dump/ -p 3720
We thought about running the malware/ransomware under a dummy/temporary Windows install, infecting the OS intentionally so that maybe we could see the attacker’s wallet address easily.
We were unable to run it.
We moved the executable.3720.exe to a Windows OS with CodeReflect installed and opened it.
After some digging we found this:
1MmpEmebJkqXG8nQv4cjJSmxZQFVmFo63M looked like a BTC wallet address. To be sure, we checked it via:
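As an added example (not the team’s own tooling from the writeup), the following script does the same kind of check offline: it scans a dumped executable for candidate Bitcoin addresses in both ASCII and UTF-16LE strings (the latter is how .NET literals are stored) and verifies each candidate’s Base58Check checksum, so a typo or a truncated string is caught before you look it up on a block explorer. The sample bytes and the well-known genesis address are constructed test data.

```python
import hashlib
import re
import sys

# Base58 alphabet used by Bitcoin addresses (no 0, O, I, l).
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Candidate P2PKH/P2SH address: leading 1 or 3, then 25-34 Base58 chars, not inside a longer token.
ADDR_RE = re.compile(r"(?<![1-9A-Za-z])[13][1-9A-HJ-NP-Za-km-z]{25,34}(?![1-9A-Za-z])")


def b58decode(s: str) -> bytes:
    """Decode Base58; each leading '1' stands for one leading zero byte."""
    n = 0
    for ch in s:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"non-Base58 character {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def is_valid_btc_address(addr: str) -> bool:
    """Base58Check: 1 version byte + 20-byte hash + 4-byte double-SHA256 checksum."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25 or raw[0] not in (0x00, 0x05):  # 0x00 = P2PKH, 0x05 = P2SH
        return False
    checksum = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()[:4]
    return checksum == raw[21:]


def find_btc_addresses(blob: bytes) -> dict:
    """Map every address-shaped string in the blob (ASCII or UTF-16LE) to its checksum validity."""
    texts = [blob.decode("latin-1")]
    for off in (0, 1):  # UTF-16LE literals may start at an odd offset, so try both alignments
        texts.append(blob[off:].decode("utf-16-le", errors="ignore"))
    return {m.group(0): is_valid_btc_address(m.group(0)) for t in texts for m in ADDR_RE.finditer(t)}


# Constructed sample: a UTF-16LE ransom-note string plus an ASCII address with its last char altered.
GENESIS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"  # well-known valid mainnet address (genesis coinbase)
SAMPLE = (b"MZ\x90\x00" + ("Send 0.1 BTC to " + GENESIS).encode("utf-16-le")
          + b"\x00\x00 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb")

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for addr, ok in find_btc_addresses(data).items():
        print(f"{addr}  checksum {'OK' if ok else 'INVALID'}")
```

Run it against the procdump output (e.g. dump/executable.3720.exe) to list every address-shaped string and whether its checksum holds.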
So the flag is: