
Paulo Pereira, PhD
This article is the second part of a LockBit 3.0 Black (LB3B) investigation. It describes the difficulties encountered when performing memory forensics with the open-source tool Volatility 3, and it also discusses the newer obfuscation techniques that attackers employ in malware development. LB3B is ransomware with several features that still require further forensic analysis, and it challenges any forensic security analyst: its advanced obfuscation makes it difficult to find evidence that demonstrates the behavior of the artifact. This article analyzes memory captured on a host at the time of infection.
The tools and test environment
The test environment brings together a Kali Linux (2022.4 release) virtual machine (to run Volatility 3) and a Windows 10 virtual machine. The following tools are installed on the Windows 10 machine:
a) The Sysinternals Suite, for tools such as procexp, autoruns, procmon, and sigcheck
b) FTK Imager (version 4.5.0.3)
c) x64dbg (to trace some function calls made by LB3.exe)
d) Ghidra (to disassemble and analyze the LB3.exe code)
The Windows 10 infection stages and snapshots
In this forensic analysis, the Windows 10 virtual machine (running on VMware Workstation 16) was infected twice. The first infection is called infected1 and the second infected2, as shown in Figure 1. Every phase of the test environment is preserved in a snapshot created for that stage. In both cases, the LB3.exe file was generated by the Builder.bat file and executed at the corresponding infection stage.
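Because each stage is preserved as a snapshot, one quick way to narrow the search in Volatility 3 is to diff the process list of a clean snapshot against an infected one. The script below is an added example, not code from the author or the Volatility project: it parses `windows.pslist` output produced with Volatility 3's `-r csv` renderer (the column names are assumed to match the header shown) and reports processes that exist only in the infected image, together with their parent. The sample rows are constructed for illustration and are not taken from the author's captures.

```python
import csv
import io
from typing import Dict, List, Tuple

# Constructed sample of `vol.py -r csv -f <image> windows.pslist` output.
# Values are illustrative; they are not from the author's memory images.
CLEAN_PSLIST = """\
TreeDepth,PID,PPID,ImageFileName,Offset(V),Threads,Handles,SessionId,Wow64,CreateTime,ExitTime,File output
0,4,0,System,0xffff8d0a1c070040,150,-,N/A,False,2023-10-01 10:00:00.000000 ,N/A,Disabled
0,600,4,explorer.exe,0xffff8d0a1e2a0080,45,-,1,False,2023-10-01 10:01:10.000000 ,N/A,Disabled
"""
INFECTED1_PSLIST = """\
TreeDepth,PID,PPID,ImageFileName,Offset(V),Threads,Handles,SessionId,Wow64,CreateTime,ExitTime,File output
0,4,0,System,0xffff8d0a1c070040,150,-,N/A,False,2023-10-01 10:00:00.000000 ,N/A,Disabled
0,600,4,explorer.exe,0xffff8d0a1e2a0080,45,-,1,False,2023-10-01 10:01:10.000000 ,N/A,Disabled
0,4120,600,LB3.exe,0xffff8d0a21b30080,12,-,1,False,2023-10-01 10:15:02.000000 ,N/A,Disabled
0,4188,4120,cmd.exe,0xffff8d0a21c40080,1,-,1,False,2023-10-01 10:15:03.000000 ,N/A,Disabled
"""

def parse_pslist(csv_text: str) -> Dict[Tuple[str, str], dict]:
    """Key each process by (PID, CreateTime) so that a PID reused after a
    reboot or process exit is not mistaken for the same process."""
    rows = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        rows[(row["PID"], row["CreateTime"].strip())] = row
    return rows

def new_processes(clean_csv: str, infected_csv: str) -> List[dict]:
    """Return processes present in the infected snapshot but absent from the
    clean one, annotated with the parent's image name (or <exited> if the
    parent no longer appears in the list)."""
    clean = parse_pslist(clean_csv)
    infected = parse_pslist(infected_csv)
    by_pid = {r["PID"]: r["ImageFileName"] for r in infected.values()}
    found = []
    for key, row in infected.items():
        if key in clean:
            continue
        found.append({
            "pid": int(row["PID"]),
            "name": row["ImageFileName"],
            "ppid": int(row["PPID"]),
            "parent": by_pid.get(row["PPID"], "<exited>"),
            "created": row["CreateTime"].strip(),
        })
    return sorted(found, key=lambda r: r["created"])

if __name__ == "__main__":
    for p in new_processes(CLEAN_PSLIST, INFECTED1_PSLIST):
        print(f"{p['pid']:>6} {p['name']:<14} spawned by {p['parent']} (PID {p['ppid']})")
```

Run the real `windows.pslist` for each snapshot with `-r csv`, save the output, and feed the two files to `new_processes`; the same key (PID plus creation time) can then be used to pull the matching `windows.pstree` or `windows.cmdline` rows for the processes that appeared.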
Author

- Paulo Pereira is an independent malware analyst, cyber security professional, and EXIN instructor.