Hello, today we analyze Black Energy malware. You can read here about Black Energy. You can download the lab file here. The file is a memory image of a Windows system. Let's move on. Strike while the iron is hot.
Password of the zip file: cyberdefenders.org
I unzipped the file using the command below.
7z x 99-BlackEnergy.zip
I use Volatility for this. You can download Volatility 3 here. First we look at the output of windows.info, which reports basic facts about the image, using the command below.
./vol.py -f CYBERDEF-567078-20230213-171333.raw windows.info
The output shows some information about the image, such as whether it is 32- or 64-bit, the kernel build and the system time at capture.
Next we run the windows.pslist plugin, which walks the kernel's process list and prints every process in the memory image, whether still running or already exited. The command is below:
./vol.py -f CYBERDEF-567078-20230213-171333.raw windows.pslist
Two entries stand out, rootkit.exe and cmd.exe, but both are terminated processes: their Threads column reads 0, and Volatility 3 also prints an ExitTime for them. A process with no threads has nothing left to execute, so neither was running when the image was captured and we can set them aside for now, keeping in mind that a process named rootkit.exe having run at all is a lead for the later steps. Beyond that we haven't seen anything yet…
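As an added example, not part of the original writeup and not code from Volatility: a small Python script that reads the text windows.pslist prints and separates exited processes (zero threads, ExitTime set) from running ones, so the check above can be applied to every row at once rather than by eye. It also looks up each exited process's parent, since pslist still records who started a process after it has exited. The process list it parses is constructed for the example; its PIDs, offsets, parent relationships and timestamps are made up and are not values from the lab image.

```python
"""Triage helper for the text that `windows.pslist` prints.

Added example for this writeup, not code from the original post and not part
of Volatility. It parses the tab-separated table produced by
    ./vol.py -f <image> windows.pslist
and separates processes that were still running when the image was taken
from those that had already exited (Threads == 0 and an ExitTime present).
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample in the layout Volatility 3 uses (one tab between columns).
# Every PID, offset, parent link and timestamp below is made up for the
# example; none of them are values taken from the BlackEnergy lab image.
_SAMPLE_ROWS = [
    ["PID", "PPID", "ImageFileName", "Offset(V)", "Threads", "Handles",
     "SessionId", "Wow64", "CreateTime", "ExitTime", "File output"],
    [],
    ["4", "0", "System", "0x823c8830", "56", "254", "N/A", "False",
     "N/A", "N/A", "Disabled"],
    ["368", "4", "smss.exe", "0x82169020", "3", "19", "N/A", "False",
     "2023-02-13 17:07:56.000000 ", "N/A", "Disabled"],
    ["1540", "1496", "explorer.exe", "0x81f61da0", "11", "342", "0", "False",
     "2023-02-13 17:08:20.000000 ", "N/A", "Disabled"],
    ["964", "1540", "rootkit.exe", "0x81e0b020", "0", "-", "0", "False",
     "2023-02-13 17:11:33.000000 ", "2023-02-13 17:11:35.000000 ", "Disabled"],
    ["1212", "964", "cmd.exe", "0x81d9c3a8", "0", "-", "0", "False",
     "2023-02-13 17:11:34.000000 ", "2023-02-13 17:11:40.000000 ", "Disabled"],
]
SAMPLE_PSLIST = (
    "Volatility 3 Framework 2.5.0\n"
    "Progress:  100.00\t\tPDB scanning finished\n"
    + "\n".join("\t".join(row) for row in _SAMPLE_ROWS)
    + "\n"
)


@dataclass(frozen=True)
class Process:
    pid: int
    ppid: int
    name: str
    offset: int
    threads: int
    handles: int | None      # None when the column is not a number (e.g. "-")
    create_time: str | None  # None when the column reads N/A
    exit_time: str | None

    @property
    def exited(self) -> bool:
        """Zero threads means nothing is left to run; the process object
        still appears in pslist until the kernel frees it."""
        return self.threads == 0 or self.exit_time is not None


def _int_or_none(text: str) -> int | None:
    text = text.strip()
    return int(text) if text.isdigit() else None


def _value_or_none(text: str) -> str | None:
    text = text.strip()
    return None if text in ("", "N/A", "-") else text


def parse_pslist(output: str) -> list[Process]:
    """Parse windows.pslist text output into Process records."""
    header: list[str] | None = None
    processes: list[Process] = []
    for line in output.splitlines():
        cols = [c.strip() for c in line.split("\t")]
        if header is None:
            if cols[0] == "PID":      # everything before the header is banner text
                header = cols
            continue
        if len(cols) < len(header) or not cols[0].isdigit():
            continue                  # blank line or other non-row text
        row = dict(zip(header, cols))
        processes.append(Process(
            pid=int(row["PID"]),
            ppid=int(row["PPID"]),
            name=row["ImageFileName"],
            offset=int(row["Offset(V)"], 16),
            threads=_int_or_none(row["Threads"]) or 0,
            handles=_int_or_none(row["Handles"]),
            create_time=_value_or_none(row["CreateTime"]),
            exit_time=_value_or_none(row["ExitTime"]),
        ))
    return processes


def split_by_state(processes: list[Process]) -> tuple[list[Process], list[Process]]:
    """Return (running, exited) so the exited ones can be set aside for now."""
    running = [p for p in processes if not p.exited]
    exited = [p for p in processes if p.exited]
    return running, exited


def parent_name(processes: list[Process], proc: Process) -> str | None:
    """Name of proc's parent, or None if the parent is not in the list."""
    by_pid = {p.pid: p for p in processes}
    parent = by_pid.get(proc.ppid)
    return parent.name if parent else None


if __name__ == "__main__":
    procs = parse_pslist(SAMPLE_PSLIST)
    running, exited = split_by_state(procs)
    print(f"{len(running)} running, {len(exited)} exited")
    for p in exited:
        # Exited processes are not running code now, but who started them
        # and when they ran is still evidence worth keeping.
        print(f"  exited: {p.name} (pid {p.pid}, parent {parent_name(procs, p)}, "
              f"ran {p.create_time} -> {p.exit_time})")
```

To use it on the real image, capture the plugin output with `./vol.py -f CYBERDEF-567078-20230213-171333.raw windows.pslist > pslist.txt` and pass the file contents to `parse_pslist` instead of the constructed sample; the parser keys on the header row, so the banner and progress lines Volatility prints before it are ignored.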