Objective: Perform memory forensics on a Windows memory dump to identify a suspicious executable running in memory, determine its characteristics, extract indicators of compromise (IOC), and analyze ransomware behavior.
Malware Family: DarkHav0c (ransomware variant)
Execution Context: Masqueraded as SpotifySetup.exe (likely a trojanized installer dropped in the user's Downloads folder)
Key Behaviors:
- Runs directly from the user's Downloads folder (not Program Files)
- Child process of explorer.exe
- Encrypts files with the .Hav0c extension
- Attempts C2 communication to a suspicious IP/port
Tools Used:
- Volatility (memory analysis framework)
- ExifTool (for dumping/analyzing embedded data in memory artifacts)
- Filescan, pslist/pstree, netscan plugins (Volatility)
- Basic terminal commands for output redirection
Process Analysis:
- Used Volatility's pslist or pstree plugin to enumerate running processes.
- Identified SpotifySetup.exe as suspicious because it was:
  - Running as a child of explorer.exe (common for malware that injects into or is dropped from explorer)
  - Not in the expected Program Files path, which is typical of droppers/trojans that execute payloads immediately without a full installation.
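The two triage checks above (parent is explorer.exe, image path outside Program Files) can be applied mechanically to plugin output rather than by eye. The following Python is an added example, not part of the original writeup and not Volatility's own code: it parses constructed, tab-separated text approximating Volatility 3's `windows.pslist` and `windows.cmdline` output, joins the two on PID, and flags any process that matches both checks. It generalises the "not in Program Files" check to "runs from a user-writable directory" (Downloads, Desktop, Temp); that regex, the System/explorer/OneDrive filler rows and the tool invocations in the comments are assumptions, and only the SpotifySetup.exe row reflects values from the writeup.

```python
import re
from collections import namedtuple

# Constructed sample text approximating the tab-separated output of
# `vol -f mem.raw windows.pslist` (only the columns used here are kept).
# Only the SpotifySetup.exe row reflects values from the writeup; the other
# rows are assumed filler so the heuristic has something to ignore.
PSLIST_SAMPLE = """\
PID\tPPID\tImageFileName\tCreateTime
4\t0\tSystem\t2025-02-24 09:58:01.000000
4412\t4380\texplorer.exe\t2025-02-24 09:59:12.000000
5120\t4412\tOneDrive.exe\t2025-02-24 09:59:40.000000
6816\t4412\tSpotifySetup.exe\t2025-02-24 10:51:16.000000
"""

# Constructed sample approximating `windows.cmdline`, which supplies the
# image path that pslist does not show. Same provenance caveat as above.
CMDLINE_SAMPLE = """\
PID\tProcess\tArgs
4412\texplorer.exe\tC:\\Windows\\Explorer.EXE
5120\tOneDrive.exe\t"C:\\Users\\Zifrana\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background
6816\tSpotifySetup.exe\tC:\\Users\\Zifrana\\Downloads\\SpotifySetup.exe
"""

Process = namedtuple("Process", "pid ppid name create_time path")

# Assumed list of user-writable directories from which a freshly created
# executable deserves a second look; extend it to fit the environment.
USER_WRITABLE = re.compile(
    r'^"?[A-Za-z]:\\Users\\[^\\]+\\(Downloads|Desktop|AppData\\Local\\Temp)\\', re.I)


def parse_tsv(text):
    """Turn tab-separated plugin output into a list of {column: value} dicts."""
    rows = [line for line in text.splitlines() if line.strip()]
    header = rows[0].split("\t")
    return [dict(zip(header, row.split("\t"))) for row in rows[1:]]


def load_processes(pslist_text, cmdline_text):
    """Join pslist rows with cmdline rows on PID to get name, parent and path."""
    paths = {int(r["PID"]): r["Args"] for r in parse_tsv(cmdline_text)}
    return [
        Process(int(r["PID"]), int(r["PPID"]), r["ImageFileName"],
                r["CreateTime"], paths.get(int(r["PID"]), ""))
        for r in parse_tsv(pslist_text)
    ]


def triage(processes):
    """Return (pid, name, path, create_time, reasons) for every process that
    is both a child of explorer.exe and running from a user-writable path."""
    by_pid = {p.pid: p for p in processes}
    findings = []
    for p in processes:
        reasons = []
        parent = by_pid.get(p.ppid)
        if parent is not None and parent.name.lower() == "explorer.exe":
            reasons.append("child of explorer.exe (user-launched or explorer-spawned)")
        if USER_WRITABLE.match(p.path):
            reasons.append("image runs from a user-writable directory, not Program Files")
        if len(reasons) == 2:
            findings.append((p.pid, p.name, p.path.strip('"'), p.create_time, reasons))
    return findings


if __name__ == "__main__":
    for pid, name, path, created, reasons in triage(load_processes(PSLIST_SAMPLE, CMDLINE_SAMPLE)):
        print(f"PID {pid} {name} created {created}\n  path: {path}")
        for reason in reasons:
            print(f"  - {reason}")
```

Requiring both conditions keeps ordinary explorer-launched software such as the OneDrive row out of the result; on a real dump, feed the script the plugin output redirected to files and review anything it flags against the process's creation time and parent chain, exactly as done by hand above.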
Key Findings:
- Process Name: SpotifySetup.exe (masqueraded legitimate app)
- Internal/Malware Name: DarkHav0c
- Full Path: C:\Users\Zifrana\Downloads\SpotifySetup.exe
- PID: 6816
- Execution Time: 2025-02-24 10:51:16
Process Dump Analysis:
- Created a memory dump of PID 6816.
- Loaded the dump into ExifTool (the tool used may have been an ExifTool variant) to inspect embedded metadata and sections.
- This revealed additional details about the payload (e.g., custom tag names or binary sections containing executable data).
File Scan:
- Ran the Volatility filescan plugin to scan for file objects in memory.
- Identified encrypted files using the custom extension .Hav0c.
This is a strong IOC: searching disk or memory for files ending in .Hav0c would confirm the scope of the infection.
Network Analysis:
- Used the Volatility netscan or connscan plugin to enumerate network connections from the infected process/memory.
- Discovered an attempted outbound connection to:
  - IP: 104.152.52.238
  - Port: 6548
This IP/port is likely the ransomware's command-and-control (C2) server, used for exfiltration, key retrieval, or status reporting.
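The file-scan and network steps above both reduce to filtering plugin output for a marker: the .Hav0c extension in filescan names, and a non-listening remote endpoint owned by PID 6816 in netscan. The Python below is an added example, not from the original writeup and not Volatility's own code, that does both over constructed, tab-separated text approximating `windows.filescan` and `windows.netscan` output, then folds the results into a small IOC report that also counts encrypted files per directory to gauge infection scope. The .Hav0c extension, PID 6816 and the 104.152.52.238:6548 endpoint come from the writeup; the file names, offsets, the OneDrive.exe connection to an RFC 5737 test address, the svchost.exe listener and the plugin invocations named in comments are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample approximating the tab-separated output of
# `vol -f mem.raw windows.filescan` (Offset, Name, Size). Only the .Hav0c
# extension comes from the writeup; names, offsets and sizes are assumed.
FILESCAN_SAMPLE = """\
Offset\tName\tSize
0xe0000a1b2c30\t\\Users\\Zifrana\\Documents\\budget.xlsx.Hav0c\t216
0xe0000a1b2d40\t\\Users\\Zifrana\\Documents\\notes.txt.Hav0c\t216
0xe0000a1b2e50\t\\Users\\Zifrana\\Pictures\\holiday.jpg.Hav0c\t216
0xe0000a1b2f60\t\\Windows\\System32\\ntdll.dll\t216
0xe0000a1b3070\t\\Users\\Zifrana\\Documents\\notes.txt\t216
"""

# Constructed sample approximating `windows.netscan`. The 104.152.52.238:6548
# row owned by PID 6816 reflects the writeup; the OneDrive.exe row (RFC 5737
# test address) and the svchost.exe listener are assumed noise.
NETSCAN_SAMPLE = """\
Offset\tProto\tLocalAddr\tLocalPort\tForeignAddr\tForeignPort\tState\tPID\tOwner\tCreated
0xe0000b000100\tTCPv4\t192.168.1.20\t49812\t104.152.52.238\t6548\tSYN_SENT\t6816\tSpotifySetup.exe\t2025-02-24 10:51:18.000000
0xe0000b000200\tTCPv4\t192.168.1.20\t49700\t203.0.113.5\t443\tESTABLISHED\t5120\tOneDrive.exe\t2025-02-24 10:00:02.000000
0xe0000b000300\tTCPv4\t0.0.0.0\t135\t0.0.0.0\t0\tLISTENING\t900\tsvchost.exe\t2025-02-24 09:58:05.000000
"""


def parse_tsv(text):
    """Turn tab-separated plugin output into a list of {column: value} dicts."""
    rows = [line for line in text.splitlines() if line.strip()]
    header = rows[0].split("\t")
    return [dict(zip(header, row.split("\t"))) for row in rows[1:]]


def find_encrypted_files(filescan_text, marker_ext=".Hav0c"):
    """Sorted, de-duplicated file object names carrying the ransomware
    extension. Case-insensitive, since NTFS preserves but ignores case."""
    names = {r["Name"] for r in parse_tsv(filescan_text)
             if r["Name"].lower().endswith(marker_ext.lower())}
    return sorted(names)


def infection_scope(encrypted_paths):
    """Count encrypted files per directory to show how far encryption got."""
    return Counter(p.rsplit("\\", 1)[0] for p in encrypted_paths)


def find_c2_candidates(netscan_text, pid):
    """(foreign_addr, foreign_port, state) for every non-listening remote
    endpoint owned by the given PID, skipping wildcard and loopback peers."""
    out = []
    for r in parse_tsv(netscan_text):
        if int(r["PID"]) != pid or r["State"] == "LISTENING":
            continue
        addr = r["ForeignAddr"]
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # "*" or another placeholder: nothing to report
        if ip.is_unspecified or ip.is_loopback:
            continue
        out.append((addr, int(r["ForeignPort"]), r["State"]))
    return out


def build_ioc_report(filescan_text, netscan_text, pid, marker_ext=".Hav0c"):
    """Combine both scans into the kind of IOC summary the writeup tabulates."""
    encrypted = find_encrypted_files(filescan_text, marker_ext)
    return {
        "encryption_ext": marker_ext,
        "encrypted_file_count": len(encrypted),
        "affected_dirs": dict(infection_scope(encrypted)),
        "c2": [f"{addr}:{port}" for addr, port, _ in find_c2_candidates(netscan_text, pid)],
    }


if __name__ == "__main__":
    for key, value in build_ioc_report(FILESCAN_SAMPLE, NETSCAN_SAMPLE, 6816).items():
        print(f"{key}: {value}")
```

The SYN_SENT state in the constructed row is deliberate: an attempted connection that never completed still appears in netscan and is exactly the "outbound connection attempt" recorded in the findings, so the filter keys on ownership and a routable peer rather than on an ESTABLISHED state.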
IOC Summary:
| Category | Value | Notes |
|---|---|---|
| File Name | SpotifySetup.exe | Masqueraded dropper |
| Malware Name | DarkHav0c | Internal name from analysis |
| Full Path | C:\Users\Zifrana\Downloads\SpotifySetup.exe | Non-standard install location |
| PID | 6816 | At time of dump |
| Execution Time | 2025-02-24 10:51:16 | From process creation time |
| Encryption Ext | .Hav0c | Ransomware marker |
| C2 IP:Port | 104.152.52.238:6548 | Outbound connection attempt |
Mitigations:
- Avoid executing installers directly from Downloads; verify sources and use sandboxing.
- Monitor for child processes of explorer.exe spawning unusual binaries.
- Block suspicious IPs/ports at firewall level.
- Enable EDR/memory forensics for rapid ransomware detection.
- User awareness: Fake "setup" files (e.g., Spotify) are common phishing vectors.
This challenge demonstrates the classic memory forensics workflow for identifying fileless and in-memory malware threats and extracting ransomware IOCs.
Tools & References:
- Volatility 3 Documentation: https://volatility3.readthedocs.io/
- ExifTool: https://exiftool.org/
- General ransomware analysis techniques (similar to samples in CTFs like Huntress, CyberDefenders)