This repository documents a step-by-step memory forensics workflow for a WannaCry ransomware infection on Windows, using the Volatility Framework. It focuses on extracting artifacts, identifying persistence, analyzing registry and network activity, dumping suspicious files, and collecting indicators of compromise (IOCs) from an infected system's memory image.
Read the full walkthrough → Memory Analysis using Volatility
The walkthrough covers:

- Extract process lists and suspicious executables
- Identify WannaCry-specific mutexes and registry artifacts
- Analyze network activity (IPs, connections, and .onion domains)
- Dump and inspect malware-related files from memory
- Search for Bitcoin wallet addresses and ransom note traces
- Detect persistence mechanisms and execution flow
- Extract memory artifacts for downstream DFIR analysis
Tools used:

- Volatility 2.6.1 (memory forensics framework; the `--profile` must match the image)
- Python 2.7 (required for Volatility 2.x; a dedicated virtualenv keeps it separate from the system Python 3)
- grep, strings, awk (filtering plugin output and string dumps)
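The steps above end in text output from Volatility plugins and from `strings`, which is then filtered with grep and awk. The script below is an added example, not code from the walkthrough or the repository: it pulls Bitcoin-looking addresses and v2 `.onion` hosts out of a strings dump and reconstructs the descendants of a process from `vol.py pslist` output, which is the "execution flow" part of the analysis. The regexes and the sample data are constructed for the example (the address and hostname formats are assumptions about public syntax, and the process names are made up), so it runs without a memory image.

```bash
#!/usr/bin/env bash
# Added example, not part of the walkthrough: post-process Volatility 2 text
# output and a `strings` dump with grep/awk to pull WannaCry-style IOCs
# (Bitcoin addresses, .onion hosts) and to reconstruct a process subtree from
# `vol.py pslist`. All sample data is constructed here; no memory image needed.
#
# The real inputs would come from commands like (PROFILE from
# `vol.py -f mem.raw imageinfo`, e.g. Win7SP1x64):
#   vol.py -f mem.raw --profile=$PROFILE pslist     > pslist.txt
#   vol.py -f mem.raw --profile=$PROFILE netscan    > netscan.txt   # Vista+; connscan on XP/2003
#   vol.py -f mem.raw --profile=$PROFILE mutantscan > mutantscan.txt
#   strings -a mem.raw > strings.txt; strings -a -el mem.raw >> strings.txt  # ASCII + UTF-16LE
set -eu

# IOC formats are assumptions about public address/hostname syntax, not values
# from the walkthrough: a legacy Bitcoin address is 26-35 base58 characters
# starting with 1 or 3; a v2 .onion host (the kind WannaCry-era samples used)
# is exactly 16 base32 characters before ".onion".
BTC_RE='[13][a-km-zA-HJ-NP-Z1-9]{25,34}'
ONION_RE='[a-z2-7]{16}\.onion'

# Unique Bitcoin-looking tokens in a strings dump, one per line.
# -w keeps whole tokens only, so a longer alphanumeric blob does not match.
extract_btc() {
    grep -owE "$BTC_RE" "$1" | sort -u
}

# Unique v2 .onion hostnames in a strings dump.
extract_onion() {
    grep -owE "$ONION_RE" "$1" | sort -u
}

# All descendants (children, grandchildren, ...) of a PID in `pslist` output,
# printed as "PID NAME" sorted by PID. Columns 2-4 of a data row are Name, PID,
# PPID; the header and separator rows have non-numeric PID/PPID and are skipped.
descendants() {
    awk -v root="$2" '
        $3 ~ /^[0-9]+$/ && $4 ~ /^[0-9]+$/ { name[$3] = $2; ppid[$3] = $4 }
        END {
            seen[root] = 1
            changed = 1
            while (changed) {
                changed = 0
                for (p in ppid)
                    if (!(p in seen) && (ppid[p] in seen)) { seen[p] = 1; changed = 1 }
            }
            for (p in seen) if (p != root) print p, name[p]
        }' "$1" | sort -n
}

# Constructed strings dump resembling ransom-note and Tor artifacts.
write_sample_strings() {
    cat > "$1" <<'EOF'
Ooops, your files have been encrypted!
Send $300 worth of bitcoin to this address:
13AbCdEfGhJkMnPqRsTuVwXyZ2345678
13AbCdEfGhJkMnPqRsTuVwXyZ2345678
http://abcdefghijk23456.onion/
example.onion is not a valid v2 host
30000000000000000000000000000 is not base58 (contains 0)
EOF
}

# Constructed `vol.py pslist` output (made-up process names, not WannaCry's).
write_sample_pslist() {
    cat > "$1" <<'EOF'
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x86b0d020 System                    4      0     49      229 ------      0 2017-05-12 09:00:00 UTC+0000
0x86f2b8c0 explorer.exe           1234    800     20      600      1      0 2017-05-12 09:01:00 UTC+0000
0x86f3c030 dropper.exe            2001   1234      3       80      1      0 2017-05-12 09:05:00 UTC+0000
0x86f4d4a0 payload.exe            2010   2001      1       40      1      0 2017-05-12 09:05:10 UTC+0000
0x86f5e910 cmd.exe                2020   2010      2       30      1      0 2017-05-12 09:05:20 UTC+0000
0x86f6fa10 notepad.exe            2030   1234      1       25      1      0 2017-05-12 09:06:00 UTC+0000
EOF
}

# Run the three extractors over the constructed data: `./iocs.sh demo`.
demo() {
    local dir
    dir=$(mktemp -d)
    write_sample_strings "$dir/strings.txt"
    write_sample_pslist "$dir/pslist.txt"
    echo "[bitcoin]";          extract_btc "$dir/strings.txt"
    echo "[onion]";            extract_onion "$dir/strings.txt"
    echo "[descendants 2001]"; descendants "$dir/pslist.txt" 2001
    rm -rf "$dir"
}
if [ "${1:-}" = demo ]; then demo; fi
```

On a real image, point the functions at the saved plugin output instead of the sample writers, and treat every hit as a lead to confirm against `pstree`, `handles` and `dumpfiles` rather than as a verdict: a base58-shaped token in memory is not necessarily a wallet, and a duplicated address (as in the sample) usually just means the ransom note was mapped more than once.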
Repository contents:

- Memory Analysis using Memory Analysis using Volatility.md — Detailed step-by-step analysis
- images/ — Supporting screenshots and figures (if applicable)
Notes:

- Volatility 2.x requires Python 2.7.
- Profile selection (Win7/Win10, x86/x64) depends on the target image: identify it with `vol.py -f <image> imageinfo` (or `kdbgscan` if imageinfo is ambiguous) and pass it with `--profile`. Plugin choice follows the profile too; for example, `netscan` covers Vista and later, while `connscan` and `connections` apply only to XP/2003 images.
- Use an isolated analysis environment: files dumped from memory may be live malware, so keep the VM off the production network.
This project is for educational and defensive DFIR purposes only. Handle malware samples and extracted artifacts responsibly in a safe, isolated environment.