Windows Memory Dump Analysis With Volatility



 

Memory forensics deals basically with the recovery and analysis of data from areas of a system's memory (such as RAM and virtual memory)  that is lost when a system is powered down or overwritten by other running processes.

Why are investigators looking into this untapped areas of forensic data? 

The main reason is that typically systems collected for forensic analysis are powered down for onward movement to a forensic laboratory where they will be analysed. When shutting these system down, the volatile memory areas are lost and irrecoverable. But if one can analyse the data in a live state, it has been determined that investigators could gain a greater picture of the run time state of the system as at when it was acquired. This run time state can give an examiner an idea of the system's network connections, the encryption keys being used by the user on the system, access to decrypted data, access to running processes and their utilization, as well as any possible modified applications that could be running within these memory areas. This can be very useful in the investigative procedures that follows afterwards.

Before proceeding with the rest of the post, the reader is encouraged to view some concepts to understand before delving into memory forensics. Also there is a poster by SANS that the reader is encouraged to download for keeps as it will greatly aid the understanding of the remaining part of this post.


Windows Processes Genealogy

The Windows operating system contains a lot of system processes that are present every time we boot our computers. These processes are responsible for a lot of things - from initialization and creating the user interface to loading the necessary drivers and DLLs. It is mandatory for forensic investigators to know what is the normal behaviour of these processes in order to have a 'baseline' useful to make a 'difference' with a compromised system.


I will also like to refer the reader to a popular SANS poster that treats this subject extensively. Richard Davies of 13 cubed made the SANS poster easier to comprehend with his own version which can be downloaded here. These two should always be your reference materials when analysing Windows process relationships.



Windows Memory Analysis With Volatility

The Volatility Framework is an open source toolkit, so it's cross-platform, which means that you can use any operating system family you want - Windows, Linux, or mac OS. Of course, you can build these tools from source, but there are also so-called standalone executables for all the operating systems mentioned.

As this post  is about Windows memory forensics, we are going to use the Windows Standalone Executable. At the time of writing, the most recent version of Volatility is 2.6. With this version, support for Windows 10 (including 14393.447) improved, also support for Windows Server 2016, mac OS Sierra 10.12, and Linux with KASLR kernels was added.

To download the collection of tools, go to the Volatility Framework website and use the Releases tab to choose the most recent version, in our case 2.6. Now, all you need is to unzip volatility_2.6_win64_standalone.zip which you've just downloaded, and you are ready to go.

Volatility plugins like pslist, pstree, psxview, dlllist, ldrmodules, hollowfind, getsids, handles and many others rely on a few key process related data structures like EPROCESS, Process Environment Block (PEB), Virtual Address Descriptor (VAD) etc. These volatility modules parse these structures and substructures within them and presents the examiner a beautiful tabular view for analysis.

In the table below, a few volatility modules have been mapped against the relevant process related data structures. This list is no way near comprehensive, it is just to highlight the mapping between volatility plugins and the data structures.



Selecting A Profile

For performing analysis using Volatility we need to first set a profile to tell Volatility what operating system the dump came from, such as Windows 10, XP, Vista, Linux flavors, etc. To do this, we will utilize the imageinfo plugin

volatility_2.6_win64_standalone -f C:\Users\JOSEPH\Documents\cridex_memdump\cridex.vmem imageinfo

The output is given below

C:\Users\JOSEPH\Documents\volatility_2.6_win64_standalone\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone -f C:\Users\JOSEPH\Documents\cridex_memdump\cridex.vmem imageinfo
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace (C:\Users\JOSEPH\Documents\cridex_memdump\cridex.vmem)
                      PAE type : PAE
                           DTB : 0x2fe000L
                          KDBG : 0x80545ae0L
          Number of Processors : 1
     Image Type (Service Pack) : 3
                KPCR for CPU 0 : 0xffdff000L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2012-07-22 02:45:08 UTC+0000
     Image local date and time : 2012-07-21 22:45:08 -0400

The imageinfo plugin returned two suggested profiles - WinXPSP2x86 or WinXPSP3x86. Let us select WinXPSP2x86 if we do not specifically set a profile.

To get a list of available profiles in volatility, enter the following command

volatility_2.6_win64_standalone --info

The output is given below

C:\Users\JOSEPH\Documents\volatility_2.6_win64_standalone\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone --info
Volatility Foundation Volatility Framework 2.6


Profiles
--------
VistaSP0x64           - A Profile for Windows Vista SP0 x64
VistaSP0x86           - A Profile for Windows Vista SP0 x86
VistaSP1x64           - A Profile for Windows Vista SP1 x64
VistaSP1x86           - A Profile for Windows Vista SP1 x86
VistaSP2x64           - A Profile for Windows Vista SP2 x64
VistaSP2x86           - A Profile for Windows Vista SP2 x86
Win10x64              - A Profile for Windows 10 x64
Win10x64_10586        - A Profile for Windows 10 x64 (10.0.10586.306 / 2016-04-23)
Win10x64_14393        - A Profile for Windows 10 x64 (10.0.14393.0 / 2016-07-16)
Win10x86              - A Profile for Windows 10 x86
Win10x86_10586        - A Profile for Windows 10 x86 (10.0.10586.420 / 2016-05-28)
Win10x86_14393        - A Profile for Windows 10 x86 (10.0.14393.0 / 2016-07-16)
Win2003SP0x86         - A Profile for Windows 2003 SP0 x86
Win2003SP1x64         - A Profile for Windows 2003 SP1 x64
Win2003SP1x86         - A Profile for Windows 2003 SP1 x86
Win2003SP2x64         - A Profile for Windows 2003 SP2 x64
Win2003SP2x86         - A Profile for Windows 2003 SP2 x86
Win2008R2SP0x64       - A Profile for Windows 2008 R2 SP0 x64
Win2008R2SP1x64       - A Profile for Windows 2008 R2 SP1 x64
Win2008R2SP1x64_23418 - A Profile for Windows 2008 R2 SP1 x64 (6.1.7601.23418 / 2016-04-09)
Win2008SP1x64         - A Profile for Windows 2008 SP1 x64
Win2008SP1x86         - A Profile for Windows 2008 SP1 x86
Win2008SP2x64         - A Profile for Windows 2008 SP2 x64
Win2008SP2x86         - A Profile for Windows 2008 SP2 x86
Win2012R2x64          - A Profile for Windows Server 2012 R2 x64
Win2012R2x64_18340    - A Profile for Windows Server 2012 R2 x64 (6.3.9600.18340 / 2016-05-13)
Win2012x64            - A Profile for Windows Server 2012 x64
Win2016x64_14393      - A Profile for Windows Server 2016 x64 (10.0.14393.0 / 2016-07-16)
Win7SP0x64            - A Profile for Windows 7 SP0 x64
Win7SP0x86            - A Profile for Windows 7 SP0 x86
Win7SP1x64            - A Profile for Windows 7 SP1 x64
Win7SP1x64_23418      - A Profile for Windows 7 SP1 x64 (6.1.7601.23418 / 2016-04-09)
Win7SP1x86            - A Profile for Windows 7 SP1 x86
Win7SP1x86_23418      - A Profile for Windows 7 SP1 x86 (6.1.7601.23418 / 2016-04-09)
Win81U1x64            - A Profile for Windows 8.1 Update 1 x64
Win81U1x86            - A Profile for Windows 8.1 Update 1 x86
Win8SP0x64            - A Profile for Windows 8 x64
Win8SP0x86            - A Profile for Windows 8 x86
Win8SP1x64            - A Profile for Windows 8.1 x64
Win8SP1x64_18340      - A Profile for Windows 8.1 x64 (6.3.9600.18340 / 2016-05-13)
Win8SP1x86            - A Profile for Windows 8.1 x86
WinXPSP1x64           - A Profile for Windows XP SP1 x64
WinXPSP2x64           - A Profile for Windows XP SP2 x64
WinXPSP2x86           - A Profile for Windows XP SP2 x86
WinXPSP3x86           - A Profile for Windows XP SP3 x86  

View Running Processes

Now that we have the correct profile, we can use it as a switch to collect information about the processes running on the infected machine. To do this, we can use the pslist plugin:

volatility_2.6_win64_standalone -f C:\Users\JOSEPH\Documents\cridex_memdump\cridex.vmem --profile=WinXPSP2x86 pslist

The output is given below


C:\Users\JOSEPH\Documents\volatility_2.6_win64_standalone\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone -f C:\Users\JOSEPH\Documents\cridex_memdump\cridex.vmem --profile=WinXPSP2x86 pslist
Volatility Foundation Volatility Framework 2.6
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit         
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c89c8 System                    4      0     53      240 ------      0                                             
0x822f1020 smss.exe                368      4      3       19 ------      0 2012-07-22 02:42:31 UTC+0000                
0x822a0598 csrss.exe               584    368      9      326      0      0 2012-07-22 02:42:32 UTC+0000                
0x82298700 winlogon.exe            608    368     23      519      0      0 2012-07-22 02:42:32 UTC+0000                
0x81e2ab28 services.exe            652    608     16      243      0      0 2012-07-22 02:42:32 UTC+0000                
0x81e2a3b8 lsass.exe               664    608     24      330      0      0 2012-07-22 02:42:32 UTC+0000                
0x82311360 svchost.exe             824    652     20      194      0      0 2012-07-22 02:42:33 UTC+0000                
0x81e29ab8 svchost.exe             908    652      9      226      0      0 2012-07-22 02:42:33 UTC+0000                
0x823001d0 svchost.exe            1004    652     64     1118      0      0 2012-07-22 02:42:33 UTC+0000                
0x821dfda0 svchost.exe            1056    652      5       60      0      0 2012-07-22 02:42:33 UTC+0000                
0x82295650 svchost.exe            1220    652     15      197      0      0 2012-07-22 02:42:35 UTC+0000                
0x821dea70 explorer.exe           1484   1464     17      415      0      0 2012-07-22 02:42:36 UTC+0000                
0x81eb17b8 spoolsv.exe            1512    652     14      113      0      0 2012-07-22 02:42:36 UTC+0000                
0x81e7bda0 reader_sl.exe          1640   1484      5       39      0      0 2012-07-22 02:42:36 UTC+0000                
0x820e8da0 alg.exe                 788    652      7      104      0      0 2012-07-22 02:43:01 UTC+0000                
0x821fcda0 wuauclt.exe            1136   1004      8      173      0      0 2012-07-22 02:43:46 UTC+0000                
0x8205bda0 wuauclt.exe            1588   1004      5      132      0      0 2012-07-22 02:44:01 UTC+0000                    


From the application list above we can see that there is an process that is suspicious with PID 1640 reader_sl.exe where the parent process is explorer.exe PID 1484 which mean that reader_sl.exe was triggered by explorer application.

Another way to determine the processes that are running and also shows their parent processes is by using the pstree plugin

volatility_2.6_win64_standalone -f C:\Users\JOSEPH\Documents\cridex_memdump\cridex.vmem --profile=WinXPSP2x86 pstree

The output is given below


C:\Users\JOSEPH\Documents\volatility_2.6_win64_standalone\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone -f C:\Users\JOSEPH\Documents\cridex_memdump\cridex.vmem --profile=WinXPSP2x86 pstree
Volatility Foundation Volatility Framework 2.6
Name                                                  Pid   PPid   Thds   Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
 0x823c89c8:System                                      4      0     53    240 1970-01-01 00:00:00 UTC+0000
. 0x822f1020:smss.exe                                 368      4      3     19 2012-07-22 02:42:31 UTC+0000
.. 0x82298700:winlogon.exe                            608    368     23    519 2012-07-22 02:42:32 UTC+0000
... 0x81e2ab28:services.exe                           652    608     16    243 2012-07-22 02:42:32 UTC+0000
.... 0x821dfda0:svchost.exe                          1056    652      5     60 2012-07-22 02:42:33 UTC+0000
.... 0x81eb17b8:spoolsv.exe                          1512    652     14    113 2012-07-22 02:42:36 UTC+0000
.... 0x81e29ab8:svchost.exe                           908    652      9    226 2012-07-22 02:42:33 UTC+0000
.... 0x823001d0:svchost.exe                          1004    652     64   1118 2012-07-22 02:42:33 UTC+0000
..... 0x8205bda0:wuauclt.exe                         1588   1004      5    132 2012-07-22 02:44:01 UTC+0000
..... 0x821fcda0:wuauclt.exe                         1136   1004      8    173 2012-07-22 02:43:46 UTC+0000
.... 0x82311360:svchost.exe                           824    652     20    194 2012-07-22 02:42:33 UTC+0000
.... 0x820e8da0:alg.exe                               788    652      7    104 2012-07-22 02:43:01 UTC+0000
.... 0x82295650:svchost.exe                          1220    652     15    197 2012-07-22 02:42:35 UTC+0000
... 0x81e2a3b8:lsass.exe                              664    608     24    330 2012-07-22 02:42:32 UTC+0000
.. 0x822a0598:csrss.exe                               584    368      9    326 2012-07-22 02:42:32 UTC+0000
 0x821dea70:explorer.exe                             1484   1464     17    415 2012-07-22 02:42:36 UTC+0000
. 0x81e7bda0:reader_sl.exe                           1640   1484      5     39 2012-07-22 02:42:36 UTC+0000    


As shown in the output above, we have a suspicious looking process “reader_sl.exe” which is under the explorer processes. After noting this, we can try check if there are any hidden processes using the psxview plugin. This plugin is useful as it shows all the processes that are running either hidden or not hidden. If you see any process that is false in the pslist and psscan then you can assume this is the malware.

volatility_2.6_win64_standalone -f C:\Users\JOSEPH\Documents\cridex_memdump\cridex.vmem --profile=WinXPSP2x86 psxview

The output is given below


C:\Users\JOSEPH\Documents\volatility_2.6_win64_standalone\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone -f C:\Users\JOSEPH\Documents\cridex_memdump\cridex.vmem --profile=WinXPSP2x86 psxview
Volatility Foundation Volatility Framework 2.6
Offset(P)  Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
---------- -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
0x02498700 winlogon.exe            608 True   True   True     True   True  True    True
0x02511360 svchost.exe             824 True   True   True     True   True  True    True
0x022e8da0 alg.exe                 788 True   True   True     True   True  True    True
0x020b17b8 spoolsv.exe            1512 True   True   True     True   True  True    True
0x0202ab28 services.exe            652 True   True   True     True   True  True    True
0x02495650 svchost.exe            1220 True   True   True     True   True  True    True
0x0207bda0 reader_sl.exe          1640 True   True   True     True   True  True    True
0x025001d0 svchost.exe            1004 True   True   True     True   True  True    True
0x02029ab8 svchost.exe             908 True   True   True     True   True  True    True
0x023fcda0 wuauclt.exe            1136 True   True   True     True   True  True    True
0x0225bda0 wuauclt.exe            1588 True   True   True     True   True  True    True
0x0202a3b8 lsass.exe               664 True   True   True     True   True  True    True
0x023dea70 explorer.exe           1484 True   True   True     True   True  True    True
0x023dfda0 svchost.exe            1056 True   True   True     True   True  True    True
0x024f1020 smss.exe                368 True   True   True     True   False False   False
0x025c89c8 System                    4 True   True   True     True   False False   False
0x024a0598 csrss.exe               584 True   True   True     True   False True    True

DLLs Loaded By The Suspicious Process

We have one potentially malicious process. Let's check the DLLs loaded by the process using the dlllist plugin: 

volatility_2.6_win64_standalone -f C:\Users\JOSEPH\Documents\cridex_memdump\cridex.vmem --profile=WinXPSP2x86 dlllist -p 1640

The output is given below


C:\Users\JOSEPH\Documents\volatility_2.6_win64_standalone\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone -f C:\Users\JOSEPH\Documents\cridex_memdump\cridex.vmem --profile=WinXPSP2x86 dlllist -p 1640
Volatility Foundation Volatility Framework 2.6
************************************************************************
reader_sl.exe pid:   1640
Command line : "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
Service Pack 3

Base             Size  LoadCount Path
---------- ---------- ---------- ----
0x00400000     0xa000     0xffff C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
0x7c900000    0xaf000     0xffff C:\WINDOWS\system32\ntdll.dll
0x7c800000    0xf6000     0xffff C:\WINDOWS\system32\kernel32.dll
0x7e410000    0x91000     0xffff C:\WINDOWS\system32\USER32.dll
0x77f10000    0x49000     0xffff C:\WINDOWS\system32\GDI32.dll
0x77dd0000    0x9b000     0xffff C:\WINDOWS\system32\ADVAPI32.dll
0x77e70000    0x92000     0xffff C:\WINDOWS\system32\RPCRT4.dll
0x77fe0000    0x11000     0xffff C:\WINDOWS\system32\Secur32.dll
0x7c9c0000   0x817000     0xffff C:\WINDOWS\system32\SHELL32.dll
0x77c10000    0x58000     0xffff C:\WINDOWS\system32\msvcrt.dll
0x77f60000    0x76000     0xffff C:\WINDOWS\system32\SHLWAPI.dll
0x7c420000    0x87000     0xffff C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCP80.dll
0x78130000    0x9b000     0xffff C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCR80.dll
0x773d0000   0x103000        0x1 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
0x5d090000    0x9a000        0x1 C:\WINDOWS\system32\comctl32.dll
0x5ad70000    0x38000        0x2 C:\WINDOWS\system32\uxtheme.dll
0x71ab0000    0x17000        0x1 C:\WINDOWS\system32\WS2_32.dll
0x71aa0000     0x8000        0x1 C:\WINDOWS\system32\WS2HELP.dll   


Check For Open Connections And Running Sockets

The next step to check is the connection event, usually malware will create connection back to the its CnC (Command and Control) in order to do its next task or sending the information to it for any information that the malware successfully extract from the host. We do this by using the connscan plugin.

volatility_2.6_win64_standalone -f C:\Users\JOSEPH\Documents\cridex_memdump\cridex.vmem --profile=WinXPSP2x86 connscan

The output is given below.


C:\Users\JOSEPH\Documents\volatility_2.6_win64_standalone\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone -f C:\Users\JOSEPH\Documents\cridex_memdump\cridex.vmem --profile=WinXPSP2x86 connscan
Volatility Foundation Volatility Framework 2.6
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x02087620 172.16.112.128:1038       41.168.5.140:8080         1484
0x023a8008 172.16.112.128:1037       125.19.103.198:8080       1484    

After we check for the TCP connections, we note that process with ID 1484 is connected to a remote address using IP 41.168.5.140 and 125.19.103.198 using port 8080. You can then investigate the above remote IP addresses using the OSINT techniques described here. We can check for open sockets using the socket plugin.

volatility_2.6_win64_standalone -f C:\Users\JOSEPH\Documents\cridex_memdump\cridex.vmem --profile=WinXPSP2x86 sockets

The output is given below.


C:\Users\JOSEPH\Documents\volatility_2.6_win64_standalone\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone -f C:\Users\JOSEPH\Documents\cridex_memdump\cridex.vmem --profile=WinXPSP2x86 sockets
Volatility Foundation Volatility Framework 2.6
Offset(V)       PID   Port  Proto Protocol        Address         Create Time
---------- -------- ------ ------ --------------- --------------- -----------
0x81ddb780      664    500     17 UDP             0.0.0.0         2012-07-22 02:42:53 UTC+0000
0x82240d08     1484   1038      6 TCP             0.0.0.0         2012-07-22 02:44:45 UTC+0000
0x81dd7618     1220   1900     17 UDP             172.16.112.128  2012-07-22 02:43:01 UTC+0000
0x82125610      788   1028      6 TCP             127.0.0.1       2012-07-22 02:43:01 UTC+0000
0x8219cc08        4    445      6 TCP             0.0.0.0         2012-07-22 02:42:31 UTC+0000
0x81ec23b0      908    135      6 TCP             0.0.0.0         2012-07-22 02:42:33 UTC+0000
0x82276878        4    139      6 TCP             172.16.112.128  2012-07-22 02:42:38 UTC+0000
0x82277460        4    137     17 UDP             172.16.112.128  2012-07-22 02:42:38 UTC+0000
0x81e76620     1004    123     17 UDP             127.0.0.1       2012-07-22 02:43:01 UTC+0000
0x82172808      664      0    255 Reserved        0.0.0.0         2012-07-22 02:42:53 UTC+0000
0x81e3f460        4    138     17 UDP             172.16.112.128  2012-07-22 02:42:38 UTC+0000
0x821f0630     1004    123     17 UDP             172.16.112.128  2012-07-22 02:43:01 UTC+0000
0x822cd2b0     1220   1900     17 UDP             127.0.0.1       2012-07-22 02:43:01 UTC+0000
0x82172c50      664   4500     17 UDP             0.0.0.0         2012-07-22 02:42:53 UTC+0000
0x821f0d00        4    445     17 UDP             0.0.0.0         2012-07-22 02:42:31 UTC+0000    

When we check for open sockets, we can see that process 1484 (explorer, the parent of reader_sl.exe) has an open TCP connection using port 1038 and is actually waiting for TCP connection that accepting from any IP.


Check The Content Of Registry Keys

Most malware try to make their execution automatic at every system start-up. o see if this is the case with Cridex, we can take a look at the registry entries used during the system start-up. These registry keys are stored in

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, RunOnce, RunOnceEx

We can use the hivelist to navigate into hives and print the content of registry keys.

volatility_2.6_win64_standalone -f C:\Users\JOSEPH\Documents\cridex_memdump\cridex.vmem --profile=WinXPSP2x86 hivelist

The output is given below


C:\Users\JOSEPH\Documents\volatility_2.6_win64_standalone\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone -f C:\Users\JOSEPH\Documents\cridex_memdump\cridex.vmem --profile=WinXPSP2x86 hivelist
Volatility Foundation Volatility Framework 2.6
Virtual    Physical   Name
---------- ---------- ----
0xe18e5b60 0x093f8b60 \Device\HarddiskVolume1\Documents and Settings\Robert\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1a19b60 0x0a5a9b60 \Device\HarddiskVolume1\Documents and Settings\Robert\NTUSER.DAT
0xe18398d0 0x08a838d0 \Device\HarddiskVolume1\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe18614d0 0x08e624d0 \Device\HarddiskVolume1\Documents and Settings\LocalService\NTUSER.DAT
0xe183bb60 0x08e2db60 \Device\HarddiskVolume1\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe17f2b60 0x08519b60 \Device\HarddiskVolume1\Documents and Settings\NetworkService\NTUSER.DAT
0xe1570510 0x07669510 \Device\HarddiskVolume1\WINDOWS\system32\config\software
0xe1571008 0x0777f008 \Device\HarddiskVolume1\WINDOWS\system32\config\default
0xe15709b8 0x076699b8 \Device\HarddiskVolume1\WINDOWS\system32\config\SECURITY
0xe15719e8 0x0777f9e8 \Device\HarddiskVolume1\WINDOWS\system32\config\SAM
0xe13ba008 0x02e4b008 [no name]
0xe1035b60 0x02ac3b60 \Device\HarddiskVolume1\WINDOWS\system32\config\system
0xe102e008 0x02a7d008 [no name]    

We can use the printkey plugin to view the content of a registry key, its subkeys, and values specififying the option -k to navigate towards the registry key path.

volatility_2.6_win64_standalone -f C:\Users\JOSEPH\Documents\cridex_memdump\cridex.vmem --profile=WinXPSP2x86 printkey -K "Software\Microsoft\Windows\CurrentVersion\Run"

The output is given below

C:\Users\JOSEPH\Documents\volatility_2.6_win64_standalone\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone -f C:\Users\JOSEPH\Documents\cridex_memdump\cridex.vmem --profile=WinXPSP2x86 printkey -K "Software\Microsoft\Windows\CurrentVersion\Run"
Volatility Foundation Volatility Framework 2.6
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\Robert\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
Key name: Run (S)
Last updated: 2011-04-13 00:55:13 UTC+0000

Subkeys:

Values:
----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\Robert\NTUSER.DAT
Key name: Run (S)
Last updated: 2012-07-22 02:31:51 UTC+0000

Subkeys:

Values:
REG_SZ        KB00207877.exe  : (S) "C:\Documents and Settings\Robert\Application Data\KB00207877.exe"
----------------------------
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\default
Key name: Run (S)
Last updated: 2011-04-12 20:31:49 UTC+0000

Subkeys:

Values:
----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
Key name: Run (S)
Last updated: 2011-04-13 00:55:13 UTC+0000

Subkeys:

Values:
----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\NetworkService\NTUSER.DAT
Key name: Run (S)
Last updated: 2011-04-13 00:49:16 UTC+0000

Subkeys:

Values:
----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\LocalService\NTUSER.DAT
Key name: Run (S)
Last updated: 2011-04-13 00:49:28 UTC+0000

Subkeys:

Values:
----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
Key name: Run (S)
Last updated: 2011-04-13 00:55:13 UTC+0000

Subkeys:

Values:    

The only hive that has been recently modified is the following registry:


\Device\HarddiskVolume1\Documents and Settings\Robert\NTUSER.DAT

It was last updated 2012-07-22

Check The Last Commands That Were Executed

We can now check for commands which were executed on the PC under investigation and the parameter and path of the application. Checking commands can help an investigator while he gathers evidence from the volatility memory dump. We will be checking out for process 1640. To do this, we use the cmdline plugin.

volatility_2.6_win64_standalone -f C:\Users\JOSEPH\Documents\cridex_memdump\cridex.vmem --profile=WinXPSP2x86 cmdline

The output is given below.


C:\Users\JOSEPH\Documents\volatility_2.6_win64_standalone\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone -f C:\Users\JOSEPH\Documents\cridex_memdump\cridex.vmem --profile=WinXPSP2x86 cmdline
Volatility Foundation Volatility Framework 2.6
************************************************************************
System pid:      4
************************************************************************
smss.exe pid:    368
Command line : \SystemRoot\System32\smss.exe
************************************************************************
csrss.exe pid:    584
Command line : C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
************************************************************************
winlogon.exe pid:    608
Command line : winlogon.exe
************************************************************************
services.exe pid:    652
Command line : C:\WINDOWS\system32\services.exe
************************************************************************
lsass.exe pid:    664
Command line : C:\WINDOWS\system32\lsass.exe
************************************************************************
svchost.exe pid:    824
Command line : C:\WINDOWS\system32\svchost -k DcomLaunch
************************************************************************
svchost.exe pid:    908
Command line : C:\WINDOWS\system32\svchost -k rpcss
************************************************************************
svchost.exe pid:   1004
Command line : C:\WINDOWS\System32\svchost.exe -k netsvcs
************************************************************************
svchost.exe pid:   1056
Command line : C:\WINDOWS\system32\svchost.exe -k NetworkService
************************************************************************
svchost.exe pid:   1220
Command line : C:\WINDOWS\system32\svchost.exe -k LocalService
************************************************************************
explorer.exe pid:   1484
Command line : C:\WINDOWS\Explorer.EXE
************************************************************************
spoolsv.exe pid:   1512
Command line : C:\WINDOWS\system32\spoolsv.exe
************************************************************************
reader_sl.exe pid:   1640
Command line : "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
************************************************************************
alg.exe pid:    788
Command line : C:\WINDOWS\System32\alg.exe
************************************************************************
wuauclt.exe pid:   1136
Command line : "C:\WINDOWS\system32\wuauclt.exe" /RunStoreAsComServer Local\[3ec]SUSDSb81eb56fa3105543beb3109274ef8ec1
************************************************************************
wuauclt.exe pid:   1588
Command line : "C:\WINDOWS\system32\wuauclt.exe"    

After running the command we now see the process 1640 is one of the processes running on the PC (highlighted in red above). This is a Adobe classic reader executed from the following path


C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe    

 We can export the reader_sl.exe from volatility memory for further analysis.

Export The Suspicious Application

The next step that is to analyze the binary of Reader_sl.exe. There is another extremely useful Volatility plugin - malfind. This plugin helps digital forensic examiners to find hidden or injected code/DLLs in the user mode memory. We can extract that specific binary from the memory dump using the below command.

volatility_2.6_win64_standalone -f C:\Users\JOSEPH\Documents\cridex_memdump\cridex.vmem --profile=WinXPSP2x86 malfind -p 1640 --dump-dir C:\Users\JOSEPH\Documents\cridex_memdump

The output is given below


C:\Users\JOSEPH\Documents\volatility_2.6_win64_standalone\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone -f C:\Users\JOSEPH\Documents\cridex_memdump\cridex.vmem --profile=WinXPSP2x86 malfind -p 1640 --dump-dir C:\Users\JOSEPH\Documents\cridex_memdump
Volatility Foundation Volatility Framework 2.6
Process: reader_sl.exe Pid: 1640 Address: 0x3d0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 33, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x003d0000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............
0x003d0010  b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00   ........@.......
0x003d0020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x003d0030  00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00   ................

0x003d0000 4d               DEC EBP
0x003d0001 5a               POP EDX
0x003d0002 90               NOP
0x003d0003 0003             ADD [EBX], AL
0x003d0005 0000             ADD [EAX], AL
0x003d0007 000400           ADD [EAX+EAX], AL
0x003d000a 0000             ADD [EAX], AL
0x003d000c ff               DB 0xff
0x003d000d ff00             INC DWORD [EAX]
0x003d000f 00b800000000     ADD [EAX+0x0], BH
0x003d0015 0000             ADD [EAX], AL
0x003d0017 004000           ADD [EAX+0x0], AL
0x003d001a 0000             ADD [EAX], AL
0x003d001c 0000             ADD [EAX], AL
0x003d001e 0000             ADD [EAX], AL
0x003d0020 0000             ADD [EAX], AL
0x003d0022 0000             ADD [EAX], AL
0x003d0024 0000             ADD [EAX], AL
0x003d0026 0000             ADD [EAX], AL
0x003d0028 0000             ADD [EAX], AL
0x003d002a 0000             ADD [EAX], AL
0x003d002c 0000             ADD [EAX], AL
0x003d002e 0000             ADD [EAX], AL
0x003d0030 0000             ADD [EAX], AL
0x003d0032 0000             ADD [EAX], AL
0x003d0034 0000             ADD [EAX], AL
0x003d0036 0000             ADD [EAX], AL
0x003d0038 0000             ADD [EAX], AL
0x003d003a 0000             ADD [EAX], AL
0x003d003c e000             LOOPNZ 0x3d003e
0x003d003e 0000             ADD [EAX], AL

As you can see, we also used the --dump-dir switch to export the DLLs to a folder. After that we can, for example, upload them to VirusTotal. And of course, most services detected our suspicious application as malicious as shown below.




There are many more Volatility plugins available. You can learn more about them in the documentation available on the Volatility Foundation website.



Post a Comment

Previous Post Next Post