Memory forensics deals with the recovery and analysis of data from areas of a system's memory (such as RAM and virtual memory) that are lost when the system is powered down or overwritten by other running processes.
Why are investigators looking into these previously untapped areas of forensic data?
The main reason is that systems collected for forensic analysis have traditionally been powered down and transported to a laboratory for examination. Shutting a system down destroys the contents of volatile memory, and they cannot be recovered afterwards. If the memory is acquired and analysed while the system is still live, the investigator gets a far richer picture of the run-time state of the system at the moment of acquisition: its network connections, the encryption keys in use, plaintext copies of data that is encrypted on disk, the running processes and what they were doing, and any modified or injected code that exists only in memory. All of this feeds the investigative steps that follow.
Before proceeding with the rest of the post, the reader is encouraged to review a few foundational concepts of memory forensics. There is also a SANS poster that the reader is encouraged to download and keep, as it will greatly aid the understanding of the remainder of this post.
Windows Processes Genealogy
The Windows operating system starts a set of system processes every time the computer boots. These processes are responsible for everything from initialisation and creating the user interface to loading the necessary drivers and DLLs. Forensic investigators must know the normal behaviour of these processes (their names, expected parents, number of instances, start times and image paths) in order to have a baseline against which a compromised system can be compared.
I would also like to refer the reader to a popular SANS poster that treats this subject extensively. Richard Davis of 13Cubed made the SANS poster easier to comprehend with his own version, which can be downloaded here. These two should always be your reference material when analysing Windows process relationships.
Windows Memory Analysis With Volatility
The Volatility Framework is an open source toolkit written in Python, so it is cross-platform: you can run it on Windows, Linux or macOS. You can run it from source, but standalone executables are also provided for all three operating systems.
As this post is about Windows memory forensics, we are going to use the Windows standalone executable. At the time of writing, the most recent version of Volatility is 2.6. This version improved support for Windows 10 (including build 14393.447) and added support for Windows Server 2016, macOS Sierra 10.12 and Linux kernels with KASLR.
To download the tools, go to the Volatility Framework website and use the Releases tab to choose the most recent version, in our case 2.6. Unzip volatility_2.6_win64_standalone.zip and you are ready to go.
Volatility plugins like pslist, pstree, psxview, dlllist, ldrmodules, hollowfind, getsids, handles and many others rely on a few key process-related kernel data structures: the EPROCESS block, the Process Environment Block (PEB), the Virtual Address Descriptor (VAD) tree and so on. The plugins parse these structures and their substructures and present the examiner with a tabular view for analysis.
In the table below, a few Volatility plugins are mapped against the process-related data structures they parse. The list is nowhere near comprehensive; it is only meant to highlight the mapping between plugins and data structures.
Selecting A Profile
To perform analysis with Volatility we first need to set a profile that tells Volatility which operating system, service pack and architecture the dump came from, such as Windows 10, XP, Vista or a particular Linux kernel. To identify it, we use the imageinfo plugin:
volatility_2.6_win64_standalone -f C:\Users\JOSEPH\Documents\cridex_memdump\cridex.vmem imageinfo
The output is given below
C:\Users\JOSEPH\Documents\volatility_2.6_win64_standalone\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone -f C:\Users\JOSEPH\Documents\cridex_memdump\cridex.vmem imageinfo
Volatility Foundation Volatility Framework 2.6
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
AS Layer1 : IA32PagedMemoryPae (Kernel AS)
AS Layer2 : FileAddressSpace (C:\Users\JOSEPH\Documents\cridex_memdump\cridex.vmem)
PAE type : PAE
DTB : 0x2fe000L
KDBG : 0x80545ae0L
Number of Processors : 1
Image Type (Service Pack) : 3
KPCR for CPU 0 : 0xffdff000L
KUSER_SHARED_DATA : 0xffdf0000L
Image date and time : 2012-07-22 02:45:08 UTC+0000
Image local date and time : 2012-07-21 22:45:08 -0400
The imageinfo plugin suggested two profiles, WinXPSP2x86 and WinXPSP3x86, and instantiated WinXPSP2x86 by default. Note that the same output reports Image Type (Service Pack) : 3, so WinXPSP3x86 is the more accurate choice; the two XP profiles are close enough that the plugins used in this post work with either, and the rest of the post follows the default, WinXPSP2x86. When imageinfo is ambiguous, kdbgscan is the more precise way to pin down the profile, because it reports which profile's KDBG signature and process-list counts actually match the image.
To get a list of the profiles available in Volatility, enter the following command:
volatility_2.6_win64_standalone --info
The output is given below
C:\Users\JOSEPH\Documents\volatility_2.6_win64_standalone\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone --info
Volatility Foundation Volatility Framework 2.6
Profiles
--------
VistaSP0x64 - A Profile for Windows Vista SP0 x64
VistaSP0x86 - A Profile for Windows Vista SP0 x86
VistaSP1x64 - A Profile for Windows Vista SP1 x64
VistaSP1x86 - A Profile for Windows Vista SP1 x86
VistaSP2x64 - A Profile for Windows Vista SP2 x64
VistaSP2x86 - A Profile for Windows Vista SP2 x86
Win10x64 - A Profile for Windows 10 x64
Win10x64_10586 - A Profile for Windows 10 x64 (10.0.10586.306 / 2016-04-23)
Win10x64_14393 - A Profile for Windows 10 x64 (10.0.14393.0 / 2016-07-16)
Win10x86 - A Profile for Windows 10 x86
Win10x86_10586 - A Profile for Windows 10 x86 (10.0.10586.420 / 2016-05-28)
Win10x86_14393 - A Profile for Windows 10 x86 (10.0.14393.0 / 2016-07-16)
Win2003SP0x86 - A Profile for Windows 2003 SP0 x86
Win2003SP1x64 - A Profile for Windows 2003 SP1 x64
Win2003SP1x86 - A Profile for Windows 2003 SP1 x86
Win2003SP2x64 - A Profile for Windows 2003 SP2 x64
Win2003SP2x86 - A Profile for Windows 2003 SP2 x86
Win2008R2SP0x64 - A Profile for Windows 2008 R2 SP0 x64
Win2008R2SP1x64 - A Profile for Windows 2008 R2 SP1 x64
Win2008R2SP1x64_23418 - A Profile for Windows 2008 R2 SP1 x64 (6.1.7601.23418 / 2016-04-09)
Win2008SP1x64 - A Profile for Windows 2008 SP1 x64
Win2008SP1x86 - A Profile for Windows 2008 SP1 x86
Win2008SP2x64 - A Profile for Windows 2008 SP2 x64
Win2008SP2x86 - A Profile for Windows 2008 SP2 x86
Win2012R2x64 - A Profile for Windows Server 2012 R2 x64
Win2012R2x64_18340 - A Profile for Windows Server 2012 R2 x64 (6.3.9600.18340 / 2016-05-13)
Win2012x64 - A Profile for Windows Server 2012 x64
Win2016x64_14393 - A Profile for Windows Server 2016 x64 (10.0.14393.0 / 2016-07-16)
Win7SP0x64 - A Profile for Windows 7 SP0 x64
Win7SP0x86 - A Profile for Windows 7 SP0 x86
Win7SP1x64 - A Profile for Windows 7 SP1 x64
Win7SP1x64_23418 - A Profile for Windows 7 SP1 x64 (6.1.7601.23418 / 2016-04-09)
Win7SP1x86 - A Profile for Windows 7 SP1 x86
Win7SP1x86_23418 - A Profile for Windows 7 SP1 x86 (6.1.7601.23418 / 2016-04-09)
Win81U1x64 - A Profile for Windows 8.1 Update 1 x64
Win81U1x86 - A Profile for Windows 8.1 Update 1 x86
Win8SP0x64 - A Profile for Windows 8 x64
Win8SP0x86 - A Profile for Windows 8 x86
Win8SP1x64 - A Profile for Windows 8.1 x64
Win8SP1x64_18340 - A Profile for Windows 8.1 x64 (6.3.9600.18340 / 2016-05-13)
Win8SP1x86 - A Profile for Windows 8.1 x86
WinXPSP1x64 - A Profile for Windows XP SP1 x64
WinXPSP2x64 - A Profile for Windows XP SP2 x64
WinXPSP2x86 - A Profile for Windows XP SP2 x86
WinXPSP3x86 - A Profile for Windows XP SP3 x86
View Running Processes
Now that we have the correct profile, we pass it with the --profile switch to collect information about the processes that were running on the infected machine. To do this, we use the pslist plugin, which walks the doubly linked list of EPROCESS structures (ActiveProcessLinks) that the kernel itself uses:
volatility_2.6_win64_standalone -f C:\Users\JOSEPH\Documents\cridex_memdump\cridex.vmem --profile=WinXPSP2x86 pslist
The output is given below
C:\Users\JOSEPH\Documents\volatility_2.6_win64_standalone\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone -f C:\Users\JOSEPH\Documents\cridex_memdump\cridex.vmem --profile=WinXPSP2x86 pslist
Volatility Foundation Volatility Framework 2.6
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c89c8 System 4 0 53 240 ------ 0
0x822f1020 smss.exe 368 4 3 19 ------ 0 2012-07-22 02:42:31 UTC+0000
0x822a0598 csrss.exe 584 368 9 326 0 0 2012-07-22 02:42:32 UTC+0000
0x82298700 winlogon.exe 608 368 23 519 0 0 2012-07-22 02:42:32 UTC+0000
0x81e2ab28 services.exe 652 608 16 243 0 0 2012-07-22 02:42:32 UTC+0000
0x81e2a3b8 lsass.exe 664 608 24 330 0 0 2012-07-22 02:42:32 UTC+0000
0x82311360 svchost.exe 824 652 20 194 0 0 2012-07-22 02:42:33 UTC+0000
0x81e29ab8 svchost.exe 908 652 9 226 0 0 2012-07-22 02:42:33 UTC+0000
0x823001d0 svchost.exe 1004 652 64 1118 0 0 2012-07-22 02:42:33 UTC+0000
0x821dfda0 svchost.exe 1056 652 5 60 0 0 2012-07-22 02:42:33 UTC+0000
0x82295650 svchost.exe 1220 652 15 197 0 0 2012-07-22 02:42:35 UTC+0000
0x821dea70 explorer.exe 1484 1464 17 415 0 0 2012-07-22 02:42:36 UTC+0000
0x81eb17b8 spoolsv.exe 1512 652 14 113 0 0 2012-07-22 02:42:36 UTC+0000
0x81e7bda0 reader_sl.exe 1640 1484 5 39 0 0 2012-07-22 02:42:36 UTC+0000
0x820e8da0 alg.exe 788 652 7 104 0 0 2012-07-22 02:43:01 UTC+0000
0x821fcda0 wuauclt.exe 1136 1004 8 173 0 0 2012-07-22 02:43:46 UTC+0000
0x8205bda0 wuauclt.exe 1588 1004 5 132 0 0 2012-07-22 02:44:01 UTC+0000
The list contains the expected Windows XP system processes, but one entry stands out: PID 1640, reader_sl.exe, whose parent is explorer.exe (PID 1484). That means it was launched inside the interactive user session (by the user, or by something configured to run at logon) rather than as a service under services.exe. Note also that explorer.exe's parent, PID 1464, does not appear in the list; this is normal, since userinit.exe spawns explorer.exe and then exits.
Another way to list the processes while showing their parent/child relationships is the pstree plugin:
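The baseline idea from the Windows Processes Genealogy section can be applied mechanically to the pslist output above. The following Python script is an added example for this post (it is not part of the original article or of Volatility): it parses pslist's text output, encodes the Windows XP boot genealogy from the SANS poster as expected-parent and instance-count rules, and flags anything that breaks them, including name lookalikes such as scvhost.exe. The pslist rows embedded in the script are copied from the output above; the baseline table and the 0.85 similarity cutoff are choices made for this example, not anything taken from the page.

```python
"""Check Volatility pslist output against a Windows XP process genealogy baseline.

Added example for this post; not part of the original article or of Volatility.
The pslist rows below are copied from the post's output so the script runs
offline; the baseline table encodes the XP boot genealogy described in the
Windows Processes Genealogy section (SANS poster).
"""
import difflib
import re
from collections import Counter

PSLIST_OUTPUT = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c89c8 System                    4      0     53      240 ------      0
0x822f1020 smss.exe                368      4      3       19 ------      0 2012-07-22 02:42:31 UTC+0000
0x822a0598 csrss.exe               584    368      9      326      0      0 2012-07-22 02:42:32 UTC+0000
0x82298700 winlogon.exe            608    368     23      519      0      0 2012-07-22 02:42:32 UTC+0000
0x81e2ab28 services.exe            652    608     16      243      0      0 2012-07-22 02:42:32 UTC+0000
0x81e2a3b8 lsass.exe               664    608     24      330      0      0 2012-07-22 02:42:32 UTC+0000
0x82311360 svchost.exe             824    652     20      194      0      0 2012-07-22 02:42:33 UTC+0000
0x81e29ab8 svchost.exe             908    652      9      226      0      0 2012-07-22 02:42:33 UTC+0000
0x823001d0 svchost.exe            1004    652     64     1118      0      0 2012-07-22 02:42:33 UTC+0000
0x821dfda0 svchost.exe            1056    652      5       60      0      0 2012-07-22 02:42:33 UTC+0000
0x82295650 svchost.exe            1220    652     15      197      0      0 2012-07-22 02:42:35 UTC+0000
0x821dea70 explorer.exe           1484   1464     17      415      0      0 2012-07-22 02:42:36 UTC+0000
0x81eb17b8 spoolsv.exe            1512    652     14      113      0      0 2012-07-22 02:42:36 UTC+0000
0x81e7bda0 reader_sl.exe          1640   1484      5       39      0      0 2012-07-22 02:42:36 UTC+0000
0x820e8da0 alg.exe                 788    652      7      104      0      0 2012-07-22 02:43:01 UTC+0000
0x821fcda0 wuauclt.exe            1136   1004      8      173      0      0 2012-07-22 02:43:46 UTC+0000
0x8205bda0 wuauclt.exe            1588   1004      5      132      0      0 2012-07-22 02:44:01 UTC+0000
"""

# name -> (allowed parent names, max instances). None as a parent means the
# parent PID is absent from the list, which is normal for System (PPID 0) and
# for explorer.exe, whose parent userinit.exe exits after spawning it.
XP_BASELINE = {
    "system":       ({None}, 1),
    "smss.exe":     ({"system"}, 1),
    "csrss.exe":    ({"smss.exe"}, 1),
    "winlogon.exe": ({"smss.exe"}, 1),
    "services.exe": ({"winlogon.exe"}, 1),
    "lsass.exe":    ({"winlogon.exe"}, 1),
    "svchost.exe":  ({"services.exe"}, None),
    "spoolsv.exe":  ({"services.exe"}, 1),
    "alg.exe":      ({"services.exe"}, 1),
    "wuauclt.exe":  ({"svchost.exe"}, None),
    "explorer.exe": ({"userinit.exe", None}, 1),
}

# offset, name, PID and PPID are the first four columns of every pslist row
ROW_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\d+)\s+(\d+)", re.M)


def parse_pslist(text):
    """Return {pid: (lower-cased name, ppid)} from pslist's text output."""
    return {int(pid): (name.lower(), int(ppid)) for name, pid, ppid in ROW_RE.findall(text)}


def check_genealogy(text, baseline=XP_BASELINE):
    """Return [(pid, name, reason)] for every row that breaks the baseline."""
    procs = parse_pslist(text)
    counts = Counter(name for name, _ in procs.values())
    findings = []
    for pid, (name, ppid) in sorted(procs.items()):
        parent_name = procs[ppid][0] if ppid in procs else None
        if name not in baseline:
            # 0.85 is a cutoff chosen for this example: scvhost.exe vs svchost.exe
            # scores about 0.91, reader_sl.exe vs any baseline name far below.
            look = difflib.get_close_matches(name, list(baseline), n=1, cutoff=0.85)
            if look:
                findings.append((pid, name, "lookalike of baseline name %s" % look[0]))
            else:
                findings.append((pid, name, "not in XP baseline; parent %s (PPID %d)"
                                 % (parent_name or "<absent>", ppid)))
            continue
        allowed, max_count = baseline[name]
        if parent_name not in allowed:
            findings.append((pid, name, "unexpected parent %s (PPID %d)"
                             % (parent_name or "<absent>", ppid)))
        if max_count is not None and counts[name] > max_count:
            findings.append((pid, name, "%d instances, expected at most %d"
                             % (counts[name], max_count)))
    return findings


if __name__ == "__main__":
    for pid, name, reason in check_genealogy(PSLIST_OUTPUT):
        print("PID %-5d %-14s %s" % (pid, name, reason))
```

Run against this dump it reports exactly one finding, reader_sl.exe (PID 1640) as a non-baseline process whose parent is explorer.exe; everything else, including explorer.exe's absent parent, matches the XP baseline. For Windows 7 and later the baseline changes (services.exe and lsass.exe are children of wininit.exe, and there is one csrss.exe and one winlogon.exe per session), so the table has to be adjusted to the profile in use.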
volatility_2.6_win64_standalone -f C:\Users\JOSEPH\Documents\cridex_memdump\cridex.vmem --profile=WinXPSP2x86 pstree
The output is given below
C:\Users\JOSEPH\Documents\volatility_2.6_win64_standalone\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone -f C:\Users\JOSEPH\Documents\cridex_memdump\cridex.vmem --profile=WinXPSP2x86 pstree
Volatility Foundation Volatility Framework 2.6
Name Pid PPid Thds Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
0x823c89c8:System 4 0 53 240 1970-01-01 00:00:00 UTC+0000
. 0x822f1020:smss.exe 368 4 3 19 2012-07-22 02:42:31 UTC+0000
.. 0x82298700:winlogon.exe 608 368 23 519 2012-07-22 02:42:32 UTC+0000
... 0x81e2ab28:services.exe 652 608 16 243 2012-07-22 02:42:32 UTC+0000
.... 0x821dfda0:svchost.exe 1056 652 5 60 2012-07-22 02:42:33 UTC+0000
.... 0x81eb17b8:spoolsv.exe 1512 652 14 113 2012-07-22 02:42:36 UTC+0000
.... 0x81e29ab8:svchost.exe 908 652 9 226 2012-07-22 02:42:33 UTC+0000
.... 0x823001d0:svchost.exe 1004 652 64 1118 2012-07-22 02:42:33 UTC+0000
..... 0x8205bda0:wuauclt.exe 1588 1004 5 132 2012-07-22 02:44:01 UTC+0000
..... 0x821fcda0:wuauclt.exe 1136 1004 8 173 2012-07-22 02:43:46 UTC+0000
.... 0x82311360:svchost.exe 824 652 20 194 2012-07-22 02:42:33 UTC+0000
.... 0x820e8da0:alg.exe 788 652 7 104 2012-07-22 02:43:01 UTC+0000
.... 0x82295650:svchost.exe 1220 652 15 197 2012-07-22 02:42:35 UTC+0000
... 0x81e2a3b8:lsass.exe 664 608 24 330 2012-07-22 02:42:32 UTC+0000
.. 0x822a0598:csrss.exe 584 368 9 326 2012-07-22 02:42:32 UTC+0000
0x821dea70:explorer.exe 1484 1464 17 415 2012-07-22 02:42:36 UTC+0000
. 0x81e7bda0:reader_sl.exe 1640 1484 5 39 2012-07-22 02:42:36 UTC+0000
pstree confirms that reader_sl.exe is a child of explorer.exe, in the only process tree that is not rooted at System. Next we check for hidden processes with the psxview plugin. It lists every process found by seven independent techniques (the pslist linked list, psscan pool scanning, thread ownership, the PspCidTable handle table, csrss.exe's handle table, the session process list and desktop thread enumeration) and prints True or False for each. A process that is False in pslist but True in psscan has either been unlinked from the process list (DKOM, as rootkits do) or has simply terminated; a process that is True only in psscan is usually a terminated process whose EPROCESS block is still in pool memory. Expect False entries for System, smss.exe and csrss.exe in the csrss, session and deskthrd columns, because those processes start before csrss.exe exists and do not own a session or desktop; those are not hiding.
volatility_2.6_win64_standalone -f C:\Users\JOSEPH\Documents\cridex_memdump\cridex.vmem --profile=WinXPSP2x86 psxview
The output is given below
C:\Users\JOSEPH\Documents\volatility_2.6_win64_standalone\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone -f C:\Users\JOSEPH\Documents\cridex_memdump\cridex.vmem --profile=WinXPSP2x86 psxview
Volatility Foundation Volatility Framework 2.6
Offset(P) Name PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
---------- -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
0x02498700 winlogon.exe 608 True True True True True True True
0x02511360 svchost.exe 824 True True True True True True True
0x022e8da0 alg.exe 788 True True True True True True True
0x020b17b8 spoolsv.exe 1512 True True True True True True True
0x0202ab28 services.exe 652 True True True True True True True
0x02495650 svchost.exe 1220 True True True True True True True
0x0207bda0 reader_sl.exe 1640 True True True True True True True
0x025001d0 svchost.exe 1004 True True True True True True True
0x02029ab8 svchost.exe 908 True True True True True True True
0x023fcda0 wuauclt.exe 1136 True True True True True True True
0x0225bda0 wuauclt.exe 1588 True True True True True True True
0x0202a3b8 lsass.exe 664 True True True True True True True
0x023dea70 explorer.exe 1484 True True True True True True True
0x023dfda0 svchost.exe 1056 True True True True True True True
0x024f1020 smss.exe 368 True True True True False False False
0x025c89c8 System 4 True True True True False False False
0x024a0598 csrss.exe 584 True True True True False True True
DLLs Loaded By The Suspicious Process
The psxview output shows no discrepancies: every process is seen by every technique that applies to it, so nothing is hidden from pslist. We therefore stay with our one potentially malicious process and check the DLLs it has loaded with the dlllist plugin, which walks the loader's module list in the process's PEB:
volatility_2.6_win64_standalone -f C:\Users\JOSEPH\Documents\cridex_memdump\cridex.vmem --profile=WinXPSP2x86 dlllist -p 1640
The output is given below
C:\Users\JOSEPH\Documents\volatility_2.6_win64_standalone\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone -f C:\Users\JOSEPH\Documents\cridex_memdump\cridex.vmem --profile=WinXPSP2x86 dlllist -p 1640
Volatility Foundation Volatility Framework 2.6
************************************************************************
reader_sl.exe pid: 1640
Command line : "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
Service Pack 3
Base Size LoadCount Path
---------- ---------- ---------- ----
0x00400000 0xa000 0xffff C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
0x7c900000 0xaf000 0xffff C:\WINDOWS\system32\ntdll.dll
0x7c800000 0xf6000 0xffff C:\WINDOWS\system32\kernel32.dll
0x7e410000 0x91000 0xffff C:\WINDOWS\system32\USER32.dll
0x77f10000 0x49000 0xffff C:\WINDOWS\system32\GDI32.dll
0x77dd0000 0x9b000 0xffff C:\WINDOWS\system32\ADVAPI32.dll
0x77e70000 0x92000 0xffff C:\WINDOWS\system32\RPCRT4.dll
0x77fe0000 0x11000 0xffff C:\WINDOWS\system32\Secur32.dll
0x7c9c0000 0x817000 0xffff C:\WINDOWS\system32\SHELL32.dll
0x77c10000 0x58000 0xffff C:\WINDOWS\system32\msvcrt.dll
0x77f60000 0x76000 0xffff C:\WINDOWS\system32\SHLWAPI.dll
0x7c420000 0x87000 0xffff C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCP80.dll
0x78130000 0x9b000 0xffff C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCR80.dll
0x773d0000 0x103000 0x1 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
0x5d090000 0x9a000 0x1 C:\WINDOWS\system32\comctl32.dll
0x5ad70000 0x38000 0x2 C:\WINDOWS\system32\uxtheme.dll
0x71ab0000 0x17000 0x1 C:\WINDOWS\system32\WS2_32.dll
0x71aa0000 0x8000 0x1 C:\WINDOWS\system32\WS2HELP.dll
Check For Network Connections And Sockets
The next step is to look at network activity. Malware usually connects back to its command-and-control (C2) server to receive tasking or to send back whatever it has collected from the host. On Windows XP and 2003 images we can look for TCP connection objects with the connscan plugin, which scans physical memory for _TCPT_OBJECT pool allocations and can therefore also recover connections that had already been closed when the image was taken:
volatility_2.6_win64_standalone -f C:\Users\JOSEPH\Documents\cridex_memdump\cridex.vmem --profile=WinXPSP2x86 connscan
The output is given below.
C:\Users\JOSEPH\Documents\volatility_2.6_win64_standalone\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone -f C:\Users\JOSEPH\Documents\cridex_memdump\cridex.vmem --profile=WinXPSP2x86 connscan
Volatility Foundation Volatility Framework 2.6
Offset(P) Local Address Remote Address Pid
---------- ------------------------- ------------------------- ---
0x02087620 172.16.112.128:1038 41.168.5.140:8080 1484
0x023a8008 172.16.112.128:1037 125.19.103.198:8080 1484
connscan shows that PID 1484 had two connections from 172.16.112.128 to remote hosts on port 8080: 41.168.5.140 and 125.19.103.198. PID 1484 is explorer.exe, the parent of reader_sl.exe, and the Windows shell has no business talking to arbitrary Internet hosts on port 8080, which suggests that code running inside explorer.exe is doing the networking. The remote addresses can be investigated using the OSINT techniques described here. Next we list the socket objects with the sockets plugin:
volatility_2.6_win64_standalone -f C:\Users\JOSEPH\Documents\cridex_memdump\cridex.vmem --profile=WinXPSP2x86 sockets
The output is given below.
C:\Users\JOSEPH\Documents\volatility_2.6_win64_standalone\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone -f C:\Users\JOSEPH\Documents\cridex_memdump\cridex.vmem --profile=WinXPSP2x86 sockets
Volatility Foundation Volatility Framework 2.6
Offset(V) PID Port Proto Protocol Address Create Time
---------- -------- ------ ------ --------------- --------------- -----------
0x81ddb780 664 500 17 UDP 0.0.0.0 2012-07-22 02:42:53 UTC+0000
0x82240d08 1484 1038 6 TCP 0.0.0.0 2012-07-22 02:44:45 UTC+0000
0x81dd7618 1220 1900 17 UDP 172.16.112.128 2012-07-22 02:43:01 UTC+0000
0x82125610 788 1028 6 TCP 127.0.0.1 2012-07-22 02:43:01 UTC+0000
0x8219cc08 4 445 6 TCP 0.0.0.0 2012-07-22 02:42:31 UTC+0000
0x81ec23b0 908 135 6 TCP 0.0.0.0 2012-07-22 02:42:33 UTC+0000
0x82276878 4 139 6 TCP 172.16.112.128 2012-07-22 02:42:38 UTC+0000
0x82277460 4 137 17 UDP 172.16.112.128 2012-07-22 02:42:38 UTC+0000
0x81e76620 1004 123 17 UDP 127.0.0.1 2012-07-22 02:43:01 UTC+0000
0x82172808 664 0 255 Reserved 0.0.0.0 2012-07-22 02:42:53 UTC+0000
0x81e3f460 4 138 17 UDP 172.16.112.128 2012-07-22 02:42:38 UTC+0000
0x821f0630 1004 123 17 UDP 172.16.112.128 2012-07-22 02:43:01 UTC+0000
0x822cd2b0 1220 1900 17 UDP 127.0.0.1 2012-07-22 02:43:01 UTC+0000
0x82172c50 664 4500 17 UDP 0.0.0.0 2012-07-22 02:42:53 UTC+0000
0x821f0d00 4 445 17 UDP 0.0.0.0 2012-07-22 02:42:31 UTC+0000
The sockets plugin shows one TCP socket owned by PID 1484 (explorer.exe), bound to 0.0.0.0 on local port 1038 and created at 02:44:45, about twenty seconds before the image was taken. Cross-referencing with connscan, local port 1038 is the local end of the connection to 41.168.5.140:8080, so this is an outbound client socket (0.0.0.0 is just the unspecified local bind address), not a listener waiting for inbound connections. There is no socket for local port 1037, so the connection to 125.19.103.198:8080 had already been closed; connscan recovered it from freed pool memory. Everything else in the list is standard XP: NetBIOS and SMB on 137, 138, 139 and 445 for System, the RPC endpoint mapper on 135, IKE/IPsec on 500 and 4500 for lsass.exe, SSDP on 1900, NTP on 123 and the Application Layer Gateway service on 127.0.0.1:1028.
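Correlating the two listings above by hand is error-prone on a busy system. The following Python script is an added example for this post, not part of the original article or of Volatility: it parses connscan and sockets text output, joins them on (PID, local port) and names the owner from pslist, so that connections backed by a live socket are separated from remnants of already-closed connections. The connscan and sockets rows are copied from the outputs above, and the PID-to-name map is taken from the pslist output earlier in the post.

```python
"""Join connscan connection remnants with sockets objects by (PID, local port).

Added example for this post; not part of the original article or of Volatility.
The connscan and sockets rows are copied from the post's output and the
PID-to-name map from its pslist output, so the script runs offline.
"""
import re

# From the pslist output earlier in the post (only the PIDs that own sockets).
PID_NAMES = {4: "System", 664: "lsass.exe", 788: "alg.exe", 908: "svchost.exe",
             1004: "svchost.exe", 1220: "svchost.exe", 1484: "explorer.exe"}

CONNSCAN_OUTPUT = """\
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x02087620 172.16.112.128:1038       41.168.5.140:8080         1484
0x023a8008 172.16.112.128:1037       125.19.103.198:8080       1484
"""

SOCKETS_OUTPUT = """\
Offset(V)  PID      Port   Proto  Protocol        Address         Create Time
---------- -------- ------ ------ --------------- --------------- -----------
0x81ddb780      664    500     17 UDP             0.0.0.0         2012-07-22 02:42:53 UTC+0000
0x82240d08     1484   1038      6 TCP             0.0.0.0         2012-07-22 02:44:45 UTC+0000
0x81dd7618     1220   1900     17 UDP             172.16.112.128  2012-07-22 02:43:01 UTC+0000
0x82125610      788   1028      6 TCP             127.0.0.1       2012-07-22 02:43:01 UTC+0000
0x8219cc08        4    445      6 TCP             0.0.0.0         2012-07-22 02:42:31 UTC+0000
0x81ec23b0      908    135      6 TCP             0.0.0.0         2012-07-22 02:42:33 UTC+0000
0x82276878        4    139      6 TCP             172.16.112.128  2012-07-22 02:42:38 UTC+0000
0x82277460        4    137     17 UDP             172.16.112.128  2012-07-22 02:42:38 UTC+0000
0x81e76620     1004    123     17 UDP             127.0.0.1       2012-07-22 02:43:01 UTC+0000
0x82172808      664      0    255 Reserved        0.0.0.0         2012-07-22 02:42:53 UTC+0000
0x81e3f460        4    138     17 UDP             172.16.112.128  2012-07-22 02:42:38 UTC+0000
0x821f0630     1004    123     17 UDP             172.16.112.128  2012-07-22 02:43:01 UTC+0000
0x822cd2b0     1220   1900     17 UDP             127.0.0.1       2012-07-22 02:43:01 UTC+0000
0x82172c50      664   4500     17 UDP             0.0.0.0         2012-07-22 02:42:53 UTC+0000
0x821f0d00        4    445     17 UDP             0.0.0.0         2012-07-22 02:42:31 UTC+0000
"""

CONN_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\d+)", re.M)
SOCK_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(\d+)\s+(\d+)\s+\d+\s+(\S+)\s+(\S+)\s+"
                     r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)", re.M)


def parse_connscan(text):
    """Each recovered _TCPT_OBJECT as {local, remote, pid}."""
    return [{"local": (lip, int(lp)), "remote": (rip, int(rp)), "pid": int(pid)}
            for lip, lp, rip, rp, pid in CONN_RE.findall(text)]


def parse_sockets(text):
    """Each _ADDRESS_OBJECT as {pid, port, proto, address, created}."""
    return [{"pid": int(pid), "port": int(port), "proto": proto, "address": addr, "created": created}
            for pid, port, proto, addr, created in SOCK_RE.findall(text)]


def correlate(conns, socks, names):
    """Attach the owning process and the matching TCP socket (if any) to each connection."""
    by_key = {(s["pid"], s["port"]): s for s in socks if s["proto"] == "TCP"}
    rows = []
    for c in conns:
        sock = by_key.get((c["pid"], c["local"][1]))
        rows.append({
            "pid": c["pid"],
            "owner": names.get(c["pid"], "<not in pslist>"),
            "local": "%s:%d" % c["local"],
            "remote": "%s:%d" % c["remote"],
            # no socket object => the connection was closed; connscan found a remnant
            "live_socket": sock is not None,
            "socket_created": sock["created"] if sock else None,
        })
    return rows


def tcp_sockets_without_connection(conns, socks):
    """TCP sockets no recovered connection refers to: listeners or idle binds."""
    used = {(c["pid"], c["local"][1]) for c in conns}
    return [(s["pid"], s["port"], s["address"]) for s in socks
            if s["proto"] == "TCP" and (s["pid"], s["port"]) not in used]


if __name__ == "__main__":
    conns, socks = parse_connscan(CONNSCAN_OUTPUT), parse_sockets(SOCKETS_OUTPUT)
    for r in correlate(conns, socks, PID_NAMES):
        state = "live socket since %s" % r["socket_created"] if r["live_socket"] else "closed (remnant)"
        print("%-13s PID %-5d %-22s -> %-22s %s" % (r["owner"], r["pid"], r["local"], r["remote"], state))
    for pid, port, addr in tcp_sockets_without_connection(conns, socks):
        print("%-13s PID %-5d TCP %s:%d bound, no recovered connection" % (PID_NAMES.get(pid, "?"), pid, addr, port))
```

For this dump it reports the connection from 172.16.112.128:1038 to 41.168.5.140:8080 as backed by a live socket created at 02:44:45, and the one to 125.19.103.198:8080 (local port 1037) as a closed remnant, both owned by explorer.exe; the four remaining TCP sockets (ports 135, 139, 445 and the ALG service on 127.0.0.1:1028) have no recovered connection and are ordinary listeners. On Vista and later, connscan and sockets do not apply; netscan returns connections and listeners in one listing with state information.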
Check The Content Of Registry Keys
Most malware tries to run automatically at every system start-up. To see whether this is the case with Cridex, we look at the registry keys Windows consults at start-up and logon. For the current user these are
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, RunOnce and RunOnceEx,
with machine-wide counterparts under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion.
First we use the hivelist plugin to locate the registry hives in memory and their addresses; the printkey plugin then reads individual keys from those hives.
volatility_2.6_win64_standalone -f C:\Users\JOSEPH\Documents\cridex_memdump\cridex.vmem --profile=WinXPSP2x86 hivelist
The output is given below
C:\Users\JOSEPH\Documents\volatility_2.6_win64_standalone\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone -f C:\Users\JOSEPH\Documents\cridex_memdump\cridex.vmem --profile=WinXPSP2x86 hivelist
Volatility Foundation Volatility Framework 2.6
Virtual Physical Name
---------- ---------- ----
0xe18e5b60 0x093f8b60 \Device\HarddiskVolume1\Documents and Settings\Robert\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1a19b60 0x0a5a9b60 \Device\HarddiskVolume1\Documents and Settings\Robert\NTUSER.DAT
0xe18398d0 0x08a838d0 \Device\HarddiskVolume1\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe18614d0 0x08e624d0 \Device\HarddiskVolume1\Documents and Settings\LocalService\NTUSER.DAT
0xe183bb60 0x08e2db60 \Device\HarddiskVolume1\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe17f2b60 0x08519b60 \Device\HarddiskVolume1\Documents and Settings\NetworkService\NTUSER.DAT
0xe1570510 0x07669510 \Device\HarddiskVolume1\WINDOWS\system32\config\software
0xe1571008 0x0777f008 \Device\HarddiskVolume1\WINDOWS\system32\config\default
0xe15709b8 0x076699b8 \Device\HarddiskVolume1\WINDOWS\system32\config\SECURITY
0xe15719e8 0x0777f9e8 \Device\HarddiskVolume1\WINDOWS\system32\config\SAM
0xe13ba008 0x02e4b008 [no name]
0xe1035b60 0x02ac3b60 \Device\HarddiskVolume1\WINDOWS\system32\config\system
0xe102e008 0x02a7d008 [no name]
We can use the printkey plugin to view the contents of a registry key, its subkeys and its values, specifying the key path with the -K option. Without -o (a hive offset taken from hivelist), printkey looks the path up in every hive, which is why the output below lists several user hives and the default hive. The machine-wide Run key lives in the SOFTWARE hive under Microsoft\Windows\CurrentVersion\Run (without the leading Software\), so it is not matched by this path and needs a separate query.
volatility_2.6_win64_standalone -f C:\Users\JOSEPH\Documents\cridex_memdump\cridex.vmem --profile=WinXPSP2x86 printkey -K "Software\Microsoft\Windows\CurrentVersion\Run"
The output is given below
C:\Users\JOSEPH\Documents\volatility_2.6_win64_standalone\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone -f C:\Users\JOSEPH\Documents\cridex_memdump\cridex.vmem --profile=WinXPSP2x86 printkey -K "Software\Microsoft\Windows\CurrentVersion\Run"
Volatility Foundation Volatility Framework 2.6
Legend: (S) = Stable (V) = Volatile
----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\Robert\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
Key name: Run (S)
Last updated: 2011-04-13 00:55:13 UTC+0000
Subkeys:
Values:
----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\Robert\NTUSER.DAT
Key name: Run (S)
Last updated: 2012-07-22 02:31:51 UTC+0000
Subkeys:
Values:
REG_SZ KB00207877.exe : (S) "C:\Documents and Settings\Robert\Application Data\KB00207877.exe"
----------------------------
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\default
Key name: Run (S)
Last updated: 2011-04-12 20:31:49 UTC+0000
Subkeys:
Values:
----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
Key name: Run (S)
Last updated: 2011-04-13 00:55:13 UTC+0000
Subkeys:
Values:
----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\NetworkService\NTUSER.DAT
Key name: Run (S)
Last updated: 2011-04-13 00:49:16 UTC+0000
Subkeys:
Values:
----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\LocalService\NTUSER.DAT
Key name: Run (S)
Last updated: 2011-04-13 00:49:28 UTC+0000
Subkeys:
Values:
----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
Key name: Run (S)
Last updated: 2011-04-13 00:55:13 UTC+0000
Subkeys:
Values:
The only Run key that was recently modified is the one in Robert's user hive:
\Device\HarddiskVolume1\Documents and Settings\Robert\NTUSER.DAT
It was last written at 2012-07-22 02:31:51, about 13 minutes before the image was taken, and it contains a single value, KB00207877.exe, pointing to C:\Documents and Settings\Robert\Application Data\KB00207877.exe. A program that starts at logon from the user's Application Data folder, with a name that imitates a Windows hotfix (KBnnnnnn), is a strong persistence indicator. The other Run keys were last written in April 2011 and are empty.
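A Run key in a user hive is only one of many autostart locations, and reading printkey output by eye does not scale once several hives and keys are involved. The following Python script is an added example for this post, not part of the original article or of Volatility: it parses printkey's text output into hive, last-written time and values, and flags values whose program lives in a user-writable profile or temp folder, or whose key was written shortly before the image was acquired (the image time is the one imageinfo reported above). The printkey excerpt embedded in it is copied from the output above (three of the seven hives, to keep it short); the path heuristics and the 24-hour "recent" window are choices made for this example.

```python
"""Triage Run-key values from Volatility printkey output.

Added example for this post; not part of the original article or of Volatility.
The printkey excerpt below is copied from the post's output (three of the
seven hives); IMAGE_TIME is the "Image date and time" from imageinfo.
The path heuristics and the 24-hour "recent" window are choices made for
this example.
"""
import re
from datetime import datetime, timedelta

IMAGE_TIME = datetime(2012, 7, 22, 2, 45, 8)

PRINTKEY_OUTPUT = r"""
Legend: (S) = Stable   (V) = Volatile
----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\Robert\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
Key name: Run (S)
Last updated: 2011-04-13 00:55:13 UTC+0000
Subkeys:
Values:
----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\Robert\NTUSER.DAT
Key name: Run (S)
Last updated: 2012-07-22 02:31:51 UTC+0000
Subkeys:
Values:
REG_SZ        KB00207877.exe  : (S) "C:\Documents and Settings\Robert\Application Data\KB00207877.exe"
----------------------------
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\default
Key name: Run (S)
Last updated: 2011-04-12 20:31:49 UTC+0000
Subkeys:
Values:
"""

# a printkey value line: type, name, (S)/(V), then the (usually quoted) data
VALUE_RE = re.compile(r'^(REG_\w+)\s+(\S+)\s*:\s*\((S|V)\)\s*"?([^"]*)"?\s*$')
# user-writable locations that legitimate autostart entries rarely use
SUSPECT_PATH = re.compile(r"\\(Documents and Settings|Users)\\|\\Application Data\\|\\AppData\\|\\Temp\\", re.I)
TRUSTED_PATH = re.compile(r"^[A-Za-z]:\\(WINDOWS|Program Files)\\", re.I)


def parse_printkey(text):
    """Return [{hive, key, last_updated, values:[{type, name, data}]}], one per hive block."""
    keys, cur = [], None
    for line in text.splitlines():
        if line.startswith("Registry:"):
            cur = {"hive": line.split(":", 1)[1].strip(), "key": None, "last_updated": None, "values": []}
            keys.append(cur)
        elif cur is None:
            continue
        elif line.startswith("Key name:"):
            cur["key"] = line.split(":", 1)[1].strip()
        elif line.startswith("Last updated:"):
            stamp = line.split(":", 1)[1].strip()            # 2012-07-22 02:31:51 UTC+0000
            cur["last_updated"] = datetime.strptime(stamp[:19], "%Y-%m-%d %H:%M:%S")
        else:
            m = VALUE_RE.match(line)
            if m:
                cur["values"].append({"type": m.group(1), "name": m.group(2), "data": m.group(4)})
    return keys


def triage_autoruns(keys, image_time=IMAGE_TIME, recent=timedelta(hours=24)):
    """Flag autostart values by where they run from and how recently the key changed."""
    findings = []
    for key in keys:
        age = image_time - key["last_updated"] if key["last_updated"] else None
        for v in key["values"]:
            reasons = []
            if SUSPECT_PATH.search(v["data"]):
                reasons.append("runs from a user-writable profile or temp path")
            elif not TRUSTED_PATH.match(v["data"]):
                reasons.append("runs from outside the Windows and Program Files folders")
            if age is not None and timedelta(0) <= age < recent:
                reasons.append("key written %s before the image was taken" % age)
            if reasons:
                findings.append({"hive": key["hive"], "name": v["name"], "data": v["data"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_autoruns(parse_printkey(PRINTKEY_OUTPUT)):
        print("%s = %s\n  hive: %s\n  %s" % (f["name"], f["data"], f["hive"], "; ".join(f["reasons"])))
```

For this dump it produces a single finding, KB00207877.exe, with two reasons: it runs from Robert's Application Data folder, and its Run key was written 13 minutes 17 seconds before the image was taken. The same parser works for the machine-wide keys (printkey -K "Microsoft\Windows\CurrentVersion\Run" against the SOFTWARE hive) and for Winlogon, Services and the other autostart keys.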
Check The Last Commands That Were Executed
We can now check the command lines of the processes on the machine under investigation, which give the full image path and the arguments each process was started with. This helps the investigator tie a process in memory to a file on disk. We are interested in process 1640, but running the cmdline plugin without -p shows every process (cmdline -p 1640 would restrict it to that one):
volatility_2.6_win64_standalone -f C:\Users\JOSEPH\Documents\cridex_memdump\cridex.vmem --profile=WinXPSP2x86 cmdline
The output is given below.
C:\Users\JOSEPH\Documents\volatility_2.6_win64_standalone\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone -f C:\Users\JOSEPH\Documents\cridex_memdump\cridex.vmem --profile=WinXPSP2x86 cmdline
Volatility Foundation Volatility Framework 2.6
************************************************************************
System pid: 4
************************************************************************
smss.exe pid: 368
Command line : \SystemRoot\System32\smss.exe
************************************************************************
csrss.exe pid: 584
Command line : C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
************************************************************************
winlogon.exe pid: 608
Command line : winlogon.exe
************************************************************************
services.exe pid: 652
Command line : C:\WINDOWS\system32\services.exe
************************************************************************
lsass.exe pid: 664
Command line : C:\WINDOWS\system32\lsass.exe
************************************************************************
svchost.exe pid: 824
Command line : C:\WINDOWS\system32\svchost -k DcomLaunch
************************************************************************
svchost.exe pid: 908
Command line : C:\WINDOWS\system32\svchost -k rpcss
************************************************************************
svchost.exe pid: 1004
Command line : C:\WINDOWS\System32\svchost.exe -k netsvcs
************************************************************************
svchost.exe pid: 1056
Command line : C:\WINDOWS\system32\svchost.exe -k NetworkService
************************************************************************
svchost.exe pid: 1220
Command line : C:\WINDOWS\system32\svchost.exe -k LocalService
************************************************************************
explorer.exe pid: 1484
Command line : C:\WINDOWS\Explorer.EXE
************************************************************************
spoolsv.exe pid: 1512
Command line : C:\WINDOWS\system32\spoolsv.exe
************************************************************************
reader_sl.exe pid: 1640
Command line : "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
************************************************************************
alg.exe pid: 788
Command line : C:\WINDOWS\System32\alg.exe
************************************************************************
wuauclt.exe pid: 1136
Command line : "C:\WINDOWS\system32\wuauclt.exe" /RunStoreAsComServer Local\[3ec]SUSDSb81eb56fa3105543beb3109274ef8ec1
************************************************************************
wuauclt.exe pid: 1588
Command line : "C:\WINDOWS\system32\wuauclt.exe"
The output confirms that process 1640 is Reader_sl.exe, the Adobe Reader 9.0 Speed Launcher, run from its expected path:
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
A legitimate name and path do not clear the process: what matters is whether the code actually executing in its address space matches that image on disk. That is what we examine next by extracting memory from the process for further analysis.
Export The Suspicious Application
The next step is to look at the code in reader_sl.exe's memory. The malfind plugin finds hidden or injected code and DLLs in user-mode memory by looking for private, committed VAD regions with execute permission (typically PAGE_EXECUTE_READWRITE) that no loaded module accounts for, and prints the first 64 bytes of each hit as a hex dump and a disassembly. With --dump-dir it also writes each flagged region to disk:
volatility_2.6_win64_standalone -f C:\Users\JOSEPH\Documents\cridex_memdump\cridex.vmem --profile=WinXPSP2x86 malfind -p 1640 --dump-dir C:\Users\JOSEPH\Documents\cridex_memdump
The output is given below
C:\Users\JOSEPH\Documents\volatility_2.6_win64_standalone\volatility_2.6_win64_standalone>volatility_2.6_win64_standalone -f C:\Users\JOSEPH\Documents\cridex_memdump\cridex.vmem --profile=WinXPSP2x86 malfind -p 1640 --dump-dir C:\Users\JOSEPH\Documents\cridex_memdump
Volatility Foundation Volatility Framework 2.6
Process: reader_sl.exe Pid: 1640 Address: 0x3d0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 33, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x003d0000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ..............
0x003d0010 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
0x003d0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x003d0030 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 ................
0x003d0000 4d DEC EBP
0x003d0001 5a POP EDX
0x003d0002 90 NOP
0x003d0003 0003 ADD [EBX], AL
0x003d0005 0000 ADD [EAX], AL
0x003d0007 000400 ADD [EAX+EAX], AL
0x003d000a 0000 ADD [EAX], AL
0x003d000c ff DB 0xff
0x003d000d ff00 INC DWORD [EAX]
0x003d000f 00b800000000 ADD [EAX+0x0], BH
0x003d0015 0000 ADD [EAX], AL
0x003d0017 004000 ADD [EAX+0x0], AL
0x003d001a 0000 ADD [EAX], AL
0x003d001c 0000 ADD [EAX], AL
0x003d001e 0000 ADD [EAX], AL
0x003d0020 0000 ADD [EAX], AL
0x003d0022 0000 ADD [EAX], AL
0x003d0024 0000 ADD [EAX], AL
0x003d0026 0000 ADD [EAX], AL
0x003d0028 0000 ADD [EAX], AL
0x003d002a 0000 ADD [EAX], AL
0x003d002c 0000 ADD [EAX], AL
0x003d002e 0000 ADD [EAX], AL
0x003d0030 0000 ADD [EAX], AL
0x003d0032 0000 ADD [EAX], AL
0x003d0034 0000 ADD [EAX], AL
0x003d0036 0000 ADD [EAX], AL
0x003d0038 0000 ADD [EAX], AL
0x003d003a 0000 ADD [EAX], AL
0x003d003c e000 LOOPNZ 0x3d003e
0x003d003e 0000 ADD [EAX], AL
The single region malfind flagged, at 0x3d0000 in reader_sl.exe, is private memory (PrivateMemory: 1, so not backed by any file) with PAGE_EXECUTE_READWRITE protection, and it begins with an MZ header: a complete executable image written into the process at run time rather than loaded from disk by the Windows loader, which is the classic sign of injected code. The DEC EBP / POP EDX at the top of the disassembly is not meaningful code, just the ASCII bytes 'M' and 'Z' decoded as x86; malfind disassembles every hit whether or not it is code. Because we passed --dump-dir, the flagged region was written to that folder as a .dmp file named after the process object and the region's address, and that file can be examined further or uploaded to VirusTotal, where most engines flag it as malicious.
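malfind prints the first 64 bytes of every region it flags, which is exactly enough to tell an injected PE image from raw shellcode without opening the dump file. The following Python script is an added example for this post, not part of the original article or of Volatility: it parses malfind's text output, rebuilds the 64 bytes from the hex dump, checks the VAD protection and PrivateMemory flag, and for an MZ header reads e_lfanew (the offset of the PE signature) from offset 0x3c. The malfind text embedded in it is copied from the output above.

```python
"""Triage malfind hits: injected PE image or raw code?

Added example for this post; not part of the original article or of Volatility.
The malfind text below is copied from the post's output (header and 64-byte hex
dump); the disassembly lines malfind prints underneath are not needed and are
skipped by the parser.
"""
import re
import struct

MALFIND_OUTPUT = """\
Process: reader_sl.exe Pid: 1640 Address: 0x3d0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 33, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x003d0000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............
0x003d0010  b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00   ........@.......
0x003d0020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x003d0030  00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00   ................
"""

HEADER_RE = re.compile(r"^Process: (\S+) Pid: (\d+) Address: (0x[0-9a-fA-F]+)", re.M)
# a hex-dump line is an address followed by exactly 16 byte pairs; disassembly
# lines such as "0x003d0000 4d DEC EBP" never have 16 pairs and are skipped
HEXLINE_RE = re.compile(r"^0x[0-9a-fA-F]+\s+((?:[0-9a-fA-F]{2} ){15}[0-9a-fA-F]{2})", re.M)


def parse_malfind(text):
    """One record per flagged region: header fields plus the reconstructed bytes."""
    regions = []
    heads = list(HEADER_RE.finditer(text))
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        chunk = text[m.start():end]
        prot = re.search(r"Protection: (PAGE_\w+)", chunk)      # the VAD line, not the Flags line
        regions.append({
            "process": m.group(1), "pid": int(m.group(2)), "address": int(m.group(3), 16),
            "protection": prot.group(1) if prot else None,
            "private": "PrivateMemory: 1" in chunk,
            "data": bytes.fromhex(" ".join(HEXLINE_RE.findall(chunk))),
        })
    return regions


def classify(region):
    """Return (verdict, details) for a malfind region from its first bytes and VAD flags."""
    data, details = region["data"], {}
    executable = "EXECUTE" in (region["protection"] or "")
    if len(data) >= 0x40 and data[:2] == b"MZ":
        # IMAGE_DOS_HEADER.e_lfanew at 0x3c: offset of the "PE\0\0" signature.
        # The DEC EBP / POP EDX malfind disassembles at the start is just 'M','Z'.
        details["e_lfanew"] = struct.unpack_from("<I", data, 0x3c)[0]
        if region["private"] and executable:
            # a full executable written into private RWX memory: injected image
            return "injected PE image", details
        return "PE header in non-private or non-executable memory", details
    if executable and region["private"]:
        return "executable private memory without PE header: inspect the disassembly", details
    return "not executable: likely data", details


if __name__ == "__main__":
    for r in parse_malfind(MALFIND_OUTPUT):
        verdict, details = classify(r)
        print("%s PID %d @ 0x%x [%s%s]: %s %s" % (
            r["process"], r["pid"], r["address"], r["protection"],
            ", private" if r["private"] else "", verdict,
            "(e_lfanew=0x%x)" % details["e_lfanew"] if "e_lfanew" in details else ""))
```

For the region at 0x3d0000 it returns the verdict "injected PE image" with e_lfanew = 0xe0, which is why the PE signature is not visible in the 64 bytes malfind shows: it lies at 0x3d00e0, inside the dumped file. A region that does not start with MZ is reported as executable code to be inspected in the disassembly instead, which is where position-independent shellcode shows up.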
There are many more Volatility plugins available. You can learn more about them in the documentation available on the Volatility Foundation website.