Monday, February 15, 2016

Tinba malware Memory Forensic

Forensic techniques have evolved in recent years. A lot of research has been done and many tools have been developed around forensics on live systems. The analysis approach has changed quite a bit: previously most of the analysis focused on the filesystem, but now the analysis of memory is a key step. This is because much of the evidence is in memory at some point, since anything running on a system has to pass through memory. In addition, some malware runs only in memory and never writes to disk, which means evidence can't be gathered from the file system, only from memory.

Some days ago I wrote about a version of Tinba, affecting a Swiss bank, which was using Tor. What information can be gathered from the memory of a system infected with such malware?

The first thing to do is to obtain a memory dump of the infected system. There are several tools and methods; I find the winpmem tool from the Rekall framework very easy to use. It can be run from an external USB drive and dump the memory onto that same drive, which can later be analysed on the forensic workstation.




Several tools exist to analyse memory dumps, some commercial and some free.
From Mandiant there is Redline, which I wrote about some time ago; Redline can both collect the data from the system and analyse it. There is also Volatility, which is multi-platform and can even be used to perform memory forensics on Android, as I wrote here.

In this post I am going to use Volatility; in a future post I will explain how to do the same with Redline.

There is a set of steps to perform memory forensics. A good document that covers those steps and the commands to run is the SANS memory forensics cheat sheet:
https://digital-forensics.sans.org/media/memory-forensics-cheat-sheet.pdf. The six steps are:
  1. Identify Rogue Processes 
  2. Analyze Process DLLs and Handles 
  3. Review Network Artifacts 
  4. Look for Evidence of Code Injection 
  5. Check for Signs of a Rootkit 
  6. Dump Suspicious Processes and Drivers 

1) Identify Rogue Processes 

The first step is to list the processes in memory with 'pslist'.

 volatility --plugins=plugins/ --profile=Win7SP1x64 -f mem-2.dmp pslist  
 Volatility Foundation Volatility Framework 2.5  
 Offset(V)     Name          PID  PPID  Thds   Hnds  Sess Wow64 Start             Exit  
 ------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------  
 0xfffffa8003c729c0 System          4   0   99   599 ------   0 2016-02-12 20:32:20 UTC+0000  
 0xfffffa800466eb10 smss.exe        272   4   2    30 ------   0 2016-02-12 20:32:20 UTC+0000  
 0xfffffa8004f01b10 csrss.exe        368  356   10   659   0   0 2016-02-12 20:32:21 UTC+0000  
 0xfffffa800482a510 wininit.exe       412  356   3    77   0   0 2016-02-12 20:32:24 UTC+0000  
 0xfffffa8004834b10 csrss.exe        420  404   10   321   1   0 2016-02-12 20:32:24 UTC+0000  
 0xfffffa800532a510 winlogon.exe      476  404   3   122   1   0 2016-02-12 20:32:25 UTC+0000  
 0xfffffa8005330b10 services.exe      500  412   15   259   0   0 2016-02-12 20:32:25 UTC+0000  
 0xfffffa8005354350 lsass.exe        528  412   7   637   0   0 2016-02-12 20:32:25 UTC+0000  
 0xfffffa8005361570 lsm.exe         536  412   11   206   0   0 2016-02-12 20:32:25 UTC+0000  
 0xfffffa80049ff060 svchost.exe       632  500   11   375   0   0 2016-02-12 20:32:26 UTC+0000  
 0xfffffa8004a33b10 vmacthlp.exe      692  500   3    55   0   0 2016-02-12 20:32:26 UTC+0000  
 0xfffffa8004a5db10 svchost.exe       736  500   8   321   0   0 2016-02-12 20:32:26 UTC+0000  
 0xfffffa800542cb10 svchost.exe       816  500   19   483   0   0 2016-02-12 20:32:27 UTC+0000  
 0xfffffa80054859c0 svchost.exe       884  500   18   438   0   0 2016-02-12 20:32:27 UTC+0000  
 0xfffffa80054b5b10 svchost.exe       928  500   17   625   0   0 2016-02-12 20:32:27 UTC+0000  
 0xfffffa80054d3b10 svchost.exe       956  500   47   1284   0   0 2016-02-12 20:32:27 UTC+0000  
 0xfffffa80054fcb10 svchost.exe       360  500   5   111   0   0 2016-02-12 20:32:27 UTC+0000  
 0xfffffa80055c9650 svchost.exe      1076  500   27   739   0   0 2016-02-12 20:32:28 UTC+0000  
 0xfffffa8005646b10 spoolsv.exe      1248  500   13   358   0   0 2016-02-12 20:32:28 UTC+0000  
 0xfffffa8005689060 svchost.exe      1280  500   19   321   0   0 2016-02-12 20:32:28 UTC+0000  
 0xfffffa800571eb10 armsvc.exe       1376  500   4    69   0   1 2016-02-12 20:32:29 UTC+0000  
 0xfffffa8005758b10 AppleOSSMgr.ex     1408  500   5    57   0   0 2016-02-12 20:32:29 UTC+0000  
 0xfffffa800577bb10 AppleTimeSrv.e     1444  500   4    55   0   0 2016-02-12 20:32:29 UTC+0000  
 0xfffffa8005780060 svchost.exe      1472  500   11   299   0   0 2016-02-12 20:32:29 UTC+0000  
 0xfffffa8005796b10 svchost.exe      1512  500   19   304   0   0 2016-02-12 20:32:29 UTC+0000  
 0xfffffa800594fb10 VGAuthService.     1636  500   3    88   0   0 2016-02-12 20:32:29 UTC+0000  
 0xfffffa80059c2b10 vmtoolsd.exe      1700  500   9   315   0   0 2016-02-12 20:32:29 UTC+0000  
 0xfffffa80049d85d0 svchost.exe      1900  500   6    94   0   0 2016-02-12 20:32:30 UTC+0000  
 0xfffffa8004a46060 WmiPrvSE.exe      1872  632   11   331   0   0 2016-02-12 20:32:30 UTC+0000  
 0xfffffa8005119b10 dllhost.exe      2056  500   13   194   0   0 2016-02-12 20:32:31 UTC+0000  
 0xfffffa8005189940 msdtc.exe       2248  500   12   146   0   0 2016-02-12 20:32:31 UTC+0000  
 0xfffffa8004088600 WmiPrvSE.exe      2596  632   9   244   0   0 2016-02-12 20:32:50 UTC+0000  
 0xfffffa8004301600 mscorsvw.exe      2924  500   6   111   0   1 2016-02-12 20:34:29 UTC+0000  
 0xfffffa8003d583e0 mscorsvw.exe      2972  500   6    84   0   0 2016-02-12 20:34:29 UTC+0000  
 0xfffffa800477fb10 svchost.exe      1176  500   14   390   0   0 2016-02-12 20:34:30 UTC+0000  
 0xfffffa80052b7440 wmpnetwk.exe      2704  500   14   429   0   0 2016-02-12 20:34:38 UTC+0000  
 0xfffffa80052d8610 SearchIndexer.     1776  500   12   619   0   0 2016-02-12 20:34:39 UTC+0000  
 0xfffffa800528eb10 TrustedInstall     2684  500   5   130   0   0 2016-02-12 20:35:27 UTC+0000  
 0xfffffa8005c18840 taskhost.exe      2176  500   11   281   1   0 2016-02-12 20:38:21 UTC+0000  
 0xfffffa8005381060 dwm.exe        2468  884   3    71   1   0 2016-02-12 20:38:21 UTC+0000  
 0xfffffa8005c47320 explorer.exe      2080  2824   44   1032   1   0 2016-02-12 20:38:21 UTC+0000  
 0xfffffa8005c88b10 Bootcamp.exe      2552  2080   6   139   1   0 2016-02-12 20:38:22 UTC+0000  
 0xfffffa8005c92530 vmtoolsd.exe      2300  2080   7   280   1   0 2016-02-12 20:38:22 UTC+0000  
 0xfffffa8005cd7180 audiodg.exe      1556  816   4   129   0   0 2016-02-12 20:38:22 UTC+0000  
 0xfffffa8005d89b10 GWX.exe        1668  620   4   196   1   0 2016-02-12 20:38:37 UTC+0000  
 0xfffffa8005d09060 cmd.exe        3872  2080   1    23   1   0 2016-02-13 20:11:42 UTC+0000  
 0xfffffa8005d07060 conhost.exe      2832  420   2    44   1   0 2016-02-13 20:11:42 UTC+0000  
 0xfffffa8006065060 Procmon.exe      3192  2080   5   174   1   1 2016-02-13 20:17:46 UTC+0000  
 0xfffffa8005175b10 Procmon64.exe     4036  3192   11   249   1   0 2016-02-13 20:17:46 UTC+0000  
 0xfffffa8005ef8b10 Verifikation.e     3924  2080   25   432   1   1 2016-02-13 20:19:30 UTC+0000  
 0xfffffa8005dea060 winpmem_1.6.2.     3748  3872   1    29   1   1 2016-02-13 20:19:41 UTC+0000  



The highlighted process, Verifikation.e (PID 3924), is suspicious as it is not a known Windows OS process, so it is worth investigating.
In some cases it is not so obvious: the malicious process can use a valid process name (like svchost.exe), or it might have "infected" a valid process through DLL injection or process hollowing.

The processes listed above are the ones in the OS's list of running processes, but some malware tries to hide a malicious process by unlinking it from that list (which is a doubly linked list). Without going into much detail, I can check whether there are such 'hidden' processes with 'psscan':




In this case Volatility shows that a process with PID 0 exists, which is also worth investigating, as this is not something common.
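The post spots the rogue process by name; the following added example (not code from the original post) does the same mechanically over the 'pslist' text output and adds the check for malware that borrows a valid name such as svchost.exe: each core Windows 7 process is compared against the parent Windows normally gives it. The baseline tables, the helper names and the extra svchost.exe row (PID 9999) are constructed for this example; the other sample rows are copied from the pslist output above.

```python
"""Parent/child sanity check over Volatility 2 'pslist' output (added example)."""

# Expected parent image name(s) for core Windows 7 processes (constructed
# baseline; a real case should build this from a gold image).
EXPECTED_PARENT = {
    "smss.exe": {"System"},
    "csrss.exe": {"smss.exe"},
    "wininit.exe": {"smss.exe"},
    "winlogon.exe": {"smss.exe"},
    "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"},
    "lsm.exe": {"wininit.exe"},
    "svchost.exe": {"services.exe"},
    "spoolsv.exe": {"services.exe"},
    "taskhost.exe": {"services.exe"},
    "dwm.exe": {"svchost.exe"},
    "explorer.exe": {"userinit.exe"},
}
# Parents that exit right after spawning their child, so a missing parent
# is normal for csrss, wininit, winlogon and explorer.
TRANSIENT_PARENTS = {"smss.exe", "userinit.exe"}
# Other names accepted without comment on this lab VM (constructed list).
KNOWN_NAMES = {"System", "conhost.exe", "cmd.exe", "vmtoolsd.exe"}


def parse_pslist(text):
    """Return {pid: (name, ppid)} from the 'pslist' text table.

    Data rows start with a kernel address; Volatility prints the name
    truncated (e.g. 'Verifikation.e'), so names are compared as printed.
    """
    procs = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or not tok[0].startswith("0x"):
            continue  # banner, header or separator line
        procs[int(tok[2])] = (tok[1], int(tok[3]))
    return procs


def lineage_findings(procs):
    """Return (pid, name, verdict) for every process that needs a look."""
    findings = []
    for pid, (name, ppid) in sorted(procs.items()):
        if name in EXPECTED_PARENT:
            parent = procs.get(ppid)
            if parent is None:
                # Only a problem when the expected parent is long-lived.
                if not EXPECTED_PARENT[name] <= TRANSIENT_PARENTS:
                    findings.append((pid, name, "parent not running"))
            elif parent[0] not in EXPECTED_PARENT[name]:
                findings.append((pid, name, "unexpected parent " + parent[0]))
        elif name not in KNOWN_NAMES:
            findings.append((pid, name, "not in baseline"))
    return findings


# Rows copied from the post's pslist output (the smss.exe instances 356/404
# and explorer's userinit.exe parent have already exited), plus one
# constructed svchost.exe (PID 9999) started by explorer.exe.
SAMPLE_PSLIST = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0xfffffa8003c729c0 System                    4      0     99      599 ------      0 2016-02-12 20:32:20 UTC+0000
0xfffffa800466eb10 smss.exe                272      4      2       30 ------      0 2016-02-12 20:32:20 UTC+0000
0xfffffa8004f01b10 csrss.exe               368    356     10      659      0      0 2016-02-12 20:32:21 UTC+0000
0xfffffa800482a510 wininit.exe             412    356      3       77      0      0 2016-02-12 20:32:24 UTC+0000
0xfffffa800532a510 winlogon.exe            476    404      3      122      1      0 2016-02-12 20:32:25 UTC+0000
0xfffffa8005330b10 services.exe            500    412     15      259      0      0 2016-02-12 20:32:25 UTC+0000
0xfffffa8005354350 lsass.exe               528    412      7      637      0      0 2016-02-12 20:32:25 UTC+0000
0xfffffa80049ff060 svchost.exe             632    500     11      375      0      0 2016-02-12 20:32:26 UTC+0000
0xfffffa8005c47320 explorer.exe           2080   2824     44     1032      1      0 2016-02-12 20:38:21 UTC+0000
0xfffffa8005ef8b10 Verifikation.e         3924   2080     25      432      1      1 2016-02-13 20:19:30 UTC+0000
0xfffffa8000001000 svchost.exe            9999   2080      3       40      1      0 2016-02-13 20:19:31 UTC+0000
"""

if __name__ == "__main__":
    for finding in lineage_findings(parse_pslist(SAMPLE_PSLIST)):
        print("PID %5d %-16s %s" % finding)
```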

2) Analyse Process DLLs and Handles 

The next step is to identify the DLLs loaded by the process; there might be a suspicious DLL among them. This is done with 'dlllist':

 volatility --plugins=plugins/ --profile=Win7SP1x64 -f mem-2.dmp dlllist -p 3924  
 Volatility Foundation Volatility Framework 2.5  
 ************************************************************************  
 Verifikation.e pid:  3924  
 Command line : "C:\Users\angel\Desktop\file\Verifikation.exe"  
 Note: use ldrmodules for listing DLLs in Wow64 processes  
 Base               Size     LoadCount Path  
 ------------------ ------------------ ------------------ ----  
 0x0000000000400000      0x42000       0xffff C:\Users\angel\Desktop\file\Verifikation.exe  
 0x0000000076eb0000      0x1aa000       0xffff C:\Windows\SYSTEM32\ntdll.dll  
 0x0000000073480000      0x3f000        0x3 C:\Windows\SYSTEM32\wow64.dll  
 0x0000000073420000      0x5c000        0x1 C:\Windows\SYSTEM32\wow64win.dll  
 0x0000000073410000       0x8000        0x1 C:\Windows\SYSTEM32\wow64cpu.dll  

In this case I do not see any suspicious DLL. As a note, the "Command line" field shows the exact command that was executed to launch the malicious process.

Handles, which are basically any kind of object the process deals with (registry keys, files, threads, processes, mutants (mutexes), directories, etc.), can provide very useful information. Running Volatility with 'handles' lists all of them.



 volatility --plugins=plugins/ --profile=Win7SP1x64 -f mem-2.dmp handles -p 3924  
 Volatility Foundation Volatility Framework 2.5  
 Offset(V)       Pid       Handle       Access Type       Details  
 ------------------ ------ ------------------ ------------------ ---------------- -------  
 0xfffff8a001c49610  3924        0x4        0x9 Key       MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS  
 0xfffff8a0007de800  3924        0x8        0x3 Directory    KnownDlls  
 0xfffff8a005ce5480  3924        0xc        0x3 Directory    KnownDlls32  
 0xfffffa800558a070  3924        0x10      0x100020 File       \Device\HarddiskVolume2\Windows  
 0xfffff8a001c49740  3924        0x14        0x9 Key       MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS  
 0xfffff8a005ce5480  3924        0x18        0x3 Directory    KnownDlls32  
 0xfffffa8005dd4b40  3924        0x1c      0x100020 File       \Device\HarddiskVolume2\Users\angel\Desktop\file  
 0xfffff8a003db5fa0  3924        0x20      0x20019 Key       MACHINE\SYSTEM\CONTROLSET001\CONTROL\NLS\SORTING\VERSIONS  
 0xfffffa800548fb00  3924        0x24      0x1f0001 Mutant  
 0xfffffa8005231e60  3924        0x28      0x1f0001 ALPC Port  
 0xfffff8a001d0c330  3924        0x2c        0x1 Key       MACHINE\SYSTEM\CONTROLSET001\CONTROL\SESSION MANAGER  
 0xfffffa8005657270  3924        0x30      0x100003 Semaphore  
 0xfffffa8003d69060  3924        0x34      0x100003 Semaphore  
 0xfffffa8005592060  3924        0x38      0x1f0001 Mutant  
 0xfffff8a003aeff20  3924        0x3c      0x20019 Key       MACHINE  
 0xfffffa8005b5e6b0  3924        0x40      0x1f0003 Event  
 0xfffffa800464e520  3924        0x44       0x804 EtwRegistration  
 0xfffffa8005e0fd40  3924        0x48      0x1f0001 Mutant  
 0xfffff8a003848880  3924        0x4c      0xf003f Key       USER\S-1-5-21-3207478364-1257758836-272776370-1001  
 0xfffffa8005ff2330  3924        0x50      0x100020 File       \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc  
 ....  
 ...  
 ...  

However, the output of 'handles' can be huge, so it can be filtered with an additional parameter, for example '-t mutant', which shows only the mutexes (aka mutants). A mutex is a synchronisation object used to guarantee exclusive access to a resource at a given moment. Malware uses such mutants to avoid running multiple instances of itself on the same system.

 volatility --plugins=plugins/ --profile=Win7SP1x64 -f mem-2.dmp handles -p 3924 -t mutant  
 Volatility Foundation Volatility Framework 2.5  
 Offset(V)       Pid       Handle       Access Type       Details  
 ------------------ ------ ------------------ ------------------ ---------------- -------  
 0xfffffa800548fb00  3924        0x24      0x1f0001 Mutant  
 0xfffffa8005592060  3924        0x38      0x1f0001 Mutant  
 0xfffffa8005e0fd40  3924        0x48      0x1f0001 Mutant  
 0xfffffa8005e3e830  3924        0xcc      0x1f0001 Mutant  
 0xfffffa8005c91640  3924       0x2fc      0x1f0001 Mutant      ZonesCacheCounterMutex  
 0xfffffa8005b07fc0  3924       0x300      0x1f0001 Mutant      ZonesLockedCacheCounterMutex  
 0xfffffa8005c3e670  3924       0x444      0x100000 Mutant      MSCTF.Asm.MutexDefault1  
 0xfffffa8004e36ec0  3924       0x480      0x1f0001 Mutant      !IECompat!Mutex  
 0xfffffa8005c5d770  3924       0x53c      0x1f0001 Mutant  
 0xfffffa800595a600  3924       0x544      0x1f0001 Mutant  
 0xfffffa8005f67ec0  3924       0x5ec      0x1f0001 Mutant  
 0xfffffa8005a8e9a0  3924       0x5f4      0x1f0001 Mutant  
 0xfffffa80059b4d70  3924       0x5f8      0x1f0001 Mutant      __DDrawExclMode__  
 0xfffffa80052f21c0  3924       0x600      0x1f0001 Mutant      __DDrawCheckExclMode__  
 0xfffffa80045ff200  3924       0x604      0x1f0001 Mutant      DDrawWindowListMutex  
 0xfffffa800595c7c0  3924       0x608      0x1f0001 Mutant      DDrawDriverObjectListMutex  


Sometimes the mutex is unique and can be used as a fingerprint. Here we see several mutants, like "!IECompat!Mutex".

The same approach can be used to filter for registry keys or any other object type; this is done with '-t key'. With 'key' it might be possible to identify malware that creates an autorun key for persistence, or makes any other change to the registry.


In this case there are no autorun registry keys involved.

To look deeper into whether the malware is persistent, for example running as a service, 'svcscan' can be used. Since I am interested in detecting any suspicious binary executed through a service, I grep for it:


 volatility --plugins=plugins/ --profile=Win7SP1x64 -f mem-2.dmp svcscan | egrep -e "(ImagePath|Binary Path)" | grep -v "Binary Path: -"  
 Volatility Foundation Volatility Framework 2.5  
 Binary Path: C:\Windows\system32\svchost.exe -k netsvcs  
 Binary Path: C:\Windows\system32\svchost.exe -k netsvcs  
 Binary Path: C:\Windows\system32\lsass.exe  
 Binary Path: \Driver\rspndr  
 Binary Path: C:\Windows\system32\svchost.exe -k RPCSS  
 Binary Path: C:\Windows\system32\svchost.exe -k RPCSS  
 Binary Path: \Driver\RFCOMM  
 Binary Path: \Driver\rdyboost  
 Binary Path: \Driver\RDPWD  
 Binary Path: \Driver\RDPREFMP  
 Binary Path: \Driver\RDPENCDD  
 Binary Path: \Driver\RDPDR  
 Binary Path: \Driver\RDPCDD  
 Binary Path: \Driver\rdpbus  
 Binary Path: \FileSystem\rdbss  
 Binary Path: \Driver\RasSstp  
 Binary Path: \Driver\RasPppoe  
 Binary Path: \Driver\Rasl2tp  
 Binary Path: \Driver\RasAgileVpn  
 Binary Path: \Driver\Psched  
 Binary Path: C:\Windows\system32\svchost.exe -k netsvcs  
 Binary Path: \Driver\PptpMiniport  
 Binary Path: C:\Windows\system32\svchost.exe -k DcomLaunch  
 Binary Path: \Driver\PNPMEM  
 Binary Path: C:\Windows\system32\svchost.exe -k DcomLaunch  
 Binary Path: \Driver\PEAUTH  
 Binary Path: \Driver\pcw  
 Binary Path: \Driver\pci  
 Binary Path: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted  
 Binary Path: \Driver\partmgr  
 Binary Path: \Driver\Parport  
 Binary Path: \Driver\Null  
 Binary Path: \FileSystem\Ntfs  
 Binary Path: \Driver\nsiproxy  
 Binary Path: C:\Windows\system32\svchost.exe -k LocalService  
 Binary Path: \FileSystem\Npfs  
 Binary Path: \Driver\NPF  
 Binary Path: C:\Windows\system32\svchost.exe -k NetworkService  
 Binary Path: C:\Windows\system32\svchost.exe -k LocalService  
 Binary Path: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted  
 Binary Path: \Driver\NetBT  
 Binary Path: \FileSystem\NetBIOS  
 Binary Path: \Driver\NDProxy  
 Binary Path: \Driver\NdisWan  
 Binary Path: \Driver\NdisTapi  
 Binary Path: \Driver\NDIS  
 Binary Path: \FileSystem\Mup  
 Binary Path: \Driver\mssmbios  
 Binary Path: \Driver\msisadrv  
 Binary Path: \FileSystem\Msfs  
 Binary Path: C:\Windows\System32\msdtc.exe  
 Binary Path: \Driver\msahci  
 Binary Path: \FileSystem\mrxsmb20  
 Binary Path: \FileSystem\mrxsmb10  
 Binary Path: \FileSystem\mrxsmb  
 Binary Path: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork  
 Binary Path: \Driver\mpsdrv  
 Binary Path: \Driver\mountmgr  
 Binary Path: \Driver\mouhid  
 Binary Path: \Driver\mouclass  
 Binary Path: \Driver\monitor  
 Binary Path: C:\Windows\system32\svchost.exe -k netsvcs  
 Binary Path: \Driver\MacHALDriver  
 Binary Path: \FileSystem\luafv  
 Binary Path: \Driver\LSI_SAS  
 Binary Path: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted  
 Binary Path: \Driver\lltdio  
 Binary Path: C:\Windows\system32\svchost.exe -k NetworkService  
 Binary Path: C:\Windows\system32\svchost.exe -k netsvcs  
 Binary Path: \Driver\ksthunk  
 Binary Path: \Driver\KSecPkg  
 Binary Path: \Driver\KSecDD  
 Binary Path: \Driver\KeyAgent  
 Binary Path: \Driver\kbdclass  
 Binary Path: C:\Windows\system32\svchost.exe -k netsvcs  
 Binary Path: \Driver\intelppm  
 Binary Path: \Driver\intelide  
 Binary Path: C:\Windows\system32\svchost.exe -k netsvcs  
 Binary Path: \Driver\i8042prt  
 Binary Path: \Driver\hwpolicy  
 Binary Path: \Driver\HTTP  
 Binary Path: \Driver\HidUsb  
 Binary Path: \Driver\HDAudBus  
 Binary Path: \Driver\HdAudAddService  
 Binary Path: C:\Windows\system32\svchost.exe -k GPSvcGroup  
 Binary Path: \Driver\fvevol  
 Binary Path: C:\Windows\system32\svchost.exe -k LocalService  
 Binary Path: \FileSystem\FltMgr  
 Binary Path: \Driver\flpydisk  
 Binary Path: \FileSystem\FileInfo  
 Binary Path: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation  
 Binary Path: \Driver\fdc  
 Binary Path: C:\Windows\system32\svchost.exe -k LocalService  
 Binary Path: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted  
 Binary Path: \Driver\E1G60  
 Binary Path: \Driver\DXGKrnl  
 Binary Path: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork  
 Binary Path: C:\Windows\system32\svchost.exe -k NetworkService  
 Binary Path: \Driver\Disk  
 Binary Path: \Driver\discache  
 Binary Path: C:\Windows\System32\svchost.exe -k utcsvc  
 Binary Path: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted  
 Binary Path: \FileSystem\DfsC  
 Binary Path: C:\Windows\system32\svchost.exe -k DcomLaunch  
 Binary Path: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted  
 Binary Path: \Driver\CSC  
 Binary Path: C:\Windows\system32\svchost.exe -k NetworkService  
 Binary Path: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}  
 Binary Path: \Driver\CompositeBus  
 Binary Path: \Driver\Compbatt  
 Binary Path: \Driver\CNG  
 Binary Path: \Driver\CmBatt  
 Binary Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe  
 Binary Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe  
 Binary Path: \Driver\CLFS  
 Binary Path: C:\Windows\system32\svchost.exe -k netsvcs  
 Binary Path: \Driver\cdrom  
 Binary Path: \Driver\BTHUSB  
 Binary Path: C:\Windows\system32\svchost.exe -k bthsvcs  
 Binary Path: \Driver\BthEnum  
 Binary Path: C:\Windows\system32\svchost.exe -k netsvcs  
 Binary Path: \FileSystem\bowser  
 Binary Path: \Driver\blbdrive  
 Binary Path: C:\Windows\system32\svchost.exe -k netsvcs  
 Binary Path: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork  
 Binary Path: \Driver\Beep  
 Binary Path: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted  
 Binary Path: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted  
 Binary Path: \Driver\atapi  
 Binary Path: \Driver\AsyncMac  
 Binary Path: C:\Windows\system32\AppleTimeSrv.exe  
 Binary Path: C:\Windows\system32\AppleOSSMgr.exe  
 Binary Path: \Driver\AppleMNT  
 Binary Path: \FileSystem\AppleHFS  
 Binary Path: C:\Windows\system32\svchost.exe -k netsvcs  
 Binary Path: \Driver\amdxata  
 Binary Path: \Driver\AFD  
 Binary Path: C:\Windows\system32\svchost.exe -k netsvcs  
 Binary Path: "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"  
 Binary Path: \Driver\ACPI  
 Binary Path: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted  
 Binary Path: \Driver\usbuhci  
 Binary Path: \Driver\USBPcap  
 Binary Path: \Driver\usbhub  
 Binary Path: \Driver\usbehci  
 Binary Path: \Driver\usbccgp  
 Binary Path: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation  
 Binary Path: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted  
 Binary Path: \Driver\umbus  
 Binary Path: \Driver\tunnel  
 Binary Path: \Driver\tssecsrv  
 Binary Path: C:\Windows\servicing\TrustedInstaller.exe  
 Binary Path: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted  
 Binary Path: C:\Windows\system32\svchost.exe -k netsvcs  
 Binary Path: C:\Windows\system32\svchost.exe -k NetworkService  
 Binary Path: \Driver\TermDD  
 Binary Path: \Driver\tdx  
 Binary Path: \Driver\TDTCP  
 Binary Path: \Driver\tcpipreg  
 Binary Path: \Driver\Tcpip  
 Binary Path: \Driver\swenum  
 Binary Path: \Driver\storflt  
 Binary Path: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation  
 Binary Path: \FileSystem\srvnet  
 Binary Path: \FileSystem\srv2  
 Binary Path: \FileSystem\srv  
 Binary Path: C:\Windows\System32\spoolsv.exe  
 Binary Path: \Driver\spldr  
 Binary Path: C:\Windows\system32\svchost.exe -k netsvcs  
 Binary Path: C:\Windows\system32\svchost.exe -k netsvcs  
 Binary Path: \Driver\Serial  
 Binary Path: \Driver\Serenum  
 Binary Path: C:\Windows\system32\SearchIndexer.exe /Embedding  
 Binary Path: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted  
 Binary Path: \Driver\ws2ifsl  
 Binary Path: "C:\Program Files\Windows Media Player\wmpnetwk.exe"  
 Binary Path: C:\Windows\system32\svchost.exe -k NetworkService  
 Binary Path: C:\Windows\system32\svchost.exe -k netsvcs  
 Binary Path: C:\Windows\system32\svchost.exe -k LocalService  
 Binary Path: C:\Windows\System32\svchost.exe -k secsvcs  
 Binary Path: \Driver\WfpLwf  
 Binary Path: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted  
 Binary Path: C:\Windows\system32\svchost.exe -k LocalService  
 Binary Path: \Driver\Wdf01000  
 Binary Path: \Driver\Wanarpv6  
 Binary Path: \Driver\vsock  
 Binary Path: \Driver\volsnap  
 Binary Path: \Driver\volmgrx  
 Binary Path: \Driver\volmgr  
 Binary Path: "C:\Program Files\VMware\VMware Tools\vmacthlp.exe"  
 Binary Path: \Driver\vmusbmouse  
 Binary Path: "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"  
 Binary Path: \Driver\vmrawdsk  
 Binary Path: \Driver\vmmouse  
 Binary Path: \Driver\VMMEMCTL  
 Binary Path: \FileSystem\vmhgfs  
 Binary Path: \Driver\vmci  
 Binary Path: \Driver\vm3dmp  
 Binary Path: "C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe"  
 Binary Path: \Driver\VgaSave  
 Binary Path: \Driver\vdrvroot  
 Binary Path: C:\Windows\system32\lsass.exe  
 Binary Path: C:\Windows\system32\svchost.exe -k netsvcs  
 Binary Path: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted  
 Binary Path: \Driver\WudfPf  

No suspicious autorun service detected, so the malware is not persisting through a service, nor through an autorun registry key as we saw previously.


I am also interested in seeing which files are opened, for example if something is downloaded from the Internet (an exe, a malicious JS, HTML, etc.).




In this case some websites were visited and some temporary files were stored.

3) Review network artifacts


Network artifacts provide a lot of useful information: ports a process is listening on, network connections from/to the host, etc. For Windows 7 the plugin is 'netscan':



 volatility --plugins=plugins/ --profile=Win7SP1x64 -f mem-2.dmp netscan  
 Volatility Foundation Volatility Framework 2.5  
 Offset(P)     Proto  Local Address         Foreign Address   State      Pid   Owner     Created  
 0x2230cf0     UDPv4  0.0.0.0:3702          *:*                  1512   svchost.exe  2016-02-13 20:09:12 UTC+0000  
 0x752ecf0     UDPv4  0.0.0.0:3702          *:*                  1512   svchost.exe  2016-02-13 20:09:12 UTC+0000  
 0x754e370     UDPv4  127.0.0.1:55616        *:*                  1512   svchost.exe  2016-02-13 20:08:52 UTC+0000  
 0x7576d00     UDPv4  0.0.0.0:51553         *:*                  1512   svchost.exe  2016-02-12 20:32:29 UTC+0000  
 0x7576d00     UDPv6  :::51553            *:*                  1512   svchost.exe  2016-02-12 20:32:29 UTC+0000  
 0x7577110     UDPv4  0.0.0.0:51552         *:*                  1512   svchost.exe  2016-02-12 20:32:29 UTC+0000  
....
 0x125d93200    TCPv6  :::5357            :::0         LISTENING    4    System  
 0x12732b110    UDPv4  0.0.0.0:51552         *:*                  1512   svchost.exe  2016-02-12 20:32:29 UTC+0000  
 0x13de0f890    UDPv4  192.168.113.229:1900      *:*                  1512   svchost.exe  2016-02-13 20:08:52 UTC+0000  
 0x13de3ec40    UDPv4  192.168.113.229:137      *:*                  4    System     2016-02-13 20:08:52 UTC+0000  
 0x13dfbe490    UDPv4  0.0.0.0:53670         *:*                  1076   svchost.exe  2016-02-13 20:19:35 UTC+0000  
 0x13e16f890    UDPv4  0.0.0.0:5355          *:*                  1076   svchost.exe  2016-02-13 20:08:55 UTC+0000  
 0x13e1f3300    UDPv4  192.168.113.229:138      *:*                  4    System     2016-02-13 20:08:52 UTC+0000  
 0x13de23010    TCPv4  192.168.113.229:49209     94.23.50.33:80    ESTABLISHED   3924   Verifikation.e  
 0x13de3dcf0    TCPv4  192.168.113.229:49207     103.198.0.2:80    CLOSE_WAIT    3924   Verifikation.e  
 0x13de5c010    TCPv4  192.168.113.229:49208     103.198.0.2:80    CLOSE_WAIT    3924   Verifikation.e  
 0x13de5d9d0    TCPv6  -:0              3842:3a05:80fa:ffff:3842:3a05:80fa:ffff:0 CLOSED      1076   svchost.exe  
 0x13e2a6ec0    UDPv4  127.0.0.1:1900         *:*                  1512   svchost.exe  2016-02-13 20:08:52 UTC+0000  
 0x13e5399a0    UDPv4  0.0.0.0:500          *:*                  956   svchost.exe  2016-02-12 20:32:29 UTC+0000  
...

 0x13f970010    TCPv6  -:0              c829:c703:80fa:ffff:c829:c703:80fa:ffff:0 CLOSED      4    System  

In this case we see that our suspicious process has made several connections to two different IPs: 94.23.50.33 and 103.198.0.2.
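The peers read off the table above can be extracted per process; the following added example (not code from the original post) parses the 'netscan' text and lists the routable foreign endpoints of one PID. It handles a column quirk of this output: UDP rows print no State column, so the token after Foreign Address is the PID for UDP rows but the State for TCP rows. The helper names are my own and the sample rows are copied (abridged) from the netscan output above.

```python
"""Per-process peer extraction from Volatility 2 'netscan' output (added example)."""
import ipaddress


def parse_netscan(text):
    """Return one dict per data row of the 'netscan' table."""
    rows = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or not tok[0].startswith("0x"):
            continue  # banner, header or '....' continuation lines
        offset, proto, local, foreign = tok[:4]
        rest = tok[4:]
        if rest[0].lstrip("-").isdigit():      # UDP row: no State column
            state, pid, rest = "", int(rest[0]), rest[1:]
        else:                                  # TCP row: State, then PID
            state, pid, rest = rest[0], int(rest[1]), rest[2:]
        # Owner is blank for orphaned sockets; on UDP rows a Created
        # timestamp (starting with a digit) follows it.
        owner = rest[0] if rest and not rest[0][0].isdigit() else ""
        rows.append({"offset": offset, "proto": proto, "local": local,
                     "foreign": foreign, "state": state, "pid": pid,
                     "owner": owner})
    return rows


def split_endpoint(addr):
    """Split 'ip:port' (IPv4 or IPv6) into (ip, port); port is None if absent."""
    ip, sep, port = addr.rpartition(":")
    return (ip, int(port)) if sep and port.isdigit() else (addr, None)


def is_routable(ip):
    """True for a public address; False for private, loopback, link-local,
    multicast or unspecified addresses and for non-address text like '*'."""
    try:
        a = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not (a.is_private or a.is_loopback or a.is_link_local
                or a.is_multicast or a.is_unspecified)


def external_peers(rows, pid):
    """Sorted unique (foreign_ip, foreign_port, state) for one PID."""
    peers = set()
    for r in rows:
        if r["pid"] == pid:
            ip, port = split_endpoint(r["foreign"])
            if is_routable(ip):
                peers.add((ip, port, r["state"]))
    return sorted(peers)


def listeners(rows):
    """Sorted (proto, local, owner) for TCP sockets in LISTENING state."""
    return sorted({(r["proto"], r["local"], r["owner"])
                   for r in rows if r["state"] == "LISTENING"})


# Rows copied (abridged) from the post's netscan output.
SAMPLE_NETSCAN = """\
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x2230cf0          UDPv4    0.0.0.0:3702                   *:*                                   1512     svchost.exe    2016-02-13 20:09:12 UTC+0000
0x754e370          UDPv4    127.0.0.1:55616                *:*                                   1512     svchost.exe    2016-02-13 20:08:52 UTC+0000
0x7576d00          UDPv6    :::51553                       *:*                                   1512     svchost.exe    2016-02-12 20:32:29 UTC+0000
0x125d93200        TCPv6    :::5357                        :::0                 LISTENING        4        System
0x13de3ec40        UDPv4    192.168.113.229:137            *:*                                   4        System         2016-02-13 20:08:52 UTC+0000
0x13de23010        TCPv4    192.168.113.229:49209          94.23.50.33:80       ESTABLISHED      3924     Verifikation.e
0x13de3dcf0        TCPv4    192.168.113.229:49207          103.198.0.2:80       CLOSE_WAIT       3924     Verifikation.e
0x13de5c010        TCPv4    192.168.113.229:49208          103.198.0.2:80       CLOSE_WAIT       3924     Verifikation.e
0x13de5d9d0        TCPv6    -:0                            3842:3a05:80fa:ffff:3842:3a05:80fa:ffff:0 CLOSED           1076     svchost.exe
0x13e5399a0        UDPv4    0.0.0.0:500                    *:*                                   956      svchost.exe    2016-02-12 20:32:29 UTC+0000
"""

if __name__ == "__main__":
    rows = parse_netscan(SAMPLE_NETSCAN)
    print("peers of PID 3924:", external_peers(rows, 3924))
    print("listeners:", listeners(rows))
```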



4) Look for Code Injection

Malware uses code injection to hide itself inside other, legitimate processes. There are two main techniques: DLL injection and process hollowing. From a memory forensics point of view, however, both look the same: one or more memory sections containing executable code are injected into a valid process.


There are two very good Volatility plugins for this purpose: malfind and ldrmodules.

Malfind searches for private memory sections that are marked executable.

Malfind has a high true-positive rate, but false positives also happen.

 volatility --plugins=plugins/ --profile=Win7SP1x64 -f mem-2.dmp malfind --dump-dir=out-after/  
 Volatility Foundation Volatility Framework 2.5  
 Process: WmiPrvSE.exe Pid: 2596 Address: 0x1660000  
 Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE  
 Flags: CommitCharge: 2, PrivateMemory: 1, Protection: 6  
 0x01660000 00 00 00 00 00 00 00 00 e0 56 1f 95 eb 19 00 01  .........V......  
 0x01660010 ee ff ee ff 00 00 00 00 28 01 66 01 00 00 00 00  ........(.f.....  
 0x01660020 28 01 66 01 00 00 00 00 00 00 66 01 00 00 00 00  (.f.......f.....  
 0x01660030 00 00 66 01 00 00 00 00 80 00 00 00 00 00 00 00  ..f.............  
 0x01660000 0000       ADD [EAX], AL  
 0x01660002 0000       ADD [EAX], AL  
 0x01660004 0000       ADD [EAX], AL  
 ...  
 ...  
 ..  

The output shows a few processes that might be injected:





Obviously Verifikation.exe is not worth investigating here, as we already know it is the suspicious process. For the rest of the processes, after checking, these are false positives.

With ldrmodules the same analysis is performed, and nothing catches my attention.

This piece of malware is not performing any code injection.
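The false-positive sorting done by hand above can be started from the bytes malfind prints. The following added example (not code from the original post) parses the malfind text and classifies each region by its first bytes: a region starting with an 'MZ' header is a privately mapped PE image and a prime injection candidate, while a region whose bytes at +0x10 (x64) or +0x08 (x86) read 'ee ff ee ff' carries the NT heap segment signature 0xFFEEFFEE, that is an executable heap, which is usually benign; the WmiPrvSE.exe region above shows exactly that pattern. The helper names are my own; the sample copies the WmiPrvSE.exe region from the output above and adds one constructed MZ region ('sample.exe', PID 1234).

```python
"""Triage of Volatility 2 'malfind' regions by their first bytes (added example)."""
import re

HEX_BYTE = re.compile(r"^[0-9a-f]{2}$")
HEADER = re.compile(r"^Process: (\S+) Pid: (\d+) Address: (0x[0-9a-fA-F]+)")
HEAP_SEGMENT_SIG = bytes.fromhex("eeffeeff")   # little-endian 0xFFEEFFEE


def parse_malfind(text):
    """Return a list of regions: dicts with process, pid, address,
    protection and the bytes recovered from the hexdump lines."""
    regions = []
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            regions.append({"process": m.group(1), "pid": int(m.group(2)),
                            "address": int(m.group(3), 16), "protection": "",
                            "data": bytearray()})
            continue
        if not regions:
            continue
        if line.startswith("Vad Tag:"):
            regions[-1]["protection"] = line.split("Protection:")[-1].strip()
            continue
        tok = line.split()
        # Hexdump rows: address, 16 two-digit hex bytes, ASCII column.
        # Disassembly rows also start with an address but fail this test.
        if len(tok) >= 17 and all(HEX_BYTE.match(t) for t in tok[1:17]):
            regions[-1]["data"] += bytes.fromhex("".join(tok[1:17]))
    return regions


def classify(region):
    """Verdict from the leading bytes of a region."""
    data = bytes(region["data"])
    if data[:2] == b"MZ":
        return "pe-image"          # PE header in private memory: investigate
    if (data[0x10:0x14] == HEAP_SEGMENT_SIG      # x64 _HEAP_SEGMENT
            or data[0x08:0x0c] == HEAP_SEGMENT_SIG):  # x86 _HEAP_SEGMENT
        return "heap-segment"      # executable heap, usually benign
    if data and not any(data):
        return "zero-filled"       # nothing at the start; review the dump
    return "unknown"


def triage(text):
    """(process, pid, address, protection, verdict) per malfind region."""
    return [(r["process"], r["pid"], hex(r["address"]), r["protection"],
             classify(r)) for r in parse_malfind(text)]


# First region copied from the post's malfind output; the second one is
# constructed to show the PE-header case.
SAMPLE_MALFIND = """\
Volatility Foundation Volatility Framework 2.5
Process: WmiPrvSE.exe Pid: 2596 Address: 0x1660000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 2, PrivateMemory: 1, Protection: 6
0x01660000 00 00 00 00 00 00 00 00 e0 56 1f 95 eb 19 00 01  .........V......
0x01660010 ee ff ee ff 00 00 00 00 28 01 66 01 00 00 00 00  ........(.f.....
0x01660020 28 01 66 01 00 00 00 00 00 00 66 01 00 00 00 00  (.f.......f.....
0x01660030 00 00 66 01 00 00 00 00 80 00 00 00 00 00 00 00  ..f.............
0x01660000 0000       ADD [EAX], AL
0x01660002 0000       ADD [EAX], AL
Process: sample.exe Pid: 1234 Address: 0x2a0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 16, PrivateMemory: 1, Protection: 6
0x002a0000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00  MZ..............
0x002a0010 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ........@.......
0x002a0000 4d         DEC EBP
0x002a0001 5a         POP EDX
"""

if __name__ == "__main__":
    for entry in triage(SAMPLE_MALFIND):
        print("%-16s pid %5d at %-10s %-24s %s" % entry)
```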


5) Rootkits

The main purpose of rootkits is to hide information from the OS, like network connections, sockets, files, directories, etc. There are several Volatility plugins for this purpose: psxview, modscan, apihooks, ssdt.




 volatility --plugins=plugins/ --profile=Win7SP1x64 -f mem-2.dmp psxview  
 Volatility Foundation Volatility Framework 2.5  
 Offset(P)     Name          PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime  
 ------------------ -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------  
 0x000000013fc88600 WmiPrvSE.exe      2596 True  False False  True  True True  True  
 0x000000013e8859c0 svchost.exe       884 True  False False  True  True True  True  
 0x000000013dc65060 Procmon.exe      3192 True  False False  True  True True  False  
 0x000000013e8d3b10 svchost.exe       956 True  False False  True  True True  True  
 0x000000013f246060 WmiPrvSE.exe      1872 True  False False  True  True True  True  
 0x000000013e107060 conhost.exe      2832 True  False False  True  True True  False  
 0x000000013e8b5b10 svchost.exe       928 True  False False  True  True True  True  
 0x000000013f42a510 wininit.exe       412 True  False False  True  True True  True  
 0x000000013def8b10 Verifikation.e     3924 True  False False  True  True True  False  
 0x000000013f233b10 vmacthlp.exe      692 True  False False  True  True True  True  
 0x000000013e796b10 svchost.exe      1512 True  False False  True  True True  True  
 0x000000013e0d7180 audiodg.exe      1556 True  False False  True  True True  True  
 0x000000013f5d85d0 svchost.exe      1900 True  False False  True  True True  True  
 0x000000013ead8610 SearchIndexer.     1776 True  False False  True  True True  True  
 0x000000013e9c9650 svchost.exe      1076 True  False False  True  True True  True  
 0x000000013e758b10 AppleOSSMgr.ex     1408 True  False False  True  True True  True  
 0x000000013ed19b10 dllhost.exe      2056 True  False False  True  True True  True  
 0x000000013ed75b10 Procmon64.exe     4036 True  False False  True  True True  False  
 0x000000013e047320 explorer.exe      2080 True  False False  True  True True  False  
 0x000000013e8fcb10 svchost.exe       360 True  False False  True  True True  True  
 0x000000013e1ea060 winpmem_1.6.2.     3748 True  False False  True  True True  False  
 0x000000013f25db10 svchost.exe       736 True  False False  True  True True  True  
 0x000000013e092530 vmtoolsd.exe      2300 True  False False  True  True True  False  
 0x000000013e71eb10 armsvc.exe       1376 True  False False  True  True True  True  
 0x000000013f77fb10 svchost.exe      1176 True  False False  True  True True  False  
 0x000000013fb01600 mscorsvw.exe      2924 True  False False  True  True True  True  
 0x000000013ed89940 msdtc.exe       2248 True  False False  True  True True  True  
 0x000000013e82cb10 svchost.exe       816 True  False False  True  True True  True  
 0x000000013eab7440 wmpnetwk.exe      2704 True  False False  True  True True  True  
 0x000000013e689060 svchost.exe      1280 True  False False  True  True True  True  
 0x000000013e018840 taskhost.exe      2176 True  False False  True  True True  True  
 0x000000013e780060 svchost.exe      1472 True  False False  True  True True  True  
 0x000000013eb54350 lsass.exe        528 True  False False  True  True True  False  
 0x000000013e646b10 spoolsv.exe      1248 True  False False  True  True True  True  
 0x000000013e088b10 Bootcamp.exe      2552 True  False False  True  True True  False  
 0x000000013eb2a510 winlogon.exe      476 True  False False  True  True True  True  
 0x000000013e189b10 GWX.exe        1668 True  False False  True  True True  False  
 0x000000013f5ff060 svchost.exe       632 True  False False  True  True True  True  
 0x000000013e77bb10 AppleTimeSrv.e     1444 True  False False  True  True True  True  
 0x00000000075583e0 mscorsvw.exe      2972 True  False False  True  True True  True  
 0x000000013eb61570 lsm.exe         536 True  False False  True  True True  True  
 0x000000013ea8eb10 TrustedInstall     2684 True  False False  True  True True  True  
 0x000000013eb81060 dwm.exe        2468 True  False False  True  True True  False  
 0x000000013e54fb10 VGAuthService.     1636 True  False False  True  True True  True  
 0x000000013eb30b10 services.exe      500 True  False False  True  True True  False  
 0x000000013e109060 cmd.exe        3872 True  False False  True  True True  False  
 0x000000013e5c2b10 vmtoolsd.exe      1700 True  False False  True  True True  True  
 0x000000013f434b10 csrss.exe        420 True  False False  True  False True  False  
 0x000000013ef01b10 csrss.exe        368 True  False False  True  False True  True  
 0x00000000074729c0 System          4 True  False False  True  False False  False  
 0x000000013f66eb10 smss.exe        272 True  False False  True  False False  False  
 0x00000000101f9420              0 False True  False  False False False  False  
 0x0000000016cb5420              0 False True  False  False False False  False  
 0x000000013dc39420              0 False True  False  False False False  False  
 0x0000000036c8a420              0 False True  False  False False False  False  
 0x0000000122d6c420              0 False True  False  False False False  False  
 0x00000000b75ee420              0 False True  False  False False False  False  


There is no evidence of a rootkit on the system.



6) Acquiring processes and drivers

The last step is to dump any suspicious process, DLL, driver, or memory section for further analysis. The dumps are gathered with: dlldump, moddump, procdump, memdump and dumpfiles.
In this case I am going to dump the suspicious process with PID 3924 and submit it to VT.
Note that in some cases you do not want to share your samples on VirusTotal, so you might analyse the suspicious file in your own lab with your own sandbox instead.

To dump the process with PID 3924 I use 'procdump':

 volatility --plugins=plugins/ --profile=Win7SP1x64 -f mem-2.dmp procdump -p 3924 --dump-dir=out-after/  
 Volatility Foundation Volatility Framework 2.5  
 Process(V)     ImageBase     Name         Result  
 ------------------ ------------------ -------------------- ------  
 0xfffffa8005ef8b10 0x0000000000400000 Verifikation.e    OK: executable.3924.exe  


The file is dumped as executable.3924.exe. Once uploaded to VT, I see it is detected as malicious:
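As an added example (not code from the original post), a small Python helper for this step: hash the dumped executable and look the hash up on VirusTotal instead of uploading the sample, then reduce the report to the familiar detected/total ratio. The report contents and engine names are constructed; the VT v3 files endpoint and the x-apikey header are the public API.

```python
import hashlib
import json
import urllib.request

VT_FILE_URL = "https://www.virustotal.com/api/v3/files/"

# Constructed sample shaped like a VT v3 file report (not real VT data).
SAMPLE_REPORT = {"data": {"attributes": {
    "last_analysis_stats": {"malicious": 2, "suspicious": 0,
                            "undetected": 2, "harmless": 0},
    "last_analysis_results": {
        "EngineA": {"category": "malicious", "result": "Trojan.Generic"},
        "EngineB": {"category": "undetected", "result": None},
        "EngineC": {"category": "malicious", "result": "Tinba"},
        "EngineD": {"category": "undetected", "result": None}}}}}


def hash_bytes(data):
    """md5/sha1/sha256 of a byte string (used for the dumped executable)."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256")}


def hash_file(path):
    """Hash a dumped process image; the sha256 is the key VT uses for lookups."""
    with open(path, "rb") as fh:
        return hash_bytes(fh.read())


def lookup_hash(sha256, api_key):
    """Ask VT for an existing report by hash: nothing is uploaded."""
    req = urllib.request.Request(VT_FILE_URL + sha256,
                                 headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def summarize_report(report):
    """Reduce a VT v3 report to an 'N/M' ratio plus the engines that flagged it.
    Assumption: M counts only engines that returned a verdict."""
    attrs = report["data"]["attributes"]
    stats = attrs["last_analysis_stats"]
    total = sum(stats.get(k, 0) for k in
                ("malicious", "suspicious", "undetected", "harmless"))
    engines = sorted(name for name, res in attrs["last_analysis_results"].items()
                     if res.get("category") == "malicious")
    return {"malicious": stats.get("malicious", 0), "total": total,
            "engines": engines}
```

Because procdump rebuilds the PE from memory, the dump's hash usually differs from the on-disk sample's, so a hash lookup can come back empty even when the original file is known to VT.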








Conclusion

I have been able to identify malicious code through memory forensic, following six steps:
  1. Identify Rogue Processes 
  2. Analyze Process DLLs and Handles 
  3. Review Network Artifacts 
  4. Look for Evidence of Code Injection 
  5. Check for Signs of a Rootkit 
  6. Dump Suspicious Processes and Drivers 
Each of these steps gives you evidence of malicious behaviour. In this case, it was straightforward to identify the malicious process.
There is no evidence that the malware is making itself persistent. Also, there is no evidence of code injection or rootkit code used to hide itself.
The malware performs a TCP connection to a suspicious IP.
Finally, I dumped the malicious process and submitted it to VT, where 16/54 engines detected it as malicious.

Next step is to reverse the malicious code :)