Some days ago I wrote about a version of Tinba, targeting a Swiss bank, that was using Tor. What information can be gathered from the memory of a system infected with such malware?
The first thing to do is to obtain a memory dump of the infected system. There are several tools and methods; I find winpmem, from the Rekall framework, very easy to use. It can be run from an external USB drive and write the dump to that same drive, which can later be analysed on the forensic workstation.
Several tools exist to analyse memory dumps, some commercial and some free.
From Mandiant there is Redline, which I wrote about some time ago. Redline can both collect the data from the system and analyse it. There is also Volatility, which is multi-platform and can even be used for memory forensics on Android, as I wrote here.
In this post I am going to use Volatility; in a future post I will explain how to do the same with Redline.
There is a set of steps to perform memory forensics. A good document covering those steps, and the commands to run for each, is the memory forensics cheat sheet from SANS:
https://digital-forensics.sans.org/media/memory-forensics-cheat-sheet.pdf. The six steps are:
- Identify Rogue Processes
- Analyze Process DLLs and Handles
- Review Network Artifacts
- Look for Evidence of Code Injection
- Check for Signs of a Rootkit
- Dump Suspicious Processes and Drivers
1) Identify Rogue Processes
The first step is to list the processes in memory with 'pslist':
volatility --plugins=plugins/ --profile=Win7SP1x64 -f mem-2.dmp pslist
Volatility Foundation Volatility Framework 2.5
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa8003c729c0 System 4 0 99 599 ------ 0 2016-02-12 20:32:20 UTC+0000
0xfffffa800466eb10 smss.exe 272 4 2 30 ------ 0 2016-02-12 20:32:20 UTC+0000
0xfffffa8004f01b10 csrss.exe 368 356 10 659 0 0 2016-02-12 20:32:21 UTC+0000
0xfffffa800482a510 wininit.exe 412 356 3 77 0 0 2016-02-12 20:32:24 UTC+0000
0xfffffa8004834b10 csrss.exe 420 404 10 321 1 0 2016-02-12 20:32:24 UTC+0000
0xfffffa800532a510 winlogon.exe 476 404 3 122 1 0 2016-02-12 20:32:25 UTC+0000
0xfffffa8005330b10 services.exe 500 412 15 259 0 0 2016-02-12 20:32:25 UTC+0000
0xfffffa8005354350 lsass.exe 528 412 7 637 0 0 2016-02-12 20:32:25 UTC+0000
0xfffffa8005361570 lsm.exe 536 412 11 206 0 0 2016-02-12 20:32:25 UTC+0000
0xfffffa80049ff060 svchost.exe 632 500 11 375 0 0 2016-02-12 20:32:26 UTC+0000
0xfffffa8004a33b10 vmacthlp.exe 692 500 3 55 0 0 2016-02-12 20:32:26 UTC+0000
0xfffffa8004a5db10 svchost.exe 736 500 8 321 0 0 2016-02-12 20:32:26 UTC+0000
0xfffffa800542cb10 svchost.exe 816 500 19 483 0 0 2016-02-12 20:32:27 UTC+0000
0xfffffa80054859c0 svchost.exe 884 500 18 438 0 0 2016-02-12 20:32:27 UTC+0000
0xfffffa80054b5b10 svchost.exe 928 500 17 625 0 0 2016-02-12 20:32:27 UTC+0000
0xfffffa80054d3b10 svchost.exe 956 500 47 1284 0 0 2016-02-12 20:32:27 UTC+0000
0xfffffa80054fcb10 svchost.exe 360 500 5 111 0 0 2016-02-12 20:32:27 UTC+0000
0xfffffa80055c9650 svchost.exe 1076 500 27 739 0 0 2016-02-12 20:32:28 UTC+0000
0xfffffa8005646b10 spoolsv.exe 1248 500 13 358 0 0 2016-02-12 20:32:28 UTC+0000
0xfffffa8005689060 svchost.exe 1280 500 19 321 0 0 2016-02-12 20:32:28 UTC+0000
0xfffffa800571eb10 armsvc.exe 1376 500 4 69 0 1 2016-02-12 20:32:29 UTC+0000
0xfffffa8005758b10 AppleOSSMgr.ex 1408 500 5 57 0 0 2016-02-12 20:32:29 UTC+0000
0xfffffa800577bb10 AppleTimeSrv.e 1444 500 4 55 0 0 2016-02-12 20:32:29 UTC+0000
0xfffffa8005780060 svchost.exe 1472 500 11 299 0 0 2016-02-12 20:32:29 UTC+0000
0xfffffa8005796b10 svchost.exe 1512 500 19 304 0 0 2016-02-12 20:32:29 UTC+0000
0xfffffa800594fb10 VGAuthService. 1636 500 3 88 0 0 2016-02-12 20:32:29 UTC+0000
0xfffffa80059c2b10 vmtoolsd.exe 1700 500 9 315 0 0 2016-02-12 20:32:29 UTC+0000
0xfffffa80049d85d0 svchost.exe 1900 500 6 94 0 0 2016-02-12 20:32:30 UTC+0000
0xfffffa8004a46060 WmiPrvSE.exe 1872 632 11 331 0 0 2016-02-12 20:32:30 UTC+0000
0xfffffa8005119b10 dllhost.exe 2056 500 13 194 0 0 2016-02-12 20:32:31 UTC+0000
0xfffffa8005189940 msdtc.exe 2248 500 12 146 0 0 2016-02-12 20:32:31 UTC+0000
0xfffffa8004088600 WmiPrvSE.exe 2596 632 9 244 0 0 2016-02-12 20:32:50 UTC+0000
0xfffffa8004301600 mscorsvw.exe 2924 500 6 111 0 1 2016-02-12 20:34:29 UTC+0000
0xfffffa8003d583e0 mscorsvw.exe 2972 500 6 84 0 0 2016-02-12 20:34:29 UTC+0000
0xfffffa800477fb10 svchost.exe 1176 500 14 390 0 0 2016-02-12 20:34:30 UTC+0000
0xfffffa80052b7440 wmpnetwk.exe 2704 500 14 429 0 0 2016-02-12 20:34:38 UTC+0000
0xfffffa80052d8610 SearchIndexer. 1776 500 12 619 0 0 2016-02-12 20:34:39 UTC+0000
0xfffffa800528eb10 TrustedInstall 2684 500 5 130 0 0 2016-02-12 20:35:27 UTC+0000
0xfffffa8005c18840 taskhost.exe 2176 500 11 281 1 0 2016-02-12 20:38:21 UTC+0000
0xfffffa8005381060 dwm.exe 2468 884 3 71 1 0 2016-02-12 20:38:21 UTC+0000
0xfffffa8005c47320 explorer.exe 2080 2824 44 1032 1 0 2016-02-12 20:38:21 UTC+0000
0xfffffa8005c88b10 Bootcamp.exe 2552 2080 6 139 1 0 2016-02-12 20:38:22 UTC+0000
0xfffffa8005c92530 vmtoolsd.exe 2300 2080 7 280 1 0 2016-02-12 20:38:22 UTC+0000
0xfffffa8005cd7180 audiodg.exe 1556 816 4 129 0 0 2016-02-12 20:38:22 UTC+0000
0xfffffa8005d89b10 GWX.exe 1668 620 4 196 1 0 2016-02-12 20:38:37 UTC+0000
0xfffffa8005d09060 cmd.exe 3872 2080 1 23 1 0 2016-02-13 20:11:42 UTC+0000
0xfffffa8005d07060 conhost.exe 2832 420 2 44 1 0 2016-02-13 20:11:42 UTC+0000
0xfffffa8006065060 Procmon.exe 3192 2080 5 174 1 1 2016-02-13 20:17:46 UTC+0000
0xfffffa8005175b10 Procmon64.exe 4036 3192 11 249 1 0 2016-02-13 20:17:46 UTC+0000
0xfffffa8005ef8b10 Verifikation.e 3924 2080 25 432 1 1 2016-02-13 20:19:30 UTC+0000
0xfffffa8005dea060 winpmem_1.6.2. 3748 3872 1 29 1 1 2016-02-13 20:19:41 UTC+0000
The process Verifikation.exe (PID 3924, shown as 'Verifikation.e' because pslist truncates names to 14 characters) is suspicious: it is not a known Windows process, it was started from explorer.exe (PPID 2080) and it is a 32-bit binary running under Wow64. It is worth investigating.
In some cases it is not so obvious: the malicious process may use a valid process name (like svchost.exe), or may have "infected" a valid process through DLL injection or process hollowing.
All the processes listed above are the ones in the OS's list of running processes, but some malware hides its process by unlinking it from that list (a doubly linked list). Without going into the details, I can look for such 'hidden' processes with 'psscan', which carves process objects out of memory instead of walking the list:
In this case Volatility shows entries with PID 0, which are also worth investigating, as this is not common. (Entries with no name and PID 0 are frequently remnants of freed or zeroed pool memory rather than hidden processes, but they should still be checked against the other process views, as in step 5.)
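The checks above can be applied programmatically. The following Python script is an added example (not code from the original post): it parses a pslist table, flags process names outside an assumed Windows 7 baseline and checks that core system processes have the parent they should. SAMPLE_PSLIST reuses rows from the output above; the final svchost.exe row (PID 4444, parent explorer.exe) is constructed so that the parent check has something to find. The baseline and expected-parent table are assumptions for this host, not part of Volatility.

```python
"""Triage of Volatility 2 'pslist' output (added example, not from the post).

Checks, per process:
  * name is in an assumed Windows 7 baseline of expected process names;
  * core system processes have the parent they should (e.g. every
    svchost.exe must be a child of services.exe);
  * a missing parent is only normal for processes whose parent is known
    to exit (csrss/wininit/winlogon are spawned by a session-specific
    smss.exe that exits; explorer.exe is spawned by userinit.exe).
"""

# Subset of the post's pslist output. The last row (PID 4444) is CONSTRUCTED:
# an svchost.exe started by explorer.exe, so the parent check fires.
SAMPLE_PSLIST = """\
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa8003c729c0 System 4 0 99 599 ------ 0 2016-02-12 20:32:20 UTC+0000
0xfffffa800466eb10 smss.exe 272 4 2 30 ------ 0 2016-02-12 20:32:20 UTC+0000
0xfffffa8004f01b10 csrss.exe 368 356 10 659 0 0 2016-02-12 20:32:21 UTC+0000
0xfffffa800482a510 wininit.exe 412 356 3 77 0 0 2016-02-12 20:32:24 UTC+0000
0xfffffa800532a510 winlogon.exe 476 404 3 122 1 0 2016-02-12 20:32:25 UTC+0000
0xfffffa8005330b10 services.exe 500 412 15 259 0 0 2016-02-12 20:32:25 UTC+0000
0xfffffa8005354350 lsass.exe 528 412 7 637 0 0 2016-02-12 20:32:25 UTC+0000
0xfffffa80049ff060 svchost.exe 632 500 11 375 0 0 2016-02-12 20:32:26 UTC+0000
0xfffffa8005c47320 explorer.exe 2080 2824 44 1032 1 0 2016-02-12 20:38:21 UTC+0000
0xfffffa8005d09060 cmd.exe 3872 2080 1 23 1 0 2016-02-13 20:11:42 UTC+0000
0xfffffa8005ef8b10 Verifikation.e 3924 2080 25 432 1 1 2016-02-13 20:19:30 UTC+0000
0xfffffa8005dea060 winpmem_1.6.2. 3748 3872 1 29 1 1 2016-02-13 20:19:41 UTC+0000
0x0000000000000000 svchost.exe 4444 2080 3 50 1 0 2016-02-13 20:20:00 UTC+0000
"""

# Assumed baseline for a Windows 7 workstation: expected parent name(s).
EXPECTED_PARENT = {
    "smss.exe": {"system"},
    "csrss.exe": {"smss.exe"},
    "wininit.exe": {"smss.exe"},
    "winlogon.exe": {"smss.exe"},
    "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"},
    "lsm.exe": {"wininit.exe"},
    "svchost.exe": {"services.exe"},
    "spoolsv.exe": {"services.exe"},
    "taskhost.exe": {"services.exe"},
}
# Processes whose parent has normally already exited by the time of the dump.
ORPHAN_OK = {"csrss.exe", "wininit.exe", "winlogon.exe"}
KNOWN_NAMES = set(EXPECTED_PARENT) | {"system", "explorer.exe", "cmd.exe",
                                      "conhost.exe", "dwm.exe"}


def parse_pslist(text):
    """Parse the whitespace-separated table into {pid: record}.

    Volatility 2 truncates Name to 14 characters ('Verifikation.e'); a name
    containing spaces would need the fixed-width column offsets instead.
    """
    procs = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 8 or not tok[0].startswith("0x"):
            continue  # header, separator or blank line
        procs[int(tok[2])] = {
            "name": tok[1],
            "ppid": int(tok[3]),
            "session": tok[6],
            "wow64": tok[7] == "1",
            "start": " ".join(tok[8:11]),
        }
    return procs


def triage(text):
    """Return a list of (pid, name, reason) findings, ordered by PID."""
    procs = parse_pslist(text)
    findings = []
    for pid, rec in sorted(procs.items()):
        name = rec["name"].lower()
        parent = procs.get(rec["ppid"])
        if name not in KNOWN_NAMES:
            findings.append((pid, rec["name"], "name not in baseline"))
        if name in EXPECTED_PARENT:
            if parent is None:
                if name not in ORPHAN_OK:
                    findings.append((pid, rec["name"],
                                     "parent PID %d not in listing" % rec["ppid"]))
            elif parent["name"].lower() not in EXPECTED_PARENT[name]:
                findings.append((pid, rec["name"],
                                 "unexpected parent %s (PID %d)"
                                 % (parent["name"], rec["ppid"])))
    return findings


if __name__ == "__main__":
    for pid, name, reason in triage(SAMPLE_PSLIST):
        print("%-6d %-16s %s" % (pid, name, reason))
```

On the sample this reports Verifikation.e and winpmem_1.6.2. as names outside the baseline, and the constructed svchost.exe as having the wrong parent; the csrss/wininit/winlogon rows whose smss.exe parent has exited are deliberately not reported. Feed it the full pslist output (`volatility ... pslist > pslist.txt`) and extend the baseline to the software known to be installed on the host.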
2) Analyse Process DLLs and Handles
The next step is to identify the DLLs loaded by the process, since a suspicious DLL may be loaded as well. This is done with 'dlllist':
volatility --plugins=plugins/ --profile=Win7SP1x64 -f mem-2.dmp dlllist -p 3924
Volatility Foundation Volatility Framework 2.5
************************************************************************
Verifikation.e pid: 3924
Command line : "C:\Users\angel\Desktop\file\Verifikation.exe"
Note: use ldrmodules for listing DLLs in Wow64 processes
Base Size LoadCount Path
------------------ ------------------ ------------------ ----
0x0000000000400000 0x42000 0xffff C:\Users\angel\Desktop\file\Verifikation.exe
0x0000000076eb0000 0x1aa000 0xffff C:\Windows\SYSTEM32\ntdll.dll
0x0000000073480000 0x3f000 0x3 C:\Windows\SYSTEM32\wow64.dll
0x0000000073420000 0x5c000 0x1 C:\Windows\SYSTEM32\wow64win.dll
0x0000000073410000 0x8000 0x1 C:\Windows\SYSTEM32\wow64cpu.dll
In this case I do not see any suspicious DLL. Note, however, that this is a Wow64 (32-bit) process: dlllist only walks the 64-bit loader list, which is why only ntdll.dll and the wow64*.dll shims appear, and, as the output itself says, 'ldrmodules' is needed to see the 32-bit DLLs. As a side note, the "Command line" field shows the exact command used to launch the malicious process.
Handles, which are basically references to any kind of object the process deals with (registry keys, files, threads, processes, mutants (mutexes), directories, etc.), can provide very useful information. Running Volatility with 'handles' lists all of them:
volatility --plugins=plugins/ --profile=Win7SP1x64 -f mem-2.dmp handles -p 3924
Volatility Foundation Volatility Framework 2.5
Offset(V) Pid Handle Access Type Details
------------------ ------ ------------------ ------------------ ---------------- -------
0xfffff8a001c49610 3924 0x4 0x9 Key MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS
0xfffff8a0007de800 3924 0x8 0x3 Directory KnownDlls
0xfffff8a005ce5480 3924 0xc 0x3 Directory KnownDlls32
0xfffffa800558a070 3924 0x10 0x100020 File \Device\HarddiskVolume2\Windows
0xfffff8a001c49740 3924 0x14 0x9 Key MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS
0xfffff8a005ce5480 3924 0x18 0x3 Directory KnownDlls32
0xfffffa8005dd4b40 3924 0x1c 0x100020 File \Device\HarddiskVolume2\Users\angel\Desktop\file
0xfffff8a003db5fa0 3924 0x20 0x20019 Key MACHINE\SYSTEM\CONTROLSET001\CONTROL\NLS\SORTING\VERSIONS
0xfffffa800548fb00 3924 0x24 0x1f0001 Mutant
0xfffffa8005231e60 3924 0x28 0x1f0001 ALPC Port
0xfffff8a001d0c330 3924 0x2c 0x1 Key MACHINE\SYSTEM\CONTROLSET001\CONTROL\SESSION MANAGER
0xfffffa8005657270 3924 0x30 0x100003 Semaphore
0xfffffa8003d69060 3924 0x34 0x100003 Semaphore
0xfffffa8005592060 3924 0x38 0x1f0001 Mutant
0xfffff8a003aeff20 3924 0x3c 0x20019 Key MACHINE
0xfffffa8005b5e6b0 3924 0x40 0x1f0003 Event
0xfffffa800464e520 3924 0x44 0x804 EtwRegistration
0xfffffa8005e0fd40 3924 0x48 0x1f0001 Mutant
0xfffff8a003848880 3924 0x4c 0xf003f Key USER\S-1-5-21-3207478364-1257758836-272776370-1001
0xfffffa8005ff2330 3924 0x50 0x100020 File \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc
....
...
...
However, the output of 'handles' can be huge, so it can be filtered with an additional parameter, for example '-t mutant', which shows only the mutexes (aka mutants). A mutex is a synchronisation object used to guarantee that only one thread at a time has access to a resource. Malware uses mutexes to avoid running multiple instances of itself on the same system.
volatility --plugins=plugins/ --profile=Win7SP1x64 -f mem-2.dmp handles -p 3924 -t mutant
Volatility Foundation Volatility Framework 2.5
Offset(V) Pid Handle Access Type Details
------------------ ------ ------------------ ------------------ ---------------- -------
0xfffffa800548fb00 3924 0x24 0x1f0001 Mutant
0xfffffa8005592060 3924 0x38 0x1f0001 Mutant
0xfffffa8005e0fd40 3924 0x48 0x1f0001 Mutant
0xfffffa8005e3e830 3924 0xcc 0x1f0001 Mutant
0xfffffa8005c91640 3924 0x2fc 0x1f0001 Mutant ZonesCacheCounterMutex
0xfffffa8005b07fc0 3924 0x300 0x1f0001 Mutant ZonesLockedCacheCounterMutex
0xfffffa8005c3e670 3924 0x444 0x100000 Mutant MSCTF.Asm.MutexDefault1
0xfffffa8004e36ec0 3924 0x480 0x1f0001 Mutant !IECompat!Mutex
0xfffffa8005c5d770 3924 0x53c 0x1f0001 Mutant
0xfffffa800595a600 3924 0x544 0x1f0001 Mutant
0xfffffa8005f67ec0 3924 0x5ec 0x1f0001 Mutant
0xfffffa8005a8e9a0 3924 0x5f4 0x1f0001 Mutant
0xfffffa80059b4d70 3924 0x5f8 0x1f0001 Mutant __DDrawExclMode__
0xfffffa80052f21c0 3924 0x600 0x1f0001 Mutant __DDrawCheckExclMode__
0xfffffa80045ff200 3924 0x604 0x1f0001 Mutant DDrawWindowListMutex
0xfffffa800595c7c0 3924 0x608 0x1f0001 Mutant DDrawDriverObjectListMutex
Sometimes the mutex name is unique and can be used as a fingerprint. Here we see several named mutants, like "!IECompat!Mutex"; the unnamed ones cannot be matched this way.
The same approach can be used to filter for registry keys or any other object type, e.g. with '-t key'. With 'key' it may be possible to identify malware that creates an autorun key for persistence, or performs any other change in the registry.
To check whether the malware persists as a service, I use 'svcscan'. Since I am only interested in the binary started by each service, I grep for it:
volatility --plugins=plugins/ --profile=Win7SP1x64 -f mem-2.dmp svcscan | egrep -e "(ImagePath|Binary Path)" | grep -v "Binary Path: -"
Volatility Foundation Volatility Framework 2.5
Binary Path: C:\Windows\system32\svchost.exe -k netsvcs
Binary Path: C:\Windows\system32\svchost.exe -k netsvcs
Binary Path: C:\Windows\system32\lsass.exe
Binary Path: \Driver\rspndr
Binary Path: C:\Windows\system32\svchost.exe -k RPCSS
Binary Path: C:\Windows\system32\svchost.exe -k RPCSS
Binary Path: \Driver\RFCOMM
Binary Path: \Driver\rdyboost
Binary Path: \Driver\RDPWD
Binary Path: \Driver\RDPREFMP
Binary Path: \Driver\RDPENCDD
Binary Path: \Driver\RDPDR
Binary Path: \Driver\RDPCDD
Binary Path: \Driver\rdpbus
Binary Path: \FileSystem\rdbss
Binary Path: \Driver\RasSstp
Binary Path: \Driver\RasPppoe
Binary Path: \Driver\Rasl2tp
Binary Path: \Driver\RasAgileVpn
Binary Path: \Driver\Psched
Binary Path: C:\Windows\system32\svchost.exe -k netsvcs
Binary Path: \Driver\PptpMiniport
Binary Path: C:\Windows\system32\svchost.exe -k DcomLaunch
Binary Path: \Driver\PNPMEM
Binary Path: C:\Windows\system32\svchost.exe -k DcomLaunch
Binary Path: \Driver\PEAUTH
Binary Path: \Driver\pcw
Binary Path: \Driver\pci
Binary Path: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
Binary Path: \Driver\partmgr
Binary Path: \Driver\Parport
Binary Path: \Driver\Null
Binary Path: \FileSystem\Ntfs
Binary Path: \Driver\nsiproxy
Binary Path: C:\Windows\system32\svchost.exe -k LocalService
Binary Path: \FileSystem\Npfs
Binary Path: \Driver\NPF
Binary Path: C:\Windows\system32\svchost.exe -k NetworkService
Binary Path: C:\Windows\system32\svchost.exe -k LocalService
Binary Path: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
Binary Path: \Driver\NetBT
Binary Path: \FileSystem\NetBIOS
Binary Path: \Driver\NDProxy
Binary Path: \Driver\NdisWan
Binary Path: \Driver\NdisTapi
Binary Path: \Driver\NDIS
Binary Path: \FileSystem\Mup
Binary Path: \Driver\mssmbios
Binary Path: \Driver\msisadrv
Binary Path: \FileSystem\Msfs
Binary Path: C:\Windows\System32\msdtc.exe
Binary Path: \Driver\msahci
Binary Path: \FileSystem\mrxsmb20
Binary Path: \FileSystem\mrxsmb10
Binary Path: \FileSystem\mrxsmb
Binary Path: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
Binary Path: \Driver\mpsdrv
Binary Path: \Driver\mountmgr
Binary Path: \Driver\mouhid
Binary Path: \Driver\mouclass
Binary Path: \Driver\monitor
Binary Path: C:\Windows\system32\svchost.exe -k netsvcs
Binary Path: \Driver\MacHALDriver
Binary Path: \FileSystem\luafv
Binary Path: \Driver\LSI_SAS
Binary Path: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
Binary Path: \Driver\lltdio
Binary Path: C:\Windows\system32\svchost.exe -k NetworkService
Binary Path: C:\Windows\system32\svchost.exe -k netsvcs
Binary Path: \Driver\ksthunk
Binary Path: \Driver\KSecPkg
Binary Path: \Driver\KSecDD
Binary Path: \Driver\KeyAgent
Binary Path: \Driver\kbdclass
Binary Path: C:\Windows\system32\svchost.exe -k netsvcs
Binary Path: \Driver\intelppm
Binary Path: \Driver\intelide
Binary Path: C:\Windows\system32\svchost.exe -k netsvcs
Binary Path: \Driver\i8042prt
Binary Path: \Driver\hwpolicy
Binary Path: \Driver\HTTP
Binary Path: \Driver\HidUsb
Binary Path: \Driver\HDAudBus
Binary Path: \Driver\HdAudAddService
Binary Path: C:\Windows\system32\svchost.exe -k GPSvcGroup
Binary Path: \Driver\fvevol
Binary Path: C:\Windows\system32\svchost.exe -k LocalService
Binary Path: \FileSystem\FltMgr
Binary Path: \Driver\flpydisk
Binary Path: \FileSystem\FileInfo
Binary Path: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
Binary Path: \Driver\fdc
Binary Path: C:\Windows\system32\svchost.exe -k LocalService
Binary Path: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
Binary Path: \Driver\E1G60
Binary Path: \Driver\DXGKrnl
Binary Path: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
Binary Path: C:\Windows\system32\svchost.exe -k NetworkService
Binary Path: \Driver\Disk
Binary Path: \Driver\discache
Binary Path: C:\Windows\System32\svchost.exe -k utcsvc
Binary Path: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
Binary Path: \FileSystem\DfsC
Binary Path: C:\Windows\system32\svchost.exe -k DcomLaunch
Binary Path: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
Binary Path: \Driver\CSC
Binary Path: C:\Windows\system32\svchost.exe -k NetworkService
Binary Path: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
Binary Path: \Driver\CompositeBus
Binary Path: \Driver\Compbatt
Binary Path: \Driver\CNG
Binary Path: \Driver\CmBatt
Binary Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Binary Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Binary Path: \Driver\CLFS
Binary Path: C:\Windows\system32\svchost.exe -k netsvcs
Binary Path: \Driver\cdrom
Binary Path: \Driver\BTHUSB
Binary Path: C:\Windows\system32\svchost.exe -k bthsvcs
Binary Path: \Driver\BthEnum
Binary Path: C:\Windows\system32\svchost.exe -k netsvcs
Binary Path: \FileSystem\bowser
Binary Path: \Driver\blbdrive
Binary Path: C:\Windows\system32\svchost.exe -k netsvcs
Binary Path: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
Binary Path: \Driver\Beep
Binary Path: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
Binary Path: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
Binary Path: \Driver\atapi
Binary Path: \Driver\AsyncMac
Binary Path: C:\Windows\system32\AppleTimeSrv.exe
Binary Path: C:\Windows\system32\AppleOSSMgr.exe
Binary Path: \Driver\AppleMNT
Binary Path: \FileSystem\AppleHFS
Binary Path: C:\Windows\system32\svchost.exe -k netsvcs
Binary Path: \Driver\amdxata
Binary Path: \Driver\AFD
Binary Path: C:\Windows\system32\svchost.exe -k netsvcs
Binary Path: "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
Binary Path: \Driver\ACPI
Binary Path: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
Binary Path: \Driver\usbuhci
Binary Path: \Driver\USBPcap
Binary Path: \Driver\usbhub
Binary Path: \Driver\usbehci
Binary Path: \Driver\usbccgp
Binary Path: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
Binary Path: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
Binary Path: \Driver\umbus
Binary Path: \Driver\tunnel
Binary Path: \Driver\tssecsrv
Binary Path: C:\Windows\servicing\TrustedInstaller.exe
Binary Path: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
Binary Path: C:\Windows\system32\svchost.exe -k netsvcs
Binary Path: C:\Windows\system32\svchost.exe -k NetworkService
Binary Path: \Driver\TermDD
Binary Path: \Driver\tdx
Binary Path: \Driver\TDTCP
Binary Path: \Driver\tcpipreg
Binary Path: \Driver\Tcpip
Binary Path: \Driver\swenum
Binary Path: \Driver\storflt
Binary Path: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
Binary Path: \FileSystem\srvnet
Binary Path: \FileSystem\srv2
Binary Path: \FileSystem\srv
Binary Path: C:\Windows\System32\spoolsv.exe
Binary Path: \Driver\spldr
Binary Path: C:\Windows\system32\svchost.exe -k netsvcs
Binary Path: C:\Windows\system32\svchost.exe -k netsvcs
Binary Path: \Driver\Serial
Binary Path: \Driver\Serenum
Binary Path: C:\Windows\system32\SearchIndexer.exe /Embedding
Binary Path: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
Binary Path: \Driver\ws2ifsl
Binary Path: "C:\Program Files\Windows Media Player\wmpnetwk.exe"
Binary Path: C:\Windows\system32\svchost.exe -k NetworkService
Binary Path: C:\Windows\system32\svchost.exe -k netsvcs
Binary Path: C:\Windows\system32\svchost.exe -k LocalService
Binary Path: C:\Windows\System32\svchost.exe -k secsvcs
Binary Path: \Driver\WfpLwf
Binary Path: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
Binary Path: C:\Windows\system32\svchost.exe -k LocalService
Binary Path: \Driver\Wdf01000
Binary Path: \Driver\Wanarpv6
Binary Path: \Driver\vsock
Binary Path: \Driver\volsnap
Binary Path: \Driver\volmgrx
Binary Path: \Driver\volmgr
Binary Path: "C:\Program Files\VMware\VMware Tools\vmacthlp.exe"
Binary Path: \Driver\vmusbmouse
Binary Path: "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"
Binary Path: \Driver\vmrawdsk
Binary Path: \Driver\vmmouse
Binary Path: \Driver\VMMEMCTL
Binary Path: \FileSystem\vmhgfs
Binary Path: \Driver\vmci
Binary Path: \Driver\vm3dmp
Binary Path: "C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe"
Binary Path: \Driver\VgaSave
Binary Path: \Driver\vdrvroot
Binary Path: C:\Windows\system32\lsass.exe
Binary Path: C:\Windows\system32\svchost.exe -k netsvcs
Binary Path: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
Binary Path: \Driver\WudfPf
No suspicious service binary is detected, so the malware is not persisting through a service, nor through an autorun registry key, as we saw previously.
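Eyeballing a few hundred 'Binary Path' lines is error-prone, so here is an added Python example (not from the original post) that does the review for you: it parses the grep output above, skips kernel driver objects, and flags service images outside the Windows and Program Files directories as well as unquoted image paths containing spaces. SAMPLE_SVCSCAN mixes lines taken from the output above with two constructed entries at the end (a binary under C:\Users\Public and an unquoted path with spaces) so that both checks fire; the allowed prefixes are an assumption for this host.

```python
"""Triage of 'svcscan' binary paths (added example, not from the post).

Flags service image paths that are not under the Windows or Program Files
directories, and unquoted image paths containing spaces. Kernel driver
services (\\Driver\\..., \\FileSystem\\...) are skipped here; those are
better cross-checked with modscan.
"""
import re

# Lines from the post's svcscan output plus two CONSTRUCTED entries at the
# end (a binary under C:\Users\Public and an unquoted path with spaces).
SAMPLE_SVCSCAN = r"""
Binary Path: C:\Windows\system32\svchost.exe -k netsvcs
Binary Path: C:\Windows\system32\lsass.exe
Binary Path: \Driver\rspndr
Binary Path: \FileSystem\Ntfs
Binary Path: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
Binary Path: "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
Binary Path: "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"
Binary Path: C:\Windows\servicing\TrustedInstaller.exe
Binary Path: -
Binary Path: C:\Users\Public\update.exe
Binary Path: C:\Program Files\Example Vendor\updater.exe -svc
"""

# Assumed "normal" locations for service binaries on this host.
ALLOWED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
KERNEL_PREFIXES = ("\\driver\\", "\\filesystem\\")
# Shortest prefix ending in a PE extension followed by whitespace or end of
# line: cuts arguments such as '-k netsvcs' off an unquoted path.
IMAGE_RE = re.compile(r"^(.*?\.(?:exe|dll|sys))(?=\s|$)", re.IGNORECASE)


def split_image(path):
    """Return (image_path, was_quoted) for a svcscan 'Binary Path' value."""
    if path.startswith('"'):
        end = path.find('"', 1)
        return (path[1:end] if end > 0 else path[1:]), True
    m = IMAGE_RE.match(path)
    return (m.group(1) if m else path.split()[0]), False


def triage(text):
    """Return a list of (image_path, reason) findings."""
    findings = []
    for line in text.splitlines():
        if not line.startswith("Binary Path:"):
            continue
        path = line[len("Binary Path:"):].strip()
        if path == "-":
            continue  # service record without an image path
        if path.lower().startswith(KERNEL_PREFIXES):
            continue  # kernel driver object, not a user-mode binary
        image, quoted = split_image(path)
        if not image.lower().startswith(ALLOWED_PREFIXES):
            findings.append((image, "binary outside standard locations"))
        if not quoted and " " in image:
            # Windows resolves an unquoted path with spaces by trying each
            # prefix in turn, so a writable "C:\Program.exe" would win.
            findings.append((image, "unquoted image path with spaces"))
    return findings


if __name__ == "__main__":
    for image, reason in triage(SAMPLE_SVCSCAN):
        print("%-55s %s" % (image, reason))
```

Pipe the real output in with `volatility ... svcscan | grep "Binary Path" > svc.txt` and read the file instead of SAMPLE_SVCSCAN; anything reported still needs a look at the service name and start type in the full svcscan record.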
I am also interested in which files are open, for example something downloaded from the Internet (an exe, a malicious JS, HTML, etc.); that is 'handles -t File'.
In this case some websites were visited and some temporary files were stored.
3) Review network artifacts
Network artifacts provide a lot of useful information: ports a process is listening on, network connections from/to the host, etc. For Windows 7 the plugin is 'netscan':
volatility --plugins=plugins/ --profile=Win7SP1x64 -f mem-2.dmp netscan
Volatility Foundation Volatility Framework 2.5
Offset(P) Proto Local Address Foreign Address State Pid Owner Created
0x2230cf0 UDPv4 0.0.0.0:3702 *:* 1512 svchost.exe 2016-02-13 20:09:12 UTC+0000
0x752ecf0 UDPv4 0.0.0.0:3702 *:* 1512 svchost.exe 2016-02-13 20:09:12 UTC+0000
0x754e370 UDPv4 127.0.0.1:55616 *:* 1512 svchost.exe 2016-02-13 20:08:52 UTC+0000
0x7576d00 UDPv4 0.0.0.0:51553 *:* 1512 svchost.exe 2016-02-12 20:32:29 UTC+0000
0x7576d00 UDPv6 :::51553 *:* 1512 svchost.exe 2016-02-12 20:32:29 UTC+0000
0x7577110 UDPv4 0.0.0.0:51552 *:* 1512 svchost.exe 2016-02-12 20:32:29 UTC+0000
....
0x125d93200 TCPv6 :::5357 :::0 LISTENING 4 System
0x12732b110 UDPv4 0.0.0.0:51552 *:* 1512 svchost.exe 2016-02-12 20:32:29 UTC+0000
0x13de0f890 UDPv4 192.168.113.229:1900 *:* 1512 svchost.exe 2016-02-13 20:08:52 UTC+0000
0x13de3ec40 UDPv4 192.168.113.229:137 *:* 4 System 2016-02-13 20:08:52 UTC+0000
0x13dfbe490 UDPv4 0.0.0.0:53670 *:* 1076 svchost.exe 2016-02-13 20:19:35 UTC+0000
0x13e16f890 UDPv4 0.0.0.0:5355 *:* 1076 svchost.exe 2016-02-13 20:08:55 UTC+0000
0x13e1f3300 UDPv4 192.168.113.229:138 *:* 4 System 2016-02-13 20:08:52 UTC+0000
0x13de23010 TCPv4 192.168.113.229:49209 94.23.50.33:80 ESTABLISHED 3924 Verifikation.e
0x13de3dcf0 TCPv4 192.168.113.229:49207 103.198.0.2:80 CLOSE_WAIT 3924 Verifikation.e
0x13de5c010 TCPv4 192.168.113.229:49208 103.198.0.2:80 CLOSE_WAIT 3924 Verifikation.e
0x13de5d9d0 TCPv6 -:0 3842:3a05:80fa:ffff:3842:3a05:80fa:ffff:0 CLOSED 1076 svchost.exe
0x13e2a6ec0 UDPv4 127.0.0.1:1900 *:* 1512 svchost.exe 2016-02-13 20:08:52 UTC+0000
0x13e5399a0 UDPv4 0.0.0.0:500 *:* 956 svchost.exe 2016-02-12 20:32:29 UTC+0000
...
0x13f970010 TCPv6 -:0 c829:c703:80fa:ffff:c829:c703:80fa:ffff:0 CLOSED 4 System
In this case we see that our suspicious process has several connections to two different IPs, 94.23.50.33 and 103.198.0.2, both on port 80 (one ESTABLISHED, two in CLOSE_WAIT).
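To pull the same answer out of a long netscan listing, here is an added Python example (not from the original post) that pivots the output into 'process -> external TCP peers'. It drops UDP rows (bound sockets, not flows), listeners, CLOSED rows and rows with a '-:0' local address (stale objects netscan carves out of freed pool memory, like the two TCPv6 rows above), and uses the standard library's ipaddress module to discard private, loopback and link-local peers. SAMPLE_NETSCAN is a subset of the output above.

```python
"""Pivot 'netscan' output into process -> external TCP peers (added example,
not from the post).

Keeps only TCP entries with a real peer: UDP rows are bound sockets, not
flows; LISTENING rows have no peer; CLOSED rows and rows with a '-:0' local
address are stale objects netscan carved out of freed pool memory. Private,
loopback, link-local and unspecified peers are dropped with ipaddress.
"""
import ipaddress
from collections import defaultdict

# Subset of the post's netscan output (sample input).
SAMPLE_NETSCAN = """\
Offset(P) Proto Local Address Foreign Address State Pid Owner Created
0x2230cf0 UDPv4 0.0.0.0:3702 *:* 1512 svchost.exe 2016-02-13 20:09:12 UTC+0000
0x754e370 UDPv4 127.0.0.1:55616 *:* 1512 svchost.exe 2016-02-13 20:08:52 UTC+0000
0x125d93200 TCPv6 :::5357 :::0 LISTENING 4 System
0x13de0f890 UDPv4 192.168.113.229:1900 *:* 1512 svchost.exe 2016-02-13 20:08:52 UTC+0000
0x13de23010 TCPv4 192.168.113.229:49209 94.23.50.33:80 ESTABLISHED 3924 Verifikation.e
0x13de3dcf0 TCPv4 192.168.113.229:49207 103.198.0.2:80 CLOSE_WAIT 3924 Verifikation.e
0x13de5c010 TCPv4 192.168.113.229:49208 103.198.0.2:80 CLOSE_WAIT 3924 Verifikation.e
0x13de5d9d0 TCPv6 -:0 3842:3a05:80fa:ffff:3842:3a05:80fa:ffff:0 CLOSED 1076 svchost.exe
0x13f970010 TCPv6 -:0 c829:c703:80fa:ffff:c829:c703:80fa:ffff:0 CLOSED 4 System
"""


def parse_netscan(text):
    """Yield one dict per row. TCP rows carry a State column; UDP rows do not."""
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or not tok[0].startswith("0x"):
            continue  # header or blank line
        proto, local, foreign = tok[1], tok[2], tok[3]
        if proto.startswith("TCP"):
            state, pid = tok[4], int(tok[5])
            owner = tok[6] if len(tok) > 6 else ""
        else:
            state, pid = "", int(tok[4])
            owner = tok[5] if len(tok) > 5 else ""
        yield {"proto": proto, "local": local, "foreign": foreign,
               "state": state, "pid": pid, "owner": owner}


def external_peers(text):
    """Return {(pid, owner): set of 'ip:port'} for globally routable TCP peers."""
    peers = defaultdict(set)
    for rec in parse_netscan(text):
        if not rec["proto"].startswith("TCP"):
            continue
        if rec["state"] in ("LISTENING", "CLOSED") or rec["local"].startswith("-:"):
            continue
        host, port = rec["foreign"].rsplit(":", 1)  # works for v4 and bare v6
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue  # '*' or a partially overwritten address
        if not ip.is_global:
            continue  # private, loopback, link-local, unspecified
        peers[(rec["pid"], rec["owner"])].add("%s:%s" % (ip, port))
    return dict(peers)


if __name__ == "__main__":
    for (pid, owner), eps in sorted(external_peers(SAMPLE_NETSCAN).items()):
        print("%-6d %-16s %s" % (pid, owner, ", ".join(sorted(eps))))
```

On the sample the only process talking to the Internet is PID 3924, with the two IPs identified above; on a real dump the resulting IP list is what goes into the threat-intel lookups and the network IOC list.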
4) Look for code Injection
Malware uses code injection to hide itself inside another, legitimate process. There are two main techniques: DLL injection and process hollowing. From a memory forensics point of view both look the same: one or more memory regions containing executable code inside a valid process that are not backed by a mapped image file.
There are two very good plugins in Volatility for this purpose: malfind and ldrmodules.
malfind searches for private memory regions that are executable (typically PAGE_EXECUTE_READWRITE) and not backed by a file; ldrmodules compares the three loader lists of a process with the images mapped in memory, to spot DLLs that were unlinked from the lists or mapped without going through the loader.
malfind has a very high true-positive rate, but false positives also happen (executable heaps and JIT regions, for example).
volatility --plugins=plugins/ --profile=Win7SP1x64 -f mem-2.dmp malfind --dump-dir=out-after/
Volatility Foundation Volatility Framework 2.5
Process: WmiPrvSE.exe Pid: 2596 Address: 0x1660000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 2, PrivateMemory: 1, Protection: 6
0x01660000 00 00 00 00 00 00 00 00 e0 56 1f 95 eb 19 00 01 .........V......
0x01660010 ee ff ee ff 00 00 00 00 28 01 66 01 00 00 00 00 ........(.f.....
0x01660020 28 01 66 01 00 00 00 00 00 00 66 01 00 00 00 00 (.f.......f.....
0x01660030 00 00 66 01 00 00 00 00 80 00 00 00 00 00 00 00 ..f.............
0x01660000 0000 ADD [EAX], AL
0x01660002 0000 ADD [EAX], AL
0x01660004 0000 ADD [EAX], AL
...
...
..
The output shows a few processes which might have injected code.
Obviously Verifikation.exe itself is not worth checking here, since we already know it is the suspicious process. The rest, after checking, are false positives: in the WmiPrvSE.exe region above, for example, the bytes at offset 0x10 (ee ff ee ff, i.e. 0xFFEEFFEE) are the _HEAP SegmentSignature, so this is an executable heap, not injected code.
With ldrmodules the same analysis is performed and nothing catches my attention.
This piece of malware is not performing any code injection.
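The false-positive check just described (look at the first bytes of each region before dumping it) can be scripted. The following Python is an added example (not from the original post) that parses malfind's headers and hexdumps and sorts each region into 'PE image', 'heap', 'zero-filled' or 'review'. SAMPLE_MALFIND contains the WmiPrvSE.exe region from the output above plus one constructed region (process name, PID and address are placeholders) whose first bytes are a DOS header, so the PE branch is exercised. The heap check relies on the _HEAP SegmentSignature 0xFFEEFFEE at offset 0x10 of a 64-bit heap or 0x08 of a 32-bit heap.

```python
"""Triage of 'malfind' regions by their first bytes (added example, not from
the post).

Verdicts:
  * 'PE image'    - region starts with an MZ header: a PE mapped in private
                    memory with no file behind it, the classic injection hit;
  * 'heap'        - the _HEAP SegmentSignature 0xFFEEFFEE sits at offset 0x10
                    (64-bit heap) or 0x08 (32-bit heap): an executable heap,
                    the false positive seen in WmiPrvSE.exe;
  * 'zero-filled' - nothing written to the region yet;
  * 'review'      - anything else: dump it and disassemble.
"""
import re

# The WmiPrvSE.exe region from the post, plus one CONSTRUCTED region
# (example.exe / PID 9999 are placeholders) whose first bytes are a DOS header.
SAMPLE_MALFIND = """\
Process: WmiPrvSE.exe Pid: 2596 Address: 0x1660000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 2, PrivateMemory: 1, Protection: 6
0x01660000 00 00 00 00 00 00 00 00 e0 56 1f 95 eb 19 00 01 .........V......
0x01660010 ee ff ee ff 00 00 00 00 28 01 66 01 00 00 00 00 ........(.f.....
0x01660020 28 01 66 01 00 00 00 00 00 00 66 01 00 00 00 00 (.f.......f.....
0x01660030 00 00 66 01 00 00 00 00 80 00 00 00 00 00 00 00 ..f.............
0x01660000 0000 ADD [EAX], AL
0x01660002 0000 ADD [EAX], AL

Process: example.exe Pid: 9999 Address: 0x400000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, PrivateMemory: 1, Protection: 6
0x00400000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ..............
0x00400010 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
0x00400000 4d DEC EBP
"""

HEADER_RE = re.compile(r"^Process:\s+(\S+)\s+Pid:\s+(\d+)\s+Address:\s+(0x[0-9a-fA-F]+)")
VAD_RE = re.compile(r"^Vad Tag:.*Protection:\s+(\S+)")
# A hexdump row has exactly 16 two-digit byte pairs; disassembly rows do not.
HEX_RE = re.compile(r"^0x[0-9a-fA-F]+\s+((?:[0-9a-fA-F]{2}(?:\s+|$)){16})")
HEAP_SEGMENT_SIGNATURE = b"\xee\xff\xee\xff"  # 0xFFEEFFEE, little-endian


def parse_malfind(text):
    """Return a list of regions: {process, pid, address, protection, data}."""
    regions = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            regions.append({"process": m.group(1), "pid": int(m.group(2)),
                            "address": int(m.group(3), 16), "protection": "",
                            "data": b""})
            continue
        if not regions:
            continue  # text before the first region header
        m = VAD_RE.match(line)
        if m:
            regions[-1]["protection"] = m.group(1)
            continue
        m = HEX_RE.match(line)
        if m:
            regions[-1]["data"] += bytes.fromhex(re.sub(r"\s", "", m.group(1)))
    return regions


def classify(data):
    """Map the first bytes of a region to a triage verdict."""
    if data[:2] == b"MZ":
        return "PE image"
    if (data[0x10:0x14] == HEAP_SEGMENT_SIGNATURE
            or data[0x08:0x0c] == HEAP_SEGMENT_SIGNATURE):
        return "heap"
    if not data.strip(b"\x00"):
        return "zero-filled"
    return "review"


def triage(text):
    """Return (pid, process, address, protection, verdict) per region."""
    return [(r["pid"], r["process"], r["address"], r["protection"], classify(r["data"]))
            for r in parse_malfind(text)]


if __name__ == "__main__":
    for pid, proc, addr, prot, verdict in triage(SAMPLE_MALFIND):
        print("%-6d %-16s 0x%08x %-24s %s" % (pid, proc, addr, prot, verdict))
```

Run it over the saved malfind output (`volatility ... malfind > malfind.txt`); only the 'PE image' and 'review' regions need to be dumped with `--dump-dir` and looked at by hand. A shellcode stub with no MZ header lands in 'review', which is the right place for it.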
5) Rootkits
The main purpose of a rootkit is to hide information from the OS: processes, network connections, sockets, files, directories, etc. There are several Volatility plugins for this purpose: psxview, modscan, apihooks, ssdt. psxview cross-references seven different ways of enumerating processes, so a process that is visible in some columns and missing from others is a candidate for being hidden:
volatility --plugins=plugins/ --profile=Win7SP1x64 -f mem-2.dmp psxview
Volatility Foundation Volatility Framework 2.5
Offset(P) Name PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
------------------ -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
0x000000013fc88600 WmiPrvSE.exe 2596 True False False True True True True
0x000000013e8859c0 svchost.exe 884 True False False True True True True
0x000000013dc65060 Procmon.exe 3192 True False False True True True False
0x000000013e8d3b10 svchost.exe 956 True False False True True True True
0x000000013f246060 WmiPrvSE.exe 1872 True False False True True True True
0x000000013e107060 conhost.exe 2832 True False False True True True False
0x000000013e8b5b10 svchost.exe 928 True False False True True True True
0x000000013f42a510 wininit.exe 412 True False False True True True True
0x000000013def8b10 Verifikation.e 3924 True False False True True True False
0x000000013f233b10 vmacthlp.exe 692 True False False True True True True
0x000000013e796b10 svchost.exe 1512 True False False True True True True
0x000000013e0d7180 audiodg.exe 1556 True False False True True True True
0x000000013f5d85d0 svchost.exe 1900 True False False True True True True
0x000000013ead8610 SearchIndexer. 1776 True False False True True True True
0x000000013e9c9650 svchost.exe 1076 True False False True True True True
0x000000013e758b10 AppleOSSMgr.ex 1408 True False False True True True True
0x000000013ed19b10 dllhost.exe 2056 True False False True True True True
0x000000013ed75b10 Procmon64.exe 4036 True False False True True True False
0x000000013e047320 explorer.exe 2080 True False False True True True False
0x000000013e8fcb10 svchost.exe 360 True False False True True True True
0x000000013e1ea060 winpmem_1.6.2. 3748 True False False True True True False
0x000000013f25db10 svchost.exe 736 True False False True True True True
0x000000013e092530 vmtoolsd.exe 2300 True False False True True True False
0x000000013e71eb10 armsvc.exe 1376 True False False True True True True
0x000000013f77fb10 svchost.exe 1176 True False False True True True False
0x000000013fb01600 mscorsvw.exe 2924 True False False True True True True
0x000000013ed89940 msdtc.exe 2248 True False False True True True True
0x000000013e82cb10 svchost.exe 816 True False False True True True True
0x000000013eab7440 wmpnetwk.exe 2704 True False False True True True True
0x000000013e689060 svchost.exe 1280 True False False True True True True
0x000000013e018840 taskhost.exe 2176 True False False True True True True
0x000000013e780060 svchost.exe 1472 True False False True True True True
0x000000013eb54350 lsass.exe 528 True False False True True True False
0x000000013e646b10 spoolsv.exe 1248 True False False True True True True
0x000000013e088b10 Bootcamp.exe 2552 True False False True True True False
0x000000013eb2a510 winlogon.exe 476 True False False True True True True
0x000000013e189b10 GWX.exe 1668 True False False True True True False
0x000000013f5ff060 svchost.exe 632 True False False True True True True
0x000000013e77bb10 AppleTimeSrv.e 1444 True False False True True True True
0x00000000075583e0 mscorsvw.exe 2972 True False False True True True True
0x000000013eb61570 lsm.exe 536 True False False True True True True
0x000000013ea8eb10 TrustedInstall 2684 True False False True True True True
0x000000013eb81060 dwm.exe 2468 True False False True True True False
0x000000013e54fb10 VGAuthService. 1636 True False False True True True True
0x000000013eb30b10 services.exe 500 True False False True True True False
0x000000013e109060 cmd.exe 3872 True False False True True True False
0x000000013e5c2b10 vmtoolsd.exe 1700 True False False True True True True
0x000000013f434b10 csrss.exe 420 True False False True False True False
0x000000013ef01b10 csrss.exe 368 True False False True False True True
0x00000000074729c0 System 4 True False False True False False False
0x000000013f66eb10 smss.exe 272 True False False True False False False
0x00000000101f9420 0 False True False False False False False
0x0000000016cb5420 0 False True False False False False False
0x000000013dc39420 0 False True False False False False False
0x0000000036c8a420 0 False True False False False False False
0x0000000122d6c420 0 False True False False False False False
0x00000000b75ee420 0 False True False False False False False
There is no evidence of a rootkit on the system: every named process is visible to pslist, and the only rows that pslist does not see are the nameless PID 0 entries found by psscan, the same ones noted in step 1.
6) Acquiring processes and drivers
The last step is to dump any suspicious process, DLL, driver or memory section for further analysis. The dumps are obtained with dlldump, moddump, procdump, memdump and dumpfiles.
In this case I am going to dump the suspicious process with PID 3924 and submit it to VT.
Note that in some cases you do not want to share your samples with VirusTotal (anything uploaded is shared with the AV industry and other subscribers), so you may prefer to analyse the suspicious file in your own lab with your own sandbox.
To dump the process with PID 3924 I use 'procdump'. Keep in mind that procdump rebuilds the PE from the process's memory image, so the result is not byte-identical to the file on disk (sections are at their in-memory alignment and any unpacking the malware did is already applied), and its hash will not match the original sample's hash.
volatility --plugins=plugins/ --profile=Win7SP1x64 -f mem-2.dmp procdump -p 3924 --dump-dir=out-after/
Volatility Foundation Volatility Framework 2.5
Process(V) ImageBase Name Result
------------------ ------------------ -------------------- ------
0xfffffa8005ef8b10 0x0000000000400000 Verifikation.e OK: executable.3924.exe
Conclusion
I have been able to identify malicious code through memory forensics, following six steps:
- Identify Rogue Processes
- Analyze Process DLLs and Handles
- Review Network Artifacts
- Look for Evidence of Code Injection
- Check for Signs of a Rootkit
- Dump Suspicious Processes and Drivers
Each of these steps gives you evidence of malicious behaviour. In this case it was straightforward to identify the malicious process.
There is no evidence that the malware makes itself persistent. There is also no evidence of code injection or rootkit code to hide itself.
The malware makes TCP connections to suspicious IPs.
Finally, I dumped the malicious process and submitted it to VT, where 16/54 engines detected it as malicious.
The next step is to reverse the malicious code :)