Memory Forensics

For Detecting Malicious Executables


Cyber kill chain
The cyber kill chain methodology is a component of intelligence-driven defense for the identification and prevention of malicious intrusion activities
It helps security professionals to understand the adversary’s tactics, techniques, and procedures beforehand

• Reconnaissance – Gather data on the target to probe for weak points
• Weaponization – Create a deliverable malicious payload using an exploit and a backdoor
• Delivery – Send weaponized bundle to the victim using email, USB, etc.
• Exploitation – Exploit a vulnerability by executing code on the victim’s system
• Installation – Install malware on the target system
• Command and Control – Create a command and control channel to communicate and pass data back and forth
• Actions on Objectives – Perform actions to achieve intended objectives/goals

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly


Information Gathering/Reconnaissance
• Process of collecting as much information as possible about the target network
• First step before mounting an attack
• Objective: identify weak points (known vulnerabilities) to exploit
• Useful information?
• IP address, list of open ports, secure ports, vulnerabilities etc.
• Network info – domain name, IP address, internal domain name, services running (TCP/UDP)
• System info – usernames, routing table config (subnet mask, default gateway), system names, system architecture, passwords etc.
• Organization info – employee details, organization names, location, contact info, security policies.
• Two types of Reconnaissance – Active vs Passive


Passive Reconnaissance
• Information about the target is collected indirectly
• Without direct communication – advantage?
• Collect data publicly available (webpage/application) from third parties.
• Tools: Archive.org, Whois, Netcraft
• Website mirroring
• Search engines and the search operators (filtering) they provide
Active Reconnaissance
• Collect information directly by communicating with the victim system
• Send unusual packets to that server to try and get a response containing information.
• More detailed information
• Risk associated with direct contact
• NMAP (network mapper), Nessus, Metasploit framework
• Mail tracker, DNS enumeration etc.
Weaponization

• Create the attack vector.
• This could include remote access malware, ransomware, or a virus or worm that can exploit a vulnerability identified during the reconnaissance phase
• Identifying the appropriate malware payload based on the analysis
• Creating a new malware payload or selecting, reusing, modifying the available malware payloads based on the identified vulnerability
• Attackers may also try to reduce the likelihood of being detected by any security solutions in place.
Delivery

• Sending phishing emails to employees of the target organization
• Distributing USB drives containing a malicious payload to employees of the target organization
• Performing attacks such as watering hole on the compromised website
• Implementing various hacking tools against the operating systems, applications, and servers of the target organization
Exploitation
• Exploitation triggers the adversary’s malicious code to exploit a vulnerability in the operating system, process, application, or server on a target system.
• At this stage, the organization may face threats such as authentication and authorization attacks, arbitrary code execution, etc.
• Exploit software or hardware vulnerabilities to gain remote access to the target system
Installation
• Downloading and installing malicious software such as backdoors
• Gaining remote access to the target system
• Leveraging various methods to keep the backdoor hidden and running
• Maintaining access to the target system
Command and Control
• Establishing a two-way communication channel between the victim’s system and the adversary-controlled server
• Applying privilege escalation techniques
• The malicious code will typically spread to more computers, creating a botnet
• Result – malware delivery, data theft, shutdown, DDoS, reboot
• Try for persistence
Indicators of Compromise – clues, artifacts, and pieces of forensic data found on the network or operating system of an organization that indicate a potential intrusion or malicious activity

• Unusual outbound traffic and increase in bandwidth usage
• Unusual activity through a privileged user account
• Illegitimate files and software
• Multiple login failures
• Multiple requests for the same file
• Large HTML response size
• Increase in database read volume
• Unusual usage of ports
• Unusual DNS requests
• Malicious emails
• Signs of DDoS
• Service interruption and defacement
• Misplaced data
RAM Contains – Importance in Memory Forensics
• what programs accessed what files
• programs, files and applications executed
• Where open files are/were located on a disk
• Anything typed – password, usernames, email, chats
• Opened web pages – even in private mode
• Web page contents – images, videos
• Decrypted content
• Content that was never on disk
• Network traffic
Why/What of Memory Forensics
• Involves finding and extracting artifacts from a computer’s RAM
• Memory stores valuable information about the runtime state of the system
• Helps determine the applications running on the system and the active network connections
• Some malware samples do not write components to disk (they reside only in memory)
Forensic Value of Memory Forensics
• Idea about user activity – file usage examination – did someone do something on a system?
• Host compromise – memory forensics to identify suspicious processes, network activity, malware triage, persistence, fileless malware
• “Malware can hide but it has to run”
• Memory forensics can help to detect malware by looking for specific indicators or anomalies that suggest malicious activity.
• Malware can be designed to evade detection by hiding or encrypting its files, modifying the registry, injecting code into other processes etc.
• Memory forensics can help to overcome these challenges by accessing the memory directly, without relying on the file system or the operating system.
• Memory forensics can also provide a snapshot of the malware's behaviour and functionality, which can help to identify its purpose, origin, and impact.
• Memory forensics requires a tool (FTK Imager, DumpIt) that can capture and analyze the memory image of a system. A memory image is a file that contains an exact copy of the RAM contents at a given point in time.
• Once the memory image is obtained, it can be loaded into a memory analysis tool, such as Volatility.
• These tools can extract various types of information from the memory image, such as process lists, network connections, registry entries, strings, and malware signatures.
Processes
• A process is an application or part of an application being executed in memory (booting the OS, opening a Word document, a spreadsheet etc. are supported by a number of processes running on the system).
• Processes are created, suspended and terminated by the OS
• PID – process ID number; PPID – parent PID, the process that spawned the child process (in investigations, tracing back the process that spawned the malicious process is important to understand the events that led to the compromise of the system)
• A process also has address space allocated in memory to run

https://dfir-world.tumblr.com/post/669636129468956672/windows-10-core-processes
Interpreting processes for investigative leads (Triage)

• Demo – process view interpretation with System Informer.
• Windows core processes – processes necessary to run the OS
• Attackers target and exploit vulnerabilities in these processes
• Knowing Windows processes and their expected behavior helps
• Example – right click svchost and select Properties – check if the path shown is the expected one – if not, it’s a clue to something malicious
• Check the parent of the process (svchost) in Properties – check parent-child relationships (services.exe-svchost.exe) – if not the expected parent, clue to something malicious
Interpreting processes for investigative leads
• Check the start time – certain processes start at boot time
• Interpretation ex – (lass.exe, lssass.exe, lsasss.exe, etc.) (LSASS.EXE is correct). These “fake” names will not be a child of wininit.exe.
• Another example – scvhost.exe instead of svchost.exe
• Checking the number of known instances
Volatility Tool

• volatilityfoundation.org, open source code
• Python tool for extracting, decoding & analyzing evidence artifacts from memory.
• Command line and GUI versions (Volatility Workbench)
• Volatility standalone version (overcomes Python dependencies)
• Pre-installed on SIFT Workstation
• Supported OS – Windows, Linux, Mac
• Artifact-specific plugins (e.g. running processes)
Volatility in SIFT workstation and Volatility Standalone version

• Command in a terminal --> vol.py --info | more (SIFT workstation)
• In the standalone version on Windows – navigate to the folder in cmd – volatility --info | more
• Shows supported OS (profiles) and plugins with description
Plugins

• Code targeting a specific artifact for specific output (running processes, loaded DLLs, network connections, malware detection etc.)
• List plugins and scan plugins – volatility --info
• imageinfo | kdbgscan plugins – analyse the memory sample to identify the OS, hardware and version profile.
• The profile is used by Volatility to properly parse the memory structures of the sample.
• volatility -f imagepath imageinfo
• Demo – identifying the correct profile from an image
• What are the different profiles – changes in memory structure as the OS is upgraded
pslist
• Equivalent to running Task Manager
• volatility -f imagepath --profile=Win7SP0x86 pslist
• Saving output to a file for later analysis
• volatility -f imagepath --profile=Win7SP0x86 pslist > destination/name.txt
• The saved output can be referred to later to dump any process once its offset is known
Psscan
• Finds terminated processes and processes that may be hidden by malware.
• If attackers unlink their malicious processes from the doubly-linked list, the related processes cannot be viewed via the pslist plugin.
• The psscan plugin doesn’t trust the linked list (called ActiveProcessLinks) of the processes
• Helps to find malware activity that had run and shut down and does not get listed in pslist. Processes that are hidden by malware and terminated processes can also be found
• volatility -f imagepath --profile=Win7SP0x86 psscan
• volatility -f imagepath --profile=Win7SP0x86 psscan > destination/name.txt
• Compare the output of pslist and psscan


Windows Core Processes
Interpreting processes for investigative leads

• Check parent-child relationships (services.exe-svchost.exe)
• Parent (none) – because the parent starts the process and then exits
• Expected path – ex: svchost running from a directory other than system32
• Singleton – should have only one instance running
• Account – ex: wininit.exe running from a user account is a deviation
• Check the start time – certain processes start at boot time
• Interpretation ex – (lass.exe, lssass.exe, lsasss.exe, etc.) (LSASS.EXE is correct). These “fake” names will not be a child of wininit.exe.
• Checking the number of known instances
• svchost – most abused – knowing its expected behaviour helps
Filtering Windows Core Process
• grep as filtering tool
• grep -E -i "(system|wininit|lsass|lsm|services|smss|taskhost|winlogon|iexplore|explorer|svchost|csrss)" destpath/pslist.txt > destpath/pslist_all_wincore.txt
• -i – case insensitive
• Check the parent-child relationship of processes:
• Ex services.exe-svchost.exe for all instances
• Check that the PID of services and the PPID of svchost are the same
• Similarly look for other processes
Filtering Windows Non- Core process
• Ex: to check for misspellings
• grep -E -i -v "(system|wininit|lsass|lsm|services|smss|taskhost|winlogon|iexplore|explorer|svchost|csrss)" destpath/pslist.txt > destpath/pslist_all_non_wincore.txt
• -v – not in list
• Ex: may find scvhost.exe – abuse of the svchost name
Singleton Check
• grep -E -i "(system|wininit|lsass|lsm|services)" dest/pslist.txt > dest/pslist_singleton.txt
• 2 instances of lsass may be a lead to check


Boot Time Check
• grep -E -i "(system|wininit|lsass|lsm|services|smss|csrss)" dest/pslist.txt > pslist_boot_wincore.txt
• Check the system start time and compare with other processes – check if any other process starts long after system boot time.
• Ex: 2 instances of lsass but no anomaly in boot time (5 sec difference) – anomalous nevertheless since it is a singleton.
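The grep filters on the preceding slides (core-process list, parent-child check, singleton check, misspelling check, boot-time check) can be run in one pass. The script below is an added example, not part of the course slides or of the Volatility project. It parses a constructed, trimmed pslist-style listing (offset, name, PID, PPID, ISO start time; not verbatim Volatility output) and reports the four kinds of leads the slides describe. The expected-parent table follows the Windows 7 model (wininit.exe parents services.exe, lsass.exe and lsm.exe; services.exe parents svchost.exe); csrss.exe and wininit.exe are left out of it because their smss.exe parent exits, so an absent parent is normal for them.

```python
from collections import Counter, namedtuple
from datetime import datetime

Proc = namedtuple("Proc", "offset name pid ppid start")

# Constructed sample in a trimmed pslist-like layout (NOT real Volatility
# output): offset, name, PID, PPID, start time as ISO-8601 without spaces.
SAMPLE_PSLIST = """\
0x823c89c8 System            4     0 2012-07-22T02:42:30
0x822f1020 smss.exe        368     4 2012-07-22T02:42:31
0x82298700 csrss.exe       584   376 2012-07-22T02:42:32
0x81e2ab28 wininit.exe     608   376 2012-07-22T02:42:32
0x82311360 services.exe    652   608 2012-07-22T02:42:33
0x81e2a3b8 lsass.exe       664   608 2012-07-22T02:42:33
0x81e2a000 lsm.exe         672   608 2012-07-22T02:42:33
0x82187d08 svchost.exe     824   652 2012-07-22T02:42:34
0x81c47c00 svchost.exe     908   652 2012-07-22T02:42:34
0x81e79560 explorer.exe   1484  1456 2012-07-22T02:42:40
0x81fb3a00 lsass.exe      1720  1484 2012-07-22T02:51:04
0x81e9ed28 scvhost.exe    1940  1484 2012-07-22T02:51:05
0x82024f48 svchost.exe    2080  1484 2012-07-22T02:51:07
"""

# Names are compared lower-cased. Expected parents cover the Windows 7 core
# processes whose parent stays alive (csrss/wininit's smss.exe parent exits).
CORE = {"system", "smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe",
        "services.exe", "lsass.exe", "lsm.exe", "svchost.exe", "taskhost.exe",
        "explorer.exe"}
EXPECTED_PARENT = {"services.exe": "wininit.exe", "lsass.exe": "wininit.exe",
                   "lsm.exe": "wininit.exe", "svchost.exe": "services.exe"}
SINGLETON = {"system", "wininit.exe", "lsass.exe", "lsm.exe", "services.exe"}
BOOT_SET = {"system", "smss.exe", "csrss.exe", "wininit.exe", "services.exe",
            "lsass.exe", "lsm.exe"}

def parse_pslist(text):
    procs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:          # skip headers / blank lines
            continue
        procs.append(Proc(parts[0], parts[1].lower(), int(parts[2]),
                          int(parts[3]), datetime.fromisoformat(parts[4])))
    return procs

def check_parents(procs):
    """Parent-child check, e.g. services.exe -> svchost.exe."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        want = EXPECTED_PARENT.get(p.name)
        if want is None:
            continue
        parent = by_pid.get(p.ppid)
        if parent is None:
            findings.append(f"{p.name} ({p.pid}): parent PID {p.ppid} not in listing")
        elif parent.name != want:
            findings.append(f"{p.name} ({p.pid}): parent is {parent.name} "
                            f"({p.ppid}), expected {want}")
    return findings

def check_singletons(procs):
    counts = Counter(p.name for p in procs if p.name in SINGLETON)
    return [f"{name}: {n} instances, expected 1"
            for name, n in sorted(counts.items()) if n > 1]

def levenshtein(a, b):
    """Edit distance, to catch scvhost.exe / lssass.exe style look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_lookalikes(procs, max_dist=2):
    """Non-core names within max_dist edits of a core name (grep -v cannot do this)."""
    return [f"{p.name} ({p.pid}) resembles {core}"
            for p in procs if p.name not in CORE
            for core in sorted(CORE) if levenshtein(p.name, core) <= max_dist]

def check_boot_time(procs, max_skew_seconds=60):
    """Core processes should start within seconds of System."""
    system = next(p for p in procs if p.name == "system")
    findings = []
    for p in procs:
        delta = (p.start - system.start).total_seconds()
        if p.name in BOOT_SET and delta > max_skew_seconds:
            findings.append(f"{p.name} ({p.pid}) started {delta:.0f}s after System")
    return findings

def triage(text):
    procs = parse_pslist(text)
    return {"parents": check_parents(procs), "singletons": check_singletons(procs),
            "lookalikes": check_lookalikes(procs), "boot": check_boot_time(procs)}

if __name__ == "__main__":
    for section, items in triage(SAMPLE_PSLIST).items():
        print(f"[{section}]", *items, sep="\n  ")
```

On the sample this flags the second lsass.exe three times (wrong parent, second instance of a singleton, started minutes after System), the svchost.exe parented by explorer.exe, and scvhost.exe as a look-alike of svchost.exe. Each finding is a lead to examine, not a verdict: the same process appearing in several checks is what makes it worth dumping first.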
Psscan- Non Core process
• grep -E -i -v "(system|wininit|lsass|lsm|services|smss|taskhost|winlogon|iexplore|explorer|svchost|csrss)" destpath/psscan.txt > destpath/psscan_all_non_wincore.txt
• o/p – q.exe, 3.exe, there in pslist and psscan
• Malware naming conventions
• q.exe started, ran for just 1 min and terminated. It is not there in pslist as it’s a terminated process. What did it do?
• xmcminer.exe found under q.exe with q.exe as PPID, running at a similar time as q.exe, no exit time shown. Not found in pslist either. Thus it is unlinked from the doubly-linked list – investigative lead – examine.
Sorting psscan – view the number of instances of each process
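Comparing pslist with psscan, as the psscan slides and the q.exe / xmcminer.exe walkthrough above do by eye, separates two kinds of psscan-only processes: those with an exit time (terminated, like q.exe) and those without one (unlinked from ActiveProcessLinks, like xmcminer.exe). The script below is an added example, not part of the slides or of Volatility; it works on constructed, trimmed listings (offset, name, PID, PPID, start, exit) rather than real plugin output, and also produces the per-name instance count that sorting psscan output gives you.

```python
from collections import Counter

# Constructed samples in a trimmed listing layout (NOT real Volatility output):
# offset, name, PID, PPID, start, exit ("-" = no exit time recorded).
SAMPLE_PSLIST = """\
0x823c89c8 System            4     0 2012-07-22T02:42:30 -
0x82311360 services.exe    652   608 2012-07-22T02:42:33 -
0x82187d08 svchost.exe     824   652 2012-07-22T02:42:34 -
0x81c47c00 svchost.exe     908   652 2012-07-22T02:42:34 -
0x81e79560 explorer.exe   1484  1456 2012-07-22T02:42:40 -
"""
SAMPLE_PSSCAN = """\
0x023c89c8 System            4     0 2012-07-22T02:42:30 -
0x02311360 services.exe    652   608 2012-07-22T02:42:33 -
0x02187d08 svchost.exe     824   652 2012-07-22T02:42:34 -
0x01c47c00 svchost.exe     908   652 2012-07-22T02:42:34 -
0x01e79560 explorer.exe   1484  1456 2012-07-22T02:42:40 -
0x01fa2c10 q.exe          1936  1484 2012-07-22T02:51:02 2012-07-22T02:52:05
0x01fb8d40 xmcminer.exe   2012  1936 2012-07-22T02:51:20 -
"""

def parse(text):
    """Key rows by (PID, start time): PIDs are reused once a process exits."""
    rows = {}
    for line in text.splitlines():
        offset, name, pid, ppid, start, exit_ = line.split()
        rows[(int(pid), start)] = {"offset": offset, "name": name.lower(),
                                   "ppid": int(ppid),
                                   "exit": None if exit_ == "-" else exit_}
    return rows

def compare(pslist_text, psscan_text):
    pslist, psscan = parse(pslist_text), parse(psscan_text)
    only_scan = {k: v for k, v in psscan.items() if k not in pslist}
    terminated = sorted(k for k, v in only_scan.items() if v["exit"])
    hidden = sorted(k for k, v in only_scan.items() if not v["exit"])
    # Children of a psscan-only process are leads too: a short-lived dropper
    # (q.exe) spawning a longer-lived payload (xmcminer.exe).
    children = {k: sorted(c for c, r in psscan.items() if r["ppid"] == k[0])
                for k in terminated + hidden}
    return {"terminated": terminated, "hidden": hidden, "children": children}

def instance_counts(text):
    """Equivalent of sorting psscan output to see how many of each name ran."""
    return Counter(r["name"] for r in parse(text).values()).most_common()

def report(pslist_text, psscan_text):
    psscan = parse(psscan_text)
    result = compare(pslist_text, psscan_text)
    lines = []
    for label in ("terminated", "hidden"):
        for key in result[label]:
            row = psscan[key]
            lines.append(f"{label}: {row['name']} pid={key[0]} ppid={row['ppid']} "
                         f"start={key[1]} exit={row['exit'] or '-'} "
                         f"offset={row['offset']}")
            for child in result["children"][key]:
                lines.append(f"    child: {psscan[child]['name']} pid={child[0]}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_PSLIST, SAMPLE_PSSCAN)))
    for name, n in instance_counts(SAMPLE_PSSCAN):
        print(f"{n:3d} {name}")
```

The report keeps the psscan offset with each lead because that physical offset is what the later slides feed to dlllist to inspect a process that pslist cannot see.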
Process not starting at Boot Time
Analysis of cridex.vmem file

Observe the standalone process reader_sl.exe running under the explorer process ID
• reader_sl.exe (1640) spawned from explorer.exe (1484)
• alg.exe and wuauclt.exe are part of the winlogon process tree
• explorer and reader_sl started at boot together – investigative lead
• Shows PID 1484 (explorer.exe) and reader_sl.exe are accessing IP addresses – trying to open network connections
• IoC – these IPs may belong to the attacker’s website or botnet
• Analyze process 1640 (PID of reader_sl.exe) – where is it running from?
• cmdline -p 1640
• Running inside pgmfiles\Adobe\Reader_sl.exe – so is it suspicious?
• Upload the executable dump to virustotal.com and check other names of files uploaded. In the organization other systems might contain the file under that name
Analyzing the process dump

• Analyze the dump using strings and dump the contents to a text file – strings 1640.dmp > dest/name.txt
• Can see banking website domains
• Thus the trojan is accessing banking URLs
• Check if the memdump file contains the IP address found initially, to check if it is interacting with it.
• strings 1640.dmp | grep -Fi "41.168.5.140"
• Can see the IP is part of the file. Thus the process is accessing the IP address.
• strings 1640.dmp | grep -C 5 41.168.5.140 (5 lines above and below)
• Can see the IP address in the dump and it is making a POST request
• Sending information to
• May be a directory at the IP address
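The strings / grep -F / grep -C steps above can be scripted so the same checks run over every process dump from an image. The code below is an added example, not part of the slides; it implements a small strings extractor (ASCII plus UTF-16LE, which Windows binaries use heavily), a fixed-string search with context, and a pass that pulls out the artefacts this analysis looked for (the IP, HTTP request lines, URLs). The dump bytes are constructed, not taken from the cridex sample; the IP address is the one quoted in the slides, while the domains and request path are placeholders.

```python
import re

# Constructed stand-in for a memdump/procdump output file: a PE header
# fragment, a UTF-16LE import name, two URLs and an HTTP request, separated
# by non-printable bytes as they would be in a real dump.
SAMPLE_DUMP = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"            # start of a PE header
    b"k\x00e\x00r\x00n\x00e\x00l\x003\x002\x00.\x00d\x00l\x00l\x00"  # UTF-16LE "kernel32.dll"
    b"\x00\x01\x02https://onlinebanking.example/login\x00"           # placeholder domain
    b"\x00\x00https://secure.bank.example/account\x00\x7f\x80"       # placeholder domain
    b"POST /upload/ HTTP/1.1\r\n"                                     # placeholder path
    b"Host: 41.168.5.140\r\n"                                         # IP quoted in the slides
    b"User-Agent: Mozilla/4.0\r\n\r\n"
    b"\x00\x00\x00\x00\x10\x20"
)

def extract_strings(data, min_len=4):
    """Like `strings` (ASCII) plus `strings -el` (UTF-16LE), in file order."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    found += [(m.start(), m.group().decode("utf-16-le")) for m in utf16_re.finditer(data)]
    return [text for _, text in sorted(found)]

def grep_context(lines, needle, context=5):
    """Fixed-string match (grep -F) returning the surrounding lines (grep -C)."""
    windows = []
    for i, line in enumerate(lines):
        if needle in line:
            lo, hi = max(0, i - context), min(len(lines), i + context + 1)
            windows.append(lines[lo:hi])
    return windows

def find_indicators(lines, ip):
    """Artefacts the walkthrough looked for: the C2 IP, request lines, URLs."""
    return {
        "ip_hits": [s for s in lines if ip in s],
        "http_requests": [s for s in lines
                          if re.match(r"(GET|POST|PUT) \S+ HTTP/1\.[01]$", s)],
        "urls": [s for s in lines if re.match(r"https?://", s)],
    }

if __name__ == "__main__":
    strs = extract_strings(SAMPLE_DUMP)
    for key, hits in find_indicators(strs, "41.168.5.140").items():
        print(key, hits)
    for window in grep_context(strs, "41.168.5.140", context=5):
        print("--\n" + "\n".join(window))
```

Searching the IP as a fixed string rather than a regex matters: with grep without -F, the dots in 41.168.5.140 match any character, so 41x168y5z140 would also hit.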
Cridex Banking Trojan
• The trojan gets onto the machine and disguises itself as Adobe Reader
• Watches if someone goes to a banking website and steals their login information
• Sends banking information to the Command and Control server
• Associated with a Russian website, and it can be seen that it changed its IP multiple times
• Remedy measure – block the IP incoming/outgoing
• Check which computers are communicating with the IP
Check for persistence
• See if the malware resides only in memory or on the HDD too
• If found on the HDD it can be triggered when the computer restarts
• The hivelist plugin is used to check persistence gained by malware
• Windows keeps hive data used for running the machine, like registry keys and the data needed to start up the machine (start up values/commands)
• Registry keys store information needed for a long time (ex: screen resolution, list of programs that start at boot)
• Nothing anomalous in the hivelist results
• Of the info kept in the registries, the one we are interested in is located in the start up values at the above location.
Print Keys out of registry location
• The command looks inside the registry and prints out whatever keys are inside of there.
• We find one entry that’s odd
• Program with a weird name (KB00207877.exe) running out of Documents and Settings.
• Associated with the malware – take and reverse engineer
• This indicates a persistence mechanism.
Conclusion
• Turns out that KB00207877.exe is the one loading malware into explorer.exe
• Memory inside explorer replaced by malware, and the malware is the one disguised as explorer now.
• reader_sl spawned out of explorer.exe on boot (IoC) – it also started at the same time as explorer.exe; if it had been done by a user it would have taken some time.
• The reason it starts immediately is that the malware is injecting itself into the explorer process and explorer is starting reader_sl (process hollowing – taking over a non-suspicious process to run)
Analysis of Shylock mem file
• 1752 – explorer.exe
• Localhost connections, as the sample was run in a VM
• Check connections made by process 1752
dlllist
• If a process needs to access any object such as a file, registry key, process or thread, it must first create a handle. The process can then access the object referenced by the handle using this handle
• dlllist is used to view the DLLs loaded by a process
• When a process loads a DLL, it is automatically added to this list
• To view the DLLs of a hidden or unlinked process, we use the physical offset obtained in the psscan output.
DLLs loaded by 1752
• 1752 – explorer should not be running cryptography-related stuff
• Shows places in memory that look suspicious
• Starts with MZ, meaning it is an executable
• Can put the saved executable into VirusTotal
• VAD protection – PAGE_EXECUTE_READWRITE
• Possible sign of tampering with explorer.exe
• Normally it should not be possible to mess with processes while they are running
• Malware, through process injection or hollowing, changes the protection of memory to make it readable and writable
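The explorer.exe finding above rests on a rule that can be applied mechanically to every memory region of a process: a region that is both writable and executable (PAGE_EXECUTE_READWRITE), is not backed by a file on disk, and starts with an MZ header has no legitimate reason to exist, because real images are mapped from their file as PAGE_EXECUTE_WRITECOPY. The code below is an added example, not part of the slides or of Volatility (whose malfind plugin applies a comparable heuristic); the VAD records are constructed to resemble a 32-bit explorer.exe with one injected module and one small RWX stub.

```python
from dataclasses import dataclass

@dataclass
class Vad:
    start: int
    end: int
    protection: str
    file_backed: bool  # mapped from an image/section on disk vs private memory
    head: bytes        # first bytes at the region start, as a hexdump preview shows

# Constructed records, loosely modelled on a 32-bit explorer.exe layout.
SAMPLE_VADS = [
    Vad(0x01000000, 0x010FF000, "PAGE_EXECUTE_WRITECOPY", True, b"MZ\x90\x00"),   # explorer.exe image
    Vad(0x7C800000, 0x7C8F5000, "PAGE_EXECUTE_WRITECOPY", True, b"MZ\x90\x00"),   # kernel32.dll image
    Vad(0x00130000, 0x00230000, "PAGE_READWRITE", False, b"\x00\x00\x00\x00"),    # heap
    Vad(0x01C00000, 0x01C2F000, "PAGE_EXECUTE_READWRITE", False, b"MZ\x90\x00"),  # injected PE
    Vad(0x02D00000, 0x02D01000, "PAGE_EXECUTE_READWRITE", False, b"\x55\x8b\xec"),# RWX code stub
]

SEVERITY = {"HIGH": 2, "MEDIUM": 1}

def classify(vad):
    """Return (severity, reason) for a suspicious region, None for a normal one."""
    if "EXECUTE" not in vad.protection:
        return None                                   # data-only region
    if vad.file_backed:
        if "READWRITE" in vad.protection:
            return ("MEDIUM", "image region mapped writable+executable")
        return None                                   # normal DLL/EXE mapping
    if vad.head[:2] == b"MZ":
        return ("HIGH", "private RWX region starting with MZ: injected/hollowed PE candidate")
    return ("MEDIUM", "private executable region without PE header: shellcode/stub candidate")

def scan(vads):
    """Findings as (start, end, severity, reason), most severe first."""
    findings = []
    for v in vads:
        verdict = classify(v)
        if verdict:
            findings.append((v.start, v.end) + verdict)
    return sorted(findings, key=lambda f: (-SEVERITY[f[2]], f[0]))

def hexdump_head(vad, width=16):
    """One-line hexdump of the region's first bytes, like the preview malfind prints."""
    chunk = vad.head[:width]
    hexpart = " ".join(f"{b:02x}" for b in chunk)
    asciipart = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
    return f"0x{vad.start:08x}  {hexpart:<{width * 3}} {asciipart}"

if __name__ == "__main__":
    for start, end, sev, reason in scan(SAMPLE_VADS):
        vad = next(v for v in SAMPLE_VADS if v.start == start)
        print(f"{sev:6} 0x{start:08x}-0x{end:08x} {vad.protection}: {reason}")
        print("        " + hexdump_head(vad))
```

The MEDIUM bucket exists because not every private executable region is malicious (JIT compilers and some packers allocate RWX memory), so the MZ check is what lifts a hit to HIGH and makes it the first region to dump and submit for scanning.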
Summary