Carving CNC Artifacts using Memory Forensics

Scenario: Investigating the volatile memory of the suspected endpoint.

Approach: In-memory strings extraction

This approach answers the question(s):

How does the malware persist on the system?

      • Remote process injection on svchost.exe:1412

What is the URL used by the malware sample to beacon and contact its owner?

      • http://200.2.126.61:443/upjcb.php?id=003254111D301G0G78

What are the network-based indicators of compromise for this sample?

      • 200.2.126.61
      • 211.232.98.9
      • 128.91.197.123

Below is the detailed step-by-step analysis used to extract valuable information from the given memory sample.

#note: Use a separate isolated machine to perform this task.

In this step, we will extract all the strings inside our captured volatile memory.

In this case, we are using a Windows platform for analysis, so we can use Sysinternals strings.exe to perform this task.

– –

To perform this task,

First, copy strings.exe to the working directory.

Next, open a command prompt and run it as administrator.

Then, run the following syntax: strings -o <memory.dump> > <somestrings>.txt (the -o option prints each string's decimal file offset in front of it, which the Volatility strings plugin needs in the next step).

Depending on the size of the memory dump, this will take some time.

– –

After extraction, we can open the .txt file generated by strings.exe. On their own, these raw strings are of limited value: each one carries only a file offset, not the process it belongs to.

Now, they need to be translated to match their process and address in memory.

In this step, we will translate our newly captured raw strings to memory.

What this does is match each string to its owner process and virtual address.

– –

To perform this task, we will use the Volatility strings plugin.

First, we need to download Volatility.

Next, open a command prompt with administrator privileges.

Then, run the following Volatility syntax:

In Windows: vol.exe -f <mem.dmp> --profile=<OS> strings -s <raw_strings>.txt > <somestrings>.txt

In Linux: python vol.py -f <mem.dmp> --profile=<OS> strings -s <raw_strings>.txt > <somestrings>.txt

– –

After we execute the command, the Volatility strings plugin has mapped each string to its owner process and virtual address.

In the image below, (1) is the raw strings dumped by strings.exe and (2) is the translated strings.

We now have valuable strings that can help us with our investigation.
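To make Steps 1 and 2 concrete, here is an added Python example (my own code, not code from the lab, Sysinternals or Volatility) that does what strings -o does: it pulls printable ASCII and UTF-16LE runs out of a raw dump and writes them as offset:string lines, the layout the Volatility 2 strings plugin reads back through -s. The sample buffer, the function names and the RFC 5737 address in it are constructed for the example.

```python
import mmap
import re
import sys
from typing import List, Tuple

MIN_LEN = 4  # minimum run length, the same default strings.exe uses

# Runs of printable ASCII (strings.exe "ASCII" hits) and runs of printable
# UTF-16LE code units (strings.exe "Unicode" hits, how Windows stores most text).
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)


def extract_strings(data) -> List[Tuple[int, str]]:
    """Return (decimal_file_offset, text) for every string in data, sorted by offset."""
    found: List[Tuple[int, str]] = []
    for m in ASCII_RUN.finditer(data):
        found.append((m.start(), m.group().decode("ascii")))
    for m in UTF16_RUN.finditer(data):
        found.append((m.start(), m.group().decode("utf-16-le")))
    found.sort()
    return found


def to_string_file(data) -> str:
    """Format hits as 'offset:string' lines.

    This is the layout 'strings -o' writes and the Volatility 2 strings
    plugin reads back through -s / --string-file; the offset must be decimal.
    """
    return "".join(f"{off}:{text}\n" for off, text in extract_strings(data))


# Constructed sample "memory" (not from the lab image): 16 NUL bytes, a beacon
# URL using an RFC 5737 documentation address, two NULs, a UTF-16LE process name.
SAMPLE = (
    b"\x00" * 16
    + b"http://192.0.2.10:443/beacon.php"
    + b"\x00\x00"
    + "svchost.exe".encode("utf-16-le")
    + b"\x01\x02\x03"
)


if __name__ == "__main__":
    # Usage: python extract_strings.py <memory.dump> > raw_strings.txt
    # The dump is memory-mapped so a multi-GB image is not read into RAM at once.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh, mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
            sys.stdout.write(to_string_file(mm))
    else:
        sys.stdout.write(to_string_file(SAMPLE))
```

The point worth noticing is the UTF-16LE pass: a process name or path stored by Windows as wide characters never shows up in an ASCII-only scan, so a strings file built without it will leave the Volatility translation step blind to half of what the process actually holds.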

– –

We can now perform Step 3: Extracting CNC artifacts.

In this step, we will use regex to find our strings of interest.

A regex search takes the form of a pattern; every string that matches the pattern will be dumped.

– –

To perform this step, we will use Eric Zimmerman's bstrings.exe tool.

First, download bstrings.exe from EZ Tools.

Next, open a command prompt or PowerShell with administrator privileges.

Then, run the following syntax to list the names of the built-in regex patterns: bstrings.exe -f <file>.txt -p

Finally, we will use the ipv4 regex pattern, fed to the --lr option.

Our syntax will be:

Syntax 1: bstrings.exe -f <file>.txt -p

Syntax 2: bstrings.exe -f <file>.txt --lr ipv4 > <dump>.txt

– –

After searching for ipv4 regex patterns, we can use a text editor to view our dumped strings.

Next, perform a quick search (Ctrl+F) for the "http://" keyword.

Then, use http://<some_ip> as the search keyword.

Now, we can see 5 hits from PIDs 1412, 2424 and 596.
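The bstrings search plus the Ctrl+F pass above can be done in one go over the translated strings file. The following is an added Python example, not part of the lab and not bstrings' code: it parses the offset [pid:vaddr ...] string layout that Volatility 2's strings plugin writes, applies an IPv4 pattern and a URL pattern, drops non-routable addresses (loopback, RFC 1918) so they do not pollute the hit list, and groups what remains by owning PID. The sample lines are constructed (the PIDs, offsets and layout are made up); the three IPs and the beacon URL in them are the ones this lab reports.

```python
import ipaddress
import re
from collections import defaultdict
from typing import Dict, Iterable, Set

# One line of Volatility 2 'strings' output: "<file offset> [<owner:vaddr> ...] <string>",
# where owner is a PID or the word kernel.
LINE = re.compile(r"^(\d+) \[([^\]]*)\] (.*)$")
# Dotted quad with every octet limited to 0-255, the same idea as bstrings' ipv4 pattern
IPV4 = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
URL = re.compile(r"https?://[^\s\"'<>]+")


def is_routable(ip: str) -> bool:
    """Keep only globally routable addresses: loopback, RFC 1918, link-local etc. are noise."""
    return ipaddress.ip_address(ip).is_global


def network_iocs_by_pid(lines: Iterable[str]) -> Dict[str, Set[str]]:
    """Map each owning PID (or 'kernel') to the URLs and routable IPv4s found in its strings."""
    hits: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        m = LINE.match(line.rstrip("\r\n"))
        if not m:
            continue
        owners, text = m.group(2), m.group(3)
        iocs = {ip for ip in IPV4.findall(text) if is_routable(ip)}
        iocs.update(URL.findall(text))
        if not iocs:
            continue
        # A string can be mapped into several address spaces at once;
        # credit every owner listed between the brackets.
        for owner in owners.split():
            hits[owner.split(":", 1)[0]] |= iocs
    return dict(hits)


def report(lines: Iterable[str]) -> str:
    """Plain-text summary, one line per PID, for the investigator."""
    by_pid = network_iocs_by_pid(lines)
    return "\n".join(f"PID {pid}: {', '.join(sorted(iocs))}" for pid, iocs in sorted(by_pid.items()))


# Constructed sample of translated strings: the layout, PIDs and offsets are made up for the
# example; the three IPs and the beacon URL are the ones this lab reports.
SAMPLE = """\
4096 [kernel:80001000] C:\\Windows\\System32\\svchost.exe
20480 [1412:00400000] http://200.2.126.61:443/upjcb.php?id=003254111D301G0G78
20560 [1412:00400050 2424:00350000] 211.232.98.9
20600 [596:7ffd4000] http://128.91.197.123/
20700 [1412:00400100] 127.0.0.1
20800 [2424:00360000] 10.0.0.5
20900 [1412:00400200] Build 5.1.2600.5512
"""

if __name__ == "__main__":
    print(report(SAMPLE.splitlines()))
```

Two details matter in practice: a string that lives in a shared page is credited to every PID Volatility lists for it (the 211.232.98.9 line above lands on both 1412 and 2424), and an octet-limited pattern keeps version numbers such as 5.1.2600.5512 out of the IOC list, where a naive \d+\.\d+\.\d+\.\d+ would let them through.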

– –

Now, we are ready for Step 4: Hunting the Suspicious Process.

In this step, we already know the process IDs that performed the external beacon.

In our case, process IDs 1412, 2424 and 596 are the processes that performed the actions.

We will check these processes using the Volatility pslist plugin.

– –

To perform this task,

First, open a command prompt with administrator privileges.

Next, run the following syntax:

In Windows: vol.exe -f <memdump> --profile=<OS> pslist -p 1412,2424,596

In Linux: python vol.py -f <memdump> --profile=<OS> pslist -p 1412,2424,596

– –

After running the syntax, we can map the PIDs to the following process names.

Process Name: winlogon.exe PID: 596

Process Name: TPAutoConnect PID: 2424

Process Name: svchost.exe PID: 1412

– –

First, we list all svchost.exe processes to compare them and find discrepancies.

We will use piping to filter the process list to svchost.exe only. To do this, run the following syntax:

In Windows: vol.exe -f <memdump> --profile=<OS> pslist | findstr -i "svchost"

In Linux: python vol.py -f <memdump> --profile=<OS> pslist | grep -i "svchost"

Now, we have listed all svchost.exe processes.

– –

We can now view all svchost.exe processes. Can you spot the odd detail?

When listing all svchost.exe processes, all but one have 448 as their Parent Process ID (legitimate svchost.exe instances are started by services.exe).

Remember, we are looking for discrepancies.

Only svchost.exe:1412 has a different Parent Process ID, meaning it was spawned by another process, which is odd.

– –

We have now identified svchost.exe:1412 as the suspected process.

We are now ready for Step 5: Digging Deep on the Suspicious Process.

In this step, we have already identified a suspicious process, svchost.exe:1412.

Quick note: a legitimate svchost.exe resides in C:\Windows\System32; one running from anywhere else is not legitimate.

In this case, we need to know if svchost.exe:1412 is legitimate or not.

– –

To perform this task,

First, we will use the Volatility dlllist plugin. We can run the following syntax:

In Windows: vol.exe -f <memdump> --profile=<OS> dlllist -p <PID>

In Linux: python vol.py -f <memdump> --profile=<OS> dlllist -p <PID>

Next, check whether the process image resides inside the legitimate directory.

– –

In this case, svchost.exe:1412 is a legitimate process because its image is found in C:\Windows\System32.

This should raise the question:

"How is it possible that a legitimate process is contacting a malicious server?"
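Steps 4 and 5 are two checks done by eye on plugin output: which svchost.exe has a parent PID that differs from the others, and whether the image path dlllist reports is really C:\Windows\System32. As an added example (my own code, not the lab's and not Volatility's), the Python below parses the Volatility 2 pslist table and the "Command line :" line of dlllist output and applies both checks. The sample output is constructed: the offsets, dates, and the 1180 parent PID of svchost.exe:1412 are placeholders, since the lab only says that PID differs from 448.

```python
from collections import Counter
from typing import Dict, List, Optional

EXPECTED_DIR = r"C:\Windows\System32"


def parse_pslist(text: str) -> List[Dict[str, object]]:
    """Parse Volatility 2 pslist rows into dicts (name, pid, ppid)."""
    procs: List[Dict[str, object]] = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows start with the EPROCESS offset (0x...); header and separator lines do not
        if len(parts) < 4 or not parts[0].startswith("0x"):
            continue
        procs.append({"name": parts[1], "pid": int(parts[2]), "ppid": int(parts[3])})
    return procs


def ppid_outliers(procs: List[Dict[str, object]], name: str = "svchost.exe") -> List[Dict[str, object]]:
    """Instances of `name` whose parent PID differs from the parent the majority share."""
    group = [p for p in procs if str(p["name"]).lower() == name.lower()]
    if len(group) < 2:
        return []
    majority_ppid, _ = Counter(p["ppid"] for p in group).most_common(1)[0]
    return [p for p in group if p["ppid"] != majority_ppid]


def image_path_from_dlllist(text: str) -> Optional[str]:
    """Pull the executable path out of the 'Command line : ...' line dlllist prints."""
    for line in text.splitlines():
        if line.startswith("Command line :"):
            cmd = line.split(":", 1)[1].strip()
            if cmd.startswith('"'):            # quoted path, may contain spaces
                return cmd[1:].split('"', 1)[0]
            return cmd.split(" ", 1)[0]        # unquoted path, ends at first space
    return None


def in_expected_dir(path: str, expected_dir: str = EXPECTED_DIR) -> bool:
    """Case-insensitive check that the image's directory is exactly expected_dir."""
    directory = path.rsplit("\\", 1)[0] if "\\" in path else ""
    return directory.lower() == expected_dir.lower()


def triage(pslist_text: str, dlllist_text: str, name: str = "svchost.exe") -> Dict[str, object]:
    """Both checks together, the way Steps 4 and 5 do them by hand."""
    path = image_path_from_dlllist(dlllist_text)
    return {
        "ppid_outliers": [(p["pid"], p["ppid"]) for p in ppid_outliers(parse_pslist(pslist_text), name)],
        "image_path": path,
        "image_in_expected_dir": bool(path) and in_expected_dir(path),
    }


# Constructed pslist output (offsets, dates and the parent PID 1180 are placeholders)
SAMPLE_PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c89c8 System                    4      0     53      240 ------      0
0x82258a30 services.exe            448    388     18      326      0      0 2010-01-01 00:00:00 UTC+0000
0x8230f020 winlogon.exe            596    388     23      550      0      0 2010-01-01 00:00:00 UTC+0000
0x8230a020 svchost.exe             820    448     20      194      0      0 2010-01-01 00:00:00 UTC+0000
0x822e0da0 svchost.exe             856    448      9      217      0      0 2010-01-01 00:00:00 UTC+0000
0x82262630 svchost.exe            1030    448     70     1111      0      0 2010-01-01 00:00:00 UTC+0000
0x822d8ae8 svchost.exe            1412   1180     10      120      0      0 2010-01-01 00:00:00 UTC+0000
0x821f0c30 TPAutoConnect          2424    448      1       50      0      0 2010-01-01 00:00:00 UTC+0000
"""

# Constructed dlllist output for PID 1412 (bases and sizes are placeholders)
SAMPLE_DLLLIST = """\
svchost.exe pid:   1412
Command line : C:\\Windows\\System32\\svchost.exe -k netsvcs

Base             Size  LoadCount Path
---------- ---------- ---------- ----
0x01000000     0x6000     0xffff C:\\Windows\\System32\\svchost.exe
0x7c900000    0xaf000     0xffff C:\\Windows\\system32\\ntdll.dll
"""

if __name__ == "__main__":
    print(triage(SAMPLE_PSLIST, SAMPLE_DLLLIST))
```

The outlier test is deliberately relative (the majority parent, not a hard-coded 448) because the PID of services.exe changes from image to image; the path test is deliberately exact so that a copy dropped in C:\Windows\System32\drivers or a C:\Windows\System32 look-alike elsewhere does not pass.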

– –

At this point, we have identified that svchost.exe:1412 is a legitimate process, but the details are not enough.

We are now ready for Step 6: Detecting Process Injection.

We already know that our suspected process is a legitimate process, but that does not make sense, since it is contacting a malicious server.

In this step, we will answer the question "How is that possible?".

From a malware analysis perspective, malware can bypass detection by security tools by performing remote process injection.

This way, malware can use a legitimate process to carry out its malicious intent without being detected by AV or other security products.

– –

We will use the Volatility malfind plugin. What malfind does is look for discrepancies inside process memory: regions whose protection is PAGE_EXECUTE_READWRITE and that are not backed by a file on disk, which is where injected code usually lives.

To detect this type of malware technique,

First, open a command prompt with administrator privileges.

Next, run the following syntax:

In Windows: vol.exe -f <memdump> --profile=<OS> malfind -p <PID>

In Linux: python vol.py -f <memdump> --profile=<OS> malfind -p <PID>

– –

After running Volatility malfind, it flagged the offset address 0x400000.

Why? Because it found a 4d5a (MZ) signature inside the process memory at that address, together with PAGE_EXECUTE_READWRITE memory protection.

#note: When a memory region is assigned PAGE_EXECUTE_READWRITE (0x40) protection, it is writable and executable at the same time, so whatever is written into it can also be run. Malware uses this to inject its code into another process's memory, which is why an executable (4d5a, MZ) header is found at the 0x400000 memory address.

– –

We have now answered our question. We detected that svchost.exe:1412 was used to launch the malicious code found at that specific address.

We are now ready for Step 7: Dumping Suspicious Memory.

In this step, we have already identified that the process svchost.exe:1412 is injected with malicious code, which can be found at the 0x400000 memory address.

We can dump this specific memory region using the Volatility vaddump plugin.

– –

To perform this task,

First, open a command prompt with administrator privileges and run the following syntax:

In Windows: vol.exe -f <memdump> --profile=<OS> vaddump -p <PID> -b <memory_address> -D <dir>

In Linux: python vol.py -f <memdump> --profile=<OS> vaddump -p <PID> -b <memory_address> -D <dir>

– –

Now, we have dumped the suspicious memory region at 0x400000 to disk.
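As an added example (my own code, not Volatility's malfind or vaddump), the Python below reproduces in miniature what Steps 6 and 7 rely on: a malfind-style pass over a process's VAD regions that keeps private PAGE_EXECUTE_READWRITE memory, checks each candidate for an MZ header whose e_lfanew points at a PE signature, carves the region to disk the way vaddump does, and records its SHA-256 for the hash step that follows. The VAD list, the fake PE image, the protection table and the dump file naming are constructed assumptions; only the 0x400000 base and the RWX protection come from the lab, and the heuristic is a simplification of the real plugin's filter.

```python
import hashlib
import os
import struct
from typing import Dict, List

# Windows memory-protection constants, named as Volatility's vadinfo/malfind print them
PROTECTIONS = {
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
}
PAGE_EXECUTE_READWRITE = 0x40


def sha256_hex(data: bytes) -> str:
    """Hash of the carved bytes, the value later submitted to VirusTotal."""
    return hashlib.sha256(data).hexdigest()


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def malfind_candidates(vads: List[Dict]) -> List[Dict]:
    """Simplified malfind heuristic: private memory with RWX protection, then look for a PE header."""
    out = []
    for vad in vads:
        if vad["protection"] != PAGE_EXECUTE_READWRITE or not vad["private"]:
            continue
        out.append({
            "start": vad["start"],
            "end": vad["end"],
            "protection": PROTECTIONS[vad["protection"]],
            "pe_header": looks_like_pe(vad["data"]),
            "sha256": sha256_hex(vad["data"]),
        })
    return out


def dump_region(pid: int, vad: Dict, out_dir: str) -> str:
    """Write one region to disk (the vaddump step); the file name is this example's own convention."""
    os.makedirs(out_dir, exist_ok=True)
    path = os.path.join(out_dir, f"pid{pid}.{vad['start']:#x}-{vad['end']:#x}.dmp")
    with open(path, "wb") as fh:
        fh.write(vad["data"])
    return path


def fake_pe_image(size: int = 0x1000) -> bytes:
    """Constructed stand-in for an injected image: MZ stub, e_lfanew = 0x80, PE signature, no real code."""
    buf = bytearray(size)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\x00\x00"
    return bytes(buf)


# Constructed VAD list for one process (svchost.exe:1412 in the lab). The real list would
# come from Volatility; only the 0x400000 base and its RWX protection are from the page.
SAMPLE_VADS = [
    {"start": 0x400000, "end": 0x400FFF, "protection": 0x40, "private": True, "data": fake_pe_image()},
    {"start": 0x7C800000, "end": 0x7C8FFFFF, "protection": 0x20, "private": False, "data": fake_pe_image()},  # file-backed DLL, normal
    {"start": 0x130000, "end": 0x130FFF, "protection": 0x04, "private": True, "data": bytes(0x1000)},  # heap, RW only
    {"start": 0x600000, "end": 0x600FFF, "protection": 0x40, "private": True, "data": bytes(0x1000)},  # RWX but no PE: still listed
]

if __name__ == "__main__":
    for cand in malfind_candidates(SAMPLE_VADS):
        print(f"{cand['start']:#x}-{cand['end']:#x} {cand['protection']} PE={cand['pe_header']} sha256={cand['sha256']}")
        dump_region(1412, next(v for v in SAMPLE_VADS if v["start"] == cand["start"]), "dumps")
```

Note that the 0x600000 region is reported even though it holds no PE header: shellcode injected without a PE wrapper would look exactly like that, which is why malfind shows a disassembly of the first bytes rather than stopping at the MZ check.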

We are now ready for Step 8: Wrapping up our Investigation.

In this step, we have already identified the malicious process and how it became malicious.

We can now perform further analysis on the memory region dumped from 0x400000.

To perform this task,

– –

First, we collect the hash value of the dumped memory region.

In our case, we use the tool HashMyFiles to get the hash value, to be used later for submission.

– –

Then, we search the strings inside it.

In our case, we use bstrings.exe with the ipv4 regex pattern and found more CNC artifacts aside from the IP address already detected.

– –

Finally, we submit the hash value to the online heuristic platform VirusTotal (virustotal[.]com).

In our case, VT flagged our submitted sample as malicious.

38/71 AV vendors flagged it as malicious, and some named it Win32.Trojan.Einstein.