Hunting Spyware using Memory Forensics

Scenario: You are tasked with investigating an endpoint that has been flagged by the IDS/IPS for contacting a suspicious external server.

Approach: Detecting Clipboard Function Hooking

This approach answers the question(s):

What is the name of the malicious process?

      • iexplore.exe:1560

What technique does this malware use for stealth operation?

      • Remote Process Injection

When was the process started?

      • 2016-04-30 17:41:34 UTC+0000

What type of malware was detected? How so?

      • Spyware or info-stealing malware; it can monitor the keyboard.

In what family and variant does this malware belong?

      • XTREME RAT Family && Gen.Variant.Fugrafa

Below is the detailed step-by-step analysis performed to extract valuable information from the given memory sample.

#note: Use a separate isolated machine to perform this task.

To detect the presence of spyware or info-stealing malware in memory, we need to enumerate the Window Station.

The Window Station holds information about clipboard activity. By analyzing this data source, the analyst can detect clipboard snooping, a typical spyware capability, as well as how frequently the clipboard is used.

To perform this task, we need to run the Volatility wndscan plugin.

– –

First, open a command prompt with administrator privileges and run the following syntax:

In Windows: vol.exe -f <mem.dmp> --profile=<OS> wndscan

In Linux: python vol.py -f <mem.dmp> --profile=<OS> wndscan

– –

We need to pay attention to the details inside spwndClipViewer, which give us an overview of which process is trying to own the clipboard.

In this case, we see IEXPLORE.EXE:1560 in WinSta0, which is a red flag for us: why would an internet-facing process such as Internet Explorer try to access and monitor our clipboard?

– –

With this data we can now start our triage to support the investigation.

From performing this approach, we are able to answer the question:

“What is the name of the malicious process?” A: IEXPLORE.EXE:1560

We now proceed to Step 2: Enumerating the Target Process.

We have now identified our target process by enumerating the Window Station.

We can now list the process using the Volatility pslist and cmdline plugins.

To perform this task:

– –

First, run the Volatility pslist plugin.

In Windows: vol.exe -f <mem.dmp> --profile=<OS> pslist -p 1560

In Linux: python vol.py -f <mem.dmp> --profile=<OS> pslist -p 1560

– –

Next, run the Volatility cmdline plugin to check whether this process is running from its original location.

In Windows: vol.exe -f <mem.dmp> --profile=<OS> cmdline -p 1560

In Linux: python vol.py -f <mem.dmp> --profile=<OS> cmdline -p 1560

In this case, we see that Internet Explorer is a legitimate process running from its expected location.

– –

We have identified that the process is legitimate, but this does not make sense, because this process is monitoring our clipboard.

From performing this approach, we can now answer the following question:

“When was the process started?” A: 2016-04-30 17:41:34 UTC+0000

Now we are ready to dig deeper and proceed to Step 3: Identifying Process Injection.

We identified that our target process is a legitimate Internet Explorer process, but this doesn’t seem right.

We have to dig deeper.

From a malware analysis perspective, we know that malware can inject code into another process (mostly a legitimate one) to carry out its malicious intent and avoid detection.

To hunt for this injection:

– –

First, run the Volatility malfind plugin.

In Windows: vol.exe -f <mem.dmp> --profile=<OS> malfind -p 1560

In Linux: python vol.py -f <mem.dmp> --profile=<OS> malfind -p 1560

In this case, we see that malfind detects discrepancies at virtual address 0x10000000.

– –

What we see from this result is:

Red Flag #1: 0x10000000 has PAGE_EXECUTE_READWRITE memory protection.

Red Flag #2: 5a4d MZ – an executable (PE header) is present at the start of this memory region.

Together, these give us a strong indication that this memory region was injected with malicious code.

– –

Now we have identified the discrepancies and can also see why our target process IEXPLORE.EXE:1560 is behaving oddly.

From this approach, we can now answer the question:

“What technique does this malware use for stealth operation?” A: Remote Process Injection

Now we are ready to proceed to the next step, Step 4: Extraction of the Suspicious Memory Region.

Now we have identified the reason why our target process is monitoring Window Station clipboard activity.

The next step is to extract the memory region that we suspect was injected with malicious code.

To perform this task:

– –

First, we need to dump the identified injected memory region.

In Windows: vol.exe -f <mem.dmp> --profile=<OS> vaddump -p 1560 -b 0x10000000 -D <dir>

In Linux: python vol.py -f <mem.dmp> --profile=<OS> vaddump -p 1560 -b 0x10000000 -D <dir>

In this case, we successfully dumped the suspicious memory region.

– –

Next, we extract strings from our extracted memory region.

The syntax will be like: strings.exe <memoryaddress_dmp> | findstr -i key

We pipe the result to the findstr command to match the “key” keyword case-insensitively.

– –

By performing the actions above, we were able to extract strings.

We can now see that this memory region contains strings such as GetKeyboardState(), TServerKeylogger, etc.

Now we are able to identify that this memory region was injected with keylogger malware.
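As an added example (not from the original walkthrough), the following Python reproduces the checks done by hand in Step 3 and Step 4: it parses Volatility 2 malfind output for the two red flags (PAGE_EXECUTE_READWRITE protection and an MZ header at the start of the region) and runs the equivalent of strings | findstr -i key over the bytes of a dumped region. The malfind text and the dump bytes are constructed stand-ins, not data from the page's memory sample.

```python
import re

# Constructed sample of Volatility 2 malfind output (not the page's real dump);
# the 0x10000000 region mirrors the two red flags the walkthrough describes.
MALFIND_OUTPUT = """\
Process: iexplore.exe Pid: 1560 Address: 0x10000000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 38, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x10000000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............

Process: explorer.exe Pid: 1232 Address: 0x03f20000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x03f20000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
"""

HEADER = re.compile(r"Process: (\S+) Pid: (\d+) Address: (0x[0-9a-fA-F]+)")
PROT = re.compile(r"Protection: (PAGE_\w+)")
HEXLINE = re.compile(r"^0x[0-9a-fA-F]+\s+((?:[0-9a-f]{2} ){1,16})", re.M)

def triage_malfind(text):
    """One dict per malfind hit, with both red flags evaluated (RWX, MZ header)."""
    hits = []
    for block in re.split(r"\n(?=Process: )", text.strip()):
        m = HEADER.search(block)
        if not m:
            continue
        prot = PROT.search(block)           # first Protection: PAGE_* in the block
        first = HEXLINE.search(block)       # first hexdump line of the region
        head = bytes.fromhex(first.group(1)) if first else b""
        hits.append({
            "process": m.group(1), "pid": int(m.group(2)), "address": m.group(3),
            "rwx": bool(prot) and prot.group(1) == "PAGE_EXECUTE_READWRITE",
            "mz_header": head.startswith(b"MZ"),
        })
    return hits

def injected_regions(text):
    """Regions showing both red flags: the ones worth dumping with vaddump."""
    return [h for h in triage_malfind(text) if h["rwx"] and h["mz_header"]]

# Constructed stand-in for a vaddump output file (a few bytes, not a real PE).
DUMP_BYTES = b"MZ\x90\x00" + b"\x00" * 8 + b"GetKeyboardState\x00\x01TServerKeylogger\x00"

def strings_matching(data, keyword, min_len=4):
    """Equivalent of `strings <dump> | findstr -i <keyword>` on the raw bytes."""
    runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    return [r.decode() for r in runs if keyword.lower().encode() in r.lower()]
```

On real output, feed the text of `malfind` and the file produced by `vaddump` to these functions instead of the constructed samples.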

– –

We can now answer the question:

“What type of malware was detected? How so?” A: Spyware or info-stealing malware; it can monitor the keyboard.

Now we proceed to Step 5: Wrapping Up the Investigation.

Now we are able to identify why our target process is behaving oddly.

We can now wrap up our investigation by hashing the extracted memory region and then submitting the hash to VirusTotal.

To perform this task:

– –

First, drag the dumped memory region into the HashMyFiles tool and get the hash value.

Next, submit the hash value to VirusTotal[.]com.

Now we can see that our sample was flagged by VirusTotal as malicious.

We can see that 40/67 AV vendors detect it as malicious, and some label it as Trojan.Fugrafa and RAT.XTREME malware.

– –

We can now answer the following question:

“In what family and variant does this malware belong?” A: XTREME RAT Family && Gen.Variant.Fugrafa.


Through this approach, we were able to detect malware that hooks the clipboard, and we were able to support our theory and then prove it.

We now know how to combine different Volatility plugins to help us with our investigation.

#note: There are other approaches for detecting spyware; this is just one example.

Feel free to explore and identify what suits your need. Happy learning.