Memory analysis is extremely important in incident response, malware analysis and reverse engineering to examine memory of the infected system to extract artifacts relevant to the malicious program. Memory analysis has gained popularity in the context of reverse-engineering malware. Memory analysis can help identify malicious code and explain how the specimen was used on the suspect system.
When performing memory analysis on the suspect system, I try to answer some simple questions in an attempt to identify malicious code:
What processes were running on the suspect system at the time memory image was taken?
What artifacts of previous processes existed?
Are there any active or previous network connections?
What is the purpose and intent of the suspected file?
Are there any suspicious DLL modules?
Are there any suspicious URLs or IP addresses associated with a process?
Are there any suspicious files associated with a process?
Are there any suspicious strings associated with a particular process?
Are there any suspicious files present? Can you extract them?
In this article, we will be performing the memory analysis using the completely open collection of tools called Volatility. Volatility's versatility through the various plugins and ease of use for obtaining basic forensic information for memory image files makes it an invaluable tool in the malware analyst toolbox. While there are other commercially available tools for memory analysis, Volatility is my tool of choice when a memory image file is available.
Assuming we have already done the memory acquisition of the suspect system, the first step is to identify the image file. While you might already know this information, especially if you are the one that performed the memory acquisition, identifying the profile is important when certain plugins may be OS dependent.
Figure 1: ImageInfo
The important information that will be used during the rest of the analysis will be the suggested profile: WinXPSP2x86.
To answer the question of what processes were running on the suspect system at the time of the memory acquisition, we will use pslist to list the processes.
Figure 2: PSList
As we can see, there were quite a few processes running on the suspect system. At first glance there doesn’t appear to be anything suspicious. However, explorer.exe (PID 1752) has a parent process ID (PPID 1696) that is not listed and has spawned a few other processes. Looking at the PPID column for PID 1752 you can see the processes that were spawned from explorer.exe. The processes that were spawned by explorer.exe are suspicious to me because of the functionality of those processes and there's no need for explorer.exe to need that functionality. Based on this information, we will target explorer.exe for analysis.
Let’s look at the network connections that existed on the suspect system. The connections and connscan commands will identify the active and previous network connections, respectively.
Figure 3: Connections
While there were no active connections at the time of the memory acquisition, we can see in the connscan output that several connections were made that are associated with PID 1752. This is odd behavior for explorer.exe. There is no reason for explorer.exe to make network connections to a remote IP. A quick whois of the IP addresses returns:
OrgName: eNET Inc.
Address: 3000 East Dublin Granville Rd.
OrgName: ThePlanet.com Internet Services, Inc.
Address: 315 Capitol
Address: Suite 205
This in and of itself is not necessarily an indicator of some malicious, but it is still suspicious. Further digging using something like spamhaus.org and malwaredomainlist.com may yield additional information if the IP addresses are associated with known malicious activity.
Additionally, running sockets and sockscan will show any listening sockets that may have been initiated by a running process. As suspected, explorer.exe PID 1752 is listed.
Figure 4: Sockets
Since we can conclude that explorer.exe (PID 1752) is suspicious, we will start digging into that process to determine the purpose and intent of the process and find any associated files that can give us an indicator of what the malicious code may be.
By using the malfind plugin, we scan the memory image file or a specified process for suspicious executables that might be malware. In this case, running malfind against PID 1752 yields two suspect processes.
Figure 5: Malfind
Memory sections marked as Page_Execute_ReadWrite, which allows a piece of code to run and write itself, are indicative of code injection and are easy to identify. Code injection is a very common technique for malware to maintain persistence and ensure that the malicious code continues to run. We’ll actually dump those processes for further analysis using the –D option.
We can see that malfind found two Dynamic Linked Libraries (DLLs).
Figure 6: Dumped DLLs
At this point, we could actually take the DLLs that we found and submit them or the md5 hash to virustotal.com to see if it could identify the malware for us. VirusTotal is a free online service that analyzes suspicious files and URLs and provides detection of malware using multiple malware scanning engines. For example:
File Name: process.0x818f5cd0.0x3380000.dmp
Detect Ratio: 6 / 44
Analysis Date: 2012-11-04 21:12:57 UTC
File Name: process.0x818f5cd0.0x36e0000.dmp
Detect Ratio: 17 / 44
Analysis Date: 2012-11-04 21:08:11 UTC
ESET-NOD32: probably a variant of Win32/Agent.COSXJPL
However, let’s continue to use Volatility to see what other information we can find out about the explorer.exe process.
The handles plugin will enumerate the mutant objects for the explorer.exe processes using the –t Mutant option to narrow the search to just the mutant objects. Mutant objects or mutexes as they are more commonly known are global objects that coordinate multiple processes and threads. Mutexes are mainly used to control access to shared resources, and are often used by malware.
Figure 7: Mutexes
By using some of the mutex objects in Google queries, we may be able to identify objects that have been seen in other malware or previous malware reports.
Next, we can dump the Virtual Address Descriptor using the vaddump plugin and examine the dumped sections with the strings command. Strings are the plaintext found within the code.
Figure 8: VADDump
The following images show some of the interesting strings that I found which contained network connection information complete with host domain.
Figure 9: Connection Strings 1
Figure 10: Connection Strings 2
This image shows that the malicious code running on our suspect system is in fact the Shylock Trojan.
Figure 11: Shylock
So, in this quick analysis, we have been able to utilize Volatility to quickly extract key information about the running suspicious explorer.exe process. This also equips us to further analyze this process as well as other associated processes.
Memory analysis is a powerful technique, and with a tool like Volatility it is possible to find and extract the forensic artifacts from the memory. There is much more that we can do with this memory image. For example, you can use apihooks and then drop into volshell for further analysis to include disassembling the process. As a matter of fact, in this blog, we have only begun to scratch the surface on what you can do when you are hunting malware with memory analysis.
Read more on Solutionary Minds about: