Memory Forensics: Analysing an infected Memory

Image with Volatility

College of Technological Innovation - Zayed University, Abu Dhabi

Haifa Al Hosani M80007823

Maryam Yousef M80007809
Shaima Al Shouq M80007780

Submitted to Dr Farkhund Iqbal

Abstract

During the past years, forensic analysis of volatile memory played a major role in cyber-
crimes investigation. Originally, digital forensic examiners mainly relied on memory forensics in
incident response and malware analysis. However, this changed quickly over the past years as
investigators come to realize the contribution of memory forensics in all kinds of investigations,
including, but not limited to intellectual property disputes, cyberterrorism, child exploitation, anti-
forensic examination, discovering vulnerabilities, enhancing security, etc. As traditional network
and endpoint security solutions fail to detect malware written directly to systems’ physical
memory; memory analysis is adopted in return to detect it, especially in scenarios where malware
leaves no traces on non-volatile storage devices and cannot be discovered by security scans. This
paper's discussion will present our critical findings of an infected memory image using the
Volatility framework as well, a substantial amount of volatile data we gathered and analyzed in a
forensically sound manner.

2
Table of Contents

1. Introduction 5
2. Literature Review 6
3. Investigative Methodology 7
4. Implementation and Analysis 8
5. Discussion 17
6. Conclusion and Future Work 18
7. References 19
8. Appendix 20

3
List of Figures

Figure 1: Memory analysis with Volatility Flowchart 7

List of Tables

Table 1: Memory Image Information 5

Table 2: Output of the Pslist Plugin 9
Table 3: Output of the Pstree Plugin 10
Table 4: Output of the Psscan Plugin 11
Table 5: Output of the Psxview Plugin 11
Table 6: Output of the Connscan Plugin 13
Table 7: Output of the Sockscan Plugin 13
Table 8: Output of the Sockets Plugin 13

4
 1. Introduction
Over the past decade, the employment of digital forensics in law enforcement has witnessed
a massive increase, especially in a number of critical areas, such as the investigation of identity
theft, cyber-terrorism, child exploitation, and more. Typically, the method applied to gather the
evidence is primarily focused on "dead" analysis, where investigators recover erased files or
fragments, observe web browsing activities, examines and determines the patterns of file access
from a powered-off system image [6].
Recently, digital forensic practitioners have increasingly begun to recognize the value of
memory forensics. In comparison with traditional forensic approaches, memory forensic
techniques can often confirm suspicions and provide instant results when examining infected
systems. Hence, it is considered as one of the most productive, successful, yet challenging
types of live forensics. The mechanisms applied in memory analysis can reveal a generous
amount of volatile data that might be entirely lost if traditional "pull the plug" forensic methods
were employed. These volatile data can be details about running processes, open network
connections, recently executed commands. As well as other critical data exists solely in the
memory, such as "disk encryption keys, memory-resident injected code fragments, off-the-
record chat messages, unencrypted e-mail messages, and non-cacheable Internet history records
[7]". In addition to details about session and clipboard, loaded dlls, passwords and more [8].
Aside from retrieving and preserving the mentioned artifacts, memory forensics can be further
utilized as an incident response to combat malware, where malware leaves no traces or
detectable trails on non-volatile storage devices. Considering most devices nowadays are
connected to networks, the possibility of a malware running in the system is high and cannot be
ignored. Details concerning the malware can aid the investigation process by providing
information about the stolen data, attacker's IP address, disturbed operations, malicious
activities’ history, suspicious processes, unauthorized access, etc. [6, 8].
Taking into consideration the importance of memory forensics in detecting malware, it is
critical for forensic examiners to attain the required knowledge and understanding of how
malware operate, and in what ways it can be identified from the RAM dump or live memory
image. The work discussed in this paper is exclusively based on the Volatility Framework
which is extremely beneficial for forensic analysts, especially in detecting and identifying
malware in memory image. In this paper, we investigated an infected memory image using
Volatility which is an open-source command line tool for advanced memory forensics. The
paper is organized as follows: Section II discusses the necessary background on memory
forensic and the existing works. Section III outlines the methodology proposed by this
research. Section IV presents the results and discussion, and section V concludes the paper with
closing thoughts in addition to future work.

5
 2. Literature Review
With the increasing number of digital devices that are everywhere surrounding us, the forensic
investigation process becomes more challenging. Investigators today are not just examining a
desktop system for evidence, they examine a full network with a huge number of nodes and digital
devices that are connected to each other. Researchers have come up with a memory forensic
analysis technique in which the investigators analyse the system's volatile memory for forensic
artefacts. These techniques allow investigators to find a large amount of volatile evidence that
would be lost if they examine traditional storage forensic. Volatile evidence includes network
connections, running process, encryption key, chat messages and injected code. Mainly, the
traditional forensic focus only on “dead” analysis and memory forensic focus on the live analysis
of the memory and it gives run time system activities.

Memory forensic analysis is becoming one of the main parts of the digital forensic
investigation. The result of the memory analysis is used in more areas other than presenting it to
the court, such as discovering vulnerabilities, enhancing security and managing cloud security.
Memory acquisition and analysis can be done using different available tools and technique,
different tools are providing different features [1]. Volatility is one of the leading open source
memory forensic platform. It supports memory images from Windows, Linux and Mac OSX
operating systems. Volatility is written in Python and is based on years of published academic
research into advanced memory analysis and forensics [2]. The tool is used for malware analysis as
well. Using Volatility, the investigator can extract information about open network socket, running
process, cashed registry, hidden/ terminated process and DLLs loaded for each process.
WindowsSCOPE cyber forensic is another memory forensic tool for Windows that capture and
examine both virtual and physical memory aiming forensics/incident response, cyber analysis, and
education [3].

Recently, there is an increased focus on volatile memory analysis research. Memory forensic
researcher Andre M. DiMino demonstrate the use of Volatility which is one of the reliable forensic
tools to analyze the Trojan banking malware, they show what command they used as a reference to
other forensic investigators [4]. Other research was undertaken to understand the current Volatility
plugins that is affected by creating Windows Subsystem for Linux (WSL), the research aims is to
highlight the required updates the plugin needs to support WSL and to understand which existing
Volatility plugins are affected by the introduction of WSL to fully support memory forensics of
Windows Subsystem for Linux. Moreover, the research the development of new Volatility analysis
plugins [5].

6
 3. Investigative Methodology
Fig.1 depicts the methodology followed to carry out the analysis on the infected memory
image using the Volatility FrameWork.

Figure 1 Memory analysis with Volatility Flowchart

Part 1:
1. Set up a safe environment: The Oracle VM Virtual Box software [11] was installed, to
allocate a closed and isolated environment from the production environment to keep it safe
and secure.
2. Protect the memory image: Prevent any accidental modifications or changes to the image
sample [12].

Part 2:
Volatility Memory Analysis FrameWork (First Analysis):
1. Collect system and image information: Extracting information about the underlying
system including but not limited to, the suggested profile, the time of the acquisition,
number of processors.

7
 2. Analyse Processes: Processes usually hold valuable information such as executable
program code, execution threads, imported libraries and other elements necessary for a
program to function. Malicious code or malware can run on the victim’s system either as an
individual process or by injecting code into an already running process. Therefore,
analysing processes is an essential aspect of memory forensics [15].
3. Analyse Network Activities: Examining network activities to detect anomalies concerning
the memory image’s last running known state [12].

Part 3:
Volatility Memory Analysis FrameWork (Second Analysis):
Once a rogue process, malware thread, DLL or data file has been identified:
1. Dump the suspicious (process, malware thread, DLL or data file) for further analysis
2. Hash and verify the dumped (process, malware thread, DLL or data file) using virus
analysis services
3. Examine the registry for more information
If no other suspicious (process, malware thread, DLL or data file) can be found:
1. Cease further analysis and document all work, analyses and results so that others can
reproduce results.

4. Implementation and Analysis

This section demonstrates the implementation and analysis conducted on the infected
memory image while applying the methodology outlined in the previous section. The goal
is to gain practical experience investigating and analysing memory images, as well as to
detect anomalies and other indicators or potential infection evidence.

The image sample used in this research is infected with a Trojan Banking Malware known
as “Cridex”, and was discovered in 2012. The malware was designed to add the infected
computer to a botnet and injects itself into the victim’s web browser to steal information,
including banking credentials. This type of malware is known to use anti-forensic
techniques to prevent forensic detection [14,13].

The infected memory image was taken from the following location:
[Link] Its SHA1 hash, in
uncompressed form is demonstrated in the table below:

Table 1 Memory Image Information

Memory Image name Size (MB) SHA1

[Link] 536.9 83021aa1114f409b8014edc4e8e71f9fec560c99

Setting up a safe environment:

After obtaining the infected memory image sample, we set up a controlled environment
using virtualisation. The Oracle VM Virtualbox software [11] was installed, to allocate a
closed and isolated environment from the production environment to keep it safe and
secure. The operating system that have been used for this experiment is “Ubuntu Desktop
18.04.1”.
8
 Protecting the memory image:
The infected memory sample was set as “read-only” using the following command to
prevent any accidental modifications or changes [2]:

~/Desktop/Infectedmem$ sudo chattr +i [Link]

The following steps will examine the output of different volatility plugins used to collect
system and image information, analyse processes and network activities, identify rogue
activities, and examine the registry. A list of the used plugins and their capabilities is
provided in Appendix A [2].

Step 1: The imageinfo plugin

Command used: volatility -f [Link] imageinfo

Volatility Foundation Volatility Framework 2.6
INFO : [Link] : Determining profile based on KDBG search...
Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
AS Layer1 : IA32PagedMemoryPae (Kernel AS)
AS Layer2 : FileAddressSpace (/home/ituser/Desktop/Infectedmem/[Link])
PAE type : PAE
DTB : 0x2fe000L
KDBG : 0x80545ae0L
Number of Processors : 1
Image Type (Service Pack) : 3
KPCR for CPU 0 : 0xffdff000L
KUSER_SHARED_DATA : 0xffdf0000L
Image date and time : 2012-07-22 02:45:08 UTC+0000
Image local date and time : 2012-07-21 22:45:08 -0400

Step 2: The Pstree plugin

Command used: volatility --profile WinXPSP2x86 -f [Link] pstree

Table 2 Output of the pstree Plugin

Name PID PPID Thds Hnds Time

0x823c89c8:System 4 0 53 240 1/1/70 0:00
. 0x822f1020:[Link] 368 4 3 19 7/22/12 2:42
.. 0x82298700:[Link] 608 368 23 519 7/22/12 2:42
... 0x81e2ab28:[Link] 652 608 16 243 7/22/12 2:42
.... 0x821dfda0:[Link] 1056 652 5 60 7/22/12 2:42
.... 0x81eb17b8:[Link] 1512 652 14 113 7/22/12 2:42
.... 0x81e29ab8:[Link] 908 652 9 226 7/22/12 2:42
.... 0x823001d0:[Link] 1004 652 64 1118 7/22/12 2:42
..... 0x8205bda0:[Link] 1588 1004 5 132 7/22/12 2:44
..... 0x821fcda0:[Link] 1136 1004 8 173 7/22/12 2:43
.... 0x82311360:[Link] 824 652 20 194 7/22/12 2:42

9
 .... 0x820e8da0:[Link] 788 652 7 104 7/22/12 2:43
.... 0x82295650:[Link] 1220 652 15 197 7/22/12 2:42
... 0x81e2a3b8:[Link] 664 608 24 330 7/22/12 2:42
.. 0x822a0598:[Link] 584 368 9 326 7/22/12 2:42
0x821dea70:[Link] 1484 1464 17 415 7/22/12 2:42
. 0x81e7bda0:reader_sl.exe 1640 1484 5 39 7/22/12 2:42

Step 3: The pslist plugin

Command used: volatility --profile WinXPSP2x86 -f [Link] pslist

Table 3Output of the Pslist Plugin

Wow6 Exis
Offset(V) Name PID PPID Thds Hnds Sess Start
4 t
0x823c89c
8 System 4 0 53 240 ------ 0
0x822f102
0 [Link] 368 4 3 19 ------ 0 2012-07-22 02:42:31
0x822a059
8 [Link] 584 368 9 326 0 0 2012-07-22 02:42:32
0x8229870 winlogon.e
0 xe 608 368 23 519 0 0 2012-07-22 02:42:32
0x81e2ab2 [Link]
8 e 652 608 16 243 0 0 2012-07-22 02:42:32
0x81e2a3b
8 [Link] 664 608 24 330 0 0 2012-07-22 02:42:32
0x8231136 [Link]
0 e 824 652 20 194 0 0 2012-07-22 02:42:33
0x81e29ab [Link]
8 e 908 652 9 226 0 0 2012-07-22 02:42:33
0x823001d [Link]
0 e 1004 652 64 1118 0 0 2012-07-22 02:42:33
0x821dfda [Link]
0 e 1056 652 5 60 0 0 2012-07-22 02:42:33
0x8229565 [Link]
0 e 1220 652 15 197 0 0 2012-07-22 02:42:35
0x821dea7 [Link]
0 e 1484 1464 17 415 0 0 2012-07-22 02:42:36
0x81eb17b [Link]
8 e 1512 652 14 113 0 0 2012-07-22 02:42:36
0x81e7bda reader_sl.e
0 xe 1640 1484 5 39 0 0 2012-07-22 02:42:36
0x820e8da
0 [Link] 788 652 7 104 0 0 2012-07-22 02:43:01
0x821fcda [Link]
0 e 1136 1004 8 173 0 0 2012-07-22 02:43:46
0x8205bda [Link]
0 e 1588 1004 5 132 0 0 2012-07-22 02:44:01

10
 Step 4: The Psscan plugin

Command used: volatility --profile WinXPSP2x86 -f [Link] psscan

Table 4 Output of the psscan Plugin

Offset(P) Name PID PPID PDB Time Time exited

created
0x0000000002029ab8 [Link] 908 652 0x079400e0 7/22/12
2:42
0x000000000202a3b8 [Link] 664 608 0x079400a0 7/22/12
2:42
0x000000000202ab28 [Link] 652 608 0x07940080 7/22/12
2:42
0x000000000207bda0 reader_sl.exe 1640 1484 0x079401e0 7/22/12
2:42
0x00000000020b17b8 [Link] 1512 652 0x079401c0 7/22/12
2:42
0x000000000225bda0 [Link] 1588 1004 0x07940200 7/22/12
2:44
0x00000000022e8da0 [Link] 788 652 0x07940140 7/22/12
2:43
0x00000000023dea70 [Link] 1484 1464 0x079401a0 7/22/12
2:42
0x00000000023dfda0 [Link] 1056 652 0x07940120 7/22/12
2:42
0x00000000023fcda0 [Link] 1136 1004 0x07940180 7/22/12
2:43
0x0000000002495650 [Link] 1220 652 0x07940160 7/22/12
2:42
0x0000000002498700 [Link] 608 368 0x07940060 7/22/12
2:42
0x00000000024a0598 [Link] 584 368 0x07940040 7/22/12
2:42
0x00000000024f1020 [Link] 368 4 0x07940020 7/22/12
2:42
0x00000000025001d0 [Link] 1004 652 0x07940100 7/22/12
2:42
0x0000000002511360 [Link] 824 652 0x079400c0 7/22/12
2:42
0x00000000025c89c8 System 4 0 0x002fe000

Step 5: The Psxview plugin

Command used: volatility --profile WinXPSP2x86 -f [Link] psxview

Table 5 Output of the Psxview Plugin

Offset(P) Name PID pslist psscan thrdproc pspcid csrss session deskthrd
0x02498700 [Link] 608 True True True True True True True

11
 0x02511360 [Link] 824 True True True True True True True
0x022e8da0 [Link] 788 True True True True True True True
0x020b17b8 [Link] 1512 True True True True True True True
0x0202ab28 [Link] 652 True True True True True True True
0x02495650 [Link] 1220 True True True True True True True
0x0207bda0 reader_sl.exe 1640 True True True True True True True
0x025001d0 [Link] 1004 True True True True True True True
0x02029ab8 [Link] 908 True True True True True True True
0x023fcda0 [Link] 1136 True True True True True True True
0x0225bda0 [Link] 1588 True True True True True True True
0x0202a3b8 [Link] 664 True True True True True True True
0x023dea70 [Link] 1484 True True True True True True True
0x023dfda0 [Link] 1056 True True True True True True True
0x024f1020 [Link] 368 True True True True False False False
0x025c89c8 System 4 True True True True False False False
0x024a0598 [Link] 584 True True True True False True True

Step 6: The Cmdscan Plugin

Command used: volatility --profile WinXPSP2x86 -f [Link] cmdscan
No output.

Step 7: Consoles
Command used: volatility --profile WinXPSP2x86 -f [Link] consoles
no output.

Step 8: The Conscan Plugin

Command used: volatility --profile WinXPSP2x86 -f [Link] Connscan

Table 6 Output of the Connscan Plugin

Offset(P) Local Address Remote Address PID

0x02087620 [Link]:1038 [Link]:8080 1484
0x023a8008 [Link]:1037 [Link]:8080 1484

Step 9: Whois ip [16].

IP Address: [Link]
netname: NeoHost
descr: Neotel_Hosting_Alloction
role: Neotel Operations
address: 44 Old Pretoria Rd,Midrand,JHB
person: Darlington Moyo
address: 44 Old Pretoria Main Road- Midrand - Johannesburg

12
 IP Address: [Link]
netname: SGIC-780627-Jaipur
descr: SHRIRAM GENERAL INSURANCE COMPANY LTD
address: Phase III, New Delhi-110020, INDIA

Step 10 : The Sockscan and the Sockets plugins

Command used: volatility --profile WinXPSP2x86 -f [Link] sockscan

Table 7 Output of the Sockscan Plugin

Offset(P) PID Port Proto Protocol Address Create Time

0x01fd7618 1220 1900 17 UDP [Link] 7/22/12 2:43
0x01fdb780 664 500 17 UDP [Link] 7/22/12 2:42
0x0203f460 4 138 17 UDP [Link] 7/22/12 2:42
0x02076620 1004 123 17 UDP [Link] 7/22/12 2:43
0x020c23b0 908 135 6 TCP [Link] 7/22/12 2:42
0x02325610 788 1028 6 TCP [Link] 7/22/12 2:43
0x02372808 664 0 255 Reserved [Link] 7/22/12 2:42
0x02372c50 664 4500 17 UDP [Link] 7/22/12 2:42
0x0239cc08 4 445 6 TCP [Link] 7/22/12 2:42
0x023f0630 1004 123 17 UDP [Link] 7/22/12 2:43
0x023f0d00 4 445 17 UDP [Link] 7/22/12 2:42
0x02440d08 1484 1038 6 TCP [Link] 7/22/12 2:44
0x02476878 4 139 6 TCP [Link] 7/22/12 2:42
0x02477460 4 137 17 UDP [Link] 7/22/12 2:42
0x024cd2b0 1220 1900 17 UDP [Link] 7/22/12 2:43

Command used: volatility --profile WinXPSP2x86 -f [Link] sockets

Table 8 Output of the Sockets Plugin

Offset(V) PID Port Proto Protocol Address Create

Time
0x81ddb780 664 500 17 UDP [Link] 7/22/12 2:42
0x82240d08 1484 1038 6 TCP [Link] 7/22/12 2:44
0x81dd7618 1220 1900 17 UDP [Link] 7/22/12 2:43
0x82125610 788 1028 6 TCP [Link] 7/22/12 2:43
0x8219cc08 4 445 6 TCP [Link] 7/22/12 2:42
0x81ec23b0 908 135 6 TCP [Link] 7/22/12 2:42
0x82276878 4 139 6 TCP [Link] 7/22/12 2:42
0x82277460 4 137 17 UDP [Link] 7/22/12 2:42
0x81e76620 1004 123 17 UDP [Link] 7/22/12 2:43
0x82172808 664 0 255 Reserved [Link] 7/22/12 2:42

13
 0x81e3f460 4 138 17 UDP [Link] 7/22/12 2:42
0x821f0630 1004 123 17 UDP [Link] 7/22/12 2:43
0x822cd2b0 1220 1900 17 UDP [Link] 7/22/12 2:43
0x82172c50 664 4500 17 UDP [Link] 7/22/12 2:42
0x821f0d00 4 445 17 UDP [Link] 7/22/12 2:42

Step 11: Dumping the (“[Link]” and “reader_sl.exe”) for further analysis using
the memdump and the procdump plugins

Commands Used:
Volatility –f [Link] procdump –p 1484, 1640 –dump-dir=procdump
Volatility –f [Link] memdump–p 1484, 1640 –dump-dir=memdump

md5sum [Link]; md5sum [Link]; md5sum [Link]; md5sum

[Link]

output:
d9aeef106f65b819872c7809d4d531b2 [Link]
1b4664adba7c33a4dd6c497d8814727e [Link]
f5d61a0ccf96e07228a4818918aa33e8 [Link]
12cf6583f5a9171a1d621ae02b4eb626 [Link]

Virus Total Results:

SHA256: e56f3a5dfa6274c668b77700dd5fde4c6ab8fa7e1ff2bb6ed5dce06948907108
File name: [Link]
Detection ratio: 0 / 54

SHA256: a18fa7d736daad7e5453a3ee6f96dd3d73677d46854fc59f467f10c6ae799df8
File name: [Link]
Detection ratio: 0 / 55

SHA256: 48db195007e5ae9fc1246506564af154927e9f3fbfca0b4054552804027abbf2
File name: [Link]
Detection ratio: 26 / 68

SHA256: 5b136147911b041f0126ce82dfd24c4e2c79553b65d3240ecea2dcab4452dcb5
File name: [Link]
Detection ratio: 32/ 70
Step 12: malfind

Command used: volatility --profile WinXPSP2x86 -f [Link] malfind -p

1484

Process: [Link] Pid: 1484 Address: 0x1460000

Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 33, MemCommit: 1, PrivateMemory: 1, Protection: 6

14
 0x01460000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ..............
0x01460010 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
0x01460020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x01460030 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 ................

0x01460000 4d DEC EBP

0x01460001 5a POP EDX
0x01460002 90 NOP
0x01460003 0003 ADD [EBX], AL
0x01460005 0000 ADD [EAX], AL
0x01460007 000400 ADD [EAX+EAX], AL
0x0146000a 0000 ADD [EAX], AL
0x0146000c ff DB 0xff
0x0146000d ff00 INC DWORD [EAX]
0x0146000f 00b800000000 ADD [EAX+0x0], BH
0x01460015 0000 ADD [EAX], AL
0x01460017 004000 ADD [EAX+0x0], AL
0x0146001a 0000 ADD [EAX], AL
0x0146001c 0000 ADD [EAX], AL
0x0146001e 0000 ADD [EAX], AL
0x01460020 0000 ADD [EAX], AL
0x01460022 0000 ADD [EAX], AL
0x01460024 0000 ADD [EAX], AL
0x01460026 0000 ADD [EAX], AL
0x01460028 0000 ADD [EAX], AL
0x0146002a 0000 ADD [EAX], AL
0x0146002c 0000 ADD [EAX], AL
0x0146002e 0000 ADD [EAX], AL
0x01460030 0000 ADD [EAX], AL
0x01460032 0000 ADD [EAX], AL
0x01460034 0000 ADD [EAX], AL
0x01460036 0000 ADD [EAX], AL
0x01460038 0000 ADD [EAX], AL
0x0146003a 0000 ADD [EAX], AL
0x0146003c e000 LOOPNZ 0x146003e
0x0146003e 0000 ADD [EAX], AL

Step 13: dumping processes

Command used: volatility --profile WinXPSP2x86 -f [Link] malfind -p

1484 –D malfind

Output: [Link]

volatility --profile WinXPSP2x86 -f [Link] malfind –D malfind

rw-r--r-- 1 ituser ituser 135168 22:38 10 ‫ ﻓﺑر‬[Link]
-rw-r--r-- 1 ituser ituser 135168 22:38 10 ‫ ﻓﺑر‬[Link]
-rw-r--r-- 1 ituser ituser 16384 22:38 10 ‫ ﻓﺑر‬[Link]
-rw-r--r-- 1 ituser ituser 16384 22:38 10 ‫ ﻓﺑر‬[Link]
-rw-r--r-- 1 ituser ituser 16384 22:38 10 ‫ ﻓﺑر‬[Link]
-rw-r--r-- 1 ituser ituser 16384 22:38 10 ‫ ﻓﺑر‬[Link]
-rw-r--r-- 1 ituser ituser 16384 22:38 10 ‫ ﻓﺑر‬[Link]
-rw-r--r-- 1 ituser ituser 16384 22:38 10 ‫ ﻓﺑر‬[Link]
-rw-r--r-- 1 ituser ituser 16384 22:38 10 ‫ ﻓﺑر‬[Link]

15
 -rw-r--r-- 1 ituser ituser 16384 22:38 10 ‫ ﻓﺑر‬[Link]
-rw-r--r-- 1 ituser ituser 1048576 22:38 10 ‫ ﻓﺑر‬[Link]

Step 14: Generating md5 hashes:

md5sum [Link] ; md5sum

[Link]

Output:
fb367e7c360735a58ac80fe625d9bf5a [Link]
16a6b5e927845866d8a57eb8b7cd718e [Link]

Step 15: Validating and verifying hashes using VirusTotal

Process: process.0x81e7bda0.0x3d0000
SHA256: cbe5f4afd18753839d7e47ee41e6a6c1a1d03e806a77ba7a585ac7b7cad92450
File name: [Link]
Detection ratio: 47 / 68
Analysis date: 2019-02-06 14:56:00 UTC

Microsoft Worm:Win32/Cridex.E
Rising [Link]!8.BB3 (CLOUD)
VBA32 [Link]
NANO-Antivirus [Link]
BitDefender [Link]
AhnLab-V3 Trojan/[Link].C256674

Process: [Link]
SHA256: e00a1143fea8568f5bcbe2793c6b87032ba57f2fdd122266ea799658169d36b2
File name: [Link]
Detection ratio: 50 / 69
Analysis date: 2019-02-06 16:10:28 UTC

Microsoft Worm:Win32/Cridex.E
Rising [Link]!8.BB3 (CLOUD)
VBA32 [Link]
NANO-Antivirus [Link]

Step 16: Examining the registry entry during start up using the Hivelist Plugin

Command used: volatility --profile WinXPSP2x86 -f [Link] hivelist

Volatility Foundation Volatility Framework 2.6

Virtual Physical Name
---------- ---------- ----
0xe18e5b60 0x093f8b60 \Device\HarddiskVolume1\Documents and Settings\Robert\Local
Settings\Application Data\Microsoft\Windows\[Link]

16
 0xe1a19b60 0x0a5a9b60 \Device\HarddiskVolume1\Documents and
Settings\Robert\[Link]
0xe18398d0 0x08a838d0 \Device\HarddiskVolume1\Documents and
Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\[Link]
0xe18614d0 0x08e624d0 \Device\HarddiskVolume1\Documents and
Settings\LocalService\[Link]
0xe183bb60 0x08e2db60 \Device\HarddiskVolume1\Documents and
Settings\NetworkService\Local Settings\Application
Data\Microsoft\Windows\[Link]
0xe17f2b60 0x08519b60 \Device\HarddiskVolume1\Documents and
Settings\NetworkService\[Link]
0xe1570510 0x07669510
\Device\HarddiskVolume1\WINDOWS\system32\config\software
0xe1571008 0x0777f008 \Device\HarddiskVolume1\WINDOWS\system32\config\default
0xe15709b8 0x076699b8
\Device\HarddiskVolume1\WINDOWS\system32\config\SECURITY
0xe15719e8 0x0777f9e8 \Device\HarddiskVolume1\WINDOWS\system32\config\SAM
0xe13ba008 0x02e4b008 [no name]
0xe1035b60 0x02ac3b60 \Device\HarddiskVolume1\WINDOWS\system32\config\system
0xe102e008 0x02a7d008 [no name]

Step 17: Printing Registry keys using the printkey Plugin

Command used: volatility --profile WinXPSP2x86 printkey –K

Registry: \Device\HarddiskVolume1\Documents and Settings\Robert\[Link]

Key name: Run (S)
Last updated: 2012-07-22 02:31:51 UTC+0000
Subkeys:
Values:
REG_SZ [Link] : (S) "C:\Documents and Settings\Robert\Application
Data\[Link]"
----------------------------
Step 17: Determine whether the executable [Link] is associated with the
malicious process or not.

strings [Link] | grep -Fi "[Link]"

strings [Link] | grep -Fi "[Link]"

[Link]
C:\Documents and Settings\Robert\Application Data\[Link](,
[Link]
[Link]
[Link]
C:\Documents and Settings\Robert\Application Data\[Link](,

17
 5. Discussion

This section examines the results collected after following the aforementioned methodology and
procedures on the obtained memory sample.

(First analysis)
In the beginning of the experiment, we used the “imageinfo” plugin to collect system
information and determine the system profile. According to the output, the image appeared to be
running on a WindowsXP computer system with Service Pack 3. It was running with one processor
and was captured on July 22, 2012 at 02:45:08. Next we used the (Pslist, Pstree, Psscan, and
Psxview) plugins to examine the processes that were running on the system. There was no
discernible difference in the output yielded by these plugins, and no indication of compromise was
found, but we found two odd processes named “[Link]” and “reader_sl.exe”, that were one of
the last processes running on the machine. The “reader_sl.exe process was actually started by the
“[Link]”. Generally, the “[Link]” process can be located in the Windows folder, but it
is not a Windows core file, and the technical security rating is (75%) dangerous [16]. Hence these
two processes could be malicious, and further analysis is required.

Following, different state specific plugins were used including the (Consoles, cmdscan, and
the conscan) plugins to list all active network connections, including connections that have been
terminated. The first two plugins (Consoles, cmdscan ) yielded no output. However, the conscan
plugin revealed that there were two established connections to remote ip addresses “[Link]”
and “[Link]” on port “8080”. The process that established these connections was “1484”,
which is in fact [Link]. According to Whois IP service [19], the false remote ip addresses,
“[Link]” and “[Link]” have been determined to belong to private web addresses,
the first one is based in South Africa, and the second one is based in India. The next plugins used
were the Sockscan and Sockets plugins. Both plugins yielded the almost the same output.

(Second analysis)
The purpose of the second analysis was to validate whether or not the processes
(“[Link]” and “reader_sl.exe”) are malicious. To do that, we dumped their process memory
allocations using two different plugins, which are the memdump and procdump plugins. The
“memdump” plugin executed a brief inception of the addressable memory pages in the processes.
The “procdump” plugin dumped the processes into executable file samples [12]. Dumping
processes is a useful task as it may reveal additional information about the processes. Once the
dumping was completed, the dumped files were hashed using the MD5 checksum and then
submitted to Virus Total. Virus Total indicated that the submitted MD5 hash values of the
executable dump processes contain malicious code. Following, to find the malicious code inside
the processes, we used the malfind plugin. The malfind plugin is used to display the suspicious
memory protection of a process. After running the command, the output indicated that the
suspicious memory protection of the process 1484 is “PAGE_EXECUTE_READWRITE”.
Executable files that are loaded normally will have a memory protection of
“PAGE_EXECUTE_WRITECOPY” [17]. Hence we can determine that the process,
“[Link]” was not loaded normally, but was injected. The malfind plugin was also used to
dump the processes containing the injected code. The dumped files were also hashed using the
MD5 checksum, and then submitted to Virus total. Virus Total was successful in detecting the
malware type “Cridex”, as shown in the results in the previous section. Lastly, we examined the
18
registry entry during start up using the hivelist plugin, and printed the subkeys and the values to see
which hive had been changed or modified. The output indicated that only one hive (REG_SZ
[Link] : (S) "C:\Documents and Settings\Robert\Application Data\[Link])
had been modified. The hive included an executable file called “[Link]”. To check
whether this executable is linked to the infected processes (“[Link]” and “reader_sl.exe”), we
searched inside the dumped files of these two processes using the string command. The results
indicated that the executable “[Link]” is indeed linked to the two malicious processes
[18].

6. Conclusion and Future Work

Recently, with the growing sophistication of attack techniques, there has been a high
demand in memory forensics tools and skills. Traditional network and endpoint security measures
including firewalls, antivirus, and antispyware software fail to detect malware injected directly into
the system's physical memory or RAM. Considering that traditional security systems only examine
the input sources i.e., email, networks, USB drives, CD/DVD, keyboards, and often lack the
capability of examining volatile data stored in the memory. Indeed, traditional security solutions
are feasible options to combat malware in BIOS, network storage, and external hard drives.
However, volatile data stored in the memory are predominantly at risk due to attacks that load
malware directly to memory locations reserved for authorized processes. Hence, to protect the vital
data from stealthy attacks, security teams should look more into memory forensics tools and seek
its specialists; as it has proven to be one of the most versatile and powerful means to analyze
systems’ memory [9].
In this paper, we investigated an infected memory image using the Volatility framework
and presented the findings of our analysis in a forensically sound manner. For future research, we
would like to further investigate the detected malware (Cridex). Through conducting a dynamic
malware analysis, we would like to execute the malware in a safe environment to further examine
the changes occurred to the system, possible network communications or modification. Executing
the malware in a controlled and monitored environment can greatly assist with observing the
malware behavior, understanding its functionality, identifying its origin, potential impact, what
kind of data it will download or execute, and what information it might exfiltrate. This might help
us as forensic investigators and incident responders with developing an effective detection and
prevention techniques, as well, keeping us updated with malware evolution to prevent other
security incidents in the future [10].

7. References
[1] R. P. F. F. Tobias Latzo, "A universal taxonomy and survey of forensic memory acquisition
techniques," Elsevier, vol. 28, pp. 56-69, 2019.
[2] "Volatility Foundation," The Volatility Foundation, 2018. [Online]. Available:
[Link] [Accessed 09 Feb 2019].
[3] "WindowsSCOPE Cyber Forensics 3.2," WindowsSCOPE Group, 2016-2017. [Online].
Available: [Link] [Accessed 09 Feb
2019].
19
 [4] A. M. DiMino, "Cridex Analysis using Volatility," 07 August 2012. [Online].
Available:[Link]
[Accessed 09 Feb 2019].
[5] A. A.-G. G. G. NathanLewisc, "Memory forensics and the Windows Subsystem for Linux,"
Elsevier , vol. 26, pp. S3-S11, July 2018.
[6] A. Case, & G.G. Richard. (2017). Memory forensics: The path forward. Digital
Investigation, 20, 23-33.
[7] M. Ligh, A. Case, J. Levy, A. Walters. (2014). The Art of Memory Forensics: Detecting
Malware and Threats in Windows, Linux, and Mac Memory. Wiley, New York.
[8] P. H. Rughani, ForMaLity: Automated FORensic MAlware Analysis using VolatiLity, vol.
8, no. 0976-5697, Mar. 2017.
[9] Digital Guardian. (2019). What Are Memory Forensics? A Definition of Memory Forensics.
[online] Available at: [Link]
memory-forensics [Accessed 5 Feb. 2019].
[10] J. Scott, (2017) Detecting malware through static and dynamic techniques. NTT Security.
[Online]. Available at: [Link]
through-static-and-dynamic-techniques. [Accessed: 10-Feb-2019].
[11] VirtualBox, "Oracle VM VirtualBox", [Link], 2019. [Online]. Available:
[Link] [Accessed: 11- Feb- 2019].
[12] R. Carbone, "Malware memory analysis for non- specialists", [Link], 2013.
[Online]. Available: [Link]
[13]"[Link] | Symantec", [Link], 2019. [Online]. Available:
[Link] [Accessed: 11- Feb-
2019].
[14] ]A. P. Heriyanto, "What is the Proper Forensics Approach on Trojan Banking Malware
Incidents?", 2012. [Online]. Available:
[Link]
dt=0%2C5&q=Cridex+malware&btnG=&httpsredir=1&article=1106&context=adf. [Accessed:
11- Feb- 2019].

[15]S. Anson, Windows Memory Analysis with Volatility. Forward defense, 2017.
[16] "WHOIS IP Lookup Tool | UltraTools", [Link]. [Online]. Available:
[Link] [Accessed: 11- Feb- 2019].
[17]Monnappa K A, "What Malware Authors Don't Want You to Know - Evasive Hollow
Process Injection", [Link]. [Online]. Available: [Link]
17/materials/asia-17-KA-What-Malware-Authors-Don%27t-Want-You-To-Know-Evasive-
[Link]. [Accessed: 11- Feb- 2019].
[18] First steps to volatile memory analysis – P4N4Rd1 – Medium", Medium, 2019. [Online].
Available: [Link]
dcbd4d2d56a1. [Accessed: 11- Feb- 2019].
[19] W. [Link], "Windows [Link] Windows process - What is it?", [Link].
[Online]. Available: [Link]

20
 8. Appendix
Appendix A: The table below represents a list of all the plugins used in this experiment and
their capabilities as per the (volatility –h) output.

Plugin Capabilities
imageinfo Identify information for the image


Pslit Print all running processes by following the EPROCESS lists

pstree Print process list as a tree

psscan Scan Physical memory for _EPROCESS pool allocations

psxview Find hidden processes with various process listings

cmdscan Extract command history by scanning for _COMMAND_HISTORY

connection Print list of open connections [Windows XP and 2003 Only]

sockets Print list of open sockets

sockscan Scan Physical memory for _ADDRESS_OBJECT objects (tcp sockets)

procmem Dump a process to an executable memory sample


memdump Dump the addressable memory for a process


hivelist Print list of registry hives.


21
 printkey Print a registry key, and its subkeys and values


Malfind Find hidden and injected code


Appendix B:
Virus Total Results of the dumped files using the malfind plugin:

5c061497b14902ad36a6c042524d60c9 [Link]

SHA256: 5859fbfe263e0d352560a48606b78f5469faf80ca27121ad1d38934dfd885f22
File name: [Link]
Detection ratio: 0 / 60
Analysis date: 2018-06-05 06:31:54 UTC ( 8 months, 1 week ago )

ca40c3956582159c63329d4ec5231330 [Link]

SHA256: 33d017e2e5231b607b08d02308a602c5bd96fd98660eac9d3bb87d1c236f91e7
File name: [Link]
Detection ratio: 0 / 59
Analysis date: 2018-06-05 06:34:17 UTC ( 8 months, 1 week ago )

4a63f6d2e033826cae9900f5365ec9b9 [Link]

SHA256: 01afe692c59b6c02c45186fda17b6c30827bee4f7d534e21872eb58b1609c7e4
File name: 608_2.dmp
Detection ratio: 0 / 55
Analysis date: 2017-06-15 08:25:52 UTC ( 1 year, 8 months ago )

1cd6bb015516b72ad745ce9ec6c75c54 [Link]

SHA-256 4fb69ea0e369eb1a685067dae30c682b1405dad14656e20a1eb2828dc1106220
File name 608_3.dmp
File size 16 KB
Last analysis 2017-06-15 08:26:09 UTC

804b5f296f2879a78a4afb39f8126b37 [Link]

SHA-256 2b7ca4a6a48cbe6ff854b992dec063aa91bbb96d656439080113c72dc8f99a87
File name 608_5 (4).dmp
File size 16 KB
Last analysis 2017-06-15 08:27:23 UTC
Community score -44
22
4115e105c82319730a2f9d6a9ed65648 [Link]

SHA-256 f5a23fcb3b04519ac33707e8fd96752efbd2d47002def6c664103f57140847a9
File name 608_4.dmp
File size 16 KB
Last analysis 2017-06-15 08:26:25 UTC

23