Memory Investigations
Analyzing an image of RAM has become a staple of investigations
First, we need to collect memory (WinPmem)
Then we use the same strategies for examining memory images as on live systems
E:\> .\winpmem_mini.exe .\win10.0.22000.556.raw
Memory forensics, the analysis of RAM images, is essential in digital investigations because memory holds valuable data that never reaches disk. Additionally, analyzing a memory snapshot rather than the live system means the evidence does not change while it is being examined.
Volatility Overview
Volatility is a Python framework for analyzing memory
Runs on Windows, macOS, Linux
Analyzes Windows, macOS, and Linux memory captures
Specify a memory capture and a desired plugin for analysis
Listing Processes
sec504@slingshot:~$ vol -q -f win10.0.22000.556.raw windows.pslist.PsList
Volatility 3 Framework 2.0.2
PID PPID ImageFileName CreateTime
4 0 System 2022-03-28 11:10:44.000000
344 4 smss.exe 2022-03-28 11:10:44.000000
640 564 lsass.exe 2022-03-28 11:10:52.000000
5248 640 nc.exe 2022-03-28 11:31:56.000000
2612 5248 conhost.exe 2022-03-28 11:31:56.000000
...
The windows.pslist.PsList plugin lists processes, similar to live analysis tools like Get-Process. The output shows details such as the process name, PID, PPID, start time and, for a process that has exited but whose EPROCESS block is still linked in the list, the exit time. Process names are truncated to 14 characters because the ImageFileName field of the Windows EPROCESS structure is a fixed-size buffer.
Parent and Child Processes
sec504@slingshot:~$ vol -q -f win10.0.22000.556.raw windows.pstree.PsTree
Volatility 3 Framework 2.0.2
PID PPID ImageFileName CreateTime
4 0 System 2022-03-28 11:10:44
* 344 4 smss.exe 2022-03-28 11:10:44
564 448 wininit.exe 2022-03-28 11:10:52
* 640 564 lsass.exe 2022-03-28 11:10:52
** 5248 640 nc.exe 2022-03-28 11:31:56
*** 2612 5248 conhost.exe 2022-03-28 11:31:56
The windows.pstree.PsTree plugin creates a visual representation (in text) of the parent-child relationships for running processes.
Scanning for Network Connections
sec504@slingshot:~$ vol -q -f win10.0.22000.556.raw windows.netscan.NetScan
Volatility 3 Framework 2.0.2
Proto LocalAddr Port State PID Owner
TCPv4 0.0.0.0 49667 LISTENING 1844 svchost.exe
TCPv4 0.0.0.0 49667 LISTENING 1844 svchost.exe
TCPv4 10.10.0.4 139 LISTENING 4 System
TCPv4 0.0.0.0 135 LISTENING 948 svchost.exe
TCPv4 0.0.0.0 49665 LISTENING 564 wininit.exe
TCPv4 0.0.0.0 49664 LISTENING 640 lsass.exe
UDPv4 10.10.0.4 137 0 4 System
UDPv4 10.10.0.4 138 0 4 System
TCPv4 0.0.0.0 1508 LISTENING 5248 nc.exe
TCPv4 0.0.0.0 49670 LISTENING 3220 svchost.exe
The windows.netscan.NetScan plugin scans memory for network-related data, including active connections and listening sockets, similar to the netstat command or PowerShell's Get-NetTCPConnection and Get-NetUDPEndpoint cmdlets. The example shows its output.
Process Command Line
sec504@slingshot:~$ vol -q -f win10.0.22000.556.raw windows.cmdline.CmdLine
Volatility 3 Framework 2.0.2
PID Process Args
4 System Required memory at 0x20 is not valid (process exited?)
948 svchost.exe C:\Windows\system32\svchost.exe -k RPCSS -p
1012 svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1040 svchost.exe C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s HvHost
3532 MsMpEng.exe "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2202.4-0\MsMpEng.exe"
5248 nc.exe C:\Windows\System32\nc.exe -Ldp 1508 -e cmd.exe
3264 cmd.exe Required memory at 0xc88aa08020 is not valid ...
The windows.cmdline.CmdLine plugin shows the process ID, process name, and command line for processes that were running when the image was collected. A "Required memory at ... is not valid" entry means the pages holding that process's parameters were not available in the capture, typically because they were paged out or the process had already exited.
windows.dlllist.DllList: List DLLs for processes
windows.driverscan.DriverScan: Scan for driver objects (kernel-mode drivers)
windows.envars.Envars: List environment variables
windows.filescan.FileScan: Scan for file objects
windows.dumpfiles.DumpFiles: Carve out files
windows.info.Info: Examine Windows version information
windows.hashdump.Hashdump: Retrieve password hashes
windows.privileges.Privs: List privileges by process
windows.registry.hivelist.HiveList: List registry hive offsets
windows.registry.printkey.PrintKey: Print a registry key (select the hive with --offset)
windows.registry.userassist.UserAssist: Enumerate programs run from the Start menu
windows.registry.certificates.Certificates: List trusted certificates in the Windows certificate store
windows.svcscan.SvcScan: List services (service name, display name, and PID)
Applying Memory Investigation
Memory investigation steps are similar to live investigation steps:
We use Volatility to analyze memory instead of PowerShell cmdlets
The analysis process starts with the EOI:
Suspicious process? Start with PsList and PsTree
Suspicious network listener? Start with NetScan, then move to processes
Suspicious program? Start with CmdLine, then processes
Memory analysis, like live investigations, starts with an event of interest (EOI). For suspicious processes, use Volatility's PsList and PsTree plugins to examine process details (name, ID, parent ID, start time). For suspicious network listeners, the NetScan plugin identifies IPs, ports, process names, connection status, and process IDs, which can then be further analyzed using PsList and PsTree. For suspicious programs, start with the CmdLine plugin and proceed with detailed process analysis using PsList and PsTree.
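The pivot described above (a NetScan hit, then PsList/PsTree, then the creation times that make up a timeline) written as a small shell script. This is an added example, not course material: it runs against constructed copies of the nc.exe sample output shown earlier rather than a real image, and the file names, function names and output format are this example's own. Columns are found by header name, so the same functions work on the full tab-separated output of vol -q.

```shell
#!/bin/sh
# Added example, not from the course material: pivot from a NetScan hit to the
# owning process, then walk its ancestry and creation times in PsList output.
# Columns are located by header name, so the functions work both on the
# abbreviated output shown above and on the full tab-separated output of
# `vol -q` (PID, PPID and ImageFileName are its first three columns).
set -eu

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Constructed sample files, trimmed to the columns shown on this page.
cat > "$workdir/netscan.txt" <<'EOF'
Volatility 3 Framework 2.0.2

Proto LocalAddr Port State PID Owner
TCPv4 0.0.0.0 135 LISTENING 948 svchost.exe
TCPv4 0.0.0.0 49664 LISTENING 640 lsass.exe
TCPv4 0.0.0.0 1508 LISTENING 5248 nc.exe
TCPv4 0.0.0.0 1508 LISTENING 5248 nc.exe
UDPv4 10.10.0.4 137 0 4 System
EOF

cat > "$workdir/pslist.txt" <<'EOF'
Volatility 3 Framework 2.0.2

PID PPID ImageFileName CreateTime
4 0 System 2022-03-28 11:10:44.000000
344 4 smss.exe 2022-03-28 11:10:44.000000
564 448 wininit.exe 2022-03-28 11:10:52.000000
640 564 lsass.exe 2022-03-28 11:10:52.000000
5248 640 nc.exe 2022-03-28 11:31:56.000000
2612 5248 conhost.exe 2022-03-28 11:31:56.000000
EOF

# netscan_pids <netscan.txt> <regex>: print "PID Owner" for every row matching
# the regex (an IP, a port, a process name).  NetScan frequently lists the same
# socket twice, hence sort -u.
netscan_pids() {
  awk -v pat="$2" '
    !hdr { for (i = 1; i <= NF; i++) col[$i] = i
           if ("PID" in col && "Owner" in col) hdr = 1
           next }
    NF && $0 ~ pat { print $(col["PID"]), $(col["Owner"]) }
  ' "$1" | sort -u
}

# ancestry <pslist.txt> <pid>: one line, child <- parent <- ... .  A parent
# missing from PsList is reported, not dropped: it may have exited (smss.exe
# exits after starting wininit.exe) or been unlinked from the process list.
# The depth cap stops an apparent loop caused by PID reuse.
ancestry() {
  awk -v start="$2" '
    !hdr { if ($1 == "PID") hdr = 1; next }
    NF   { name[$1] = $3; parent[$1] = $2 }
    END {
      pid = start; out = ""; sep = ""
      for (d = 0; d < 64 && pid != 0 && (pid in name); d++) {
        out = out sep name[pid] "[" pid "]"
        sep = " <- "; pid = parent[pid]
      }
      if (pid != 0 && !(pid in name)) out = out sep "?[" pid " not in pslist]"
      print out
    }
  ' "$1"
}

# timeline <pslist.txt> pid...: "CreateTime  parent[PPID] -> child[PID]" for
# the given PIDs, oldest first; the raw material for an incident timeline.
timeline() {
  f=$1; shift
  awk -v want="$*" '
    BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) keep[w[i]] = 1 }
    !hdr { for (i = 1; i <= NF; i++) col[$i] = i
           if ($1 == "PID") hdr = 1
           next }
    NF { name[$1] = $3; ppid[$1] = $2
         ctime[$1] = $(col["CreateTime"]) " " $(col["CreateTime"] + 1) }
    END {
      for (p in keep) if (p in name) {
        par = (ppid[p] in name) ? name[ppid[p]] : "?"
        print ctime[p] "  " par "[" ppid[p] "] -> " name[p] "[" p "]"
      }
    }
  ' "$f" | sort
}

# Listener on 1508 -> owning process -> where it came from -> when.
netscan_pids "$workdir/netscan.txt" '[[:space:]]1508[[:space:]]'
# 5248 nc.exe
ancestry "$workdir/pslist.txt" 5248
# nc.exe[5248] <- lsass.exe[640] <- wininit.exe[564] <- ?[448 not in pslist]
timeline "$workdir/pslist.txt" 5248 2612
```

The ancestry line is the finding: lsass.exe has no business spawning nc.exe, and the missing PID 448 is the expected smss.exe instance that exits after starting wininit.exe, so it is not itself suspicious. Treat a missing parent that should still be running, or a chain that hits the depth cap, as something to check with a scan-based plugin rather than the linked list alone.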

Lab 1.3: Memory Investigation
In this lab we will analyze memory evidence from the Falsimentis compromise.
Preprocessing with Volatility
Let's run Volatility's vol command once for each of the following plugins, saving the output of each run to a file.
windows.netscan.NetScan
windows.pstree.PsTree
windows.pslist.PsList
windows.cmdline.CmdLine
windows.filescan.FileScan
windows.dlllist.DllList
vol -q -f FM-TETRIS.mem windows.netscan.NetScan > fm-tetris.netscan.txt
vol -q -f FM-TETRIS.mem windows.pstree.PsTree > fm-tetris.pstree.txt
vol -q -f FM-TETRIS.mem windows.pslist.PsList > fm-tetris.pslist.txt
vol -q -f FM-TETRIS.mem windows.cmdline.CmdLine > fm-tetris.cmdline.txt
vol -q -f FM-TETRIS.mem windows.filescan.FileScan > fm-tetris.filescan.txt
vol -q -f FM-TETRIS.mem windows.dlllist.DllList > fm-tetris.dlllist.txt

Instead of running all of these commands individually, we could opt to run them all at once using a shell loop. The loop strips the windows. prefix and the class name from each plugin name so that the output files get the same short names (fm-tetris.netscan.txt and so on) that the rest of the lab greps:
for plugin in windows.netscan.NetScan windows.pstree.PsTree windows.pslist.PsList \
              windows.cmdline.CmdLine windows.filescan.FileScan windows.dlllist.DllList; do
    short=${plugin#windows.}; vol -q -f FM-TETRIS.mem $plugin > fm-tetris.${short%.*}.txt
done
Preprocessing with Strings
Let's use the Linux strings utility to extract ASCII, 16-bit little-endian, and 16-bit big-endian strings from the memory image for preprocessing analysis.
strings FM-TETRIS.mem > fm-tetris.strings-asc.txt # ASCII
strings -e l FM-TETRIS.mem > fm-tetris.strings-unile.txt # 16-bit little endian
strings -e b FM-TETRIS.mem > fm-tetris.strings-unibe.txt # 16-bit big endian

By default, the strings command extracts ASCII text. The -e l option extracts 16-bit little-endian strings, which matters on Windows because the operating system stores text internally as UTF-16LE, so most file paths, registry data, and command lines appear only in this output. The -e b option extracts 16-bit big-endian strings. All three formats (ASCII, little-endian, big-endian) can reveal valuable system information.
Examining Network Connections
From Lab 1.2, we identified beacon traffic from Falsimentis systems to the site www1-google-analytics.com (IP: 167.172.201.123). Now, let's search for processes communicating with this IP.
grep 167.172.201.123 fm-tetris.netscan.txt

Notice the name of the process that connected to the suspicious IP address: analytics.exe, with process ID 5736.
Next, let's see if analytics.exe is communicating with any other sites using grep again.
grep analytics.exe fm-tetris.netscan.txt

From examining the output, it appears the only remote system analytics.exe was connected to was 167.172.201.123, at least at the time of capture.
Examining Processes
Let's examine the running processes using the windows.pslist.PsList and windows.pstree.PsTree plugins. These show details like process name, ID, and parent-child relationships, with PsTree providing a visual representation for easier analysis.
grep -C 3 analytics.exe fm-tetris.pstree.txt

In this grep command, the -C 3 argument displays three lines of context before and after each string match.
This is an odd-looking process tree. ONENOTE.EXE (process ID 8016) spawned cmd.exe (process ID 4452). This cmd.exe spawned analytics.exe (process ID 2532). This copy of analytics spawned another copy of analytics.exe (process ID 5736). The second analytics.exe spawned another cmd.exe (process ID 5804). ONENOTE.EXE also spawned a random-looking process named bJKRJiSAnPkf.e (process ID 5568).
Examining File Objects
Next let's examine file objects to see if there is anything else useful for our analysis.
grep analytics.exe fm-tetris.filescan.txt
grep bJKRJiSAnPkf.e fm-tetris.filescan.txt

The output shows analytics.exe is in the \Windows\System32 directory, which helps in creating indicators for detecting the malware on a system.
Examining Loaded DLLs
Next, let's take a look at loaded DLLs and command lines for the processes of interest ( analytics.exe and bJKRJiSAnPkf.e ).
grep -C 5 analytics.exe fm-tetris.dlllist.txt

Volatility cannot list DLLs for the analytics.exe process, most likely because the pages holding its loader data were paged out or changed while the image was being captured.
Examining Command Lines
Next, let's check for any command line details associated with the analytics.exe process.
grep analytics.exe fm-tetris.cmdline.txt

The memory capture does not yield command line details for the analytics.exe processes; for the child process, Volatility reports the required memory as inaccessible, the same problem seen with the DLL list.
Examining Strings
Searching for analytics.exe
grep -i analytics.exe fm-tetris.strings-*.txt

Instead of manually sifting through all the data, let's search for something more specific to reduce the output. For example, the filescan output indicated that the analytics.exe process had the file analytics.exe open in \Windows\System32.
grep -i -h 'windows\\system32\\analytics' fm-tetris.strings-*.txt | sort -u

Let's break down the command:
grep -i -h 'windows\\system32\\analytics' fm-tetris.strings-*.txt performs a case-insensitive search (-i) for lines containing windows\system32\analytics in the three strings output files, without prefixing each match with its file name (-h). The backslashes are doubled (\\) because a single backslash is an escape character in the regular expression, and the pattern is enclosed in single quotes so the shell passes it through unchanged.
sort -u sorts the lines of output, returning only unique lines (-u).
Examining the output, it appears there are two more files that might be of interest:
C:\Windows\System32\analyticsbackup.bat
C:\Windows\system32\AnalyticsInstaller.exe
Searching for bJKRJiSAnPkf.e
grep -i -h bJKRJiSAnPkf fm-tetris.strings-*.txt | sort -u

It appears bJKRJiSAnPkf.exe is located in the \Users\jchadwick\appdata\local\temp directory.
Summary
Key findings about the Falsimentis incident include:
The program analytics.exe (process ID 5736) communicates with www1-google-analytics.com.
A suspicious program named bJKRJiSAnPkf.exe is located in \Users\jchadwick\appdata\local\temp .
At 17:33:03 UTC, ONENOTE.EXE spawned a copy of bJKRJiSAnPkf.exe (process ID 5568).
At 17:34:06 UTC, ONENOTE.EXE spawned a copy of cmd.exe (process ID 4452).
At 17:34:09 UTC, cmd.exe (process ID 4452) spawned analytics.exe (process ID 2532).
At 17:34:10 UTC, analytics.exe (process ID 2532) spawned analytics.exe (process ID 5736).
At 18:08:06 UTC, analytics.exe (process ID 5736) spawned cmd.exe (process ID 5804).
Bonus Lab
Investigating Other Strings
Let's search for the string "midnitemeerkats" in all text files generated by Volatility and the strings utility.
grep midnitemeerkats fm-tetris.*txt

There's a reference to the "midnitemeerkats" string in a command that opens the URL http://www.midnitemeerkats.com/note in full-screen mode using the default browser and the Windows start utility. We should investigate this website further.
Open https://midnitemeerkats.com/note/ in Firefox using a separate system with a privacy-focused VPN. Avoid connecting from your investigation host or company network to prevent the attacker from tracking your investigation through their website logs.

On this page we see the ransom note, but the attackers also included a link to a YouTube video. Let's click the YouTube video's Share link to get the short URL string.

The share link for this YouTube video is https://youtu.be/GSMCRD35ch4. Let's compare the shortened identifier GSMCRD35ch4 with the memory investigation files' output.
grep GSMCRD35ch4 fm-tetris.*txt | sort -u

The origin=http://lolcats.org parameter at the end of the YouTube embed URL indicates that the video was originally embedded on http://lolcats.org.
Identifying the lolcats.org domain in this incident is crucial as it exposes another site used by the Midnite Meerkats attacker, offering key insights into the attacks on Falsimentis.
Revisit Network Investigation Data
grep lolcats.org access.log

Searching the access.log file confirms that there is activity directed to the lolcats.org domain.
TZ=America/Los_Angeles awk '/lolcats.org/ {print strftime("%T", $1), $3, $7, $9}' access.log

The output shows that 172.16.42.103 (FM-TETRIS) and 172.16.42.105 (FM-ELECTRONICA) contacted lolcats.org.