Memory Investigations

  • Analyzing an image of RAM has become a staple of investigations

  • First, we need to collect memory (WinPmem)

  • Then we use the same strategies for examining memory images as on live systems

E:\> .\winpmem_mini.exe .\win10.0.22000.556.raw

Memory forensics, which involves analyzing RAM images, is essential in digital investigations due to the valuable data stored in memory but not on disk. Additionally, analyzing memory snapshots ensures the evidence remains unchanged during the investigation.

Volatility Overview

  • Volatility is a Python framework for analyzing memory

  • Runs on Windows, macOS, Linux

  • Analyzes Windows, macOS, and Linux memory captures

  • Specify a memory capture and a desired plugin for analysis

Listing Processes

sec504@slingshot:~$ vol -q -f win10.0.22000.556.raw windows.pslist.PsList
Volatility 3 Framework 2.0.2
PID     PPID     ImageFileName     CreateTime
4       0        System            2022-03-28 11:10:44.000000
344     4        smss.exe          2022-03-28 11:10:44.000000
640     564      lsass.exe         2022-03-28 11:10:52.000000
5248    640      nc.exe            2022-03-28 11:31:56.000000
2612    5248     conhost.exe       2022-03-28 11:31:56.000000
...

The windows.pslist.PsList plugin lists processes, similar to live analysis tools like Get-Process. The output shows details such as the process name, PID, PPID, start time, and occasionally the termination time. Process names are often truncated to 14 characters due to the structure of the Windows EPROCESS block.

Parent and Child Processes

sec504@slingshot:~$ vol -q -f win10.0.22000.556.raw windows.pstree.PsTree
Volatility 3 Framework 2.0.2
PID         PPID     ImageFileName     CreateTime
4           0        System            2022-03-28 11:10:44
* 344       4        smss.exe          2022-03-28 11:10:44
564         448      wininit.exe       2022-03-28 11:10:52
* 640       564      lsass.exe         2022-03-28 11:10:52
** 5248     640      nc.exe            2022-03-28 11:31:56
*** 2612    5248     conhost.exe       2022-03-28 11:31:56

The windows.pstree.PsTree plugin creates a visual representation (in text) of the parent-child relationships for running processes.

Scanning for Network Connections

sec504@slingshot:~$ vol -q -f win10.0.22000.556.raw windows.netscan.NetScan
Volatility 3 Framework 2.0.2

Proto     LocalAddr     Port     State         PID        Owner
TCPv4     0.0.0.0       49667    LISTENING     1844       svchost.exe
TCPv4     0.0.0.0       49667    LISTENING     1844       svchost.exe
TCPv4     10.10.0.4     139      LISTENING     4          System
TCPv4     0.0.0.0       135      LISTENING     948        svchost.exe
TCPv4     0.0.0.0       49665    LISTENING     564        wininit.exe
TCPv4     0.0.0.0       49664    LISTENING     640        lsass.exe
UDPv4     10.10.0.4     137      0             4          System
UDPv4     10.10.0.4     138      0             4          System
TCPv4     0.0.0.0       1508     LISTENING     5248       nc.exe
TCPv4     0.0.0.0       49670    LISTENING     3220       svchost.exe

The windows.netscan.NetScan plugin scans memory for network-related data, including active connections and listening sockets, similar to the netstat command or PowerShell's Get-NetTCPConnection and Get-NetUDPEndpoint cmdlets. The example shows its output.

Process Command Line

sec504@slingshot:~$ vol -q -f win10.0.22000.556.raw windows.cmdline.CmdLine
Volatility 3 Framework 2.0.2

PID     Process         Args
4       System          Required memory at 0x20 is not valid (process exited?)
948     svchost.exe     C:\Windows\system32\svchost.exe -k RPCSS -p
1012    svchost.exe     C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1040    svchost.exe     C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s HvHost
3532    MsMpEng.exe     "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2202.4-0\MsMpEng.exe"
5248    nc.exe          C:\Windows\System32\nc.exe -Ldp 1508 -e cmd.exe
3264    cmd.exe         Required memory at 0xc88aa08020 is not valid ...

The windows.cmdline.CmdLine plugin shows the process ID, process name, and command line for processes that were running when the image was collected.

Volatility 3 Module                          Capability
windows.dlllist.DllList                      List DLLs for processes
windows.driverscan.DriverScan                List kernel modules
windows.envars.Envars                        List environment variables
windows.filescan.FileScan                    Scan for files
windows.dumpfiles.DumpFiles                  Carve out files
windows.info.Info                            Examine Windows version information
windows.hashdump.Hashdump                    Retrieve password hashes
windows.privileges.Privs                     List privileges by process
windows.registry.hivelist.HiveList           List registry hive offsets
windows.registry.printkey.PrintKey           Access keys with --offset
windows.registry.userassist.UserAssist       Enumerate programs run from the Start menu
windows.registry.certificates.Certificates   List trusted certificates in the Windows cert. store
windows.svcscan.SvcScan                      List service name, display name, and PID

Applying Memory Investigation

Memory investigation steps are similar to live investigation steps:

  • We use Volatility to analyze memory instead of PowerShell cmdlets

The analysis process starts with the EOI:

  • Suspicious process? Start with PsList and PsTree

  • Suspicious network listener? Start with NetScan, then move to processes

  • Suspicious program? Start with CmdLine, then processes

Memory analysis, like live investigations, starts with an event of interest (EOI). For suspicious processes, use Volatility's PsList and PsTree plugins to examine process details (name, ID, parent ID, start time). For suspicious network listeners, the NetScan plugin identifies IPs, ports, process names, connection status, and process IDs, which can then be further analyzed using PsList and PsTree. For suspicious programs, start with the CmdLine plugin and proceed with detailed process analysis using PsList and PsTree.
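The pivot described above (listener to owning process to parent chain) can be automated against the saved plugin output instead of repeated grep calls. The following is an added example, not code from the course or the Volatility project: it parses the text that windows.netscan.NetScan and windows.pslist.PsList print, then follows PPID links. The two samples inside it are constructed from the slide output shown earlier (the nc.exe listener on port 1508, PID 5248); the lab below performs the same pivot by hand with grep.

```python
"""Pivot from a suspicious network artefact to the owning process and its ancestry.

Added example, not course or Volatility project code. It reads the text that
windows.netscan.NetScan and windows.pslist.PsList print (as saved to files in
the lab) and follows PPID links, automating the PsList/PsTree lookups that the
slides describe. Both samples below are constructed from the slide output
(the nc.exe listener, PID 5248)."""

from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid name created")

NETSCAN_SAMPLE = """\
Volatility 3 Framework 2.0.2

Proto     LocalAddr     Port     State         PID        Owner
TCPv4     0.0.0.0       49667    LISTENING     1844       svchost.exe
TCPv4     10.10.0.4     139      LISTENING     4          System
TCPv4     0.0.0.0       49665    LISTENING     564        wininit.exe
TCPv4     0.0.0.0       49664    LISTENING     640        lsass.exe
UDPv4     10.10.0.4     137      0             4          System
TCPv4     0.0.0.0       1508     LISTENING     5248       nc.exe
"""

PSLIST_SAMPLE = """\
Volatility 3 Framework 2.0.2
PID     PPID     ImageFileName     CreateTime
4       0        System            2022-03-28 11:10:44.000000
344     4        smss.exe          2022-03-28 11:10:44.000000
564     448      wininit.exe       2022-03-28 11:10:52.000000
640     564      lsass.exe         2022-03-28 11:10:52.000000
5248    640      nc.exe            2022-03-28 11:31:56.000000
2612    5248     conhost.exe       2022-03-28 11:31:56.000000
"""


def parse_pslist(text):
    """Map PID -> Proc from PsList output; banner and header lines are skipped."""
    procs = {}
    for line in text.splitlines():
        parts = line.split(None, 3)  # CreateTime contains a space, so split only 3 times
        if len(parts) < 3 or not parts[0].isdigit():
            continue
        created = parts[3].strip() if len(parts) == 4 else ""
        procs[int(parts[0])] = Proc(int(parts[0]), int(parts[1]), parts[2], created)
    return procs


def parse_netscan(text):
    """Return NetScan rows as dicts keyed by the column names in the header line."""
    header, rows = None, []
    for line in text.splitlines():
        tok = line.split()
        if header is None:
            if "PID" in tok and "Proto" in tok:
                header = tok
            continue
        if len(tok) >= len(header):
            rows.append(dict(zip(header, tok)))
    return rows


def pids_matching(rows, needle):
    """PIDs of NetScan rows with a field equal to needle (an IP, a port or a name):
    the programmatic equivalent of 'grep <needle> fm-tetris.netscan.txt'."""
    return {int(r["PID"]) for r in rows if needle in r.values()}


def ancestry(procs, pid):
    """Walk PPID links from pid upward, stopping at a parent missing from the list."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid])
        pid = procs[pid].ppid
    return chain


def children(procs, pid):
    """Direct children of pid, in creation order (the PsTree view one level down)."""
    return sorted((p for p in procs.values() if p.ppid == pid), key=lambda p: p.created)


def pivot(netscan_text, pslist_text, needle):
    """For every process owning a matching socket, return its name chain root-ward
    and the names of the processes it spawned."""
    procs = parse_pslist(pslist_text)
    result = {}
    for pid in sorted(pids_matching(parse_netscan(netscan_text), needle)):
        result[pid] = {
            "ancestry": [p.name for p in ancestry(procs, pid)],
            "children": [p.name for p in children(procs, pid)],
        }
    return result


if __name__ == "__main__":
    # Start from the odd listener on port 1508; lsass.exe spawning a netcat
    # listener is the anomaly an analyst would flag from this chain.
    for pid, info in pivot(NETSCAN_SAMPLE, PSLIST_SAMPLE, "1508").items():
        print(pid, " <- ".join(info["ancestry"]), "| children:", info["children"])
```

Run it against real files with `pivot(open("fm-tetris.netscan.txt").read(), open("fm-tetris.pslist.txt").read(), "167.172.201.123")`; matching is on whole fields, so a port such as 1508 does not match inside 49665 the way a bare grep would.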

Lab 1.3: Memory Investigation

In this lab we will analyze memory evidence from the Falsimentis compromise.

Preprocessing with Volatility

Let's run Volatility's vol command once for each of the following plugins, saving each plugin's output to a file.

  • windows.netscan.NetScan

  • windows.pstree.PsTree

  • windows.pslist.PsList

  • windows.cmdline.CmdLine

  • windows.filescan.FileScan

  • windows.dlllist.DllList

vol -q -f FM-TETRIS.mem windows.netscan.NetScan > fm-tetris.netscan.txt
vol -q -f FM-TETRIS.mem windows.pstree.PsTree > fm-tetris.pstree.txt
vol -q -f FM-TETRIS.mem windows.pslist.PsList > fm-tetris.pslist.txt
vol -q -f FM-TETRIS.mem windows.cmdline.CmdLine > fm-tetris.cmdline.txt
vol -q -f FM-TETRIS.mem windows.filescan.FileScan > fm-tetris.filescan.txt
vol -q -f FM-TETRIS.mem windows.dlllist.DllList > fm-tetris.dlllist.txt

Instead of running all of these commands individually, we could opt to run them all at once using a shell loop with the following command:

for plugin in windows.netscan.NetScan windows.pstree.PsTree windows.pslist.PsList \
    windows.cmdline.CmdLine windows.filescan.FileScan windows.dlllist.DllList; do
    vol -q -f FM-TETRIS.mem "$plugin" > "fm-tetris.$plugin.txt"
done

Preprocessing with Strings

Let's use the Linux strings utility to extract ASCII, 16-bit little endian, and 16-bit big endian strings from the memory image for preprocessing analysis.

strings FM-TETRIS.mem > fm-tetris.strings-asc.txt           # ASCII
strings -e l FM-TETRIS.mem > fm-tetris.strings-unile.txt    # 16-bit little endian
strings -e b FM-TETRIS.mem > fm-tetris.strings-unibe.txt    # 16-bit big endian

By default, the strings command extracts ASCII text. The -e l option extracts 16-bit little-endian, while -e b extracts 16-bit big-endian strings. All three formats (ASCII, little-endian, big-endian) can reveal valuable system information.
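To see why the three passes matter, here is an added example (not course code and not the binutils strings implementation) that re-creates what strings, strings -e l, and strings -e b each do on a byte buffer. Windows keeps paths and command lines in memory as UTF-16LE, so the plain ASCII pass never sees them. The buffer is constructed for the example and is not taken from the FM-TETRIS image.

```python
"""Extract ASCII, UTF-16LE and UTF-16BE strings from a memory image buffer.

Added example, not course or binutils code: a small re-implementation of the
default 'strings' pass and of 'strings -e l' / 'strings -e b', to show why all
three are run. The buffer below is constructed for the example."""

PRINTABLE = range(0x20, 0x7F)  # printable ASCII, the set strings looks for by default

# Constructed sample: 8 bytes of header-like junk, an ASCII command line, three
# NUL bytes of padding, a UTF-16LE path as Windows would store it, a separator,
# a UTF-16BE hostname and some trailing bytes. The padding keeps the 16-bit
# strings on even offsets, as they would be inside real Windows structures.
SAMPLE_IMAGE = (
    b"\x00\x00\x00\x00MZ\x90\x00"
    + b"svchost.exe -k RPCSS -p"
    + b"\x00\x00\x00"
    + "C:\\Windows\\System32\\nc.exe -Ldp 1508 -e cmd.exe".encode("utf-16-le")
    + b"\x00\x00\xff\xfe"
    + "FM-TETRIS".encode("utf-16-be")
    + b"\x01\x02\x03"
)


def ascii_strings(buf, min_len=4):
    """Runs of at least min_len printable bytes, like the default 'strings' pass."""
    out, cur = [], bytearray()
    for b in buf:
        if b in PRINTABLE:
            cur.append(b)
            continue
        if len(cur) >= min_len:
            out.append(cur.decode("ascii"))
        cur = bytearray()
    if len(cur) >= min_len:
        out.append(cur.decode("ascii"))
    return out


def wide_strings(buf, min_len=4, big_endian=False):
    """Runs of at least min_len 16-bit units that encode printable ASCII, scanned in
    aligned two-byte steps like 'strings -e l' / 'strings -e b'. Alignment matters:
    reading UTF-16LE data one byte off would otherwise look like UTF-16BE."""
    nul, ch = (0, 1) if big_endian else (1, 0)  # position of NUL and char byte per unit
    out, cur = [], []
    for i in range(0, len(buf) - 1, 2):
        unit = buf[i:i + 2]
        if unit[nul] == 0 and unit[ch] in PRINTABLE:
            cur.append(chr(unit[ch]))
            continue
        if len(cur) >= min_len:
            out.append("".join(cur))
        cur = []
    if len(cur) >= min_len:
        out.append("".join(cur))
    return out


def extract_all(buf, min_len=4):
    """The three passes the lab saves as fm-tetris.strings-{asc,unile,unibe}.txt."""
    return {
        "ascii": ascii_strings(buf, min_len),
        "utf16le": wide_strings(buf, min_len, big_endian=False),
        "utf16be": wide_strings(buf, min_len, big_endian=True),
    }


def encodings_containing(found, needle):
    """Which passes saw needle (case-insensitive), like grep -i over the three
    strings files and noting which file produced the hit."""
    n = needle.lower()
    return sorted(enc for enc, strs in found.items() if any(n in s.lower() for s in strs))


if __name__ == "__main__":
    found = extract_all(SAMPLE_IMAGE)
    for enc, strs in found.items():
        print(enc, strs)
    # The netcat command line is only visible in the UTF-16LE pass.
    print(encodings_containing(found, "system32\\nc.exe"))
```

On a real image, read the file in chunks rather than loading it whole; the scanning logic is unchanged, but a run that straddles a chunk boundary must be carried over to the next chunk.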

Examining Network Connections

From Lab 1.2, we identified beacon traffic from Falsimentis systems to the site www1-google-analytics.com (IP: 167.172.201.123). Now, let's search for processes communicating with this IP.

grep 167.172.201.123 fm-tetris.netscan.txt

Notice the name of the process that connected to the suspicious IP address: analytics.exe, with process ID 5736.

Next, let's see if analytics.exe is communicating with any other sites using grep again.

grep analytics.exe fm-tetris.netscan.txt

From the output, it appears the only remote system analytics.exe connected to was 167.172.201.123, at least at the time of capture.

Examining Processes

Let's examine the running processes using the windows.pslist.PsList and windows.pstree.PsTree plugins. These show details like process name, ID, and parent-child relationships, with PsTree providing a visual representation for easier analysis.

grep -C 3 analytics.exe fm-tetris.pstree.txt

In this grep command, the -C 3 argument displays three lines of context before and after each string match.

This is an odd-looking process tree. ONENOTE.EXE (process ID 8016) spawned cmd.exe (process ID 4452). This cmd.exe spawned analytics.exe (process ID 2532). This copy of analytics spawned another copy of analytics.exe (process ID 5736). The second analytics.exe spawned another cmd.exe (process ID 5804). ONENOTE.EXE also spawned a random-looking process named bJKRJiSAnPkf.e (process ID 5568).

Examining File Objects

Next let's examine file objects to see if there is anything else useful for our analysis.

grep analytics.exe fm-tetris.filescan.txt
grep bJKRJiSAnPkf.e fm-tetris.filescan.txt

The output shows analytics.exe is in the \Windows\System32 directory, which helps in creating indicators for detecting the malware on a system.

Examining Loaded DLLs

Next, let's take a look at loaded DLLs and command lines for the processes of interest (analytics.exe and bJKRJiSAnPkf.e).

grep -C 5 analytics.exe fm-tetris.dlllist.txt

Volatility can't list DLLs for the analytics.exe process, most likely because the relevant memory pages were swapped out or changed while the capture was in progress.

Examining Command Lines

Next, let's check for any command line details associated with the analytics.exe process.

grep analytics.exe fm-tetris.cmdline.txt

The memory capture does not contain any command line information for either process, though the child process reports inaccessible memory.

Examining Strings

Searching for analytics.exe

grep -i analytics.exe fm-tetris.strings-*.txt

Instead of manually sifting through all the data, let's search for something more specific to reduce the output. For example, the filescan output indicated that the analytics.exe process had the file analytics.exe open in \Windows\System32.

grep -i -h 'windows\\system32\\analytics' fm-tetris.strings-*.txt | sort -u

Let's break down the command:

  • The command grep -i -h 'windows\\system32\\analytics' fm-tetris.strings-*.txt performs a case-insensitive search (-i) for lines containing windows\system32\analytics in the three strings output files, without printing the filename of each match (-h). The double backslashes (\\) escape the backslash character in the search string, which is enclosed in single quotes so the shell passes it through unchanged.

  • sort -u sorts the lines of output and returns only the unique lines (-u).

Examining the output, it appears there are two more files that might be of interest:

  • C:\Windows\System32\analyticsbackup.bat

  • C:\Windows\system32\AnalyticsInstaller.exe

Searching for bJKRJiSAnPkf.e

grep -i -h bJKRJiSAnPkf fm-tetris.strings-*.txt | sort -u

It appears bJKRJiSAnPkf.exe is located in the \Users\jchadwick\appdata\local\temp directory.

Summary

Key findings about the Falsimentis incident include:

  • The program analytics.exe (process ID 5736) communicates with www1-google-analytics.com.

  • A suspicious program named bJKRJiSAnPkf.exe is located in \Users\jchadwick\appdata\local\temp.

  • At 17:33:03 AM UTC, ONENOTE.EXE spawned a copy of bJKRJiSAnPkf.exe (process ID 5568).

  • At 17:34:06 AM UTC, ONENOTE.EXE spawned a copy of cmd.exe (process ID 4452).

  • At 17:34:09 AM UTC, cmd.exe (process ID 4452) spawned analytics.exe (process ID 2532).

  • At 17:34:10 AM UTC, analytics.exe (process ID 2532) spawned analytics.exe (process ID 5736).

  • At 18:08:06 AM UTC, analytics.exe (process ID 5736) spawned cmd.exe (process ID 5804).

Bonus Lab

Investigating Other Strings

Let's search for the string "midnitemeerkats" in all text files generated by Volatility and the strings utility.

grep midnitemeerkats fm-tetris.*txt

There's a reference to the "midnitemeerkats" string, which suggests a command to open the URL http://www.midnitemeerkats.com/note in full-screen mode using the default browser and the Windows start command. We should investigate this website for further analysis.

Open https://midnitemeerkats.com/note/ in Firefox using a separate system with a privacy-focused VPN. Avoid connecting from your investigation host or company network to prevent the attacker from tracking your investigation through their website logs.

In this page we see the ransom note, but the attackers also included a link to a YouTube video. Let's click on the YouTube video Share link to get the short URL string, as shown here.

The share link for this YouTube video is https://youtu.be/GSMCRD35ch4. Let's compare the shortened identifier GSMCRD35ch4 with the memory investigation files' output.

grep GSMCRD35ch4 fm-tetris.*txt | sort -u

The origin=http://lolcats.org parameter at the end of the YouTube embed URL indicates that the video was originally embedded on http://lolcats.org.

Identifying the lolcats.org domain in this incident is crucial as it exposes another site used by the Midnite Meerkats attacker, offering key insights into the attacks on Falsimentis.

Revisit Network Investigation Data

grep lolcats.org access.log

Searching the access.log file confirms that there is activity directed to the lolcats.org domain.

TZ=America/Los_Angeles awk '/lolcats.org/ {print strftime("%T", $1), $3, $7, $9}' access.log

The output shows that 172.16.42.103 (FM-TETRIS) and 172.16.42.105 (FM-ELECTRONICA) contacted lolcats.org.
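The same correlation in Python, as an added example (not course code), for analysts who would rather keep the memory-derived indicator list and the proxy log query in one script. It does what the awk one-liner does (filter access.log for lolcats.org and print local time, client, URL and peer) but matches on the URL's host rather than anywhere in the line, so a domain such as notlolcats.org would not be swept in. The log lines are constructed for the example and assume a Squid-style native access.log: field 1 is the epoch timestamp, field 3 the client IP, field 7 the URL and field 9 the upstream peer, the same fields the awk command prints as $1, $3, $7 and $9.

```python
"""Correlate proxy log entries with a domain learned from memory analysis.

Added example, not course code. Assumes a Squid-style native access.log
(epoch timestamp, elapsed, client IP, status, bytes, method, URL, user, peer,
type). The lines below are constructed for the example; 203.0.113.x is a
documentation address standing in for the real upstream peer."""

from datetime import datetime, timezone
from urllib.parse import urlsplit

try:
    from zoneinfo import ZoneInfo  # Python 3.9+
except ImportError:  # assumption: older interpreter, fall back to UTC below
    ZoneInfo = None

ACCESS_LOG = """\
1650000000.123    412 172.16.42.103 TCP_MISS/200 5321 GET http://lolcats.org/note/ - HIER_DIRECT/203.0.113.10 text/html
1650000015.456     88 172.16.42.104 TCP_MISS/200 1204 GET http://www.example.com/ - HIER_DIRECT/203.0.113.20 text/html
1650000042.789    301 172.16.42.105 TCP_TUNNEL/200 8810 CONNECT lolcats.org:443 - HIER_DIRECT/203.0.113.10 -
""".splitlines()


def local_time(epoch, tz_name="America/Los_Angeles"):
    """Render an epoch field as HH:MM:SS in tz_name, like strftime("%T") under TZ=...;
    falls back to UTC when the zone database is not available on this host."""
    dt = datetime.fromtimestamp(float(epoch), tz=timezone.utc)
    if ZoneInfo is not None:
        try:
            dt = dt.astimezone(ZoneInfo(tz_name))
        except Exception:  # ZoneInfoNotFoundError or no tzdata installed
            pass
    return dt.strftime("%H:%M:%S")


def host_of(url_field):
    """Host part of the logged URL; CONNECT requests are logged as host:port."""
    if "://" in url_field:
        return (urlsplit(url_field).hostname or "").lower()
    return url_field.split(":", 1)[0].lower()


def contacts_to(lines, domain, tz_name="America/Los_Angeles"):
    """(local time, client IP, URL, peer) for every request whose host is domain
    or a subdomain of it: the awk filter, restricted to the URL field."""
    domain = domain.lower()
    hits = []
    for line in lines:
        f = line.split()
        if len(f) < 9:
            continue  # malformed or truncated line
        host = host_of(f[6])
        if host == domain or host.endswith("." + domain):
            hits.append((local_time(f[0], tz_name), f[2], f[6], f[8]))
    return hits


def client_hosts(hits):
    """Distinct internal clients that reached the domain, for the incident timeline."""
    return sorted({h[1] for h in hits})


if __name__ == "__main__":
    hits = contacts_to(ACCESS_LOG, "lolcats.org")
    for h in hits:
        print(*h)
    print("clients:", client_hosts(hits))
```

Replace ACCESS_LOG with `open("access.log").read().splitlines()` to run it against the Lab 1.2 data; the host comparison is case-insensitive and also catches subdomains such as www.lolcats.org.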
