Memory Forensics -The Road Not Taken

HackTheBox SRMIST
19 min readSep 11, 2023

What is Memory Forensics?

Memory Forensics a.k.a Memory Analysis this terms means analyzing of volatile data(temporary memory i.e. is stored on RAM) from a memory dump of an computer. This is majorly used by IT Security professional to find out the root cause or things that can be found on the memory dump of an attack.

What is the Importance of Memory Forensics?

Memory Forensics provides an new perspective to an investigate of an attack or system activity. The memory consist of majorly most of the things as to run an program, make network connection, chatting and internet history can be in the memory dump of the ram you analyzing that can make thing easier to identify. Majorly during attack people clear the track usually on the secondary memory which like HDD or SSD but not the RAM as the many people aren’t aware of the memory analysis part. This skill is in high demand for security professionals.

What is tools that is majorly used for the Memory Forensics?

Volatility — This is a famous tools among security professional for memory forensics. Volatility is free, open source and has support to many third party plugins. They organize an event where the user develops an innovative extension to the framework isn’t this a fun fact.

How to install Volatility?

  1. Clone the volatility package from GitHub
┌──(sanlivey㉿LAPTOP-DUGID9EC)-[~]
└─$ git clone <https://github.com/volatilityfoundation/volatility3.git>
Cloning into 'volatility3'...
remote: Enumerating objects: 30339, done.
remote: Counting objects: 100% (1181/1181), done.
remote: Compressing objects: 100% (620/620), done.
remote: Total 30339 (delta 756), reused 924 (delta 554), pack-reused 29158
Receiving objects: 100% (30339/30339), 6.15 MiB | 1024.00 KiB/s, done.
Resolving deltas: 100% (22944/22944), done.

2. Change The Directory to Volatility

┌──(sanlivey㉿LAPTOP-DUGID9EC)-[~]
└─$ cd volatility3/
┌──(sanlivey㉿LAPTOP-DUGID9EC)-[~/volatility3]
└─$

3. Install the dependencies for the tools.

┌──(sanlivey㉿kali)-[~/Downloads/volatility3]
└─$ sudo pip3 install -r requirements.txt
Requirement already satisfied: pefile>=2017.8.1 in /usr/lib/python3/dist-packages (from -r requirements.txt (line 2)) (2022.5.30)
Requirement already satisfied: yara-python>=3.8.0 in /usr/lib/python3/dist-packages (from -r requirements.txt (line 8)) (4.2.0)
Collecting capstone>=3.0.5
Downloading capstone-4.0.2-py2.py3-none-manylinux1_x86_64.whl (2.1 MB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 2.1/2.1 MB 616.6 kB/s eta 0:00:00
Collecting pycryptodome
Downloading pycryptodome-3.17-cp35-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (2.1 MB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 2.1/2.1 MB 645.7 kB/s eta 0:00:00
Collecting leechcorepyc>=2.4.0
Downloading leechcorepyc-2.14.1-cp36-abi3-manylinux1_x86_64.whl (126 kB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 126.8/126.8 kB 1.2 MB/s eta 0:00:00
Installing collected packages: pycryptodome, leechcorepyc, capstone
Successfully installed capstone-4.0.2 leechcorepyc-2.14.1 pycryptodome-3.17
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: <https://pip.pypa.io/warnings/venv>

4. Now run the volatility script. To Run without installation

┌──(sanlivey㉿kali)-[~/Downloads/volatility3]
└─$ python3 vol.py -h
Volatility 3 Framework 2.4.2
usage: volatility [-h] [-c CONFIG] [--parallelism [{processes,threads,off}]] [-e EXTEND]
[-p PLUGIN_DIRS] [-s SYMBOL_DIRS] [-v] [-l LOG] [-o OUTPUT_DIR] [-q]
[-r RENDERER] [-f FILE] [--write-config] [--save-config SAVE_CONFIG]
[--clear-cache] [--cache-path CACHE_PATH] [--offline]
[--single-location SINGLE_LOCATION] [--stackers [STACKERS ...]]
[--single-swap-locations [SINGLE_SWAP_LOCATIONS ...]]
plugin ...

5. Install volatility

┌──(sanlivey㉿kali)-[~/Downloads/volatility3]
└─$ sudo python3 setup.py build 130 ⨯

┌──(sanlivey㉿kali)-[~/Downloads/volatility3]
└─$ sudo python3 setup.py install

Understand The Core Windows Processes

We need to have a proper understanding of core windows processes. This will help us to identify the third party malicious process that could be running in the background.

Task Manager

Task Manager is a GUI based Windows utility tools that allow the user to see what are the things running on his system. Usually its used to kill the apps that are not responding.

To open the task manager right click on the taskbar and select Task Manager.

Empty white space is all you see

Click on the more details to see all the process.

We will by default land on Processes page.

The things are stored according the Apps, Background processes and Windows processes.

When you right on any of the column i.e. Name, Status, CPU and Memory it will open more options.

Let’s have a view what this options means:

Type — As explained previous there are three types of processes that are Apps, Background processes and Windows processes.

Publisher — Its shows by whom is the app developed by.

PID — Process Identifier is a unique that is assigned to each and every process that is running on the windows system.

Process name — This is the file name for that process like explorer.exe

Command Line — The command that is used to launch that process

CPU — The amount of CPU that process is using

Memory — The amount of memory that process is using.

In details it show some core processes too.

this is the basic you should knows rest is to explore

System

We are going to use Process Explorer — https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer

System is the first process on the list of Windows process. As we discussed processes are assigned random PID but not for System Process. Its always 4.

The details we get in Process Explorer

Image Path: N/A

Parent Process: None

Number of Instances : One

User Account: Local System

Start Time: At boot time.

System → smss.exe

The process we are gonna see now is smss.exe. The full form of smss is Session Manager System also known as Windows Session Manager. Its responsible for creation of new sessions.

Smss.exe starts an executable file names csrss.exe and wininit.exe in Session 0. There is an isolated windows session for the operating system, and crss.exe and winlogon.exe in Session 1 this session is for the user.

Session 0 (csrss.exe & wininit.exe)

Open Process Hacker you will see this process.

Let’s see the session number.

Session 1(csrss.exe & winlogon.exe)

Let’s see the session number

csrss.exe

We have seen in the previous task about csrss(Client Server Runtime Process) it is the user-mode side of the windows subsystem.

Let’s check the general properties of both csrss.exe

Session 0

Session 1 (PID 512)

Remember, these two process are spawned by smss.exe, that self-terminates itself.

wininit.exe

Wininit(Windows Initialization Process) it is responsible for launching services.exe — (Service Control Manager), lsass.exe(Local Security Authority), and lsaiso.exe within Session 0. This one of the important windows process that runes in the background with its child process.

The lsaiso.exe is a process works with Credential Guard and KeyGaurd.exe. You will only see this process if Credentials Guard is enabled.

General Details of the Process.

wininit.exe > services.exe

Service Control Manager (SCM) or services.exe. Its is responsible for managing the system services like services, interacting with services and starting or ending services.

You can work with SCM using Command Prompt

This process is parent of the process like spoolsv.exe, svchost.exe, msmpeng.exe and dllhost.exe.

Image Path: %SystemRoot%\System32\services.exe

Parent Process: wininit.exe

Number of Instance: One

User Account: Local System

Start Time: Just after the boot.

wininit.exe > services.exe > svchost.exe

Svchost (Service Host) is Host Process for Windows services or svchost.exe. It handles hosting and managing Windows services.

The services that are running in the background are implemented as DLLs.

Check the service dll section

lsass.exe

LSASS — Local Security Authority Subsystem Services is process in windows that enforces security policy. It makes security tokens for NETLOGON, Security Account Manager and Active Directory.

Image Path: %SystemRoot%\System32\lsass.exe

Parent Process: wininit.exe

Number of Instances: One

User Account: Local System

Start Time: Within seconds of boot time

winlogon.exe

winlogon — Windows Logon manages the Secure Attention Sequence. Its the ALT+CTRL+DELETE key when your system is not responding.

explorer.exe

This app is something that everyone uses to open files and folder. It is called Windows Explorer. Userinit.exe is the parent process for this process.

Basics Hands-On Experience

TryHackMe — Volatility

Memory Extraction

Memory extraction can be done in various way and this changes according to our investigation.

Tools -

  1. Redline
  2. DumpIt.exe
  3. Memoryze
  4. FTK Imager
  5. FastDump

The extracted file can be in this format.

  1. VMWare — .vmem
  2. Hyper-V — .bin
  3. Parallels — .mem
  4. VirtualBox — .sav

Plugins Overview

Before using the plugin you have to specify the operating system for example — windows.info, linux.info.

Few of the operating system plugin syntax:

.windows

.linux

.mac

There are several third party plugins with Volatility.

Identifying Image Info and Profiles

If you are using volatility 2 than you can use ‘imageinfo’ commands. We have to use plugin in the new version for details.

┌──(root💀kali)-[/home/sanlivey/Downloads/Practical Investigation Memory Files]
└─# vol -f 'Investigation-1.vmem' windows.info
Variable Value

Kernel Base 0x804d7000
DTB 0x2fe000
Symbols file:///usr/local/lib/python3.11/dist-packages/volatility3-2.4.2-py3.11.egg/volatility3/symbols/windows/ntkrnlpa.pdb/bc1qre8jdw2azrg6tf49wmp652w00xltddxmpk98xp-1.json.xz
Is64Bit False
IsPAE True
layer_name 0 WindowsIntelPAE
memory_layer 1 FileLayer
KdDebuggerDataBlock 0x80545ae0
NTBuildLab 2600.xpsp.080413-2111
CSDVersion 3
KdVersionBlock 0x80545ab8
Major/Minor 15.2600
MachineType 332
KeNumberProcessors 1
SystemTime 2012-07-22 02:45:08
NtSystemRoot C:\WINDOWS
NtProductType NtProductWinNt
NtMajorVersion 5
NtMinorVersion 1
PE MajorOperatingSystemVersion 5
PE MinorOperatingSystemVersion 1
PE Machine 332
PE TimeDateStamp Sun Apr 13 18:31:06 2008

Listing Processes and Connection

There are 5 different plugin that helps you to dump process and network connections.

pslist → This will give you list of processes from the doubly-linked list that see all the process in memory kinda Task Manager stuff.

┌──(root💀kali)-[/home/sanlivey/Downloads/Practical Investigation Memory Files]
└─# vol -f 'Investigation-1.vmem' windows.pslist 2 ⨯
Volatility 3 Framework 2.4.2
Progress: 100.00 PDB scanning finished
PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime File output

4 0 System 0x823c89c8 53 240 N/A False N/A N/A Disabled
368 4 smss.exe 0x822f1020 3 19 N/A False 2012-07-22 02:42:31.000000 N/A Disabled
584 368 csrss.exe 0x822a0598 9 326 0 False 2012-07-22 02:42:32.000000 N/A Disabled
608 368 winlogon.exe 0x82298700 23 519 0 False 2012-07-22 02:42:32.000000 N/A Disabled
652 608 services.exe 0x81e2ab28 16 243 0 False 2012-07-22 02:42:32.000000 N/A Disabled
664 608 lsass.exe 0x81e2a3b8 24 330 0 False 2012-07-22 02:42:32.000000 N/A Disabled
824 652 svchost.exe 0x82311360 20 194 0 False 2012-07-22 02:42:33.000000 N/A Disabled
908 652 svchost.exe 0x81e29ab8 9 226 0 False 2012-07-22 02:42:33.000000 N/A Disabled
1004 652 svchost.exe 0x823001d0 64 1118 0 False 2012-07-22 02:42:33.000000 N/A Disabled
1056 652 svchost.exe 0x821dfda0 5 60 0 False 2012-07-22 02:42:33.000000 N/A Disabled
1220 652 svchost.exe 0x82295650 15 197 0 False 2012-07-22 02:42:35.000000 N/A Disabled
1484 1464 explorer.exe 0x821dea70 17 415 0 False 2012-07-22 02:42:36.000000 N/A Disabled
1512 652 spoolsv.exe 0x81eb17b8 14 113 0 False 2012-07-22 02:42:36.000000 N/A Disabled
1640 1484 reader_sl.exe 0x81e7bda0 5 39 0 False 2012-07-22 02:42:36.000000 N/A Disabled
788 652 alg.exe 0x820e8da0 7 104 0 False 2012-07-22 02:43:01.000000 N/A Disabled
1136 1004 wuauclt.exe 0x821fcda0 8 173 0 False 2012-07-22 02:43:46.000000 N/A Disabled
1588 1004 wuauclt.exe 0x8205bda0 5 132 0 False 2012-07-22 02:44:01.000000 N/A Disabled

Few of the malware hide their processes and unlink itself from the list. You can’t see them in pslist. You have to use psscan for that.

┌──(root💀kali)-[/home/sanlivey/Downloads/Practical Investigation Memory Files]
└─# vol -f 'Investigation-1.vmem' windows.psscan
Volatility 3 Framework 2.4.2
Progress: 100.00 PDB scanning finished
PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime File output

908 652 svchost.exe 0x2029ab8 9 226 0 False 2012-07-22 02:42:33.000000 N/A Disabled
664 608 lsass.exe 0x202a3b8 24 330 0 False 2012-07-22 02:42:32.000000 N/A Disabled
652 608 services.exe 0x202ab28 16 243 0 False 2012-07-22 02:42:32.000000 N/A Disabled
1640 1484 reader_sl.exe 0x207bda0 5 39 0 False 2012-07-22 02:42:36.000000 N/A Disabled
1512 652 spoolsv.exe 0x20b17b8 14 113 0 False 2012-07-22 02:42:36.000000 N/A Disabled
1588 1004 wuauclt.exe 0x225bda0 5 132 0 False 2012-07-22 02:44:01.000000 N/A Disabled
788 652 alg.exe 0x22e8da0 7 104 0 False 2012-07-22 02:43:01.000000 N/A Disabled
1484 1464 explorer.exe 0x23dea70 17 415 0 False 2012-07-22 02:42:36.000000 N/A Disabled
1056 652 svchost.exe 0x23dfda0 5 60 0 False 2012-07-22 02:42:33.000000 N/A Disabled
1136 1004 wuauclt.exe 0x23fcda0 8 173 0 False 2012-07-22 02:43:46.000000 N/A Disabled
1220 652 svchost.exe 0x2495650 15 197 0 False 2012-07-22 02:42:35.000000 N/A Disabled
608 368 winlogon.exe 0x2498700 23 519 0 False 2012-07-22 02:42:32.000000 N/A Disabled
584 368 csrss.exe 0x24a0598 9 326 0 False 2012-07-22 02:42:32.000000 N/A Disabled
368 4 smss.exe 0x24f1020 3 19 N/A False 2012-07-22 02:42:31.000000 N/A Disabled
1004 652 svchost.exe 0x25001d0 64 1118 0 False 2012-07-22 02:42:33.000000 N/A Disabled
824 652 svchost.exe 0x2511360 20 194 0 False 2012-07-22 02:42:33.000000 N/A Disabled
4 0 System 0x25c89c8 53 240 N/A False N/A N/A Disabled

pstree → This plugin helps you list all the parent process ID.

┌──(root💀kali)-[/home/sanlivey/Downloads/Practical Investigation Memory Files]
└─# vol -f 'Investigation-1.vmem' windows.pstree
Volatility 3 Framework 2.4.2
Progress: 100.00 PDB scanning finished
PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime

4 0 System 0x823c89c8 53 240 N/A False N/A N/A
* 368 4 smss.exe 0x822f1020 3 19 N/A False 2012-07-22 02:42:31.000000 N/A
** 584 368 csrss.exe 0x822a0598 9 326 0 False 2012-07-22 02:42:32.000000 N/A
** 608 368 winlogon.exe 0x82298700 23 519 0 False 2012-07-22 02:42:32.000000 N/A
*** 664 608 lsass.exe 0x81e2a3b8 24 330 0 False 2012-07-22 02:42:32.000000 N/A
*** 652 608 services.exe 0x81e2ab28 16 243 0 False 2012-07-22 02:42:32.000000 N/A
**** 1056 652 svchost.exe 0x821dfda0 5 60 0 False 2012-07-22 02:42:33.000000 N/A
**** 1220 652 svchost.exe 0x82295650 15 197 0 False 2012-07-22 02:42:35.000000 N/A
**** 1512 652 spoolsv.exe 0x81eb17b8 14 113 0 False 2012-07-22 02:42:36.000000 N/A
**** 908 652 svchost.exe 0x81e29ab8 9 226 0 False 2012-07-22 02:42:33.000000 N/A
**** 1004 652 svchost.exe 0x823001d0 64 1118 0 False 2012-07-22 02:42:33.000000 N/A
***** 1136 1004 wuauclt.exe 0x821fcda0 8 173 0 False 2012-07-22 02:43:46.000000 N/A
***** 1588 1004 wuauclt.exe 0x8205bda0 5 132 0 False 2012-07-22 02:44:01.000000 N/A
**** 788 652 alg.exe 0x820e8da0 7 104 0 False 2012-07-22 02:43:01.000000 N/A
**** 824 652 svchost.exe 0x82311360 20 194 0 False 2012-07-22 02:42:33.000000 N/A
1484 1464 explorer.exe 0x821dea70 17 415 0 False 2012-07-22 02:42:36.000000 N/A
* 1640 1484 reader_sl.exe 0x81e7bda0 5 39 0 False 2012-07-22 02:42:36.000000 N/A

netstat → This will check all the memory structure with a network connection.

This plugin is unstable and doesn’t provide any output usually for windows based image.

dlllist → This will give all the DLLs that are working along with processes at the time of extraction.

┌──(root💀kali)-[/home/sanlivey/Downloads/Practical Investigation Memory Files]
└─# vol -f 'Investigation-1.vmem' windows.dlllist 1 ⨯
Volatility 3 Framework 2.4.2
Progress: 100.00 PDB scanning finished
PID Process Base Size Name Path LoadTime File output

368 smss.exe 0x48580000 0xf000 smss.exe \SystemRoot\System32\smss.exeN/A Disabled
368 smss.exe 0x7c900000 0xaf000 ntdll.dll C:\WINDOWS\system32\ntdll.dllN/A Disabled
584 csrss.exe 0x4a680000 0x5000 csrss.exe \??\C:\WINDOWS\system32\csrss.exe N/A Disabled
584 csrss.exe 0x7c900000 0xaf000 ntdll.dll C:\WINDOWS\system32\ntdll.dllN/A Disabled
584 csrss.exe 0x75b40000 0xb000 CSRSRV.dll C:\WINDOWS\system32\CSRSRV.dll N/A Disabled
584 csrss.exe 0x75b50000 0x10000 basesrv.dll C:\WINDOWS\system32\basesrv.dll N/A Disabled
584 csrss.exe 0x75b60000 0x4b000 winsrv.dll C:\WINDOWS\system32\winsrv.dll N/A Disabled
584 csrss.exe 0x77f10000 0x49000 GDI32.dll C:\WINDOWS\system32\GDI32.dllN/A Disabled

Volatility Hunting and Detection Capabilities

There are many plugins available for hunting and detection.

The first plugin that are going to use is malfind. This plugin finds injects processes and their PIDs with their Offset ,and Hex,Asciia dn Disassembly view of the infected part.

┌──(root💀kali)-[/home/sanlivey/Downloads/Practical Investigation Memory Files]
└─# vol -f 'Investigation-1.vmem' windows.malfind 130 ⨯
Volatility 3 Framework 2.4.2
Progress: 100.00 PDB scanning finished
PID Process Start VPN End VPN Tag Protection CommitCharge PrivateMemoryFile output Hexdump Disasm

584 csrss.exe 0x7f6f0000 0x7f7effff Vad PAGE_EXECUTE_READWRITE 0 0Disabled
c8 00 00 00 91 01 00 00 ........
ff ee ff ee 08 70 00 00 .....p..
08 00 00 00 00 fe 00 00 ........
00 00 10 00 00 20 00 00 ........
00 02 00 00 00 20 00 00 ........
8d 01 00 00 ff ef fd 7f ........
03 00 08 06 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
0x7f6f0000: enter 0, 0
0x7f6f0004: xchg eax, ecx
0x7f6f0005: add dword ptr [eax], eax
0x7f6f0007: add bh, bh
0x7f6f0009: out dx, al
608 winlogon.exe 0x13410000 0x13413fff VadS PAGE_EXECUTE_READWRITE 4 1Disabled

Advanced Memory Forensics

The evasion technique that will be hunted is hooking; there are five in total:

  • SSDT
  • IRP
  • IAT
  • EAT
  • Inline

SSDT → It is System Service Descriptor Table. This table help to look up system function. An adversary can hook in this table and pointer is modified to point towards a location of root kit controls

┌──(root💀kali)-[/home/sanlivey/Downloads/Practical Investigation Memory Files]
└─# vol -f 'Investigation-1.vmem' windows.ssdt 2 ⨯
Volatility 3 Framework 2.4.2
Progress: 100.00 PDB scanning finished
Index Address Module Symbol

0 0x80599948 ntoskrnl NtAcceptConnectPort
1 0x805e6db6 ntoskrnl NtAccessCheck
2 0x805ea5fc ntoskrnl NtAccessCheckAndAuditAlarm
3 0x805e6de8 ntoskrnl NtAccessCheckByType
4 0x805ea636 ntoskrnl NtAccessCheckByTypeAndAuditAlarm
5 0x805e6e1e ntoskrnl NtAccessCheckByTypeResultList
6 0x805ea67a ntoskrnl NtAccessCheckByTypeResultListAndAuditAlarm
7 0x805ea6be ntoskrnl NtAccessCheckByTDNEpUTHQoQUJMHLrErGJyHg89uy71MyuHe
8 0x8060bdfe ntoskrnl NtAddAtom
9 0x8060cb50 ntoskrnl NtAddBootEntry
9 0x8060cb50 ntoskrnl NtEnumerateBootEntries
9 0x8060cb50 ntoskrnl NtQueryBootEntryOrder
9 0x8060cb50 ntoskrnl NtQueryBootOptions
9 0x8060cb50 ntoskrnl NtSetBootEntryOrder
9 0x8060cb50 ntoskrnl NtSetBootOptions

Modules → This will list the loaded kernel modules can be helpful to identify active malware. This can’t identify idle or hidden malware.

┌──(root💀kali)-[/home/sanlivey/Downloads/Practical Investigation Memory Files]
└─# vol -f 'Investigation-1.vmem' windows.modules
Volatility 3 Framework 2.4.2
Progress: 100.00 PDB scanning finished
Offset Base Size Name Path File output

0x823fc3b0 0x804d7000 0x1f8580 ntoskrnl.exe \WINDOWS\system32\ntkrnlpa.exe Disabled
0x823fc348 0x806d0000 0x20300 hal.dll \WINDOWS\system32\hal.dll Disabled
0x823fc2e0 0xf8b9a000 0x2000 kdcom.dll \WINDOWS\system32\KDCOM.DLL Disabled
0x823fc270 0xf8aaa000 0x3000 BOOTVID.dll \WINDOWS\system32\BOOTVID.dll Disabled
0x823fc208 0xf856b000 0x2e000 ACPI.sys ACPI.sys Disabled
0x823fc198 0xf8b9c000 0x2000 WMILIB.SYS \WINDOWS\system32\DRIVERS\WMILIB.SYSDisabled
0x823fc130 0xf855a000 0x11000 pci.sys pci.sys Disabled
0x823fc0c0 0xf869a000 0xa000 isapnp.sys isapnp.sys Disabled
0x823fc050 0xf8aae000 0x3000 compbatt.sys compbatt.sys Disabled
0x823ed008 0xf8ab2000 0x4000 BATTC.SYS \WINDOWS\system32\DRIVERS\BATTC.SYS Disabled

Drivescan → This will list all the drivers there were present at the time of extraction.

┌──(root💀kali)-[/home/sanlivey/Downloads/Practical Investigation Memory Files]
└─# vol -f 'Investigation-1.vmem' windows.driverscan
Volatility 3 Framework 2.4.2
Progress: 100.00 PDB scanning finished
Offset Start Size Service Key Driver Name Name

0x201fb10 0xf7c6f000 0x3900 Ndisuio N/A \Driver\Ndisuio
0x202f268 0xf8288000 0x2fe80 rdpdr N/A \Driver\rdpdr
0x2033d28 0xf874a000 0xcd00 i8042prt N/A \Driver\i8042prt
0x206fca8 0xf804d000 0x2ae80 Rdbss N/A \FileSystem\Rdbss
0x2071978 0xf884a000 0x8780 NetBIOS N/A \FileSystem\NetBIOS
0x20736e8 0xf7fdd000 0x6f780 MRxSmb N/A \FileSystem\MRxSmb
0x207b880 0xf886a000 0xae00 Fips N/A \Driver\Fips
0x2085598 0xf878a000 0x8a00 PCnet N/A \Driver\PCnet
0x2085700 0xf8b3a000 0x3d80 serenum N/A \Driver\serenum
0x20859e0 0xf876a000 0xf600 Cdrom N/A \Driver\Cdrom
0x20a16b8 0xf87fa000 0x8900 Gpc N/A \Driver\Gpc
0x20a9bd8 0xf853b000 0x1e880 Ftdisk N/A \Driver\Ftdisk
0x20b03c0 0xf8ba2000 0x1100 swenum N/A \Driver\swenum

Practical Investigation

Description:

Case 001 — BOB! THIS ISN’T A HORSE!

Your SOC has informed you that they have gathered a memory dump from a quarantined endpoint thought to have been compromised by a banking trojan masquerading as an Adobe document. Your job is to use your knowledge of threat intelligence and reverse engineering to perform memory forensics on the infected host.

You have been informed of a suspicious IP in connection to the file that could be helpful. 41.168.5.140

The memory file is located in /Scenarios/Investigations/Investigation-1.vmem

Case 002 — That Kind of Hurt my Feelings

You have been informed that your corporation has been hit with a chain of ransomware that has been hitting corporations internationally. Your team has already retrieved the decryption key and recovered from the attack. Still, your job is to perform post-incident analysis and identify what actors were at play and what occurred on your systems. You have been provided with a raw memory dump from your team to begin your analysis.

The memory file is located in /Scenarios/Investigations/Investigation-2.raw

Case 001

Build version

┌──(root💀kali)-[/home/sanlivey/Downloads/Practical Investigation Memory Files]
└─# vol -f 'Investigation-1.vmem' windows.info
Volatility 3 Framework 2.4.2
Progress: 100.00 PDB scanning finished
Variable Value

Kernel Base 0x804d7000
DTB 0x2fe000
Symbols file:///usr/local/lib/python3.11/dist-packages/volatility3-2.4.2-py3.11.egg/volatility3/symbols/windows/ntkrnlpa.pdb/bc1qre8jdw2azrg6tf49wmp652w00xltddxmpk98xp-1.json.xz
Is64Bit False
IsPAE True
layer_name 0 WindowsIntelPAE
memory_layer 1 FileLayer
KdDebuggerDataBlock 0x80545ae0
NTBuildLab 2600.xpsp.080413-2111
CSDVersion 3
KdVersionBlock 0x80545ab8
Major/Minor 15.2600
MachineType 332
KeNumberProcessors 1
SystemTime 2012-07-22 02:45:08
NtSystemRoot C:\WINDOWS
NtProductType NtProductWinNt
NtMajorVersion 5
NtMinorVersion 1
PE MajorOperatingSystemVersion 5
PE MinorOperatingSystemVersion 1
PE Machine 332
PE TimeDateStamp Sun Apr 13 18:31:06 2008

Ans. 2600.xpsp.080413–2111

Time of the memory file acquired

Ans. 2012–07–22 02:45:08

Suspicious process

┌──(root💀kali)-[/home/sanlivey/Downloads/Practical Investigation Memory Files]
└─# vol -f 'Investigation-1.vmem' windows.psscan
Volatility 3 Framework 2.4.2
Progress: 100.00 PDB scanning finished
PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime File output

908 652 svchost.exe 0x2029ab8 9 226 0 False 2012-07-22 02:42:33.000000 N/A Disabled
664 608 lsass.exe 0x202a3b8 24 330 0 False 2012-07-22 02:42:32.000000 N/A Disabled
652 608 services.exe 0x202ab28 16 243 0 False 2012-07-22 02:42:32.000000 N/A Disabled
1640 1484 reader_sl.exe 0x207bda0 5 39 0 False 2012-07-22 02:42:36.000000 N/A Disabled
1512 652 spoolsv.exe 0x20b17b8 14 113 0 False 2012-07-22 02:42:36.000000 N/A Disabled
1588 1004 wuauclt.exe 0x225bda0 5 132 0 False 2012-07-22 02:44:01.000000 N/A Disabled
788 652 alg.exe 0x22e8da0 7 104 0 False 2012-07-22 02:43:01.000000 N/A Disabled
1484 1464 explorer.exe 0x23dea70 17 415 0 False 2012-07-22 02:42:36.000000 N/A Disabled
1056 652 svchost.exe 0x23dfda0 5 60 0 False 2012-07-22 02:42:33.000000 N/A Disabled
1136 1004 wuauclt.exe 0x23fcda0 8 173 0 False 2012-07-22 02:43:46.000000 N/A Disabled
1220 652 svchost.exe 0x2495650 15 197 0 False 2012-07-22 02:42:35.000000 N/A Disabled
608 368 winlogon.exe 0x2498700 23 519 0 False 2012-07-22 02:42:32.000000 N/A Disabled
584 368 csrss.exe 0x24a0598 9 326 0 False 2012-07-22 02:42:32.000000 N/A Disabled
368 4 smss.exe 0x24f1020 3 19 N/A False 2012-07-22 02:42:31.000000 N/A Disabled
1004 652 svchost.exe 0x25001d0 64 1118 0 False 2012-07-22 02:42:33.000000 N/A Disabled
824 652 svchost.exe 0x2511360 20 194 0 False 2012-07-22 02:42:33.000000 N/A Disabled
4 0 System 0x25c89c8 53 240 N/A False N/A N/A Disabled

as the situation lets about adobe documents it will be reader_sl.exe

Ans. reader_sel.exe

Parent Process of the suspicious process

PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime

4 0 System 0x823c89c8 53 240 N/A False N/A N/A
* 368 4 smss.exe 0x822f1020 3 19 N/A False 2012-07-22 02:42:31.000000 N/A
** 584 368 csrss.exe 0x822a0598 9 326 0 False 2012-07-22 02:42:32.000000 N/A
** 608 368 winlogon.exe 0x82298700 23 519 0 False 2012-07-22 02:42:32.000000 N/A
*** 664 608 lsass.exe 0x81e2a3b8 24 330 0 False 2012-07-22 02:42:32.000000 N/A
*** 652 608 services.exe 0x81e2ab28 16 243 0 False 2012-07-22 02:42:32.000000 N/A
**** 1056 652 svchost.exe 0x821dfda0 5 60 0 False 2012-07-22 02:42:33.000000 N/A
**** 1220 652 svchost.exe 0x82295650 15 197 0 False 2012-07-22 02:42:35.000000 N/A
**** 1512 652 spoolsv.exe 0x81eb17b8 14 113 0 False 2012-07-22 02:42:36.000000 N/A
**** 908 652 svchost.exe 0x81e29ab8 9 226 0 False 2012-07-22 02:42:33.000000 N/A
**** 1004 652 svchost.exe 0x823001d0 64 1118 0 False 2012-07-22 02:42:33.000000 N/A
***** 1136 1004 wuauclt.exe 0x821fcda0 8 173 0 False 2012-07-22 02:43:46.000000 N/A
***** 1588 1004 wuauclt.exe 0x8205bda0 5 132 0 False 2012-07-22 02:44:01.000000 N/A
**** 788 652 alg.exe 0x820e8da0 7 104 0 False 2012-07-22 02:43:01.000000 N/A
**** 824 652 svchost.exe 0x82311360 20 194 0 False 2012-07-22 02:42:33.000000 N/A
1484 1464 explorer.exe 0x821dea70 17 415 0 False 2012-07-22 02:42:36.000000 N/A
* 1640 1484 reader_sl.exe 0x81e7bda0 5 39 0 False 2012-07-22 02:42:36.000000 N/A

The PPID for reader_sl.exe is 1484 and the PID for explorer.exe is 1484

Ans. explorer.exe

The PID of suspicious process

Ans. 1640

Parent Process PID

Ans. 1484

What user-agent was employed by the adversary

To find this we have to use memory map.

The command we have to use is

┌──(root💀kali)-[/home/sanlivey/Downloads/Practical Investigation Memory Files]
└─# vol -f 'Investigation-1.vmem' -o /tmp/ windows.memmap.Memmap --pid 1640 --dump

-o is for the output

pid for the suspicious process

—dump to dump the data.

Now lets grep the “user-agen” form the file

┌──(root💀kali)-[/home/sanlivey/Downloads/Practical Investigation Memory Files]
└─# strings /tmp/*.dmp | grep -i "user-agent"
User-Agent
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
cs(User-Agent)
USER-AGENT:
User-Agent:

Ans. Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US) cs(User-Agent)

CASE 002

suspicious process is running at PID 740

┌──(root💀kali)-[/home/sanlivey/Downloads/Practical Investigation Memory Files]
└─# vol -f 'Investigation-2.raw' windows.psscan | grep "740"
740 1940 @WanaDecryptor@ 0x1fde308 2 70 0 False 2017-05-12 21:22:22.000000 N/A Disabled

Ans. @WanaDecryptor@

the full path of the suspicious binary in PID 740

┌──(root💀kali)-[/home/sanlivey/Downloads/Practical Investigation Memory Files]
└─# vol -f 'Investigation-2.raw' windows.dlllist | grep "740"
1024resssvchost.exe 0x5f740000 0xe000 ncprov.dll C:\\WINDOWS\\system32\\wbem\\ncprov.dll N/A Disabled
740 @WanaDecryptor@ 0x400000 0x3d000 @WanaDecryptor@.exe C:\\Intel\\ivecuqmanpnirkt615\\@WanaDecryptor@.exe N/A Disabled

Ans. C:\Intel\ivecuqmanpnirkt615\@WanaDecryptor@.exe

the parent process of PID 740

┌──(root💀kali)-[/home/sanlivey/Downloads/Practical Investigation Memory Files]
└─# vol -f 'Investigation-2.raw' windows.pstree | grep "740"
** 740 1940 @WanaDecryptor@ 0x81fde308 2 70 0 False 2017-05-12 21:22:22.000000 N/A

┌──(root💀kali)-[/home/sanlivey/Downloads/Practical Investigation Memory Files]
└─# vol -f 'Investigation-2.raw' windows.pstree | grep "1940"
* 1940 1636 tasksche.exe 0x82218da0 7 51 0 False 2017-05-12 21:22:14.000000 N/A
** 740 1940 @WanaDecryptor@ 0x81fde308 2 70 0 False 2017-05-12 21:22:22.000000 N/A

Ans. tasksche.exe

the suspicious parent process PID connected to the decryptor

Ans. 1940

what malware is present on the system

Ans. WannaCry

This is an old ransomeware.

DLL is loaded by the decryptor used for socket creation

  1. Socket creation using the dll file Ws2_32.dll.
  2. Network communication using the dll file WININET.DLL.
  3. Registry queries using the dll file ADVAPI32.DLL.
  4. Encryption using the dll file SECURE32.DLL.
  5. Browser interaction using the dll file URLMON.DLL.

Ans. Ws2_32.dll

mutex can be found that is a known indicator of the malware

We learned about moudles we will use that here

┌──(root💀kali)-[/home/sanlivey/Downloads/Practical Investigation Memory Files]
└─# vol -f 'Investigation-2.raw' windows.handles | grep 1940 | grep -i "Mutex"
1940resstasksche.exe 0x821883e8B scan0x40 finMutant 0x120001 ShimCacheMutex
1940 tasksche.exe 0x8224f180 0x54 Mutant 0x1f0001 MsWinZonesCacheCounterMutexA
1940 tasksche.exe 0x822e3b08 0x58 Mutant 0x1f0001 MsWinZonesCacheCounterMutexA0

Writers:-

Akshay Raj | Sudoer

Designers:-
Abhinav Shandilya | Sudoer
Omar Ansari | Sticky Bits

--

--

HackTheBox SRMIST

HackTheBox SRMIST focuses on training the next-gen of cyber-warriors transforming the cyber space in SRMIST and beyond. https://www.htbsrmist.tech