Memory CTF with Volatility Part 3

By Guy Nguyen-Phuoc on December 2, 2021

Introduction

Memory analysis, or memory forensics, is the process of analyzing volatile data from computer memory dumps. With the advent of “fileless” malware, it is becoming increasingly difficult to conduct digital forensics analysis from disk alone. Memory analysis not only helps solve this problem but also provides unique insights into the runtime activity of the system: open network connections, recently executed commands, and the ability to see any malicious file after it has been decrypted in memory. In this article we will go over a memory analysis tool called Volatility and continue our analysis of the Cridex malware sample provided by the Volatility Foundation. This is part 3 of the CTF memory series.

Part one & part two

Prevention

After our analysis of the trojan, we want to develop a way to prevent this from happening again, and to do that we want to find Indicators of Compromise (IOCs). IOCs help describe the Cridex trojan: the more IOCs we have, the easier it is to identify the trojan on other systems.

First we will look into the path queried by the malware from part 2’s string dump, “POST /zb/v_01_a/in”, with the command “strings 1640.dmp | grep -Fi "/zb/v_01_a/in"”. Shown in the image below.

strings output on memory dump
We then limit the search to “/zb/v_01_a/in” with the grep command: the -F flag treats the pattern as a fixed string (not a regular expression), with patterns separated by newlines, and the -i flag ignores case.

And with that we found another suspicious IP address, “188.40.0.138”, that the malware communicates with over port 8080. We can now use a passive DNS service, Mnemonic PassiveDNS, to check which domain names have resolved to this IP address.

list of domain names
From here we would cross-reference all the results to see whether they are linked to our trojan; passive DNS returns historical resolutions, so domains that merely shared the host are not automatically IOCs. Each confirmed link would then be added to our list of IOCs, which we would hand to the Security Operations Center (SOC) team to handle.

Deletion

If possible, you would run an antimalware scan of your choice to detect whether the trojan is present on other machines.

We can check the registry keys to see if the malware/trojan has an Autorun key. These keys are stored in the following path (and likewise under RunOnce and RunOnceEx):

“HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run”

We can do this with the hivelist plugin of the Volatility framework. Run the command “volatility -f cridex.vmem --profile=WinXPSP2x86 hivelist”. Shown below.

volatility output on hivelist
The hivelist plugin prints the list of registry hives found in memory, with their virtual and physical offsets. We can then use the printkey plugin to see the content of a registry key, its subkeys and its values. The flag -K lets us specify the path of the registry key, which printkey looks up in every hive it can find. Enter the following command: “volatility -f cridex.vmem --profile=WinXPSP2x86 printkey -K "Software\Microsoft\Windows\CurrentVersion\Run"”. Shown below.

volatility output of printkey
volatility output of registry hive
One hive in particular, the user hive at “\Device\HarddiskVolume1\Documents and Settings\Robert\NTUSER.DAT”, has been changed: its Run key now references an executable, “KB00207877.exe”. We can check whether the malware’s memory contains this name.

Run the command “strings 1640.dmp | grep -Fi "KB00207877.exe"”. Shown below.

strings output on memory dump
From here we can safely say that the malware changed the startup registry key to include this executable. We can delete this file to begin the cleanup process.
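The two string searches above (the “/zb/v_01_a/in” URI and the “KB00207877.exe” Run-key executable) can be folded into one IOC sweep over a raw process dump. The following is an added example, not part of the original article or of Volatility: it reimplements the `strings` / `strings -el` scan in Python, so that UTF-16LE strings, which Windows keeps in memory and plain `strings` misses, are covered too, and it pulls out IP:port pairs as well as the two known indicators. The sample dump bytes are constructed for the demonstration and are not the real Cridex memory.

```python
import re

# Indicators this article recovers from the Cridex dump (not an exhaustive
# Cridex IOC set): the beacon URI path and the executable named in the Run key.
KNOWN_URI_PATHS = ("/zb/v_01_a/in",)
KNOWN_EXECUTABLES = ("KB00207877.exe",)

ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")           # what `strings` extracts
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")   # what `strings -el` extracts
IPPORT_RE = re.compile(r"\b((?:\d{1,3}\.){3}\d{1,3}):(\d{1,5})\b")


def extract_strings(data: bytes):
    """Yield printable ASCII and UTF-16LE strings of 4+ characters."""
    for m in ASCII_RE.finditer(data):
        yield m.group().decode("ascii")
    for m in UTF16_RE.finditer(data):
        yield m.group().decode("utf-16-le")


def extract_iocs(data: bytes) -> dict:
    """Return sorted lists of the page's IOC categories found in a raw dump."""
    found = {"uri_paths": set(), "ip_ports": set(), "executables": set()}
    for s in extract_strings(data):
        low = s.lower()                       # same effect as grep -i
        for path in KNOWN_URI_PATHS:
            if path.lower() in low:
                found["uri_paths"].add(path)
        for exe in KNOWN_EXECUTABLES:
            if exe.lower() in low:
                found["executables"].add(exe)
        for ip, port in IPPORT_RE.findall(s):
            if all(int(octet) <= 255 for octet in ip.split(".")):
                found["ip_ports"].add(f"{ip}:{port}")
    return {k: sorted(v) for k, v in found.items()}


# Constructed sample dump: binary noise around the strings the article found
# with `strings 1640.dmp | grep -Fi ...`; the exe name is stored as UTF-16LE.
SAMPLE_DUMP = (
    b"\x00\x90\x12\xffPOST /zb/v_01_a/in HTTP/1.1\r\nHost: 188.40.0.138:8080\r\n"
    + b"\x7f\x00\x01"
    + "KB00207877.exe".encode("utf-16-le")
    + b"\x00\x00\xde\xad"
)

if __name__ == "__main__":
    for category, values in extract_iocs(SAMPLE_DUMP).items():
        print(f"{category}: {values}")
```

Any hit from a scan like this is a lead to confirm against the Volatility output, not proof on its own; the IP and URI are the same strings a defender would push into network detection.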

References

See part 1 and part 2 for further references.

[1] Argus Managed Defence, “PassiveDNS,” Sept. 2021. https://passivedns.mnemonic.no/

[2] Microsoft, “Registry Hives,” Sept. 2021. https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-hives