Memory CTF with Volatility Part 3
By Guy Nguyen-Phuoc on December 2, 2021
Memory analysis or Memory forensics is the process of analyzing volatile data from computer memory dumps. With the advent of “fileless” malware, it is becoming increasingly more difficult to conduct digital forensics analysis. Memory analysis not only helps solve this situation but also provides unique insights in the runtime of the system’s activity: open network connections, recently executed commands, and the ability to see any decrypted malicious file. In this article we will go over a memory analysis tool called Volatility and begin an initial analysis of the Cridex malware provided by the Volatility Foundation. This is part 3 of the CTF memory series.
Part one & part two
After our analysis of the trojan, we want to develop a way to prevent this from happening again, and to do that we want to find Indicators of Compromise (IOC). IOCs will help describe the Cridex trojan, the more IOCs the easier it is to identify the trojan.
First we will look into the path quired by the malware from part 2’s string dump, “POST /zb/v_01_a/in” with the command, “strings 1640.dmp | grep -Fi “/zb/v_01_a/in”. Show in the image below.
We then limit the search for “/zb/v_01_a/in” with the grep command, flag “F” is so every line is a Fixed string pattern, separated by newlines, and flag “i” is to ignore case.
And with that we found another suspicious IP address, “220.127.116.11” that communicates over the 8080 port. We can now use a passive DNS service named Mnemonic to check the IP address.
From here we would cross reference all the results to see if they are linked to our trojan. Each incident would then be added to our list of IOCs that we would give to the Security Operation Center (SOC) team to handle.
If possible, you would run an antimalware scan of your choice to detect if the trojan is on other machines.
We can check the registry keys to see if the malware/trojan has an Autorun key. These keys are stored in the following path:
“HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, RunOnce, RunOnceEx”
“We can do this with the hivelist plugin of the volatility framework. Run the command, “volatility -f cridex.vmem –profile=WinXPSP2x86 hivelist”. Shown below.
The hivelist plugin allows us to print the list of registry hives. We can then use the printkey plugin to see the content of the registry key, its subkey and values. The flag -K allows us to specify the path of the registry key. Enter the following command, “volatility -f cridex.vmem –profile=WinXPSP2x86 printkey -K “Software\Microsoft\Windows\CurrentVersion\Run”. Shown below.
One hive in particular, “\Device\HarddiskVolume1\Documents and Settings\Robert\NTUSER.DAT”, has been changed. The executable is of note, we can check to see if our malware contains this name, “KB00207877.exe”.
Run the command, “strings 1640.dmp | grep -Fi “KB00207877.exe”. Shown below.
From here we can safely say that the malware changed the startup registry key to include this exe file. We can delete this file to begin the cleanup process.
See part 1 and part 2 for further references.
 Argus Managed Defence, “PassiveDNS,” Sept. 2021. https://passivedns.mnemonic.no/
 Microsoft, ”Registry Hives,” Sept. 2021. https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-hives