Sunday, June 15, 2014

Beginning Memory Forensics - Volatility

In the previous post, the memory image of a Windows 2003SP2 machine was dumped. Now that we have the memory image, let's use volatility to analyze its contents.

First, let's look at the memory image to see what OS volatility thinks it may be. Remember, I already stated this is a Windows 2003 SP2 machine, but let's see what volatility says.

To identify the image, we use the following volatility command:
./vol.py -f SECURITYNIK-SRV-20140613-015002.raw imageinfo

As can be seen above, the imageinfo plugin gave us some suggested profiles. From the additional information, we can also see the time the image was acquired. We will also use the KDBG address information as we continue to analyze our image.

Let's move on to the connections plugin to see what network connections may have been established at the time this memory image was acquired.

To find the network connections we use:
./vol.py -f SECURITYNIK-SRV-20140613-015002.raw connections


There seems to have been a connection from the localhost on port 1033 to host 192.168.0.15 on port 4444. We also see this connection reports it was using PID 4712.

Let's look at the process tree to see what we can find using command:
vol.py --profile=Win2003SP2x86 --kdbg=0x808993d8 -f SECURITYNIK-SRV-20140613-015002.raw pstree

Name                                                  Pid   PPid   Thds   Hnds Time
 0x812923e8:rundll32.exe                             4712   4700      2     35 2014-06-13 01:49:51 UTC+0000
. 0x81292b70:cmd.exe                                 4728   4712      1     30 2014-06-13 01:49:51 UTC+0000


It seems process 4712 also had a child process with PID 4728 (cmd.exe). From this perspective, I would say someone at IP 192.168.0.15 had access to the command prompt. We also see that process 4712's parent is reported as PID 4700.

Let's see what we can learn about PID 4700:
vol.py --profile=Win2003SP2x86 --kdbg=0x808993d8 -f SECURITYNIK-SRV-20140613-015002.raw pslist --pid=4700


Hmmmmmm!! This is strange: PID 4700 does not seem to exist.

Let's move on. What privileges were PID 4712 (rundll32.exe) and PID 4728 (cmd.exe) running with? Let's find out.


From the above, it seems these 2 processes were also running with Local System and Administrator privileges.

Since we were unable to find anything relating to PID 4700, let's see what DLLs may be in use by PID 4712 (rundll32.exe):
vol.py --profile=Win2003SP2x86 --kdbg=0x808993d8 -f SECURITYNIK-SRV-20140613-015002.raw dlllist -p 4712



... and now for PID 4728 (cmd.exe):
vol.py --profile=Win2003SP2x86 --kdbg=0x808993d8 -f SECURITYNIK-SRV-20140613-015002.raw dlllist -p 4728



Let's go back to process rundll32.exe (PID 4712) and see if there may be any malware in there.

vol.py --profile=Win2003SP2x86 --kdbg=0x808993d8 -f SECURITYNIK-SRV-20140613-015002.raw malfind -p 4712 --dump-dir /tmp

The above command created the file process.0x812923e8.0x90000.dmp in the /tmp directory.

Let's post this file up to VirusTotal and see what we get.



Looks like the file was detected as containing malware by 2 out of the 54 AV engines.

As the above shows, we can use tools like volatility to analyze the contents of memory to draw conclusions.
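The connections, pstree and pslist steps above were correlated by hand: a process with a remote connection, a parent PID that no longer exists, and a cmd.exe child. The script below automates that triage over constructed text shaped like Volatility 2 pstree and connections output. It is an added example, not code from the post or from the Volatility project; the System/smss.exe rows, the 0x81f5e4a8 offset and the 192.168.0.20 local address are made up, while the rundll32.exe/cmd.exe rows mirror the post.

```python
import re
from collections import namedtuple

# Constructed sample output in the shape of Volatility 2 "pstree" and
# "connections". The rundll32.exe/cmd.exe rows mirror the post; the rest
# (System, smss.exe, the connection offset and local IP) are made up.
PSTREE_OUTPUT = """\
Name                                                  Pid   PPid   Thds   Hnds Time
 0x823c8830:System                                       4      0     59    403 1970-01-01 00:00:00 UTC+0000
. 0x81f0a020:smss.exe                                  368      4      3     21 2014-06-13 01:40:02 UTC+0000
 0x812923e8:rundll32.exe                             4712   4700      2     35 2014-06-13 01:49:51 UTC+0000
. 0x81292b70:cmd.exe                                 4728   4712      1     30 2014-06-13 01:49:51 UTC+0000
"""
CONNECTIONS_OUTPUT = """\
Offset(V)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x81f5e4a8 192.168.0.20:1033         192.168.0.15:4444         4712
"""

Proc = namedtuple("Proc", "name pid ppid")
Conn = namedtuple("Conn", "local remote pid")

# "0x<offset>:<name>  <pid>  <ppid>" from a pstree row (dots/indent ignored)
PROC_RE = re.compile(r"0x[0-9a-f]+:(\S+)\s+(\d+)\s+(\d+)")
# "0x<offset>  <local>  <remote>  <pid>" from a connections row
CONN_RE = re.compile(r"^0x[0-9a-f]+\s+(\S+)\s+(\S+)\s+(\d+)", re.M)

def parse_pstree(text):
    return [Proc(m.group(1), int(m.group(2)), int(m.group(3))) for m in PROC_RE.finditer(text)]

def parse_connections(text):
    return [Conn(m.group(1), m.group(2), int(m.group(3))) for m in CONN_RE.finditer(text)]

def triage(pstree_text, conn_text):
    """Flag connection owners whose parent is gone or that spawned cmd.exe."""
    procs = parse_pstree(pstree_text)
    by_pid = {p.pid: p for p in procs}
    findings = []
    for c in parse_connections(conn_text):
        owner = by_pid.get(c.pid)
        if owner is None:  # connection with no live process behind it
            findings.append((c.pid, "connection %s -> %s owned by PID absent from process list" % (c.local, c.remote)))
            continue
        reasons = []
        if owner.ppid not in by_pid:
            reasons.append("parent PID %d not in process list" % owner.ppid)
        if any(p.ppid == owner.pid and p.name.lower() == "cmd.exe" for p in procs):
            reasons.append("spawned cmd.exe")
        if reasons:
            findings.append((owner.pid, "%s: %s -> %s; %s" % (owner.name, c.local, c.remote, "; ".join(reasons))))
    return findings

if __name__ == "__main__":
    for pid, why in triage(PSTREE_OUTPUT, CONNECTIONS_OUTPUT):
        print("PID %d: %s" % (pid, why))
```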

Reference and Additional Readings:
https://code.google.com/p/volatility/wiki/CommandReference
http://moyix.blogspot.ca/2008/04/finding-kernel-global-variables-in.html
https://www.virustotal.com/
