Volatility Walkthrough

[Task 1] Intro

1) Install Volatility onto your workstation of choice or use the provided virtual machine. On Debian-based systems such as Kali this can be done via `apt-get install volatility`

This command did not work on Ubuntu 20.04 LTS (Debian-based), and apt-get is deprecated. The package for current Debian-based systems is:

sudo snap install volatility-phocean 

Answer: No answer needed.

 

[Task 2] Obtaining Memory Samples

#1 What memory format is the most common?

FTK Imager – https://accessdata.com/product-download/ftk-imager-version-4-2-0
Redline – https://www.fireeye.com/services/freeware/redline.html *Requires registration, but Redline has a very nice GUI
DumpIt.exe
win32dd.exe / win64dd.exe – *Has fantastic psexec support, great for IT departments if your EDR solution doesn’t support this

These tools will typically output a .raw file which contains an image of the system memory. The .raw format is one of the most common memory file types you will see in the wild.

Answer: .raw

 

#2 The Windows system we’re looking to perform memory forensics on was turned off by mistake. What file contains a compressed memory image?

… Offline machines, however, can have their memory pulled relatively easily as long as their drives aren’t encrypted.
For Windows systems, this can be done via pulling the following file:

        %SystemDrive%/hiberfil.sys

hiberfil.sys, better known as the Windows hibernation file, contains a compressed memory image from the previous boot.
Microsoft Windows systems use this in order to provide faster boot-up times.
We can use this file in our case for some memory forensics!

Answer: hiberfil.sys

 

#3 How about if we wanted to perform memory forensics on a VMware-based virtual machine?

Here’s a quick sampling of the memory capture process/file containing a memory image for different virtual machine hypervisors:

VMware – .vmem file
Hyper-V – .bin file
Parallels – .mem file
VirtualBox – .sav file *This is only a partial memory file. You’ll need to dump memory like a normal bare-metal system for this hypervisor

Answer: .vmem

 
 

[Task 3] Examining Our Patient

#1 First, let’s figure out what profile we need to use. Profiles determine how Volatility treats our memory image since every version of Windows is a little bit different. Let’s see our options now with the command `volatility -f MEMORY_FILE.raw imageinfo`

    $ volatility -f cridex.vmem imageinfo
    Volatility Foundation Volatility Framework 2.6.1
    INFO    : volatility.debug    : Determining profile based on KDBG search...
              Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
                         AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                         AS Layer2 : FileAddressSpace (/home/hellmoon/Documents/TryhackmeNotes/volatilityRoom/cridex.vmem)
                          PAE type : PAE
                               DTB : 0x2fe000L
                              KDBG : 0x80545ae0L
              Number of Processors : 1
         Image Type (Service Pack) : 3
                    KPCR for CPU 0 : 0xffdff000L
                 KUSER_SHARED_DATA : 0xffdf0000L
               Image date and time : 2012-07-22 02:45:08 UTC+0000
         Image local date and time : 2012-07-21 22:45:08 -0400

Answer: No answer needed.

 

#2 Running the imageinfo command in Volatility will provide us with a number of profiles we can test with; however, only one will be correct. We can test these profiles using the pslist command, validating our profile selection by the sheer number of returned results. Do this now with the command `volatility -f MEMORY_FILE.raw --profile=PROFILE pslist`. What profile is correct for this memory image?

    $ volatility -f cridex.vmem --profile=WinXPSP2x86 pslist
    Volatility Foundation Volatility Framework 2.6.1
    Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
    ---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
    0x823c89c8 System                    4      0     53      240 ------      0
    0x822f1020 smss.exe                368      4      3       19 ------      0 2012-07-22 02:42:31 UTC+0000
    0x822a0598 csrss.exe               584    368      9      326      0      0 2012-07-22 02:42:32 UTC+0000
    0x82298700 winlogon.exe            608    368     23      519      0      0 2012-07-22 02:42:32 UTC+0000
    0x81e2ab28 services.exe            652    608     16      243      0      0 2012-07-22 02:42:32 UTC+0000
    0x81e2a3b8 lsass.exe               664    608     24      330      0      0 2012-07-22 02:42:32 UTC+0000
    0x82311360 svchost.exe             824    652     20      194      0      0 2012-07-22 02:42:33 UTC+0000
    0x81e29ab8 svchost.exe             908    652      9      226      0      0 2012-07-22 02:42:33 UTC+0000
    0x823001d0 svchost.exe            1004    652     64     1118      0      0 2012-07-22 02:42:33 UTC+0000
    0x821dfda0 svchost.exe            1056    652      5       60      0      0 2012-07-22 02:42:33 UTC+0000
    0x82295650 svchost.exe            1220    652     15      197      0      0 2012-07-22 02:42:35 UTC+0000
    0x821dea70 explorer.exe           1484   1464     17      415      0      0 2012-07-22 02:42:36 UTC+0000
    0x81eb17b8 spoolsv.exe            1512    652     14      113      0      0 2012-07-22 02:42:36 UTC+0000
    0x81e7bda0 reader_sl.exe          1640   1484      5       39      0      0 2012-07-22 02:42:36 UTC+0000
    0x820e8da0 alg.exe                 788    652      7      104      0      0 2012-07-22 02:43:01 UTC+0000
    0x821fcda0 wuauclt.exe            1136   1004      8      173      0      0 2012-07-22 02:43:46 UTC+0000
    0x8205bda0 wuauclt.exe            1588   1004      5      132      0      0 2012-07-22 02:44:01 UTC+0000

The imageinfo command suggested two profiles: `Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)`

Running pslist with either profile gives identical output, but imageinfo reports “Instantiated with WinXPSP2x86”, so that is the one to use.

Answer: WinXPSP2x86

 

#3 Take a look through the processes within our image. What is the process ID for the smss.exe process? If results are scrolling off-screen, try piping your output into less

Answer: From the above process list, smss.exe has PID = 368.
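The profile check in #2 and the PID lookup in #3 are easy to script. The following is an added example written for this walkthrough; it is not code from the TryHackMe room or from the Volatility project. It parses imageinfo's suggested profiles, runs pslist under each one, keeps the profile that returns the most process rows (ties go to the profile imageinfo instantiated with), and then looks up a PID by image name. `IMAGEINFO_SAMPLE` and `PSLIST_SAMPLE` are constructed subsets of the output above; `run_volatility` assumes a `volatility` binary on PATH and is only used when you point `choose_profile` at a real image.

```python
"""Profile selection and process lookup for Volatility 2 (added example, not the room's code)."""
import re
import subprocess

# Constructed subset of the imageinfo output shown above.
IMAGEINFO_SAMPLE = """\
Volatility Foundation Volatility Framework 2.6.1
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
"""

# Constructed subset of the pslist output shown above.
PSLIST_SAMPLE = """\
Volatility Foundation Volatility Framework 2.6.1
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0x823c89c8 System                    4      0     53      240 ------      0
0x822f1020 smss.exe                368      4      3       19 ------      0 2012-07-22 02:42:31 UTC+0000
0x822a0598 csrss.exe               584    368      9      326      0      0 2012-07-22 02:42:32 UTC+0000
0x82298700 winlogon.exe            608    368     23      519      0      0 2012-07-22 02:42:32 UTC+0000
0x821dea70 explorer.exe           1484   1464     17      415      0      0 2012-07-22 02:42:36 UTC+0000
0x81e7bda0 reader_sl.exe          1640   1484      5       39      0      0 2012-07-22 02:42:36 UTC+0000
"""


def suggested_profiles(imageinfo_output):
    """Profiles from the 'Suggested Profile(s)' line, in the order imageinfo lists them."""
    match = re.search(r"Suggested Profile\(s\)\s*:\s*(.+)", imageinfo_output)
    if not match:
        return []
    names = re.sub(r"\(.*?\)", "", match.group(1))  # drop "(Instantiated with ...)"
    return [p.strip() for p in names.split(",") if p.strip()]


def parse_pslist(pslist_output):
    """Data rows only: a row starts with the 0x offset; banner, header and separator do not."""
    rows = []
    for line in pslist_output.splitlines():
        parts = line.split()
        if len(parts) < 8 or not parts[0].startswith("0x"):
            continue
        rows.append({"offset": parts[0], "name": parts[1],
                     "pid": int(parts[2]), "ppid": int(parts[3])})
    return rows


def run_volatility(image, profile, plugin):
    """Real runner: shells out to Volatility 2 (assumed on PATH) and returns its stdout."""
    cmd = ["volatility", "-f", image, "--profile=" + profile, plugin]
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


def sample_runner(image, profile, plugin):
    """Offline stand-in for run_volatility: the right profile yields the sample table,
    any other profile yields only the banner (constructed behaviour for the demo)."""
    if profile == "WinXPSP2x86":
        return PSLIST_SAMPLE
    return "Volatility Foundation Volatility Framework 2.6.1\n"


def choose_profile(image, imageinfo_output, runner=run_volatility):
    """Return (best_profile, {profile: row_count}). Ties keep imageinfo's order, so the
    profile it instantiated with wins when both produce the same listing."""
    profiles = suggested_profiles(imageinfo_output)
    counts = {p: len(parse_pslist(runner(image, p, "pslist"))) for p in profiles}
    if not counts:
        return None, counts
    return max(profiles, key=counts.__getitem__), counts


def pid_of(rows, name):
    """All PIDs carrying this image name (svchost.exe, for instance, has several)."""
    return [r["pid"] for r in rows if r["name"].lower() == name.lower()]


def process_tree(rows):
    """(child, parent) pairs. A parent PID with no row is shown as 'pid N'; that is normal
    when the parent has already exited, as with explorer.exe's parent 1464 here."""
    by_pid = {r["pid"]: r["name"] for r in rows}
    return [(r["name"], by_pid.get(r["ppid"], "pid %d" % r["ppid"])) for r in rows]


if __name__ == "__main__":
    best, counts = choose_profile("cridex.vmem", IMAGEINFO_SAMPLE, runner=sample_runner)
    print("row counts:", counts, "-> using", best)
    rows = parse_pslist(sample_runner("cridex.vmem", best, "pslist"))
    print("smss.exe PID:", pid_of(rows, "smss.exe"))
    for child, parent in process_tree(rows):
        print("  %-15s <- %s" % (child, parent))
```

To use it against a real image, call `choose_profile("cridex.vmem", open("imageinfo.txt").read())` with the default runner; the sample runner exists only so the script runs without Volatility installed.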

 

#4 In addition to viewing active processes, we can also view active network connections at the time of image creation! Let’s do this now with the command `volatility -f MEMORY_FILE.raw --profile=PROFILE netscan`. Unfortunately, something not great is going to happen here due to the sheer age of the target operating system, as the netscan command doesn’t support it.

    $ volatility -f cridex.vmem --profile=WinXPSP2x86 netscan
    Volatility Foundation Volatility Framework 2.6.1
    ERROR   : volatility.debug    : This command does not support the profile WinXPSP2x86

Answer: No answer needed.


 

#5 It’s fairly common for malware to attempt to hide itself and the process associated with it. That being said, we can view intentionally hidden processes via the command `psxview`. What process has only one ‘False’ listed?

    $ volatility -f cridex.vmem --profile=WinXPSP2x86 psxview
    Volatility Foundation Volatility Framework 2.6.1
    Offset(P)  Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
    ---------- -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
    0x02498700 winlogon.exe            608 True   True   True     True   True  True    True
    0x02511360 svchost.exe             824 True   True   True     True   True  True    True
    0x022e8da0 alg.exe                 788 True   True   True     True   True  True    True
    0x020b17b8 spoolsv.exe            1512 True   True   True     True   True  True    True
    0x0202ab28 services.exe            652 True   True   True     True   True  True    True
    0x02495650 svchost.exe            1220 True   True   True     True   True  True    True
    0x0207bda0 reader_sl.exe          1640 True   True   True     True   True  True    True
    0x025001d0 svchost.exe            1004 True   True   True     True   True  True    True
    0x02029ab8 svchost.exe             908 True   True   True     True   True  True    True
    0x023fcda0 wuauclt.exe            1136 True   True   True     True   True  True    True
    0x0225bda0 wuauclt.exe            1588 True   True   True     True   True  True    True
    0x0202a3b8 lsass.exe               664 True   True   True     True   True  True    True
    0x023dea70 explorer.exe           1484 True   True   True     True   True  True    True
    0x023dfda0 svchost.exe            1056 True   True   True     True   True  True    True
    0x024f1020 smss.exe                368 True   True   True     True   False False   False
    0x025c89c8 System                    4 True   True   True     True   False False   False
    0x024a0598 csrss.exe               584 True   True   True     True   False True    True

Answer: csrss.exe
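Each psxview column is a different way of enumerating processes, so the useful question is not just "which row has a False" but "which view missed it, and is that explainable". The script below is an added example written for this walkthrough, not code from the TryHackMe room or from Volatility. It parses psxview output, counts the False columns per process (the question above asks for exactly one), separates the benign early-boot pattern from rows that deserve a closer look, and flags the classic hiding signature: a live process that psscan carves from memory but pslist does not see in the kernel's linked list. `PSXVIEW_SAMPLE` is a constructed subset of the rows above; `CONSTRUCTED_SAMPLE` contains made-up rows (names and PIDs are not from the image) so the detection branch can be exercised offline.

```python
"""Cross-view check of Volatility 2 psxview output (added example, not the room's code)."""

# psxview's seven enumeration sources, in column order.
COLUMNS = ["pslist", "psscan", "thrdproc", "pspcid", "csrss", "session", "deskthrd"]

# Constructed subset of the psxview rows shown above.
PSXVIEW_SAMPLE = """\
Offset(P)  Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
---------- -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
0x02498700 winlogon.exe            608 True   True   True     True   True  True    True
0x02511360 svchost.exe             824 True   True   True     True   True  True    True
0x024f1020 smss.exe                368 True   True   True     True   False False   False
0x025c89c8 System                    4 True   True   True     True   False False   False
0x024a0598 csrss.exe               584 True   True   True     True   False True    True
"""

# Constructed rows (not from the image): one process missing only from the linked
# list, and one that simply exited (ExitTime set) and so is expected to be missing.
CONSTRUCTED_SAMPLE = """\
0x02498700 winlogon.exe            608 True   True   True     True   True  True    True
0x0299ff00 hidden_example.exe     9999 False  True   True     True   True  True    True
0x02a11020 gone_example.exe       2222 False  True   False    False  False False   False    2012-07-22 02:44:10 UTC+0000
"""


def parse_psxview(text):
    """Turn psxview's table into dicts; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 10 or not parts[0].startswith("0x"):
            continue
        flags = {col: parts[3 + i] == "True" for i, col in enumerate(COLUMNS)}
        exit_time = " ".join(parts[10:]) or None
        rows.append({"name": parts[1], "pid": int(parts[2]), "flags": flags, "exit_time": exit_time})
    return rows


def missing_views(row):
    """Names of the enumeration sources that did not see this process."""
    return [col for col in COLUMNS if not row["flags"][col]]


def with_n_false(rows, n):
    """Process names with exactly n False columns (the room's question asks for n == 1)."""
    return [r["name"] for r in rows if len(missing_views(r)) == n]


def unlinked_processes(rows):
    """pslist walks the kernel's ActiveProcessLinks list; psscan carves _EPROCESS objects
    out of memory. A live process (no ExitTime) that psscan finds but pslist does not has
    been unlinked from the list, which is what DKOM-style hiding looks like."""
    return [r for r in rows
            if r["flags"]["psscan"] and not r["flags"]["pslist"] and r["exit_time"] is None]


def explain(row):
    """Label the benign early-boot pattern so an analyst does not chase it: System and
    smss.exe start before csrss.exe exists and own no session or desktop, and csrss.exe
    holds no handle to itself, so False in those three columns is expected for them."""
    if row["exit_time"]:
        return "exited at " + row["exit_time"]
    missing = missing_views(row)
    boot_only = set(missing) <= {"csrss", "session", "deskthrd"}
    if row["name"] in ("System", "smss.exe", "csrss.exe") and boot_only:
        return "expected for an early-boot process"
    return "investigate" if missing else "seen by every view"


if __name__ == "__main__":
    for row in parse_psxview(PSXVIEW_SAMPLE) + parse_psxview(CONSTRUCTED_SAMPLE):
        print("%-20s pid %5d missing=%s -> %s"
              % (row["name"], row["pid"], missing_views(row), explain(row)))
    print("unlinked:", [r["name"] for r in unlinked_processes(parse_psxview(CONSTRUCTED_SAMPLE))])
```

On the image above `unlinked_processes` returns nothing and the only single-False row is csrss.exe, whose missing `csrss` column is the self-handle case; the constructed `hidden_example.exe` row shows what a real hit would look like, while `gone_example.exe` is excluded because its ExitTime explains the gaps.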

 

#6 In addition to viewing hidden processes via psxview, we can also check this with a greater focus via the command ‘ldrmodules’. Three columns will appear here in the middle, InLoad, InInit, InMem. If any of these are false, that module has likely been injected which is a really bad thing. On a normal system the grep statement above should return no output. Which process has all three columns listed as ‘False’ (other than System)?

$ volatility -f cridex.vmem --profile=WinXPSP2x86 ldrmodules | grep -i false
    Volatility Foundation Volatility Framework 2.6.1
    Pid      Process              Base       InLoad InInit InMem MappedPath
    -------- -------------------- ---------- ------ ------ ----- ----------
           4 System               0x7c900000 False  False  False \WINDOWS\system32\ntdll.dll
         368 smss.exe             0x48580000 True   False  True  \WINDOWS\system32\smss.exe
         584 csrss.exe            0x00460000 False  False  False \WINDOWS\Fonts\vgasys.fon
         584 csrss.exe            0x4a680000 True   False  True  \WINDOWS\system32\csrss.exe
         608 winlogon.exe         0x01000000 True   False  True  \WINDOWS\system32\winlogon.exe
         652 services.exe         0x01000000 True   False  True  \WINDOWS\system32\services.exe
         664 lsass.exe            0x01000000 True   False  True  \WINDOWS\system32\lsass.exe
         824 svchost.exe          0x01000000 True   False  True  \WINDOWS\system32\svchost.exe
         908 svchost.exe          0x01000000 True   False  True  \WINDOWS\system32\svchost.exe
        1004 svchost.exe          0x01000000 True   False  True  \WINDOWS\system32\svchost.exe
        1056 svchost.exe          0x01000000 True   False  True  \WINDOWS\system32\svchost.exe
        1220 svchost.exe          0x01000000 True   False  True  \WINDOWS\system32\svchost.exe
        1484 explorer.exe         0x01000000 True   False  True  \WINDOWS\explorer.exe
        1512 spoolsv.exe          0x01000000 True   False  True  \WINDOWS\system32\spoolsv.exe
        1640 reader_sl.exe        0x00400000 True   False  True  \Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
         788 alg.exe              0x01000000 True   False  True  \WINDOWS\system32\alg.exe
        1136 wuauclt.exe          0x00400000 True   False  True  \WINDOWS\system32\wuauclt.exe
        1588 wuauclt.exe          0x00400000 True   False  True  \WINDOWS\system32\wuauclt.exe

Answer: csrss.exe
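To make the ldrmodules triage repeatable, here is an added example (not part of the walkthrough or of Volatility) that parses the plain-text table the plugin prints and flags every mapping absent from all three PEB lists. It also treats the process's own executable with InInit=False as expected rather than suspicious, which is why the grep above lights up nearly every process; the sample table is a constructed, abbreviated copy of the output above.

```python
import re

# Constructed sample in the exact column layout ldrmodules prints (a subset of
# the rows shown above, plus one fully linked ntdll row for contrast).
SAMPLE_LDRMODULES = """\
Volatility Foundation Volatility Framework 2.6.1
Pid      Process              Base       InLoad InInit InMem MappedPath
-------- -------------------- ---------- ------ ------ ----- ----------
       4 System               0x7c900000 False  False  False \\WINDOWS\\system32\\ntdll.dll
     368 smss.exe             0x48580000 True   False  True  \\WINDOWS\\system32\\smss.exe
     584 csrss.exe            0x00460000 False  False  False \\WINDOWS\\Fonts\\vgasys.fon
     584 csrss.exe            0x4a680000 True   False  True  \\WINDOWS\\system32\\csrss.exe
     584 csrss.exe            0x7c900000 True   True   True  \\WINDOWS\\system32\\ntdll.dll
    1640 reader_sl.exe        0x00400000 True   False  True  \\Program Files\\Adobe\\Reader 9.0\\Reader\\reader_sl.exe
"""

# One data row: pid, process name, base, three True/False flags, then the
# mapped path, which may itself contain spaces.
ROW_RE = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<process>\S+)\s+(?P<base>0x[0-9a-fA-F]+)\s+"
    r"(?P<inload>True|False)\s+(?P<ininit>True|False)\s+(?P<inmem>True|False)\s+"
    r"(?P<path>\S.*?)\s*$"
)


def parse_ldrmodules(text):
    """Turn ldrmodules text output into a list of dicts. The banner, header
    and separator lines do not match ROW_RE and are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        rows.append({
            "pid": int(d["pid"]),
            "process": d["process"],
            "base": int(d["base"], 16),
            "inload": d["inload"] == "True",
            "ininit": d["ininit"] == "True",
            "inmem": d["inmem"] == "True",
            "path": d["path"],
        })
    return rows


def is_own_image(row):
    """A process's own executable is never placed on the InInitializationOrder
    list, so InInit=False for it is expected rather than suspicious."""
    return row["path"].lower().endswith("\\" + row["process"].lower())


def find_unlinked(rows, ignore_system=True):
    """Rows whose image is mapped in memory but absent from all three PEB
    lists. PID 4 (System) has no user-mode PEB at all, so every row for it
    reads False/False/False and is ignored by default. A non-DLL mapped file
    (a .fon, for instance) shows the same pattern, so confirm a hit by
    dumping the region and checking for a PE header before calling it injected."""
    return [
        r for r in rows
        if not (ignore_system and r["pid"] == 4)
        and not (r["inload"] or r["ininit"] or r["inmem"])
    ]


def find_partially_unlinked(rows):
    """Rows missing from some but not all lists, excluding the expected
    InInit=False on the process's own image: a softer signal worth a look."""
    return [
        r for r in rows
        if r["pid"] != 4
        and not (r["inload"] and r["ininit"] and r["inmem"])
        and (r["inload"] or r["ininit"] or r["inmem"])
        and not (is_own_image(r) and r["inload"] and r["inmem"] and not r["ininit"])
    ]


def suspicious_processes(rows):
    """Sorted process names that have at least one fully unlinked mapping."""
    return sorted({r["process"] for r in find_unlinked(rows)})


if __name__ == "__main__":
    parsed = parse_ldrmodules(SAMPLE_LDRMODULES)
    for r in find_unlinked(parsed):
        print("unlinked: pid=%d %s base=%#x path=%s"
              % (r["pid"], r["process"], r["base"], r["path"]))
    print("processes to examine:", suspicious_processes(parsed))
```

Feed it the real plugin output with `parse_ldrmodules(open("ldrmodules.txt").read())` after saving `volatility ... ldrmodules > ldrmodules.txt`.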

 

#7 Processes aren’t the only area we’re concerned with when we’re examining a machine. Using the `apihooks` command we can view unexpected patches in the standard system DLLs. If we see an instance where `Hooking module: <unknown>` appears, that’s really bad. This command will take a while to run; however, it will show you all of the extraneous code introduced by the malware.

Answer: No answer needed.

 

#8 Injected code can be a huge issue and is highly indicative of very bad things. We can check for this with the command `malfind`. Using the full command `volatility -f MEMORY_FILE.raw --profile=PROFILE malfind -D <Destination Directory>` we can not only find this code, but also dump it to our specified directory. Let’s do this now! We’ll use this dump later for more analysis. How many files does this generate?

$ volatility -f cridex.vmem --profile=WinXPSP2x86 malfind -D ./
    ...[Output too long to include here]...
$ ls -al
    total 525736
    drwxrwxr-x 2 hexmen hexmen      4096 May 15 12:10 .
    drwxrwxr-x 8 hexmen hexmen      4096 May 15 10:01 ..
    -rw------- 1 hexmen hexmen 536870912 Aug  1  2012 cridex.vmem
    -rw-rw-r-- 1 hexmen hexmen    135168 May 15 12:10 process.0x81e7bda0.0x3d0000.dmp
    -rw-rw-r-- 1 hexmen hexmen    135168 May 15 12:10 process.0x821dea70.0x1460000.dmp
    -rw-rw-r-- 1 hexmen hexmen     16384 May 15 12:10 process.0x82298700.0x13410000.dmp
    -rw-rw-r-- 1 hexmen hexmen     16384 May 15 12:10 process.0x82298700.0x4c540000.dmp
    -rw-rw-r-- 1 hexmen hexmen     16384 May 15 12:10 process.0x82298700.0x4dc40000.dmp
    -rw-rw-r-- 1 hexmen hexmen     16384 May 15 12:10 process.0x82298700.0x4ee0000.dmp
    -rw-rw-r-- 1 hexmen hexmen     16384 May 15 12:10 process.0x82298700.0x554c0000.dmp
    -rw-rw-r-- 1 hexmen hexmen     16384 May 15 12:10 process.0x82298700.0x5de10000.dmp
    -rw-rw-r-- 1 hexmen hexmen     16384 May 15 12:10 process.0x82298700.0x6a230000.dmp
    -rw-rw-r-- 1 hexmen hexmen     16384 May 15 12:10 process.0x82298700.0x73f40000.dmp
    -rw-rw-r-- 1 hexmen hexmen     16384 May 15 12:10 process.0x82298700.0xf9e0000.dmp
    -rw-rw-r-- 1 hexmen hexmen   1048576 May 15 12:10 process.0x822a0598.0x7f6f0000.dmp
    -rw-rw-r-- 1 hexmen hexmen      3724 May 15 10:25 volatilityNotes.txt

Answer: 12 files are created.

 

#9 Last but certainly not least we can view all of the DLLs loaded into memory. DLLs are shared system libraries utilized in system processes. These are commonly subjected to hijacking and other side-loading attacks, making them a key target for forensics. Let’s list all of the DLLs in memory now with the command `dlllist`

$ volatility -f cridex.vmem --profile=WinXPSP2x86 dlllist
    Volatility Foundation Volatility Framework 2.6.1
    ************************************************************************
    System pid:      4
    Unable to read PEB for task.
    ************************************************************************
    smss.exe pid:    368
    Command line : \SystemRoot\System32\smss.exe
    
    
    Base             Size  LoadCount LoadTime                       Path
    ---------- ---------- ---------- ------------------------------ ----
    0x48580000     0xf000     0xffff                                \SystemRoot\System32\smss.exe
    0x7c900000    0xaf000     0xffff                                C:\WINDOWS\system32\ntdll.dll
    ************************************************************************
    csrss.exe pid:    584
    Command line : C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On
        SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,
            3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
    Service Pack 3
    ...[More output for each process not shown here]...

Answer: No answer needed.

 

#10 Now that we’ve seen all of the DLLs running in memory, let’s go a step further and pull them out! Do this now with the command `volatility -f MEMORY_FILE.raw --profile=PROFILE --pid=PID dlldump -D <Destination Directory>` where the PID is the process ID of the infected process we identified earlier (questions five and six). How many DLLs does this end up pulling?

$ volatility -f cridex.vmem --profile=WinXPSP2x86 --pid=584 dlldump -D ./dlldump
    Volatility Foundation Volatility Framework 2.6.1
    Process(V) Name                 Module Base Module Name          Result
    ---------- -------------------- ----------- -------------------- ------
    0x822a0598 csrss.exe            0x04a680000 csrss.exe            OK: module.584.24a0598.4a680000.dll
    0x822a0598 csrss.exe            0x07c900000 ntdll.dll            OK: module.584.24a0598.7c900000.dll
    0x822a0598 csrss.exe            0x075b40000 CSRSRV.dll           OK: module.584.24a0598.75b40000.dll
    0x822a0598 csrss.exe            0x077f10000 GDI32.dll            OK: module.584.24a0598.77f10000.dll
    0x822a0598 csrss.exe            0x07e720000 sxs.dll              OK: module.584.24a0598.7e720000.dll
    0x822a0598 csrss.exe            0x077e70000 RPCRT4.dll           OK: module.584.24a0598.77e70000.dll
    0x822a0598 csrss.exe            0x077dd0000 ADVAPI32.dll         OK: module.584.24a0598.77dd0000.dll
    0x822a0598 csrss.exe            0x077fe0000 Secur32.dll          OK: module.584.24a0598.77fe0000.dll
    0x822a0598 csrss.exe            0x075b50000 basesrv.dll          OK: module.584.24a0598.75b50000.dll
    0x822a0598 csrss.exe            0x07c800000 KERNEL32.dll         OK: module.584.24a0598.7c800000.dll
    <span class="token number">0x822a0598</span> csrss<span class="token punctuation">.</span>exe            <span class="token number">0x07e410000</span> USER32<span class="token punctuation">.</span>dll           OK<span class="token punctuation">:</span> module<span class="token punctuation">.</span><span class="token number">584.24</span>a0598<span class="token punctuation">.</span><span class="token number">7e410000</span><span class="token punctuation">.</span>dll
    <span class="token number">0x822a0598</span> csrss<span class="token punctuation">.</span>exe            <span class="token number">0x075b60000</span> winsrv<span class="token punctuation">.</span>dll           OK<span class="token punctuation">:</span> module<span class="token punctuation">.</span><span class="token number">584.24</span>a0598<span class="token punctuation">.</span><span class="token number">75</span>b60000<span class="token punctuation">.</span>dll 

Answer: There are 12 .dlls that are pulled from memory.
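As an added example (not part of the original walkthrough), here is a small Python parser for Volatility 2 dlldump output: it counts the successfully dumped DLLs per process and checks that the DllBase part of each output file name agrees with the Module Base column. The sample input is the twelve csrss.exe rows above plus one constructed failed row.

```python
import re
from collections import Counter

# Constructed sample: the twelve csrss.exe rows from the dlldump output above plus one hypothetical failed row.
SAMPLE_OUTPUT = """\
0x822a0598 csrss.exe            0x04a680000 csrss.exe            OK: module.584.24a0598.4a680000.dll
0x822a0598 csrss.exe            0x07c900000 ntdll.dll            OK: module.584.24a0598.7c900000.dll
0x822a0598 csrss.exe            0x075b40000 CSRSRV.dll           OK: module.584.24a0598.75b40000.dll
0x822a0598 csrss.exe            0x077f10000 GDI32.dll            OK: module.584.24a0598.77f10000.dll
0x822a0598 csrss.exe            0x07e720000 sxs.dll              OK: module.584.24a0598.7e720000.dll
0x822a0598 csrss.exe            0x077e70000 RPCRT4.dll           OK: module.584.24a0598.77e70000.dll
0x822a0598 csrss.exe            0x077dd0000 ADVAPI32.dll         OK: module.584.24a0598.77dd0000.dll
0x822a0598 csrss.exe            0x077fe0000 Secur32.dll          OK: module.584.24a0598.77fe0000.dll
0x822a0598 csrss.exe            0x075b50000 basesrv.dll          OK: module.584.24a0598.75b50000.dll
0x822a0598 csrss.exe            0x07c800000 KERNEL32.dll         OK: module.584.24a0598.7c800000.dll
0x822a0598 csrss.exe            0x07e410000 USER32.dll           OK: module.584.24a0598.7e410000.dll
0x822a0598 csrss.exe            0x075b60000 winsrv.dll           OK: module.584.24a0598.75b60000.dll
0x822a0598 csrss.exe            0x0deadbeef fake.dll             Error: DllBase is paged (hypothetical row)
"""
ROW_RE = re.compile(r"^(0x[0-9a-f]+)\s+(\S+)\s+(0x[0-9a-f]+)\s+(\S+)\s+(OK|Error):\s*(.*)$", re.I)
# dlldump names each file module.<pid>.<physical offset>.<DllBase>.dll
FILE_RE = re.compile(r"^module\.(\d+)\.([0-9a-f]+)\.([0-9a-f]+)\.dll$", re.I)

def parse_dlldump(text):
    """One dict per data row; header and separator lines do not match and are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        proc, name, base, module, status, detail = m.groups()
        ok = status.upper() == "OK"
        # The physical offset in the file name cannot be compared to Process(V),
        # but the DllBase part must equal the Module Base column.
        f = FILE_RE.match(detail) if ok else None
        base_matches = bool(f) and int(f.group(3), 16) == int(base, 16)
        rows.append({"proc": proc, "name": name, "base": base, "module": module,
                     "ok": ok, "file": detail if ok else None, "base_matches": base_matches})
    return rows

def count_ok_by_process(rows):
    """Number of successfully dumped DLLs per process name (the T3Q10 count)."""
    return Counter(r["name"] for r in rows if r["ok"])

if __name__ == "__main__":
    rows = parse_dlldump(SAMPLE_OUTPUT)
    for name, n in count_ok_by_process(rows).items():
        print(f"{name}: {n} DLLs dumped")
    print("failed:", [r["module"] for r in rows if not r["ok"]])
```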

 

[Task 4] Post Actions

#1 Upload the extracted files to VirusTotal for examination.

Answer: No answer needed.

 

#2 Upload the extracted files to Hybrid Analysis for examination – Note, this will also upload to VirusTotal but for the sake of demonstration we have done this separately.

Answer: No answer needed.

 

#3 What malware has our sample been infected with? You can find this in the results of VirusTotal and Hybrid Analysis.

Tasks 3 and 4 are worded such that the user would assume they should upload the .dll files extracted from csrss.exe. After talking to a THM mod, we came to the conclusion the room doesn’t make it clear which process to extract the .dll files from for upload.

The process in question is smss.exe. This process is only mentioned once in the entire room, but it is the first user-level process started up by the kernel, so malware tends to try to attach to it, especially as it’s responsible for user sessions and system/environment variables like $PATH.

But once I extracted the .dlls from this process (follow T3Q10) and uploaded the files to Hybrid-Analysis, I still couldn’t get the correct answer. Neither Hybrid-Analysis nor VirusTotal returned any relevant results.

What worked for me was to upload the .dmp files from T3Q8. I instantly got results from both Hybrid-Analysis and VirusTotal.

The scans can be found in the links below:

https://hybrid-analysis.com/file-collection/5ebefdc9ef012d294567a3a8

https://www.virustotal.com/gui/file/e00a1143fea8568f5bcbe2793c6b87032ba57f2fdd122266ea799658169d36b2/detection

Answer: Cridex

source: Blue Primer
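Looking up the extracted files by SHA-256 (the VirusTotal link above is keyed by that hash) tells you whether a sample is already known before anything is uploaded. As an added example (not the walkthrough's own code), this Python script hashes the Volatility 2 artefacts in an output directory, collapses identical dumps so each unique sample is looked up once, and builds the VirusTotal lookup URL from the hash; the directory contents are a constructed fixture with made-up bytes.

```python
import hashlib
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# File names Volatility 2 gives the artefacts used in this walkthrough:
# dlldump -> module.<pid>.<offset>.<base>.dll, procdump -> executable.<pid>.exe,
# memdump -> <pid>.dmp (the T3Q8 files that gave the author hits).
ARTEFACT_RE = re.compile(r"^(module\.\d+\.[0-9a-f]+\.[0-9a-f]+\.dll|executable\.\d+\.exe|\d+\.dmp)$")

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def inventory(dump_dir):
    """Map each artefact name to (sha256, size in bytes); other files are ignored."""
    out = {}
    for p in sorted(Path(dump_dir).iterdir()):
        if p.is_file() and ARTEFACT_RE.match(p.name):
            out[p.name] = (sha256_file(p), p.stat().st_size)
    return out

def unique_samples(inv):
    """Group names by hash: identical dumps need only one lookup, not one per copy."""
    groups = defaultdict(list)
    for name, (digest, _size) in inv.items():
        groups[digest].append(name)
    return {d: (names, f"https://www.virustotal.com/gui/file/{d}") for d, names in groups.items()}

def build_fixture():
    """Constructed stand-in for a Volatility output directory (hypothetical content)."""
    d = Path(tempfile.mkdtemp())
    (d / "module.584.24a0598.4a680000.dll").write_bytes(b"abc")
    (d / "584.dmp").write_bytes(b"abc")           # same bytes: collapses into one lookup
    (d / "executable.584.exe").write_bytes(b"xyz")
    (d / "notes.txt").write_bytes(b"ignored")      # not a Volatility artefact
    return d

if __name__ == "__main__":
    inv = inventory(build_fixture())
    for digest, (names, url) in unique_samples(inv).items():
        print(f"{digest[:12]}... {len(names)} file(s) {names} -> {url}")
```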
