MEMORY FORENSICS
Memory forensics is forensic analysis of a computer's memory dump. Its primary application is
investigation of advanced computer attacks which are stealthy enough to avoid leaving data on
the computer's hard drive. Consequently, the memory (RAM) must be analyzed for forensic information.
Why Memory Forensics
• Processes and threads
• Malware (including rootkit technologies)
• Network sockets, URLs, IP addresses, events and IOCs (indicators of compromise)
• Open files, network shares
• User generated content
• Passwords, caches, clipboards
• Encryption keys, applications
• Hardware and software configuration
• Windows registry keys and event logs
Memory Analysis Advantages
- Best place to identify malicious software activity
- Study running system configuration
- Identify inconsistencies (contradictions) in system
- Bypass packers, binary obfuscators, rootkits (including kernel mode) and other hiding tools.
- Analyze and track recent activity on the system
- Identify all recent activity
- Profile user or attacker activities
- Collect evidence that cannot be found anywhere else
- Memory-only malware
- Chat threads
- Internet activities
Virtual Machine Memory Acquisition
VMware (Fusion/Workstation/Server/Player) : .vmem file = raw memory image
Microsoft Hyper-V : .bin file = raw memory image
Parallels : .mem file = raw memory image
VirtualBox : .sav file = partial memory image
TOOLS TO CAPTURE RAM
• LIVE System (RAM Acquisition)
win32dd.exe / win64dd.exe
Belkasoft Ram Capturer
OSforensics
• DEAD System
Hibernation File
Contains a compressed RAM Image
%SystemDrive%\hiberfil.sys
MALWARE MEMORY FORENSICS USING VOLATILITY
Zeus / Zbot Overview
• Persistent malware designed to steal credentials
• Many variants. A popular one does the following:
• Copies itself to %system32%\sdra64.exe
• Injects code into winlogon.exe or explorer.exe
• Further injects code into every process but csrss & smss
• Auto-start path: HKLM\Software\Microsoft\WindowsNT\winlogon\userinit
• Creates local.ds & user.ds in %system32%\lowsec\
• Retrieves files from command and control server
• Mutant: _AVIRA_
• Hooks over 50 system APIs
IMAGE INFO
To identify the operating system, service pack, and hardware architecture (32 or 64 bit); the output also contains other useful information such as the DTB address and the time the sample was collected.
CONNSCAN
To find artifacts from previous connections that have since been terminated, in addition to the active ones.
PSLIST
To list the processes of a system; it shows the offset, process name, process ID, parent process ID, number of threads, number of handles, and the date/time when the process started and exited.
Here svchost.exe is the process making connections to 193.104.47.75, rather than an Internet browser, which is not what a legitimate service host would normally do.
MALFIND
To find hidden or injected code/DLLs in user-mode memory, based on characteristics such as the VAD tag and page permissions
HASHING THE DUMP
md5sum process.0x80ff88d8.0xb70000.dmp process.0x80ff88d8.0xcb0000.dmp
59f1993ae96c0108f0fa224609f51a2f process.0x80ff88d8.0xb70000.dmp
da295c2ce7c8741c2f16ff8d0f76efd3 process.0x80ff88d8.0xcb0000.dmp
PRINTKEY
To display the subkeys, values, data, and data types contained within a specified registry key, use the printkey command. By default, printkey will search all hives and print the key information (if found) for the requested key. Therefore, if the key is located in more than one hive, the information for the key will be printed for each hive that contains it.
You can see "sdra64.exe" will run when the computer starts.
USERASSIST
This provides a lot of information about user activity
MUTANTSCAN
To scan physical memory for KMUTANT objects with pool tag scanning, use the mutantscan command. By default, it displays all objects, but you can pass -s or --silent to only show named mutexes. The CID column contains the process ID and thread ID of the mutex owner if one exists.
Here we noticed _AVIRA_2018 and _AVIRA_2019
THIS IS THE EVIDENCE THAT A COMPUTER IS INFECTED WITH "ZEUS BOTNET"
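The two checks above (a non-browser process owning the connection found by connscan, and _AVIRA_-style names in mutantscan) can be scripted over the plugin output. The following is an added example, not code from the original post or from Volatility; the sample rows are constructed in Volatility 2 column layout and the browser list is an assumption.

```python
# Constructed sample rows in Volatility 2 column layout (not from the post).
PSLIST = """\
0x80ff88d8 svchost.exe             856    676     29      336      0      0 2010-08-11 06:06:24 UTC+0000
0x80fe8b00 explorer.exe           1724   1696     14      452      0      0 2010-08-11 06:06:44 UTC+0000
0x80f9c5a0 firefox.exe            1900   1724     21      390      0      0 2010-08-11 06:10:02 UTC+0000
"""
CONNSCAN = """\
0x02087620 172.16.176.143:1054       193.104.47.75:80          856
0x02110a48 172.16.176.143:1061       93.184.216.34:443         1900
"""
MUTANTSCAN = """\
0x01aa9e90    2    1      1 0x00000000              _AVIRA_2018
0x01bb0c20    3    2      0 0x00000000              ShimCacheMutex
"""

# Assumed set of processes that are expected to hold outbound HTTP(S) connections.
BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe", "opera.exe"}

def parse_pslist(text):
    """Map PID -> process name from pslist rows (offset, name, pid, ...)."""
    procs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0].startswith("0x"):
            procs[int(parts[2])] = parts[1]
    return procs

def parse_connscan(text):
    """Return (pid, remote_ip, remote_port) for each connscan row."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0].startswith("0x"):
            ip, port = parts[2].rsplit(":", 1)
            conns.append((int(parts[3]), ip, int(port)))
    return conns

def nonbrowser_connections(procs, conns):
    """Flag connections whose owning process is not a known browser."""
    return [(pid, procs.get(pid, "<unknown>"), ip, port)
            for pid, ip, port in conns
            if procs.get(pid, "").lower() not in BROWSERS]

def suspicious_mutexes(text, prefix="_AVIRA_"):
    """Names from mutantscan matching the Zeus _AVIRA_ mutant pattern."""
    names = [line.split()[-1] for line in text.splitlines() if line.strip()]
    return [n for n in names if n.startswith(prefix)]
```

On the constructed rows this flags svchost.exe (PID 856) talking to 193.104.47.75:80 and the _AVIRA_2018 mutant, the same pair of indicators the walkthrough relies on.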