Memory Analysis Investigation Solution
This was another lab I did using the Blue Team Level 1 platform. This lab required me to use a couple of different skills to analyze the different activities that were going on in two memory dumps.
The first thing I did was turn the shell into a Bash shell by simply typing ‘bash’. This allowed me to use functionality such as [Tab] autocomplete, the up arrow to recall previous commands, and more.
The Instructions tab of the lab told me that: ‘vol.py is located in the root file system directory (/volatility/) - you should open a terminal in this location and call vol.py directly, providing the path to the memory dumps (/home/ubuntu/Desktop/Volatility Exercise/)’
Question 1 - memdump1.mem - Image identification 1 - In order to start a memory analysis with Volatility, the identification of the type of memory image is a mandatory step. Identify the suggested profile that you should use with that image (use the first one suggested by Volatility)
I used the command:
python vol.py -f /home/ubuntu/Desktop/Volatility\ Exercise/memdump1.mem imageinfo
Question 2 - memdump1.mem - Image identification 2 - How many processors are identified by Volatility?
I saw in the highlighted section that the host system had 1 processor.
Question 3 - memdump1.mem - Image identification 3 - Identify the address value of the KDBG (short for KDDEBUGGERDATA64) structure that will be used by plugins, such as pslist and modules
Looking at the line above the highlighted section in the screenshot from Question 2, I saw the KDBG address value.
Question 4 - Generic Question - Process list 1 - What is the plugin command used within Volatility to list the processes of a system?
‘pslist’ plugin.
Question 5 - Generic Question - Process list 2 - What is the plugin command used within Volatility to view the process listing in tree form?
‘pstree’ plugin.
Question 6 - memdump1.mem - Process list 3 - How many processes with the name "svchost.exe" are running in that system?
To achieve this, I used the ‘pslist’ plugin to list all processes that were running on the system at the time of the memory capture. Since I'm only interested in svchost.exe processes, I piped the Volatility output into grep and searched for lines containing svchost.exe, printing only these to the terminal. I used the command:
python vol.py -f /home/ubuntu/Desktop/Volatility\ Exercise/memdump1.mem --profile=Win7SP1x64 pslist | grep "svchost.exe"
I counted the number of svchost.exe occurrences and got my answer. Alternatively, I could pipe the grep output to word count (wc) using the lines flag (-l) to count the number of matching lines that grep has identified:
python vol.py -f /home/ubuntu/Desktop/Volatility\ Exercise/memdump1.mem --profile=Win7SP1x64 pslist | grep "svchost.exe" | wc -l
Question 7 - memdump1.mem - Process list 4 - One of the svchost processes is malicious. What is the PID of the strange svchost.exe process?
I used the ‘pstree’ plugin to show parent-child relationships between processes. I saw that the first svchost.exe process creates a cmd.exe child process, in which the ping command is used, because a ping.exe process is spawned beneath it. This is definitely unusual activity!
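The same two checks (counting svchost.exe instances and spotting a service host with abnormal lineage) can be done programmatically over saved pslist output. This is an added example, not code from the lab or from Volatility; the pslist table it parses is constructed to mimic Volatility 2's layout, and the PIDs in it are made up.

```python
from collections import defaultdict

# Constructed sample in Volatility 2 pslist layout, not output from the lab's dumps.
PSLIST_OUTPUT = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0xfffffa8000c9d040 System                    4      0     85      506 ------      0 2019-07-16 22:28:02 UTC+0000
0xfffffa80018c9060 services.exe            468    376      8      224      0      0 2019-07-16 22:28:03 UTC+0000
0xfffffa8001933b30 svchost.exe             592    468     10      359      0      0 2019-07-16 22:28:03 UTC+0000
0xfffffa8001961b30 svchost.exe             680    468      7      269      0      0 2019-07-16 22:28:03 UTC+0000
0xfffffa8001a12060 explorer.exe           1204   1176     21      764      1      0 2019-07-16 22:28:10 UTC+0000
0xfffffa8001b44060 svchost.exe            3012   1204      1       34      1      0 2019-07-16 22:31:42 UTC+0000
0xfffffa8001b8e060 cmd.exe                3040   3012      1       20      1      0 2019-07-16 22:31:43 UTC+0000
0xfffffa8001bd2b30 PING.EXE               3056   3040      1       18      1      0 2019-07-16 22:31:43 UTC+0000
"""

def parse_pslist(text):
    """Yield (name, pid, ppid) from pslist rows; data rows start with a hex offset."""
    for line in text.splitlines():
        cols = line.split()
        if len(cols) >= 4 and cols[0].startswith("0x"):
            yield cols[1], int(cols[2]), int(cols[3])

def count_process(procs, name):
    """Like 'pslist | grep name | wc -l', but matching the whole Name column only."""
    return sum(1 for n, _, _ in procs if n.lower() == name.lower())

def suspicious_svchost(procs):
    """Map PID -> reasons for svchost.exe entries whose lineage is abnormal."""
    procs = list(procs)
    name_of = {pid: name.lower() for name, pid, _ in procs}
    children = defaultdict(set)
    for name, pid, ppid in procs:
        children[ppid].add(name.lower())
    findings = {}
    for name, pid, ppid in procs:
        if name.lower() != "svchost.exe":
            continue
        reasons = []
        # Every legitimate svchost.exe on Windows 7 is started by services.exe.
        if name_of.get(ppid) != "services.exe":
            reasons.append(f"parent PID {ppid} is {name_of.get(ppid, 'unknown')}")
        # A service host spawning a shell is the pattern seen in the lab (cmd.exe -> ping).
        shells = sorted(children[pid] & {"cmd.exe", "powershell.exe"})
        if shells:
            reasons.append("spawned " + ", ".join(shells))
        if reasons:
            findings[pid] = reasons
    return findings
```

Note that grep also matches substrings such as a process named "svchost.exe.tmp", whereas the count above compares the whole Name column.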
Question 8 - memdump1.mem - Process list 5 - What is the command line of the process with PID 2352?
Using the ‘dlllist’ plugin and pointing Volatility at the specific PID using the ‘-p’ flag, I extracted the command-line arguments this process was using:
python vol.py -f /home/ubuntu/Desktop/Volatility\ Exercise/memdump1.mem --profile=Win7SP1x64 dlllist -p 2352
Question 9 - memdump2.mem - Network connections - This memory dump corresponds to a machine we suspect has been persistently infected by some type of malware. We need to identify the harmful IP related to the malware.
For this question, I used the ‘netscan’ plugin and looked for the presence of unusual Foreign Addresses (public IPs), especially those connected to unexpected processes:
python vol.py -f /home/ubuntu/Desktop/Volatility\ Exercise/memdump2.mem --profile=Win7SP1x64 netscan
Looking at the bottom line of the output, I saw that the process WINWORD.EXE (Microsoft Word) was communicating with the Foreign IP 65[.]111[.]166[.]58 on port 80 (HTTP). Based on knowledge of phishing attacks, this is very likely a malicious Word document macro downloading malicious software from the mentioned IP address over HTTP.
Question 10 - memdump2.mem - Process dump - Dump the process with PID 2940 and calculate the MD5 hash. Submit the first 5 characters
Using the ‘procdump’ plugin, providing the PID using -p and an output directory using -D (procdump refuses to run without one), I extracted the file. Then I used ‘md5sum’ on the dumped executable to get the MD5 hash value:
python vol.py -f /home/ubuntu/Desktop/Volatility\ Exercise/memdump2.mem --profile=Win7SP1x64 procdump -p 2940 -D .
Once again I recommend the Blue Team Level 1 certification to anyone looking to gain skills in cyber security!