Hunting malware through memory analysis
A word of warning… Lots of screenshots in this post.
Update 10/05/2015: I’ve updated the article with more information about some of the commands used in order to help out people who aren’t familiar with Volatility.
When hunting a piece of malware it can be very interesting to have a poke through the memory of an infected system. By obtaining a snapshot of the memory (RAM) of a running, infected system you can discover a whole host of interesting information.
There are a few ways to obtain a memory dump. I already had one generated by Cuckoo of the VirtualBox VM when I ran the automated analysis of this particular malware, but you may also be able to generate a memory dump of a running physical machine.
Once you have a memory image, the Volatility Framework is very, very useful to analyse the memory of the machine.
So from monitoring the network and gaining a packet capture from the test machine, we know that it was trying to contact a domain. Although the domain is no longer valid by the time I got to analyse this malware, we still might be able to learn something.
YARA is a much, much more powerful than what I use it for in this article, but the yarascan module in Volatility is great to perform pattern matching – even if it’s a simple string – so we can use
yarascan to perform a search for the URL and see if it turns up in memory somewhere:
Here we can see that the URL exists once in
svchost.exe and numerous times in
To get an idea of what was happening on the system we can pull out a list of processes that where running at the time. There are several commands to list processes – pslist / pstree, psscan and psxview (Which can help you to locate hidden processes).
All do slightly different things, so check your Volatility documentation for further explanation.
In this instance I have used the
Nothing immediately suspicious there though – apart from cmd.exe, which has exited and there isn’t much we can see about what it was doing.
We can search for network connections in the memory image. This is possible with plugins builtin to Volatility. You can use one of these commands, depending on your memory image:
Windows 7 / Vista / Server 2008:
Further information may be found under the Networking section of Volatility’s command reference.
Unfortunately due to the malware domain no longer being valid we don’t see much of interest.
However scanning for open network sockets reveals that
explorer.exe has opened up some listening sockets at around the same time the malware was executed:
Volatility has a great plugin called malfind, which will search for injected code in user memory based on characteristics such as VAD tag and page permissions.
explorer.exe and see if anything shows up:
Interesting. Looks like we may have some PE code (note the
MZ magic number of a PE header) which has been injected into
Using malfind we can extract and dump that PE file to disk for further analysis. Throwing the extract at VirusTotal suggests that we have a sample of the Rovnix Banking Trojan.
Anyway, now that we have a copy of the unpacked / injected malware we may be able to find out some more interesting info about the nature of the malware. Extracting the strings can be a good way to do this.
You can use the
strings command in linux to find printable strings within a binary file.
First thing I notice in the extracted strings is there are references to several virtualisation technologies – This is generally used by malware to employ evasion techniques and execute differently (or not execute at all) if they detect that they are being studied inside a VM:
Within the malware is plenty of references to Internet-related activities, including references to popular web browsers.
During analysis of this particular piece of malware you will probably notice a batch script is created during execution. We can actually see the contents of the batch file in the extracted executable here:
At this stage we’re just looking at the extracted executable. We may be able to discover more by dumping and examining all the VAD (Virtual Address Descriptor) code segments of the infected process.
The vaddump plugin in Volatility can do this.
Again looking through the strings, looks like we may have a list of the possible C2 domains (You can see
dialerrorbodyorig.org in there as well):
We can also see in here a prepared HTTP request – perhaps this is what we would see in our network traffic if the domain was valid?
To test this theory, I created an entry on the local DNS server to respond to that address with an IP Address to simulate a valid response. Sure enough, a GET request is made to the specified IP address.
Note that the parameters may be different, as this is another execution of the malware and chances are some of the parameters and filenames are randomised.
Quite often malware will gain persistence by installing itself as a startup item. Usually these entries are easy to spot by eye as they use randomised file names.
We can extract the memory locations of the registry hives then use those to open the start keys and see if there is anything there.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run key reveals that we have an entry containing the malware:
Running filescan shows that it was recently open, though looks like there are no open file handles which may mean the file has already been closed:
In this case the malware may execute, unpack itself and inject into explorer.exe then terminate.
One last thing, according to searches of Rovnix it contains key logging capabilities, we can use Volatility to search for indicators of keyloggers on the system by searching for message hooks which probably shouldn’t be there.
messagehooks plugin to scan for hooks that shouldn’t be there.
explorer.exe may be intercepting all keyboard messages:
That’s all for now, though there is much more that can be achieved through memory analysis. At least having extracted the unpacked DLL from memory allows us to further analyse and disassemble the DLL.
As usual, feel free to contact me with any feedback.