Malware on an infected computer may be able to hide in the file system, but it cannot hide in memory because, at some point, it has to run. This is why memory analysis of a potentially infected system is paramount in determining the malware's behavior on that system: in memory it cannot hide from the trained investigator. Memory, or Random Access Memory (RAM), contains information not found in the file system.
In this article, we will dive into analyzing the memory of an infected Windows 7 SP1 system using a tool named Volatility, one of the world's most popular memory forensics tools. Our objective is to discover the processes used by the Alina malware. Alina belongs to the family of RAM scraper malware. It is designed to steal sensitive information by "scraping" memory for credit card numbers, Social Insurance Numbers and other sensitive data. Years ago, when a dead-box analysis was sufficient for digital forensics, memory was one of the most overlooked components of a system. Nowadays, an investigation is not complete without analyzing the memory.
This article assumes you know how to acquire a memory image from a Windows 7 system and have Volatility running on the system you are conducting the investigation from. I prefer to conduct my memory analysis on the SANS Incident Response Toolkit (SIFT). It comes with Volatility preinstalled along with a host of other forensic-related tools.
Now let’s get to analyzing ….
Volatility has a plugin named pslist which lists all the processes that were running at the time of the acquisition. It walks the EPROCESS structures, which contain metadata about each process.
1. We use the pslist plugin to look for any unusual processes. I recommend looking for processes with unusual names, processes without a parent process, and the time each process started.
2. There is a process named java.exe which is of interest. Its parent process is not listed and the process appears to have started at boot time. We will focus our investigation on this process.
Tip: The fact that a process does not have its parent process listed does not necessarily mean it is malicious. But it is definitely worth investigating.
Tip: Another criterion to use is a process which contains the same startup time as normal Windows startup processes. Again, it may not be malicious but it should be looked into.
3. The dlllist plugin lists which DLLs are loaded by a particular process. We will use it to further explore the java.exe process.
There is a suspicious entry. Java.exe is running out of the AppData folder. This is not a complete indication that it is malware, but it is suspicious: when installed by default, java.exe is located under C:\Program Files.
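The two triage heuristics from steps 1 to 3 (a parent PID that is absent from pslist, a start time that matches the boot-time processes, and an image path in a user-writable folder) can be scripted over saved Volatility output. The following is an added example, not code from the article or from the Volatility project; the pslist and dlllist text it parses is constructed for the demo (offsets, PIDs, user name and timestamps are invented), and the Volatility 2 column layout is the assumption it is written against.

```python
"""Triage heuristics over Volatility 2 `pslist` and `dlllist` text output.

Added example, not code from the article or the Volatility project.
Input is whatever you saved from `vol.py ... pslist` and
`vol.py ... dlllist -p <pid>`; the samples below are constructed.
"""
import re

# Constructed pslist output. csrss, winlogon and explorer have absent parents
# on a real Win7 box too (smss and userinit exit after spawning them), which is
# why "no parent" alone is a lead and not a verdict.
PSLIST_SAMPLE = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa8000ca8040 System                    4      0     80      512 ------      0 2018-01-15 08:30:01 UTC+0000
0xfffffa8001a2e060 smss.exe                264      4      2       29 ------      0 2018-01-15 08:30:01 UTC+0000
0xfffffa8001c0f540 csrss.exe               348    336      9      436      0      0 2018-01-15 08:30:02 UTC+0000
0xfffffa8001d4e9e0 winlogon.exe            424    376      3      113      1      0 2018-01-15 08:30:02 UTC+0000
0xfffffa8001e12b30 explorer.exe           1504   1480     31      820      1      0 2018-01-15 08:31:10 UTC+0000
0xfffffa8001f77060 java.exe               2248   2100      3       72      1      1 2018-01-15 08:30:02 UTC+0000
0xfffffa8002033b30 notepad.exe            2876   1504      1       60      1      0 2018-01-15 09:02:44 UTC+0000
"""

PSLIST_RE = re.compile(
    r"^0x[0-9a-fA-F]+\s+(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+"
    r"\S+\s+\S+\s+\S+\s+(?P<wow64>\d)\s+"
    r"(?P<start>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")

# Processes that legitimately start with the OS; their start times define
# the "boot window" the article's second tip talks about.
BOOT_PROCESSES = {"System", "smss.exe", "csrss.exe", "wininit.exe",
                  "winlogon.exe", "services.exe", "lsass.exe"}


def parse_pslist(text):
    """Return {pid: {name, ppid, start, wow64}} from pslist text."""
    procs = {}
    for line in text.splitlines():
        m = PSLIST_RE.match(line)
        if m:
            procs[int(m["pid"])] = {"name": m["name"], "ppid": int(m["ppid"]),
                                     "start": m["start"], "wow64": m["wow64"] == "1"}
    return procs


def triage_pslist(procs):
    """Return {pid: [reasons]} for processes worth a closer look."""
    boot_times = {p["start"] for p in procs.values() if p["name"] in BOOT_PROCESSES}
    findings = {}
    for pid, p in procs.items():
        reasons = []
        if pid != 4 and p["ppid"] not in procs:        # System (PID 4) has no parent by design
            reasons.append("parent PID %d not in pslist" % p["ppid"])
        if p["name"] not in BOOT_PROCESSES and p["start"] in boot_times:
            reasons.append("started at boot time " + p["start"])
        if reasons:
            findings[pid] = reasons
    return findings


# Constructed dlllist header for the suspicious process (user name invented).
DLLLIST_SAMPLE = r"""
java.exe pid:   2248
Command line : "C:\Users\alice\AppData\Roaming\java.exe"

Base                             Size          LoadCount Path
------------------ ------------------ ------------------ ----
0x0000000000400000            0x1f000             0xffff C:\Users\alice\AppData\Roaming\java.exe
0x0000000077ab0000           0x1a9000             0xffff C:\Windows\SYSTEM32\ntdll.dll
"""

# Where the binary is expected when installed normally (assumption for the demo).
EXPECTED_DIRS = {"java.exe": ("c:\\program files\\java\\", "c:\\program files (x86)\\java\\")}
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\temp\\", "\\programdata\\")


def check_image_path(dlllist_text):
    """Flag an image running from a user-writable or unexpected directory."""
    m = re.search(r'Command line\s*:\s*"?([^"\r\n]+?)"?\s*$', dlllist_text, re.MULTILINE)
    if not m:
        return None
    path = m.group(1).strip().lower()
    exe = path.rsplit("\\", 1)[-1]
    expected = EXPECTED_DIRS.get(exe)
    return {"path": path,
            "user_writable": any(marker in path for marker in USER_WRITABLE),
            "outside_expected": expected is not None and not path.startswith(expected)}


if __name__ == "__main__":
    procs = parse_pslist(PSLIST_SAMPLE)
    for pid, reasons in sorted(triage_pslist(procs).items()):
        print(f"PID {pid:5d} {procs[pid]['name']:<14} " + "; ".join(reasons))
    print(check_image_path(DLLLIST_SAMPLE))
```

Run it against your own saved output by replacing the two sample strings with the file contents; java.exe is the only process in the sample that trips both pslist heuristics, while csrss, winlogon and explorer show why the orphan check alone is not enough.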
4. Malware often uses registry keys to maintain persistence. Alina is no different. Volatility has a plugin named printkey which examines registry keys. We need to decide which keys to look at. The following are a good place to start:
We see that the java.exe process is set to run on startup. This process becomes even more suspicious.
5. It is a good idea to extract the DLLs for further examination. They give an investigator details on what the software is doing, either through reverse engineering or by uploading the DLL to an online malware analysis service like VirusTotal. Volatility has a plugin named dlldump for this:
./vol.py -f /path/to/memory.img --profile=Win7SP1x64 dlldump -p <pid number> --dump-dir /tmp
We can upload the dumped file to online malware analysis tools like VirusTotal to determine if there is already information on this malicious file.
6. Next, we will look for any suspicious network connections by using the netscan plugin. It displays the local and remote addresses and ports, along with the process that owns the connection. This is a very useful plugin for determining whether a piece of malware is making an outbound connection and to what destination.
Searching malicious-IP threat intelligence websites shows that the remote IP is known to host Windows exploits and is rated high risk. The connection to this IP originates from the java.exe process we detected earlier. This is highly unusual.
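Step 6 can be scripted the same way: parse the netscan output, keep only connections whose remote endpoint is outside the local network, and cross-reference those remote addresses with whatever threat-intelligence list you hold. The block below is an added example and not code from the article or from Volatility; the netscan text, the TEST-NET addresses and the one-entry threat-intel dictionary are all constructed for the demo, and the Volatility 2 netscan column layout is assumed.

```python
"""Triage of Volatility 2 `netscan` output against a threat-intel list.

Added example, not from the original article or the Volatility project.
The netscan text, addresses (RFC 5737 documentation ranges) and the
threat-intel entries are constructed; nothing here comes from a real feed.
"""
import ipaddress
import re

NETSCAN_SAMPLE = """\
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x7d6b3010         TCPv4    0.0.0.0:49155                  0.0.0.0:0            LISTENING        496      lsass.exe
0x7d7a4c20         TCPv4    192.168.1.20:49201             192.168.1.10:445     ESTABLISHED      4        System         2018-01-15 08:31:07 UTC+0000
0x7d8f2a00         TCPv4    192.168.1.20:49212             203.0.113.45:443     ESTABLISHED      2248     java.exe       2018-01-15 08:30:05 UTC+0000
0x7db11c10         UDPv4    0.0.0.0:5355                   *:*                                   1028     svchost.exe    2018-01-15 08:30:03 UTC+0000
0x7dc42f80         TCPv4    192.168.1.20:49230             198.51.100.7:80      CLOSED           1504     explorer.exe   2018-01-15 08:35:12 UTC+0000
"""

# Explicit list instead of ipaddress.is_private, because the documentation
# ranges used in the sample are themselves marked "private" by Python.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/32", "::/128", "::1/128", "fe80::/10")]

# Constructed threat-intel feed: maps a remote IP to the verdict a lookup returned.
THREAT_INTEL = {"203.0.113.45": "constructed entry: listed as high risk, hosts Windows exploits"}

LINE_RE = re.compile(
    r"^0x[0-9a-fA-F]+\s+(?P<proto>TCPv[46]|UDPv[46])\s+(?P<local>\S+)\s+(?P<foreign>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s+(?P<owner>\S+)")


def is_internal(ip_text):
    """True for RFC1918, loopback, link-local, unspecified or unparsable ('*') addresses."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True
    return any(ip in net for net in INTERNAL_NETS)


def parse_netscan(text):
    """Return one dict per netscan row; UDP rows carry state=None."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host, port = m["foreign"].rsplit(":", 1)
        rows.append({"proto": m["proto"], "local": m["local"], "state": m["state"],
                     "foreign_ip": host.strip("[]"), "foreign_port": port,
                     "pid": int(m["pid"]), "owner": m["owner"]})
    return rows


def external_connections(rows):
    """TCP rows whose remote endpoint lies outside the local network (any state but LISTENING)."""
    return [r for r in rows
            if r["proto"].startswith("TCP") and r["state"] != "LISTENING"
            and not is_internal(r["foreign_ip"])]


def cross_reference(rows, intel=THREAT_INTEL):
    """Attach the intel verdict (or None) to every external connection, keyed by owning process."""
    return [{"pid": r["pid"], "owner": r["owner"], "state": r["state"],
             "remote": f"{r['foreign_ip']}:{r['foreign_port']}",
             "intel": intel.get(r["foreign_ip"])}
            for r in external_connections(rows)]


if __name__ == "__main__":
    for hit in cross_reference(parse_netscan(NETSCAN_SAMPLE)):
        flag = "!!" if hit["intel"] else "  "
        print(f"{flag} PID {hit['pid']:5d} {hit['owner']:<14} {hit['remote']:<22} {hit['state']:<12} {hit['intel'] or ''}")
```

Feed it the saved netscan text and your own indicator list; the explorer.exe row shows that external connections without an intel hit are still reported so they can be reviewed, while the java.exe row is the one that both leaves the network and matches the feed.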
Our analysis has uncovered a number of unusual artifacts.
- The java.exe process is running from a user's AppData directory
- The java.exe process is configured to run on startup
- The java.exe process is initiating communication with a well-known malicious IP address.
We can cross-reference this information with Alina malware analysis reports from reputable organizations such as Trustwave, which has published a deep analysis of the Alina RAM scraper. Our artifacts match the characteristics described there: the process name Alina uses, the location it installs the process to, and the IP addresses it exfiltrates data to.
I hope you can see how important memory is when conducting a digital forensics investigation. There is a wealth of information in memory. Volatility is a mature memory analysis tool which provides an investigator the necessary tools needed to analyze processes, network connections, registry keys and a number of other areas in memory. We only scratched the surface on Volatility’s capabilities. Stay tuned for more articles on conducting memory analysis using Volatility.
I hope you enjoyed the article. Do you have any experience with conducting memory analysis using Volatility? If so, please leave a comment and share your experiences. I would love to read them.