Malware Analysis Series Part 3: Memory Malware Analysis

June 25, 2020

Introduction

Malware attacks are a nightmare for every modern organization. We all for sure heard about Advanced persistent Threats (APT) but there is another stealthier attack vector that appeared lately called Advanced Volatile Threats (AVT) which uses Fileless Malware to attack the targets.

Fileless malware is a variant of computer related malicious software that exists exclusively as a computer memory-based artifact i.e. in RAM.

In the previous parts (Part 1 and Part 2), we already explored how to perform static and dynamic analysis. In this final part, we are going to learn how to perform memory malware analysis.

This article will discuss the following points:

  • Memory analysis
  • What is a memory?
  • Memory Management
  • Memory analysis steps
  • Memory Acquisition
  • Memory Analysis with Volatility

Memory analysis

Memory analysis is widely used in digital investigation and malware analysis. It refers to the act of analyzing a dumped memory image from a targeted machine after executing the malware to obtain multiple numbers of artifacts including:

  • Process list and the associated threads
  • Networking information and interfaces (TCP/UDP)
  • Kernel modules including the hidden ones
  • Bash and commands history
  • System Calls
  • Kernel hooks and so on

This phase is very important because it is always a good idea to have a clearer understanding of the malware capabilities.

Before diving into the analysis techniques, let’s explore some important terminologies.

What is a memory?
When you study computer architecture, you will find that memory is a vital component in computing. Usually, as a high view, computers are composed by these main components:

  • Central Processing Unit (CPU)
  • Memory
  • Input/output Controllers

Memory is used to store information. The storage operation can be permanent or temporary. In memory analysis, generally we are dealing with Random Access Memories (RAMs). By definition:

“Random-access memory is a form of computer memory that can be read and changed in any order, typically used to store working data and machine code. A random-access memory device allows data items to be read or written in almost the same amount of time irrespective of the physical location of data inside the memory.”

Memory Management

The memory is divided into 4,096-byte memory chunks named pages, to facilitate internal handling. The 12 least significant bits are the offset; the rest is the page number. On the recent x86 architecture, For example, the Linux kernel divides the virtual space, usually 4 GB into 3 GB dedicated to UserLand, and 1 GB for kernel land. This operation is named segmentation. The kernel uses a page table for the correspondence between physical and virtual addresses. To manage the different regions of memory, it uses a virtual memory area (VMA)

The stack is a special memory space. In programming, it is an abstract data type used to collect elements using two operations: push and pop. This section grows automatically, but when it becomes closer to another memory section, it will cause a problem and confusion to the system. That is why attackers are using this technique to confuse the system with other memory areas.

The heap is used for dynamic memory allocation. It resides in the RAM like the stack, but it is slower. The kernel heap is using the following three types of allocators:

  • SLAB: This is a cache-friendly allocator.
  • A simple list of blocks (SLOB): This is an allocator used in small systems. It uses a first-fit algorithm.
  • SLUB: It is the default Linux allocator.

Memory analysis steps  

To perform memory analysis, usually we go through 2 major steps:

  1. Memory Acquisition
  2. Memory Analysis

Memory Acquisition  

Memory acquisition is the operation of carefully dumping all content of RAM and storing it into a storage device. You can use many powerful tools in order to achieve that such as:

  • FTK Imager (for Windows)
  • The Linux Memory Extractor

For example if you want to extract a memory dump with FTK imager. Go to “File” -> Capture Memory:

In many cases, let’s suppose that you only need some dumps for educational purposes and you don’t have time to dump memory and so on. You can download many memory dumps from here:

Memory Analysis with Volatility

After acquiring a memory dump, it is time to analyze it. To do so you can use a powerful memory analysis tool called “Volatility Framework”. According to the volatility

Foundation:

“The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independent of the system being investigated but offer visibility into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and provide a platform for further work into this exciting area of research.”

The framework supports different operating systems including: Windows, Linux, and MacOS.

For example to install it on your Ubuntu 18.04 machine, you need to simply clone it from its official Github repository:

git clone https://github.com/volatilityfoundation/volatility.git

Enter the project folder:

cd volatility

And install it:

sudo python setup.py install

Congratulations! You installed Volatility successfully:

Now let’s explore some Volatility command by analyzing a memory dump from an infected host by Cridex malware.

Dridex also known as Bugat and Cridex is a form of malware that specializes in stealing bank credentials via a system that utilizes macros from Microsoft Word.

Download the memory dump using wget utility:

wget http://files.sempersecurus.org/dumps/cridex_memdump.zip

Unzip the zip file:

Unzip cridex_memdump.zip

First, let’s get information about the dump by typing:

python vol.py -f cridex.vmem imageinfo

It seems like the targeted OS was Windows XP

List a high overview of running processes:

python vol.py -f cridex.vmem pslist

List  the hidden or terminated processes

python vol.py -f cridex.vmem psscan

Display the processes as Parent and child tree:

python vol.py -f cridex.vmem pstree

Show DLLs:

python vol.py -f cridex.vmem dlllist

Show command line arguments:


pythonvol.py -f cridex.vmem cmdline


Display SIDs:

python vol.py -f cridex.vmem getsids

Extract IE cache history

python vol.py -f cridex.vmem ie history

Get networking information

python vol.py -f cridex.vmem connscan

Show loaded Kernel modules

python vol.py -f cridex.vmem modules

To explore more Volatility command, i highly recommend you to check this cheat sheet: VolatilityCheatsheet

Summary

In this final part, we learned some memory analysis fundamentals and how to perform it using the Volatility framework.

References and Credit

Authored by

Chiheb Chebbi