Malware attacks are a nightmare for every modern organization. We all for sure heard about Advanced persistent Threats (APT) but there is another stealthier attack vector that appeared lately called Advanced Volatile Threats (AVT) which uses Fileless Malware to attack the targets.
Fileless malware is a variant of computer related malicious software that exists exclusively as a computer memory-based artifact i.e. in RAM.
This article will discuss the following points:
Memory analysis is widely used in digital investigation and malware analysis. It refers to the act of analyzing a dumped memory image from a targeted machine after executing the malware to obtain multiple numbers of artifacts including:
This phase is very important because it is always a good idea to have a clearer understanding of the malware capabilities.
Before diving into the analysis techniques, let’s explore some important terminologies.
What is a memory?
When you study computer architecture, you will find that memory is a vital component in computing. Usually, as a high view, computers are composed by these main components:
Memory is used to store information. The storage operation can be permanent or temporary. In memory analysis, generally we are dealing with Random Access Memories (RAMs). By definition:
“Random-access memory is a form of computer memory that can be read and changed in any order, typically used to store working data and machine code. A random-access memory device allows data items to be read or written in almost the same amount of time irrespective of the physical location of data inside the memory.”
The memory is divided into 4,096-byte memory chunks named pages, to facilitate internal handling. The 12 least significant bits are the offset; the rest is the page number. On the recent x86 architecture, For example, the Linux kernel divides the virtual space, usually 4 GB into 3 GB dedicated to UserLand, and 1 GB for kernel land. This operation is named segmentation. The kernel uses a page table for the correspondence between physical and virtual addresses. To manage the different regions of memory, it uses a virtual memory area (VMA)
The stack is a special memory space. In programming, it is an abstract data type used to collect elements using two operations: push and pop. This section grows automatically, but when it becomes closer to another memory section, it will cause a problem and confusion to the system. That is why attackers are using this technique to confuse the system with other memory areas.
The heap is used for dynamic memory allocation. It resides in the RAM like the stack, but it is slower. The kernel heap is using the following three types of allocators:
Memory analysis steps
To perform memory analysis, usually we go through 2 major steps:
Memory acquisition is the operation of carefully dumping all content of RAM and storing it into a storage device. You can use many powerful tools in order to achieve that such as:
For example if you want to extract a memory dump with FTK imager. Go to “File” -> Capture Memory:
In many cases, let’s suppose that you only need some dumps for educational purposes and you don’t have time to dump memory and so on. You can download many memory dumps from here:
Memory Analysis with Volatility
After acquiring a memory dump, it is time to analyze it. To do so you can use a powerful memory analysis tool called “Volatility Framework”. According to the volatility
“The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independent of the system being investigated but offer visibility into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and provide a platform for further work into this exciting area of research.”
The framework supports different operating systems including: Windows, Linux, and MacOS.
For example to install it on your Ubuntu 18.04 machine, you need to simply clone it from its official Github repository:
git clone https://github.com/volatilityfoundation/volatility.git
Enter the project folder:
And install it:
sudo python setup.py install
Congratulations! You installed Volatility successfully:
Now let’s explore some Volatility command by analyzing a memory dump from an infected host by Cridex malware.
Dridex also known as Bugat and Cridex is a form of malware that specializes in stealing bank credentials via a system that utilizes macros from Microsoft Word.
Download the memory dump using wget utility:
Unzip the zip file:
First, let’s get information about the dump by typing:
python vol.py -f cridex.vmem imageinfo
It seems like the targeted OS was Windows XP
List a high overview of running processes:
python vol.py -f cridex.vmem pslist
List the hidden or terminated processes
python vol.py -f cridex.vmem psscan
Display the processes as Parent and child tree:
python vol.py -f cridex.vmem pstree
python vol.py -f cridex.vmem dlllist
Show command line arguments:
pythonvol.py -f cridex.vmem cmdline
python vol.py -f cridex.vmem getsids
Extract IE cache history
python vol.py -f cridex.vmem ie history
Get networking information
python vol.py -f cridex.vmem connscan
Show loaded Kernel modules
python vol.py -f cridex.vmem modules
To explore more Volatility command, i highly recommend you to check this cheat sheet: VolatilityCheatsheet
In this final part, we learned some memory analysis fundamentals and how to perform it using the Volatility framework.
References and Credit