PV204 Security technologies
In-Memory Malware Analysis
•Václav Lorenc
•Principal Security Engineer, Here Technologies
2 | PV204 In-Memory Malware Analysis

https://xkcd.com/1328/
What’s the real cause of all the security issues on laptops and desktops? This one.

Agenda
•Motivation!
–No x86 assembly required
–No malware (de)obfuscation magic
•How does an OS look “inside”?
–Processes and other data structures
–How the memory is organized
•Common tools used for analysis
•Searching for system “oddities”
–What are the important system indicators?
•Real samples discussed and analyzed! (Labs)

Why memory analysis?
•It’s fun!
•Acquiring evidence for legal investigations
–It used to be different in the past
•Technical simplification of reverse engineering
–No binary obfuscation present – the code has to run
•Incident response activities
–Easy way to learn more about the attackers
–Malicious binary may only be present in memory
–Fast: RAM is (usually) smaller than full hard-drive images

https://xkcd.com/1353/
Or you could consider Spectre, which (in 2021) still has some related techniques and attacks and hasn’t been fully mitigated yet.

Can anybody guess what this stuff is for? It’s actually used for transportation of desktops/servers from their original location to a forensic lab somewhere else, without any power interruption, so that it can preserve the RAM content.

Challenges in Reverse Engineering (RE)
•Assembly language (for multiple platforms)
–Along with undocumented instructions (or behavior)
•Anti-debugging tricks
–Exceptions, interrupts, PE manipulations, time checking, ...
•Anti-VM tricks
–Uncommon behavior of known instructions
–Registry detections, HW detections
•Code obfuscation/packing
–The most challenging to overcome, mostly

PE File Format

MEMORY ANALYSIS
•‘cause reverse engineering ninjas are busy

x86/x64 Memory organization
•Physical memory
–RAM; what we really have installed
•Virtual memory
–Separation of logical process memory from the physical
–Logical address space > physical (e.g., swap)
–Address space shared by several processes, yet separated
•Paging vs. Segmentation
–Possible memory organization approaches

Windows 32 bit address spaces
Win32 Address Space

Linux 32 bit address spaces
Linux Address Space
https://minnie.tuhs.org/CompArch/Lectures/week06.html
In other words, various processes are sharing the physical memory.

https://xkcd.com/138/

Operating System Data Structures
•How does the OS know about processes, files, …?
–A lot of ‘metadata’ for important data
–Based on C/C++ data structures (see MSDN documentation)
•(Double-)linked list
–Another common data structure (not only in OS)
–Method for implementing lists in computer memory
•Direct Kernel Object Manipulation (DKOM)
–Used for manipulating the structures to hide malicious stuff

Double Linked Lists
http://www.catch22.net/img/editor1712.gif

DKOM – Direct Kernel Object Manipulation
•Dozens of various (double-)linked lists in Windows
–Maintained by kernel
–Processes, threads, opened files, memory allocations, …
•DKOM is used by rootkits
–Hiding from the sight of the user
•Rootkit paradox
–Rootkits need to run on the system
–… and need to remain hidden at the same time
•Memory analysis can help to discover DKOM
–Anti-analysis techniques are known as well
http://www.blackhat.com/presentations/bh-usa-04/bh-us-04-butler/bh-us-04-butler.pdf
http://cfile3.uf.tistory.com/image/1216E3284C2755D7038CB7

Windows Process Structures

Interesting OS Structures
•Suspicious Memory Pages
•Processes
•Threads
•Sockets (Connections)
•Handles (Files)
•Recently executed binaries
•Modules/Libraries
•Mutexes
•LSA (Local Security Authority)
•Registry
•Files
•Caches
•…

Memory Pages
•Various ‘flags’
–Read/write/executable pages
–Helping OS to organize memory efficiently
•Executable + Writable pages
–Why is it bad?
•Process Injection Technique(s)
–Allocating memory that can be modified (unpacked, decoded, decrypted) and executed.
–Used by legitimate processes too (Windows OLE)

DLL/Process Injection
http://1.bp.blogspot.com/-NQx0mo7wOnw/UOr00ZmbtXI/AAAAAAAABag/oGjHH1YlttM/s1600/DLL%2BInjection-Functions.png
So that Internet Explorer behaves like a malicious process…
https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process

AND NOW SOMETHING COMPLETELY…
•PRACTICAL

https://xkcd.com/1197/
The joke is from 2013, but it’s still pretty good and accurate, I am afraid. There’s no extra meaning of this joke right here, it’s just to give you a short break and relax a bit.

MEMORY ACQUISITION
•Phase #1

Memory (re)sources
•Live RAM
–The most common source for analysis
–Easier to obtain from virtualized hosts
•Paging file/Swap
–Used by operating systems to allocate more memory than available RAM
•Hibernation file
•Memory crash dumps
–Limited analysis options

Acquisition decision tree (figure): the questions VM?, Running?, Got root? and Remote access? lead to the options Memory Dump / Snapshot / Clone; Hibernation File / Page File (Swap) / Crash Dumps; Dumping locally; Cost / Benefits and Tool Footprint; and FireWire / PCI Probes.

Memory Acquisition
•Virtual Machines
–VMWare, VirtualBox, …
–VirtualBox --dbg --startvm “MalwareVM” (and .pgmphystofile command or vboxmanage debugvm)
•Directly from the system!
(if we have permissions to do that)
–windd, fastdump, dumpit, Memoryze, winpmem
–Or we can hibernate the system (hiberfil.sys)
•Remotely
–EnCase Enterprise, Mandiant Intelligent Response, AccessData FTK
•Common issues
–Unsupported OS (Linux, MacOS; 32bit/64bit)
–Swap (portions of memory on drive)
–Malware not running inside a virtual machine

Memory Acquisition (2)
•Local memory acquisition notes
–Unless you have plenty of money, try to get root/admin access to the host
–Better to acquire to external storage (USB, network)
–The lower the tool’s memory footprint, the better
–If you run malware in a VM, better have less RAM
•Faster analysis
•… and configure no swap for the system too
•However: malware can check for the available memory

Memory Acquisition (3)
•Remote memory acquisition
–Very useful for fast Incident Response
–Requires enterprise licenses for the commercial tools
–Acquisition is done over network
–Agents already in memory, no extra memory demands
–Modern EDR/XDR solutions support this too
•Open-source alternative?
–GRR (Google Rapid Response)
•Still in development, primarily an Incident Response tool
•Allows remote memory acquisition

MEMORY ANALYSIS
•Phase #2

Memory Analysis Tools
•FireEye Redline
–Free, available for Windows
•HBGary/GoSecure Responder Pro
–Community Edition used to be available
•Volatility Framework
–Open source, no GUI

FireEye Redline
•Free tool for Incident Response
–Not open-source, though
–.NET executable (runs only under Windows)
–Supports OS X and Linux artifacts too
•Nice and simple user interface
–Very nice analysis workflow
–Perfect for searching for string information
–Rates the level of suspiciousness over processes
•Sad things
–Memory analysis not reliable, process rating as well
Support for OS X and Linux memory artifacts was added in 2020, so it’s rather new.

Redline: Start
Redline: Timeline
Redline: Time Wrinkles

HBGary Responder (Pro/CE)
•Professional Tool
–Very expensive
–Yet not very well maintained in the last few years
•Windows only
–.NET written, supports only Windows images
•‘Killer’ features
–Digital DNA
•automatic rating of suspicious processes
–Visual ‘Canvas’ debugger
•Supports the analysis of (unpacked) binaries
•Replaced with CounterTack Responder Pro

HBGary Responder Pro -- DDNA
•Examples of the ‘reasoning’ behind DDNA
–Does the process communicate over TCP/IP?
–Does it manipulate the registry?
–Did the analysis reveal any known bad stuff (strings, IPs, mutexes)?
–Does the process access any other process in the system?
–Does it access some system-critical process?
–Did the analysis find any evidence of obfuscation?
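Two of the DDNA questions above (does the process hide, does it touch memory it should not) come down to the mechanisms described on the DKOM and Memory Pages slides earlier: a process unlinked from the kernel’s process list, and private memory that is both writable and executable. The following is an added example, not code from the lecture or from Volatility: it builds an ActiveProcessLinks-style circular list on a constructed process table, unlinks one entry the way a DKOM rootkit would, and then finds it by comparing the list walk with a scan of all objects (the cross-view idea behind psxview); it also flags private RWX regions, the heuristic behind malfind. The class and function names, PIDs, process names and addresses are assumptions made for the example.

```python
"""Constructed model of two checks from the DKOM and Memory Pages slides.
Added example, not Volatility or lecture code; no real memory image is read and
every process, PID and address below is made up."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Page-protection constants as defined in winnt.h
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40


@dataclass
class Region:
    start: int
    size: int
    protection: int
    private: bool  # VirtualAlloc-style private memory, not a mapped image or file
    head: bytes    # first bytes of the region, as a scanner would read them


@dataclass
class Process:
    """Stand-in for the parts of EPROCESS that matter here (name, PID, list links)."""
    pid: int
    name: str
    regions: List[Region] = field(default_factory=list)
    flink: Optional["Process"] = None
    blink: Optional["Process"] = None


def link(procs: List[Process]) -> Process:
    """Chain the objects into a circular doubly-linked list like ActiveProcessLinks."""
    for a, b in zip(procs, procs[1:] + procs[:1]):
        a.flink, b.blink = b, a
    return procs[0]


def dkom_unlink(p: Process) -> None:
    """The DKOM trick: the neighbours are rewired to skip p, but the object itself
    stays in memory with its own pointers intact, so the process keeps running."""
    p.blink.flink = p.flink
    p.flink.blink = p.blink


def walk_list(head: Process) -> List[int]:
    """View 1: follow the list, which is what the OS API and pslist report."""
    pids, cur = [], head
    while True:
        pids.append(cur.pid)
        cur = cur.flink
        if cur is head:
            return pids


def scan_objects(all_objects: List[Process]) -> List[int]:
    """View 2: every process object present in memory regardless of links;
    psscan gets this by scanning for EPROCESS pool allocations."""
    return [p.pid for p in all_objects]


def cross_view(head: Process, all_objects: List[Process]) -> List[int]:
    """psxview-style check: in the scan but not in the list means hidden."""
    listed = set(walk_list(head))
    return sorted(pid for pid in scan_objects(all_objects) if pid not in listed)


def find_rwx_regions(proc: Process) -> List[Tuple[int, int, bool]]:
    """malfind-style heuristic: private memory that is writable and executable.
    Returns (pid, start, looks_like_pe). An injected DLL starts with 'MZ', raw
    code does not, so the PE check refines a hit but never replaces the
    protection check. Legitimate software (the slides mention Windows OLE)
    also allocates RWX memory, so each hit still needs an analyst's look."""
    hits = []
    for r in proc.regions:
        if r.private and r.protection == PAGE_EXECUTE_READWRITE:
            hits.append((proc.pid, r.start, r.head[:2] == b"MZ"))
    return hits


def build_sample() -> Tuple[Process, List[Process]]:
    """Constructed table: a DKOM-hidden process and a browser with injected memory."""
    system = Process(4, "System")
    explorer = Process(1464, "explorer.exe", regions=[
        Region(0x01000000, 0x100000, PAGE_EXECUTE_READ, False, b"MZ\x90\x00"),  # mapped image
    ])
    iexplore = Process(2004, "iexplore.exe", regions=[
        Region(0x00400000, 0x80000, PAGE_EXECUTE_READ, False, b"MZ\x90\x00"),       # mapped image
        Region(0x002a0000, 0x10000, PAGE_EXECUTE_READWRITE, True, b"MZ\x90\x00"),   # injected DLL
        Region(0x003b0000, 0x1000, PAGE_EXECUTE_READWRITE, True, b"\x55\x8b\xec"),  # injected code, no PE header
        Region(0x003c0000, 0x1000, PAGE_READWRITE, True, b"\x00\x00\x00\x00"),      # ordinary heap
    ])
    hidden = Process(3388, "svch0st.exe")
    procs = [system, explorer, iexplore, hidden]
    head = link(procs)
    dkom_unlink(hidden)
    return head, procs


if __name__ == "__main__":
    head, procs = build_sample()
    print("list walk:", walk_list(head))          # [4, 1464, 2004]
    print("scan     :", scan_objects(procs))      # [4, 1464, 2004, 3388]
    print("hidden   :", cross_view(head, procs))  # [3388]
    for p in procs:
        for pid, start, is_pe in find_rwx_regions(p):
            print(f"RWX private region: pid {pid} ({p.name}) at {start:#010x}, PE header: {is_pe}")
```

The two views are the whole point: the unlinked process is invisible to anything that follows the list (Task Manager, pslist), but its object is still in memory, so a scan still finds it. The region check is deliberately a heuristic; the page-protection test produces the candidate set and the PE-header test only annotates it.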
Obsolete and unavailable for a long time, but it had interesting features – and there’s a professional alternative already:
https://www.gosecure.net/responder-pro
https://cdn2.hubspot.net/hubfs/150964/CounterTack_DDNA_SCMagazine_030117-1.pdf?t=1495723489966&__hstc=&__hssc=&hsCtaTracking=18aabc2a-88fc-46f2-9de8-4de89e22de86%7Cb02adedf-d309-4687-870d-eee1b1675455

Responder Pro: DDNA
Responder Pro: Canvas

Volatility Framework
•Open-source tool
–GPL licensed
•Written in Python
–Available for a variety of platforms (Linux, Windows, Mac OS)
–Can be automated; many contributed plugins
•Supports analysis of memory dumps from various OSs
–Windows, Linux, MacOS, Android
–Both 32-bit and 64-bit versions
•Command-line driven
•Two (experimental) web GUIs

Google Rekall
•Another open source tool
•Supported by Google
–Included as a part of the GRR (Google Rapid Response) agent
•Originally based on the code of Volatility
–Shared commands
–Different architectural concepts
•Proof-of-concept GUI
–Better workflows
•Discontinued since 2020

Additional Important Tools
•Strings
–Both *nix and Windows
–Extracts strings information from the file
–Can be used in cooperation with Volatility/Rekall
–Beware of text encoding! (ascii, utf-8, …)
•Foremost
–Forensic tool
–Can extract various data files from an image (or process)
•Images, executables, documents, …

Forensic analysis of RAM?
•Are there any benefits?
•Collecting forensic evidence
–Executable images
–PDF/Doc documents
•Possible origin of the infection?
–Images
–URLs
•Getting an approximate timeline
–Works better on servers (always online, higher uptime, way more RAM)

What to search for in the Operating System?
•Command & Control (C2) communication
•Hidden processes
•Process/DLL injection evidence
•Non-standard/infamous binaries/mutexes
•Open sockets and files
•Registry records
•Command-line history
•Encryption keys!

Known Bad Mutexes
•Conficker: .*-7 and .*-99
•Sality.AA: Op1mutx9
•Flystud.??: Hacker.com.cn_MUTEX
•NetSky: 'D'r'o'p'p'e'd'S'k'y'N'e't'
•Sality.W: u_joker_v3.06
•Poison Ivy: )!VoqA.I4 (and 10 thousand others)
•Koobface: 35fsdfsdfgfd5339
http://hexacorn.com/examples/2014-12-24_santas_bag_of_mutants.txt

Known Good Processes/Locations
Process Name    Expected Path
lsass.exe       \windows\system32
services.exe    \windows\system32
csrss.exe       \windows\system32
explorer.exe    \windows
spoolsv.exe     \windows\system32
smss.exe        \windows\system32
svchost.exe     \windows\system32
iexplore.exe    \program files, \program files (x86)
winlogon.exe    \windows\system32

Operational Security (OpSec)
•Basics of OpSec
–“Think before you act” mentality
–Limited information sharing
•Specifics of memory analysis
–You can often upload acquired executables to VirusTotal
•MD5/SHA1 of the dump is different from the executable
•This doesn’t apply to documents/HTML pages!
–However, incomplete binaries still can infect your system!
•Running in a VM or other OS is recommended

Recommended Analysis Process
•Use the Internet! (Google, VirusTotal, …)
•Make notes!
–What OS is being analyzed? (imageinfo)
–Network connections? (+ whois records, …)
–Processes (hidden, odd, non-standard; timestamps, …)
–Mutexes (+ files open)
–Dump processes when needed (OpSec!)
–Strings (URIs, C-like strings %s %d, domains, …)
•Summarize your findings in a final report

More information
•Web pages of this course
–https://dior.ics.muni.cz/~valor/pv204
•Additional resources
–Public memory images for analysis
–Reverse Engineering for Beginners (amazing PDF doc)
–REMnux: All you need to start with RE
–ContagioDump blog (for additional malware samples)
–Malware Traffic Analysis (both traffic & samples)

ANSWERS & QUESTIONS
•Thank you for your attention.

LAB

Lab Requirements
•Oracle VM VirtualBox
–And enough space on your hard drive (12 GB at least)
•Volatility Framework
–Version 2 (version 3 is available in the VM too)
•Unix tools
–strings, foremost
•Your favorite text editor for notes
•Voluntary:
–Javascript/PDF analysis tools

Recommended Analysis Process
•Use the Internet! (Google, VirusTotal, …)
•Make notes!
–What OS is being analyzed?
–Network connections? (+ whois records, …)
–Processes (hidden, odd, non-standard; timestamps, …)
–Mutexes (+ files open)
–Strings (URIs, C-like strings %s %d, domains, …)
–…
•Summarize your findings in a final report

Volatility2 Framework – cheat sheet
•psxview (search for hidden processes)
•apihooks
•driverscan
•ssdt / driverirp / idt
•connections / connscan (WinXP, active network connections)
•netscan (Win7, opened network sockets and connections)
•pslist / psscan (process listing from WinAPI vs. EPROCESS blocks)
•malfind / ldrmodules (code injection + dump / DLL detection)
•hivelist (registry lookup and parsing) / hashdump
•handles / dlllist / filescan (file list / DLL files / FILE_OBJECT handles)
•cmdscan / consoles (cmd.exe history / console buffer)
•shimcache (application compatibility info)
•memdump / procmemdump / procexedump

Analysis: xp-infected.vmem
•Recommended tools
–Volatility, Rekall (or Redline)
•Objectives:
–Get familiar with the memory of your first infected system

Analysis: win7_x64.vmem
•Recommended tools
–Volatility, Rekall (or Redline)
•Objectives:
–Get familiar with the memory of a Win7 x64 system
–Can you see any differences from the previous sample?

Analysis: zeus.vmem
•Recommended tools
–Volatility, Rekall
•Objectives:
–Find suspicious network connections
–Find the process responsible for the network activity
–Can you figure out what infections this

Analysis: zeus2x4.vmem
•Recommended tools
–Volatility, Rekall
•Objectives:
–Find suspicious network connections
–Find the process responsible for the network activity
–Can you figure out what infections this
–Can you dump the virus configuration?

Analysis: bob.vmem
•Recommended tools
–Volatility, Rekall, Foremost, Strings
•Objectives:
–Find suspicious network connections
–Find the process responsible for the network activity
–Can you figure out what caused the infection?
–Can you dump the initial source vector?
–What known vulnerability (CVE) has been exploited?
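The “Recommended Analysis Process” together with the “Known Bad Mutexes”, “Known Good Processes/Locations” and strings-encoding slides amounts to a checklist that can be scripted once the plugin output is in hand. The following is an added example with constructed input, not the lecture’s or Volatility’s code: it normalises image paths the way pslist/dlllist report them (the \??\ prefix, drive letters and \SystemRoot), compares them with the expected-path table, matches mutex names against the slide’s patterns, and extracts both ASCII and UTF-16LE strings with their offsets, because Windows keeps paths, URLs and object names in UTF-16LE and a plain strings run without -el misses them. The function names, the sample process list, the mutex names and the memory bytes are assumptions made for the example, and the \SystemRoot to \windows mapping assumes a default installation.

```python
"""Constructed triage checks for three indicators from the slides: expected
process locations, known bad mutex names, and strings in both ASCII and UTF-16LE.
Added example, not Volatility or lecture code; all input below is made up."""
import re
from typing import Dict, List, Optional, Tuple

# Table from the "Known Good Processes/Locations" slide, as lower-case directories.
EXPECTED_PATHS: Dict[str, List[str]] = {
    "lsass.exe": ["\\windows\\system32"],
    "services.exe": ["\\windows\\system32"],
    "csrss.exe": ["\\windows\\system32"],
    "explorer.exe": ["\\windows"],
    "spoolsv.exe": ["\\windows\\system32"],
    "smss.exe": ["\\windows\\system32"],
    "svchost.exe": ["\\windows\\system32"],
    "iexplore.exe": ["\\program files", "\\program files (x86)"],
    "winlogon.exe": ["\\windows\\system32"],
}
SUBTREE_OK = {"iexplore.exe"}  # lives in a vendor subdirectory of the listed path

# Patterns from the "Known Bad Mutexes" slide; Conficker's are regexes, the rest literals.
KNOWN_BAD_MUTEXES = {
    "Conficker": re.compile(r".*-7|.*-99"),
    "Sality.AA": re.compile(re.escape("Op1mutx9")),
    "Flystud": re.compile(re.escape("Hacker.com.cn_MUTEX")),
    "Sality.W": re.compile(re.escape("u_joker_v3.06")),
    "Koobface": re.compile(re.escape("35fsdfsdfgfd5339")),
}


def _normalize_dir(path: str) -> str:
    """Directory part of an image path as pslist/dlllist print it: drop the \\??\\
    prefix and the drive letter; \\SystemRoot is assumed to be \\windows."""
    p = path.lower()
    if p.startswith("\\??\\"):
        p = p[4:]
    if len(p) > 1 and p[1] == ":":
        p = p[2:]
    if p.startswith("\\systemroot"):
        p = "\\windows" + p[len("\\systemroot"):]
    return p.rsplit("\\", 1)[0]


def check_process_path(name: str, path: str) -> Optional[str]:
    """Finding text if a well-known process name runs from an unexpected place.
    Lookalike names (svch0st.exe) are not in the table and need a separate check."""
    key = name.lower()
    if key not in EXPECTED_PATHS or "\\" not in path:
        return None
    directory = _normalize_dir(path)
    for ok in EXPECTED_PATHS[key]:
        if directory == ok or (key in SUBTREE_OK and directory.startswith(ok + "\\")):
            return None
    return f"{name} running from {path}, expected {' or '.join(EXPECTED_PATHS[key])}"


def match_mutexes(names: List[str]) -> List[Tuple[str, str]]:
    """(mutex, family) for every name that fully matches a known bad pattern."""
    return [(n, fam) for n in names for fam, pat in KNOWN_BAD_MUTEXES.items() if pat.fullmatch(n)]


def extract_strings(data: bytes, min_len: int = 4) -> List[Tuple[int, str, str]]:
    """(offset, text, encoding) for printable ASCII and UTF-16LE runs. Windows keeps
    paths, URLs and object names in UTF-16LE, which `strings` without -el skips."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), m.group().decode("ascii"), "ascii") for m in ascii_re.finditer(data)]
    found += [(m.start(), m.group().decode("utf-16-le"), "utf-16le") for m in utf16_re.finditer(data)]
    return sorted(found)


# Constructed input, shaped like pslist/dlllist, mutantscan and a raw process dump.
SAMPLE_PROCESSES = [
    (4, "System", ""),
    (368, "smss.exe", "\\SystemRoot\\System32\\smss.exe"),
    (640, "lsass.exe", "C:\\WINDOWS\\system32\\lsass.exe"),
    (1464, "explorer.exe", "C:\\WINDOWS\\Explorer.EXE"),
    (2004, "iexplore.exe", "C:\\Program Files\\Internet Explorer\\iexplore.exe"),
    (3388, "svchost.exe", "C:\\Documents and Settings\\bob\\Local Settings\\Temp\\svchost.exe"),
]
SAMPLE_MUTEXES = ["ShimCacheMutex", "jhdgfd-7", "Op1mutx9"]
SAMPLE_MEMORY = (
    b"\x00" * 16
    + b"GET /gate.php HTTP/1.1"                            # ASCII at offset 16
    + b"\x00" * 8
    + "\\BaseNamedObjects\\Op1mutx9".encode("utf-16-le")  # UTF-16LE at offset 46
    + b"\x00" * 4
)


def triage(processes, mutexes, memory) -> Dict[str, list]:
    """Run the three checks and group the findings for the analyst's notes."""
    paths = []
    for _pid, name, path in processes:
        finding = check_process_path(name, path)
        if finding:
            paths.append(finding)
    return {"paths": paths, "mutexes": match_mutexes(mutexes), "strings": extract_strings(memory)}


if __name__ == "__main__":
    for section, findings in triage(SAMPLE_PROCESSES, SAMPLE_MUTEXES, SAMPLE_MEMORY).items():
        print(section)
        for f in findings:
            print("  ", f)
```

On the sample input the path check flags only the svchost.exe copy in a Temp directory, the mutex check reports the Conficker and Sality.AA names, and the string extractor returns the HTTP request as ASCII and the mutex path as UTF-16LE, each with the offset an analyst would look up in the process dump.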
Answers & Questions
•Thank you for your attention.