RogueOne

Your SIEM system generated multiple alerts in less than a minute, indicating potential C2 communication from Simon Stark's workstation.
Despite Simon not noticing anything unusual, the IT team had him share screenshots of his task manager to check for any unusual processes.
No suspicious processes were found, yet alerts about C2 communications persisted. The SOC manager then directed the immediate containment of the workstation and a memory dump for analysis.
As a memory forensics expert, you are tasked with assisting the SOC team at Forela to investigate and resolve this urgent incident.

Identifying the Malicious Process

Initial Analysis Using Imageinfo

First, let's identify the memory image's profile with the imageinfo plugin so we can start the investigation.

The output suggests the following profile:

With this profile, we can proceed to analyze the memory dump using volatility2.

Process Listing

Next we list the running processes and check whether any of them look malicious:

All of the processes appear legitimate, since every one of them is a normal Windows process.

Network Connection Analysis

Investigating the TCP connections with the netscan plugin may reveal suspicious activities:

An unusual connection to port 8888 is discovered, which points to a possible malicious connection (a reverse TCP connection to an attacker listening on port 8888). However, this output does not tell us the process ID (PID) that opened the connection.

For more precise information about network activities, we use the netstat plugin from Volatility 3:

Further analysis of the network connections revealed a suspicious activity associated with a process:

  • Process Name: svchost.exe

  • Process ID (PID): 6812

  • Connection: The connection was established on TCP port 8888, which is not commonly used by standard Windows services.

Given that svchost.exe is a legitimate Windows process that hosts services, the presence of a svchost.exe process is not suspicious on its own. However, the unusual network activity associated with PID 6812 raises concerns that this instance of svchost.exe may have been compromised or is masquerading as a legitimate process to hide the Command and Control (C2) communication.

We will need to investigate process 6812 further to determine if it's indeed the source of the malicious traffic and take appropriate action to mitigate the threat.
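To show how the netstat output is turned into a short list of connections worth investigating, here is an added example that is not part of the original walkthrough. It parses a constructed sample laid out like the tab-separated output of Volatility 3's windows.netstat.NetStat plugin (column names as that plugin prints them) and flags established TCP sessions to external hosts that are either on a non-standard port or owned by svchost.exe. Only the PID 6812 row reuses values from this investigation; the local address, the other rows and the `ORDINARY_PORTS` threshold are assumptions made for the demonstration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample in the tab-separated column layout of Volatility 3's
# windows.netstat.NetStat. Only the PID 6812 row reuses values from this
# investigation (13.127.155.166:8888, created 2023-08-10 11:30:03); the local
# address 10.0.0.25 and every other row are made up for the demonstration.
SAMPLE_NETSTAT = """\
Offset\tProto\tLocalAddr\tLocalPort\tForeignAddr\tForeignPort\tState\tPID\tOwner\tCreated
0x9e8b90000010\tTCPv4\t10.0.0.25\t49701\t10.0.0.1\t445\tESTABLISHED\t4\tSystem\t2023-08-10 11:02:14.000000
0x9e8b90000020\tTCPv4\t10.0.0.25\t49733\t52.96.0.10\t443\tESTABLISHED\t5120\tmsedge.exe\t2023-08-10 11:25:41.000000
0x9e8b90000030\tTCPv4\t0.0.0.0\t135\t0.0.0.0\t0\tLISTENING\t900\tsvchost.exe\t2023-08-10 10:57:55.000000
0x9e8b90000040\tTCPv4\t10.0.0.25\t49759\t13.127.155.166\t8888\tESTABLISHED\t6812\tsvchost.exe\t2023-08-10 11:30:03.000000
0x9e8b90000050\tUDPv4\t0.0.0.0\t5353\t*\t0\t\t1204\tsvchost.exe\t2023-08-10 10:58:09.000000
"""

# Assumed baseline: outbound sessions to these ports are unremarkable on a workstation.
ORDINARY_PORTS = {80, 443}


@dataclass
class Finding:
    pid: int
    owner: str
    foreign_addr: str
    foreign_port: int
    created: str          # "YYYY-MM-DD HH:MM:SS", the value a timeline needs
    reasons: tuple


def parse_netstat(text):
    """Turn NetStat output into a list of dicts keyed by the header columns."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split("\t")
    return [dict(zip(header, line.split("\t"))) for line in lines[1:]]


def is_external(addr):
    """True for a routable public address; private, loopback and '*' are not."""
    try:
        return ipaddress.ip_address(addr).is_global
    except ValueError:        # '*' placeholders or empty fields
        return False


def find_c2_candidates(rows, ordinary_ports=ORDINARY_PORTS):
    """Flag established TCP sessions to external hosts that look out of place."""
    findings = []
    for row in rows:
        if not row["Proto"].startswith("TCP") or row["State"] != "ESTABLISHED":
            continue
        if not is_external(row["ForeignAddr"]):
            continue
        port = int(row["ForeignPort"])
        reasons = []
        if port not in ordinary_ports:
            reasons.append(f"destination port {port} is not a usual web port")
        if row["Owner"].lower() == "svchost.exe":
            reasons.append("svchost.exe holding a direct session to an arbitrary external host")
        if reasons:
            findings.append(Finding(int(row["PID"]), row["Owner"], row["ForeignAddr"],
                                    port, row["Created"][:19], tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in find_c2_candidates(parse_netstat(SAMPLE_NETSTAT)):
        print(f"PID {f.pid} ({f.owner}) -> {f.foreign_addr}:{f.foreign_port} at {f.created}")
        for reason in f.reasons:
            print("   -", reason)
```

The `created` value is kept in the finding because it is exactly what the later timeline question needs; on a real dump you would feed the plugin's saved output into `parse_netstat` instead of the embedded sample.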

Identifying the Child Process Spawned by the Malicious svchost.exe Process

To investigate the child processes spawned by the potentially compromised svchost.exe process, we will use the pstree plugin, which visualizes parent-child relationships between processes:

The child process analysis using pstree indicates that the svchost.exe process with PID 6812 spawned a cmd.exe process with PID 4364.

Hunting for the Malicious File Sample

Further Investigation of the Malicious "svchost.exe" Process

We know that the malicious process is svchost.exe, so let's find the parent process that spawned it by running pstree again and grepping for the parent PID 7436 (in the output, the PPID column sits next to the PID column):

The fact that svchost.exe was started by explorer.exe is particularly alarming as explorer.exe is the Windows program responsible for the desktop and file management. It typically does not spawn svchost.exe processes. This indicates that the user might have accidentally executed malicious code leading to the spawning of a fake or compromised svchost.exe.

CMD History

Let's look at the process command lines to see where the fake svchost.exe was executed from, using the cmdline plugin:

We can see that all of the svchost.exe processes were launched from the System32 directory, except the last one, with process ID 6812, which was executed from Simon's Downloads directory.
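The two checks made above by eye (svchost.exe started by explorer.exe instead of services.exe, and svchost.exe running from a user's Downloads folder instead of System32) plus the cmd.exe child found with pstree can be expressed as one audit over a process table. The following is an added example, not code from the walkthrough: it runs over a constructed table that combines the columns of windows.pstree.PsTree (PID, PPID, image name) with the command line reported by windows.cmdline.CmdLine. PIDs 7436, 6812 and 4364, the explorer.exe parent and the Downloads location come from the investigation; the user name in the path, the remaining PIDs, rows and command lines are assumptions.

```python
import ntpath
from collections import defaultdict

# Constructed process table: (PID, PPID, ImageFileName, command line).
# PIDs 7436/6812/4364, the explorer.exe parent and the Downloads location come
# from the investigation; "simon" in the path, the other PIDs and their rows
# are made up for the demonstration.
SAMPLE_PROCESSES = [
    (4,     0,     "System",        ""),
    (596,   484,   "wininit.exe",   "wininit.exe"),
    (704,   596,   "services.exe",  r"C:\Windows\system32\services.exe"),
    (900,   704,   "svchost.exe",   r"C:\Windows\system32\svchost.exe -k RPCSS -p"),
    (1204,  704,   "svchost.exe",   r"C:\Windows\System32\svchost.exe -k NetworkService -p"),
    (7436,  7300,  "explorer.exe",  r"C:\Windows\Explorer.EXE"),
    (6812,  7436,  "svchost.exe",   r"C:\Users\simon\Downloads\svchost.exe"),
    (4364,  6812,  "cmd.exe",       r"C:\Windows\System32\cmd.exe"),
]

EXPECTED_PARENT = "services.exe"        # the legitimate parent of svchost.exe
EXPECTED_DIR = r"c:\windows\system32"   # where the real binary lives
SHELLS = {"cmd.exe", "powershell.exe"}  # a service host has no reason to spawn these


def image_path(cmdline):
    """Return the executable part of a command line, honouring a quoted path."""
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.find('"', 1)]
    return cmdline.split(" ", 1)[0]


def audit_svchost(rows):
    """Return {pid: [reasons]} for every svchost.exe that breaks the expected pattern."""
    by_pid = {pid: (ppid, name, cmd) for pid, ppid, name, cmd in rows}
    children = defaultdict(list)
    for pid, ppid, _, _ in rows:
        children[ppid].append(pid)

    findings = {}
    for pid, (ppid, name, cmd) in by_pid.items():
        if name.lower() != "svchost.exe":
            continue
        reasons = []
        parent_name = by_pid[ppid][1] if ppid in by_pid else "<not in list>"
        if parent_name.lower() != EXPECTED_PARENT:
            reasons.append(f"parent is {parent_name} (PID {ppid}), expected {EXPECTED_PARENT}")
        directory = ntpath.dirname(image_path(cmd)).lower()
        if directory != EXPECTED_DIR:
            reasons.append(f"image runs from {directory or '<unknown>'}, expected {EXPECTED_DIR}")
        for child in children[pid]:
            child_name = by_pid[child][1]
            if child_name.lower() in SHELLS:
                reasons.append(f"spawned shell {child_name} (PID {child})")
        if reasons:
            findings[pid] = reasons
    return findings


def render_tree(rows):
    """Indented parent/child listing in the spirit of pstree, for a quick read."""
    by_pid = {pid: name for pid, _, name, _ in rows}
    children = defaultdict(list)
    for pid, ppid, _, _ in rows:
        children[ppid].append(pid)
    roots = [pid for pid, ppid, _, _ in rows if ppid not in by_pid]
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{by_pid[pid]} ({pid})")
        for child in children[pid]:
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(SAMPLE_PROCESSES)))
    for pid, reasons in audit_svchost(SAMPLE_PROCESSES).items():
        print(f"\nPID {pid}:")
        for reason in reasons:
            print("   -", reason)
```

Each rule alone is weak (a path check is defeated by a file copied into System32, a parent check by a process that later exits), which is why the audit reports all reasons per PID rather than stopping at the first.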

So let's dump the svchost.exe file from the Downloads directory. To do that, we dump all the files associated with the malicious process ID 6812; I am using Volatility 3 for this:

We get a lot of files, but the last one is the one we want: file.0x9e8b91ec0140.0x9e8b957f24c0.ImageSectionObject.svchost.exe.img

Let's calculate its MD5 hash with md5sum:
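Picking the right file out of the dump directory and hashing it is easy to get wrong when many files share a name, so here is an added example (not from the walkthrough) that does both. It relies on the file-name pattern of Volatility 3's windows.dumpfiles.DumpFiles output, file.<file object offset>.<section offset>.<section type>.<name>.<img|dat>, which the name quoted above follows, and prefers the ImageSectionObject copy (the mapped PE image) over the DataSectionObject copy. The name of the first dump file is the one from the investigation; the other names, the byte contents and the temporary directory are constructed stand-ins, so the hashes printed are not those of the real sample.

```python
import hashlib
import os
import re
import tempfile

# Name pattern of files written by Volatility 3's windows.dumpfiles.DumpFiles:
# file.<FILE_OBJECT offset>.<section offset>.<section type>.<file name>.<img|dat>
DUMPFILE_RE = re.compile(
    r"^file\.(0x[0-9a-f]+)\.(0x[0-9a-f]+)\.(ImageSectionObject|DataSectionObject)\.(.+)\.(img|dat)$"
)

# Constructed stand-in for a DumpFiles output directory. The first name is the
# one from the investigation; the other names and all contents are placeholders.
CONSTRUCTED_DUMP = {
    "file.0x9e8b91ec0140.0x9e8b957f24c0.ImageSectionObject.svchost.exe.img": b"abc",
    "file.0x9e8b91ec0140.0x9e8b95a00000.DataSectionObject.svchost.exe.dat": b"abcd",
    "file.0x9e8b92000000.0x9e8b92000100.ImageSectionObject.kernel32.dll.img": b"MZ",
}


def parse_dump_name(name):
    """Split a DumpFiles output name into its parts, or return None."""
    m = DUMPFILE_RE.match(name)
    if not m:
        return None
    return {"filename": name, "file_offset": m.group(1), "section_offset": m.group(2),
            "section": m.group(3), "name": m.group(4), "ext": m.group(5)}


def select_samples(names, target="svchost.exe"):
    """Dumped copies of `target`, with the ImageSectionObject copy listed first."""
    parsed = (parse_dump_name(n) for n in names)
    matches = [p for p in parsed if p and p["name"].lower() == target.lower()]
    return sorted(matches, key=lambda p: p["section"] != "ImageSectionObject")


def hash_file(path):
    """MD5 (for the VirusTotal lookup) and SHA-256 of a file, read in chunks."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def hash_dumped_samples(directory, target="svchost.exe"):
    """Hash every dumped copy of `target` found in `directory`, image copy first."""
    results = []
    for p in select_samples(os.listdir(directory), target):
        results.append({**p, **hash_file(os.path.join(directory, p["filename"]))})
    return results


def demo():
    """Write the constructed dump into a temp dir and run the selection + hashing."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in CONSTRUCTED_DUMP.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        return hash_dumped_samples(tmp)


if __name__ == "__main__":
    for r in demo():
        print(f"{r['section']:<18} {r['filename']}")
        print(f"   md5={r['md5']}  sha256={r['sha256']}")
```

On a real case, call `hash_dumped_samples` on the directory you passed to DumpFiles; the ImageSectionObject hash is the one to compare against what md5sum printed.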

Identify C2 IP address and ports

By using the windows.netstat.NetStat plugin in Volatility 3, we can view all active connections and their corresponding IP addresses and ports. This allows us to identify any suspicious connections that the malware could be using to communicate with an external C2 server.

The results show an active connection to the external IP address 13.127.155.166 on port 8888.

We can also identify the C2 IP and port by searching for the sample on VirusTotal with the MD5 hash obtained in the previous question and opening the Behavior section.

Timeline Analysis of Malicious Process Activity

This information can also be obtained with the windows.netstat.NetStat plugin in Volatility 3.

The results show that the active connection to the external IP address 13.127.155.166 on port 8888 was created at 2023-08-10 11:30:03.

Memory Offset of the Malicious Process

Any process listing plugin shows the offset of each process.

The Offset column holds the address of each process object in memory (it is the part of each row that changes from process to process); for the malicious svchost.exe with PID 6812 it is 0x9e8b87762080.

First Submission to VirusTotal

First, search for the sample on VirusTotal using the MD5 hash and open the Details tab.

Scrolling down, we find the first submission date.

That completes all the questions.

I hope you found this walkthrough easy to understand and follow.

Greetings from Sayonara