Category: Endpoint Forensics
Tactics: Execution | Persistence | Privilege Escalation | Defense Evasion | Command and Control | Exfiltration
Level: Easy
Instructions:
- Ensure that there are no blockers, such as Adblock extensions, that might prevent the lab from opening in a new tab or affect the lab's functionality.
- All the lab-related files and tools are on the desktop in ‘Start here’ directory.
Scenario:
An after-hours alert from the Endpoint Detection and Response (EDR) system flags suspicious activity on a Windows workstation. The flagged malware aligns with the Amadey Trojan Stealer. Your job is to analyze the presented memory dump and create a detailed report of the actions taken by the malware.
Tools:
- Volatility 3
Q1-In the memory dump analysis, determining the root of the malicious activity is essential for comprehending the extent of the intrusion. What is the name of the parent process that triggered this malicious behavior?
- First, I used the windows.pslist.PsList plugin to list all processes:
~/Desktop/Start here/Tools/volatility3$ ./vol.py -f ../../Artifacts/Windows\ 7\ x64-Snapshot4.vmem windows.pslist.PsList
- Since the question asks about the parent process, I used the pstree plugin to show all parent/child relationships:
./vol.py -f ../../Artifacts/Windows\ 7\ x64-Snapshot4.vmem windows.pstree.PsTree
- The lssass.exe (PID 2748) process is likely malicious because it impersonates a legitimate security process (lsass.exe), has an unusual start time, and is associated with the suspicious parent process rundll32.exe. Attackers commonly use such techniques to hide their activities, such as credential dumping.
THE Answer : lssass.exe
Q2-Once the rogue process is identified, its exact location on the device can reveal more about its nature and source. Where is this process housed on the workstation?
First Method
- Use the FileScan plugin and grep for the process name:
1- ./vol.py -f ../../Artifacts/Windows\ 7\ x64-Snapshot4.vmem windows.filescan.FileScan > filescan.txt
2- grep -i "lssass.exe" filescan.txt
Second Method
- Use the cmdline plugin (a cmd.exe process showed up when I listed all processes):
./vol.py -f ../../Artifacts/Windows\ 7\ x64-Snapshot4.vmem windows.cmdline.CmdLine
THE Answer : C:\Users\0XSH3R~1\AppData\Local\Temp\925e7e99c5\lssass.exe
Q3-Persistent external communications suggest the malware's attempts to reach out to a C2C server. Can you identify the Command and Control (C2C) server IP that the process interacts with?
- Easy one: just use the NetScan plugin:
./vol.py -f ../../Artifacts/Windows\ 7\ x64-Snapshot4.vmem windows.netscan.NetScan
THE Answer : 41.75.84.12
Q4-Following the malware's link with the C2C, the malware is likely fetching additional tools or modules. How many distinct files is it trying to bring onto the compromised workstation?
- I tried the FileScan plugin and others, but they gave me nothing, so I dumped the memory of the malicious process:
./vol.py -f ../../Artifacts/Windows\ 7\ x64-Snapshot4.vmem windows.memmap.Memmap --pid 2748 --dump
- After dumping the process, I used the strings command to extract the HTTP GET requests:
strings pid.2748.dmp | grep -A 5 -i "^get /"
THE Answer : 2
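As an added example (not part of this writeup and not Volatility's own code), the script below automates the two manual checks from Q1 and Q4: it parses windows.pslist output and flags image names within two edits of a core Windows process name (how lssass.exe gives itself away) or core names running under an unexpected parent, and it counts the distinct files requested via HTTP GET in the strings output of a dumped process. The pslist excerpt, the strings lines with their request paths, and the expected-parent table are all constructed for this example.

```python
import re
# Constructed reference table: core Windows 7 processes and the parent each normally has.
EXPECTED_PARENT = {"smss.exe": "system", "wininit.exe": "smss.exe", "lsass.exe": "wininit.exe"}
# Constructed excerpt in windows.pslist column order; lssass.exe is the lookalike.
SAMPLE_PSLIST = """\
PID   PPID  ImageFileName  Offset(V)       Threads  Handles  SessionId  Wow64
4     0     System         0xfa8000c8e040  80       540      N/A        False
252   4     smss.exe       0xfa8001a2b040  2        30       N/A        False
400   252   wininit.exe    0xfa8001b3d040  3        80       0          False
500   400   lsass.exe      0xfa8001c2f040  7        600      0          False
1908  1880  explorer.exe   0xfa8002a51040  30       900      1          False
2748  1908  lssass.exe     0xfa8002f62040  4        120      1          False
"""
# Constructed strings(1) output of the dumped process, showing its HTTP requests.
SAMPLE_STRINGS = ("GET /Plugins/cred64.dll HTTP/1.1\nHost: 41.75.84.12\n"
                  "GET /Plugins/clip64.dll HTTP/1.1\nGET /Plugins/clip64.dll HTTP/1.1\n")

def edit_distance(a, b):
    """Levenshtein distance; lssass.exe is one edit away from lsass.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def parse_pslist(text):
    """Map PID -> (PPID, lower-cased image name) from the first three pslist columns."""
    return {int(m[1]): (int(m[2]), m[3].lower())
            for m in re.finditer(r"^\s*(\d+)\s+(\d+)\s+(\S+)", text, re.M)}

def flag_suspicious(procs):
    """(pid, name, reason) for lookalikes of core names and core names with the wrong parent."""
    findings = []
    for pid, (ppid, name) in procs.items():
        parent = procs.get(ppid, (0, "<unknown>"))[1]
        if name in EXPECTED_PARENT:
            if parent != EXPECTED_PARENT[name]:
                findings.append((pid, name, f"parent {parent}, expected {EXPECTED_PARENT[name]}"))
            continue  # an exact core name is never reported as a lookalike of another one
        for legit in EXPECTED_PARENT:
            if edit_distance(name, legit) <= 2:
                findings.append((pid, name, f"lookalike of {legit}, parent {parent}"))
    return findings

def get_targets(strings_output):
    """Distinct file names requested over HTTP GET (what Q4 counts)."""
    return {m[1].rsplit("/", 1)[-1] for m in re.finditer(r"^GET\s+(\S+)", strings_output, re.M | re.I)}
```

Feed the real pslist output and `strings pid.2748.dmp` into parse_pslist and get_targets to reproduce the Q1 and Q4 checks on the actual dump.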
Q5-Identifying the storage points of these additional components is critical for containment and cleanup. What is the full path of the file downloaded and used by the malware in its malicious activity?
First Method :
- From Q4 we know that the malware downloaded two more malicious files, named:
1- cred64.dll
2- clip64.dll
- So I used the FileScan output and grepped for one of them:
grep -i clip64.dll filescan.txt
Second Method :
- Just use the cmdline plugin (the same command as in Q2):
THE Answer : c:\Users\0xSh3rl0ck\AppData\Roaming\116711e5a2ab05\clip64.dll
Q6-Once retrieved, the malware aims to activate its additional components. Which child process is initiated by the malware to execute these files?
From Q5 and the cmdline output above:
THE Answer : RUNDLL32.EXE
Q7-Understanding the full range of Amadey's persistence mechanisms can help in effective mitigation. Apart from the locations already spotlighted, where else might the malware be ensuring its consistent presence?
From Q2 :
- I used the FileScan plugin and grepped for the malicious process name:
1- ./vol.py -f ../../Artifacts/Windows\ 7\ x64-Snapshot4.vmem windows.filescan.FileScan > filescan.txt
2- grep -i "lssass.exe" filescan.txt
THE Answer : c:\Windows\System32\Tasks\lssass.exe
THE END
BY Ahmed Nasser