Memory Forensics using Volatility3

bl7ck0ut
5 min readAug 24, 2023

--

Hello, in this blog we’ll be performing memory forensics on a memory dump that was derived from an infected system. This system was infected by RedLine malware.

Today we’ll be focusing on using Volatility. Volatility is a very powerful memory forensics tool. It is used to extract information from memory images (memory dumps) of Windows, macOS, and Linux systems. Volatility is the world’s most widely used framework for extracting digital artifacts from volatile memory (RAM) samples. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and provide a platform for further work into this exciting area of research.

Find more at — https://github.com/volatilityfoundation/volatility3

let's us begin analyzing the memory dump then…

So when you’re using volatility it’s very important to get a general idea of the memory dump you’re inspecting. This general data contains information like x32/x64 determination, major and minor OS versions, kdbg information & basic image information.

You can run below command — (NOTE- This for volatility3 for volatility version 2 refer — https://github.com/volatilityfoundation/volatility/wiki)

vol3 -f MemoryDump.mem windows.info
here “MemoryDump.mem”is our memory image.
And, “windows.info” is the plugin to run for getting the basic information
The following is the result:

windows.info

Q1. Find the suspicious process.
-
We run the below command to get a list of process. We get multiple processes that were running at the time the memory dump was taken.

vol3 -f MemoryDump.mem windows.pslist
windows.pslist — Lists all the processes running.

windows.pslist

Out of all the processes I can find 2 processes at the bottom that look suspicious to me.

suspicious processes

from the above we can see that the process “oneetx.exe” spawned rundll32.exe.

Why is this suspicious though?

Well, as we know Rundll32.exe is a Microsoft-signed binary used to load dynamic link libraries (DLLs) in Windows. There are various reasons one of them being rundll32.exe can used to load malicious DLLs during runtime. Another being the following — if we use ‘malfind’ plugin in Volatility3 which finds for a malicious process we can that oneetx.exe has PAGE_EXECUTE_READWRITE.

Some shellcode injection techniques allocate PAGE_EXECUTE_READWRITE memory block, fill it with shellcode and create a thread pointing to that shellcode.

It is possible for legit applications to exert this kind of behavior.

PAGE_EXECUTE_READWRITE

Q2. There’s a VPN connection present in the memory dump. Find the application responsible for the VPN connection.
-
We again take a look at the listed processes and suddenly we something that says ‘socks’.

tun2socks.exe

We find a process named tun2socks.exe which has a parent process named “Outline.exe”. The same will be confirmed in the upcoming step when we look for network connections.

Q3. Find the C2 communication or the C2 IP Address.
-
As we have already identified the malicious application so let’s first take a look at any connections initiated by that particular application.

vol3 -f MemoryDump.mem windows.netscan | grep ‘oneetx.exe’

Here, the ‘windows.netscan’ plugin will list out all the connections.

We see a connection that is currently CLOSED but it was initiated from the suspicious application ‘oneetx’.
If we take the IP from the connection came through and check it’s reputation in VT we see RED FLAGS!!!!

Checked the IP in VirusTotal.

Q4. Can we find the name of the malware family?
-
I already stated in the beginning that it’s Redline malware but you can find it by the searching the IOC IP in places like malwarebazaar, abuse.ch & tria.ge.

Q5. Find the exact malicious URL which was visited by the user?
-
We can dump the process ‘oneetx.exe’ and then we can run strings on it to get such info if it’s there. For dumping we run the below command.
vol.py -f “MemoryDump.mem” -o “/path/to/save” windows.memmap ‑‑dump ‑‑pid <PID>
PID is the process ID of the malicious process.
We now run strings on the process dump file and grep using the IP we found. Here, we can the exact URL the user visited.

strings on the process dump file

Q6. Find the path where the malicious oneetx.exe was dropped when the user visited this URL.
-
We again run strings on the same dump file while grepping for the filename ‘oneetx.exe’.

Here, we can see the path that the payload was dropped into.

The aim of this blog was to provide a foundational guide for using Volatility. I hope I was able to deliver that. Investigating cyber threats and analyzing them in order to unfold the story of breach has always been fascinating to me.

Furthermore, if you want to practice on such challenges you can find these on platforms like CyberDefenders, TryHackMe & LetsDefend.io etc.

So, until next time, adios!

--

--

bl7ck0ut
bl7ck0ut

Written by bl7ck0ut

Incident Responder, Threat Analysis

No responses yet