Super Easy Memory Forensics

Super Easy Memory Forensics
- You Can "Mount" Memory Images
and Analyze them with Explorer and Notepad -
Internet Initiative Japan Inc.
Hiroshi Suzuki and Hisao Nashiwa

About this Document
• This document is a part of a commercial training course, named “A
Comprehensive Guide to Digital Forensics & Malware Analysis for
Practical Incident Response”, held at Black Hat USA.
• https://www.blackhat.com/us-22/training/schedule/index.html#a-
comprehensive-guide-to-digital-forensics--malware-analysis-for-practical-
incident-response-25540
• This course is not for just a memory forensics analysis course. You can
learn comprehensive DFIR and malware analysis techniques.
Copyright Internet Initiative Japan Inc. 2

Introduction

Who Are We?
• Hiroshi Suzuki and Hisao Nashiwa are from “Internet
Initiative Japan Inc.” that is called “IIJ” for short.
• IIJ is a Japanese ISP (We are the first commercial ISP in
Japan).
• We belong to the CSIRT team (IIJ-SECT) of our company.
• We are malware analysts and forensic investigators.
• We have been past Black Hat Briefing speakers (USA,
Europe and Asia) and Trainers (USA).
4
Copyright Internet Initiative Japan Inc.

Typical Incident Response Flow
5
Interview with a Victim Memory Acquisition with
Triaged Acquisition
Disk Forensics, Malware Analysis
Live Response / Live Forensics
Memory Forensics with
Fast Forensics
Disk Acquisition

Memory Forensics 101 (1)
• What is Memory Forensics?
• It is a method to analyze memory images of infected computers.
• Why Memory Forensics?
• It is important for analysts to investigate rapidly, to find information such as
which process communicated with malicious hosts, and what kind of programs
were executed on the infected computers.
• The size of memory image is smaller than the disk. Therefore, it takes less time
to acquire and analyze images. We can quickly start to investigate it while
acquiring disk images.

Memory Forensics 101 (2)
• What is the difference between memory forensics and live response?
• Initial investigation of memory forensics is similar to live response.
• In addition, we can access code and data without running OSes. Therefore, we
are unlikely to be affected by rootkits and anti-analysis techniques.
• What is the difference between this analysis and disk forensics?
• Since malware decrypts or de-obfuscates its data and its configuration while
running on memory, unlike packed files on a disk, we may be able to access the
plain data. This is one of the advantages over disk forensics.

Memory Forensics Tools (1)
• Memory Image Acquisition Tools
• WinPmem
• DumpIt
• LeechCore (w/ LeechAgent for remote acquisition)
• Triaged Acquisition (Fast Forensic) Tool
• KAPE
• CDIR Collector
• Memory Image Analysis Tools
• MemProcFS
• Volatility Framework
• Rekall (no longer maintained)
• Redline (almost abandoned)
• WinDbg
• SwishDbgExt (third-party WinDbg plugin)
• We will mainly use MemProcFS and Volatility Framework version 3 in this course.

MemProcFS (1)
• It is one of the open-source memory
forensics tools.
• https://github.com/ufrisk/MemProcFS
• You can “mount” a memory image
like a disk image.
• You can check each process memory
space as a file, even each segment on a
process memory as a file.
• It can handle page files as well.
• It can handle memory compression
feature on Windows.
• This is much faster than Volatility
Framework because it is mainly
written in C/C++.

MemProcFS (2)
• It can convert a memory image
into Windows crash dump file
format virtually.
• It can also create a timeline of
$MFT, registry hives, process
creation dates and so on.
• It has a plugin architecture as
well.

Strategies of Memory Forensics

Strategies
• There are three main strategies of memory forensics.
• Checking process tree
• Investigating TCP/IP communications
• Finding RWX sections
• We will learn them quickly while performing several exercises
before starting CTF-style game. But let me introduce the concept
here.

Checking Process Tree (1)
• Why the process tree is important?
• We can often find anomalies in the process tree
if malware is executed. For example:
• A process you do not normally see on it appears
• E.g. strange path, non-existent binary by default…
• A process that is not where it should be
• In other words, it is a legitimate process but not under a
legitimate sub tree chain.
• E.g. Orphan process, svchost.exe not under
services.exe, IE process not under explorer.exe…
• If you are interested in the process tree, check
the URLs below.
• https://www.sans.org/posters/hunt-evil/
• https://nasbench.medium.com/windows-system-
processes-an-overview-for-blue-teams-
42fa7a617920 Copyright Internet Initiative Japan Inc. 14

• When a program is executed, which parent process will add the process as a child?
Action / Persistence Parent Process Note
Double-click it from explorer Explorer.exe
Choosing it from start-menu Explorer.exe
Startup folder Explorer.exe
Run key (HKU/HKLM) Explorer.exe
Service Services.exe * * If it is an executable file, not a DLL
and not a driver.
Task Scheduler Svchost.exe -k netsvcs
WMI wmiprvse.exe The grand parent process is “svchost
-k DcomLaunch”.

• Like the previous slide, only several processes typically spawn
child processes when a program is executed by a user manually
or by the OS from an auto-start location. You have to pay
attention to them.

• In addition to the child processes of the specific processes we
learned previously, you will also need to pay attention to
orphan processes, which means processes without any
parent processes except for the essential processes such as
SYSTEM, csrss.exe and wininit.exe.
• But why are orphan processes important?

Checking Process Tree – Orphan Processes (1)
• Why?
1. When a user double-clicks an executable file for example, the process is
created as a child process of explorer.exe.
2. If the created process (Malware A) uses a remote code injection technique
such as Process Hollowing or Reflective PE Injection, the malware creates a
child process (Process B) and injects malicious code into the process.
Explorer
Malware A
Process B (e.g. IE, svchost
…) with malicious code
1. Executed by user
2. Create a Process and
Inject Malicious Code
18

3. The process (Malware A) exits immediately after injecting code into the
remote process (Process B).
Explorer
Malware A
…) with malicious code 19
3. Exit
this process

• Therefore, the link between Explorer and Process B is broken and the
process that malicious code has been injected becomes an orphan.
Explorer
Orphan Process
…) with malicious code 20

Checking Process Tree – Summary
• We recommend checking the process tree to find suspicious
processes in this order.
1. Orphan processes (for PE injection)
2. Child processes of Explorer (for start-up, Run key…)
3. Child processes of svchost.exe (svchost.exe -k netsvcs) (for task
scheduler)
4. Child processes of wmiprvse.exe (for WMI)
5. Child processes of services.exe (for services)

Investigating TCP/IP communications
• You are often able to find evidence by investigating the TCP/IP
communication status. For example:
• Some sorts of malware, especially RATs, connect to external servers
frequently.
• If malware has a remote shell, a reverse proxy, or a P2P
communication capability, it listens on some ports.

Other Anomalies
• If code is injected into an existent process, there is no change
on the process tree. However, you can still find some
anomalies even if you are under the situation by checking
particular data such as:
• Memory permission (Especially RWX/RX memory regions that do
not belong to any modules. E.g. private RWX/RX and mapped
memory RWX/RX)
• External communications (We have already checked)
• Handles (By checking files, registries and mutant values)
• Call stacks of threads

Finding RWX memory sections
• Why is it important to check the “RWX” rights in memory?
• “RWX” means the memory section is Readable/Writable/Executable.
• Legitimate processes (especially Microsoft binaries) do not typically have
any “RWX” memory sections. This is because attackers could use “RWX”
sections for exploiting, such as arbitrary code execution.
• Microsoft tries to eradicate those sections from normal processes, especially from MS
Office such as Word and Excel, Internet Explorer and so on. Therefore, if you found
this in a legitimate process, a “remote code injection” might have occurred.
• There are some exceptions. For example:
• We sometimes see legitimate “explorer.exe”, “SearchHost.exe”, “smartscreen.exe”, Outlook,
Teams and OneDrive have some “RWX” sections.
• We have also seen some kinds of anti-virus software inject such a section into all processes.
26

Practice Exercise

Practice Exercise: Case 1
• We will learn memory forensics strategies
through the investigation of the memory
image in case 1.
• The memory images included in the VM
were acquired from Windows clients
infected with malware.
• Case 1: Windows 11 21H2
• Case 4a: Windows 10 1903
• Case 4b: Windows 10 1903

Practice Exercise
Preparation (1)
• Mount the target memory image with MemProcFS.
• Launch a command prompt.
• Navigate to the MemProcFS folder.
• Mount the memory image and swap files for "case1" with the following
commands.
cd C:toolsMemProcFS
.MemProcFS.exe -device C:Artifactscase1physmem.raw -pagefile0
C:Artifactscase1pagefile.sys -pagefile1 C:Artifactscase1swapfile.sys -forensic 2
Enter this in a single line.

Practice Exercise
Preparation (2)
• Then, you can investigate the memory image by exploring drive M.

Note for using MemProcFs and Volatility
Framework 3
• By the way, for MemProcFs, if you want to mount a memory image on
a different drive letter, you can add “-mount” option with a drive letter
to the command arguments.
• For example, “-mount s” will mount the image on drive “S:”.
• One more notice: If you want to analyze different versions of Windows
OSes with MemProcFs or Volatility Framework 3, you will need an
Internet connection. It is because they rely on Microsoft Symbol server
to identify its OS version and several important structure members of
the target image.
• We have already prepared the symbols of the OS at this time.

Practice Exercise
Process Tree
• Process tree is found in the following text files.
• M:sysprocproc.txt
• M:sysprocproc-v.txt

Practice Exercise
Process Tree - orphan processes
• A process that starts with a “-” is an orphan process.
Open “proc.txt”.
You can get running processes information on the system.
You can check parent-child relationships by counting “-”
and even orphan processes since it is in the form of a
process tree.
Here, let’s focus on the explorer subtree first.

Practice Exercise
Child processes of Explorer (1)
• Processes launched:
• by a user double-clicking
• from the Start menu by a user
• from a startup-item or a run key registry entry
• will be added to the explorer sub-tree.

Practice Exercise
• You can see the path of the program corresponding to a process, and
command-line by checking "proc-v.txt".
• Let’s check the processes under the sub-tree.
Full path of the program (with a drive letter)
(It is not always displayed)
command-line of the process
(It is not always displayed) Start time End time (if it is already terminated)
(this process is still running
because it is “***”.)
Full path of the program (with a device name)
Mandatory level
(High is the elevated privilege by UAC.)

Practice Exercise
• cdir-collector.exe and its child processes (conhost.exe,
winpmem_mini_x64_rc2.exe)
• cdir-collector is the acquisition tool that we used to acquire the memory image
and swap files. It calls winpmem to dump a memory image. Thus, these are
not suspicious in this case.
• OneDrive.exe
• SecurityHealthSystray.exe
• These two programs are pre-installed in modern Windows clients. Let’s ignore
them first. It is a priority matter. However…,

Is OneDrive Always Safe?
A spiderpig sample performs a DLL side loading attack by putting a
malicious DLL into the OneDrive folder of the current user to make
OneDrive load it. This is a rare case but you might need to look into
it even if a process was a legitimate program.
See the detailed report if you are interested in.
https://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_8_hara_en.pdf

Practice Exercise
• vmtoolsd.exe
• It is a component of VMware. Virtual machines running on VMware typically
have two vmtoolsd processes. One is running as a service with the SYSTEM
privilege, and the other is running as a user process under the explorer sub-
tree. We used VMware to create the memory image, so you can ignore this.
• browser-up.exe
• Is it a common process? Maybe it is malware, or just a legitimate third-party
application. Anyway, let's keep it in mind.

Practice Exercise
• By checking proc-v.txt for browser-up.exe, you can confirm the location of
the program. It is placed under the startup folder.
• The process was executed by localadmin. We can see that it was not
elevated to the privilege because the mandatory level was medium.
• We found a suspicious process, named browser-up.exe. However, let’s
continue checking the process tree.
• Next, let’s check the processes under services.exe, which are launched as
services.

Practice Exercise
Other Important Subtrees (1)
• Child processes of services.exe
• “services.exe” has almost forty child
processes.
• At a glance, these child processes look
Windows components including
svchost.exe, which is a service host
executable for internal Windows
services, or VMware related drivers
because of their paths and their names.
Of course, they could be forged ones.
But it is difficult to distinguish malicious
ones by only checking the information
here and they are legitimate in most
cases. Thus, look for other suspicious
processes first.

Practice Exercise
Other Important Subtrees (2)
• Child processes of svchost.exe (svchost.exe -k
netsvcs)
• You can find that PID 372 has this command line by
checking proc-v.txt, and there are three child
processes of it.
• sihost.exe, taskhostw.exe and MicrosoftEdgeUpdate.exe
• They also look legitimate Windows components
placed in the normal paths so put them aside now.
• Child processes of wmiprvse.exe
• There are no child processes of wmiprvse.exe in the
process tree.

Practice Exercise
Orphan Processes
• A process that starts with a single "-" is an orphan process.
• System
• csrss.exe (x2)
• wininit.exe
• winlogon.exe
• msedgewebview2
• The top four are always orphan while a Windows system is running. The bottom
one, msedgewebview2 is a process of Microsoft Edge WebView2 component that
is used to embed a web component into native applications such as Widgets,
Teams and Outlook.
• We confirmed that msedgewebview2 processes that are used for widget applications
sometimes become orphan on Windows 11 clients.
• Although some kinds of malicious code could have been injected into the msedgewebview2
process, we cannot confirm it since the process has already exited. So, put this aside and move
on to the next.
• As a result, we found that there are no unnatural orphan processes.

Practice Exercise
Checking Process Tree with Volatility 3 (1)
• By the way, with Volatility Framework 3, you can check the process
tree by executing the following commands.
cd C:Toolsvolatility3
py -3 vol.py -f C:Artifactscase1physmem.raw windows.pstree.PsTree

Practice Exercise
Checking Process Tree with Volatility 3 (2)
• Volatility's PsTree does not show command lines and user names of
processes unlike MemProcFS, so you will need to check them with the
following commands as well.
py -3 vol.py -f C:Artifactscase1physmem.raw windows.cmdline.CmdLine
py -3 vol.py -f C:Artifactscase1physmem.raw windows.getsids.GetSIDs

py -3 vol.py -f C:Artifactscase1physmem.raw windows.cmdline.CmdLine
Unfortunately, we could not get the result.
We think the cause of the problem is that Volatility does not
support memory compression yet.
https://github.com/volatilityfoundation/volatility3/issues/136

py -3 vol.py -f C:Artifactscase1physmem.raw windows.getsids.GetSIDs
Browser-up.exe was executed by localadmin.
The user is a local administrator account because it
belongs to Administrators group.
However, the process has only medium level. So this
process was not elevated by UAC.

By the way, you can see the same list on
MemProcFS by navigating to the token folder of
a process like this.

• We found only one uncommon process as a
child of Explorer.
• The program is placed under the startup folder.
• Of course, it can be a legitimate program having
persistence. We will check this more detail later.
Practice Exercise
Checking Process Tree – Result

Practice Exercise
Netstat
• Network status is listed in the following text files. We always use
netstat-v.txt because netstat.txt is a subset of it.
• M:sysnetnetstat.txt
• M:sysnetnetstat-v.txt

Note that, this may not show all connections.
There may be some connections that are
missing due to timing of acquisition because
closed connections are already removed from
the connection table, although MemProcFS
can carve the objects as much as it can.
The output format is similar to netstat and ss
commands.

Practice Exercise
Netstat - connections
• There are six connections to external hosts originated from the
suspicious process, browser-up.exe.
• Brouse-up.exe seems to be an internet application. If it was malware,
the destination hosts would be one of the most significant IoCs.
• Googling or searching some other reputation services such as VirusTotal with
the destination IP addresses may give you a clue.

Practice Exercise
• aa
By searching the IP addresses on VirusTotal
and checking the RELATIONS tab, you can
confirm that the IP addresses are related to
malware.

Practice Exercise
• aa
We can also find that some of the malware listed in the previous slide
connect to the both IP addresses that we found.
Therefore, these two IP addresses must be malicious.
If this were a real case, we would regard browser-up.exe process as
malware. We would also check if any other hosts in your network
accessed them immediately.
Even if we did not find any evidences, we could still regard these
communications are suspicious because they are not related to any
common services.
There are not so many destinations that normal programs except for
web browsers in enterprise networks connect to. And most of the
destinations are related to Microsoft or updater of famous applications.

Practice Exercise
Netstat - listening ports and applications
• Next, let’s check listening ports. There are several common well-known ports (135, 139,
445), CDPSvc(5040) and MS-RPC(49152-65535) on legitimate programs. There seems to be
nothing suspicious.
• https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/service-overview-and-
network-port-requirements

Windows Listens on Port 5040 by Default
• Recent Windows clients listen on TCP port 5040 for CDPSvc (Connected Devices
Platform Service) by default. So, we can regard it as a benign service. You can
check this by Process Explorer or Process Hacker.
• According to this article, it has started in Windows 10 20H2.
• https://www.chadduffey.com/2020/11/20H2.html

Practice Exercise
Checking Netstat with Volatility 3 (1)
• With Volatility 3, you can check netstat by executing the following
command line.
py -3 vol.py -f C:Artifactscase1physmem.raw windows.netstat.NetStat

Practice Exercise
Checking Netstat with Volatility 3 (2)
• In addition, Volatility 3's netscan plugin can show carved TCP/IP objects.
py -3 vol.py -f C:Artifactscase1physmem.raw windows.netscan.NetScan
NetScan plugin uses carving method for
searching TCP/IP objects. It can find closed
or timeout ones while NetStat plugin cannot.
Therefore, we recommend using both.

• However, in this case, Volatility's NetScan plugin misses closed connections
to external hosts, while NetStat plugin finds a closed connection to an
external host.
• In general, NetScan finds more results than NetStat, but in this case it did not for
some reasons.
• Although we also used the Volatility's option "--single-swap-locations" that could
parse pagefiles, it resulted in the same as the one without the option. We think
Volatility still does not parse pagefiles at least for Windows OSes.
• MemProcFS finds five more closed connections to external hosts. We think the cause
of the difference between them is that Volatility does not support memory
compression yet, in addition to the reason above.
• https://github.com/volatilityfoundation/volatility3/issues/136

• We found the suspicious connections by the browser-up.exe process
to external hosts.
• VirusTotal shows that the IP addresses are related to some malware
samples. Thus, these also must be malicious communications by the
malware.
Practice Exercise
Netstat - Result

• MemProcFS's findevil detects RWX
sections in a process and several other
factors.
• Findevil is kicked after launching
MemProcFS with the forensic option or
accessing this folder. Thus, you might have
to wait for a few minutes before checking
the results.
Practice Exercise
RWX memory sections (1)

https://github.com/ufrisk/MemProcFS/wiki/FS_FindEvil
There are several types of findevil module results described
on its wiki or readme.txt on the findevil folder. We think
PE_INJECT, PEB_MASQ, PRIVATE_RWX, PRIVATE_RX,
NOIMAGE_RWX, NOIMAGE_RX and PROC_* are important.

• aaa
Practice Exercise
In this case, several sections of browser-up.exe are
labeled as PRIVATE_RWX. It means that the process
contains RWX sections in its own memory space.
In addition, several other processes are listed,
although they are legitimate. Let’s check what the
RWX sections on browser-up.exe have.

• To check the data of these RWX segments below, let’s go to the
vmemd folder under browser-up.exe (PID:5944).
• And you can open the following file with a hex viewer.
Practice Exercise
The folder for memory
segments of PID 5944
This file includes all the data
listed above

• Note that a segment shown in findevil.txt and a memory region in a vmemd folder
is not one-to-one. A memory region in a vmemd folder consists of some segments
in one, so we need to find memory regions that contain the target segment.
• For example, those four segments above are included in the memory region on
the .vvmem file below.
The memory region range is
0x7f7000 to 0x7fcefff.
Therefore, those segments
above belong to this region.

• By opening the file with a hex editor, in this case, we used FileInsight,
which has already been installed on the VM, you can confirm that the
area looks containing a PE image. When PE injection was used, you
would see this kind of data in a private memory segment like this.
Practice Exercise

• You will also find there are RWX and RX sections in a few processes in this image.
However, it is sometimes difficult to determine the purpose of the executable
code. Strictly speaking, we would need to check the segments one by one.
• However, check the suspicious processes first and put aside processes such as web
browsers, “SearchHost.exe”, “smartscreen.exe”, Outlook, Teams and OneDrive
ones because we sometimes see them on legitimate PCs for some reasons. For
example, they might be legitemately injected by anti-virus software, or might be
legitemate JIT compiled code.
Practice Exercise

• Let's examine browser-up.exe in detail more.
• If you want to apply strings command or Yara to an entire process at
once, you can use "minidump.dmp".
• This is a similar dump file to a result when using Sysinternals ProcDump. The
format is Microsoft Crash Dump. You can analyze it with WinDbg or a product
version of IDA Pro. However, here, we will apply strings command.
Practice Exercise
Important Data in the Suspicious Process (1)

• Run the following command line to extract readable strings from the
minidump.dmp with a command prompt and Sysinternals strings,
which can extract both ASCII and UNICODE strings at once.
• The output contains over 500,000 of lines so it is very difficult to check
them line by line.
• Therefore, use a few REGEX patterns to detect C2 servers and User-
Agent strings, which can be effective IoCs.
strings -accepteula M:namebrowser-up.exe-5944minidumpminidump.dmp >
C:UserstaroDesktopbrowser-up-strings.txt
Practice Exercise
Use cmd.exe. DO NOT use Powershell or WindowsTerminal.exe.

• For example, we uaually apply the following patterns to suspicious process
strings to find C2 servers.
• ^s*[a-zA-Z0-9_-]+.[a-zA-Z0-9_-]+(.(?!exe|dll|pdb|inf|sys)([a-zA-Z0-9_-]+))+s*$
• ^s*([a-zA-Z0-9_-]+.)+(?!exe|dll|pdb|inf|sys)([a-zA-Z][a-zA-Z]+)s*$
• ^s*CONNECTs+[a-zA-Z0-9_-]+.[a-zA-Z0-9_-]+(.[a-zA-Z0-9_-]+)+
• ^s*CONNECTs+([a-zA-Z0-9_-]+.)+[a-zA-Z][a-zA-Z]+
• ^s*(GET|POST)?s*https?://
• MSIE
• Mozilla
• The first four patterns are for FQDNs and IP addresses. The fifth one is for URLs.
The bottom two patterns are for User-Agent strings. Malware often contains
these kinds of strings.
Practice Exercise

GUI REGEX Filter Tool
• Glogg
• Glogg is a GUI-based
grep tool.
• The top pane displays
original text data. The
bottom pane shows the
results matched with a
REGEX pattern input to
the text box in the
middle.
Original text data
Result
REGEX form
https://glogg.bonnefon.org/

• By applying the patterns for URLs and User-Agent strings, you can see
the following results.
Practice Exercise
We have already found lower two
IP addresses in the connection
table. However, top one is new!
This is the hard-coded user agent
of the malware.

• Actually, “browser-up.exe” has so many domain names other than the
C2 servers.
• What are these? Are they suspicious or malicious?
• No. Actually, there is a mechanism called “SSL/TLS False Start”, which is
a mechanism to enhance the speed of SSL/TLS connections. Web
browsers and even WinInet has the mechanism.
• https://blog.chromium.org/2011/05/ssl-falsestart-performance-results.html
• SSL/TLS False Start Blacklist is the list of domains to which the
mechanism is not applied.
• If a HTTPS request occurs with the web browsers, or WinInet APIs, the
list, which is hard-coded in their binaries, will be loaded into their
process memory space.
• You can see the list at a certain point in time at the URL below.
SSL/TLS False Start Blacklist
https://chromium.googlesource.com/chromium/src/net/+/f372faaffd528f
0be7392b2eef85261661190d57/base/ssl_false_start_blacklist.txt

• Next, let’s learn how to extract suspicious PE images from a memory region. It is
because additional malware is sometimes stored in the middle of a memory
region. So far, we found the RWX segments below with findevil.
Practice Exercise
Extract Embedded PE Images From the Suspicious RWX Area (1)
The folder for memory
segments of PID 5944
This file includes all the data
listed above

Practice Exercise
• You can extract PE images embedded in a memory region with Didier Stevens'
script, named pecheck.py.
• https://blog.didierstevens.com/2020/03/27/carving-pe-files-with-pecheck-py/
• First, list up the PE images included in the region with the following command
lines.
• The script shows that an additional 64-bit DLL image is placed after the image that
we have already found.
cd C:Tools
py -2 pecheck.py -l P M:namebrowser-up.exe-5944vmemd0x0000000007f70000.vvmem

• Then, you can extract the PE images with the following command
lines.
Practice Exercise
py -2 pecheck.py -l 1 -g s -D M:namebrowser-up.exe-
5944vmemd0x0000000007f70000.vvmem > C:UserstaroDesktoppe-32-exe.bin
py -2 pecheck.py -l 2 -g s -D M:namebrowser-up.exe-
5944vmemd0x0000000007f70000.vvmem > C:UserstaroDesktoppe-64-dll.bin

• The extracted PE files can be analyzed with your favorite disassembler
like this.
Practice Exercise

Practice Exercise
Finding RWX Memory Areas with Volatility 3
• Volatility 3 also has a similar plugin to find RWX memory region in a
process. However, it does not find the region in browser-up.exe in this
case.
py -3 vol.py -f C:Artifactscase1physmem.raw windows.malfind.Malfind --pid 5944

• You can extract a specified memory region with Volatility 3 by running
the following command.
• The dumped file is saved in the current directory.
• However, in this case, the dumped image does not have data. It might
be because the memory region paged-out or was compressed.
Practice Exercise
Extract Process Memory with Volatility 3
py -3 vol.py -f C:Artifactscase1physmem.raw windows.vadinfo.VadInfo --pid 5944 --address
0x7f70000 --dump

Practice Exercise
RWX memory sections – Result (1)
• The browser-up.exe process has suspicious RWX segments.
• Two PE images are embedded in the memory region, which includes the segments above.
• This is an evidence of PE injection.

Practice Exercise
• We have also found three URLs and a hard-coded User-Agent strings in
the strings of brouser-up.exe. Those are effective IoCs.

Practice Exercise
• We could extract the PE images found in the RWX memory region with
pecheck.py. We are ready to analyze the images.

Scripting Language Investigation with Strings
in a Process
• If you want to analyze a process of scripting language, search
welknown functions’ name or language syntax as keywords in it.
• For example, PowerShell uses the “Invoke-” prefix such as “Invoke-Command”
“Invoke-Expression” and “Invoke-WebRequest” for some functions.
• A function starts with “Function FUNCTION_NAME“ as the function definition
syntax.
• It is because, you could recover decoded script contents or evidence of
command execution with parameters even if scripts or logs were
already removed from the disk.
• In several cases, we have recovered perl and powershell scripts, which
attackers had already deleted on the file system, from their process memory
spaces.

• Exploring MFT and registry entries
• Analyzing persistence artifacts (Registries, Services, Tasks…)
Checking these is very useful for finding infection date and
attackers’ activities more.
After the analysis above, you can check several artifacts more. MFT
and registries are most important artifacts if you have a pivot point
such as a timestamp or a path.

Explorer MFT and Other Items in Timeline Format
• MFT is a table for managing metadata of NTFS. It is stored in
each NTFS volume. MFT is mapped on memory as well so that
you can check file-folder related information such as their size,
creation and modification time by parsing MFT entries.
• You can also know the first and the last execution time of
programs by checking the creation and modification time of
prefetch files.
• MemProcFS can generate several kinds of timeline including the
information above with the forensic option.

Prefetch Files (1)
• Prefetch is a Windows function for diagnosing user
behaviors and creating a list of necessary library files
to improve application execution performances.
• Prefetch files are created in “Prefetch” folder under
“Windows”.
• Prefetch is not always enabled in some cases. For example,
it is disabled on Windows Server hosts by default. It is also
disabled when a host is running as a virtual machine in
some cases.
• Prefetch files are created when the program was
executed for the first time.
• The .pf files will be updated after each program execution.
• They may be deleted automatically in some cases.
• E.g. When the number of Prefetch files reached the maximum.

Prefetch Files (2)
• Each Prefetch file stores 8 execution histories for Windows 8 and newer.
• 1 execution history is stored on older Windows.
• Since Prefetch files are updated every time the program is being executed,
file system timestamps of the .pf files may be considered as a program
execution history record.
• Creation timestamp as the first execution time.
• Modification timestamp as the last execution time.
• However, note that a Prefetch file is created or modified at the earlier one of: 10
seconds after the program was executed, or the program was terminated. Therefore,
there might be a maximum of 10 seconds of difference between the file timestamps
and the actual execution time.
• Non-existence of Prefetch files does not tell that the program has never
been executed. For example, there are cases where .pf files are not
generated when the program was executed with SYSTEM privileges.

• MemProcFS can generate timelines of MFT and other important events.
• Here, let's check the timeline for all events.
Practice Exercise
Exploring MFT Events in Timeline Format (1)

• あああ
• Note that the latest event appears at the top and the
oldest one is at the bottom.
• The timeline has almost 300,000 lines, so it is impossible to
view the whole timeline line by line.
• When examining a timeline, search it for pivot points,
which are important information we already know such as
infection time and paths to malicious files, and then check
the lines around the pivot points.
• Let’s apply this to the timeline.

Practice Exercise
• First, search the timeline for the suspicious process name that we
found as a pivot point.

Practice Exercise
• Then, you will find the process creation time first.
• Of course, it is the same date as the one that we found in proc-v.txt
because the line is generated from the process information.

• Next, you will find the prefetch file modification entry of browser-up.exe. It
should be recorded at about 10 seconds later than the process creation
event. However, it was recorded 22 seconds earlier than the process
creation. It is very weird.
• At this moment, there were several other prefetch modification events recorded earlier
than their process creation events such as smartscreen.exe and audiodg.exe. Although
we are not sure why they occurred, Windows booting process might affect the
behavior.
• Anyway, you can find many modification entries of prefetch files that were
recorded at the same time as browser-up.exe’s one. Although, these could be
related to the behavior of browser-up.exe, in this case, we can presume that
these modification events indicate that the Windows OS booted up. It is
because, as we already know, browser-up.exe is in the startup folder.

• Next one is the prefetch file creation entry of browser-up.exe.
• It is the first execution time of the program. And you can see another
prefetch creation entry was recorded at the same time. It is for
"BRAVEBROWSERSETUP-VER979.EXE". It might be related to browser-
up.exe and it looks also related to a brave browser installer because of
the name.
Practice Exercise

• Next ones are the file read, creation and modification events of browser-
up.exe.
• Since the modification time is slightly earlier than the creation time, the
program file might have been copied in the same hard disk partition.
• When a file in an NTFS volume is copied, its creation and its access timestamps are
updated while its modification timestamp is kept.
• https://www.kazamiya.net/en/NTFS_Timestamps
• These timestamps could indicate around the actual infection time.

• In addition, you can find the file creation and the modification event of the
BraveUpdateSetup.exe.
• The executable file might be related to browser-up.exe because it was
created at the same time and we also found the similar name around the
first execution time of browser-up.exe.

• Volatility's MFTScan plugin can extract MFT records from a memory
image. However, this plugin usually outputs relatively fewer results
than MemProcFS.
• We think the cause of the difference between them is that Volatility does not
handle pagefiles properly and does not support memory compression yet.
Practice Exercise
Investigating MFT with Volatility 3
set PYTHONIOENCODING=utf-8
py -3 vol.py -f C:Artifactscase1physmem.raw windows.mftscan.MFTScan >
C:userstarodesktopcase1-mftscan.txt
Enter this in
a single line.

• Volatility 3 can also generate a timeline from several plugins such as
MFTScan, PSScan, PSList, NetScan, NetStat, DllList and so on.
• However, we could not find browser-up.exe related events other than the
process creation in the result due to the same reason as the previous slide.
Practice Exercise
Exploring Timeline with Volatility 3
set PYTHONIOENCODING=utf-8
py -3 vol.py -f C:Artifactscase1physmem.raw timeliner.Timeliner >
C:userstarodesktopcase1-timeliner.txt
Enter this in
a single line.

• Let’s summarize the results finally.
• We found the creation time of browser-up.exe, and the first and the
last execution time of it.
• "BraveUpdateSetup.exe" and "BRAVEBROWSERSETUP-VER979.EXE"
could be related to browser-up.exe because of their creation
timestamps, their names and their execution timing.
• Actually, this was a fake Brave browser installer and it resulted in the
malware infection.
• https://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_8_hara_en.pdf
Practice Exercise
Exploring MFT Events – Result

• We found the following important information about the malware with
MemProcFS.
Practice Exercise
Conclusion
Item Value
Process name browser-up.exe
Path of the program C:UserslocaladminAppDataRoamingMicrosoftWindowsStart
MenuProgramsStartupbrowser-up.exe
Persistence mechanism Startup folder
(Possible) Infection date 2022-05-06 07:44:06 UTC
C2 server 104.168.213.95, 45.117.102.243, 45.77.227.248
User-Agent string Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/88.0.4324.146 Safari/537.36
Programs that might be related BRAVEBROWSERSETUP-VER979.EXE, BraveUpdateSetup.exe

• Actually, there are two types of malware on memory.
• One is selfmake. And another one is spiderpig.
• Selfmake is a loader of spiderpig.
• This is browser-up.exe.
• It accesses 45.77.227.248 to download spiderpig with https protocol.
• The spiderpig sample accesses the IP addresses below.
• 104.168.213.95, 45.117.102.243
• It is only on memory. You would lose the information if you did not perform memory forensics!
• Check the report we formerly mentioned if you are interested in.
Practice Exercise
Conclusion (2)

Tips (1)
• You can use Explorer’s search feature to find a path or a content under
a certain path. This is very useful for finding a persistence under a
registry hive.

Tips (2)
• Note that, after entering a keyword and starting the search, make sure you check
“File contents” option on “Search options”. Otherwise, you will miss the result if
you want to search for a keyword included in value data of a registry.

Tips (3)
• If you want to use complex search conditions, check “Using Advanced
Query Syntax Programmatically” out.
• https://docs.microsoft.com/en-us/windows/win32/search/-search-3x-
advancedquerysyntax

Tips (4)
• You can also map a drive mounted by MemProcFS on WSL like the
commands below and search for a keyword with grep command.
• The commands will map the drive M to “/mnt/m” on WSL. And search
files for “KEYWORD_TO_BE_SEARCHED” under the
“/mnt/m/path/to/something” folder.
mkdir -p /mnt/m
sudo mount -t drvfs "M:" /mnt/m
grep -i KEYWORD_TO_BE_SEARCHED -r /mnt/m/path/to/something -s

Tips (5)
• If a file on MFT is small enough, the file content can be recovered.

Commentary of CTF-Style Game

Finding Evil on Case 2

Process Tree (1)
• Open “proc” folder under
“sys” folder and open
“proc.txt”.
• You can get running
processes information on
the system.

Process Tree (2)
• When you check the process tree, you
will find onedrivecli.exe on the
explorer subtree.
• At a glance, it looks a legitimate
process because of the name.
However, it is not a common process
name.
• The legitimate OneDrive process is
“OneDrive.exe”. Is it a CLI version of
OneDrive? It is weird.
• It spawns a command prompt as well.
• Therefore, you should check this
carefully.

If you check “proc-v.txt”, you will find the suspicious
process is in “Windows” folder even though it seems a part
of OneDrive. The legitimate OneDrive is in “OneDrive”
folder. It is actually different from the path associated with
OneDrive files. It is a little bit weird.

How to Check TCP/IP
Communications (1)
Next, check TCP/IP communications. Open
netstat-v.txt.

The suspicious process had three connections.
If you search the google for this IP address, you will find
the report below. It was used for gh0sttimes’ C2 Server.
Therefore, this process must be malware.
https://blogs.jpcert.or.jp/en/2021/10/gh0sttimes.html

If you search for “onedrivecli” under HKUlocaladmin,
you will find the persistence of it in run key. The reason
why we decided to check under the registry is that the
malicious process was run with the user’s access rights.

If you search for malicious domain names with the
REGEX pattern above, you will easily find it on the
strings of the malicious process.
strings M:nameonedrivecli.ex-6108minidumpminidump.dmp >
%USERPROFILE%Desktoponedrivecli.ex-6108-string.txt

If you search for executables with “.exe”, you will find a part of
the result of the dir command as above. And you will also find
the full path to the files as below. Although they are already
deleted, you can still find the evidence on the strings.

If you search timeline_all.txt or timeline_ntfs.txt for
“onedrivecli”, you will easily find the file creation time.
The date would be close to the infection date if you
were in a real case.

If you search timeline_all.txt for “sdelete”, you will
easily find two evidences of sdelete64.exe’s execution.
One is the prefetch file. Another one is the registry key.
A Sysinternals utility creates its own key when it is
executed for the first time.

Finding Evil on Case 3

Process Tree (1)
• Open “proc” folder under
“sys” folder and open
“proc.txt”.
• A process that starts with a
single “-” is an orphan
process.
• Since “System” is always an
orphan, ignore them first.

Process Tree (2)
• When you check the process tree, you will find an orphan svchost.exe.
• PID: 2884
• It should be spawned by services.exe, if it were a legitimate one.
Therefore, the orphan svchost process is suspicious.

FindEvil
• After the forensic option is completed, you will see the
content of findevil.txt. If you open it, … (Next slide)

FindEvil
You will find that httpsX64_d.dll module was injected into the svchost
process. Actually, it is not on MFT. The attacker must have been
injected the malicious PE image by decoding it only on memory.
In addition, the process has several RWX segments.

How to Check TCP/IP
Communications (1)
You will find TCP/IP communications in
“sysnet” folder.
At this time, let’s open netstat-v.txt.

Scenario 3 Labs (2)
You will find that the malicious svchost process had connected to a unknown external
host, 8.208.14.5. Therefore, this should be a malicious IP address.
You can also confirm that the other IP addresses listed as destinations of TCP/IP
connections are used for Microsoft's services. So they should be legitimate.

Examine Strings in the Malicious svchost
Process
• You can extract both ASCII and Unicode strings from the process
memory space with the following command line.
• Then, you can find a suspicious URL by applying one of the filters we
mentioned before. This should be the malicious URL.
strings M:namesvchost.exe-2884minidumpminidump.dmp > %USERPROFILE%Desktopsvchost-2884.txt

Finding Embedded PE images
• You can find two embedded PE images by parsing the vvmem files of
the memory regions that are labeled as Private RWX by findevil.
cd C:Tools
py -2 pecheck.py -l P M:namesvchost.exe-2884vmemd0x0000000180000000.vvmem
cd C:Tools
py -2 pecheck.py -l P M:namesvchost.exe-2884vmemd0x000002b6c6660000.vvmem

Finding Files Related to the Malicious Svchost
Process (1)
• The svchost process, which httpsX64_d.dll
was injected into, must be spawned by
another malicious process. And the
malicious process should have started right
before the svchost process started.
• Finding the prefetch file of the malicious
svchost process may provide a clue.
• However, there are so many prefetch files
for svchost.exe on the system because it is
a program to host Windows services and it
has multiple instances.
• How should we do to identify it?

Process (2)
• When you check proc-v.txt, you will find the malicious svchost process was
launched without any arguments.
• It is not common usage of svchost.exe. It should be used with a few
arguments, at least a service name, such as "-k netsvcs -p" and "-k
LocalServiceNetworkRestricted -p" because it is a service host for Windows
services.
• Therefore, we could distinguish the malicious one from legitimate ones.

Process (3)
• In order to create the prefetch file of svchost without arguments,
execute the command on your VM as below.
• Now you got the file name! It is “SVCHOST.EXE-2823DB96.pf”.

Finding Files Related to the
Malicious Svchost Process (4)
• Note that you will need to input the full path of it and the string needs
to be case-sensitive to recreate. And do not use a PowerShell console
or a Windows Terminal since they will create a different hash value.
• You will also need to execute it on the Windows OS that has the same
partition layout as the victim’s one because of the hash algorithm of
Prefetch.
• And you will also need to use Windows 7 or later to recreate it.
• If you are interested in the hash algorithm, check the URL below.
• https://www.hexacorn.com/blog/2012/06/13/prefetch-hash-calculator-a-
hash-lookup-table-xpvistaw7w2k3w2k8/

Process (5)
• Next, search timeline_all.txt for the name of the prefetch file,
"SVCHOST.EXE-2823DB96.pf“ to look into the activities around that
time.

Process (6)
• The first result is the file modification entry of the prefetch file.
However, you will see many prefetch files were modified at the same
time. It seems they were recorded while the Windows OS boots up.
So, it is difficult to find a clue unfortunately. But you can still find the
parent process of the malicious svchost might have a persistence
mechanism because it survived rebooting.

Process (6)
• The next one is the file creation entry of the prefetch file. It should be
around the first execution time of the malicious svchost process.
• Near the file creation, you can also find that VBOXDTRACE.EXE, which looks
a VirtualBox-related program, was also executed for the first time because
of the prefetch file creation. The timestamp was 10 seconds before the
malicious svchost’s prefetch file creation time.
• Since the malicious svchost.exe kept running on the system after this
moment, the prefetch file should have been created 10 seconds after its
actual execution time. Therefore, it is possible that vboxdtrace.exe and the
malicious svchost were executed almost at the same time.

???
VBoxDTrace.exe
svchost with a malicious
PE (httpsX64_d.dll)
135
Kept running
Started at 2022-05-29 11:19:1707?
Started at 2022-05-29 11:19:07
Assumption:

???
VBoxDTrace.exe
svchost with a malicious
PE (httpsX64_d.dll)
136
Exited right
after injecting
a PE image
Kept running
Created svchost and injected a PE
Started at 2022-05-29 11:19:1707?
Started at 2022-05-29 11:19:07
Assumption:
If vboxdtrace.exe used reflective PE injection technique, it could happen. It is because
vboxdtrace.exe should have exited right after injecting a malicious PE image into the
svchost process. Then the vboxdtrace.exe's prefetch file must have been created at
the same time of the execution time.
On the other hand, as we mentioned, the svchost process kept running and the
prefetch file should have been created 10 seconds after the execution.

Process (6)
• The first one is the file modification entry for the prefetch file.
However, a lot of prefetch files were modified at the same time. It
seems to be Windows booting, so it is difficult to find a clue
unfortunately.
• You will also find several files under the VirtualBox folder, which might
also be related to VBoxDTrace.exe because of the file and the folder
name, around the prefetch files recorded.
• Let’s check the details more.

Process (11)
• Actually, you can find that VBoxDTrace.exe is also placed in the same
folder as the files that we mentioned in the previous slide.
A .exe file, a .dll file and a unknown binary file are a typical layout of the DLL
side loading attack. Actually, VBoxTrace.exe is a legitimate file, but VBoxRT.dll
is a malicious dll. It is loaded by VBoxTrace.exe. It decrypts a payload in
wpn.svr and injects into svchost created by itself. So you can presume the
attacker also might have used the technique as well for an Autoruns evasion.

Process (12)
• If you were responding to the real incident, you should get the files
and perform dynamic malware analysis to confirm the behavior such
as a svchost process creation, injecting a PE image into svchost, and
accessing to the malicious server.
• In this case, VBoxDTrace.exe and the files in the same folder are
related to the malicious svchost process.

Process (6)
• The first one is the file modification entry for the prefetch file.
However, a lot of prefetch files were modified at the same time. It
seems to be Windows booting, so it is difficult to find a clue
unfortunately.
• In addition, you can also find a service entry named "WpnServec“ on the
HKLMSYSTEM registry hive was modified at the same time as the first execution
time of VBOXDTRACE.EXE.
• “WpnServec” service might have been created at the moment.
• Note that registry modification event will be occurred when a service is created since registry
hives only have modification time for each key.
• Therefore, you should check the services next.

Process (14)
• Services.txt shows service entries in the registry.
• Let's search it for the service name that we found in the previous slide.

Process (15)
• Then, you can find the persistence entry of the malware.

Memory Forensics
with Swap Files

Memory Forensics
with Swap Files (1)
• As we mentioned earlier, MemProcFS has an amazing feature.
• It can load swap files! You can load them like this.
• This would be very useful if reflective PE injection techniques were
used.
• The PE header of a loaded PE image with the technique will be paged out
because it will never be referred after the PE is loaded.
.MemProcFS.exe -device PhysicalMemory -pagefile0 pagefile.sys -pagefile1 swapfile.sys
Pagefile.sys is used for native apps and the OS.
Swapfile.sys is used for UWP apps.

The left example figure shows us a
result without swap files. The right
figure shows us a result with the
files. Although I used the same
memory image for both, we can find
that many DLLs are injected into
lsass process on the right while we
cannot see any injected DLLs on the
left.

Memory Forensics with Swap Files (3)
• To acquire swap files, use KAPE, TSK and other acquisition tools that
can acquire locked files.
• Note that esentutl cannot get them because they are out of scope of the VSS.
• And I also pull-requested to the developer of the CDIR Collector to
acquire them with it.
• However, they have not taken the request yet. We need to wait for a while…
• I released the compiled binary in my github account below, although the
executable file does not have code-sign.
• https://github.com/herosi/CDIR/

Wrap up
- Memory Forensics

What We Lesson Learned in Memory Forensics (1)
• There are several important strategies for an initial investigation of memory
forensics.
• We found that MemProcFS can show us:
• Process tree
• TCP/IP communications
• Registry hives
• $MFT
• Suspicious modules and memory regions
• …

What We Lesson Learned in Memory Forensics (2)
• We found that MemProcFS can handle:
• Contents of memory images as files and folders by mounting them
• Swap files
• CompressedMemory
• We found that a memory image with swap files could solve a problem
when a reflective PE injection is used.
• And other page-out related problems with that, of course.

Strategies of Memory Fast Forensics
Checking Auto Start Entries with Several Important OS Artifacts
• We would perform persistence analysis with the top priority if we
were investigating disk images. However, we cannot use tools such as
Autoruns for memory. Although there are registry hives on memory,
we can access only some parts of them due to paged out, mapped
files or acquisition timing.
• Therefore, we should get several important OS artifacts such as
registry hives and WMI related files on a disk at the same time when
acquiring a memory image. And check them with dedicated tools for
them such as Registry Explorer. That is why we recommend using a
triaged acquisition tool such as KAPE and CDIR-Collector at the same
time when acquiring a memory image for the first step.
• We also recommend acquiring swap files as well because of the first
paragraph above.

Thank you
@herosi_t, @unk0unk0
Special Thanks to Ulf Frisk (@UlfFrisk)

Super Easy Memory Forensics

More Related Content

What's hot

Similar to Super Easy Memory Forensics

More from IIJ

Super Easy Memory Forensics