Lab 13

DFTT Lab No. 13

Uploaded by Muhammad Tariq
Figure 11.20: Displaying captured RAM dump

As you can see in the preceding screenshot, our image was successfully created; we can now check the path we chose to verify whether the memory image was written there or not.

Lab 3: Memory forensics

Volatility is an open-source memory forensics tool for malware investigation and incident response. It is among the best open-source tools for analyzing RAM on 32-bit and 64-bit systems, and it supports analysis of Linux, Windows, Mac, and Android memory. It is written in Python and runs on Windows, Linux, and Mac operating systems. It can analyze various dump types, including raw dumps, crash dumps, VMware dumps (.vmem), VirtualBox dumps, and more. Volatility was developed by Aaron Walters, a software engineer and entrepreneur, based on his academic work in memory forensics.

Objective: To perform memory forensics using Volatility on Linux.

1. Download the Volatility package (as displayed in figure 11.21) from https://www.volatilityfoundation.org/releases

Figure 11.21: Volatility framework

2. Download Malware - Cridex as the sample memory image (as shown in figure 11.22) from https://github.com/volatilityfoundation/volatility/wiki/Memory-Samples

Figure 11.22: Memory samples

3. Open the terminal window (as shown in figure 11.23) and check the various options and supported plug-in commands available in Volatility.
Command: volatility -h

Figure 11.23: Volatility help page

4. Explore some of the plug-ins (shown in figure 11.23) available in Volatility by running the commands below, using cridex.vmem as the memory sample. The screenshots are given as follows.

5. imageinfo: identifies the supported "profiles" (shown in figure 11.24) for the dumped memory image.
Command: volatility -f cridex.vmem imageinfo

Figure 11.24: Getting the image information

6. pslist: this plug-in of the Volatility tool lists the running processes in the memory dump (displayed in figure 11.25).
Command: volatility -f cridex.vmem --profile=WinXPSP2x86 pslist

Figure 11.25: Getting the list of running processes

7. psscan: this plug-in of the Volatility tool (shown in figure 11.26) can find processes that were previously terminated (inactive) as well as processes that have been hidden or unlinked by a rootkit.
Command: volatility -f cridex.vmem --profile=WinXPSP2x86 psscan

Figure 11.26: Running the process scan

8. pstree: this plug-in of the Volatility tool shows the processes (as presented in figure 11.27) with their PIDs and PPIDs. The purpose is to display the processes in a tree (parent/child) format, which shows how each process is linked to its parent process.
Command: volatility -f cridex.vmem --profile=WinXPSP2x86 pstree

Figure 11.27: Generating the process tree

9. procdump: this plug-in of the Volatility tool (shown in figure 11.28) is used to dump a process's executable.
Command: volatility -f cridex.vmem --profile=WinXPSP2x86 procdump -p 908 --dump-dir=/home/parrot/Documents/file
Output file: executable.908.exe

Figure 11.28: Generating the procdump

Figure 11.29: Executable file created

10. memdump: this plug-in of the Volatility tool (shown in figure 11.30) is used to extract all memory-resident pages of a process (see memmap for details) into an individual file.
Command: volatility -f cridex.vmem --profile=WinXPSP2x86 memdump -p 908 --dump-dir=/home/parrot/Documents/file
Output file: 908.dmp

Figure 11.30: Executable memory dump

11. kdbgscan: the Kernel Debugger (KDBG) block address and the correct system profile can be positively identified with the kdbgscan plug-in. It searches only for KDBG header signatures associated with the Volatility profiles. This mainly helps to clear up the confusion that can arise when the pslist plug-in fails to display any processes in the process list, which can happen if a KDBG with an incorrect PsActiveProcessHead pointer is found earlier in the sample.
Command: volatility -f cridex.vmem --profile=WinXPSP2x86 kdbgscan

Figure 11.31: Executing KDBG scan

12. kpcrscan: Kernel Processor Control Region (KPCR) structures can be found with the kpcrscan plug-in. The kernel uses the KPCR as a data structure to hold processor-specific information. kpcrscan looks for possible KPCR values and dumps them. On a multi-core system, each CPU has its own KPCR; the single-core CPU of this sample is shown in figure 11.32.
Command: volatility -f cridex.vmem --profile=WinXPSP2x86 kpcrscan

Figure 11.32: Executing KPCR scan

Lab 4: Malware analysis

"Malware" is the single-word term for "malicious software." The word refers to a broad range of harmful software created by cyber criminals. Cyberattacks now affect an increasing number of internet users, and enterprises of every size are increasingly targeted. Malicious software opens a backdoor into computers, allowing the theft of many types of data, including private information. Malware analysis is the process of understanding how a piece of malware works and what its potential consequences are. It is important to understand that malware can carry out a wide range of activities and that malware code can vary greatly. It can take the form of Trojan horses, worms, malware, and viruses. Each sort of malware collects data about the infected machine without the user's knowledge or consent.

Aim: To perform malware analysis of Pony malware on Windows.

The Pony virus, often referred to as Pony Stealer, Pony Loader, Fareit, and other names, is a password-stealing program that is able to decrypt or unlock credentials for over 110 different applications, including VPN, FTP, e-mail, instant messaging, web browsers, and many more. Pony Stealer is incredibly harmful: once it takes over a computer, it turns it into part of a botnet that can be used to spread to other computers.
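Returning to the Volatility steps of Lab 3 above (pslist, psscan and pstree): the reason the lab runs both pslist and psscan is that pslist walks the kernel's linked list of processes while psscan carves _EPROCESS structures out of memory, so anything psscan reports that pslist does not is either a terminated process whose structure is still resident or a process that was unlinked from the list. The following Python script is an added example, not part of the lab or of the Volatility project. It parses the text output of the two plug-ins, reports the psscan-only entries with a reason (a row carrying an exit timestamp is a terminated process; one without is an unlinked candidate worth investigating), and renders the parent/child tree that pstree shows. The sample output embedded below is constructed in the column layout Volatility 2 prints and is not real cridex.vmem output; hidden.exe (PID 1820) and notepad.exe (PID 1992) are constructed rows that appear only in the psscan listing.

```python
"""Cross-view check of Volatility 2 pslist vs psscan output, plus a pstree-style renderer."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample output in the layout Volatility 2 prints (not real cridex.vmem output).
PSLIST_OUTPUT = """\
Volatility Foundation Volatility Framework 2.6
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c89c8 System                    4      0     53      240 ------      0
0x822f1020 smss.exe                368      4      3       19 ------      0 2012-07-22 02:42:31 UTC+0000
0x81e2ab28 csrss.exe               584    368      9      326      0      0 2012-07-22 02:42:32 UTC+0000
0x81e2a3b8 winlogon.exe            608    368     23      519      0      0 2012-07-22 02:42:32 UTC+0000
0x8219a838 explorer.exe           1484   1464     17      415      0      0 2012-07-22 02:42:36 UTC+0000
0x81e7bda0 reader_sl.exe          1640   1484      5       39      0      0 2012-07-22 02:42:36 UTC+0000
"""

# Constructed: hidden.exe is present only here (no exit time), notepad.exe only here (exited).
PSSCAN_OUTPUT = """\
Volatility Foundation Volatility Framework 2.6
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x00000000023c89c8 System                4      0 0x00319000
0x00000000024f1020 smss.exe            368      4 0x0a3c6000 2012-07-22 02:42:31 UTC+0000
0x0000000002025b28 csrss.exe           584    368 0x0a3c7000 2012-07-22 02:42:32 UTC+0000
0x00000000020253b8 winlogon.exe        608    368 0x0a3c7000 2012-07-22 02:42:32 UTC+0000
0x000000000239a838 explorer.exe       1484   1464 0x0a3ef000 2012-07-22 02:42:36 UTC+0000
0x0000000002077da0 reader_sl.exe      1640   1484 0x0a3f2000 2012-07-22 02:42:36 UTC+0000
0x0000000002169020 hidden.exe         1820   1484 0x0a3f5000 2012-07-22 02:43:01 UTC+0000
0x0000000002163da0 notepad.exe        1992   1484 0x0a3f8000 2012-07-22 02:43:05 UTC+0000   2012-07-22 02:44:10 UTC+0000
"""

# Both plug-ins print offset, name, PID and PPID as the first four columns.
ROW_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)")
TIMESTAMP_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC[+-]\d{4}")


@dataclass(frozen=True)
class Proc:
    offset: str
    name: str
    pid: int
    ppid: int
    exited: bool  # True when the row carries both a start/created and an exit timestamp


def parse_process_rows(text: str) -> dict[int, Proc]:
    """Parse pslist or psscan text into a PID -> Proc map, skipping banner/header lines."""
    procs: dict[int, Proc] = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # banner, column header and separator lines do not match
        offset, name, pid, ppid = m.groups()
        exited = len(TIMESTAMP_RE.findall(line)) >= 2
        procs[int(pid)] = Proc(offset, name, int(pid), int(ppid), exited)
    return procs


def scan_only_processes(pslist_text: str, psscan_text: str) -> dict[int, str]:
    """Return PIDs that psscan carved but pslist's list walk did not report, with a reason."""
    listed = parse_process_rows(pslist_text)
    scanned = parse_process_rows(psscan_text)
    findings: dict[int, str] = {}
    for pid, p in sorted(scanned.items()):
        if pid in listed:
            continue
        # An exit timestamp means the _EPROCESS simply outlived the process; no exit
        # timestamp on a process missing from the linked list is the DKOM/unlink signature.
        findings[pid] = "terminated" if p.exited else "unlinked"
    return findings


def build_pstree(procs: dict[int, Proc]) -> list[str]:
    """Render the PPID links as an indented tree, one dot per depth like pstree does."""
    children: dict[int, list[Proc]] = {}
    for p in procs.values():
        children.setdefault(p.ppid, []).append(p)
    lines: list[str] = []
    seen: set[int] = set()

    def walk(p: Proc, depth: int) -> None:
        if p.pid in seen:
            return  # guards against PPID cycles in a corrupted listing
        seen.add(p.pid)
        lines.append(f"{'.' * depth}{p.offset}:{p.name} ({p.pid})")
        for child in sorted(children.get(p.pid, []), key=lambda c: c.pid):
            walk(child, depth + 1)

    by_pid = sorted(procs.values(), key=lambda c: c.pid)
    for p in by_pid:
        if p.ppid not in procs:  # parent absent from the listing: this process starts a tree
            walk(p, 0)
    for p in by_pid:
        walk(p, 0)  # anything still unseen sits in a cycle; show it as its own root
    return lines


if __name__ == "__main__":
    for line in build_pstree(parse_process_rows(PSLIST_OUTPUT)):
        print(line)
    for pid, why in scan_only_processes(PSLIST_OUTPUT, PSSCAN_OUTPUT).items():
        print(f"psscan-only PID {pid}: {why}")
```

To use it against the lab's image, redirect the plug-in output to files (for example `volatility -f cridex.vmem --profile=WinXPSP2x86 pslist > pslist.txt`, likewise for psscan) and pass the file contents to scan_only_processes. The parser deliberately keys on PID, so a PID that psscan reports with a different name or PPID than pslist will not be flagged by this check; comparing offsets and names is a natural extension.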
