Malware analysis

Memory analysis using redline

Memory Analysis has become very useful for malware hunting and investigation purposes. Redline is a tool which is used to analyze the memory samples collected from the live host system or a remote system.

Objective

In this lab, we will cover all the steps to perform memory analysis using Redline for malware/malicious programs. In this lab, we will use various memory samples of malware infected systems.

Memory samples to use in Lab:

Labs_raw.img
Lab.mans
Lab_Handles.mans
Lab_Hooks.mans
Lab_Hooks_raw.img

Also, the lab will consist of an IOC that can be used directly in section "Using IOC to automate the process in Redline".

Note: .mans files are already loaded files of various memory samples. We will be using them directly within Redline to discover various malicious artifacts. This will also save a lot of time that raw memory images take to load.

Preparing redline for memory analysis

In this section we will look out both raw image and saved .mans file can be loaded in Redline for analysis.

Loading a raw image in redline

Install Redline
Launch Redline from Windows Start button. Following Redline interface will open
For raw memory image, we will see how to load an image 'conficker.img.'
Select "From a Saved Memory File".

In the below dialog Box, browse to the location where the raw image is saved on your local machine.

Click Next
In the next screen click on "Edit your script".

Select the checkbox for strings.

Click Ok.
Specify the name of the analysis section 'Infosec_Institute_Lab_Analysis'- and location where the analysis session results will be stored.

Click Ok.
Redline will then prepare the session for analysis. Confirm the creation of folder name as the session name specified in step 10. Loading of raw memory image will look like this.

At this point, the raw memory dump is loaded in the Redline for further Analysis. On successful loading following, the screen will appear. Confirm that on left-hand side Processes, Driver Modules, etc. can be seen.

Opening a saved mans file

Redline save the analysis of any file in mans format. Below steps outline what steps should be followed to open an mans file in Redline

In this section, we will be using Lab.mans file.

.mans file can be open in Redline either from Redline Home page or Redline Launch Page. In this section, we will load the .mans file from Home Page. However if .mans file needs to be loaded from Launch Page perform this step.

From Launch Page click on "Open Previous Analysis" and locate the .mans file to be loaded into the system.

Click here to download the files associated with this article: https://drive.google.com/folderview?id=0B4V9rO4-QhMDMFBkRDhEU0xJX00&usp=sharing

From Redline Home Page, click on Redline Icon on Top left corner like below and click on "Open a Saved Analysis".

Browse to Saved mans file location and Click on Open.

This process will be much faster and below screen will appear after opening saved analysis much like that of the raw image.

Artifacts available in Redline for analysis

For this section, we will keep using Lab.mans file loaded in previous section "Opening a saved mans file".
After loading Redline gives a view of what all artifacts can be analyzed from a memory sample.

Major Ones are:
- Processes
  - Handles
  - Memory Sections
  - Strings
  - Ports

Hierarchical Processes
Hooks

Now we will start analyzing each of artifacts in Redline

Analyzing process in redline

Click on Processes. It will show all the process that were in memory when the memory was acquired.

Redline has built-in signatures in which it will classify the process to be malicious and redline it. In above screenshot, we can see that two processes are redlined by Redline.
Redline also gives a Malware Risk Index (MRI) score to each process. Higher the score, more malicious of its chances will be. We can see that both redlined process have MRI score of 97 and 94. Highly suspicious.
Click on "Redlined Processes" to see only redline processes.
Double Click on Redlined Process 'svchost.exe'. It will open details about the process.

Click on MRI tab at the bottom. MRI report shows up.

It will also tell us why it has awarded that MRI scores to this process. In this it says:

There are about 47 percent negative factors associated with this process.

Analyzing network connection using Redline

Normally when malware is injected into a system, it contacts its C&C server to revive payload, to infect other systems in the same network, etc. Analyzing the network connection can be beneficial during memory analysis.

We will continue analyzing the Lab_Handles.mans file.
Expand Processes and Click on Ports.

We can see all the connection available in Redline while the memory was captured.

We can see that Process 'System,' PID 4 is making a connection to 94.247.2.107 over port 80. It is very common for malware to hide their connection in plain sight. Why does it choose port 80? Because it is usually opened within organizations and least analyzed.

A Google search for IP 94.247.2.107 confirms that the IP 94.247.2.107 is listed with TDSS worm.

Analyzing strings using Redline

Since we have selected the strings earlier while loading the image, we can search for strings in the memory file.

We will continue analyzing the Lab_Handles.mans file.
Expand Processes and click on Strings.
Search for 'http://'. It will show all the strings scattered around memory where http:// is there. Below we can see that process 1928 Explorer.EXE connects to 192.168.30.129 with user foo and traverses to malware directory. This looks suspicious.

Analyzing handles in Redline

In this section, we will analyze the handles using Lab_Handles.mans file. Follow steps outlined in "Opening a saved mans file" section above to load Lab_Handles.mans file.
Expand Process and Click on Handles.

Below screen will show all the handles present in memory while it is acquired.

Now there are a lot of objects associated with an object like File Handles, Directory handles, Registry Handles, Mutants, etc. In the next step, we will see Mutant Handles.
Click on Mutant handles and it will show all the mutants present in memory.

We see the mutant named _!MSFTHISTORY!_ which is a known mutant for TDSS malware.

Analyzing memory sections using Redline

In Redline, we can analyze the memory sections to look out for injected code.

In this section, we will continue analyzing Lab_Handles.mans file.
Expand Processes and Click on Memory Sections

We will see all the memory section available in memory.
Click on "injected Memory Sections".

Below we can see that PID 1980 is injected.

Processes parent–child relationship

In Redline, we can see the processes parent-child relationship. This is beneficial while analyzing the process to see which process was spawned from whom and also it gives an indication about when a system boots.

Click on Hierarchical processes on the Left-Hand side.

As we can see below is has shown us how the parent –child relationship among processes.

Analyzing hooks using Redline

Malware usually hooks kernel artifacts like service descriptor table (SSDT), IDT, IRP to take broader control over the system. In this section, we will see how Redline can be used to analyze these sections.

In this section, we will use LAB_Hooks.mans file. Follow steps outlined in "Opening a saved mans file" section above to load LAB_Hooks.mans file.
Click on Hooks.

Below screen shows all Hooks for this memory image.

We can filter it with a specific type of Hook like SSDT, IDT, IRP hook.
Click on SSDT Hooks.

Note that though Redline gives the Trust Status "Undetermined," it is highly suspicious to have a driver called burito24b1-1710.sys in a system.

A Google searches on burito24b1-1710.sys reveals that it has already been submitted to malwr.com

Using 3^rd party tools greatly enhances the memory analysis.

Click on IRP hooks to see what system drivers have been hooked.

Here we can see that burito24b1-1710.sys has hooked tcpip.sys.

Using IOC to automate the process in Redline

Automating the process with Indicator of Compromise (IOC) using Redline is a very great feature. IOC's are usually shared among the security community so collecting them and running them against an acquired memory will give us HITS if it matches.

As we saw above for LAB_Hooks, driver burito24b1-1710.sys was not recognized malicious under SSDT by Redline but since we know it is malicious, let's make an IOC and run that IOC against the Lab_Hooks.mans file.

We will be using Mandiant IOC builder to create an IOC.

Create Directory 'IOC' where the IOC's will be stored
Open Mandiant IOC builder and select the folder created in step 1
Click New > Indicator

Give description for this IOC like below

Click on Item > HookItem>Hook Hooking Module

Enter the details of the driver as is seen in LAB_Hooks.mans file.
Click ADD
Click Item>Hook>Hook Hooked Module
Below is the final signature for this IOC

Click Save to save this IOC to the folder created in Step 1 of this section.
Open Redline >Open Saved Memory
Browse to the location of raw memory Image and IOC created above
Select the IOC listed to see the description as well.

Click Next
Follow steps 7-11 as listed in section "Loading a raw image in Redline."(Name the folder to save analysis "Infosec_Institute_Lab_Hooks").
Once loaded the IOC report will keep running in the background.
Upon completion, browse to the folder 'Infosec_Institute_Lab_Hooks'.
Open Infosec_Institute_Lab_Hooks' > IOCs>IOCReport>Hits>*.html
As we can see below that based on our indicator, Redline has the following hits which is exactly what we have seen in SSDT; IRP hooks earlier.