In digital forensics, we start with what we know.
We are tasked with investigating an endpoint that reports to a known malicious external server, so there is most likely a process responsible for that traffic.
To find it, we enumerate all processes recorded in the captured volatile memory.
– –
First, we use the Volatility pstree plugin to enumerate the parent-child relationships of all running processes. Look for names that do not belong, misspelt system process names, and system processes with the wrong parent (for example, an svchost.exe that was not spawned by services.exe).
To perform this task, we run the syntax:
In Windows: vol.exe -f <mem.dmp> --profile=<OS> pstree
In Linux: python vol.py -f <mem.dmp> --profile=<OS> pstree
In this case, we see a red flag.
Red Flag 1: PIDs 1676 and 1700 carry suspicious names, scvhost.exe and wuaumqr.exe.
– –
Next, we run the Volatility pslist plugin and filter for svchost.exe to check whether PID 1676 appears among the legitimate svchost.exe instances.
To perform this task, we run the syntax:
In Windows: vol.exe -f <mem.dmp> --profile=<OS> pslist | findstr /i "svchost"
In Linux: python vol.py -f <mem.dmp> --profile=<OS> pslist | grep -i "svchost"
In this case, we see another red flag.
Red Flag 2: Filtering for svchost.exe does not return PID 1676, because that process is spelled s"C"vhost.exe (c before v) rather than s"V"chost.exe.
#tip: This is what the write-up calls the psycholinguistic technique. Malware authors use it for stealth and to avoid detection: they name their binary almost like a legitimate process, replacing or swapping a single letter so the eye reads the familiar name and the process blends into a listing. (MITRE ATT&CK tracks this under Masquerading, T1036.)
– –
Then, we run the Volatility cmdline plugin for both PIDs, 1676 and 1700, to see where each executable resides on disk.
To perform this task, we run the syntax:
In Windows: vol.exe -f <mem.dmp> --profile=<OS> cmdline -p <PID>
In Linux: python vol.py -f <mem.dmp> --profile=<OS> cmdline -p <PID>
In this case, we see that wuaumqr.exe (PID 1700) resides in C:\Windows\System32.
A System32 path is not by itself reassuring: the directory is writable by administrators, and a look-alike name dropped there is still a look-alike. Compare each path against where the legitimate counterpart belongs (svchost.exe lives in C:\Windows\System32) and treat anything launched from user-writable locations such as %TEMP% or %APPDATA% as a further red flag.
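The three steps above (pstree for parentage, pslist for names, a manual eye for one-letter differences) can be automated so that look-alike names and wrong parents are flagged without reading every row. The script below is an added example for this write-up, not code from the original page or from the Volatility project. It assumes the default pslist column layout (Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit) and a short, assumed baseline of legitimate Windows process names and parents; the sample table is constructed, with only PIDs 1676/1700 and the two odd names taken from the case, and every offset, parent and timestamp made up.

```python
"""Triage Volatility 2 pslist output for look-alike process names and
unexpected parents.  Added example; not Volatility's own code."""
from typing import Dict, List, Tuple

# Assumed baseline of legitimate names; extend it for the OS profile you
# analyse.  Comparison is case-insensitive.
KNOWN_PROCESSES = {
    "system", "smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe",
    "services.exe", "lsass.exe", "lsm.exe", "svchost.exe", "spoolsv.exe",
    "taskhost.exe", "dwm.exe", "explorer.exe", "wuauclt.exe",
}

# Assumed parent for core processes on a default Windows 7 boot chain.
EXPECTED_PARENT = {
    "services.exe": "wininit.exe",
    "lsass.exe": "wininit.exe",
    "svchost.exe": "services.exe",
}

# Constructed sample in pslist's layout (offsets, parents, times invented).
SAMPLE_PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0x85ab6020 System                    4      0     85      480 ------      0 2024-01-01 10:00:00 UTC+0000
0x86a2b3b8 smss.exe                368      4      2       29 ------      0 2024-01-01 10:00:01 UTC+0000
0x86b2f5a0 wininit.exe             620    368      3       76      0      0 2024-01-01 10:00:02 UTC+0000
0x86b5c7e8 services.exe            668    620      8      210      0      0 2024-01-01 10:00:03 UTC+0000
0x86b60a10 lsass.exe               684    620      7      560      0      0 2024-01-01 10:00:03 UTC+0000
0x86b9a2c0 svchost.exe             860    668     11      340      0      0 2024-01-01 10:00:04 UTC+0000
0x86ba1d40 svchost.exe             924    668     19      410      0      0 2024-01-01 10:00:04 UTC+0000
0x86c44f00 explorer.exe           1404   1380     22      690      1      0 2024-01-01 10:00:10 UTC+0000
0x86c9b1a8 scvhost.exe            1676   1404      3       52      1      0 2024-01-01 10:02:31 UTC+0000
0x86ca2d20 wuaumqr.exe            1700   1676      2       40      1      0 2024-01-01 10:02:32 UTC+0000
"""


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus adjacent
    transposition, so 'scvhost' vs 'svchost' scores 1 rather than 2."""
    a, b = a.lower(), b.lower()
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # swapped letters
    return d[len(a)][len(b)]


def parse_pslist(text: str) -> List[Dict]:
    """Keep name/PID/PPID from each data row; header and rule lines are skipped."""
    procs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].startswith("0x"):
            continue
        procs.append({"name": parts[1], "pid": int(parts[2]), "ppid": int(parts[3])})
    return procs


def closest_known(name: str) -> Tuple[str, int]:
    best = min(KNOWN_PROCESSES, key=lambda k: osa_distance(name, k))
    return best, osa_distance(name, best)


def triage(procs: List[Dict], max_distance: int = 2) -> Dict[str, List[Dict]]:
    """Buckets: lookalike (unknown name within max_distance edits of a
    legitimate one), unknown (not close to anything), bad_parent."""
    by_pid = {p["pid"]: p["name"].lower() for p in procs}
    out = {"lookalike": [], "unknown": [], "bad_parent": []}
    for p in procs:
        name = p["name"].lower()
        if name in KNOWN_PROCESSES:
            expected = EXPECTED_PARENT.get(name)
            if expected and by_pid.get(p["ppid"]) != expected:
                out["bad_parent"].append({"pid": p["pid"], "name": p["name"],
                                          "parent": by_pid.get(p["ppid"]),
                                          "expected": expected})
            continue
        known, dist = closest_known(name)
        entry = {"pid": p["pid"], "name": p["name"], "closest": known, "distance": dist}
        out["lookalike" if dist <= max_distance else "unknown"].append(entry)
    return out


if __name__ == "__main__":
    for bucket, hits in triage(parse_pslist(SAMPLE_PSLIST)).items():
        for h in hits:
            print(bucket, h)
```

Pipe real output in with `vol.py ... pslist > pslist.txt` and call `triage(parse_pslist(open("pslist.txt").read()))`. On the constructed table the script puts scvhost.exe (1676) in the lookalike bucket as one transposition away from svchost.exe, and wuaumqr.exe (1700) in the unknown bucket because nothing in the baseline is within two edits of it; an unknown name is not automatically malicious, so the unknown bucket is the list to check against cmdline and dlllist, not a verdict.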
– –
After running this series of plugins and commands, we have the red flags for both processes.
Now we can continue the investigation with this information.
From our analysis, we can answer the questions:
"What are the names of the malicious processes?" A: scvhost.exe (PID 1676) and wuaumqr.exe (PID 1700)
"What technique does this malware use for stealth operation?" A: Psycholinguistic technique (look-alike process names)
We are now ready for Step 2: Carving .EXE files.