Memory Analysis using Volatility - malfind
Volatility is a tool for extracting digital artifacts from volatile memory (RAM) samples. It is built around a set of plugins, each of which extracts a particular kind of artifact quickly and efficiently.
malfind is a Volatility plugin used to find hidden and injected code. It works by scanning a process's VAD (Virtual Address Descriptor) tree for suspicious memory regions that have PAGE_EXECUTE_READWRITE protection.
From an incident response perspective, the volatile data residing in a system's memory contains rich information such as passwords, credentials, network connections, traces of malware intrusions, registry hives and more. This information is a valuable source of evidence and is typically not stored on the local hard disk, which makes memory one of an investigator's favorite data sources for digital forensics, and knowing the right tool to dump and analyze memory is a must.
We can use Volatility's malfind to find suspicious memory regions that have PAGE_EXECUTE_READWRITE protection.
In this sample, we can see that in process ID 1796 there is an MZ header (bytes 4d 5a) at the start of the memory region at 0x6550000.
This points to a malicious executable having been injected into the region: it starts with a PE header and carries PAGE_EXECUTE_READWRITE protection, which is not how a normally loaded module is mapped.
You can then dump this memory region with vaddump for quick, further analysis.
Our syntax will be: vol.exe -f <mem_dump> --profile=<OS_version> malfind -p <PID> -D <dest>
Note: an executable found in a memory region with 0x40 (PAGE_EXECUTE_READWRITE) protection was injected rather than loaded normally.
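To show the rule above (RWX region plus an MZ header at offset 0) as code, here is an added example that is not part of the original post: a small parser for malfind's text output that flags regions matching that rule. The sample output is constructed; its process names, PIDs and addresses are made up, and blank lines and disassembly rows from real malfind output are omitted.

```python
import re
from dataclasses import dataclass

# Constructed sample in Volatility 2 malfind's output layout (not the post's own output);
# process names, PIDs and addresses are made up. Blank lines and disassembly rows omitted.
SAMPLE_MALFIND_OUTPUT = """\
Process: explorer.exe Pid: 1796 Address: 0x6550000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
0x06550000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............
Process: svchost.exe Pid: 1048 Address: 0x1a0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
0x001a0000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
"""

HEADER_RE = re.compile(r"^Process: (\S+) Pid: (\d+) Address: (0x[0-9a-fA-F]+)$")
PROT_RE = re.compile(r"Protection: (PAGE_\w+)")
HEX_RE = re.compile(r"^0x[0-9a-fA-F]+\s{2}((?:[0-9a-f]{2} )+)")  # hexdump rows use two spaces

@dataclass
class Region:
    process: str
    pid: int
    address: int
    protection: str = ""
    first_bytes: bytes = b""

    def has_mz_header(self) -> bool:
        return self.first_bytes.startswith(b"MZ")  # 4d 5a at offset 0: a PE image

def parse_malfind(text: str) -> list:
    """Parse malfind text output into one Region per reported VAD node."""
    regions = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            regions.append(Region(m.group(1), int(m.group(2)), int(m.group(3), 16)))
            continue
        if not regions:
            continue
        cur, p, h = regions[-1], PROT_RE.search(line), HEX_RE.match(line)
        if p and not cur.protection:
            cur.protection = p.group(1)
        elif h and not cur.first_bytes:
            cur.first_bytes = bytes.fromhex(h.group(1))  # first hexdump row only
    return regions

def injected_pe_regions(regions: list) -> list:
    # The post's rule: RWX (0x40) protection plus an MZ header means an injected executable
    return [r for r in regions if r.protection == "PAGE_EXECUTE_READWRITE" and r.has_mz_header()]
```

Regions that are RWX but do not start with MZ (the second sample node) are still worth a look, since position-independent shellcode has no PE header; the function above only reports the PE case the post describes.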
In this sample, we again use malfind to detect possible code injection in process memory.
As we can see, it reports (1) a region with PAGE_EXECUTE_READWRITE protection along with (2) a disassembly of the bytes at the start of that region.
At (3) we dumped malfind's result to disk for further analysis.
At (4) we ran a strings extraction tool over the dump to see what strings it contains; this shows that the memory region holds API function names and other strings of interest.
At (5) we submitted the dumped memory region to VirusTotal for a quick scan, which reports that the region contains injected malware identified as the XtremeRAT backdoor.