
Ramnit writeup using volatility3 - cyberdefenders

Instructions: Uncompress the lab (pass: cyberdefenders.org)

Scenario: Our intrusion detection system has alerted us to suspicious behavior on a workstation, pointing to a likely malware intrusion. A memory dump of this system has been taken for analysis. Your task is to analyze this dump, trace the malware’s actions, and report key findings. This analysis is critical in understanding the breach and preventing further compromise.

Tools: Volatility 3


Question 1/7 - We need to identify the process responsible for this suspicious behavior. What is the name of the suspicious process?

After an initial reconnaissance with the windows.netstat plugin in Volatility, three processes stand out based on their network behavior:

  • svshost.exe
  • WWAHost.exe
  • ChromeSetup.exe

While svshost.exe and WWAHost.exe only show connections in CLOSE_WAIT or ESTABLISHED states, ChromeSetup.exe is attempting to establish a connection with an external IP address on an unusual port. Using windows.pstree we also see that this process is a grandchild process. Given this behavior, it is flagged as suspicious.
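The triage rule applied above (external destination plus a port that is not a normal web port) can be scripted over the netstat output instead of being done by eye. The following is an added example, not part of the original writeup: it parses text in the column layout of Volatility 3 windows.netstat and returns the rows worth a closer look. The sample rows are constructed; only the process names, PID 4628 and the foreign IP 58.64.204.181 come from the writeup, while the offsets, local addresses, other ports, connection states and timestamps are placeholders.

```python
import ipaddress
from typing import Dict, List

# Constructed sample in the column order of Volatility 3 windows.netstat:
# Offset Proto LocalAddr LocalPort ForeignAddr ForeignPort State PID Owner Created
# Only the process names, PID 4628 and 58.64.204.181 are taken from the writeup;
# everything else (offsets, other addresses, ports, states, times) is made up.
SAMPLE_NETSTAT = """\
Volatility 3 Framework 2.5.0
Offset  Proto  LocalAddr  LocalPort  ForeignAddr  ForeignPort  State  PID  Owner  Created
0xa30e6b2f1a20  TCPv4  192.168.1.20  49721  52.114.75.10   443   CLOSE_WAIT   1224  svshost.exe      2024-01-01 10:00:00.000000
0xa30e6b2f3b40  TCPv4  192.168.1.20  49733  20.190.159.68  443   ESTABLISHED  3316  WWAHost.exe      2024-01-01 10:00:05.000000
0xa30e6b2f5c60  TCPv4  192.168.1.20  49740  58.64.204.181  8080  SYN_SENT     4628  ChromeSetup.exe  2024-01-01 10:01:00.000000
0xa30e6b2f7d80  TCPv4  192.168.1.20  49742  192.168.1.5    445   ESTABLISHED  4     System           2024-01-01 10:01:30.000000
0xa30e6b2f9ea0  TCPv4  0.0.0.0       135    *              0     LISTENING    812   svchost.exe      2024-01-01 09:58:00.000000
"""

# Ports that an ordinary workstation process is expected to talk to on the internet.
COMMON_PORTS = {80, 443}


def parse_netstat(text: str) -> List[Dict[str, str]]:
    """Turn windows.netstat table text into dicts, skipping banner/header/progress lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows start with the kernel object offset; the Created column may
        # contain a space, but fields 0..8 are fixed so plain split() is enough.
        if len(parts) < 9 or not parts[0].startswith("0x"):
            continue
        rows.append({
            "proto": parts[1], "local": parts[2], "lport": parts[3],
            "foreign": parts[4], "fport": parts[5], "state": parts[6],
            "pid": parts[7], "owner": parts[8],
        })
    return rows


def is_external(addr: str) -> bool:
    """True for a routable public address; False for private, loopback, '*' or garbage."""
    try:
        return ipaddress.ip_address(addr).is_global
    except ValueError:
        return False


def flag_unusual_connections(text: str, common_ports=COMMON_PORTS) -> List[Dict[str, str]]:
    """Return rows whose foreign endpoint is public and on a port outside common_ports."""
    flagged = []
    for row in parse_netstat(text):
        if not is_external(row["foreign"]):
            continue
        try:
            port = int(row["fport"])
        except ValueError:
            continue
        if port in common_ports:
            continue
        flagged.append(row)
    return flagged


if __name__ == "__main__":
    for row in flag_unusual_connections(SAMPLE_NETSTAT):
        print(f'{row["owner"]} (pid {row["pid"]}) -> {row["foreign"]}:{row["fport"]} {row["state"]}')
```

On a real dump, pipe the plugin output into the script (or save it with `-r csv` and adapt the splitting); the second filter a practitioner would add is the windows.pstree parent chain, so that a network-active process whose parent is not a browser or installer also gets flagged.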


Answer - ChromeSetup.exe

Question 2/7 - To eradicate the malware, what is the exact file path of the process executable?

Now that we have identified the suspicious process, we need the exact file path of its executable. The windows.cmdline plugin prints the command line of every process; filtering its output with grep for ChromeSetup.exe gives the path of the executable.


Answer - C:\Users\alex\Downloads\ChromeSetup.exe

Question 3/7 - Identifying network connections is crucial for understanding the malware's communication strategy. What is the IP address it attempted to connect to?

From our earlier analysis with windows.netstat, we identified the external IP address that ChromeSetup.exe is attempting to communicate with.


Answer - 58.64.204.181

Question 4/7 - To pinpoint the geographical origin of the attack, which city is associated with the IP address the malware communicated with?

Now that we have the IP address, we have to find where it is located. We can use a whois lookup for that: run whois 58.64.204.181 and the address appears in the result:


Answer - Hong Kong

Question 5/7 - Hashes provide a unique identifier for files, aiding in detecting similar threats across machines. What is the SHA1 hash of the malware's executable?

Now we have to find the sha1sum of the ChromeSetup.exe file. To do so, we first have to dump the file from memory with the windows.dumpfiles plugin, which writes the dumped files into a directory; I created an out directory for them. To dump the file we need the PID (process ID) of the process, which we know from question 1 is 4628. The final command to dump the file is:

```bash
python3 /home/kali/tools/volatility3/vol.py -o ./out -f memory.dmp windows.dumpfiles --pid 4628
```

When I got the exe dumped, I terminated the dumping program.


Now we have to get the sha1sum; for that, use the command sha1sum FILE_NAME to get the hash.


Answer - 280c9d36039f9432433893dee6126d72b9112ad2

Question 6/7 - Understanding the malware's development timeline can offer insights into its deployment. What is the compilation UTC timestamp of the malware?

Now we have to extract the compilation timestamp of the malware in UTC. We can use exiftool to extract it, but exiftool may report the timestamp in a different timezone, so convert it back to UTC+0.
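Both of the last two steps (the SHA1 of the dumped file from question 5 and the UTC compile time from question 6) can be done in one script, and reading the PE header directly avoids the timezone trap entirely, because IMAGE_FILE_HEADER.TimeDateStamp is stored as seconds since the Unix epoch. This is an added example, not code from the writeup or from Volatility/exiftool. The PE bytes it works on are a constructed minimal MZ/PE stub whose TimeDateStamp is set to the writeup's answer, so its SHA1 is of course not the lab's hash; the exiftool-style timestamp string with a +05:00 offset is likewise a constructed sample.

```python
import calendar
import hashlib
import struct
import sys
from datetime import datetime, timezone


def sha1_hex(data: bytes) -> str:
    """SHA1 of the dumped executable's bytes (the same value sha1sum prints)."""
    return hashlib.sha1(data).hexdigest()


def pe_compile_time_utc(data: bytes) -> str:
    """Read IMAGE_FILE_HEADER.TimeDateStamp from a PE image and render it in UTC.

    Layout: 'MZ' at 0, e_lfanew (offset of 'PE\\0\\0') at 0x3C, then the 20-byte COFF
    header whose TimeDateStamp is at offset 4, i.e. e_lfanew + 8 from file start.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (ts,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def exiftool_to_utc(value: str) -> str:
    """Normalise an exiftool-style 'YYYY:MM:DD HH:MM:SS+HH:MM' local time to UTC."""
    dt = datetime.strptime(value, "%Y:%m:%d %H:%M:%S%z")
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def build_sample_pe(timestamp: int) -> bytes:
    """Constructed minimal PE stub: DOS header with e_lfanew, PE signature, COFF header."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0, 0x102)
    return bytes(dos) + b"PE\0\0" + coff


# Constructed sample whose TimeDateStamp equals the writeup's answer (2019-12-01 08:36:04 UTC).
SAMPLE_TS = calendar.timegm((2019, 12, 1, 8, 36, 4, 0, 0, 0))
SAMPLE_PE = build_sample_pe(SAMPLE_TS)
# Constructed exiftool-style value: the same instant as seen from a UTC+5 machine.
SAMPLE_EXIFTOOL = "2019:12:01 13:36:04+05:00"


if __name__ == "__main__":
    # Usage: python3 this.py <dumped executable>; without an argument the sample stub is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PE
    print("SHA1:        ", sha1_hex(data))
    print("Compiled UTC:", pe_compile_time_utc(data))
    print("exiftool ->  ", exiftool_to_utc(SAMPLE_EXIFTOOL))
```

Run it against the file produced by windows.dumpfiles; if the SHA1 does not match what sha1sum prints, the dump was truncated or the wrong artefact (for example the ImageSectionObject rather than the DataSectionObject copy) was picked up.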


Answer - 2019-12-01 08:36:04

Question 7/7 - Identifying domains involved with this malware helps in blocking future malicious communications and identifying current possible communications with that domain in our network. Can you provide the domain related to the malware?

To find the domain, we can use VirusTotal. Either upload the dumped malware file or search for its SHA1 hash. VirusTotal will provide detailed information about the malware, including the domains it communicates with.


We can see the related domain.

Answer - dnsnb8.net