Digital forensics

Forensic investigation with Redline

Revers3r
April 14, 2016 by
Revers3r

This lab covers how to conduct a Memory investigation of malware using Redline from FireEye.

In our lab we will analyze the Biscuit malware which is mostly used in APT's. You can find out more online by a simple google search.

Learn Digital Forensics

Learn Digital Forensics

Build your skills with hands-on forensics training for computers, mobile devices, networks and more.

1. Infecting the machine

I am assuming that you have an isolated machine. In my case, Windows XP is running with restricted access to the Internet, probably running in Virtualbox. So first, infect the malware by clicking it. After some time, it will vanish. By this time, it has done something to the machine.

Before starting with Redline, we will first perform a static analysis of the malware. We will then create an Image of the machine for memory investigation After noting some important points, I will move to the Redline

Primary analysis with String Utility:

So from the above picture we have concluded that the artifacts are taking the process information and doing some registry entries; there's also some internet activity. We can conclude that it is probably sending information.

With further analysis we can see more interesting information about the artifact. See the image below.

Host,connect,Hotmail.com,index.asp,Mozilla/4.0,cmd.exe

So basically it is connecting to the host using connect API. Also, it has a specific UserAgent Mozilla/4.0 which indicates that it is checking the browser to determine whether it is Mozilla or not. If it is, it will do malicious things. It is also uploading the file, checking the system information, checking memory usage, taking system info. You can check the below images for more. We will confirm above more in Redline as well as with IDA Pro.

Now we will execute the malware, take the image and feed to the Redline for the further investigation.

2. Investigation using Redline collector

After Installing Redline, open it and go the collector option as below:

This option will create a folder which can be used for audit purpose of a victim machine in which malware(artifact) is running. This will create RunRedlineAudit.bat, which will collect necessary information that can be audited by redline. We just to create a folder on the machine where Redline is running using collector option where it will create the bat file. We have to take that batch file either by USB or shared network folder to the victim machine.

Choose a folder where you want to save the settings; after that it will create all required files in the computer for auditing. As we see, a folder named Mandiant has been created on my machine where all the necessary files are located, including the batch file. So this batch file should be run on the victim machine. Check the below image for more details:

After everything above, we will run the malware and audit the system to see what happened.

Now we will run the malware and audit the system forensically. Put the folder inside the victim machine. Run the malware and audit the program using the bat file by Redline.

It will take some time by opening a cmd where the audit program starts:

Now I will copy the session file (which was just audited by batch file in the Victim machine) to the investigation machine and we will start analyzing it.

We will have a folder called Analysis1 where it creates a mandiant file (.mans extension), but we have to open with Mandiant Redline for analysis.

We will see the below image as mine:

After that, we will start our full investigation as we said earlier:

But as a forensic investigator, we should go deep. For that, we have to infect the system, take the image and investigate.

Creating image of the infected machine and analyzing using Redline memory option

After infecting the machine, we will take the image of the infected machine using Memoryze tool from FireEye. We just have to run the memorize and it will create the image file for analysis. I have memorized it in my machine as shown below:

Run the memorydd.bat file which will start creating the image of the system. This file is nothing but a list of batch programs which will run the memorize application as shown below:

After 10 to 15 minutes, it will create the image.

3. Investigation using Redline memory analyzer option

As you see, there is an option where we can analyze using the memory image of an infected system for deep analysis of the memory.

After taking the image, we will analyze using Redline for further investigation. First, we will place the image into Redline: choose IOC. For IOC, you first have to download it. I have downloaded it from FireEye as one of the biggest APT1. I will share the IOC:

Go to the Memory image where you have put IOC. I am using Mandiant's APT! as IOC. Select Full Response Analysis to start.

The first thing that drew my attention was in the Processes filter where the svchost.exe was redlined with a malware risk index (MRI) score 93. The MRI score allows me to prioritize the investigation. The higher the score, the more likely this process is involved in a potential compromise.

If I am going to that svchost .exe by clicking IOC report button, it will show the pie chart with factors of reason:

Now I am acquiring the process address space to conduct a deeper analysis, which will acquire an address from the image so that we can again investigate it.

We get lots of semaphore attention. This is important as shown below - the point of investigation:

4. Verifying with IOC

In this step, we will create the IOC and compare the IOC downloaded by us. There is a button called "Create IOC" which will do this for us. We have to go there and compare the malware family.

The data was evaluated and executed in the background. It took around 30 minutes to finish. When the analysis was done, I could browse the IOC report. In the report, I could see details about the IOC, such as the definition and author. Hits associated with each file correspond to an IOC. Detailed information about each hit and the number of indicators that generated hits.

5. Verifying with volatility framework

Now we will go with deep analysis implementing Volatility Framework. Using the malfind option we can see which processes are injected for hooking with disassembly option.

Volatility –f imagename malfind

Memory sections marked as Page_Execute_ReadWrite, which allows a piece of code to run and write itself, are indicative of code injection and are easy to identify. Code injection is a very common technique for malware to maintain persistence and ensure that the malicious code continues to run.

So there are two sections which are hooked or where injection happens are csrss.exe and msiexec.exe.

Viewing the process as shown below are

Volatility –f imagename pslist

Using psxview will show the presence of a rootkit operation which will look for the hidden process. Look for the TRUE condition which explores the hidden process:

volatility –f filename psxview

If we saw svchost.exe which have been identified by MRI rank using Redline, Volatility also confirms about that.

We can also see the registry operation has happened after running the Malware or Artifacts. We can also see this by Volatility hive option:

IDA PRO Analysis:

Upon analyzing malware in IDA Pro, we see the following things:

Taking the registry "SOFTWAREMicrosoftWindowsCurrentversionRun"

Set the key with 02 value and smservice process.

So the smservice process is created.

In the above image, it is also checking network connectivity, starting with the network connection.

It also tries to connect to a specific page and with specified useragent. Check the image below:

Persistence: the malware itself installs as a service and the path will be stored in registry below:

"SOFTWAREMicrosoftWindowsCurrentversionRun"

Malware creates copy of svchost.exe and cmd.exe

The above list of items indicates the maliciousness of the file. It also enumerates all the process disabling privileges and many more things. Details of reverse engineering of malware is out of scope here.

Virustotal Analysis: here

Also, the same result we can find using Online Analysis by Payload Security as below: here

Learn Digital Forensics

Learn Digital Forensics

Build your skills with hands-on forensics training for computers, mobile devices, networks and more.

Conclusion

So Mandiant's Redline is a great tool for forensic investigation as it is very useful for investigating useful info like Process Injection, Mutex, Semaphore, etc. in the system. Also, this tool classifies the threats as per the MRI score.

Revers3r
Revers3r

Revers3r is a Information Security Researcher with considerable experience in Web Application Security, Vulnerability Assessment, Penetration Testing. He is also well-versed in Reverse Engineering, Malware Analysis. He's been a contributor to international magazines like Hakin9, Pentest, and E-Forensics. In his free time, he's contributed to the Response Disclosure Program. website: www.vulnerableghost.com