WEBVTT

00:00.640 --> 00:02.020
In this lecture.

00:02.140 --> 00:08.350
As we stated previously, one of the central goals of memory analysis is to determine whether there

00:08.350 --> 00:13.160
are any suspicious data points that are indicative of malware.

00:13.180 --> 00:21.880
So in the event data points such as those from the CRIDEX or, like, R2D2 memory image are located, they

00:21.880 --> 00:23.960
can be queried for further analysis.

00:23.980 --> 00:28.080
So in this lecture, we're going to do the memory dump.

00:28.090 --> 00:35.860
So during the course of the analysis, it may become necessary to dump the memory resident pages associated

00:35.860 --> 00:39.100
with the process, in this case, the memdump.

00:40.540 --> 00:41.950
The memdump here.

00:41.980 --> 00:49.120
The memdump process, where the memdump plugin is run against the memory image.

00:49.420 --> 00:49.990
Yeah.

00:50.230 --> 00:51.550
So let's delete this.

00:51.550 --> 00:54.850
And yeah, this is our profile.

00:55.230 --> 01:01.990
Now we're going to work in the same image file that we worked previously XP, SP2, x86.

01:02.800 --> 01:05.020
And firstly, we're going to attach the process.

01:05.020 --> 01:05.950
Yeah, yeah, yeah, yeah.

01:06.100 --> 01:06.880
One minute, one minute.

01:07.090 --> 01:14.860
We have to firstly identify the process file, which is I know it's 1986, but I want to show you.

01:15.950 --> 01:16.700
So.

01:17.660 --> 01:18.950
Now list.

01:19.860 --> 01:23.180
List or list of the list of processes I have.

01:24.770 --> 01:30.590
And yeah, we're going to we're going to export the.

01:31.710 --> 01:33.840
Explorer explorer.

01:33.930 --> 01:37.410
And here 1956.

01:37.410 --> 01:46.860
This is defined 116 and I'm exporting and dumping it because this is the child, the reader_sl malware.

01:46.990 --> 01:54.420
We're sure, we are almost sure, that the reader_sl contains malware and yeah, we're going to.

01:56.990 --> 02:00.800
Uh, and yeah, the explorer.exe is the parent process of this.

02:00.800 --> 02:02.630
And as you can see, the PID.

02:03.350 --> 02:05.390
So it works under the Explorer.

02:05.390 --> 02:09.590
So we're going to execute, we're going to dump the explorer.exe.

02:09.590 --> 02:15.500
So, you know, that way we're going to have the exe.

02:15.500 --> 02:22.970
And also in that dump, it's also included the reader_sl.exe.

02:22.970 --> 02:29.660
So we don't dump it, uh, like separately, the explorer.exe.

02:30.080 --> 02:30.380
Yeah.

02:30.470 --> 02:31.070
Yes.

02:31.280 --> 02:35.140
And most times you're going to have to dump explorer.exe.

02:35.570 --> 02:42.590
So, because most malware is associated with the main application, explorer.exe.

02:42.590 --> 02:43.550
So let's dump it.

02:43.550 --> 02:46.550
Now we know the process ID of the Explorer.

02:46.550 --> 02:47.210
explorer.exe.

02:47.600 --> 02:48.050
Yeah.

02:48.120 --> 02:49.130
Where are you?

02:49.430 --> 02:51.560
Yeah, this is the explorer.exe here.

02:51.560 --> 02:51.890
And.

02:51.890 --> 02:56.390
Yeah, now we can run our command.

02:56.390 --> 03:00.380
So we choose the image file.

03:00.380 --> 03:04.340
We choose the profile of the memory image dump.

03:04.340 --> 03:08.960
So now we're going to use -p 1956.

03:09.050 --> 03:15.680
As you can see, I previously used this command, memdump, dump-dir here with two
</gml_replace>
<gr_replace lines="151" cat="clarify" orig="Negative">
negative characters.

03:16.580 --> 03:17.840
Negative characters.

03:18.750 --> 03:21.660
Yeah, just dumped it home.

03:22.260 --> 03:22.800
kali.

03:24.190 --> 03:25.210
Desktop.

03:25.420 --> 03:26.800
Volatility.

03:26.830 --> 03:27.710
Volatility.

03:27.730 --> 03:28.300
Gain.

03:28.380 --> 03:30.820
Oxley Case 001.

03:32.220 --> 03:36.720
And yeah, that's the destination folder that we're going to dump the memory to.

03:40.320 --> 03:43.560
So as you can see here, this is the dump from it.

03:43.560 --> 03:48.240
And yeah, let's open our folder and see what happened here.

03:48.240 --> 03:48.810
Yeah.

03:49.600 --> 03:50.370
Volatility.

03:50.400 --> 03:51.420
Volatility.

03:51.480 --> 03:51.720
Okay.

03:51.840 --> 03:52.530
001.

03:52.530 --> 03:56.940
And this is, as you can see, we can actually open it with Wireshark.

03:57.830 --> 03:58.280
Here.

04:00.230 --> 04:01.520
It doesn't understand.

04:03.230 --> 04:03.980
Yeah.

04:05.170 --> 04:08.800
But are we going to analyze it with another program here?

04:09.850 --> 04:10.570
So.

04:10.570 --> 04:11.900
But actually, Wireshark.

04:11.920 --> 04:17.200
Wireshark can use the files, but I think it's not compatible with Wireshark here.

04:17.410 --> 04:18.280
So.

04:19.110 --> 04:19.790
It was.

04:19.920 --> 04:24.330
It is a good practice to develop a naming convention, as you can see, actually.

04:24.340 --> 04:28.320
What, 1956, like, reminds you of nothing.

04:28.320 --> 04:31.530
So you need to change this file to something meaningful.

04:31.530 --> 04:35.760
Meaning something has meaning that you with your action.

04:35.760 --> 04:39.270
So in this case, I'm going to change this file to explore or.

04:39.810 --> 04:40.290
Yeah.

04:40.320 --> 04:42.000
Case 001.

04:43.760 --> 04:45.470
Uh, explorer.

04:47.400 --> 04:49.350
Dot exe or not?

04:49.950 --> 04:50.840
Don't use that.

04:50.850 --> 04:51.750
They are confusing.

04:51.750 --> 05:01.530
As you can see, the dot is for extension. You can just use underscore explorer exe and yeah, with after

05:01.530 --> 05:01.740
x.

05:01.740 --> 05:03.450
Yeah and.

05:04.260 --> 05:06.510
Explorer.exe process reader.

05:07.380 --> 05:08.160
SL.

05:09.720 --> 05:10.950
Mall here.

05:11.770 --> 05:14.110
And as you can see, this is more descriptive, right?

05:14.110 --> 05:14.590
Yeah.

05:14.710 --> 05:17.550
So this is better to you, and.

05:17.570 --> 05:22.750
And, like, practice to develop a naming convention for folders associated with a memory analysis.

05:22.750 --> 05:27.670
So then, as you can see, this way the files are kept in an appropriate location.

05:27.670 --> 05:30.670
In this case, the author is using.

05:30.670 --> 05:35.620
And as you can see here, the case001 explorer.exe here.

05:35.620 --> 05:41.170
And yeah, it should be noted that the acquisition may contain malware and should be

05:41.170 --> 05:46.510
done on an appropriate system now.

05:47.530 --> 05:49.570
We're going to dump the file.

05:50.340 --> 05:55.660
And also another important aspect of the dumping process.

05:55.680 --> 06:03.300
So in the event that an analyst is able to identify a suspect process within the memory image, the

06:03.300 --> 06:03.750
DLL.

06:04.240 --> 06:07.500
dlldump plugin can be utilized.

06:08.380 --> 06:12.820
To dump the contents of these files to the local system.

06:13.550 --> 06:21.320
This allows the analyst to examine the contents of the DLL files and compare them to legitimate files

06:21.320 --> 06:29.810
to determine whether they are malicious or something like dangerous, for example.

06:29.810 --> 06:38.660
So the process that has been identified in this case is the reader_sl with the process ID

06:38.690 --> 06:46.010
228, and the parent process ID is 1956, which is the explorer.exe.

06:46.220 --> 06:54.230
And this 228 was identified as potentially malicious in several sections of this lecture.

06:54.230 --> 06:59.360
So to acquire the DLL files and have them accessible to the local system.

06:59.480 --> 07:01.940
We're going to also dump this.

07:02.970 --> 07:04.290
So, for example.

07:06.810 --> 07:07.940
200.

07:07.950 --> 07:14.520
In this case, we're not going to dump the explorer.exe, but we're going to dump specially the

07:14.520 --> 07:15.420
reader_sl.

07:15.460 --> 07:28.350
So, because it is a more effective way to do this, and yeah, 228, we enter the reader_sl and.

07:30.160 --> 07:31.120
Uh, actually, that's.

07:33.030 --> 07:33.440
Okay.

07:33.450 --> 07:34.560
Can you see it?

07:37.480 --> 07:38.140
Yeah.

07:38.890 --> 07:39.220
Okay.

07:39.220 --> 07:43.630
So 228 and after this.

07:44.510 --> 07:46.040
As you can see, we specified that.

07:46.430 --> 07:54.950
And instead of just using the memdump, in this case we're going to use the dlldump.

07:55.190 --> 07:57.260
dlldump.

07:58.700 --> 07:59.570
Dump here.

08:00.290 --> 08:07.100
And yeah, now we're going to also click enter and that is the.

08:08.870 --> 08:11.240
That is the dump of the data file.

08:12.420 --> 08:13.140
Uh, yeah.

08:13.440 --> 08:15.230
So we didn't specify.

08:15.240 --> 08:15.480
Yeah.

08:15.480 --> 08:18.240
We also did specify the dump-dir here.

08:18.750 --> 08:19.260
Oh, why?

08:19.260 --> 08:20.250
Why this happened?

08:20.400 --> 08:21.270
Okay.

08:23.580 --> 08:23.880
Oh.

08:25.130 --> 08:28.710
We accidentally copied and pasted all of these outputs here?

08:28.890 --> 08:29.210
Yeah.

08:31.490 --> 08:32.120
Volatility.

08:32.120 --> 08:33.170
Desktop volatility.

08:33.170 --> 08:33.740
Volatility.

08:33.890 --> 08:34.580
Yeah.

08:36.250 --> 08:37.180
Yeah, yeah, yeah.

08:39.460 --> 08:40.690
That's because.

08:40.870 --> 08:41.440
Okay.

08:43.990 --> 08:47.290
So now let's open the file here.

08:47.320 --> 08:47.770
Oh.

08:50.290 --> 08:52.650
Yeah, these are the.

08:52.660 --> 08:55.360
Okay, let's create a folder case.

08:56.150 --> 09:04.020
000010001 and return as you actually can.

09:04.040 --> 09:07.790
As you can see, we can give a meaning to it like so.

09:07.940 --> 09:08.800
reader_sl.

09:10.320 --> 09:11.450
What was it like?

09:11.810 --> 09:14.590
Dum, dum, dum, dum.

09:14.600 --> 09:16.660
And we're going to paste all of this.

09:16.670 --> 09:18.350
Actually, we had to do it.

09:18.830 --> 09:19.240
Okay.

09:19.250 --> 09:20.510
One, two, three.

09:20.510 --> 09:22.850
And paste all of these files into this.

09:23.460 --> 09:32.070
And as you can see, these are the DLL files that are associated with this malicious

09:32.070 --> 09:32.730
file.

09:33.000 --> 09:34.140
So.

09:35.660 --> 09:36.020
Yeah.

09:36.870 --> 09:41.610
These are the module names, so we can also use this.

09:41.610 --> 09:50.010
So as you can see here, in this case, we are using the module names that Volatility used

09:50.010 --> 09:55.800
instead of the DLL files, because they are sort of confusing here.

09:55.800 --> 10:07.680
So we're going to create a document, not just a txt file, like module names, module names to module

10:07.680 --> 10:10.130
names to DLL.

10:11.350 --> 10:14.260
DLL description dot txt.

10:15.580 --> 10:18.970
Here and enter this and we're going to paste it here.

10:19.180 --> 10:25.060
So with this, there is actually quite a point of this, as you can see here.

10:26.690 --> 10:27.950
With this.

10:28.850 --> 10:30.140
For example.

10:31.260 --> 10:31.420
Mhm.

10:32.190 --> 10:33.180
Change it.

10:34.550 --> 10:37.400
Or we can do this, for example.

10:38.080 --> 10:38.710
Yeah.

10:39.990 --> 10:42.330
And as you can see here.

10:44.010 --> 10:52.260
These are the reader dot dll files and I want to change the with a list.

10:52.260 --> 10:52.830
Okay.

10:52.830 --> 11:00.180
And as you can see, there's a list of the files that we are using to it and the you model 220

11:00.180 --> 11:05.850
(818) 233-8739.

11:06.520 --> 11:08.680
7C9.

11:09.540 --> 11:14.430
And as you can see, this module named the module DLL file name.

11:14.430 --> 11:20.460
This is the equivalent to Ntdll.dll here and here.

11:20.460 --> 11:23.790
This is equal to reader_sl.exe.

11:24.900 --> 11:34.920
And this is the. So in this lecture I showed you how to dump memory and files from the malicious in

11:35.040 --> 11:37.050
the captured image file here.

11:37.050 --> 11:43.740
So in the next lecture we're going to use the executable dump, which is actually quite interesting.

11:43.740 --> 11:45.510
So I'm waiting for you in the next lecture.
