Arizonal8/Memory-Forensics
# Week 10: Memory Forensics
## Overview
This lab performs a full memory forensics investigation of a Windows 7 system
infected with the Trickbot banking trojan. Using the Volatility Framework, the
investigation analyses a RAM dump to identify running processes, network
connections, code injection, malware family, persistence mechanisms, and
command-and-control (C2) infrastructure.
## Why This Is Necessary
Memory forensics is essential for investigating advanced malware because:
- Malware often operates entirely in memory without writing files to disk
- On-disk encryption, packing and obfuscation are bypassed — memory shows the
decrypted, running state of malicious code
- Process injection hides malware inside legitimate Windows processes
- Memory contains network artefacts, credentials, and keys not stored on disk
- Volatile evidence (running processes, network connections) exists only in RAM
and is lost when the system is powered off
## Tools Used
- **Volatility Framework** (v2.6) — open-source memory forensics framework
- **VirusTotal** — online malware hash analysis
- **imageinfo, pslist, pstree, psscan, netscan, malfind** — Volatility plugins
## Key Concepts Covered
- Identifying the OS profile from a memory dump (imageinfo)
- Listing and comparing processes using pslist, pstree, and psscan
- Detecting process injection via the malfind plugin
- Analysing network connections active at time of memory capture
- Using VirusTotal to identify malware family from injected PE hashes
- Examining handles and DLLs to identify malicious file paths
- Extracting registry hives from memory for offline analysis
## Malware Identified: Trickbot
Trickbot is a sophisticated, modular banking trojan first observed in 2016.
It is known for:
- Credential theft (browser, Windows credential store)
- Network propagation and lateral movement
- Modular payload delivery (sinj, pwgrab, networkdll modules)
- Command-and-control communication over HTTP/HTTPS
- Process injection into legitimate Windows processes (explorer.exe, svchost.exe)
## Investigation Findings
### Imageinfo
- **OS Profile:** Win7SP1x64 — Windows 7 Service Pack 1, 64-bit
- **Memory dump date:** 2018-07-24 19:46:32 UTC+0100
### Pslist — Process Analysis
- **PID 2928:** cmd.exe
- Start time: 2018-07-24 18:46:32
- Parent PID: 1632 (vmtoolsd.exe) — **suspicious** (cmd.exe is not normally
spawned by the VMware Tools daemon)
### Pstree — Process Hierarchy
- **PID 2292:** has **8 child processes**
- Start date: 2018-07-24 18:35:57
- Likely infection date: **2018-07-24**
### Psscan
- No hidden processes detected beyond those visible in pslist.
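The two process checks above (the off-baseline parent of cmd.exe in pslist, and the psscan-versus-pslist comparison for hidden processes) can be scripted over the plugins' text output. The script below is an added example, not code from this lab or from Volatility. It assumes the Volatility 2.6 column layout; the PIDs of cmd.exe, vmtoolsd.exe, explorer.exe and svchost.exe 2292 follow the findings, while all offsets, PDB values and the remaining rows (services.exe, notepad.exe, unlinked.exe) are constructed, and `EXPECTED_PARENTS` is a deliberately small baseline, not a Microsoft reference.

```python
"""Cross-check Volatility 2 pslist and psscan output (added example, not lab code).

Two checks the lab performs by eye:
  1. parent/child pairs that break a baseline (cmd.exe under vmtoolsd.exe)
  2. processes that psscan (pool-tag carving) finds but pslist (EPROCESS
     list walk) does not, the signature of an unlinked, DKOM-hidden process
All offsets and PDB values are constructed; notepad.exe and unlinked.exe are
invented rows that show the two reasons a PID can be psscan-only.
"""
import re
from dataclasses import dataclass

# Constructed pslist output in the Volatility 2.6 column layout.
PSLIST = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa8000cb9b30 System                    4      0     87      479 ------      0 2018-07-24 18:35:48 UTC+0000
0xfffffa8001a1e060 services.exe            480    392      7      206      0      0 2018-07-24 18:35:55 UTC+0000
0xfffffa8001b2c060 svchost.exe            2292    480     12      367      0      0 2018-07-24 18:35:57 UTC+0000
0xfffffa8001d10060 vmtoolsd.exe           1632    480      9      250      0      0 2018-07-24 18:36:02 UTC+0000
0xfffffa8001c45060 explorer.exe           1220   1180     33      921      1      0 2018-07-24 18:36:10 UTC+0000
0xfffffa8002a77060 cmd.exe                2928   1632      1       21      0      0 2018-07-24 18:46:32 UTC+0000
"""

# Constructed psscan output: the same live processes plus one terminated
# process (notepad.exe, has an exit time) and one unlinked process.
PSSCAN = """\
Offset(P)          Name                PID   PPID PDB                Time created                   Time exited
------------------ ---------------- ------ ------ ------------------ ------------------------------ ------------------------------
0x000000003e0f1b30 System                4      0 0x0000000000187000 2018-07-24 18:35:48 UTC+0000
0x000000003e7a1060 services.exe        480    392 0x000000001e3a2000 2018-07-24 18:35:55 UTC+0000
0x000000003ea2c060 svchost.exe        2292    480 0x0000000020b14000 2018-07-24 18:35:57 UTC+0000
0x000000003eb10060 vmtoolsd.exe       1632    480 0x0000000022c9f000 2018-07-24 18:36:02 UTC+0000
0x000000003ec45060 explorer.exe       1220   1180 0x0000000025d37000 2018-07-24 18:36:10 UTC+0000
0x000000003f977060 cmd.exe            2928   1632 0x000000002f1e8000 2018-07-24 18:46:32 UTC+0000
0x000000003f1a2060 notepad.exe        3100   1220 0x000000001b2c3000 2018-07-24 18:40:01 UTC+0000   2018-07-24 18:41:15 UTC+0000
0x000000003f9c0060 unlinked.exe       3312    480 0x000000002a1f4000 2018-07-24 18:50:00 UTC+0000
"""


@dataclass(frozen=True)
class Proc:
    name: str
    pid: int
    ppid: int
    created: str
    exited: bool  # a second timestamp on the row is the exit time


_ROW = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\d+)\s+(\d+)")
_TS = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC[+-]\d{4}")


def parse_processes(text: str) -> dict:
    """Parse pslist or psscan rows into {pid: Proc}; header/separator rows are skipped."""
    procs = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        stamps = _TS.findall(line)
        name, pid, ppid = m.group(1), int(m.group(2)), int(m.group(3))
        procs[pid] = Proc(name, pid, ppid, stamps[0] if stamps else "", len(stamps) > 1)
    return procs


# Simplified Windows 7 parent baseline (an assumption for the example, not a reference).
EXPECTED_PARENTS = {
    "svchost.exe": {"services.exe"},
    "cmd.exe": {"explorer.exe", "cmd.exe"},
}


def anomalous_parents(procs: dict) -> list:
    """Return (pid, name, ppid, parent_name) for children whose parent is off-baseline."""
    hits = []
    for p in sorted(procs.values(), key=lambda p: p.pid):
        allowed = EXPECTED_PARENTS.get(p.name)
        if allowed is None:
            continue
        parent = procs.get(p.ppid)
        parent_name = parent.name if parent else "<not in list>"
        if parent_name not in allowed:
            hits.append((p.pid, p.name, p.ppid, parent_name))
    return hits


def psscan_only(pslist: dict, psscan: dict) -> dict:
    """Split psscan-only PIDs into terminated (expected) and unlinked (possible DKOM)."""
    out = {"exited": [], "unlinked": []}
    for pid in sorted(set(psscan) - set(pslist)):
        out["exited" if psscan[pid].exited else "unlinked"].append(pid)
    return out


if __name__ == "__main__":
    live, carved = parse_processes(PSLIST), parse_processes(PSSCAN)
    for pid, name, ppid, pname in anomalous_parents(live):
        print(f"anomalous parent: {name} ({pid}) <- {pname} ({ppid})")
    print("psscan-only:", psscan_only(live, carved))
```

The split in `psscan_only` matters: psscan also carves terminated processes whose `_EPROCESS` has not yet been reused, so a psscan-only PID with an exit time is routine, and only a psscan-only PID without one is worth treating as unlinked from the active process list.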
### Netscan — Suspicious Network Connections
| Remote IP | Port | Assessment |
|-----------|------|------------|
| 185.17.120.178 | 80 | Trickbot C2 (HTTP) |
| 188.124.167.132 | 8082 | Trickbot C2 (alt port) |
| 158.58.131.54 | 443 | Trickbot C2 (HTTPS) |
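The netscan triage behind the table above (keep connections whose remote end is a routable address, then ask whether the owning PID is one that malfind also flagged) is shown below as an added example; it is not code from this lab or from Volatility. It assumes the Volatility 2.6 netscan column layout; the three remote endpoints and the set of injected PIDs come from the findings, while the offsets, local addresses, timestamps and the two benign rows (PID 4 and a constructed PID 876 talking to 8.8.8.8) are constructed.

```python
"""Triage Volatility 2 netscan output against malfind-flagged PIDs
(added example, not lab code).

Keeps live connections whose remote end is a routable address and reports
whether the owning process was also flagged for injected code, which is how
the three C2 endpoints tie back to explorer.exe and the svchost.exe instances.
Offsets, local addresses, timestamps and the PID 4 / PID 876 rows are constructed.
"""
import ipaddress
import re

# Constructed netscan output in the Volatility 2.6 column layout.
NETSCAN = """\
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x3e0c1a10         TCPv4    0.0.0.0:445                    0.0.0.0:0            LISTENING        4        System
0x3e1f2a00         UDPv4    0.0.0.0:5355                   *:*                                   876      svchost.exe    2018-07-24 18:36:05 UTC+0000
0x3e2a3b20         TCPv4    192.168.56.101:49180           8.8.8.8:53           ESTABLISHED      876      svchost.exe
0x3e3c4d30         TCPv4    192.168.56.101:49210           185.17.120.178:80    ESTABLISHED      1220     explorer.exe
0x3e4d5e40         TCPv4    192.168.56.101:49233           188.124.167.132:8082 ESTABLISHED      1896     svchost.exe
0x3e5e6f50         TCPv4    192.168.56.101:49251           158.58.131.54:443    ESTABLISHED      2464     svchost.exe
0x3e6f7060         TCPv4    192.168.56.101:49260           158.58.131.54:443    CLOSED           2464     svchost.exe
"""

# PIDs malfind flagged for injected PE code (from the lab findings).
INJECTED_PIDS = {576, 1220, 1896, 2292, 2464, 2484, 3468, 3560}

_STATES = r"ESTABLISHED|LISTENING|CLOSED|CLOSE_WAIT|TIME_WAIT|SYN_SENT|SYN_RCVD|LAST_ACK|FIN_WAIT\d"
# The State column is absent on UDP rows, so it is optional in the pattern.
_ROW = re.compile(
    r"^0x[0-9a-fA-F]+\s+(?P<proto>\S+)\s+(?P<local>\S+)\s+(?P<foreign>\S+)"
    r"(?:\s+(?P<state>" + _STATES + r"))?\s+(?P<pid>\d+)\s+(?P<owner>\S+)"
)


def _remote(endpoint: str):
    """'185.17.120.178:80' -> (IPv4Address, 80); None for '*:*' or unparsable text."""
    host, _, port = endpoint.rpartition(":")
    try:
        return ipaddress.ip_address(host.strip("[]")), int(port)
    except ValueError:
        return None


def _is_routable(ip) -> bool:
    # Not ip.is_global on purpose: CPython also classes RFC 5737 test ranges as non-global,
    # and spelling the exclusions out keeps the rule readable in a report.
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_unspecified or ip.is_reserved)


def external_connections(text: str, injected_pids=INJECTED_PIDS,
                         live_states=("ESTABLISHED", "SYN_SENT")) -> list:
    """(pid, owner, remote_ip, port, injected) for live connections to routable
    addresses, sorted by pid, one entry per (pid, remote, port)."""
    seen, hits = set(), []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m or m.group("state") not in live_states:
            continue
        parsed = _remote(m.group("foreign"))
        if parsed is None or not _is_routable(parsed[0]):
            continue
        ip, port = parsed
        pid = int(m.group("pid"))
        key = (pid, str(ip), port)
        if key in seen:
            continue
        seen.add(key)
        hits.append((pid, m.group("owner"), str(ip), port, pid in injected_pids))
    return sorted(hits)


if __name__ == "__main__":
    for pid, owner, ip, port, injected in external_connections(NETSCAN):
        flag = "INJECTED" if injected else "clean"
        print(f"{owner:<13}{pid:>6} -> {ip}:{port:<5} [{flag}]")
```

The `injected` flag is what turns a list of outbound sockets into evidence: an external connection from a process that also holds injected PE code (here 1220, 1896 and 2464) is a far stronger C2 candidate than one from an untouched process, which is why the table above can attribute each endpoint to a Trickbot-injected process rather than to the host in general.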
### Malfind — Code Injection
Processes with injected PE (MZ header) code:
- explorer.exe (PID 1220)
- svchost.exe (PIDs 576, 1896, 2292, 2464, 2484, 3468, 3560)
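Two steps sit between the malfind output and the VirusTotal lookup in the next section: confirming that a flagged executable region actually starts with an MZ header (malfind also reports private RWX regions that hold no PE image), and validating and hashing the region dumped with `malfind -D`. The script below is an added example, not code from this lab or from Volatility; the malfind text follows the Volatility 2.6 layout with constructed addresses, and `SAMPLE_PE` is a constructed minimal PE-shaped blob standing in for a dumped region.

```python
"""Confirm and hash injected PE regions reported by malfind (added example, not lab code).

Part 1 parses `malfind` text output and keeps only executable regions whose
first bytes carry the MZ magic. Part 2 validates a region dumped with
`malfind -D` (MZ magic, e_lfanew, PE signature) and returns the SHA-256 that
is searched on VirusTotal. Addresses and the zero-filled region are constructed;
the process names and PIDs follow the lab findings.
"""
import hashlib
import re
from dataclasses import dataclass

# Constructed malfind output: one region with an MZ header, one without.
MALFIND = """\
Process: explorer.exe Pid: 1220 Address: 0x2c30000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 38, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x02c30000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............
0x02c30010  b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00   ........@.......
0x02c30020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x02c30030  00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00   ................

0x02c30000 4d               DEC EBP
0x02c30001 5a               POP EDX
0x02c30002 90               NOP

Process: svchost.exe Pid: 1896 Address: 0x1f0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x001f0000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x001f0010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................

0x001f0000 0000             ADD [EAX], AL
"""

_HDR = re.compile(r"^Process: (\S+) Pid: (\d+) Address: (0x[0-9a-fA-F]+)")
_PROT = re.compile(r"Protection: (PAGE_\w+)")
# Hexdump rows carry 2..16 space-separated byte pairs; disassembly rows do not match.
_HEX = re.compile(r"^0x[0-9a-fA-F]+\s+((?:[0-9a-f]{2} ){2,16})")


@dataclass
class Region:
    process: str
    pid: int
    address: int
    protection: str
    head: bytes  # the leading bytes malfind prints for the region


def parse_malfind(text: str) -> list:
    """Group malfind text into Region records with their protection and hexdump bytes."""
    regions, cur = [], None
    for line in text.splitlines():
        h = _HDR.match(line)
        if h:
            cur = Region(h.group(1), int(h.group(2)), int(h.group(3), 16), "", b"")
            regions.append(cur)
            continue
        if cur is None:
            continue
        if line.startswith("Vad Tag") and (p := _PROT.search(line)):
            cur.protection = p.group(1)
            continue
        x = _HEX.match(line)
        if x:
            cur.head += bytes.fromhex(x.group(1))
    return regions


def injected_pe_regions(text: str) -> list:
    """(process, pid, address) for executable regions that start with the MZ magic."""
    return [(r.process, r.pid, r.address) for r in parse_malfind(text)
            if "EXECUTE" in r.protection and r.head[:2] == b"MZ"]


def pe_info(data: bytes) -> dict:
    """Validate a dumped region as a PE image and hash it for a VirusTotal search."""
    info = {"is_pe": False, "e_lfanew": None, "machine": None,
            "sha256": hashlib.sha256(data).hexdigest()}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return info
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    info["e_lfanew"] = e_lfanew
    if e_lfanew + 6 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
        info["is_pe"] = True
        info["machine"] = int.from_bytes(data[e_lfanew + 4:e_lfanew + 6], "little")
    return info


def _build_sample_pe() -> bytes:
    """Constructed stand-in for a `malfind -D` dump: DOS header, e_lfanew=0x80, PE signature."""
    blob = bytearray(0x100)
    blob[0:2] = b"MZ"
    blob[0x3C:0x40] = (0x80).to_bytes(4, "little")
    blob[0x80:0x84] = b"PE\0\0"
    blob[0x84:0x86] = (0x8664).to_bytes(2, "little")  # IMAGE_FILE_MACHINE_AMD64
    return bytes(blob)


SAMPLE_PE = _build_sample_pe()

if __name__ == "__main__":
    print("MZ regions:", injected_pe_regions(MALFIND))
    print("dumped region:", pe_info(SAMPLE_PE))
```

Note that the 64 bytes malfind prints are never enough to confirm a PE on their own (`e_lfanew` normally points past them), so the dumped region is what gets validated and hashed. The hash is of the image as it sat in memory, with relocations applied and the loader's changes in place, so it will usually differ from the on-disk sample's hash; a VirusTotal hash search that returns nothing does not clear the region, and uploading the dump itself is the usual fallback.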
### VirusTotal Results
- **Detection rate:** between 16 and 50 vendors flagged the extracted samples as malicious
- **Malware family:** **Trickbot**
### Handles / DLL Analysis
- **Malicious folder:** `C:\Users\Win7x64\AppData\Roaming\nsgJob`
- **Linked process:** explorer.exe (PID 1220)
- **File prefix found:** `8012d3` — Trickbot component files
### Registry Analysis
- **NTUSER.DAT offset:** 0xfffff8a0017ef010
- **SOFTWARE hive offset:** 0xfffff80000321010
- **SOFTWARE last updated:** 2018-07-05 14:23:01 UTC
- **Subkeys under Software:** 7
### Process Role Summary
| PID | Process | Role |
|-----|---------|------|
| 576 | svchost.exe | System data harvesting |
| 1220 | explorer.exe | Credential theft (password stealer) |
| 1896 | svchost.exe | Financial data interception (sinj module) |
| 2292 | svchost.exe | Parent of 8 child processes |
| 2464 | svchost.exe | Financial data interception (sinj module) |
| 2928 | cmd.exe | Network discovery / lateral movement |
## Screenshots
### Imageinfo

*Volatility imageinfo output confirming the memory dump is from a Windows 7
SP1 64-bit system with profile Win7SP1x64.*

*Full imageinfo output showing memory dump timestamp and system identifiers.*
### Process Analysis (Pslist)

*Complete pslist output showing all running processes at time of capture.*

*PID 2928 (cmd.exe) highlighted — spawned by vmtoolsd.exe (PID 1632),
which is suspicious and indicative of Trickbot lateral movement activity.*

*Parent-child process relationship analysis confirming the anomalous
cmd.exe lineage.*
### Process Tree (Pstree)

*Pstree output showing the full process hierarchy and identifying PID 2292
with 8 child processes — consistent with Trickbot module spawning.*

*Detailed view of PID 2292's 8 child processes and their start timestamps.*
### Psscan

*Full psscan output — no additional hidden processes identified beyond
those visible in pslist.*

*Summary confirming psscan and pslist results are consistent.*
### Network Connections (Netscan)

*Netscan output showing all network connections active at time of capture.*

*Three suspicious external IP addresses identified: 185.17.120.178:80,
188.124.167.132:8082, and 158.58.131.54:443 — all Trickbot C2 endpoints.*
### Code Injection (Malfind)

*Malfind output showing the MZ (4D 5A) PE header in injected memory
regions — confirming shellcode injection into legitimate processes.*

*List of all processes flagged by malfind: explorer.exe (PID 1220) and
multiple svchost.exe instances.*
### VirusTotal

*VirusTotal results showing 16–50 vendor detections for the extracted
memory samples.*

*Malware family confirmed as Trickbot by multiple antivirus vendors.*
### Handles and DLL Analysis

*Handle analysis revealing the Trickbot data directory:
C:\Users\Win7x64\AppData\Roaming\nsgJob linked to explorer.exe.*

*DLL list for explorer.exe (PID 1220) confirming injected Trickbot modules.*

*File prefix 8012d3 identified — a Trickbot component file naming pattern.*
### Registry Analysis

*Hivelist output showing memory addresses of all loaded registry hives.*

*Software hive analysis showing last update timestamp: 2018-07-05 14:23:01.*

*Enumeration of 7 subkeys under the Software registry key in memory.*
### Additional Analysis

*PID 576 (svchost.exe) identified as responsible for system data collection.*

*PID 1896 linked to the sinj (banking injection) Trickbot module for
intercepting financial transactions.*

*PID 1220 (explorer.exe) confirmed as Trickbot's credential harvesting
component, targeting the Windows credential store.*

*Network evidence showing data exfiltration traffic to C2 servers.*

*PID 2928 (cmd.exe) used by Trickbot for network discovery and lateral
movement across the compromised environment.*
## Learning Outcomes
- Acquire and analyse a Windows memory dump using Volatility
- Identify running processes and detect anomalous parent-child relationships
- Use malfind to detect process injection and extract injected PE files
- Analyse network connections to identify C2 communication
- Use VirusTotal to attribute malware samples to a known family
- Examine handles and DLLs to identify malicious artefacts in memory
- Extract and analyse registry hives from a memory dump