[00:00:00] In this lecture. As we stated previously, one of the central goals of memory analysis is to determine whether there are any suspicious data points in active memory indicative of malware. So in the event that data points such as DLLs from the Cridex or R2D2 memory image are located, they can be queried for further analysis. So in this lecture we're going to do the memory dump. During the course of the analysis, it may become necessary to dump the memory-resident pages associated with the process, in this case with memdump.

[00:00:40] The memdump here. The memdump process, where the memdump plugin is run against the memory image. Yeah. So let's delete this. And yeah, this is our profile. Now we're going to work on the same image file that we worked on previously: XP SP2 x86. And firstly, we're going to attach the process. Yeah, yeah. One minute, one minute. We have to firstly identify the process file, which is... I know it's 1986, but I want to show you. So. Now list. The list of processes I have. And yeah, we're going to export the explorer. Explorer. And here, 1956.

[00:01:37] This is defined, 1956, and I'm exporting and dumping it because this is the child process, reader_sl, the malware. We are almost sure that reader_sl contains malware, and yeah, we're going to... Uh, and yeah, the explorer is the parent process of this. And as you can see, the PID. So it works under Explorer. So we're going to execute, we're going to dump the explorer.exe process. So that way we're going to have the process, and in that dump it's also included the reader_sl process. So we don't dump it separately from explorer.exe. Yeah. Yes. And in most cases you're going to dump explorer.exe, because most malware is associated with the main application, explorer.exe. So let's dump it. Now we know the process ID of explorer.exe. Yeah. Where are you? Yeah, this is explorer.exe here. And yeah, now we can run our command. So we choose the image file, we choose the profile of the memory image dump. So now we're going to use -p 1956. As you can see, I previously used this command: memdump, dump-dir here with two dashes.

[00:03:16] Yeah, just dumped it to home, kali, Desktop, Volatility, Volatility, Case 001. And yeah, that's the destination folder that we're going to dump the memory to. So as you can see here, this is the dump from it. And yeah, let's open our folder and see what happened here. Yeah. Volatility. Volatility. Okay. 001. And this is, as you can see, we can actually open it with Wireshark. Here. It doesn't understand. Yeah. But are we going to analyze it with other programs here? So. But actually, Wireshark can use the files, but I think it's not compatible with Wireshark here. So. It is a good practice to develop a naming convention, as you can see, actually. What does 1956 remind you of? Nothing. So you need to change this file to something meaningful, something that has meaning for you and your action. So in this case, I'm going to change this file to explorer, or... Yeah.

[00:04:40] Case 001. Uh, explorer. Dot exe, or not? Don't use the dot; it is confusing. As you can see, the dot is for the extension, so you can just use an underscore: explorer_exe, and yeah, after exe... Yeah, and: explorer.exe process, reader_sl, mal here. And as you can see, this is more descriptive, right? Yeah. So this is better for you. And like, practice developing a naming convention for folders associated with a memory analysis. Then, as you can see, this way the files are kept in an appropriate location. In this case the author is using... And as you can see here, the Case 001 explorer.exe here. And yeah, it should be noted that the acquisition may contain malware and should be done on an appropriate system.

[00:05:47] Now we're going to dump the file. This is also another important aspect of the dumping process. So in the event that an analyst is able to identify a suspect process within the memory image, the dlldump plugin can be utilized to dump the contents of these files to the local system. This allows the analyst to examine the contents of the DLL files and compare them to legitimate files to determine whether they are malicious or something dangerous, for example. So the process that has been identified in this case is reader_sl with the process ID 228, and the parent process ID is 1956, which is explorer.exe. And this 228 was identified as potentially malicious in several sections of this lecture. So to acquire the DLL files and have them accessible on the local system, we're going to also dump this. So, for example. 228. In this case we're not going to dump explorer.exe, but we're going to dump specifically reader_sl, because it is a more effective way to do this, and yeah, 228, we enter the reader_sl and... Uh, actually, that's... Okay. Can you see it? Yeah. Okay. So 228, and after this, as you can see, we specified that. And instead of just using memdump, in this case we're going to use dlldump. dlldump. Dump here. And yeah, now we're going to also press enter, and that is the dump of the DLL files. Uh, yeah.

[00:08:13] So we didn't specify... Yeah, we also did specify the dump dir here. Oh, why did this happen? Okay. Oh. We accidentally copied and pasted all of these outputs here? Yeah. Volatility. Desktop, Volatility, Volatility. Yeah. Yeah, yeah. That's because... Okay. So now let's open the file here. Oh. Yeah, these are the... Okay, let's create a folder, Case 0001, and, as you can see, we can give a meaning to it like so: reader_sl. What was it like? Dump, dump, dump. And we're going to paste all of this. Actually, we had to do it. Okay. One, two, three. And paste all of these files into this. And as you can see, these are the DLL files that are associated with this malicious file. So. Yeah.

[00:09:36] These are the module names, so we can also use this. So as you can see here, in this case Volatility used the module names instead of the DLL file names, because they are sort of confusing here. So we're going to create a document, just a txt file, like module names to DLL description.txt. Here, and enter this, and we're going to paste it here. So with this, there is actually quite a point to this, as you can see here. With this, for example. Mhm. Change it. Or we can do this, for example. Yeah. And as you can see here, these are the reader_sl DLL files, and I want to change this with a list. Okay. And as you can see, there's a list of the files that we are using, and the module 7C9... And as you can see, this module name, the module DLL file name, is equivalent to ntdll.dll here, and here this is equal to reader_sl.exe. And this is the... So in this lecture I showed you how to dump memory and files from the malicious process in the captured image file here.

[00:11:37] So in the next lecture we're going to use the executable dump, which is actually quite interesting. So I'm waiting for you in the next lecture.