Archive for the Uncategorized Category

Overview of my Malware Analysis Methodology

Posted in Uncategorized on September 10, 2014 by jls3tech

Hello All,

This is a brief posting of how I analyze malicious executables. Linked below is a quick overview of my setup, toolkit, and steps.

[Slides 1 to 12 of the overview (setup, toolkit, and steps) are images and are not reproduced in this text.]

A way to get memory from a remote Windows Machine w/ PS and Launch Volatility!

Posted in Powershell, Uncategorized on September 21, 2013 by jls3tech

This script was written to obtain a memory dump and launch Volatility commands against the dump locally. I haven’t updated the code since I made it, so you may need to tweak it a bit to work in your environment.

*Note: enabling the Strings function will more than likely lock up your computer. PowerShell will attempt to load the entire memory dump in memory.
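The lock-up the note describes comes from reading the whole image into memory before searching it. The following Python is an added example, not code from the original post: it streams the image in fixed-size chunks so memory use stays flat, carries an overlap so a URL cut by a chunk boundary is still found whole, and also scans the UTF-16LE form that Windows keeps many strings in, which an ASCII-only regex over the raw bytes would miss. The image it runs on is constructed inline (NUL filler around two URLs and one address); the chunk size and overlap passed in the self-test are small values chosen for the demonstration.

```python
"""Carve URLs and IPv4 addresses from a raw memory image by streaming it.

Added example, not part of the original post. The image is read in fixed-size
chunks, an overlap is carried into the next buffer so a string straddling a
chunk boundary is seen whole, and each buffer is searched as 8-bit text and as
UTF-16LE at both byte alignments.
"""
import io
import re

CHUNK_SIZE = 4 * 1024 * 1024   # bytes read per iteration
OVERLAP = 2048                 # bytes carried over; must exceed the longest match in bytes

# Scheme or www. followed by 4..500 URL characters (the cap bounds the overlap needed).
URL_RE = re.compile(r"(?:https?://|www\.)[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]{4,500}",
                    re.IGNORECASE)
# Dotted quad, each octet 0..255, with no digit or dot touching either side.
IPV4_RE = re.compile(
    r"(?<![0-9.])(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)(?![0-9.])")


def _chunks(stream, size):
    """Yield (data, is_last) so the caller knows whether a match at the buffer end can continue."""
    data = stream.read(size)
    while data:
        nxt = stream.read(size)
        yield data, not nxt
        data = nxt


def _views(buf):
    """Text views of a byte buffer: latin-1 (keeps every byte) and UTF-16LE at both alignments."""
    yield buf.decode("latin-1")
    for off in (0, 1):
        yield buf[off:].decode("utf-16-le", errors="replace")


def carve(stream, chunk_size=CHUNK_SIZE, overlap=OVERLAP):
    """Return (sorted URLs, sorted IPv4 addresses) found in a binary stream."""
    urls, ips = set(), set()
    tail = b""
    for data, is_last in _chunks(stream, chunk_size):
        buf = tail + data
        for text in _views(buf):
            for regex, found in ((URL_RE, urls), (IPV4_RE, ips)):
                for m in regex.finditer(text):
                    # A match running into the end of a non-final buffer may be cut off. The
                    # overlap guarantees the next buffer holds it whole, so skip it here.
                    if not is_last and m.end() >= len(text) - 2:
                        continue
                    found.add(m.group(0))
        tail = buf[-overlap:]   # duplicates from the overlap collapse in the sets
    return sorted(urls), sorted(ips)


def carve_file(path, chunk_size=CHUNK_SIZE, overlap=OVERLAP):
    """Carve a dump on disk, e.g. the HOST.raw file the script copies back."""
    with open(path, "rb") as fh:
        return carve(fh, chunk_size, overlap)


def carve_bytes(data, chunk_size=CHUNK_SIZE, overlap=OVERLAP):
    """Carve in-memory bytes (used by the self-test)."""
    return carve(io.BytesIO(data), chunk_size, overlap)


def build_sample_image(chunk_size=128):
    """Constructed test image (not a real dump): NUL filler, an ASCII URL that begins 12 bytes
    before the first chunk boundary, a UTF-16LE URL at an odd offset, and an IPv4 address."""
    ascii_url = b"http://malware-c2.example/gate.php?id=7"
    wide_url = "https://update.example.org/payload.bin".encode("utf-16-le")
    ip = b"192.168.56.101"
    return (b"\x00" * (chunk_size - 12) + ascii_url + b"\x00\x00"
            + wide_url + b"\x00\x00" + ip + b"\x00")


if __name__ == "__main__":
    found_urls, found_ips = carve_bytes(build_sample_image(128), chunk_size=128, overlap=100)
    print("URLs:", found_urls)
    print("IPs: ", found_ips)
```

With the 128-byte chunk the ASCII URL is split across the first boundary and the truncated prefix seen at the end of chunk one is discarded; only the whole URL, recovered from the overlap in chunk two, is reported. The same image carved in a single chunk gives the identical result, which is the property to check when changing chunk size or overlap on a real image.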

Download here


############################################
############################################
## RAM.ps1 - Remote Acquisition of Memory ##
## v1.0 ##
## James Saunders ##
## 02/25/2013 ##
############################################
############################################

param([String] $hst, [string] $opt="")
$hst = $hst.toUpper()

#Date
$date = Get-Date -uformat "%y_%m_%d"

#Set Directories
$bin = ".\bin"
$OutputDir = ".\captures\RAM\$hst\"
$PDDir = $OutputDir + "Processes and DLLs"
$KMODir = $OutputDir + "Kernel Memory and Objects"
$NetwDir = $OutputDir + "Networking"
$MalDir = $OutputDir + "Malware"
$StrDir = $OutputDir + "Strings"
ni $OutputDir -type directory -force| out-null
ni $PDDir -type directory -force| out-null
ni $KMODir -type directory -force| out-null
ni $NetwDir -type directory -force| out-null
ni $MalDir -type directory -force| out-null
ni $StrDir -type directory -force| out-null

#Set 3rd party utils (expected under .\bin next to this script)
$psexec = $bin + "\psexec.exe"
$winpmem = $bin + "\winpmem-1.3.1.exe"
$volatility = $bin + "\volatility-2.2.standalone.exe"
#Work from a private copy of volatility in the case folder; Vol removes it when it finishes
cp $volatility $OutputDir
$volEXE = $OutputDir + "volatility-2.2.standalone.exe"

#FileName Creation
$DumpName = "c:\" + $hst + ".raw"                     #path winpmem writes to on the remote host
$RetrievePath = "\\" + $hst + '\c$\' + $hst + ".raw"   #the same file reached over the admin share
$DumpFileName = $OutputDir + $hst + ".raw"           #local copy read by Vol and Strings (the original used a bare file name relative to the working directory, which volatility could not find)

function banner{
 write-host '++++++++++++++++++++++++++++++++++++++++++++++++++' -foregroundcolor black -backgroundcolor yellow
 write-host '+ RAM V1 +' -foregroundcolor black -backgroundcolor yellow
 write-host "+ Remote Acquisition of Memory +" -foregroundcolor black -backgroundcolor yellow
 write-host "++++++++++++++++++++++++++++++++++++++++++++++++++" -foregroundcolor black -backgroundcolor yellow
 write-host "`n"
}

function FurElise{
 [console]::beep(420, 200)
 [console]::beep(400, 200)
 [console]::beep(420, 200)
 [console]::beep(400, 200)
 [console]::beep(420, 200)
 [console]::beep(315, 200)
 [console]::beep(370, 200)
 [console]::beep(335, 200)
 [console]::beep(282, 600)
 [console]::beep(180, 200)
 [console]::beep(215, 200)
 [console]::beep(282, 200)
 [console]::beep(315, 600)
 [console]::beep(213, 200)
 [console]::beep(262, 200)
 [console]::beep(315, 200)
 [console]::beep(335, 600)
 [console]::beep(213, 200)
 [console]::beep(420, 200)
 [console]::beep(400, 200)
 [console]::beep(420, 200)
 [console]::beep(400, 200)
 [console]::beep(420, 200)
 [console]::beep(315, 200)
 [console]::beep(370, 200)
 [console]::beep(335, 200)
 [console]::beep(282, 600)
 [console]::beep(180, 200)
 [console]::beep(215, 200)
 [console]::beep(282, 200)
 [console]::beep(315, 600)
 [console]::beep(213, 200)
 [console]::beep(330, 200)
 [console]::beep(315, 200)
 [console]::beep(282, 600)
}

function RAMGrabber{
 #Send EXE to dump Memory
 #psexec -c copies winpmem to the target and -e skips loading a user profile; the account running this
 #script needs admin rights on $hst because winpmem loads a kernel driver. psexec's errors are hidden by
 #2>$null, so the dump is checked for before anything else is attempted.
 write-host "[+] " -foregroundcolor green -nonewline; write-host "Dumping Memory on $hst"
 &$psexec \\$hst -accepteula -e -c $winpmem $DumpName 2>$null
 if (-not (Test-Path $RetrievePath)) {
  write-host "[!] " -foregroundcolor red -nonewline; write-host "No dump found at $RetrievePath (check psexec/winpmem output and admin rights)"
  exit 1
 }
 write-host "[+] " -foregroundcolor green -nonewline; write-host "Dump Complete!"

 #Copy Dump to local host
 #The image is written to the target's system drive, which overwrites unallocated disk space; if a disk
 #image of $hst may be needed later, point $DumpName at a network share instead.
 write-host "[+] " -foregroundcolor green -nonewline; write-host "Transferring Dump to $OutputDir"
 write-host " [+] " -foregroundcolor yellow -nonewline; write-host "Large file may take a while"
 cp $RetrievePath $OutputDir
 write-host "[+] " -foregroundcolor green -nonewline; write-host "Transfer Complete!"

 #Delete dump on remote machine
 write-host "[+] " -foregroundcolor green -nonewline; write-host "Removing Dump from $hst"
 ri $RetrievePath
 write-host "[+] " -foregroundcolor green -nonewline; write-host "Removal Complete!"
}

function Vol{
 write-host "[+] " -foregroundcolor green -nonewline; write-host "Launching Volatility 2.2"
 write-host "[+] " -foregroundcolor red -nonewline; write-host "This will take a while (music will play when complete)"
 #Pick the Volatility profile from the live OS version (queried once over WMI).
 #Only XP SP3 x86 and Win7 SP1 x86/x64 are mapped; any other version or service pack (Vista, 2003,
 #2008, Win8, XP SP2, ...) needs the profile set by hand from the suggestions in imageinfo.txt.
 $os = gwmi Win32_OperatingSystem -computername $hst
 if ($os.version -like "6*")
 {
  if ($os.OSArchitecture -like "64*") {$profileType = "Win7SP1x64"} else {$profileType = "Win7SP1x86"}
 }
 else
 {$profileType = "WinXPSP3x86"}

 #Runs Commands and saves to respective files

 ##Gathers image info
 write-host "[+] " -foregroundcolor yellow -nonewline; write-host "Exporting Image Info"
 &$volEXE -f $DumpFileName imageinfo >> $OutputDir\imageinfo.txt |out-null

 ##Processes and DLLs
 write-host "[+] " -foregroundcolor yellow -nonewline; write-host "Exporting Processes and DLLs Info"

 ###pslist
 write-host " [-] " -foregroundcolor cyan -nonewline; write-host "Executing pslist command"
 &$volEXE --profile=$profileType -f $DumpFileName pslist >> $PDDir\pslist.txt |out-null

 ###pslist -P
 write-host " [-] " -foregroundcolor cyan -nonewline; write-host "Executing pslist -P command"
 &$volEXE --profile=$profileType -f $DumpFileName pslist -P >> $PDDir\pslist.txt |out-null

 ###pstree
 write-host " [-] " -foregroundcolor cyan -nonewline; write-host "Executing pstree command"
 &$volEXE --profile=$profileType -f $DumpFileName pstree >> $PDDir\pstree.txt |out-null

 ###psscan
 write-host " [-] " -foregroundcolor cyan -nonewline; write-host "Executing psscan command"
 &$volEXE --profile=$profileType -f $DumpFileName psscan >> $PDDir\psscan.txt |out-null

 ###dlllist
 write-host " [-] " -foregroundcolor cyan -nonewline; write-host "Executing dlllist command"
 &$volEXE --profile=$profileType -f $DumpFileName dlllist >> $PDDir\dlllist.txt |out-null

 ###handles
 write-host " [-] " -foregroundcolor cyan -nonewline; write-host "Executing handles command"
 &$volEXE --profile=$profileType -f $DumpFileName handles >> $PDDir\handles.txt |out-null

 ###getsids
 write-host " [-] " -foregroundcolor cyan -nonewline; write-host "Executing getsids command"
 &$volEXE --profile=$profileType -f $DumpFileName getsids >> $PDDir\getsids.txt |out-null

 ##Kernel Memory and Objects
 write-host "[+] " -foregroundcolor yellow -nonewline; write-host "Exporting Kernel Memory and Objects"

 ###modules
 write-host " [-] " -foregroundcolor cyan -nonewline; write-host "Executing modules command"
 &$volEXE --profile=$profileType -f $DumpFileName modules >> $KMODir\modules.txt |out-null

 ###modules -P
 write-host " [-] " -foregroundcolor cyan -nonewline; write-host "Executing modules -P command"
 &$volEXE --profile=$profileType -f $DumpFileName modules -P >> $KMODir\modules.txt |out-null

 ###modscan
 write-host " [-] " -foregroundcolor cyan -nonewline; write-host "Executing modscan command"
 &$volEXE --profile=$profileType -f $DumpFileName modscan >> $KMODir\modscan.txt |out-null

 ###ssdt
 write-host " [-] " -foregroundcolor cyan -nonewline; write-host "Executing ssdt command"
 &$volEXE --profile=$profileType -f $DumpFileName ssdt >> $KMODir\ssdt.txt |out-null

 ###driverscan
 write-host " [-] " -foregroundcolor cyan -nonewline; write-host "Executing driverscan command"
 &$volEXE --profile=$profileType -f $DumpFileName driverscan >> $KMODir\driverscan.txt |out-null

 ###filescan
 write-host " [-] " -foregroundcolor cyan -nonewline; write-host "Executing filescan command"
 &$volEXE --profile=$profileType -f $DumpFileName filescan >> $KMODir\filescan.txt |out-null

 ###mutantscan
 write-host " [-] " -foregroundcolor cyan -nonewline; write-host "Executing mutantscan command"
 &$volEXE --profile=$profileType -f $DumpFileName mutantscan >> $KMODir\mutantscan.txt |out-null

 ###symlinkscan
 write-host " [-] " -foregroundcolor cyan -nonewline; write-host "Executing symlinkscan command"
 &$volEXE --profile=$profileType -f $DumpFileName symlinkscan >> $KMODir\symlinkscan.txt |out-null

 ###thrdscan
 write-host " [-] " -foregroundcolor cyan -nonewline; write-host "Executing thrdscan command"
 &$volEXE --profile=$profileType -f $DumpFileName thrdscan >> $KMODir\thrdscan.txt |out-null

 ##Networking Info
 #connections/connscan/sockets/sockscan only work on XP and 2003 images; netscan only on Vista and later.
 #Whichever set does not apply to this image prints an error and leaves an empty file; that is expected.
 write-host "[+] " -foregroundcolor yellow -nonewline; write-host "Exporting Networking Info"

 ###connections
 write-host " [-] " -foregroundcolor cyan -nonewline; write-host "Executing connections command"
 &$volEXE --profile=$profileType -f $DumpFileName connections >> $NetwDir\connections.txt |out-null

 ###connections -P
 write-host " [-] " -foregroundcolor cyan -nonewline; write-host "Executing connections -P command"
 &$volEXE --profile=$profileType -f $DumpFileName connections -P >> $NetwDir\connections.txt |out-null

 ###connscan
 write-host " [-] " -foregroundcolor cyan -nonewline; write-host "Executing connscan command"
 &$volEXE --profile=$profileType -f $DumpFileName connscan >> $NetwDir\connscan.txt |out-null

 ###sockets
 write-host " [-] " -foregroundcolor cyan -nonewline; write-host "Executing sockets command"
 &$volEXE --profile=$profileType -f $DumpFileName sockets >> $NetwDir\sockets.txt |out-null

 ###sockets -P
 write-host " [-] " -foregroundcolor cyan -nonewline; write-host "Executing sockets -P command"
 &$volEXE --profile=$profileType -f $DumpFileName sockets -P >> $NetwDir\sockets.txt |out-null

 ###sockscan
 write-host " [-] " -foregroundcolor cyan -nonewline; write-host "Executing sockscan command"
 &$volEXE --profile=$profileType -f $DumpFileName sockscan >> $NetwDir\sockscan.txt |out-null

 ###netscan
 write-host " [-] " -foregroundcolor cyan -nonewline; write-host "Executing netscan command"
 &$volEXE --profile=$profileType -f $DumpFileName netscan >> $NetwDir\netscan.txt |out-null

 ##Malware Info
 write-host "[+] " -foregroundcolor yellow -nonewline; write-host "Exporting Malware Info"

 ###malfind
 write-host " [-] " -foregroundcolor cyan -nonewline; write-host "Executing malfind command"
 &$volEXE --profile=$profileType -f $DumpFileName malfind >> $MalDir\malfind.txt |out-null

 ###svcscan
 write-host " [-] " -foregroundcolor cyan -nonewline; write-host "Executing svcscan command"
 &$volEXE --profile=$profileType -f $DumpFileName svcscan >> $MalDir\svcscan.txt |out-null

 ###ldrmodules -v
 write-host " [-] " -foregroundcolor cyan -nonewline; write-host "Executing ldrmodules -v command"
 &$volEXE --profile=$profileType -f $DumpFileName ldrmodules -v >> $MalDir\ldrmodules.txt |out-null

 ###idt
 write-host " [-] " -foregroundcolor cyan -nonewline; write-host "Executing idt command"
 &$volEXE --profile=$profileType -f $DumpFileName idt >> $MalDir\idt.txt |out-null

 ###gdt
 write-host " [-] " -foregroundcolor cyan -nonewline; write-host "Executing gdt command"
 &$volEXE --profile=$profileType -f $DumpFileName gdt >> $MalDir\gdt.txt |out-null

 ###psxview
 write-host " [-] " -foregroundcolor cyan -nonewline; write-host "Executing psxview command"
 &$volEXE --profile=$profileType -f $DumpFileName psxview >> $MalDir\psxview.txt |out-null

 #Commands Complete
 write-host "[+] " -foregroundcolor green -nonewline; write-host "Volatility Commands Complete"

 #Removed EXE from Dump Path
 ri $volEXE
}

function Strings{
 #Carves http(s)/www URLs and IPv4 addresses out of the dump.
 #The original loaded the whole image with Get-Content, which exhausted system memory; this version
 #streams it in 4 MB chunks and carries a 2 KB overlap so a string cut by a chunk boundary is still seen.
 #Only ASCII strings are matched; UTF-16 strings in the image are not.
 write-host "[+] " -foregroundcolor green -nonewline; write-host "Executing String Search"
 #Trailing class was [...\./-~-]: the /-~ was a character range covering most of printable ASCII, now a literal set
 $httpPattern = '(((http|https)://)|(www\.))+(([a-zA-Z0-9\._-]+\.[a-zA-Z]{2,6})|([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}))(/[a-zA-Z0-9&%_\./~-]*)?'
 $ipPattern = '\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b'
 $chunkSize = 4MB
 $overlap = 2KB
 $buffer = New-Object byte[] $chunkSize
 $tail = ""
 $urls = @{}
 $ips = @{}
 #.NET resolves relative paths against its own working directory, so hand it an absolute one
 $stream = [System.IO.File]::OpenRead((Resolve-Path $DumpFileName).Path)
 try {
  while (($read = $stream.Read($buffer, 0, $chunkSize)) -gt 0) {
   $text = $tail + [System.Text.Encoding]::ASCII.GetString($buffer, 0, $read)
   [Regex]::Matches($text, $httpPattern, "IgnoreCase") | foreach { $urls[$_.Value] = 1 }
   [Regex]::Matches($text, $ipPattern) | foreach { $ips[$_.Value] = 1 }
   if ($text.Length -gt $overlap) { $tail = $text.Substring($text.Length - $overlap) } else { $tail = $text }
  }
 }
 finally { $stream.Close() }

 #Unique, sorted results (the overlap can surface the same string twice)
 $urls.Keys | sort | out-file $StrDir\http.txt
 $ips.Keys | sort | out-file $StrDir\IPAddresses.txt
}

 

banner
RAMGrabber
Vol
FurElise
#Strings

##### HISTORY #####
#Created 02/25/2013
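The script saves pslist and psscan output side by side under "Processes and DLLs" but leaves comparing them to the analyst (psxview applies the same cross-view inside Volatility). The following Python is an added example, not part of the original post: it parses both saved files and reports the processes that only the pool scan sees, separating ones that simply exited from ones missing from the active process list. The row shape it assumes (a hex offset, the image name, PID, PPID, then plugin-specific columns, with timestamps written YYYY-MM-DD HH:MM:SS) follows Volatility 2.x text output; the sample rows in the block are constructed, not taken from a real image.

```python
"""Cross-view the pslist and psscan text files the script saves.

Added example, not part of the original post. pslist walks the kernel's linked
list of active processes; psscan carves _EPROCESS blocks out of physical memory,
so it also finds processes unlinked from that list (rootkit hiding) and
processes that have exited but whose memory has not been reused. Diffing the two
saved files separates those cases.
"""
import re

# Assumed row shape shared by both plugins in Volatility 2.x text output: a hex
# offset, the image name, PID and PPID, then plugin-specific columns. Header and
# dashed separator lines do not start with 0x and are skipped.
ROW_RE = re.compile(r"^\s*0x[0-9a-fA-F]+\s+(\S+)\s+(\d+)\s+(\d+)")
TIMESTAMP_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")

# Constructed sample rows (not from a real image) in that shape.
SAMPLE_PSLIST = """\
 Offset(V)  Name                 PID    PPID   Thds   Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ ------ ------ ------ ------------------------------ ------------------------------
0x823c89c8 System                    4      0     58    573 ------      0
0x8220f020 smss.exe                376      4      3     19 ------      0 2013-02-25 13:59:41 UTC+0000
0x821cc020 explorer.exe           1516   1464     13    409      0      0 2013-02-25 14:00:13 UTC+0000
"""

SAMPLE_PSSCAN = """\
 Offset(P)  Name                PID   PPID PDB        Time created                   Time exited
---------- ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x01e5e7c8 smss.exe            376      4 0x0a73a020 2013-02-25 13:59:41 UTC+0000
0x01f0c020 explorer.exe       1516   1464 0x0a73a3c0 2013-02-25 14:00:13 UTC+0000
0x01f9d020 svchost.exe        1100    668 0x0a73a2a0 2013-02-25 14:02:11 UTC+0000
0x01fb4da0 notepad.exe        1980   1516 0x0a73a4e0 2013-02-25 14:05:02 UTC+0000   2013-02-25 14:05:40 UTC+0000
0x023c89c8 System                4      0 0x00319000
"""


def parse_rows(text):
    """Map (pid, name) -> number of timestamps on its row (2 means an exit time is present)."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows[(int(m.group(2)), m.group(1))] = len(TIMESTAMP_RE.findall(line))
    return rows


def cross_view(pslist_text, psscan_text):
    """Return which (pid, name) pairs disagree between the two views.

    hidden    - psscan only, no exit time: unlinked from the active list, inspect it
    exited    - psscan only, exit time set: terminated, its _EPROCESS not yet reused
    list_only - pslist only: the pool scan missed it (overwritten tag, smeared image)
    """
    listed = parse_rows(pslist_text)
    scanned = parse_rows(psscan_text)
    report = {"hidden": [], "exited": [], "list_only": []}
    for key, stamps in sorted(scanned.items()):
        if key not in listed:
            report["exited" if stamps >= 2 else "hidden"].append(key)
    for key in sorted(listed):
        if key not in scanned:
            report["list_only"].append(key)
    return report


def cross_view_files(pslist_path, psscan_path):
    """Run the comparison over the pslist.txt / psscan.txt files the script writes."""
    with open(pslist_path, encoding="utf-8", errors="replace") as a, \
         open(psscan_path, encoding="utf-8", errors="replace") as b:
        return cross_view(a.read(), b.read())


if __name__ == "__main__":
    for kind, procs in cross_view(SAMPLE_PSLIST, SAMPLE_PSSCAN).items():
        for pid, name in procs:
            print(f"{kind:9} {pid:6} {name}")
```

The script appends `pslist` and `pslist -P` into the same pslist.txt, so every process appears twice there; keying the parsed rows by (PID, name) collapses that. A "hidden" hit is a starting point, not a verdict: confirm it with psxview, check its parent and SID with pstree and getsids, and look at its memory with malfind.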

Creating an effective job portfolio

Posted in Uncategorized on June 16, 2011 by jls3tech

To create an effective job portfolio, certain steps must be followed.

First you should gather the following:

1) Create the resume

  • Include your contact information: phone number, email address, address, and websites.
  • Education: degree and college
  • Certifications and affiliations
  • Work experience
  • Applications, programming languages, operating systems, and software you’re familiar with.

2) Accumulate the best examples of your work

  • Results of projects
  • Performance reviews

3) Append honors and awards

  • Professional recognitions
  • Professional awards

4) Include professional affiliations

  • Membership cards

5) Add college transcript

Finally, you should make a soft copy of the portfolio. Each of the sections should have its own folder contained in a zip file. Then copy the zip file to a physical medium of your choice.

Is Google making us stupid? No, just impatient.

Posted in Uncategorized on June 13, 2011 by jls3tech

I do not believe that Google is making us stupid; in fact, it helps drive innovation. The vast index database Google has amassed allows a user to find information quickly that can be used for a variety of tasks. People no longer try to reinvent the wheel but instead try to make improvements based on the information found. Productivity is saved by an IT staff because Google stores the fixes to complex problems plaguing end users, quickly getting them back to work. In my personal experience, Google allows me to move past the trivial and focus on a complex task rather than skim through pages of text. The only downside of Google is that it drives our attention span down, addicting us to instant information. The critical thinking required for reading long writing is no longer there; we have become conditioned to expect quick blurbs of data. The quick access of data can only spread knowledge; thus Google cannot make users stupid, just impatient.

This is a quick class writing assignment in response to an article by Nicholas Carr, “Is Google Making Us Stupid?” URL: http://www.theatlantic.com/magazine/archive/2008/07/is-google-making-us-stupid/6868/