Amadey Lab
CyberDefenders Endpoint Forensics Lab

Scenario
An after-hours alert from the Endpoint Detection and Response (EDR) system flags suspicious activity on a Windows workstation. The flagged malware aligns with the Amadey Trojan Stealer. Your job is to analyze the presented memory dump and create a detailed report for actions taken by the malware.
To make this a little easier when entering commands, I quickly renamed the memory dump file to something shorter and moved it to the folder where Volatility resides. This resource is also very good for understanding the basics of Volatility.
Question 1
In the memory dump analysis, determining the root of the malicious activity is essential for comprehending the extent of the intrusion. What is the name of the parent process that triggered this malicious behavior?
Answer 1
Using the following commands:
./vol.py -f win7.vmem windows.pslist
./vol.py -f win7.vmem windows.pstree
I got a list of the processes that were running when the memory dump was taken, along with the parent-child relationships between them. One of them stuck out to me: rundll32.exe. It is sometimes used by malware strains to go undetected, because it is a legitimate Windows binary. Its parent process, lssass.exe, is the answer here.
Question 2
Once the rogue process is identified, its exact location on the device can reveal more about its nature and source. Where is this process housed on the workstation?
Answer 2
Using the following:
./vol.py -f win7.vmem windows.cmdline | grep lssass.exe
I can extract the command line attached to the process within the memory dump, which gives me the location of the file when it was executed.
C:\Users\0XSH3R~1\AppData\Local\Temp\925e7e99c5\lssass.exe
Question 3
Persistent external communications suggest the malware's attempts to reach out to a C2C server. Can you identify the Command and Control (C2C) server IP that the process interacts with?
Answer 3
Using the netscan plugin, and searching once more for the lssass.exe process, the inbound and outbound connections were whittled down.
./vol.py -f win7.vmem windows.netscan | grep lssass.exe
Giving me the answer: 41.75.84.12.
Question 4
Following the malware link with the C2, the malware is likely fetching additional tools or modules. How many distinct files is it trying to bring onto the compromised workstation?
Answer 4
The next step was to dump anything that belonged to the malware, using its PID, 2748.
Using the following commands I was able to extract the process memory from the artifact and search it for any GET requests that were sent to the C2 server.
./vol.py -f win7.vmem windows.memmap.Memmap --pid 2748 --dump
strings pid.2748.dmp | grep 'GET /'
This gave me 2 files that the malware had requested from the C2 server with a GET request.
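The grep above prints every GET line, so retries of the same file show up more than once and have to be deduplicated by eye, and `strings` without `-el` skips request lines stored as UTF-16LE. The script below is an added example, not part of the original writeup: it scans a dumped process memory file for GET request lines in both ASCII and UTF-16LE and counts the distinct file names requested. The sample dump, the `/Plugins/` path and the `second_module.dll` name are constructed for illustration; only clip64.dll and the C2 IP come from the lab.

```python
import re
import sys
from pathlib import Path

# Constructed sample of what process memory can contain: the same request
# repeated (a retry), a second module, one request stored as UTF-16LE, and
# junk. The /Plugins/ path and second_module.dll are made up for the example.
SAMPLE_DUMP = (
    b"\x00\x00GET /Plugins/clip64.dll HTTP/1.1\r\nHost: 41.75.84.12\r\n\r\n\x00"
    b"junk\x01\x02GET /Plugins/clip64.dll HTTP/1.1\r\nHost: 41.75.84.12\r\n"
    b"GET /Plugins/second_module.dll HTTP/1.1\r\nHost: 41.75.84.12\r\n"
    + "GET /Plugins/second_module.dll HTTP/1.1\r\n".encode("utf-16-le")
    + b"\xff\xfeGET  not-a-request"
)

# A request line as the malware builds it: method, absolute path, HTTP version.
_GET_LINE = re.compile(rb"GET (/[\x21-\x7e]{1,512}) HTTP/1\.[01]")
# A run of printable ASCII stored as UTF-16LE (each char followed by a NUL),
# which is what `strings -el` would print and plain `strings` would miss.
_WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")


def find_get_paths(dump: bytes) -> list[str]:
    """Return every GET request path in the dump, in the order found.

    Plain ASCII is searched first; UTF-16LE runs are then narrowed by
    dropping the interleaved NUL bytes and searched with the same pattern.
    """
    paths = [m.decode("ascii") for m in _GET_LINE.findall(dump)]
    for run in _WIDE_RUN.finditer(dump):
        narrow = run.group()[::2]  # keep the characters, drop the NULs
        paths += [m.decode("ascii") for m in _GET_LINE.findall(narrow)]
    return paths


def distinct_downloads(dump: bytes) -> dict[str, int]:
    """Map each distinct requested file name to its request count.

    Retries and duplicate buffers collapse into one entry, so len() of the
    result is the number of distinct files the malware tried to fetch.
    """
    counts: dict[str, int] = {}
    for path in find_get_paths(dump):
        name = path.rsplit("/", 1)[-1].split("?", 1)[0]  # strip dir and query
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    data = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else SAMPLE_DUMP
    for name, n in sorted(distinct_downloads(data).items()):
        print(f"{name}: requested {n} time(s)")
    print(f"{len(distinct_downloads(data))} distinct file(s) requested")
```

Run it as `python3 getscan.py pid.2748.dmp` against a real memmap dump; with no argument it runs on the constructed sample.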
Question 5
Identifying the storage points of these additional components is critical for containment and cleanup. What is the full path of the file downloaded and used by the malware in its malicious activity?
Answer 5
Using the filescan plugin, I was able to find the file paths of the 2 malicious DLL files that were present in the artifact.
./vol.py -f win7.vmem windows.filescan | grep -i clip64.dll
Question 6
Once retrieved, the malware aims to activate its additional components. Which child process is initiated by the malware to execute these files?
Answer 6
Since the files grabbed from the C2 address were DLL files, it makes sense that lssass.exe was trying to execute them through rundll32.exe, which gives me the answer to this question.
Question 7
Understanding the full range of Amadey’s persistence mechanisms can help in an effective mitigation. Apart from the locations already spotlighted, where else might the malware be ensuring its consistent presence?
Answer 7
A quick search in the dump file for the original source of the malware, lssass.exe, revealed that it had also found its way into the System32 Tasks folder, enabling it to maintain a consistent presence on the machine.
