Memory analysis has become very useful for malware hunting and incident investigation. Redline, Mandiant's free memory analysis tool, is used to analyze memory samples collected from a live host or from a remote system.
Objective
In this lab, we will cover all the steps needed to perform memory analysis with Redline when looking for malware and other malicious programs. We will use several memory samples taken from malware-infected systems.
Memory samples to use in Lab:
- Labs_raw.img
- Lab.mans
- Lab_Handles.mans
- Lab_Hooks.mans
- Lab_Hooks_raw.img
The lab also includes an IOC that can be used directly in the section "Using IOC to automate the process in Redline".
Note: the .mans files are saved Redline analysis sessions of the various memory samples. We will open them directly in Redline to discover the malicious artifacts, which saves the considerable time it takes to load a raw memory image.
In this section we will look at how both a raw image and a saved .mans file can be loaded into Redline for analysis.
Loading a raw image in Redline
- Install Redline
- Launch Redline from the Windows Start menu. The Redline home page will open.
- For a raw memory image, we will load the image 'conficker.img'.
- In the dialog box shown below, browse to the location where the raw image is saved on your local machine.
- Click Next.
- Select the checkbox for strings (the string search used later in this lab depends on it).
- Click OK.
- Specify the name of the analysis session, 'Infosec_Institute_Lab_Analysis', and the location where the analysis session results will be stored.
- Click OK.
- Redline will then prepare the session for analysis. Confirm that a folder with the session name specified above has been created. Loading of a raw memory image looks like this.
At this point, the raw memory dump is loaded into Redline for further analysis.
- On successful loading, the following screen will appear. Confirm that Processes, Driver Modules, etc. can be seen on the left-hand side.
Opening a saved mans file
Redline saves the analysis of any memory file in .mans format. The steps below outline how to open a .mans file in Redline.
- In this section, we will be using Lab.mans file.
- A .mans file can be opened in Redline either from the Redline home page or from the launch page. In this section, we will load the .mans file from the home page. If the .mans file needs to be loaded from the launch page instead, perform this step:
From the launch page click on "Open Previous Analysis" and locate the .mans file to be loaded.
Click here to download the files associated with this article: https://drive.google.com/folderview?id=0B4V9rO4-QhMDMFBkRDhEU0xJX00&usp=sharing
- From the Redline home page, click on the Redline icon in the top left corner as shown below and click on "Open a Saved Analysis".
- Browse to the saved .mans file location and click Open.
- This is much faster than loading a raw image, and the screen below, much like the one for the raw image, will appear after the saved analysis opens.
Analyzing Processes using Redline
- For this section, we will keep using the Lab.mans file loaded in the previous section "Opening a saved mans file".
- After loading, Redline gives a view of all the artifacts that can be analyzed from a memory sample:
- Processes
- Handles
- Memory Sections
- Strings
- Hierarchical Processes
- Hooks
Now we will analyze each of these artifacts in Redline.
- Click on Processes. It will show all the processes that were in memory when the image was acquired.
- Redline has built-in signatures with which it classifies a process as malicious and "redlines" it (highlights it in red). In the screenshot above, two processes are redlined.
- Redline also gives each process a Malware Risk Index (MRI) score: the higher the score, the more likely the process is malicious. Both redlined processes have MRI scores of 97 and 94, which is highly suspicious.
- Click on "Redlined Processes" to see only the redlined processes.
- Double-click on the redlined process 'svchost.exe'. It will open the details of the process.
- Click on the MRI tab at the bottom. The MRI report appears.
- The report also explains why Redline awarded that MRI score to this process. In this case it says:
- There are about 47 percent negative factors associated with this process.
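Redline's MRI weighting is proprietary, but the factors it reports (wrong parent, wrong image path, and so on) are the same checks an analyst applies by hand to a process list. The following is an added example, not Redline code: it runs an expected-parent and expected-path check over a constructed process table. The EXPECTED table reflects Windows 7 parent relationships (on XP, winlogon.exe parents services.exe) and is an assumption, as are the sample processes.

```python
"""Heuristic process triage over constructed process records (added example).

Not Redline's MRI implementation; it shows the kind of checks an MRI-style
score is built from: does a core Windows process have the expected parent
and image path? The process table below is hand-built for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str
    path: str


# Expected parent and on-disk image path for a few core Windows processes
# (Windows 7 era; XP differs). This table is an assumption, not Redline data.
EXPECTED = {
    "services.exe": ("wininit.exe",  r"c:\windows\system32\services.exe"),
    "lsass.exe":    ("wininit.exe",  r"c:\windows\system32\lsass.exe"),
    "svchost.exe":  ("services.exe", r"c:\windows\system32\svchost.exe"),
}

# Constructed process list: a normal boot chain plus one svchost.exe that
# was started by Explorer from a temp directory.
SAMPLE = [
    Proc(4,    0,    "System",       ""),
    Proc(404,  4,    "smss.exe",     r"C:\Windows\System32\smss.exe"),
    Proc(480,  404,  "wininit.exe",  r"C:\Windows\System32\wininit.exe"),
    Proc(568,  480,  "services.exe", r"C:\Windows\System32\services.exe"),
    Proc(580,  480,  "lsass.exe",    r"C:\Windows\System32\lsass.exe"),
    Proc(1028, 568,  "svchost.exe",  r"C:\Windows\System32\svchost.exe"),
    Proc(1928, 1900, "Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    Proc(2012, 1928, "svchost.exe",  r"C:\Users\foo\AppData\Local\Temp\svchost.exe"),
]


def triage(procs):
    """Return {pid: [reasons]} for core processes that fail an expectation."""
    by_pid = {p.pid: p for p in procs}
    flagged = {}
    for p in procs:
        rule = EXPECTED.get(p.name.lower())
        if rule is None:
            continue  # only core processes have expectations in this example
        exp_parent, exp_path = rule
        reasons = []
        parent = by_pid.get(p.ppid)
        parent_name = parent.name.lower() if parent else None
        if parent_name != exp_parent:
            reasons.append(f"parent is {parent_name or 'missing'}, expected {exp_parent}")
        if p.path.lower() != exp_path:
            reasons.append(f"image path {p.path} is not {exp_path}")
        if reasons:
            flagged[p.pid] = reasons
    return flagged


if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE).items():
        print(pid, *reasons, sep="\n  ")
```

Only the Explorer-spawned copy of svchost.exe in the temp directory is flagged, and for two independent reasons; the legitimate instance under services.exe passes both checks. Name-based masquerading like this is exactly what the lab's redlined svchost.exe represents, which is why the parent and path are the first two things to read in the MRI report.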
Analyzing Network Connection using Redline
Once malware is running on a system it normally contacts its command and control (C&C) server to retrieve payloads or instructions, or to spread to other systems on the same network, so analyzing network connections is valuable during memory analysis.
- In this section, we will use the Lab_Handles.mans file (load it as described in "Opening a saved mans file").
- Redline shows all the connections that existed while the memory was captured.
- We can see that the process 'System', PID 4, has a connection to 94.247.2.107 over port 80. An outbound HTTP connection attributed to System (the kernel) is suspicious in itself, since it does not normally originate web traffic; kernel-mode rootkits make their traffic appear this way. It is also very common for malware to hide its connections in plain sight: port 80 is chosen because it is almost always open outbound from organizations and its traffic is the least scrutinized.
- A Google search for the IP 94.247.2.107 confirms that it is listed in connection with the TDSS (TDL) rootkit.
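The two observations above (the owning process is the kernel, and the destination is an external host on a web port) can be turned into a triage pass over the connection table. The following is an added example, not Redline code; the records are constructed to mirror the lab's Ports view, and the column layout, the BROWSERS allow-list and the sample addresses are assumptions.

```python
"""Triage of network connections recorded in a memory image (added example).

Two checks: traffic attributed to the kernel's System process (PID 4), and
outbound web-port traffic to external addresses from processes that are
not browsers. Records are constructed; the layout is an assumption.
"""
import ipaddress
from typing import NamedTuple


class Conn(NamedTuple):
    pid: int
    process: str
    local_addr: str
    local_port: int
    remote_addr: str
    remote_port: int
    state: str


# Constructed connection table mirroring the lab's Ports view.
SAMPLE = [
    Conn(4,    "System",       "192.168.30.128", 1045, "94.247.2.107",   80,  "ESTABLISHED"),
    Conn(4,    "System",       "0.0.0.0",        445,  "0.0.0.0",        0,   "LISTENING"),
    Conn(1928, "Explorer.EXE", "192.168.30.128", 1051, "192.168.30.129", 80,  "ESTABLISHED"),
    Conn(1234, "iexplore.exe", "192.168.30.128", 1060, "93.184.216.34",  443, "ESTABLISHED"),
]

WEB_PORTS = {80, 443, 8080}
BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe"}  # assumption: processes expected to talk HTTP


def is_external(addr):
    """True for routable addresses outside RFC 1918, loopback, link-local and unspecified ranges."""
    ip = ipaddress.ip_address(addr)
    return not (ip.is_private or ip.is_loopback or ip.is_unspecified or ip.is_link_local)


def triage(conns):
    """Return [(conn, [reasons])] for established connections worth a closer look."""
    findings = []
    for c in conns:
        if c.state != "ESTABLISHED" or c.remote_port == 0:
            continue  # listeners carry no destination to judge
        reasons = []
        if c.pid == 4:
            reasons.append("attributed to System (PID 4), which does not normally "
                           "originate connections; typical of kernel-mode rootkits")
        if c.remote_port in WEB_PORTS and is_external(c.remote_addr) \
                and c.process.lower() not in BROWSERS:
            reasons.append(f"web-port traffic to external {c.remote_addr}:{c.remote_port} "
                           f"from non-browser {c.process}")
        if reasons:
            findings.append((c, reasons))
    return findings


if __name__ == "__main__":
    for conn, reasons in triage(SAMPLE):
        print(f"PID {conn.pid} {conn.process} -> {conn.remote_addr}:{conn.remote_port}")
        for r in reasons:
            print("  -", r)
```

Note the blind spot: the Explorer.EXE connection to 192.168.30.129 passes, because the destination is a private address. Internal staging hosts are invisible to address-based checks, which is why the strings review in the next section is still necessary, and why the browser allow-list is only a prioritisation aid (malware injected into a browser inherits its name).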
Analyzing Strings using Redline
Since we selected the strings option while loading the image, we can search for strings in the memory file.
- We will continue with the Lab_Handles.mans file.
- Expand Processes and click on Strings.
- Search for 'http://'. It will show all the strings in memory that contain http://. Below we can see that process 1928, Explorer.EXE, connects to 192.168.30.129 as user foo and browses to a directory named malware. This looks suspicious: a URL with embedded credentials pointing at an internal host is worth following up as a possible staging or drop location.
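Searching for 'http://' by eye works for one image; for repeated triage it is worth parsing the hits. The following is an added example, not Redline code: it extracts URLs from a strings dump and flags those with embedded credentials or IP-literal hosts, the two properties of the Explorer.EXE finding above. STRINGS_DUMP is a constructed stand-in for the per-process strings Redline extracts, and the tab-separated 'pid, process, string' layout is an assumption.

```python
"""Pull URLs out of process strings and flag the suspicious ones (added example).

STRINGS_DUMP is constructed; the Explorer.EXE line reproduces the lab finding
and the remaining lines are typical benign Microsoft URLs plus a System hit.
"""
import ipaddress
import re
from urllib.parse import urlsplit

STRINGS_DUMP = """\
1928\tExplorer.EXE\thttp://foo@192.168.30.129/malware/
1928\tExplorer.EXE\thttp://schemas.microsoft.com/SMI/2005/WindowsSettings
1028\tsvchost.exe\thttp://crl.microsoft.com/pki/crl/products/MicrosoftRootAuthority.crl
4\tSystem\thttp://94.247.2.107/gate.php?id=
"""

# Stop at whitespace and quote characters; strings output is not tokenised.
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def extract_urls(dump):
    """Yield (pid, process, url) for every URL found in the dump."""
    for line in dump.splitlines():
        pid, process, text = line.split("\t", 2)
        for m in URL_RE.finditer(text):
            yield int(pid), process, m.group(0)


def triage(dump):
    """Return [(pid, process, url, [reasons])] for URLs that merit a look."""
    findings = []
    for pid, process, url in extract_urls(dump):
        u = urlsplit(url)
        reasons = []
        if u.username:
            reasons.append(f"credentials embedded in URL (user {u.username})")
        try:
            ip = ipaddress.ip_address(u.hostname or "")
            # Hard-coded IPs skip DNS; a private one points inside the network.
            reasons.append("IP-literal host" + (" on the local network" if ip.is_private else ""))
        except ValueError:
            pass  # hostname is a DNS name, not an address
        if reasons:
            findings.append((pid, process, url, reasons))
    return findings


if __name__ == "__main__":
    for pid, process, url, reasons in triage(STRINGS_DUMP):
        print(f"PID {pid} {process}: {url}")
        for r in reasons:
            print("  -", r)
```

The two Microsoft URLs drop out, the Explorer.EXE URL is flagged for both the 'foo@' credential and the internal IP-literal host, and the System hit is flagged for the IP-literal host alone. Strings are unordered fragments, so a URL found in a process's memory is evidence that the process saw it, not proof that it made the request; correlate with the connection table before drawing a conclusion.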
Analyzing Handles in Redline
- In this section, we will analyze the handles using the Lab_Handles.mans file. Follow the steps outlined in "Opening a saved mans file" above to load it.
- The screen below shows all the handles present in memory at the time it was acquired.
- A process holds handles to many object types: file handles, directory handles, registry key handles, mutants (mutexes), etc. In the next step, we will look at mutant handles. Malware often creates a uniquely named mutant so that it does not infect a machine twice, which makes mutant names useful indicators.
- Click on Mutant handles and it will show all the mutants present in memory.
- We see the mutant named _!MSFTHISTORY!_, a mutant name associated with TDSS malware. Check which process owns it as well: a name appearing only in an unexpected process is stronger evidence than the name alone.
Analyzing Memory Sections using Redline
In Redline, we can analyze the memory sections of each process to look for injected code: executable sections that are not backed by a file on disk are the typical sign of injection.
- In this section, we will continue with the Lab_Handles.mans file.
- Redline lists all the memory sections present in memory.
- Click on "Injected Memory Sections".
- Below we can see that PID 1980 contains an injected memory section.
Analyzing Hierarchical Processes using Redline
In Redline, we can see the parent-child relationships between processes. This is useful when analyzing a process to see which process spawned which, and it also gives an indication of the order in which the system started its processes at boot.
- Click on Hierarchical Processes on the left-hand side.
- As we can see below, it shows the parent-child relationships among the processes.
Analyzing Hooks using Redline
Kernel-mode malware often hooks kernel structures such as the System Service Descriptor Table (SSDT), the Interrupt Descriptor Table (IDT) and driver IRP dispatch tables to take broader control over the system. In this section, we will see how Redline can be used to analyze these.
- In this section, we will use the Lab_Hooks.mans file. Follow the steps outlined in "Opening a saved mans file" above to load it.
- The screen below shows all the hooks for this memory image.
- We can filter by a specific type of hook: SSDT, IDT or IRP.
Note that although Redline reports the Trust Status as "Undetermined", a driver called burito24b1-1710.sys hooking kernel structures is highly suspicious in itself: legitimate kernel drivers have recognizable names and vendors.
- A Google search for burito24b1-1710.sys reveals that it has already been submitted to malwr.com.
Cross-checking findings against third-party sources such as sandbox reports greatly enhances memory analysis.
- Click on IRP hooks to see which system drivers have been hooked.
- Here we can see that burito24b1-1710.sys has hooked tcpip.sys.
Using IOC to automate the process in Redline
Automating the analysis with Indicators of Compromise (IOCs) is a very useful Redline feature. IOCs are routinely shared within the security community, so collecting them and running them against an acquired memory image gives us hits wherever they match.
As we saw above for Lab_Hooks, Redline did not classify the driver burito24b1-1710.sys as malicious under the SSDT hooks, but since we know it is malicious, let's create an IOC for it and run that IOC against the raw Lab_Hooks memory image.
We will use the Mandiant IOC Editor to create the IOC.
- Create a directory 'IOC' where the IOCs will be stored.
- Open the Mandiant IOC Editor and select the 'IOC' folder created above.
- Give a description for this IOC like the one below.
- Enter the details of the driver exactly as seen in the Lab_Hooks.mans file.
- Click Add.
- Click Item > Hook > Hook Hooked Module.
- Below is the final signature for this IOC.
- Click Save to save this IOC to the 'IOC' folder created above.
- From the Redline home page, choose "Open Saved Memory".
- Browse to the location of the raw memory image and of the IOC created above.
- Select the listed IOC to see its description as well.
- Click Next.
- Follow the remaining steps from the section "Loading a raw image in Redline" (from the strings checkbox onward), naming the analysis session 'Infosec_Institute_Lab_Hooks'.
- Once the image is loaded, the IOC report keeps running in the background.
- Upon completion, browse to the folder 'Infosec_Institute_Lab_Hooks'.
- Open Infosec_Institute_Lab_Hooks > IOCs > IOCReport > Hits > *.html.
- As we can see below, based on our indicator Redline reports hits that are exactly what we saw earlier in the SSDT and IRP hooks.
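The IOC Editor and Redline hide what the IOC actually is: an OpenIOC 1.0 XML document whose IndicatorItems are matched against the audit records Redline collects. The following is an added example, not Mandiant's IOC Editor or Redline code: it builds such a document for the three findings from this lab (the hooking driver, the TDSS mutant from the handles section, and the C&C address from the network section) and evaluates it against constructed artifact records the way the IOC report does. The search terms HookItem/HookingModule, ProcessItem/HandleList/Handle/Name and PortItem/remoteIP are my reading of the OpenIOC term names and are assumptions; the page's IOC Editor path is "Hook > Hook Hooked Module", so confirm which hook field Redline fills with the driver name before relying on either. RECORDS is hand-built with a few benign entries as filler.

```python
"""Build a minimal OpenIOC 1.0 indicator and evaluate it against memory
artifact records, mirroring what Redline's IOC report does (added example).

Not Mandiant's IOC Editor or Redline code. Search terms are assumptions
(see lead-in); RECORDS is constructed from the lab findings, one flat dict
per artifact, plus benign filler.
"""
import uuid
import xml.etree.ElementTree as ET

NS = "http://schemas.mandiant.com/2010/ioc"
ET.register_namespace("", NS)  # serialise the OpenIOC namespace as the default


def q(tag):
    """Namespace-qualify a tag name for ElementTree."""
    return f"{{{NS}}}{tag}"


def build_ioc(short_description, items, author="Infosec_Institute_Lab"):
    """Return OpenIOC XML: one top-level OR Indicator, one 'is' item per (term, value)."""
    ioc = ET.Element(q("ioc"), {"id": str(uuid.uuid4()), "last-modified": "2014-01-01T00:00:00"})
    ET.SubElement(ioc, q("short_description")).text = short_description
    ET.SubElement(ioc, q("authored_by")).text = author
    definition = ET.SubElement(ioc, q("definition"))
    top = ET.SubElement(definition, q("Indicator"), {"operator": "OR", "id": str(uuid.uuid4())})
    for term, value in items:
        item = ET.SubElement(top, q("IndicatorItem"), {"id": str(uuid.uuid4()), "condition": "is"})
        ET.SubElement(item, q("Context"), {"document": term.split("/")[0], "search": term, "type": "mir"})
        ET.SubElement(item, q("Content"), {"type": "string"}).text = value
    return ET.tostring(ioc, encoding="unicode")


def _match(condition, value, content):
    # Module, mutant and address strings are compared case-insensitively (design choice).
    value, content = value.lower(), content.lower()
    if condition == "is":
        return value == content
    if condition == "contains":
        return content in value
    raise ValueError(f"unsupported condition {condition!r}")


def _eval(node, records, hits):
    """Recursively evaluate an Indicator tree; matching records are appended to hits."""
    if node.tag == q("IndicatorItem"):
        ctx, content = node.find(q("Context")), node.find(q("Content"))
        doc, _, field = ctx.get("search").partition("/")
        matched = [r for r in records
                   if r.get("document") == doc and r.get(field) is not None
                   and _match(node.get("condition"), str(r[field]), content.text)]
        hits.extend((ctx.get("search"), r) for r in matched)
        return bool(matched)
    results = [_eval(child, records, hits) for child in node]
    return all(results) if node.get("operator", "OR").upper() == "AND" else any(results)


def evaluate(ioc_xml, records):
    """Return (ioc_matched, [(search_term, record), ...])."""
    root = ET.fromstring(ioc_xml)
    hits = []
    matched = _eval(root.find(f"{q('definition')}/{q('Indicator')}"), records, hits)
    return matched, hits


ITEMS = [  # the three lab findings, as (OpenIOC search term, value)
    ("HookItem/HookingModule", "burito24b1-1710.sys"),
    ("ProcessItem/HandleList/Handle/Name", "_!MSFTHISTORY!_"),
    ("PortItem/remoteIP", "94.247.2.107"),
]

RECORDS = [  # constructed: lab findings plus benign filler entries
    {"document": "HookItem", "HookType": "SSDT", "HookingModule": "burito24b1-1710.sys"},
    {"document": "HookItem", "HookType": "IRP", "HookedModule": "tcpip.sys", "HookingModule": "burito24b1-1710.sys"},
    {"document": "HookItem", "HookType": "IRP", "HookedModule": "tcpip.sys", "HookingModule": "ndis.sys"},
    {"document": "ProcessItem", "pid": 1980, "HandleList/Handle/Name": "_!MSFTHISTORY!_"},
    {"document": "ProcessItem", "pid": 1028, "HandleList/Handle/Name": "ShimCacheMutex"},
    {"document": "PortItem", "pid": 4, "remoteIP": "94.247.2.107", "remotePort": 80},
    {"document": "PortItem", "pid": 1928, "remoteIP": "192.168.30.129", "remotePort": 80},
]

if __name__ == "__main__":
    xml = build_ioc("TDSS lab indicators", ITEMS)
    print(xml)
    matched, hits = evaluate(xml, RECORDS)
    print("IOC matched:", matched)
    for term, rec in hits:
        print(f"  {term} -> {rec}")
```

Against these records the IOC matches on four artifacts: the SSDT and IRP hooks installed by burito24b1-1710.sys (the same two hits the Redline report shows above), the mutant in PID 1980, and the System connection to 94.247.2.107. The top-level operator is OR, so any single indicator is enough for a hit; combining items under an AND Indicator, which the evaluator also supports, is how a shared IOC is tightened when one of its terms turns out to be noisy on its own.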
As we can see, Redline is a powerful tool for analyzing memory samples when hunting for malware.