Hunting Malware Part 1

Lab 6

© Caendra Inc. 2017 | Threat Hunting v1 | Hunting Malware Part 1 1


SCENARIO
Your manager, Tony, wants you to keep an eye on the machine of the administrative
assistant to the CFO. Email logs show a spike in spam emails attempting to reach her
email address. Even though she has completed the security awareness class, Tony doesn't
want to take any chances. Tony hands you a Mandiant Analysis File to load into Redline
so you can see if anything suspicious is running, or was running, on her machine. After
that analysis, Tony requires you to acquire a fresh Mandiant Analysis File and analyze it as well.

LAB OBJECTIVES
Use Redline to conduct memory analysis of Mandiant Analysis (MANS) files.

LEARNING OBJECTIVES
The objective of this lab is to conduct memory analysis to detect DLL injection and/or rootkits.

RECOMMENDED TOOLS
• Mandiant Redline



NETWORK CONFIGURATION
Organization: FooCompany

• Hunting Workstation:
o IP: 172.16.151.50
o RDP Credentials: elshunter:ahuntingweg0!
• Administrative Assistant Workstation:
o IP: 172.16.151.75
o RDP Credentials: elshunter:ahuntingweg0!

TASKS
TASK 1. LOAD SAVED MANS FILE INTO REDLINE FOR ANALYSIS.
1. Run Redline and load the Mandiant Analysis File called AnalysisSession1.

TASK 2. ANALYZE MANS FILE AND ANSWER THE FOLLOWING QUESTIONS.
1. How many processes are Redlined?
2. What are their names and why were they Redlined?
3. Any of the Redlined processes show signs of injected code?
4. Any of the Redlined processes show indicators of potentially suspicious network
traffic?
5. Any other suspicious processes? If so, what are the indicators that the process is
suspicious?
6. What file most likely kicked off this suspicious binary?



TASK 3. CREATE A STANDARD COLLECTOR WITH REDLINE.
1. Create a Standard Collector within Redline to acquire the memory image of the
administrative assistant’s machine.

Note: Make sure you check the box Acquire Memory Image.

TASK 4. RUN THE COLLECTOR ON TARGET MACHINE.


1. Copy the Standard Collector from your machine (172.16.151.50) to the network share
on the administrative assistant’s machine (172.16.151.75).
2. Run RunRedlineAudit.bat from an elevated prompt.
3. Copy the files back to your machine for analysis.

TASK 5. ANALYZE NEWLY CREATED MANS FILE AND ANSWER THE FOLLOWING QUESTIONS.
1. Answer the same questions from Task #2.



SOLUTIONS

TASK 1. LOAD SAVED MANS FILE INTO REDLINE FOR ANALYSIS.
1. Double-click the file called AnalysisSession1 within the AnalysisSession1 folder on
the desktop.

2. After Redline opens, click on I am Reviewing a Full Live Response or Memory
Image at the bottom of the Home Page, or on Processes at the far left, in Analysis
Data.

TASK 2. ANALYZE MANS FILE AND ANSWER THE FOLLOWING QUESTIONS.
3. Click on Redlined Processes in Review Processes by MRI Scores and sort the
processes by MRI Score, if not already sorted.

You should see the following Redlined processes.

At this point we can answer the first question: "How many processes are Redlined?"

• The answer is 4.



We can also answer the 1st part of the 2nd question: "What are their names and why were
they Redlined?"

• The answer is conhost.exe, Meterpreter_Payload_Detection.exe, svchost.exe,
and VGAuthService.exe.

To answer the 2nd part of the question we must look at each Redlined process individually
to get more specific information about the process.

4. Double-click on conhost.exe (PID 3316).

To answer the question, “why are they Redlined?”, we must look at the MRI Report.

5. Click on MRI Report.



While we have our focus on individual processes we can attempt to answer the next 2
questions by using the same tabs at the bottom.

6. Click on Sections, next to MRI Report, to see if there are any indicators of injected
code.
7. Apply filter for Injected only and hit Filter.

Any of the Redlined processes show signs of injected code?

• No results showing as Injected.

8. Click on the Ports tab, next to Handles.

Any of the Redlined processes show indicators of potentially suspicious network
traffic?

• Nothing shown under Ports.

9. We must do the same for the other 3 processes. To do so we can either click on
Processes at the far left, in Analysis Data, or in the top navigational bread crumb,
Home > Host > Processes > Full Detailed Information.

10. Double-click the next process, Meterpreter_Payload_Detection.exe.



Any of the Redlined processes show signs of injected code?

• No results showing as Injected.

Any of the Redlined processes show indicators of potentially suspicious network
traffic?

• Nothing shown under Ports.

11. Do the same for svchost.exe and VGAuthService.exe.



Any of the Redlined processes show signs of injected code?

• No results showing as Injected.

Any of the Redlined processes show indicators of potentially suspicious network
traffic?

• Nothing shown under Ports.



For VGAuthService.exe there isn't an explanation as to why Redline flagged it, but we can
see 9 Negative Factors.

Any of the Redlined processes show signs of injected code?

• No results showing as Injected.



Any of the Redlined processes show indicators of potentially suspicious network
traffic?

• Nothing shown under Ports.

Even though these 4 processes were Redlined, nothing immediately seems malicious to us.
Now we must see if any processes, which weren’t Redlined, are malicious. Let’s look at the
Hierarchical Processes view.

12. Click on Hierarchical Processes at the far left, in Analysis Data.

13. Look at all the processes, parent and child relationships, and attempt to locate the
suspect process. We will not use the MRI Score.

Any other suspicious processes? If so, what are the indicators that the process is
suspicious?

• Yes. There are 2 lsass processes running: 1 is the actual lsass.exe (PID 492) and
1 is masquerading (PID 2816); the impostor is spelled with the digit one, 1sass.exe,
instead of a lowercase L.

In the Sections tab, towards the bottom you might already see some indicators of Injected
and Untrusted. Let’s filter for those only.



14. Apply filter.

Now we can look at the Timeline to attempt to answer the last question, “What file most
likely kicked off this suspicious binary?”.

15. Click on Timeline at the far left, in Analysis Data.

16. Use the search box to find the term we're looking for, 1sass.

4 entries are found; the binary of interest, 1sass, accounts for 2 of the 4 entries.



What file most likely kicked off this suspicious binary?

• We can see a file on the desktop called 1sass.chm was opened by hh.exe. CHM files
are compiled Windows Help files. Right afterwards 1sass.exe was executed.

Note: The information we were seeking could have been obtained more quickly by looking at
Memory Sections at the far left, in Analysis Data under Processes. In Memory Sections,
select Injected Memory Sections under Review Memory Sections / DLLs. The output
would be 4 entries showing as Injected, all belonging to the process 1sass.exe.

Summary:

• How many processes are Redlined? What are they?
o 4
o conhost.exe, Meterpreter_Payload_Detection.exe, svchost.exe,
VGAuthService.exe
• Why were they Redlined?
o conhost.exe = This process has no executable existing in its process
address space, indicating that the binary was unmapped, therefore a
potential rogue thread is currently executing.
o Meterpreter_Payload_Detection.exe = This process was spawned from a
command shell. This is not a definite cause for concern but is atypical for
most processes.
o svchost.exe = This process was spawned with unexpected arguments:
"C:\Windows\system32\svchost.exe -k bthsvcs"
o VGAuthService.exe = No explanation shown but 9 DLLs are showing as
"Not signed and verified".
• Any of the Redlined processes show signs of injected code?
o Nothing visible under Sections for each process.
• Any of the Redlined processes show indicators of potentially suspicious network
traffic?
o Nothing visible under Ports for each process.
• Any other suspicious processes? If so, what are the indicators that the process is
suspicious?



o Under Memory Sections 4 entries shown as Injected. Injected column
shows as checked. Process name is 1sass.exe. PID 2816.
o Under Hierarchical Processes PID 2816 has a MRI score of 57.
o Under Details 1sass is incorrectly spelled. It should be lsass.exe and
only 1 instance should be running.
o Under Details the Parent is incorrect. It should be wininit.exe.
o Under Details the Path is incorrect. It should be C:\Windows\system32.
o Under Details the Username should not be a user account. It should be
SYSTEM.
o Under MRI Report shows 5 negative factors, 1 of which is "Not signed
and verified".
o Under Ports 1 established connection between 172.16.151.140:49162
<> 172.16.151.133:445 (TCP)
o Under Ports 1 closed connection between 172.16.151.140:49159 <>
172.16.151.133:139 (TCP)
• What file most likely kicked off this suspicious binary?
o Under Timeline we see 4 entries for 1sass. hh.exe was executed right
before 1sass.exe:
▪ Name: hh.exe
▪ PID:1968
▪ "C:\Windows\hh.exe" "C:\Users\elslabs\Desktop\1sass.chm"
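The checks applied to PID 2816 above (name spelling, parent, path, account, number of instances) can be applied mechanically to any process listing. The following Python script is an added example, not part of the lab or of Redline: it runs those checks over a constructed process listing shaped after the fields shown in Redline's Details view. The baseline rows for wininit.exe, services.exe and svchost.exe, the PIDs other than 492 and 2816, and the hh.exe parent, Desktop path and elslabs account of the look-alike are assumptions, not values taken from the lab's MANS file.

```python
"""Flag processes masquerading as Windows system processes.

Added example for this lab (not Redline's own logic): it re-implements the
manual Details-view checks as code and runs them over a constructed listing.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Process:
    name: str
    pid: int
    parent: str   # parent process name, as Redline's Details view shows it
    path: str     # on-disk image path
    user: str     # account the process runs as


# Expected parent, directory, account and instance count for core system
# processes. Standard Windows behaviour; only lsass.exe is covered by the
# lab text, the other rows are assumptions added for illustration.
BASELINE = {
    "wininit.exe":  {"parent": None,           "dir": r"c:\windows\system32", "user": "SYSTEM", "max": 1},
    "services.exe": {"parent": "wininit.exe",  "dir": r"c:\windows\system32", "user": "SYSTEM", "max": 1},
    "lsass.exe":    {"parent": "wininit.exe",  "dir": r"c:\windows\system32", "user": "SYSTEM", "max": 1},
    "svchost.exe":  {"parent": "services.exe", "dir": r"c:\windows\system32", "user": None,     "max": None},
}

# Characters commonly swapped in to fake a system process name (1sass, svch0st).
LOOKALIKES = str.maketrans({"1": "l", "i": "l", "|": "l", "0": "o"})


def canonical(name: str) -> str:
    """Return the system process a name is, or is pretending to be."""
    lowered = name.lower()
    if lowered in BASELINE:
        return lowered
    folded = lowered.translate(LOOKALIKES)
    return folded if folded in BASELINE else lowered


def check_processes(procs: list[Process]) -> dict[int, list[str]]:
    """Map each PID that breaks the baseline to its list of findings."""
    instances = Counter(canonical(p.name) for p in procs)
    findings: dict[int, list[str]] = {}

    for p in procs:
        canon = canonical(p.name)
        if canon not in BASELINE:
            continue
        rule = BASELINE[canon]
        notes: list[str] = []

        if p.name.lower() != canon:
            notes.append(f"name {p.name!r} mimics {canon}")
        if rule["parent"] and p.parent.lower() != rule["parent"]:
            notes.append(f"parent {p.parent}, expected {rule['parent']}")
        directory = p.path.lower().rsplit("\\", 1)[0]
        if directory != rule["dir"]:
            notes.append(f"path {p.path}, expected {rule['dir']}\\{canon}")
        account = p.user.upper().split("\\")[-1]          # accept NT AUTHORITY\SYSTEM
        if rule["user"] and account != rule["user"]:
            notes.append(f"user {p.user}, expected {rule['user']}")
        if rule["max"] and instances[canon] > rule["max"]:
            notes.append(f"{instances[canon]} instances of {canon} on host "
                         f"(look-alikes included), expected {rule['max']}")
        if notes:
            findings[p.pid] = notes
    return findings


# Constructed listing shaped after the lab's findings. The hh.exe parent,
# Desktop path and elslabs account of PID 2816 are assumed, as are PIDs
# 380, 484 and 812.
SAMPLE = [
    Process("wininit.exe",  380,  "",             r"C:\Windows\System32\wininit.exe",    "SYSTEM"),
    Process("services.exe", 484,  "wininit.exe",  r"C:\Windows\System32\services.exe",   "SYSTEM"),
    Process("lsass.exe",    492,  "wininit.exe",  r"C:\Windows\System32\lsass.exe",      "NT AUTHORITY\\SYSTEM"),
    Process("svchost.exe",  812,  "services.exe", r"C:\Windows\System32\svchost.exe",    "SYSTEM"),
    Process("1sass.exe",    2816, "hh.exe",       r"C:\Users\elslabs\Desktop\1sass.exe", "elslabs"),
]

if __name__ == "__main__":
    for pid, notes in check_processes(SAMPLE).items():
        print(f"PID {pid}:")
        for note in notes:
            print(f"  - {note}")
```

Run against the sample, the real lsass.exe (PID 492) is reported only because two lsass-like processes exist on the host, while PID 2816 fails every check. That is the same conclusion the Details view led to above, and the instance count is what tells you which of the two to dig into first.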



TASK 3. CREATE A STANDARD COLLECTOR WITH REDLINE.
1. Click on the Redline logo next to the navigational buttons and bread crumbs then click
Create a Standard Collector in the menu that appears.

2. In the next screen titled Start Your Analysis Session, under Review Script
Configuration check the box under Acquire Memory Image.

Optional: You can edit your script if you wish but for this exercise it’s not necessary.

3. Choose a folder where you wish to save your Collector to and click OK.

After a few seconds or minutes, depending on your setup and script, a box will be
displayed to you.



TASK 4. RUN THE COLLECTOR ON TARGET MACHINE.
4. Copy the folder to the Shared Folder (network mapping) and RDP into the
Administrative Assistant’s machine.
5. Run CMD from an elevated prompt (Run As Administrator) and navigate to the
Redline Collector folder at C:\Share.
6. Run that batch file named RunRedlineAudit.bat.

Note: This process will take a while, especially if you added more to the Collector script.

7. Once the audit has completed, close the CMD window and log off the machine.
8. Log back into your machine (if you logged out the RDP session) to begin analysis.
9. Open AnalysisSession2 in Redline and click on I am Reviewing a Full Live
Response or Memory Image or Processes from the far left, in Analysis Data.

TASK 5. ANALYZE NEWLY CREATED MANS FILE AND ANSWER THE FOLLOWING QUESTIONS.
1. If any processes Redlined, follow the same steps for the Redlined processes in Task
2.
2. Let’s go to Memory Sections and Ports to see if anything stands out.
3. Click on Memory Sections under Processes in the far-left navigation, in Analysis
Data.
4. Click on Injected Memory Sections in Review Memory Sections / DLLs.

Nothing is showing as Injected in any processes. Let’s look at Ports.

5. Click on Ports under Processes in the far-left navigation, in Analysis Data.

After careful inspection we see a process, rundll32.exe, listening on port 443, which is
odd for this workstation. Let's go to the Hierarchical Processes view and look at
rundll32.exe.

6. Click on Hierarchical Processes under Processes in the far-left navigation, in
Analysis Data.



Nothing new is obtained by looking at this process. Let’s look at its parent process, dllhost
(PID 1396).

7. Let’s go back to Hierarchical Processes view and double-click on dllhost.exe.

Within the MRI Report tab, we see a DLL that is "Not signed and verified",
elsInjections.dll. Here the name alone gives it away as malicious, but keep in mind that
real malware will rarely be named so helpfully.

Now let's look at the Timeline to attempt to determine what could have executed this
rundll32.exe.

8. Click on Timeline at the far-left, in Analysis Data.


9. Use the search box to look for rundll32.exe.

2 results are returned. A few entries above them we can see that tasking.exe,
powershell.exe, and conhost.exe were executed.



Summary:

• How many processes are Redlined? What are they?


o 2
o SearchProtocol, VGAuthService.exe
• Why were they Redlined?
o SearchIndexer.exe = This process has no executable existing in its
process address space, indicating that the binary was unmapped,
therefore a potential rogue thread is currently executing.
o VGAuthService.exe = No explanation shown but 9 DLLs are showing as
"Not signed and verified".
• Any of the Redlined processes show signs of injected code?
o Nothing visible under Sections for each process.
• Any of the Redlined processes show indicators of potentially suspicious network
traffic?
o Nothing visible under Ports for each process.
• Any other suspicious processes? If so, what are the indicators that the process is
suspicious?
o Under Ports, rundll32.exe is listening on port 443 (TCP).
o Under Hierarchical Processes PID 1396 has a MRI score of 28.
o Under MRI Report for dllhost.exe it shows 3 negative factors, 1 of which
is a suspicious DLL called elsInjections.dll.
• What most likely kicked off this suspicious binary?
o Under Timeline we see 2 entries for rundll32.exe. A few entries prior to
that we see 3 entries in succession: tasking.exe, powershell.exe, and
conhost.exe.
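The Task 5 hunt is a pivot: an out-of-place listener leads to the process, the process to its parent chain, the chain to an unsigned module, and the timeline to what ran just before. The following Python script is an added example, not part of the lab or of Redline, that chains those four steps over constructed data shaped after the Ports, Hierarchical Processes, MRI Report and Timeline views. Only PID 1396 and the names rundll32.exe, dllhost.exe, elsInjections.dll, tasking.exe, powershell.exe and conhost.exe come from the lab; the other PIDs, the svchost.exe parent of dllhost.exe, the DLL path, the allowed-listener baseline and the timestamps are assumptions.

```python
"""Pivot from an unexpected listening port to process ancestry, unsigned
modules and timeline context.

Added example for this lab (not Redline's own logic). It chains the Task 5
steps: find a listener that is out of place, walk its parent chain, list
unsigned modules in that chain, and pull the timeline entries that precede it.
"""
from collections import namedtuple

Proc = namedtuple("Proc", "name pid ppid")
Port = namedtuple("Port", "pid local_port state")
Module = namedtuple("Module", "pid path signed_and_verified")
Event = namedtuple("Event", "ts name")

# Ports a workstation process is expected to listen on (assumed baseline).
ALLOWED_LISTENERS = {"system": {139, 445}, "svchost.exe": {135, 3389}}


def unexpected_listeners(procs, ports):
    """Return (Proc, port) pairs in LISTENING state not covered by the baseline."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for port in ports:
        if port.state != "LISTENING" or port.pid not in by_pid:
            continue
        proc = by_pid[port.pid]
        if port.local_port not in ALLOWED_LISTENERS.get(proc.name.lower(), set()):
            hits.append((proc, port.local_port))
    return hits


def ancestry(procs, pid):
    """Walk ppid links from pid up to the root; stops on unknown or repeated PIDs."""
    by_pid = {p.pid: p for p in procs}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def unsigned_modules(modules, pids):
    """Paths of modules loaded into any of `pids` that are not signed and verified."""
    return [m.path for m in modules if m.pid in pids and not m.signed_and_verified]


def events_before(timeline, name, count):
    """Names of the `count` timeline entries preceding the first entry for `name`."""
    ordered = sorted(timeline, key=lambda e: e.ts)   # stable: ties keep input order
    for i, ev in enumerate(ordered):
        if ev.name.lower() == name.lower():
            return [e.name for e in ordered[max(0, i - count):i]]
    return []


def pivot(procs, ports, modules, timeline, context=3):
    """One report per unexpected listener, with chain, unsigned modules and context."""
    reports = []
    for proc, port in unexpected_listeners(procs, ports):
        chain = ancestry(procs, proc.pid)
        reports.append({
            "listener": (proc.name, proc.pid, port),
            "chain": [p.name for p in chain],
            "unsigned": unsigned_modules(modules, {p.pid for p in chain}),
            "preceded_by": events_before(timeline, proc.name, context),
        })
    return reports


# Constructed sample shaped after the Task 5 findings. Only PID 1396 and the
# names rundll32.exe, dllhost.exe, elsInjections.dll, tasking.exe,
# powershell.exe and conhost.exe come from the lab; the other PIDs, the
# svchost.exe parent of dllhost.exe, the DLL path and the timestamps are assumed.
PROCS = [
    Proc("System", 4, 0), Proc("wininit.exe", 380, 0), Proc("services.exe", 484, 380),
    Proc("svchost.exe", 812, 484), Proc("dllhost.exe", 1396, 812), Proc("rundll32.exe", 2200, 1396),
]
PORTS = [
    Port(4, 445, "LISTENING"), Port(812, 135, "LISTENING"),
    Port(2200, 443, "LISTENING"), Port(2200, 49201, "ESTABLISHED"),
]
MODULES = [
    Module(1396, r"C:\Windows\System32\dllhost.exe", True),
    Module(1396, r"C:\Users\elslabs\AppData\Local\Temp\elsInjections.dll", False),
    Module(2200, r"C:\Windows\System32\rundll32.exe", True),
]
TIMELINE = [
    Event("10:01:02", "tasking.exe"), Event("10:01:03", "powershell.exe"),
    Event("10:01:03", "conhost.exe"), Event("10:01:07", "rundll32.exe"),
    Event("09:58:40", "explorer.exe"), Event("10:03:15", "rundll32.exe"),
]

if __name__ == "__main__":
    for report in pivot(PROCS, PORTS, MODULES, TIMELINE):
        name, pid, port = report["listener"]
        print(f"{name} (PID {pid}) listening on {port}")
        print("  parent chain:", " <- ".join(report["chain"]))
        print("  unsigned modules in chain:", report["unsigned"])
        print("  executed just before:", report["preceded_by"])
```

The allowlist is deliberately narrow: on a workstation, anything listening that is not covered by it deserves the pivot, and checking unsigned modules across the whole parent chain (not just the listener) is what surfaces elsInjections.dll in dllhost.exe rather than in rundll32.exe itself.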

