CyberDefenders— Ramnit Blue Team Lab Walkthrough
An Endpoint Forensic Investigation with Volatility 3 and VirusTotal
Introduction:
Imagine this scenario: You’re a cybersecurity analyst, and suddenly, you receive an alert about suspicious process behavior from a user’s workstation. You’re handed a memory dump from the infected machine to investigate the incident, analyze the artifacts on the system, and discover the malware’s actions.
If this sounds like something you’re into, welcome to my weekly walkthrough, you’ve stumbled on the right blog! This week, we’re jumping into the Ramnit Lab from CyberDefenders.
For this challenge, we’ll dissect a memory dump of a device infected with malware performing suspicious operations on the victim’s system. Using Volatility 3 and VirusTotal, we’ll locate the malicious process, uncover its file path on the system, and learn about any IP addresses and domains the malware contacts. The goal is to gather a list of indicators of compromise (IOCs) to understand the malware’s behavior and prevent any further impact on the environment. Sounds like fun, right? Let’s get into it!
If you find this walkthrough is helpful in leveling up your skills or getting you through a tricky question, give it a clap! Your feedback lets me know that I helped you out on your security journey. Thanks for reading!
Thanks for reading along, hope it helps!
Challenge Link: https://cyberdefenders.org/blueteam-ctf-challenges/ramnit/
Challenge Scenario:
Scenario:
Our intrusion detection system has alerted us to suspicious behavior on a workstation, pointing to a likely malware intrusion. A memory dump of this system has been taken for analysis. Your task is to analyze this dump, trace the malware’s actions, and report key findings. This analysis is critical in understanding the breach and preventing further compromise.
Tools:
Volatility 3
Setup the REMnux Analysis Environment & Extract the challenge file:
Safety first! When working with lab/challenge files from CyberDefenders (or any educational lab/challenge/range), it’s important to be responsible and stay safe by performing malware analysis tasks in a dedicated, isolated virtual machine environment. For this challenge I’m using REMnux, a specialized Linux distribution for malware analysis.
To keep this write-up focused, I’m going to skip a step-by-step setup directions of REMnux, but if you’d like to set up your own environment, please follow the guide provided by REMnux directly. For reference, I used the virtual appliance method:
Once we have a safe virtual environment created, updated, isolated, and snapshotted, we can extract the challenge file and start the investigation!
Question 1: We need to identify the process responsible for this suspicious behavior. What is the name of the suspicious process?
Let’s kick off this investigation and start hunting for the suspicious process!
But before we dive into using Volatility, let’s quickly get familiar with the help documentation which is a handy way to see what plugins are available for use. We can bring up Volatility’s manual pages with the following command:
vol3 -hNow, our first task is to understand what processes were running on the victim’s system when the memory dump was taken during the incident. We’ll accomplish this by leveraging Volatility’s windows.pslist plugin to scan the image and list the running processes on the system using the syntax below:
vol3 -f memory.dmp windows.pslistAnalyzing the processes list, we need to identify the suspicious one. If the output seems overwhelming, don’t worry — it takes practice to sift through it. A great resource to understand normal Windows behavior is the Hunt Evil poster from the SANS Institute.
At first glance, everything seems normal for virtualized Windows system, doesn’t it? The exception is one process looks a little suspicious: a ChromeSetup.exe is running when the capture was taken. Since the intrusion detection system (IDS) alerted on suspected malware execution, let’s start by investigating this process and make a note of the process ID (PID) too, we’ll need it for the next question.
Question 2: To eradicate the malware, what is the exact file path of the process executable?
Awesome! Now that we have uncovered the malicious executable, let’s find out more about it by determining its file path on the victim’s device.
Back in Volatility, we’ll use the windows.cmdline plugin this time which allows us to view not only the process command line arguments but also the executable file path of the process.
To make it easier, let’s use grep to show us only the results with the process ID (PID) of ChromeSetup.exe. We’ll find this information in the pslist output from Question 1 in the far left column.
vol3 -f memory.dmp windows.cmdline | grep 4628
There we go! The executable is in the victim’s Downloads folder. It appears that the victim was searching for the Google Chrome browser, encountered a malicious link, and inadvertently downloaded and executed the malware on their system.
Question 3:
Identifying network connections is crucial for understanding the malware’s communication strategy. What is the IP address it attempted to connect to?
Continuing with the malware analysis, we need to identify any network connections the malware made to find the second stage or command and control (C2) server.
For this part, we’ll use Volatility’s windows.netscan plugin to scan the network artifacts in the image. Using grep again, we’ll filter the results to only show those matching the malicious PID.
vol3 -f memory.dmp windows.netscan | grep 4628The downside is that you won’t see the column names in the output, but you can refer to the screenshot below for reference.
Once we run the command, the table reveals that the malware is communicating with an external IP address seen in the ForeignAddr column. This is the IP address of the command and control (C2) server that we’re looking for!
Question 4: To pinpoint the geographical origin of the attack, which city is associated with the IP address the malware communicated with?
Now that we’ve discovered the malware infrastructure’s IP address, we’ll pivot and gather geolocation intelligence about it. For a higher degree of confidence, let’s check a couple of geolocation services since the location data results can vary depending on the method the database provider uses to determine the location.
Starting with VirusTotal, we can tentatively determine that the IP address is located in Hong Kong.
Next, we’ll check ipinfo.io for added validation:
Double-confirmed! Although we could continue checking with various geolocation and threat intelligence services, we’ve already found our answer for the purposes of this challenge.
Question 5: Hashes provide a unique identifier for files, aiding in detecting similar threats across machines. What is the SHA1 hash of the malware’s executable?
Next, we need to find the SHA1 hash of the malware executable so that we can gather more intelligence and perform further analysis to understand its impact.
The first step to obtain the file hash is to extract the executable from the memory dump. For this, we can leverage Volatility’s windows.dumpfiles plugin to dump file contents from the image. Use the syntax below, specifying an output directory for the dump and the PID of the ChromeSetup.exe process we found in Question 1.
vol3 -f memory.dmp -o <YOUR OUTPUT DIRECTORY> windows.dumpfiles --pid 4628
As the process completes, check the terminal output for the files that are being dumped to confirm that ChromeSetup.exe was extracted and note the corresponding file name on the right side (file.0xca82b85325a0… ).
Now, we can list the contents of the output directory to confirm that the extraction was successful. Finally, use the sha1sum command to calculate hash of the executable:
Awesome! Now that we have the SHA1 hash, we can answer Question 5. But, let’s take this a step further and jump over to VirusTotal to check if the sample, identified by the unique hash we extracted, has been previously analyzed:
Submitting the hash to VirusTotal confirms that this file is malicious and detected by most scanning engines on the platform. Let’s continue to the next question and learn more about the malware.
Question 6: Understanding the malware’s development timeline can offer insights into its deployment. What is the compilation UTC timestamp of the malware?
Since we already have the VirusTotal report for the malware open, we can use the existing analysis results on the platform to check the Creation Time value from the Details tab.
Question 7: Identifying domains involved with this malware helps in blocking future malicious communications and identifying current possible communications with that domain in our network. Can you provide the domain related to the malware?
We’ve made it to the last question! We’ll continue using the VirusTotal report to identify any domains that the malware contacts by navigating to the Relations Tab and then scroll down to Contacted Domains.
Between the IP address, SHA1 hash, and domain, we have a comprehensive list of indicators of compromise (IOCs) that we can use to hunt for the malware in the environment and block it. Let’s submit the final answer and wrap this investigation!
Conclusion:
Mission accomplished! With the help of Volatility, we successfully identified the malicious process, hunted for the malware path and file hash, and uncovered the IP addresses and domains the malware communicates with. With the objectives completed and a comprehensive list if IOCs in-hand, let’s close out this walkthrough of the Ramnit Lab!
A big thank you to CyberDefenders for another engaging and challenging lab. This lab was a great example of the importance of memory dump analysis during DFIR cases and showcased some excellent scenarios for analyzing memory artifacts. Hands-on practice with forensic tools through labs can be extremely beneficial, and every time I try a new challenge with Volatility, I discover some cool and new uses of the tool that makes it much more efficient the next time I need it. Practice makes perfect!
Remember if you found this walkthrough helpful in leveling up your skills or getting you through a tricky question, don’t forget to give it a clap. Your feedback is invaluable and helps me create content that supports your journey in cybersecurity. We’re in this together. Thanks for the support!
Until next week’s challenge — stay curious and be safe out there!
Tools & References:
REMnux: https://remnux.org/
Volatility 3: https://github.com/volatilityfoundation/volatility3
SANS Hunt Evil Poster: https://www.sans.org/posters/hunt-evil/
Volatility Command Reference: https://github.com/volatilityfoundation/volatility/wiki/command-reference
ipinfo.io: https://ipinfo.io/
VirusTotal — C2 IP: https://www.virustotal.com/gui/ip-address/58.64.204.181/details
VirusTotal — Malware Sample: https://www.virustotal.com/gui/file/1ac890f5fa78c857de42a112983357b0892537b73223d7ec1e1f43f8fc6b7496/details
