9. Inspecting Registry

From a forensics perspective, the registry can provide valuable information about the context of the malware. While discussing the persistence methods in Chapter 7, Malware Functionalities and Persistence, you saw how malicious programs add entries to the registry to survive a reboot. In addition to persistence, malware uses the registry to store configuration data, encryption keys, and so on. To print a registry key, its subkeys, and its values, use the printkey plugin and supply the desired key path with the -K (--key) argument. printkey searches every hive it finds in memory for that path, so the path is written relative to the hive root: inside the SOFTWARE hive the autorun key is Microsoft\Windows\CurrentVersion\Run, whereas inside a user's ntuser.dat the same key is Software\Microsoft\Windows\CurrentVersion\Run. In the following example, taken from a memory image infected with Xtreme RAT, the malware has added the malicious executable C:\Windows\InstallDir\system.exe to the Run registry key. As a result, the malicious executable is executed every time the system starts:

$ python vol.py -f xrat.vmem --profile=Win7SP1x86 printkey -K "Microsoft\Windows\CurrentVersion\Run"
Volatility Foundation Volatility Framework 2.6
Legend: (S) = Stable (V) = Volatile

----------------------------
Registry: \SystemRoot\System32\Config\SOFTWARE
Key name: Run (S)
Last updated: 2018-04-22 06:36:43 UTC+0000

Subkeys:

Values:
REG_SZ        VMware User Process : (S) "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
REG_EXPAND_SZ HKLM                : (S) C:\Windows\InstallDir\system.exe

In the following example, the DarkComet RAT adds an entry to the Run key of the Administrator's ntuser.dat hive so that its malicious DLL (mph.dll) is loaded via rundll32.exe at every logon. Note that the value name, Adobe cleanup, is chosen to look like a legitimate updater:

$ python vol.py -f darkcomet.vmem --profile=Win7SP1x86 printkey -K "Software\Microsoft\Windows\CurrentVersion\Run"
Volatility Foundation Volatility Framework 2.6
Legend: (S) = Stable (V) = Volatile

----------------------------
Registry: \??\C:\Users\Administrator\ntuser.dat
Key name: Run (S)
Last updated: 2016-09-23 10:01:53 UTC+0000

Subkeys:

Values:
REG_SZ        Adobe cleanup       : (S) rundll32.exe "C:\Users\Administrator\Local Settings\Application Data\Adobe updater\mph.dll", StartProt
----------------------------
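Reading two Run values by eye is easy; a full autorun sweep over several hives is not. The script below is an added example (it is not part of the book and not Volatility code): it parses the value lines that printkey prints, pulls out the executable that actually runs (following rundll32.exe and similar proxy loaders to the module they load), and flags the traits seen in the two listings above: a DLL loaded from a user-writable profile directory, an executable dropped in a made-up folder under C:\Windows, and a value name that mimics a hive name. The sample input is transcribed from the two listings on this page with backslashes restored; the flag heuristics are this example's own assumptions, not Volatility output.

```python
import re
from pathlib import PureWindowsPath

# Volatility printkey prints each value as:  <type>  <name> : (S|V) <data>
VALUE_RE = re.compile(r"^(REG_\w+)\s+(.*?)\s*:\s*\(([SV])\)\s*(.*)$")
# Split command-line data into quoted and unquoted tokens.
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')

# Binaries that execute someone else's code; the interesting path is their first argument.
PROXY_LOADERS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
# Heuristic markers for locations a non-admin user (or a dropper) can write to. (Assumption.)
USER_WRITABLE_MARKERS = ("\\users\\", "\\documents and settings\\", "\\appdata\\",
                         "\\local settings\\", "\\temp\\", "\\programdata\\")
HIVE_LIKE_NAMES = {"hklm", "hkcu", "hkey_local_machine", "hkey_current_user"}
EXPECTED_WINDOWS_SUBDIRS = {"system32", "syswow64"}

# Constructed sample: the two Run-key listings from this page, backslashes restored.
SAMPLE_PRINTKEY_OUTPUT = r"""
Registry: \SystemRoot\System32\Config\SOFTWARE
Key name: Run (S)
Values:
REG_SZ        VMware User Process : (S) "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
REG_EXPAND_SZ HKLM                : (S) C:\Windows\InstallDir\system.exe
Registry: \??\C:\Users\Administrator\ntuser.dat
Key name: Run (S)
Values:
REG_SZ        Adobe cleanup       : (S) rundll32.exe "C:\Users\Administrator\Local Settings\Application Data\Adobe updater\mph.dll", StartProt
"""


def tokenize(data: str) -> list:
    """Split value data into tokens, honouring double quotes around paths with spaces."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(data)]


def extract_target(data: str):
    """Return (loader, path): the binary that runs, or the module a proxy loader is told to load."""
    tokens = tokenize(data)
    if not tokens:
        return None, None
    first_name = PureWindowsPath(tokens[0]).name.lower()
    if first_name in PROXY_LOADERS and len(tokens) > 1:
        # e.g. rundll32.exe "C:\...\mph.dll", StartProt -> the DLL is what matters
        return first_name, tokens[1].rstrip(",")
    return None, tokens[0].rstrip(",")


def flag_path(value_name: str, loader, target: str) -> list:
    """Apply the example's triage heuristics to one autorun entry."""
    flags = []
    path = PureWindowsPath(target)
    lowered = target.lower()
    if loader:
        flags.append(f"proxy loader {loader}")
    if any(marker in lowered for marker in USER_WRITABLE_MARKERS):
        flags.append("user-writable path")
    if path.drive and path.drive.upper() != "C:":
        flags.append(f"non-system drive {path.drive}")
    parts = [p.lower() for p in path.parts]  # ('C:\\', 'Windows', 'InstallDir', 'system.exe')
    if len(parts) >= 4 and parts[1] == "windows" and parts[2] not in EXPECTED_WINDOWS_SUBDIRS:
        flags.append("unusual directory under \\Windows")
    if value_name.lower() in HIVE_LIKE_NAMES:
        flags.append("hive-like value name")
    return flags


def triage_run_values(printkey_output: str) -> list:
    """Parse printkey value lines and return one finding per autorun value."""
    findings = []
    for line in printkey_output.splitlines():
        match = VALUE_RE.match(line.strip())
        if not match:
            continue  # hive, key-name, subkey and separator lines are not values
        vtype, name, stability, data = match.groups()
        loader, target = extract_target(data)
        if target is None:
            continue
        findings.append({"type": vtype, "name": name, "stable": stability == "S",
                         "loader": loader, "path": target,
                         "flags": flag_path(name, loader, target)})
    return findings


if __name__ == "__main__":
    for finding in triage_run_values(SAMPLE_PRINTKEY_OUTPUT):
        verdict = ", ".join(finding["flags"]) or "nothing unusual"
        print(f"{finding['name']!r:24} -> {finding['path']}  [{verdict}]")
```

To use it on a real image, pipe `vol.py ... printkey -K "..."` output for each hive into `triage_run_values`; the entries with no flags are the ones you can deprioritise, not the ones you can ignore, since a legitimate-looking path under Program Files still needs its hash checked.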

Other registry keys store valuable information in binary form that is hard to read with printkey alone. Volatility plugins such as userassist, shellbags, and shimcache parse these binary-valued keys and display the information in a much more readable format.

The UserAssist registry key records the programs a user has launched on the system, together with a run count and the time of the last execution. The value names are stored ROT13-encoded, and Volatility's userassist plugin decodes them and parses the binary data, as shown here. In the following example, a suspiciously named executable (info.doc.exe, a document-like name with an executable extension) was run once from the E: drive (possibly a USB drive) at 2018-04-30 06:42:37:

$ python vol.py -f inf.vmem --profile=Win7SP1x86 userassist
Volatility Foundation Volatility Framework 2.6
----------------------------
Registry: \??\C:\Users\test\ntuser.dat

[REMOVED]

REG_BINARY E:info.doc.exe :
Count: 1
Focus Count: 0
Time Focused: 0:00:00.500000
Last updated: 2018-04-30 06:42:37 UTC+0000
Raw Data:
0x00000000 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00
0x00000010 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf
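The plugin output above shows the decoded name and the fields it parses, but not how they sit in the value data. The parser below is an added example (not part of the book and not Volatility code) that does the same work on a Windows 7 style record: it ROT13-decodes the value name and reads the run count, focus count, focus time and FILETIME of last execution, then applies two triage checks suggested by the listing above (a non-C: drive letter and a document-style double extension). The 72-byte layout used here (four uint32 fields at offset 0x00, ten floats at 0x10, FILETIME at 0x3C) is this example's assumption about the Windows 7+ format; the raw dump on the page only shows the first 32 bytes, so the record below is constructed rather than copied from the image. Note that the parser reports the focus-time field as stored, which in the page's dump is zero.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-ns ticks since 1601-01-01 UTC; this is the tick offset to the Unix epoch.
FILETIME_UNIX_EPOCH = 116444736000000000
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Assumed Windows 7+ UserAssist record layout (72 bytes):
#   0x00 session id, 0x04 run count, 0x08 focus count, 0x0C focus time in ms (uint32 each)
#   0x10 ten floats (the 00 00 80 bf = -1.0 values visible in the page's dump)
#   0x3C FILETIME of last execution, 0x44 padding
WIN7_RECORD_SIZE = 0x48
HEADER_FMT = "<4I"
FILETIME_OFFSET = 0x3C

DOCUMENT_EXTS = {"doc", "docx", "pdf", "xls", "xlsx", "txt", "jpg", "png"}
EXEC_EXTS = {"exe", "scr", "com", "pif"}


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a 64-bit FILETIME to a timezone-aware UTC datetime (integer maths, no float drift)."""
    seconds, ticks = divmod(ft - FILETIME_UNIX_EPOCH, 10_000_000)
    return UNIX_EPOCH + timedelta(seconds=seconds, microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used here to build the constructed sample record."""
    delta = dt - UNIX_EPOCH
    return ((delta.days * 86400 + delta.seconds) * 10_000_000
            + delta.microseconds * 10 + FILETIME_UNIX_EPOCH)


def decode_userassist_name(value_name: str) -> str:
    """UserAssist value names are ROT13-obfuscated paths, e.g. 'R:\\vasb.qbp.rkr'."""
    return codecs.decode(value_name, "rot_13")


def has_document_double_extension(path: str) -> bool:
    """True for names like info.doc.exe: a document extension hiding in front of an executable one."""
    parts = path.rsplit("\\", 1)[-1].lower().split(".")
    return len(parts) >= 3 and parts[-1] in EXEC_EXTS and parts[-2] in DOCUMENT_EXTS


def parse_userassist_entry(value_name: str, data: bytes) -> dict:
    """Decode one UserAssist value (name + binary data) into the fields an analyst wants."""
    if len(data) < WIN7_RECORD_SIZE:
        raise ValueError(f"expected at least {WIN7_RECORD_SIZE} bytes, got {len(data)}")
    session, count, focus_count, focus_ms = struct.unpack_from(HEADER_FMT, data, 0)
    (last_run_ft,) = struct.unpack_from("<Q", data, FILETIME_OFFSET)
    path = decode_userassist_name(value_name)
    drive = path[:2] if len(path) > 1 and path[1] == ":" else None
    return {
        "path": path,
        "session": session,
        "count": count,
        "focus_count": focus_count,
        "focus_ms": focus_ms,
        "last_run": filetime_to_datetime(last_run_ft) if last_run_ft else None,
        "drive": drive,
        "non_system_drive": drive is not None and drive.upper() != "C:",
        "double_extension": has_document_double_extension(path),
    }


def build_sample_record(count: int, focus_count: int, focus_ms: int, last_run: datetime) -> bytes:
    """Constructed test record in the assumed Windows 7 layout (not bytes from the page's image)."""
    record = bytearray(WIN7_RECORD_SIZE)
    struct.pack_into(HEADER_FMT, record, 0, 0, count, focus_count, focus_ms)
    struct.pack_into("<10f", record, 0x10, *([-1.0] * 10))
    struct.pack_into("<Q", record, FILETIME_OFFSET, datetime_to_filetime(last_run))
    return bytes(record)


if __name__ == "__main__":
    # The page's example, rebuilt: one run of E:\info.doc.exe at 2018-04-30 06:42:37 UTC.
    sample = build_sample_record(1, 0, 0, datetime(2018, 4, 30, 6, 42, 37, tzinfo=timezone.utc))
    entry = parse_userassist_entry("R:\\vasb.qbp.rkr", sample)
    for key, value in entry.items():
        print(f"{key:18}: {value}")
```

When running this against a real hive, remember that most value names carry a known-folder GUID prefix (also ROT13-encoded) before the path, so decode first and then strip the prefix before applying the drive and extension checks.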

The shimcache and shellbags plugins are also useful when investigating a malware incident. The shimcache plugin parses the Application Compatibility cache, which records the paths of executables the system has seen; it can show that a malicious binary existed on the system even after it has been deleted, but bear in mind that the timestamp it stores is the file's last-modified time rather than the time of execution. The shellbags plugin parses the folder-view data Explorer keeps and gives information about the files, folders, external storage devices, and network resources the user accessed.