Memory analysis has become very useful for malware hunting and investigation. Redline is a tool for analyzing memory samples collected from a live host or from a remote system.
In this lab, we will cover the steps to perform memory analysis of malware and other malicious programs using Redline. We will use several memory samples taken from malware-infected systems.
Memory samples to use in Lab:
- Labs_raw.img
- Lab.mans
- Lab_Handles.mans
- Lab_Hooks.mans
- Lab_Hooks_raw.img
The lab also includes an IOC that can be used directly in the section “Using IOC to automate the process in Redline”.
Note: the .mans files are saved Redline analysis sessions of the various memory samples. We will use them directly within Redline to discover malicious artifacts, which also saves the considerable time that loading a raw memory image takes.
In this section we will see how both a raw image and a saved .mans file can be loaded into Redline for analysis.
Loading a raw image in Redline
- Install Redline
- Launch Redline from the Windows Start menu. The following Redline interface will open.
- For the raw memory image, we will see how to load the image ‘conficker.img’.
- In the dialog box below, browse to the location where the raw image is saved on your local machine.
- Click Next
- Select the checkbox for strings.
- Click Ok.
- Specify the name of the analysis session, ‘Infosec_Institute_Lab_Analysis’, and the location where the analysis session results will be stored.
- Click Ok.
- Redline will then prepare the session for analysis. Confirm that a folder has been created with the session name specified in step 10. Loading of the raw memory image will look like this.
At this point, the raw memory dump is loaded in Redline for further analysis.
- On successful loading, the following screen will appear. Confirm that Processes, Driver Modules, etc. can be seen on the left-hand side.
Opening a saved mans file
Redline saves the analysis of any file in .mans format. The steps below outline how to open a .mans file in Redline.
- In this section, we will use the Lab.mans file.
- A .mans file can be opened in Redline either from the Redline Home page or from the Redline Launch page. In this section, we will load the .mans file from the Home page. If the .mans file needs to be loaded from the Launch page instead, perform this step:
From the Launch page, click “Open Previous Analysis” and locate the .mans file to be loaded.
Click here to download the files associated with this article: https://drive.google.com/folderview?id=0B4V9rO4-QhMDMFBkRDhEU0xJX00&usp=sharing
- From the Redline Home page, click the Redline icon in the top-left corner, as shown below, and click “Open a Saved Analysis”.
- Browse to the saved .mans file location and click Open.
- This process is much faster, and the screen below will appear after opening the saved analysis, much like that of the raw image.
Analyzing Processes using Redline
- For this section, we will keep using the Lab.mans file loaded in the previous section, “Opening a saved mans file”.
- After loading, Redline gives a view of all the artifacts that can be analyzed from a memory sample:
- Processes
- Handles
- Memory Sections
- Strings
- Hierarchical Processes
- Hooks
Now we will analyze each of these artifacts in Redline.
- Click on Processes. It shows all the processes that were in memory when the image was acquired.
- Redline has built-in signatures with which it classifies a process as malicious and “redlines” it. In the screenshot above, we can see that two processes are redlined.
- Redline also gives each process a Malware Risk Index (MRI) score. The higher the score, the more likely the process is malicious. Both redlined processes have MRI scores of 97 and 94, which is highly suspicious.
- Click on “Redlined Processes” to see only the redlined processes.
- Double-click on the redlined process ‘svchost.exe’. It will open details about the process.
- Click on the MRI tab at the bottom. The MRI report shows up.
- It also tells us why it awarded that MRI score to this process. In this case it says:
- About 47 percent of the factors associated with this process are negative.
Analyzing Network Connection using Redline
Normally, once malware is running on a system, it contacts its C&C server to retrieve its payload, to infect other systems on the same network, etc. Analyzing the network connections can therefore be very beneficial during memory analysis.
- We will continue analyzing the Lab_Handles.mans file.
- We can see all the connections that existed while the memory was being captured.
- We can see that the process ‘System’, PID 4, is making a connection to 94.247.2.107 over port 80. It is very common for malware to hide its connections in plain sight. Why does it choose port 80? Because it is usually open within organizations and the least scrutinized.
- A Google search for the IP 94.247.2.107 confirms that it is listed in association with the TDSS worm.
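The same triage can be scripted once the connection list has been exported from Redline. The following is an added example, not Redline output or code from the article: the SAMPLE_CONNECTIONS table is constructed to mirror the finding above (System, PID 4, connected to 94.247.2.107:80), and the EXPECTED_WEB_CLIENTS allowlist is a placeholder to be tuned for the environment being analyzed. It flags a kernel System process talking to a public host and, more generally, web-port traffic to public hosts from processes that are not known web clients, which is exactly the “hiding on port 80” pattern the text describes.

```python
"""Triage of the network connections recovered from a memory image.

Added example, not Redline output: SAMPLE_CONNECTIONS is constructed to mirror the
Lab_Handles.mans finding (System, PID 4, connected to 94.247.2.107:80).
"""
import ipaddress
from typing import List, Tuple

# Constructed sample in the shape of Redline's Ports view:
# (process, pid, local address, remote address, remote port, state)
SAMPLE_CONNECTIONS = [
    ("System",       4,    "192.168.30.130", "94.247.2.107",   80,  "ESTABLISHED"),
    ("svchost.exe",  1028, "192.168.30.130", "192.168.30.1",   53,  "ESTABLISHED"),
    ("Explorer.EXE", 1928, "192.168.30.130", "192.168.30.129", 445, "ESTABLISHED"),
    ("lsass.exe",    680,  "0.0.0.0",        "0.0.0.0",        0,   "LISTENING"),
]

# Processes expected to reach web ports on public hosts (placeholder allowlist, assumed).
# Anything else on 80/443 deserves a second look because, as the text notes, port 80 is
# open almost everywhere and rarely inspected.
EXPECTED_WEB_CLIENTS = {"iexplore.exe", "firefox.exe", "chrome.exe", "svchost.exe"}


def is_public(ip: str) -> bool:
    """True for a routable Internet address (not RFC 1918, loopback, link-local, ...)."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_unspecified or addr.is_reserved)


def triage_connections(conns) -> List[Tuple[int, str, str, str]]:
    """Return (pid, process, remote endpoint, reason) for connections that merit review."""
    findings = []
    for proc, pid, _local, remote, rport, state in conns:
        if state != "ESTABLISHED":
            continue  # listeners and half-open sockets are reviewed separately
        endpoint = f"{remote}:{rport}"
        # Rule 1: the kernel process (System, PID 4) does originate SMB traffic to
        # neighbouring hosts, but an established session with a public Internet host
        # is not normal and is the exact pattern seen in the lab image.
        if proc.lower() == "system" and pid == 4 and is_public(remote):
            findings.append((pid, proc, endpoint,
                             "System (PID 4) connected to a public host"))
        # Rule 2: web ports to a public host from a process that is not a known web client.
        elif (rport in (80, 443) and is_public(remote)
              and proc.lower() not in EXPECTED_WEB_CLIENTS):
            findings.append((pid, proc, endpoint,
                             "unexpected process using a web port to a public host"))
    return findings


if __name__ == "__main__":
    for pid, proc, endpoint, reason in triage_connections(SAMPLE_CONNECTIONS):
        print(f"PID {pid:<5} {proc:<14} -> {endpoint:<22} {reason}")
```

Only the System connection is reported for the sample table; the DNS and SMB sessions stay inside the private range and are left alone. Pivoting the flagged address into threat intelligence, as the article does with a search for 94.247.2.107, is the next step and is deliberately left outside this offline script.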
Analyzing Strings using Redline
Since we selected the strings option earlier while loading the image, we can search for strings in the memory file.
- We will continue analyzing the Lab_Handles.mans file.
- Expand Processes and click on Strings.
- Search for ‘http://’. It will show all the strings scattered around memory that contain http://. Below we can see that process 1928, Explorer.EXE, connects to 192.168.30.129 with the user foo and traverses to a malware directory. This looks suspicious.
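Redline's Strings view is doing two things here: carving printable runs out of raw memory and letting the analyst filter them. The following added example (not code from the article or from Redline) reproduces both steps over a constructed byte buffer so the behaviour is visible: it carves ASCII and UTF-16LE strings, pulls URLs out of them, and breaks each URL into the parts worth pivoting on (host, embedded username, path). The buffer, the credentialed URL foo@192.168.30.129 and the host evil.example are constructed values, not content of the lab image.

```python
"""Carve printable strings from raw memory and hunt for URLs in them.

Added example, independent of Redline's own Strings view. SAMPLE_MEMORY is a
constructed byte buffer (not a page from the lab image); the embedded hosts
foo@192.168.30.129 and evil.example are constructed values.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed memory fragment: PE header debris, an ASCII URL carrying a username, a
# file path, a UTF-16LE URL (Windows APIs store most strings this way) and a benign URL.
SAMPLE_MEMORY = (
    b"\x00\x00MZ\x90\x00\x03\x00\x00\x00"
    + b"http://foo@192.168.30.129/share/malware/\x00\x00"
    + b"C:\\Windows\\explorer.exe\x00\x01\x02"
    + "http://evil.example/gate.php".encode("utf-16-le") + b"\x00\x00"
    + b"\xff\xfeno\x00http://www.microsoft.com/\x00"
)

ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")            # 4+ printable ASCII bytes
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")    # 4+ printable UTF-16LE code units
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def carve_strings(buf: bytes):
    """Yield (offset, encoding, text) for ASCII and UTF-16LE runs, like a strings tool."""
    for m in ASCII_RE.finditer(buf):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16_RE.finditer(buf):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")


def host_kind(host: str) -> str:
    """Classify a URL host as a domain name, a private IP or a public IP."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "domain"
    return "private-ip" if addr.is_private else "public-ip"


def find_urls(buf: bytes):
    """Return one finding per URL, in memory order, with the parts an analyst pivots on."""
    findings = []
    for offset, enc, text in carve_strings(buf):
        for url in URL_RE.findall(text):
            parts = urlsplit(url)
            host = parts.hostname or ""
            findings.append({
                "offset": offset,
                "encoding": enc,
                "url": url,
                "host": host,
                "host_kind": host_kind(host),
                "username": parts.username,   # credentials inside a URL are a red flag
                "path": parts.path,
            })
    findings.sort(key=lambda f: f["offset"])
    return findings


def suspicious(findings):
    """Keep URLs that embed credentials or reference a 'malware' path, as in the lab."""
    return [f for f in findings if f["username"] or "malware" in f["path"].lower()]


if __name__ == "__main__":
    for f in find_urls(SAMPLE_MEMORY):
        print(f"0x{f['offset']:06x} {f['encoding']:<8} {f['host_kind']:<10} {f['url']}")
    print("suspicious:", [f["url"] for f in suspicious(SAMPLE_MEMORY and find_urls(SAMPLE_MEMORY))])
```

The UTF-16LE pass matters in practice: a search for the literal bytes `http://` misses every URL a Windows API stored as wide characters, which is why string tools (and Redline's strings collection) carve both encodings. The `suspicious` filter is intentionally crude, mirroring the article's manual reasoning; real triage would add domain allowlists and threat-intelligence lookups.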
Analyzing Handles in Redline
- In this section, we will analyze handles using the Lab_Handles.mans file. Follow the steps outlined in the “Opening a saved mans file” section above to load Lab_Handles.mans.
- The screen below shows all the handles present in memory at the time it was acquired.
- There are many kinds of handle objects, such as file handles, directory handles, registry handles, mutants, etc. In the next step, we will look at mutant handles.
- Click on Mutant handles; it will show all the mutants present in memory.
- We see the mutant named _!MSFTHISTORY!_, which is a known mutant for TDSS malware.
Analyzing Memory Sections using Redline
In Redline, we can analyze memory sections to look for injected code.
- In this section, we will continue analyzing Lab_Handles.mans file.
- We will see all the memory sections available in memory.
- Click on “Injected Memory Sections”.
- Below we can see that PID 1980 has injected code.
Analyzing Hierarchical Processes using Redline
In Redline, we can see the parent-child relationship between processes. This is beneficial when analyzing a process to see which process spawned it, and it also gives an indication of what happens when the system boots.
- Click on Hierarchical Processes on the left-hand side.
- As we can see below, it shows the parent-child relationship among the processes.
Analyzing Hooks using Redline
Malware usually hooks kernel structures such as the System Service Descriptor Table (SSDT), the IDT and IRP handlers to take broader control over the system. In this section, we will see how Redline can be used to analyze these hooks.
- In this section, we will use the LAB_Hooks.mans file. Follow the steps outlined in the “Opening a saved mans file” section above to load LAB_Hooks.mans.
- The screen below shows all hooks for this memory image.
- We can filter by a specific type of hook, such as SSDT, IDT or IRP hooks.
Note that although Redline gives the Trust Status “Undetermined”, it is highly suspicious to have a driver called burito24b1-1710.sys on a system.
- A Google search on burito24b1-1710.sys reveals that it has already been submitted to malwr.com.
Using third-party tools greatly enhances memory analysis.
- Click on IRP hooks to see which system drivers have been hooked.
- Here we can see that burito24b1-1710.sys has hooked tcpip.sys.
Using IOC to automate the process in Redline
Automating the process with Indicators of Compromise (IOCs) is a very useful Redline feature. IOCs are usually shared among the security community, so collecting them and running them against an acquired memory image will give us hits if they match.
As we saw above for LAB_Hooks, the driver burito24b1-1710.sys was not recognized as malicious under SSDT by Redline, but since we know it is malicious, let’s make an IOC and run it against the Lab_Hooks.mans file.
We will be using Mandiant IOC builder to create an IOC.
- Create a directory ‘IOC’ where the IOCs will be stored.
- Open the Mandiant IOC builder and select the folder created in step 1.
- Give a description for this IOC, as below.
- Enter the details of the driver as seen in the LAB_Hooks.mans file.
- Click ADD
- Click Item > Hook > Hook Hooked Module.
- Below is the final signature for this IOC.
- Click Save to save this IOC to the folder created in Step 1 of this section.
- Open Redline > Open Saved Memory.
- Browse to the location of the raw memory image and the IOC created above.
- Select the IOC listed to see its description as well.
- Click Next
- Follow steps 7-11 as listed in the section “Loading a raw image in Redline” (name the folder to save the analysis “Infosec_Institute_Lab_Hooks”).
- Once loaded, the IOC report will keep running in the background.
- Upon completion, browse to the folder ‘Infosec_Institute_Lab_Hooks’.
- Open Infosec_Institute_Lab_Hooks > IOCs > IOCReport > Hits > *.html
- As we can see below, based on our indicator Redline reports the following hits, which is exactly what we saw in the SSDT and IRP hooks earlier.
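The IOC Editor produces an OpenIOC XML document and Redline evaluates its indicator items against the collected artifacts; the hits above are the records for which the definition matched. The following added example (not code from the article, IOC Editor or Redline) builds such a document for the burito24b1-1710.sys driver and then runs it against a constructed set of hook records to show how a hit is produced. Assumptions: the OpenIOC 1.0 namespace and the `HookItem/HookingModule` and `HookItem/HookedModule` search paths are the author's understanding of the schema (compare against an IOC saved by IOC Editor); the example indexes both fields so the hit does not depend on which column carries the driver name; the condition handling is a simplification (`is` as case-insensitive equality, `contains` as substring); the hook records, including the hooked function names, are constructed, not read from LAB_Hooks.mans.

```python
"""Build an OpenIOC indicator for a hooking driver and evaluate it against hook records.

Added example, not Redline or IOC Editor code. The namespace and HookItem search
paths follow the OpenIOC 1.0 schema as understood by the author (an assumption);
HOOK_RECORDS is constructed to resemble Redline's Hooks view, not real lab data.
"""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

IOC_NS = "http://schemas.mandiant.com/2010/ioc"
ET.register_namespace("", IOC_NS)

DRIVER = "burito24b1-1710.sys"   # the driver identified in the LAB_Hooks walkthrough

# Constructed records shaped like rows of Redline's Hooks view (field names assumed).
HOOK_RECORDS = [
    {"HookItem/HookDescription": "IRP hook", "HookItem/HookingModule": DRIVER,
     "HookItem/HookedModule": "tcpip.sys", "HookItem/HookedFunction": "IRP_MJ_DEVICE_CONTROL"},
    {"HookItem/HookDescription": "SSDT hook", "HookItem/HookingModule": DRIVER,
     "HookItem/HookedModule": "ntoskrnl.exe", "HookItem/HookedFunction": "NtEnumerateKey"},
    {"HookItem/HookDescription": "SSDT hook", "HookItem/HookingModule": "benign_filter.sys",
     "HookItem/HookedModule": "ntoskrnl.exe", "HookItem/HookedFunction": "NtCreateFile"},
]


def _tag(name: str) -> str:
    return f"{{{IOC_NS}}}{name}"


def build_ioc(short_description: str, description: str, items, operator: str = "OR") -> bytes:
    """Serialize an OpenIOC document; items is an iterable of (search_path, condition, value)."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")
    ioc = ET.Element(_tag("ioc"), {"id": str(uuid.uuid4()), "last-modified": now})
    ET.SubElement(ioc, _tag("short_description")).text = short_description
    ET.SubElement(ioc, _tag("description")).text = description
    ET.SubElement(ioc, _tag("authored_by")).text = "memory analysis lab"
    ET.SubElement(ioc, _tag("authored_date")).text = now
    definition = ET.SubElement(ioc, _tag("definition"))
    indicator = ET.SubElement(definition, _tag("Indicator"),
                              {"operator": operator, "id": str(uuid.uuid4())})
    for search, condition, value in items:
        item = ET.SubElement(indicator, _tag("IndicatorItem"),
                             {"id": str(uuid.uuid4()), "condition": condition})
        # The document is the first path component (HookItem, ProcessItem, ...).
        ET.SubElement(item, _tag("Context"),
                      {"document": search.split("/", 1)[0], "search": search, "type": "mir"})
        ET.SubElement(item, _tag("Content"), {"type": "string"}).text = value
    return ET.tostring(ioc, encoding="utf-8", xml_declaration=True)


def parse_ioc(xml_bytes: bytes):
    """Return (operator, [ {search, condition, content} ]) from the top-level Indicator."""
    root = ET.fromstring(xml_bytes)
    indicator = root.find(f"{_tag('definition')}/{_tag('Indicator')}")
    items = []
    for item in indicator.findall(_tag("IndicatorItem")):
        ctx = item.find(_tag("Context"))
        items.append({"search": ctx.get("search"), "condition": item.get("condition"),
                      "content": item.findtext(_tag("Content"))})
    return indicator.get("operator", "OR"), items


def item_matches(item, record) -> bool:
    """Simplified OpenIOC semantics: 'is' = case-insensitive equality, 'contains' = substring."""
    value = record.get(item["search"])
    if value is None:
        return False
    needle, hay = item["content"].lower(), str(value).lower()
    if item["condition"] == "is":
        return hay == needle
    if item["condition"] == "contains":
        return needle in hay
    raise ValueError(f"unsupported condition {item['condition']!r}")


def scan(xml_bytes: bytes, records):
    """Return (record index, hook description, matched search paths) for every hit."""
    operator, items = parse_ioc(xml_bytes)
    combine = any if operator == "OR" else all
    hits = []
    for idx, record in enumerate(records):
        results = [item_matches(item, record) for item in items]
        if combine(results):
            matched = [item["search"] for item, ok in zip(items, results) if ok]
            hits.append((idx, record.get("HookItem/HookDescription", "?"), matched))
    return hits


# The lab IOC: the driver name checked in both the hooking and the hooked module field.
LAB_IOC = build_ioc("burito24b1-1710.sys kernel hooks",
                    "Driver seen hooking the SSDT and tcpip.sys IRPs in LAB_Hooks.mans",
                    [("HookItem/HookingModule", "is", DRIVER),
                     ("HookItem/HookedModule", "is", DRIVER)])

if __name__ == "__main__":
    print(LAB_IOC.decode("utf-8"))
    for idx, kind, matched in scan(LAB_IOC, HOOK_RECORDS):
        print(f"HIT record {idx}: {kind} via {', '.join(matched)}")
```

Run against the sample records, the IRP hook on tcpip.sys and the SSDT hook both match on `HookItem/HookingModule`, while the unrelated filter driver produces no hit, which is the same picture the article's IOCReport shows for the SSDT and IRP hooks. Because the indicator uses an `OR` at the top level, adding the `_!MSFTHISTORY!_` mutant from the handles section as a further item would let one IOC express everything this lab found about the TDSS infection.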
As we can see, Redline is a powerful tool to analyze memory samples for malware hunting.