LAB 6: MEMORY FORENSICS - VOLATILITY ANALYSIS

CyberOps Week 7

Objectives

1. Identify the OS profile using imageinfo
   Hint: volatility -f memory.dmp imageinfo
   Pick one of the suggested profiles and use it in every later command. The plugins below read kernel structures at profile-specific offsets, so with the wrong profile they return nothing or nonsense rather than an error.
2. List running processes with pslist
   Hint: volatility -f memory.dmp --profile=Win10x64_19041 pslist
   pslist walks the active-process linked list, so a process a rootkit has unlinked will not appear; cross-check against psscan (which scans memory for process pool tags) and use pstree for the parent/child view.
3. Identify suspicious process
   Hint: Look for unusual or near-misspelled process names, unexpected parent/child relationships (for example, svchost.exe should only ever be started by services.exe), odd start times, and processes that have no reason to be running on this host. Note the PID; the remaining steps need it.
4. Check network connections with netscan
   Hint: volatility -f memory.dmp --profile=Win10x64_19041 netscan
   Read the Pid and Owner columns: an ESTABLISHED connection to an external address owned by the process from step 3 is your C2 candidate.
5. Dump the suspicious process
   Hint: volatility -f memory.dmp --profile=Win10x64_19041 procdump -p [PID] -D ./dumps
   procdump (and memdump in step 7) refuse to run without a dump directory (-D / --dump-dir). procdump rebuilds the process's PE image from memory; memdump writes out every page the process can address.
6. Check for code injection with malfind
   Hint: volatility -f memory.dmp --profile=Win10x64_19041 malfind
   malfind lists private (not file-backed) memory regions that are executable, typically PAGE_EXECUTE_READWRITE, together with a hexdump and disassembly of their start. An MZ header or a function prologue in such a region is the classic injection signature. Add -D ./dumps to write the flagged regions to disk.
7. Extract strings from suspicious process
   Hint: volatility -f memory.dmp --profile=Win10x64_19041 memdump -p 3856 -D . && strings 3856.dmp
   memdump names its output <PID>.dmp inside the dump directory. Run strings -el on the same file as well: mutex names, registry paths and domains in Windows malware are often stored as UTF-16, which the default ASCII scan misses.
8. Identify the malware family
   Hint: Based on the IOCs (C2 domain, mutex, registry keys), determine the malware family name.
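The triage that steps 3 and 4 ask for, written out as an added example that is not part of the lab or of Volatility: Python that parses the text pslist and netscan print, flags processes whose parent is wrong for a Windows core binary or whose name is one character off a system binary, and attaches the connections netscan attributes to each flagged PID. The sample output, its PIDs, offsets and addresses are constructed for illustration and are not from the lab's memory.dmp; the parent-process table and the list of imitated names are assumptions a real triage would extend.

```python
"""Triage Volatility 2 pslist/netscan text for what lab steps 3 and 4 ask you to spot:
wrong parent processes, lookalike names, and the connections the flagged PIDs own.
Added example for this lab page, not part of the lab or of Volatility. The sample
output below is constructed; it is not from memory.dmp and its PIDs/addresses are made up.
"""
import re
from collections import namedtuple

Proc = namedtuple("Proc", "name pid ppid sess")
Conn = namedtuple("Conn", "proto local foreign state pid owner")

# Constructed sample in the column layout Volatility 2's pslist prints.
PSLIST_SAMPLE = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xffffe000a0b5d040 System                    4      0    120        0 ------      0 2020-06-01 08:00:02 UTC+0000
0xffffe000a1c3a080 smss.exe                340      4      2       50 ------      0 2020-06-01 08:00:05 UTC+0000
0xffffe000a2d11080 wininit.exe             500    420      1       70      0      0 2020-06-01 08:00:07 UTC+0000
0xffffe000a2e55080 services.exe            596    500      6      250      0      0 2020-06-01 08:00:08 UTC+0000
0xffffe000a2f01080 lsass.exe               604    500      8      600      0      0 2020-06-01 08:00:08 UTC+0000
0xffffe000a3012080 svchost.exe             812    596     10      400      0      0 2020-06-01 08:00:10 UTC+0000
0xffffe000a3a44080 explorer.exe           2244   2200     40     1100      1      0 2020-06-01 08:01:30 UTC+0000
0xffffe000a4b10080 svchost.exe            5120   2244      9      210      1      0 2020-06-01 09:14:03 UTC+0000
0xffffe000a4c22080 lsas.exe               6012   5120      3       90      1      0 2020-06-01 09:14:05 UTC+0000
"""

# Constructed sample in netscan's layout (203.0.113.0/24 is a documentation range, not a real C2).
NETSCAN_SAMPLE = """\
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x1e1d8b50         TCPv4    0.0.0.0:445                    0.0.0.0:0            LISTENING        4        System         2020-06-01 08:00:03 UTC+0000
0x1e2c0010         UDPv4    0.0.0.0:5353                   *:*                                   812      svchost.exe    2020-06-01 08:00:12 UTC+0000
0x1e3aa2d0         TCPv4    10.0.2.15:49711                203.0.113.42:443     ESTABLISHED      5120     svchost.exe    2020-06-01 09:14:10 UTC+0000
"""

# Parent each core Windows process must have on a healthy system (assumed table, lower-case).
EXPECTED_PARENT = {
    "smss.exe": {"system", "smss.exe"}, "wininit.exe": {"smss.exe"},
    "csrss.exe": {"smss.exe"}, "winlogon.exe": {"smss.exe"},
    "services.exe": {"wininit.exe"}, "lsass.exe": {"wininit.exe"},
    "svchost.exe": {"services.exe"},
}
# Parents that never exit, so their absence from pslist is itself a finding
# (the smss.exe instances that spawn csrss/wininit/winlogon do exit normally).
LONG_LIVED = {"system", "wininit.exe", "services.exe"}
# Names attackers imitate with a one-character change (lsas.exe, svch0st.exe).
KNOWN_SYSTEM = set(EXPECTED_PARENT) | {"system", "explorer.exe", "conhost.exe", "dwm.exe"}

PSLIST_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\d+)\s+(\d+)\s+\S+\s+\S+\s+(\S+)\s")
NETSCAN_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s+(\S+)")


def parse_pslist(text):
    """{pid: Proc}; header and separator lines do not match the regex and are skipped."""
    rows = [m.groups() for m in map(PSLIST_RE.match, text.splitlines()) if m]
    return {int(pid): Proc(name, int(pid), int(ppid), sess) for name, pid, ppid, sess in rows}


def parse_netscan(text):
    """[Conn]; UDP rows have no State column, hence the optional regex group."""
    rows = [m.groups() for m in map(NETSCAN_RE.match, text.splitlines()) if m]
    return [Conn(pr, lo, fo, st or "", int(pid), ow) for pr, lo, fo, st, pid, ow in rows]


def edit_distance(a, b):
    """Levenshtein distance, used to catch lookalike names such as lsas.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def reasons_for(proc, procs):
    """Apply the parent-process rule and the lookalike-name rule to one process."""
    name, out = proc.name.lower(), []
    expected = EXPECTED_PARENT.get(name)
    if expected:
        parent = procs.get(proc.ppid)
        if parent is None:
            if expected & LONG_LIVED:
                out.append(f"parent PID {proc.ppid} missing from pslist, expected {sorted(expected)}")
        elif parent.name.lower() not in expected:
            out.append(f"parent is {parent.name} (PID {parent.pid}), expected {sorted(expected)}")
    elif name not in KNOWN_SYSTEM:
        out.extend(f"name resembles {k} (edit distance 1)" for k in sorted(KNOWN_SYSTEM) if edit_distance(name, k) == 1)
    return out


def triage(pslist_text, netscan_text):
    """Findings as dicts sorted by PID, each with its netscan rows attached."""
    procs = parse_pslist(pslist_text)
    conns = parse_netscan(netscan_text)
    flagged = {pid: r for pid, p in procs.items() if (r := reasons_for(p, procs))}
    # Lineage pass: children of a flagged process inherit suspicion (pslist order is parent-first).
    for pid, p in procs.items():
        if p.ppid in flagged and pid != p.ppid:
            flagged.setdefault(pid, []).append(f"child of flagged PID {p.ppid} ({procs[p.ppid].name})")
    return [{"pid": pid, "name": procs[pid].name, "reasons": flagged[pid],
             "connections": [(c.proto, c.local, c.foreign, c.state) for c in conns if c.pid == pid]}
            for pid in sorted(flagged)]


if __name__ == "__main__":
    print(*triage(PSLIST_SAMPLE, NETSCAN_SAMPLE), sep="\n")
```

Run it directly to print the findings for the embedded sample; to use it on the lab image, save the output of the pslist and netscan commands from steps 2 and 4 to files and pass their contents to triage(). Because pslist only walks the active process list, run psscan as well and compare the two PID sets before trusting the result: a PID present in psscan but absent from pslist is a finding this script cannot make on its own.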
Volatility Terminal

Volatility Framework 2.6.1
Memory Forensics Workstation - Ready
Target: memory.dmp (512 MB RAM dump from compromised Windows 10 system)
Type 'help' for available commands or start with 'volatility -f memory.dmp imageinfo'

Discovered IOCs

OS Profile: Not yet identified
Suspicious Process: Not yet identified
Process ID (PID): Not yet identified
C2 Server: Not yet identified
Mutex Name: Not yet identified
Code Injection: Not yet analyzed

MALWARE IDENTIFIED

Family: TrickBot Banking Trojan
Category: Banking Trojan / Malware Loader
Capabilities:
  • Credential theft (browser, email, banking)
  • Network propagation via SMB
  • Secondary payload delivery (ransomware)
  • Screen capture and keylogging
  • Process injection and persistence
Threat Level: CRITICAL
