Computer Forensics Project Report

This report details a forensic investigation of the Coreflood Trojan using the Volatility Framework, structured in three phases: memory acquisition, code injection analysis, and persistence mechanism identification. The findings confirm the presence of sophisticated spyware with capabilities for code injection, data exfiltration, and remote command execution, alongside multiple persistence strategies. Recommendations include immediate removal of malicious components and implementation of stricter detection and prevention measures.

Comprehensive Memory Forensics Report: Analysis of Coreflood Trojan using
Volatility

Project Title
Memory Analysis and Behavioral Investigation of Coreflood Trojan Using
Volatility Framework

Course Details
Course Name: Computer Forensics
Instructor Name: Dr Sana Qadir

Prepared By
Muhammad Ahmed Zafar
Muhammad Talha Habib
Momin Rauf

(SEECS)
National University of Science and Technology
Executive Summary
This report presents a complete forensic investigation of a malware intrusion
involving the Coreflood Trojan, performed through in-depth memory analysis using
the Volatility Framework. The investigation was conducted in three structured
phases:

• Phase 1: Initial memory acquisition and process enumeration to identify
  anomalies.
• Phase 2: Deep dive into process handles and code injection indicators.
• Phase 3: Identification of persistence mechanisms and discovery of injected
  malicious DLLs.

The forensic examination reveals a sophisticated spyware implant with capabilities
for code injection, data exfiltration, browser targeting, and remote
command-and-control operations. Multiple persistence mechanisms were identified,
including RunOnce and possible abuse of AppInit_DLLs.

Contents
Comprehensive Memory Forensics Report: Analysis of Coreflood Trojan using Volatility
  Project Title
  Course Details
  Prepared By
  (SEECS) National University of Science and Technology
Executive Summary
1. Introduction
2. Objectives
3. Tools Used
4. Methodology
5. Phase-Wise Analysis
  Phase 1: Memory Acquisition and Preliminary Analysis
  Phase 2: Code Injection Discovery and Behavioral Analysis
  Phase 3: Persistence Mechanisms and Malicious Module Extraction
6. Indicators of Compromise (IOCs)
7. Summary of Findings
8. Conclusion
9. Recommendations
10. References
1. Introduction
The Coreflood Trojan is a well-known malware strain classified under spyware and
remote access tools (RATs). It has been known to exfiltrate data, hijack browser
sessions, and enable remote shell operations by injecting malicious code into
legitimate processes. This report aims to detect, extract, and analyze the presence
and activity of Coreflood within a Windows memory image.

2. Objectives
• To identify anomalies and malicious behavior in the memory dump.
• To analyze code injection vectors used by the Coreflood Trojan.
• To detect persistence mechanisms used to survive reboots.
• To extract and examine injected malicious DLLs.
• To propose mitigation strategies based on forensic findings.

3. Tools Used

Tool/Framework        Purpose
Volatility Framework  Memory forensic analysis (malfind, pslist, handles)
strings.exe           Extract readable ASCII/Unicode strings from binaries
pestudio              Static malware analysis of PE files
UPX (detected)        Known packer used to obfuscate executables
Windows Sysinternals  Utilities for memory and system analysis

4. Methodology
The investigation was carried out in the following structured stages:

1. Memory Dump Acquisition
   o Acquired the physical memory dump of the infected Windows machine.
2. Volatility-Based Analysis
   o Used the pslist, malfind, handles, vaddump, dlllist, filescan, and dumpfiles
     commands for analysis.
3. Behavioral and Static Analysis
   o Extracted injected memory regions and DLLs and analyzed them using
     strings.exe and pestudio.
4. Reporting and Correlation
   o Correlated memory artifacts, malicious strings, persistence indicators,
     and anomalies into actionable findings.

5. Phase-Wise Analysis
Phase 1: Memory Acquisition and Preliminary Analysis
• Process Enumeration: Using pslist and psscan, an instance of iexplore.exe was
  discovered running with unusual attributes and memory usage.
• DLL Listing: dlllist revealed several modules attached to iexplore.exe, some
  with abnormal load addresses.
• Code Injection Suspicion: malfind reported an injected region with
  PAGE_EXECUTE_READWRITE permissions, a protection commonly associated with
  injected code.
• IAT Discovery: The Import Address Table (IAT) of the suspected module
  revealed API calls typical of malware (e.g., LoadLibrary, GetProcAddress,
  CreateProcess).
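The following Python script is an added example, not part of the original report or of the Volatility project. It applies the Phase 1 criteria automatically to malfind text output: RWX protection marks a region as suspicious, the presence of an MZ header separates a mapped PE image from raw shellcode, and an all-zero head is recorded as empty (the paged-out case met later in explorer.exe). SAMPLE_MALFIND is constructed in the layout of Volatility 2's malfind plugin; its process names, PIDs, addresses and bytes are made up and are not findings from the investigated image.

```python
"""Parse Volatility 2 malfind-style output and classify each flagged region.

Added example, not code from the report. SAMPLE_MALFIND is constructed sample
text in the layout of malfind's output, not output from the investigated image.
"""
import re
from dataclasses import dataclass
from typing import List

SAMPLE_MALFIND = """\
Process: iexplore.exe Pid: 1204 Address: 0x3f0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 2, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x003f0000  55 8b ec 83 ec 20 53 56 57 e8 00 00 00 00 5b 81   U....S.VW.....[.
0x003f0010  eb 05 10 00 00 8d 83 00 20 00 00 50 ff 93 10 20   ........ ..P....

Process: explorer.exe Pid: 1576 Address: 0x1460000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x01460000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x01460010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................

Process: svchost.exe Pid: 880 Address: 0x2a0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 5, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x002a0000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............
0x002a0010  b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00   ........@.......
"""

HEADER_RE = re.compile(r"^Process: (\S+) Pid: (\d+) Address: (0x[0-9a-fA-F]+)")
PROTECTION_RE = re.compile(r"Protection: (PAGE_\w+)")
HEX_BYTE_RE = re.compile(r"^[0-9a-fA-F]{2}$")


@dataclass
class Region:
    process: str
    pid: int
    address: int
    protection: str = ""
    head: bytes = b""  # leading bytes of the region, taken from the hexdump


def parse_malfind(text: str) -> List[Region]:
    """Walk the output block by block; each block starts with a 'Process:' line."""
    regions: List[Region] = []
    head = bytearray()
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            if regions:
                regions[-1].head = bytes(head)
            regions.append(Region(m.group(1), int(m.group(2)), int(m.group(3), 16)))
            head = bytearray()
        elif not regions:
            continue                      # text before the first block
        elif line.startswith("Vad Tag"):
            pm = PROTECTION_RE.search(line)
            regions[-1].protection = pm.group(1) if pm else ""
        elif line.startswith("0x"):
            # tokens 1..16 are the hex bytes; the ASCII column follows them
            for tok in line.split()[1:17]:
                if not HEX_BYTE_RE.match(tok):
                    break
                head.append(int(tok, 16))
    if regions:
        regions[-1].head = bytes(head)
    return regions


def classify_region(r: Region) -> str:
    """Apply the report's criteria to one region."""
    if r.protection != "PAGE_EXECUTE_READWRITE":
        return "not-rwx"            # flagged for another reason; lower priority
    if not r.head.strip(b"\x00"):
        return "rwx-empty"          # zeroed or paged out (the explorer.exe case)
    if r.head[:2] == b"MZ":
        return "rwx-pe-image"       # a whole PE image mapped into RWX memory
    return "rwx-shellcode"          # executable bytes with no PE header


def triage(text: str) -> List[str]:
    """One summary line per region: 'process:pid@address label'."""
    return [f"{r.process}:{r.pid}@{r.address:#x} {classify_region(r)}"
            for r in parse_malfind(text)]


if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_MALFIND)))
```

Only the first two hexdump lines of each block are needed for the MZ and all-zero checks, which is why the parser keeps just the bytes malfind prints rather than re-reading the image; a full dump of the region (vaddump, as in Phase 2) is still required before string analysis.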

Phase 2: Code Injection Discovery and Behavioral Analysis
• Memory Dumping: Used vaddump to extract the injected region for offline
  analysis.
• String Analysis: Running strings on the memory region revealed:
  o References to multiple web browsers (iexplore, firefox, chrome).
  o Regex patterns targeting URLs of popular login sites.
  o Possible output formatting strings suggesting remote command
    execution.
• Secondary Injection Check: Scanned explorer.exe using malfind. While an
  EXECUTE_READWRITE segment was found, it lacked substantive content,
  possibly paged out or decoy code.
• Evidence of C2 Communication: String output suggested command
  responses, indicating presence of a C2 server interacting with the host.
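As an added example (not the report's own tooling), the script below reimplements the strings step and sorts the results into the indicator classes described above: browser names, URL-matching regexes, format strings wrapped around command output, injection-related APIs, and the RunOnce key noted in Phase 3. SAMPLE_DUMP is a constructed byte string standing in for a vaddump output file, and the regular expressions in CATEGORIES are assumptions about what such strings look like, not signatures taken from the report.

```python
"""Extract and triage strings from a dumped memory region (strings.exe-style).

Added example, not code from the report. SAMPLE_DUMP is constructed; the
CATEGORIES patterns are assumptions modelled on the string classes in the text.
"""
import re
from collections import defaultdict
from typing import Dict, List

FILLER = b"\x00\x90\x8b\xff" * 16   # non-printable bytes standing in for code

# Constructed sample: ASCII strings, one UTF-16LE string, filler in between.
SAMPLE_DUMP = (
    FILLER
    + b"iexplore.exe\x00firefox.exe\x00chrome.exe\x00"
    + FILLER
    + b"https?://[^/]+\\.example\\.com/(login|signin)\x00"
    + FILLER
    + "[%s] exec: %s".encode("utf-16le") + b"\x00\x00"
    + FILLER
    + b"GetProcAddress\x00LoadLibraryA\x00"
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\x00"
    + FILLER
)

CATEGORIES = {
    "browser": re.compile(r"\b(iexplore|firefox|chrome)(\.exe)?\b", re.I),
    # a URL carrying regex metacharacters is a matching pattern, not a plain link
    "url-regex": re.compile(r"https?\??://.*[\[\(\|\\]"),
    # printf-style format strings around command output
    "shell-output": re.compile(r"%[sd].*\b(exec|cmd|output)\b", re.I),
    "api": re.compile(r"^(LoadLibrary[AW]?|GetProcAddress|CreateProcess[AW]?|WriteProcessMemory)$"),
    "persistence": re.compile(r"\\CurrentVersion\\Run(Once)?\b|AppInit_DLLs", re.I),
}


def extract_strings(blob: bytes, min_len: int = 6) -> List[str]:
    """Printable ASCII runs, then UTF-16LE runs, each at least min_len characters
    (the two encodings strings.exe reports by default)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(blob)]
    found += [m.group().decode("utf-16le") for m in utf16_re.finditer(blob)]
    return found


def triage_strings(blob: bytes) -> Dict[str, List[str]]:
    """Group extracted strings by the indicator class they match; strings that
    match nothing are dropped so only the interesting ones remain."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for s in extract_strings(blob):
        for name, pattern in CATEGORIES.items():
            if pattern.search(s):
                hits[name].append(s)
    return dict(hits)


if __name__ == "__main__":
    for category, strings in triage_strings(SAMPLE_DUMP).items():
        print(category, strings)
```

Run against a real vaddump file, replace SAMPLE_DUMP with the file's bytes; the category lists are what an analyst would paste into the Phase 2 findings, and anything in "url-regex" deserves a second look because legitimate browser code rarely stores URL patterns with alternations and character classes.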

Phase 3: Persistence Mechanisms and Malicious Module Extraction
• Registry Persistence Clues:
  o RunOnce registry key usage detected via strings.
  o Potential use of rundll32 to execute malicious DLLs on startup.
  o Hints of the AppInit_DLLs mechanism in strings, though not confirmable via
    memory.
• Suspicious DLL Discovery:
  o Located a module named comsbap.dIl (notice the capital “I” instead of
    lowercase “L”) using filescan.
  o No legitimate comsbap.dll found in system32; confirmed anomaly.
• DLL Extraction: Dumped the DLL using dumpfiles.
• Static Analysis (pestudio):
  o DLL was packed using UPX, a common malware obfuscation technique.
  o Abnormal section headers and hidden imports.
  o No legitimate signatures or version information.
• Behavioral Conclusion: DLL likely contains encrypted payload, C2 routines,
  or browser credential harvesting logic.
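The comsbap.dIl finding depends on noticing a capital I where an l belongs. The added example below (not from the report) automates that check across filescan output: it folds visually confusable characters, flags extensions that merely mimic .dll, and compares each System32 module against a known-good baseline so that both "no such legitimate file" (the report's case) and "lookalike of a real file" are reported. SAMPLE_FILESCAN and BASELINE_SYSTEM32 are constructed stand-ins; a real baseline would come from a clean reference image of the same Windows build.

```python
"""Flag lookalike and out-of-baseline module names in filescan output.

Added example, not code from the report. SAMPLE_FILESCAN is constructed in the
layout of Volatility 2 filescan rows; BASELINE_SYSTEM32 is a constructed
stand-in for a known-good System32 listing.
"""
import os
from typing import Dict, List, Set

# Characters commonly swapped for visually similar ones ('dIl' for 'dll')
CONFUSABLE = str.maketrans({"I": "l", "1": "l", "|": "l", "O": "o", "0": "o"})
PE_EXTENSIONS = {".dll", ".exe", ".sys", ".ocx", ".drv", ".cpl"}

BASELINE_SYSTEM32: Set[str] = {
    "kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll", "shell32.dll",
}

# Constructed rows: Offset(P)  #Ptr  #Hnd  Access  Name
SAMPLE_FILESCAN = """\
0x000000003e0a9f90      8      0 R--r-d \\Windows\\System32\\kernel32.dll
0x000000003e1b2ab0      2      1 RW-rwd \\Windows\\System32\\comsbap.dIl
0x000000003e2c0e70      1      0 R--r-d \\Windows\\System32\\kerne132.dll
0x000000003e3d1120      3      0 R--r-d \\Windows\\System32\\shell32.dll
"""


def skeleton(name: str) -> str:
    """Fold confusable characters, then lowercase: 'comsbap.dIl' -> 'comsbap.dll'."""
    return name.translate(CONFUSABLE).lower()


def check_module(path: str, baseline: Set[str] = BASELINE_SYSTEM32) -> List[str]:
    """Return the anomalies found for one module path (empty list = nothing odd)."""
    directory, _, name = path.rpartition("\\")
    findings: List[str] = []
    ext = os.path.splitext(name)[1]
    # an extension that is not a PE extension but folds to one is a disguise
    if ext.lower() not in PE_EXTENSIONS and skeleton(ext) in PE_EXTENSIONS:
        findings.append(f"extension {ext!r} mimics {skeleton(ext)!r}")
    if directory.lower().endswith("system32"):
        if name.lower() in baseline:
            return findings               # known-good module
        folded = skeleton(name)
        if folded in baseline:
            findings.append(f"impersonates baseline module {folded!r}")
        else:
            findings.append("not in System32 baseline")
    return findings


def scan_filescan(text: str) -> Dict[str, List[str]]:
    """Apply check_module to every filescan row; keep only the flagged paths."""
    flagged: Dict[str, List[str]] = {}
    for line in text.splitlines():
        parts = line.split(None, 4)       # the name may contain spaces: split at most 4 times
        if len(parts) < 5 or not parts[0].startswith("0x"):
            continue
        findings = check_module(parts[4])
        if findings:
            flagged[parts[4]] = findings
    return flagged


if __name__ == "__main__":
    for path, findings in scan_filescan(SAMPLE_FILESCAN).items():
        print(path, "->", "; ".join(findings))
```

The baseline comparison is deliberately case-insensitive on the exact name and only falls back to the folded form when the exact name is unknown, so legitimate modules whose names contain a capital I or O are not reported as confusable.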

6. Indicators of Compromise (IOCs)

IOC Type           Indicator
Malicious Process  iexplore.exe (with injected code)
Suspicious DLL     C:\Windows\System32\comsbap.dIl
Registry Key       HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
Packer Detected    UPX-packed DLL module
Memory Region      RWX section in iexplore.exe (no MZ header)
C2 Indicators      Strings showing shell output and command execution

7. Summary of Findings
• Injected Code: Confirmed presence in iexplore.exe with suspicious API usage.
• Malicious DLL: comsbap.dIl confirmed as a non-standard packed DLL potentially
  used for spyware and command execution.
• Persistence Mechanism:
  o RunOnce used to execute the DLL via rundll32.exe.
  o Possible use of AppInit_DLLs (requires further registry inspection).
• Indicators of C2: Presence of output formatting and remote command
  execution strings points toward an active control server.
• Browser Targeting: Multi-browser compatibility for surveillance and injection
  (Firefox, Chrome, IE).

8. Conclusion
The forensic evidence collected throughout the investigation confirms the presence
of an advanced spyware variant related to the Coreflood Trojan family. The
malware used code injection, packed DLLs, and registry-based persistence
mechanisms to embed itself into legitimate processes and maintain control after
reboots.

The discovery of injected memory in iexplore.exe, the presence of a disguised
malicious DLL (comsbap.dIl), and command-style string outputs strongly suggest
remote command execution and potential exfiltration capabilities.

9. Recommendations
1. Immediate Actions:
   o Remove comsbap.dIl from the system32 directory and revoke its execution
     via rundll32.exe.
   o Delete the associated RunOnce registry keys.
   o Conduct a full disk and registry scan using updated malware
     signatures.
2. Preventative Measures:
   o Implement stricter EDR (Endpoint Detection and Response) policies to
     detect RWX regions and injection patterns.
   o Disable the AppInit_DLLs infrastructure via the registry if not required.
   o Enforce code signing policies for DLLs in critical directories.
3. Forensics Recommendations:
   o Capture volatile memory periodically for high-value assets.
   o Automate detection of packed binaries using YARA rules integrated
     with Volatility.
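The static-analysis signs reported in Phase 3 (UPX section names, abnormal section headers) and the automation suggested in recommendation 3 can both be expressed as a short section-table parser. The Python below is an added example, not code from the report, pestudio, or Volatility: it reads the COFF section table of a dumped module, computes per-section entropy, and flags known packer names, empty unpack-target sections, and writable-plus-executable sections. build_pe constructs minimal PE32 images so the checks run offline; PACKED_SAMPLE and CLEAN_SAMPLE are constructed inputs, not the comsbap.dIl module, and the entropy threshold is an assumed heuristic. The section-name and flag checks are the same conditions a YARA rule run over dumpfiles output would encode.

```python
"""Heuristic packer detection from PE section headers (names, entropy, RWX).

Added example, not code from the report. build_pe and the two samples are
constructed test inputs; they are not the module from the investigation.
"""
import hashlib
import math
import struct
from typing import Dict, List, Tuple

PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".petite", ".themida"}
NORMAL_SECTION_NAMES = {".text", ".data", ".rdata", ".rsrc", ".reloc", ".idata",
                        ".edata", ".pdata", ".bss", ".tls", ".CRT"}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
HIGH_ENTROPY = 7.0   # bits per byte (assumed threshold); compressed data sits near 8


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> List[Dict]:
    """Read the COFF section table: name, sizes, flags and entropy per section."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name, vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, off)
        flags = struct.unpack_from("<I", pe, off + 36)[0]
        data = pe[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": raw_size, "flags": flags,
                         "entropy": round(shannon_entropy(data), 2)})
    return sections


def packer_indicators(sections: List[Dict]) -> List[str]:
    """Section-level signs of packing, of the kind pestudio lists."""
    hits = []
    for s in sections:
        name = s["name"]
        if name in PACKER_SECTION_NAMES:
            hits.append(f"{name}: known packer section name")
        elif name not in NORMAL_SECTION_NAMES:
            hits.append(f"{name}: unusual section name")
        if s["raw_size"] and s["entropy"] > HIGH_ENTROPY:
            hits.append(f"{name}: high entropy {s['entropy']}")
        if s["raw_size"] == 0 and s["virtual_size"] and name != ".bss":
            hits.append(f"{name}: no raw data but {s['virtual_size']:#x} bytes virtual (unpack target)")
        if s["flags"] & IMAGE_SCN_MEM_EXECUTE and s["flags"] & IMAGE_SCN_MEM_WRITE:
            hits.append(f"{name}: writable and executable")
    return hits


def is_probably_packed(pe: bytes) -> bool:
    return bool(packer_indicators(parse_sections(pe)))


def build_pe(sections: List[Tuple[str, bytes, int, int]]) -> bytes:
    """Minimal PE32 image for testing: DOS header, PE signature, COFF header,
    zeroed optional header, section table, section data at 0x200 alignment."""
    e_lfanew, opt_size, align = 0x40, 224, 0x200
    raw_ptr = -(-(e_lfanew + 4 + 20 + opt_size + 40 * len(sections)) // align) * align
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x2102)
    headers = [b"PE\0\0", coff, struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)]
    body, ptr = bytearray(), raw_ptr
    for name, data, vsize, flags in sections:
        raw_size = -(-len(data) // align) * align
        headers.append(struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), vsize,
                                   0x1000, raw_size, ptr if raw_size else 0, 0, 0, 0, 0, flags))
        body += data.ljust(raw_size, b"\0")
        ptr += raw_size
    image = dos + b"".join(headers)
    return bytes(image.ljust(raw_ptr, b"\0") + body)


def _pseudo_random(n: int, seed: bytes = b"constructed-upx1") -> bytes:
    """Deterministic high-entropy bytes standing in for a compressed payload."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


PACKED_SAMPLE = build_pe([
    ("UPX0", b"", 0x9000, 0xE0000080),                    # empty RWX unpack target
    ("UPX1", _pseudo_random(4096), 0x1000, 0xE0000040),   # compressed payload
    (".rsrc", b"\0" * 512, 0x200, 0xC0000040),
])
CLEAN_SAMPLE = build_pe([
    (".text", bytes([0x55, 0x8B, 0xEC, 0x5D, 0xC3, 0x90]) * 700, 0x1000, 0x60000020),
    (".data", b"\0" * 512, 0x200, 0xC0000040),
])
```

For a module extracted with dumpfiles, pass the file's bytes to parse_sections; a UPX-packed DLL typically shows exactly the PACKED_SAMPLE pattern, an empty UPX0 section followed by a high-entropy UPX1, both writable and executable.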

10. References
• Volatility Framework Documentation: https://volatilityfoundation.org
• Windows Sysinternals Suite: https://docs.microsoft.com/en-us/sysinternals/
• PEStudio: https://www.winitor.com
• UPX Packer: https://upx.github.io
• Microsoft Registry Persistence Techniques:
  https://learn.microsoft.com/en-us/windows/win32/sysinfo/registry
• Coreflood Technical Analysis (SANS): https://isc.sans.edu
