Introduction to Virtual Memory and Malware Analysis using Volatility

Kunal Demla
15 min read · May 6, 2023


Welcome to my first blog post, where we will analyze volatile memories for malware. This post is intended for Cyber Forensic beginners or people with a knack for learning about the same.

In this tutorial, we will use Volatility, one of the most popular memory forensics frameworks. Volatility is a powerful tool for malware analysis that enables analysts to extract valuable information from a system’s memory. Its flexibility and plugin architecture make it popular among security professionals and researchers. With it, we can recover data that only exists in RAM, such as the active processes, open network connections, recently modified files, or even the user’s browsing history.

We will execute several volatility commands for the scenario: An organization’s Computer Incident Response Team (CIRT) suspects that the computer systems in programming labs 1 and 2 have been infected by a trojan. The CIRT team captured each lab’s disk image and memory dumps. You have been given the memory dump files collected from lab 1 and lab 2 PCs to investigate the existence of malware.
I will be using Volatility 2.6.1 with Python 2.7.18 on a Remnux virtual machine for the same. I will also use the alias “vol” here, which refers to ‘python2 <path/to/vol.py>’.

Prerequisite

  • Downloading and installing Volatility.
  • The dumps we will analyze can be found here.
  • A sandbox-ed virtual machine (suggested).

The Malware Analysis

Memory dump analysis

Imageinfo is generally the first command to be executed during volatile memory analysis. It performs a series of checks to determine the format of the memory dump and the version of the operating system that was running when the dump was taken. It can identify the type of operating system, the service pack level, the architecture (32-bit or 64-bit), and the build number of the system.

$ vol -f memorydumplab1.vmem imageinfo

The -f option specifies the dump file, and the last argument is the Volatility plugin to run. You should obtain the following result:

$ vol -f memorydumplab1.vmem imageinfo
Volatility Foundation Volatility Framework 2.6.1
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
AS Layer1 : IA32PagedMemoryPae (Kernel AS)
AS Layer2 : FileAddressSpace (/home/remnux/Desktop/Assignment/Lab/memorydumplab1.vmem)
PAE type : PAE
DTB : 0x319000L
KDBG : 0x80544ce0L
Number of Processors : 1
Image Type (Service Pack) : 2
KPCR for CPU 0 : 0xffdff000L
KUSER_SHARED_DATA : 0xffdf0000L
Image date and time : 2010-08-15 18:24:00 UTC+0000
Image local date and time : 2010-08-15 14:24:00 -0400

We have now obtained the OS profile of the computer from which this memory dump was taken (WinXPSP2x86). The investigation now begins. We pass this profile to every subsequent plugin (--profile=WinXPSP2x86) and try to find out what happened to the compromised systems.

Now we will look into the running processes on the victim machine using the pslist command.

$ vol -f memorydumplab1.vmem --profile=WinXPSP2x86 pslist
Volatility Foundation Volatility Framework 2.6.1
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x810b1660 System 4 0 58 183 ------ 0
0xff2ab020 smss.exe 544 4 3 21 ------ 0 2010-08-11 06:06:21 UTC+0000
0xff1ecda0 csrss.exe 608 544 10 369 0 0 2010-08-11 06:06:23 UTC+0000
0xff1ec978 winlogon.exe 632 544 20 518 0 0 2010-08-11 06:06:23 UTC+0000
0xff247020 services.exe 676 632 16 269 0 0 2010-08-11 06:06:24 UTC+0000
0xff255020 lsass.exe 688 632 19 344 0 0 2010-08-11 06:06:24 UTC+0000
0xff218230 vmacthlp.exe 844 676 1 24 0 0 2010-08-11 06:06:24 UTC+0000
0x80ff88d8 svchost.exe 856 676 17 199 0 0 2010-08-11 06:06:24 UTC+0000
0xff217560 svchost.exe 936 676 10 272 0 0 2010-08-11 06:06:24 UTC+0000
0x80fbf910 svchost.exe 1028 676 71 1341 0 0 2010-08-11 06:06:24 UTC+0000
0xff22d558 svchost.exe 1088 676 5 80 0 0 2010-08-11 06:06:25 UTC+0000
0xff203b80 svchost.exe 1148 676 14 208 0 0 2010-08-11 06:06:26 UTC+0000
0xff1d7da0 spoolsv.exe 1432 676 13 135 0 0 2010-08-11 06:06:26 UTC+0000
0xff1b8b28 vmtoolsd.exe 1668 676 5 221 0 0 2010-08-11 06:06:35 UTC+0000
0xff1fdc88 VMUpgradeHelper 1788 676 4 100 0 0 2010-08-11 06:06:38 UTC+0000
0xff143b28 TPAutoConnSvc.e 1968 676 5 100 0 0 2010-08-11 06:06:39 UTC+0000
0xff25a7e0 alg.exe 216 676 6 105 0 0 2010-08-11 06:06:39 UTC+0000
0xff364310 wscntfy.exe 888 1028 1 27 0 0 2010-08-11 06:06:49 UTC+0000
0xff38b5f8 TPAutoConnect.e 1084 1968 1 61 0 0 2010-08-11 06:06:52 UTC+0000
0xff3865d0 explorer.exe 1724 1708 12 341 0 0 2010-08-11 06:09:29 UTC+0000
0xff3667e8 VMwareTray.exe 432 1724 1 49 0 0 2010-08-11 06:09:31 UTC+0000
0xff374980 VMwareUser.exe 452 1724 6 189 0 0 2010-08-11 06:09:32 UTC+0000
0x80f94588 wuauclt.exe 468 1028 4 134 0 0 2010-08-11 06:09:37 UTC+0000
0xff3ad1a8 IEXPLORE.EXE 2044 1724 10 366 0 0 2010-08-15 18:11:17 UTC+0000
0x80fdc368 logon.scr 124 632 1 15 0 0 2010-08-15 18:21:28 UTC+0000
0xff125020 cmd.exe 1136 1668 0 -------- 0 0 2010-08-15 18:24:00 UTC+0000 2010-08-15 18:24:00 UTC+0000

To analyze it better, we can use the pstree command.

$ vol -f memorydumplab1.vmem --profile=WinXPSP2x86 pstree
Volatility Foundation Volatility Framework 2.6.1
Name Pid PPid Thds Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
0x810b1660:System 4 0 58 183 1970-01-01 00:00:00 UTC+0000
. 0xff2ab020:smss.exe 544 4 3 21 2010-08-11 06:06:21 UTC+0000
.. 0xff1ec978:winlogon.exe 632 544 20 518 2010-08-11 06:06:23 UTC+0000
... 0xff255020:lsass.exe 688 632 19 344 2010-08-11 06:06:24 UTC+0000
... 0xff247020:services.exe 676 632 16 269 2010-08-11 06:06:24 UTC+0000
.... 0xff1b8b28:vmtoolsd.exe 1668 676 5 221 2010-08-11 06:06:35 UTC+0000
..... 0xff125020:cmd.exe 1136 1668 0 ------ 2010-08-15 18:24:00 UTC+0000
.... 0x80ff88d8:svchost.exe 856 676 17 199 2010-08-11 06:06:24 UTC+0000
.... 0xff1d7da0:spoolsv.exe 1432 676 13 135 2010-08-11 06:06:26 UTC+0000
.... 0x80fbf910:svchost.exe 1028 676 71 1341 2010-08-11 06:06:24 UTC+0000
..... 0x80f94588:wuauclt.exe 468 1028 4 134 2010-08-11 06:09:37 UTC+0000
..... 0xff364310:wscntfy.exe 888 1028 1 27 2010-08-11 06:06:49 UTC+0000
.... 0xff217560:svchost.exe 936 676 10 272 2010-08-11 06:06:24 UTC+0000
.... 0xff143b28:TPAutoConnSvc.e 1968 676 5 100 2010-08-11 06:06:39 UTC+0000
..... 0xff38b5f8:TPAutoConnect.e 1084 1968 1 61 2010-08-11 06:06:52 UTC+0000
.... 0xff22d558:svchost.exe 1088 676 5 80 2010-08-11 06:06:25 UTC+0000
.... 0xff218230:vmacthlp.exe 844 676 1 24 2010-08-11 06:06:24 UTC+0000
.... 0xff25a7e0:alg.exe 216 676 6 105 2010-08-11 06:06:39 UTC+0000
.... 0xff203b80:svchost.exe 1148 676 14 208 2010-08-11 06:06:26 UTC+0000
.... 0xff1fdc88:VMUpgradeHelper 1788 676 4 100 2010-08-11 06:06:38 UTC+0000
... 0x80fdc368:logon.scr 124 632 1 15 2010-08-15 18:21:28 UTC+0000
.. 0xff1ecda0:csrss.exe 608 544 10 369 2010-08-11 06:06:23 UTC+0000
0xff3865d0:explorer.exe 1724 1708 12 341 2010-08-11 06:09:29 UTC+0000
. 0xff3667e8:VMwareTray.exe 432 1724 1 49 2010-08-11 06:09:31 UTC+0000
. 0xff374980:VMwareUser.exe 452 1724 6 189 2010-08-11 06:09:32 UTC+0000
. 0xff3ad1a8:IEXPLORE.EXE 2044 1724 10 366 2010-08-15 18:11:17 UTC+0000

Although IEXPLORE.EXE (PID 2044 in lab 1, PID 1884 in lab 2) running under explorer.exe appears odd, it is difficult to establish at first glance whether the system is engaged in suspicious activity.
The psxview plugin cross-references several independent ways of enumerating processes (the active process list, pool-tag scanning, thread and handle tables, and so on), so a process that has been unlinked from one of them still shows up in the others.

$ vol -f memorydumplab1.vmem --profile=WinXPSP2x86 psxview
Volatility Foundation Volatility Framework 2.6.1
Offset(P) Name PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
---------- -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
0x06499b80 svchost.exe 1148 True True True True True True True
0x04b5a980 VMwareUser.exe 452 True True True True True True True
0x010f7588 wuauclt.exe 468 True True True True True True True
0x0211ab28 TPAutoConnSvc.e 1968 True True True True True True True
0x04c2b310 wscntfy.exe 888 True True True True True True True
0x061ef558 svchost.exe 1088 True True True True True True True
0x06015020 services.exe 676 True True True True True True True
0x0485d1a8 IEXPLORE.EXE 2044 True True True True True True True
0x06384230 vmacthlp.exe 844 True True True True True True True
0x0655fc88 VMUpgradeHelper 1788 True True True True True True True
0x06945da0 spoolsv.exe 1432 True True True True True True True
0x05f027e0 alg.exe 216 True True True True True True True
0x05f47020 lsass.exe 688 True True True True True True True
0x04a065d0 explorer.exe 1724 True True True True True True True
0x066f0978 winlogon.exe 632 True True True True True True True
0x0115b8d8 svchost.exe 856 True True True True True True True
0x063c5560 svchost.exe 936 True True True True True True True
0x01122910 svchost.exe 1028 True True True True True True True
0x0113f368 logon.scr 124 True True True True True True True
0x069d5b28 vmtoolsd.exe 1668 True True True True True True True
0x04be97e8 VMwareTray.exe 432 True True True True True True True
0x049c15f8 TPAutoConnect.e 1084 True True True True True True True
0x02e47020 cmd.exe 1136 True True False True False False False 2010-08-15 18:24:00 UTC+0000
0x066f0da0 csrss.exe 608 True True True True False True True
0x05471020 smss.exe 544 True True True True False False False
0x01214660 System 4 True True True True False False False
0x066f1c08 logonui.exe 1168 False True False False False False False 2010-08-11 06:09:35 UTC+0000

It was noticed that both systems had processes running that did not show up in previous commands, namely logonui.exe and wuauclt.exe.
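Reading these tables by eye works for one dump, but the same checks are easy to script. The following is an added example (not code from the original post or from the Volatility project) that parses the text output of pslist and psxview shown above and applies three routine triage checks: parents that are missing from the list, processes that have already exited, and processes that psscan found in physical memory but that are absent from the linked list pslist walks. The sample tables embedded in the script are constructed subsets of the output above; the column layout assumed is the Volatility 2 default.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: a subset of the pslist rows shown above, pasted as text.
PSLIST_SAMPLE = """\
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x810b1660 System 4 0 58 183 ------ 0
0xff2ab020 smss.exe 544 4 3 21 ------ 0 2010-08-11 06:06:21 UTC+0000
0xff1ecda0 csrss.exe 608 544 10 369 0 0 2010-08-11 06:06:23 UTC+0000
0xff1ec978 winlogon.exe 632 544 20 518 0 0 2010-08-11 06:06:23 UTC+0000
0xff247020 services.exe 676 632 16 269 0 0 2010-08-11 06:06:24 UTC+0000
0xff1b8b28 vmtoolsd.exe 1668 676 5 221 0 0 2010-08-11 06:06:35 UTC+0000
0xff3865d0 explorer.exe 1724 1708 12 341 0 0 2010-08-11 06:09:29 UTC+0000
0xff3ad1a8 IEXPLORE.EXE 2044 1724 10 366 0 0 2010-08-15 18:11:17 UTC+0000
0xff125020 cmd.exe 1136 1668 0 -------- 0 0 2010-08-15 18:24:00 UTC+0000 2010-08-15 18:24:00 UTC+0000
"""

# Constructed sample: a subset of the psxview rows shown above.
PSXVIEW_SAMPLE = """\
Offset(P) Name PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
0x06499b80 svchost.exe 1148 True True True True True True True
0x0485d1a8 IEXPLORE.EXE 2044 True True True True True True True
0x02e47020 cmd.exe 1136 True True False True False False False 2010-08-15 18:24:00 UTC+0000
0x066f0da0 csrss.exe 608 True True True True False True True
0x05471020 smss.exe 544 True True True True False False False
0x01214660 System 4 True True True True False False False
0x066f1c08 logonui.exe 1168 False True False False False False False 2010-08-11 06:09:35 UTC+0000
"""
PSXVIEW_COLS = ["pslist", "psscan", "thrdproc", "pspcid", "csrss", "session", "deskthrd"]


@dataclass
class Proc:
    name: str
    pid: int
    ppid: int
    threads: int
    start: str
    exit: str


def parse_pslist(text: str) -> Dict[int, Proc]:
    """Parse Volatility 2 pslist output into a PID -> Proc map."""
    procs: Dict[int, Proc] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or not parts[0].startswith("0x"):
            continue  # header, separator rule or blank line
        name, pid, ppid, thds = parts[1], int(parts[2]), int(parts[3]), int(parts[4])
        stamps = parts[8:]  # each timestamp is three tokens: date, time, zone
        procs[pid] = Proc(name, pid, ppid, thds, " ".join(stamps[0:3]), " ".join(stamps[3:6]))
    return procs


def orphaned_parents(procs: Dict[int, Proc]) -> Dict[int, int]:
    """PID -> PPID for processes whose parent is not in the list.
    Normal for explorer.exe on XP (userinit.exe exits), worth a look elsewhere."""
    return {p.pid: p.ppid for p in procs.values() if p.ppid != 0 and p.ppid not in procs}


def exited_pids(procs: Dict[int, Proc]) -> List[int]:
    """Processes with an exit time or zero threads: terminated but not yet reaped."""
    return sorted(p.pid for p in procs.values() if p.exit or p.threads == 0)


def psxview_discrepancies(text: str) -> List[Tuple[int, str, str]]:
    """Processes psscan found in physical memory that pslist does not list.
    An ExitTime explains the absence (object not freed yet); without one the
    process may have been deliberately unlinked. System, smss.exe and csrss.exe
    legitimately lack csrss/session/deskthrd entries, so those columns are not used."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 10 or not parts[0].startswith("0x"):
            continue
        name, pid = parts[1], int(parts[2])
        flags = dict(zip(PSXVIEW_COLS, (p == "True" for p in parts[3:10])))
        exit_time = " ".join(parts[10:13])
        if flags["psscan"] and not flags["pslist"]:
            findings.append((pid, name, "terminated" if exit_time else "possibly-hidden"))
    return findings


if __name__ == "__main__":
    procs = parse_pslist(PSLIST_SAMPLE)
    print("orphaned parents:", orphaned_parents(procs))
    print("exited:", exited_pids(procs))
    print("psxview discrepancies:", psxview_discrepancies(PSXVIEW_SAMPLE))
```

On the sample data the script reports explorer.exe (PID 1724) as having a parent (1708) that no longer exists, cmd.exe (1136) as exited, and logonui.exe (1168) as absent from pslist but with an exit time, which is the expected signature of a terminated process rather than a hidden one. The interesting case is a row with pslist False and no ExitTime.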

Checking the active sockets and open connections on the computer is a wise move after viewing the running processes. We’ll use a few different plugins to accomplish this.
First, we have connscan. It scans physical memory for TCP connection objects on the victim machine, which also turns up connections that had already been closed when the dump was taken.

$ vol -f memorydumplab1.vmem --profile=WinXPSP2x86 connscan
Volatility Foundation Volatility Framework 2.6.1
Offset(P) Local Address Remote Address Pid
---------- ------------------------- ------------------------- ---
0x00eda590 172.16.176.143:1058 65.54.81.209:80 2044
0x01079e70 172.16.176.143:1082 209.234.234.16:80 2044
0x0107c888 172.16.176.143:1059 4.23.40.126:80 2044
0x0108fcd8 172.16.176.143:1072 65.55.15.124:80 2044
0x010fa448 172.16.176.143:1065 65.55.253.21:80 2044
0x02214988 172.16.176.143:1092 65.54.81.14:80 2044
0x026c68a8 172.16.176.143:1074 65.55.15.243:80 2044
0x02ae4bb0 172.16.176.143:1073 65.55.15.123:80 2044
0x048b25f0 172.16.176.143:1085 65.55.149.119:80 2044
0x04a045f8 172.16.176.143:1057 65.54.81.49:80 2044
0x04a04e70 172.16.176.143:1095 69.43.160.145:80 2044
0x04a4a4a0 172.16.176.143:1084 12.120.180.24:80 2044
0x04be2558 172.16.176.143:1079 65.54.81.22:80 2044
0x05536e70 172.16.176.143:1090 65.54.81.14:80 2044
0x05802340 172.16.176.143:1062 65.55.18.18:80 2044
0x05c9e200 172.16.176.143:1067 65.54.81.14:80 2044
0x05deea30 172.16.176.143:1068 65.54.81.14:80 2044
0x06015ab0 172.16.176.143:1053 207.46.170.10:80 2044
0x0605f208 172.16.176.143:1086 202.89.231.60:80 2044
0x06125538 172.16.176.143:1083 65.54.81.79:80 2044
0x0623a438 172.16.176.143:1066 96.6.41.210:80 2044
0x06450720 172.16.176.143:1077 65.55.149.121:80 2044
0x064509f0 172.16.176.143:1063 64.4.18.73:80 2044
0x06497a68 172.16.176.143:1075 65.55.15.124:80 2044
0x067bd218 172.16.176.143:1070 65.54.81.209:80 2044
0x07c17be0 172.16.176.143:1060 65.55.239.161:80 2044

It is noticeable that IEXPLORE.EXE has many connections to remote hosts on port 80 (HTTP). Since that is a browser’s intended functionality, more conclusive evidence is needed.
Next, we have sockets. It walks the network stack of the target system in memory and reports the listening sockets together with the owning process, protocol, and bound address.

$ vol -f memorydumplab1.vmem --profile=WinXPSP2x86 sockets
Volatility Foundation Volatility Framework 2.6.1
Offset(V) PID Port Proto Protocol Address Create Time
---------- -------- ------ ------ --------------- --------------- -----------
0x80fd1008 4 0 47 GRE 0.0.0.0 2010-08-11 06:08:00 UTC+0000
0xff158c00 2044 1052 17 UDP 127.0.0.1 2010-08-15 18:11:19 UTC+0000
0xff258008 688 500 17 UDP 0.0.0.0 2010-08-11 06:06:35 UTC+0000
0xff2984a0 1088 1078 17 UDP 0.0.0.0 2010-08-15 18:11:23 UTC+0000
0xff367008 4 445 6 TCP 0.0.0.0 2010-08-11 06:06:17 UTC+0000
0x80ffc128 936 135 6 TCP 0.0.0.0 2010-08-11 06:06:24 UTC+0000
0xff225b70 688 0 255 Reserved 0.0.0.0 2010-08-11 06:06:35 UTC+0000
0xff254008 1028 123 17 UDP 127.0.0.1 2010-08-15 18:24:00 UTC+0000
0x80fce930 1088 1025 17 UDP 0.0.0.0 2010-08-11 06:06:38 UTC+0000
0xff127d28 216 1026 6 TCP 127.0.0.1 2010-08-11 06:06:39 UTC+0000
0xff3a97a0 1088 1061 17 UDP 0.0.0.0 2010-08-15 18:11:21 UTC+0000
0xff12b580 1148 1900 17 UDP 127.0.0.1 2010-08-15 18:24:00 UTC+0000
0xff1b8250 688 4500 17 UDP 0.0.0.0 2010-08-11 06:06:35 UTC+0000
0xff382e98 4 1033 6 TCP 0.0.0.0 2010-08-11 06:08:00 UTC+0000
0x80fbdc40 4 445 17 UDP 0.0.0.0 2010-08-11 06:06:17 UTC+0000

We observe that IEXPLORE.EXE (PID 2044) still holds one open UDP socket on the loopback address that is not used by any of the connections above, alongside sockets owned by other processes.
Finally, netscan searches a Vista (or later) image for connections and sockets; it cannot be used in our scenario because the image is Windows XP.
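A long connscan table is easier to judge once it is aggregated per process and per remote host: how many connections each PID has, which remote ports it uses, which destinations are outside the local network, and which hosts are contacted repeatedly. The script below is an added example, not code from the original post or from Volatility; it parses the connscan text format shown above. The embedded rows are a constructed subset of that output plus one extra, constructed row to a private RFC 1918 address (not present in the real output) so that the internal/external split is visible.

```python
import ipaddress
from collections import Counter, defaultdict
from typing import Dict, List

# Constructed sample: eight rows from the connscan output above, plus one
# constructed row (PID 4 -> 172.16.176.1:445) that is not in the original dump.
CONNSCAN_SAMPLE = """\
Offset(P) Local Address Remote Address Pid
---------- ------------------------- ------------------------- ---
0x00eda590 172.16.176.143:1058 65.54.81.209:80 2044
0x01079e70 172.16.176.143:1082 209.234.234.16:80 2044
0x02214988 172.16.176.143:1092 65.54.81.14:80 2044
0x05536e70 172.16.176.143:1090 65.54.81.14:80 2044
0x05c9e200 172.16.176.143:1067 65.54.81.14:80 2044
0x05deea30 172.16.176.143:1068 65.54.81.14:80 2044
0x04a04e70 172.16.176.143:1095 69.43.160.145:80 2044
0x067bd218 172.16.176.143:1070 65.54.81.209:80 2044
0x0badc0de 172.16.176.143:1100 172.16.176.1:445 4
"""


def parse_connscan(text: str) -> List[dict]:
    """Parse Volatility 2 connscan rows: offset, local ip:port, remote ip:port, pid."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].startswith("0x"):
            continue  # header or separator rule
        lhost, lport = parts[1].rsplit(":", 1)
        rhost, rport = parts[2].rsplit(":", 1)
        conns.append({"local": lhost, "lport": int(lport),
                      "remote": rhost, "rport": int(rport), "pid": int(parts[3])})
    return conns


def summarize_by_pid(conns: List[dict]) -> Dict[int, dict]:
    """Per-PID connection count, remote ports, and remote hosts split by
    whether the address is globally routable (is_global) or internal."""
    summary: Dict[int, dict] = defaultdict(lambda: {
        "count": 0, "remote_ports": set(), "external_hosts": set(), "internal_hosts": set()})
    for c in conns:
        s = summary[c["pid"]]
        s["count"] += 1
        s["remote_ports"].add(c["rport"])
        bucket = "external_hosts" if ipaddress.ip_address(c["remote"]).is_global else "internal_hosts"
        s[bucket].add(c["remote"])
    return dict(summary)


def repeated_remote_hosts(conns: List[dict], min_count: int = 2) -> Dict[str, int]:
    """Remote hosts contacted at least min_count times. Repeated short-lived
    connections from successive ephemeral ports to one host are what periodic
    check-ins look like in a connscan table; they also match ordinary HTTP
    keep-alive churn, so this is a lead, not a verdict."""
    counts = Counter(c["remote"] for c in conns)
    return {host: n for host, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    conns = parse_connscan(CONNSCAN_SAMPLE)
    for pid, s in sorted(summarize_by_pid(conns).items()):
        print(pid, s["count"], sorted(s["remote_ports"]), sorted(s["external_hosts"]), sorted(s["internal_hosts"]))
    print("repeated hosts:", repeated_remote_hosts(conns))
```

On the sample, PID 2044 has eight connections, all to port 80, spread over four external hosts, and 65.54.81.14 was contacted four times from four different local ports. Hosts that stand out here are the ones to resolve, check against threat-intelligence feeds, and compare with the strings recovered from the process memory later in this post.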

We will now look for commands recently executed on the victim machine using a few different plugins.
First, we have cmdscan. It scans memory for _COMMAND_HISTORY structures to recover the command-shell history of every console process and returns the executed commands along with the corresponding process ID and name.

$ vol -f memorydumplab1.vmem --profile=WinXPSP2x86 cmdscan
Volatility Foundation Volatility Framework 2.6.1
**************************************************
CommandProcess: csrss.exe Pid: 608
CommandHistory: 0xf786f8 Application: TPAutoConnect.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x448

Next, we use consoles. It scans the memory dump for _CONSOLE_INFORMATION structures to identify the command-shell consoles that were active on the system when the dump was taken.

$ vol -f memorydumplab1.vmem --profile=WinXPSP2x86 consoles
Volatility Foundation Volatility Framework 2.6.1
**************************************************
ConsoleProcess: csrss.exe Pid: 608
Console: 0x4e23b0 CommandHistorySize: 50
HistoryBufferCount: 1 HistoryBufferMax: 4
OriginalTitle: C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe
Title: C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe
AttachedProcess: TPAutoConnect.e Pid: 1084 Handle: 0x448
----
CommandHistory: 0xf786f8 Application: TPAutoConnect.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x448
----
Screen 0x4e2ab0 X:80 Y:25
Dump:
TPAutoConnect User Agent, Copyright (c) 1999-2009 ThinPrint AG, 7.17.512.1
**************************************************
ConsoleProcess: csrss.exe Pid: 608
Console: 0xf78958 CommandHistorySize: 50
HistoryBufferCount: 2 HistoryBufferMax: 4
OriginalTitle: ??ystemRoot%\system32\cmd.exe
Title:

None of these provide us with anything of evidential use.
Finally, we use the cmdline plugin. It scans the memory dump to identify running processes and retrieves the command-line arguments used to start those processes.

$ vol -f memorydumplab1.vmem --profile=WinXPSP2x86 cmdline
Volatility Foundation Volatility Framework 2.6.1
************************************************************************
System pid: 4
************************************************************************
smss.exe pid: 544
Command line : \SystemRoot\System32\smss.exe
************************************************************************
csrss.exe pid: 608
Command line : C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
************************************************************************
winlogon.exe pid: 632
Command line : winlogon.exe
************************************************************************
services.exe pid: 676
Command line : C:\WINDOWS\system32\services.exe
************************************************************************
lsass.exe pid: 688
Command line :
************************************************************************
vmacthlp.exe pid: 844
Command line : "C:\Program Files\VMware\VMware Tools\vmacthlp.exe"
************************************************************************
svchost.exe pid: 856
Command line : C:\WINDOWS\system32\svchost -k DcomLaunch
************************************************************************
svchost.exe pid: 936
Command line : C:\WINDOWS\system32\svchost -k rpcss
************************************************************************
svchost.exe pid: 1028
Command line : C:\WINDOWS\System32\svchost.exe -k netsvcs
************************************************************************
svchost.exe pid: 1088
Command line : C:\WINDOWS\system32\svchost.exe -k NetworkService
************************************************************************
svchost.exe pid: 1148
Command line : C:\WINDOWS\system32\svchost.exe -k LocalService
************************************************************************
spoolsv.exe pid: 1432
Command line : C:\WINDOWS\system32\spoolsv.exe
************************************************************************
vmtoolsd.exe pid: 1668
Command line : "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"
************************************************************************
VMUpgradeHelper pid: 1788
Command line : "C:\Program Files\VMware\VMware Tools\VMUpgradeHelper.exe" /service
************************************************************************
TPAutoConnSvc.e pid: 1968
Command line : "C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe"
************************************************************************
alg.exe pid: 216
Command line : C:\WINDOWS\System32\alg.exe
************************************************************************
wscntfy.exe pid: 888
Command line : C:\WINDOWS\system32\wscntfy.exe
************************************************************************
TPAutoConnect.e pid: 1084
Command line : TPAutoConnect.exe -q -i vmware -a COM1 -F 30
************************************************************************
explorer.exe pid: 1724
Command line : C:\WINDOWS\Explorer.EXE
************************************************************************
VMwareTray.exe pid: 432
Command line : "C:\Program Files\VMware\VMware Tools\VMwareTray.exe"
************************************************************************
VMwareUser.exe pid: 452
Command line : "C:\Program Files\VMware\VMware Tools\VMwareUser.exe"
************************************************************************
wuauclt.exe pid: 468
Command line : "C:\WINDOWS\system32\wuauclt.exe"
************************************************************************
IEXPLORE.EXE pid: 2044
Command line : "C:\Program Files\Internet Explorer\iexplore.exe"
************************************************************************
logon.scr pid: 124
Command line : C:\WINDOWS\System32\logon.scr /s
************************************************************************
cmd.exe pid: 1136

We now know the complete path to all currently executing processes, particularly IEXPLORE.EXE.
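Knowing the full path of every process is only useful if it is compared against where each Windows binary is supposed to live. The script below is an added example (not from the original post or from Volatility) that parses the cmdline output format shown above and checks the directory of each image against a small baseline of Windows XP system processes. The baseline, the mapping of \SystemRoot to C:\WINDOWS (taken from the SystemRoot value in the envars output later in this post), and the sample text are all assumptions of this example; the sample is a constructed subset of the output above plus one constructed svchost.exe entry (PID 9999) that is not in the real dump, added to show what a mislocated binary looks like.

```python
import ntpath
import re
from typing import List, Tuple

# Constructed sample: a subset of the cmdline output above, plus a constructed
# "svchost.exe pid: 9999" entry (not in the real dump) running from C:\WINDOWS.
CMDLINE_SAMPLE = r"""
************************************************************************
System pid: 4
************************************************************************
smss.exe pid: 544
Command line : \SystemRoot\System32\smss.exe
************************************************************************
csrss.exe pid: 608
Command line : C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On
************************************************************************
winlogon.exe pid: 632
Command line : winlogon.exe
************************************************************************
lsass.exe pid: 688
Command line :
************************************************************************
svchost.exe pid: 856
Command line : C:\WINDOWS\system32\svchost -k DcomLaunch
************************************************************************
explorer.exe pid: 1724
Command line : C:\WINDOWS\Explorer.EXE
************************************************************************
wuauclt.exe pid: 468
Command line : "C:\WINDOWS\system32\wuauclt.exe"
************************************************************************
IEXPLORE.EXE pid: 2044
Command line : "C:\Program Files\Internet Explorer\iexplore.exe"
************************************************************************
svchost.exe pid: 9999
Command line : C:\WINDOWS\svchost.exe -k netsvcs
"""

SYS32 = "c:\\windows\\system32"
# Assumed baseline: expected image directories for XP system processes.
BASELINE = {
    "smss.exe": {SYS32}, "csrss.exe": {SYS32}, "winlogon.exe": {SYS32},
    "services.exe": {SYS32}, "lsass.exe": {SYS32}, "svchost.exe": {SYS32},
    "spoolsv.exe": {SYS32}, "alg.exe": {SYS32}, "wuauclt.exe": {SYS32},
    "explorer.exe": {"c:\\windows"},
    "iexplore.exe": {"c:\\program files\\internet explorer"},
}
HEADER_RE = re.compile(r"^(\S+) pid:\s*(\d+)\s*$")
CMD_RE = re.compile(r"^Command line\s*:\s*(.*)$")


def parse_cmdline(text: str) -> List[Tuple[str, int, str]]:
    """Return (name, pid, command line) triples; command line may be empty."""
    procs: List[Tuple[str, int, str]] = []
    name, pid, cmd = None, 0, ""
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            if name is not None:
                procs.append((name, pid, cmd))
            name, pid, cmd = m.group(1), int(m.group(2)), ""
            continue
        m = CMD_RE.match(line)
        if m and name is not None:
            cmd = m.group(1).strip()
    if name is not None:
        procs.append((name, pid, cmd))
    return procs


def image_dir(cmd: str) -> str:
    """Directory of the image in a command line, lower-cased; '' if no directory.
    \SystemRoot is mapped to C:\WINDOWS (value of SystemRoot in this dump's envars)."""
    exe = cmd[1:cmd.find('"', 1)] if cmd.startswith('"') else cmd.split()[0]
    d = ntpath.dirname(exe).lower()
    if d.startswith("\\systemroot"):
        d = "c:\\windows" + d[len("\\systemroot"):]
    return d


def check_image_paths(text: str) -> List[Tuple[str, int, str]]:
    """Verdict per process: ok, unexpected-directory, relative-path (the stored
    command line has no directory, as this dump shows for winlogon.exe, so confirm
    the path with dlllist), no-command-line, or not-in-baseline."""
    results = []
    for name, pid, cmd in parse_cmdline(text):
        key = name.lower()
        if key not in BASELINE:
            verdict = "not-in-baseline"
        elif not cmd:
            verdict = "no-command-line"
        else:
            d = image_dir(cmd)
            verdict = "relative-path" if d == "" else ("ok" if d in BASELINE[key] else "unexpected-directory")
        results.append((name, pid, verdict))
    return results


if __name__ == "__main__":
    for name, pid, verdict in check_image_paths(CMDLINE_SAMPLE):
        if verdict != "ok":
            print(f"{name} (pid {pid}): {verdict}")
```

Only the rows that are not "ok" need a human: on the sample these are winlogon.exe (no directory stored), lsass.exe (no command line recovered), and the constructed svchost.exe in C:\WINDOWS, which is the classic look-alike placement and would be the first thing to dump with procdump.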

Without jumping to conclusions too early, let's see whether Volatility can help find the malicious process by using the malfind plugin. It scans each process’s memory regions for pages that are both executable and writable and are not backed by a file on disk, which is the typical footprint of injected code and therefore a strong indicator of malware in the system.

$ vol -f memorydumplab1.vmem --profile=WinXPSP2x86 malfind | grep -Fi "process"
Volatility Foundation Volatility Framework 2.6.1
Process: csrss.exe Pid: 608 Address: 0x7f6f0000
Process: winlogon.exe Pid: 632 Address: 0x2c930000
Process: winlogon.exe Pid: 632 Address: 0x37ec0000
Process: winlogon.exe Pid: 632 Address: 0x33470000
Process: winlogon.exe Pid: 632 Address: 0x71ee0000
Process: winlogon.exe Pid: 632 Address: 0x78850000
Process: winlogon.exe Pid: 632 Address: 0x793e0000
Process: explorer.exe Pid: 1724 Address: 0x1b20000
Process: IEXPLORE.EXE Pid: 2044 Address: 0x7ff80000

$ vol -f memorydumplab2.vmem --profile=WinXPSP2x86 malfind | grep -Fi "process"
Volatility Foundation Volatility Framework 2.6.1
Process: csrss.exe Pid: 608 Address: 0x7f6f0000
Process: winlogon.exe Pid: 632 Address: 0x2c930000
Process: winlogon.exe Pid: 632 Address: 0x37ec0000
Process: winlogon.exe Pid: 632 Address: 0x33470000
Process: winlogon.exe Pid: 632 Address: 0x71ee0000
Process: winlogon.exe Pid: 632 Address: 0x78850000
Process: winlogon.exe Pid: 632 Address: 0x793e0000
Process: IEXPLORE.EXE Pid: 1884 Address: 0x10c0000
Process: IEXPLORE.EXE Pid: 1884 Address: 0xf50000
Process: IEXPLORE.EXE Pid: 1884 Address: 0xe60000
...

This gives us a clear hint about the malicious files on each system. Note that the csrss.exe and winlogon.exe regions appear at identical addresses in both dumps, which is what a benign baseline looks like; the hits that differ between the two machines (explorer.exe in lab 1 and IEXPLORE.EXE in both) are the ones worth pursuing.
Now that we have clear information about which processes are suspicious, we can begin analyzing them individually.
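Because malfind reports regions that legitimate components also create, comparing two dumps of the same build is a cheap way to separate the baseline from the outliers. The script below is an added example (not from the original post or from Volatility) that parses the filtered "Process: … Pid: … Address: …" lines shown above for both labs, keys each hit by process name and address rather than by PID (PIDs differ between the two machines), and reports what is common and what is unique to each dump. The two sample blocks are constructed from the output above.

```python
import re
from collections import Counter
from typing import Dict, Set, Tuple

# Constructed samples: the grep-filtered malfind lines shown above for each lab.
MALFIND_LAB1 = """\
Process: csrss.exe Pid: 608 Address: 0x7f6f0000
Process: winlogon.exe Pid: 632 Address: 0x2c930000
Process: winlogon.exe Pid: 632 Address: 0x37ec0000
Process: winlogon.exe Pid: 632 Address: 0x33470000
Process: winlogon.exe Pid: 632 Address: 0x71ee0000
Process: winlogon.exe Pid: 632 Address: 0x78850000
Process: winlogon.exe Pid: 632 Address: 0x793e0000
Process: explorer.exe Pid: 1724 Address: 0x1b20000
Process: IEXPLORE.EXE Pid: 2044 Address: 0x7ff80000
"""
MALFIND_LAB2 = """\
Process: csrss.exe Pid: 608 Address: 0x7f6f0000
Process: winlogon.exe Pid: 632 Address: 0x2c930000
Process: winlogon.exe Pid: 632 Address: 0x37ec0000
Process: winlogon.exe Pid: 632 Address: 0x33470000
Process: winlogon.exe Pid: 632 Address: 0x71ee0000
Process: winlogon.exe Pid: 632 Address: 0x78850000
Process: winlogon.exe Pid: 632 Address: 0x793e0000
Process: IEXPLORE.EXE Pid: 1884 Address: 0x10c0000
Process: IEXPLORE.EXE Pid: 1884 Address: 0xf50000
Process: IEXPLORE.EXE Pid: 1884 Address: 0xe60000
"""

HIT_RE = re.compile(r"^Process:\s+(\S+)\s+Pid:\s+(\d+)\s+Address:\s+(0x[0-9a-fA-F]+)")
Hit = Tuple[str, int]  # (process name, lower-cased; region base address)


def parse_malfind_hits(text: str) -> Set[Hit]:
    """Collect (name, address) pairs; PIDs are dropped so dumps from
    different machines can be compared."""
    hits: Set[Hit] = set()
    for line in text.splitlines():
        m = HIT_RE.match(line)
        if m:
            hits.add((m.group(1).lower(), int(m.group(3), 16)))
    return hits


def compare_dumps(text_a: str, text_b: str) -> Dict[str, Set[Hit]]:
    """Split hits into those shared by both dumps (likely baseline) and
    those unique to each (the ones to examine first)."""
    a, b = parse_malfind_hits(text_a), parse_malfind_hits(text_b)
    return {"common": a & b, "only_a": a - b, "only_b": b - a}


def hits_by_process(hits: Set[Hit]) -> Counter:
    """How many suspicious regions each process name contributes."""
    return Counter(name for name, _ in hits)


if __name__ == "__main__":
    result = compare_dumps(MALFIND_LAB1, MALFIND_LAB2)
    for label in ("common", "only_a", "only_b"):
        print(label, dict(hits_by_process(result[label])))
```

On the sample, all seven csrss.exe/winlogon.exe regions fall into the common set, while lab 1 contributes explorer.exe and IEXPLORE.EXE regions and lab 2 three IEXPLORE.EXE regions that nothing else shares. A region common to two dumps is not proof of innocence (the same implant could be on both machines at the same address), so the common set still deserves a glance, but the unique set is where to start.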

We’ll start by analyzing the environment variables and the loaded DLLs of the suspicious process using the envars and dlllist plugins, respectively, restricting each to one process with -p <PID>.

$ vol -f memorydumplab1.vmem --profile=WinXPSP2x86 -p 2044 dlllist
Volatility Foundation Volatility Framework 2.6.1
************************************************************************
IEXPLORE.EXE pid: 2044
Command line : "C:\Program Files\Internet Explorer\iexplore.exe"
Service Pack 2

Base Size LoadCount LoadTime Path
---------- ---------- ---------- ------------------------------ ----
0x00400000 0x19000 0xffff C:\Program Files\Internet Explorer\iexplore.exe
0x7c900000 0xb0000 0xffff C:\WINDOWS\system32\ntdll.dll
0x7c800000 0xf4000 0xffff C:\WINDOWS\system32\kernel32.dll
0x77c10000 0x58000 0xffff C:\WINDOWS\system32\msvcrt.dll
0x77d40000 0x90000 0xffff C:\WINDOWS\system32\USER32.dll
0x77f10000 0x46000 0xffff C:\WINDOWS\system32\GDI32.dll
0x77f60000 0x76000 0xffff C:\WINDOWS\system32\SHLWAPI.dll
0x77dd0000 0x9b000 0xffff C:\WINDOWS\system32\ADVAPI32.dll
0x77e70000 0x91000 0xffff C:\WINDOWS\system32\RPCRT4.dll
0x77760000 0x16e000 0xffff C:\WINDOWS\system32\SHDOCVW.dll
0x77a80000 0x94000 0xffff C:\WINDOWS\system32\CRYPT32.dll
0x77b20000 0x12000 0xffff C:\WINDOWS\system32\MSASN1.dll
0x754d0000 0x80000 0xffff C:\WINDOWS\system32\CRYPTUI.dll
0x76c30000 0x2e000 0xffff C:\WINDOWS\system32\WINTRUST.dll
0x76c90000 0x28000 0xffff C:\WINDOWS\system32\IMAGEHLP.dll
0x77120000 0x8c000 0xffff C:\WINDOWS\system32\OLEAUT32.dll
0x774e0000 0x13c000 0xffff C:\WINDOWS\system32\ole32.dll
0x5b860000 0x54000 0xffff C:\WINDOWS\system32\NETAPI32.dll
0x771b0000 0xa6000 0xffff C:\WINDOWS\system32\WININET.dll
0x76f60000 0x2c000 0xffff C:\WINDOWS\system32\WLDAP32.dll
0x77c00000 0x8000 0xffff C:\WINDOWS\system32\VERSION.dll
...

$ vol -f memorydumplab1.vmem --profile=WinXPSP2x86 -p 2044 envars
Volatility Foundation Volatility Framework 2.6.1
Pid Process Block Variable Value
-------- -------------------- ---------- ------------------------------ -----
2044 IEXPLORE.EXE 0x00010000 ALLUSERSPROFILE C:\Documents and Settings\All Users
2044 IEXPLORE.EXE 0x00010000 APPDATA C:\Documents and Settings\Administrator\Application Data
2044 IEXPLORE.EXE 0x00010000 CLIENTNAME Console
2044 IEXPLORE.EXE 0x00010000 CommonProgramFiles C:\Program Files\Common Files
2044 IEXPLORE.EXE 0x00010000 COMPUTERNAME BILLY-DB5B96DD3
2044 IEXPLORE.EXE 0x00010000 ComSpec C:\WINDOWS\system32\cmd.exe
2044 IEXPLORE.EXE 0x00010000 FP_NO_HOST_CHECK NO
2044 IEXPLORE.EXE 0x00010000 GIEVMXDVLMISML EWONSYG
2044 IEXPLORE.EXE 0x00010000 HOMEDRIVE C:
2044 IEXPLORE.EXE 0x00010000 HOMEPATH \Documents and Settings\Administrator
2044 IEXPLORE.EXE 0x00010000 LOGONSERVER \\BILLY-DB5B96DD3
2044 IEXPLORE.EXE 0x00010000 NUMBER_OF_PROCESSORS 1
2044 IEXPLORE.EXE 0x00010000 OS Windows_NT
2044 IEXPLORE.EXE 0x00010000 Path C:\Program Files\Internet Explorer;;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
2044 IEXPLORE.EXE 0x00010000 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
2044 IEXPLORE.EXE 0x00010000 PROCESSOR_ARCHITECTURE x86
2044 IEXPLORE.EXE 0x00010000 PROCESSOR_IDENTIFIER x86 Family 6 Model 23 Stepping 10, GenuineIntel
2044 IEXPLORE.EXE 0x00010000 PROCESSOR_LEVEL 6
2044 IEXPLORE.EXE 0x00010000 PROCESSOR_REVISION 170a
2044 IEXPLORE.EXE 0x00010000 ProgramFiles C:\Program Files
2044 IEXPLORE.EXE 0x00010000 SESSIONNAME Console
2044 IEXPLORE.EXE 0x00010000 SystemDrive C:
2044 IEXPLORE.EXE 0x00010000 SystemRoot C:\WINDOWS
2044 IEXPLORE.EXE 0x00010000 TEMP C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
2044 IEXPLORE.EXE 0x00010000 TMP C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
2044 IEXPLORE.EXE 0x00010000 USERDOMAIN BILLY-DB5B96DD3
2044 IEXPLORE.EXE 0x00010000 USERNAME Administrator
2044 IEXPLORE.EXE 0x00010000 USERPROFILE C:\Documents and Settings\Administrator
2044 IEXPLORE.EXE 0x00010000 windir C:\WINDOWS

We can notice the weird GIEVMXDVLMISML = EWONSYG environment variable in the process. All the DLLs and environment variables for the suspicious processes can be checked, but it is time-consuming to do manually; hence, we’ll move on to the next part, malware analysis.

Let’s analyze the relevant executable using procdump and memdump plugins to get the process’s executable and memory dump, respectively.

$ vol -f memorydumplab1.vmem --profile=WinXPSP2x86 -p 2044 procdump --dump-dir ./proc1/
Volatility Foundation Volatility Framework 2.6.1
Process(V) ImageBase Name Result
---------- ---------- -------------------- ------
0xff3ad1a8 0x00400000 IEXPLORE.EXE OK: executable.2044.exe

$ vol -f memorydumplab1.vmem --profile=WinXPSP2x86 -p 2044 memdump --dump-dir ./proc1/
Volatility Foundation Volatility Framework 2.6.1
************************************************************************
Writing IEXPLORE.EXE [ 2044] to 2044.dmp

“executable.2044.exe” is a reconstruction of the executable “IEXPLORE.EXE”, and “2044.dmp”, the recovered dump, represents the process’s addressable memory.

PE analysis

We’ll start by simply running the strings command over these files. Since it dumps a great deal of text, finding the useful parts by hand is time-consuming, so we filter the output with grep and show some context around each match.

$ strings ./proc1/2044.dmp | grep -Fi "antrexhost" -C 5
NTLM Security Package
Schannel
Schannel Security Package
WDigest
Digest Authentication for Windows
antrexhost.com
Digest
Digest SSPI Authentication Package
MSN Security Package
w@`$
ock.dll
--
293922AD530048AD91A5293EBD1E735D
TUID=1
: col.stb.s-msn.com
Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
(0=w
antrexhost.com
p, deflate
LSDNAf
(0=w
ANwd@Ow
ection: Keep-Alive
--

By being patient enough and reading the extracted dump using the strings command, we can notice multiple occurrences of “antrexhost.com”, which seems suspicious.

Next, we check the executables for malware. This can be done in two ways:

  • Static analysis: reverse engineering the executable to understand the malware's functioning and code without running it.
  • Dynamic analysis: running the sample in a sandbox or an online service to observe its behavior and identify malicious activity.

Since dynamic analysis requires a lot of time and setup, we’ll move on to basic static analysis. First, we’ll check using VirusTotal, a web-based platform that allows users to submit files and URLs for scanning by multiple antivirus engines and other security tools.

VirusTotal for explorer.exe from lab1
VirusTotal for explorer.exe from lab2

As expected, VirusTotal flags explorer.exe, IEXPLORE.EXE, wuauclt.exe, and others as Trojans.

This clearly indicates that the systems were infected by generic trojan malware of the Swort family. We can also infer that the TCP connections on port 80 with antrexhost.com via HTTP POST are likely waiting for commands from a remote operator, similar to this backdoor trojan.

Further, we can use Yara rules on the dumped processes and memories.

$ yara ./rules/malware_index.yar -r ./proc1
Insta11Strings ./proc1/2044.dmp
Insta11 ./proc1/2044.dmp
SharedStrings ./proc1/2044.dmp
Datper ./proc1/2044.dmp
...

This shows that the dumped files match multiple YARA malware rules.
Further, we can continue the malware analysis using PEStudio. The dumped files are copied to a Windows 11 FlareVM via Google Drive, where PEStudio also lists the executables of processes 216, 468, and 1724 as infected.

PEStudio analysis for PID-1724

The findings from PEStudio support our previous arguments about Trojan malware infecting the systems.

Conclusions

The victim lab machines are infected with backdoor trojan malware capable of injecting itself into other programs such as explorer.exe and iexplore.exe.
In brief, the CIRT team should:

  • Isolate the affected systems.
  • Contain the infection.
  • Determine the scope of the infection.
  • Investigate the cause of the infection.
  • Remediate the vulnerabilities.

I hope you enjoyed reading it. The field of cybersecurity offers a lot of opportunities for learning and enjoyment, and I look forward to writing more about it. If you have any recommendations, do let me know. Till then, happy learning!
