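# Volatility 2 wrappers used throughout these notes.
# Functions instead of aliases: bash does not expand aliases in a
# non-interactive shell (only with `shopt -s expand_aliases`), so the
# alias form silently breaks as soon as the notes are replayed as a script.
# $image and $profile are read at call time -- the same late binding the
# single-quoted aliases had -- so they can be reassigned per image below.
brew install volatility
vol() { vol.py "$@"; }
voli() { vol -f "$image" "$@"; }              # bind the current memory image
volp() { voli --profile="$profile" "$@"; }    # ...and the current OS profile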
# --- image01: Windows XP SP3 x86 ---
image=image01.vmem
profile=WinXPSP3x86
voli imageinfo      # confirm the profile guess before trusting any volp output
volp pstree
volp malfind
# Loaded-module list consistency (InLoad/InInit/InMem) for the PIDs under
# suspicion; findings are in the notes directly below.
for pid in 1928 868 668; do
  volp ldrmodules -p "$pid"
done
a --> viele lsass.exe
- boottime ca 2010-10 einige lsass im 2011-11
- verschiedene parents
--> einige memory images mit MZ
--> ldrmodules
- main image zombified
- einige dlls corrupted
1928, 868
-> main image zombified -> dlls corrupted
668
-> eine dll corrupted
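# Carve the regions malfind flagged in image01 to disk and inspect them passively.
# The notes identify the dumped code as Stuxnet: treat dump/ as live malware,
# examine it only with hexdump/file/hashing, never execute it, and keep the
# directory out of any path that gets synced or indexed.
dump_dir=dump
mkdir -p -- "$dump_dir"      # -p: re-running the notebook must not fail on an existing dir
volp malfind -D "$dump_dir"
# NOTE(review): the very same file name appears again for dump3 and dump7 below,
# which looks like a copy-paste of this run; confirm against the actual malfind output.
sample="$dump_dir/process.0x81c47c00.0x1000000.dmp"
hexdump -C "$sample"
file "$sample"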
upload of upload.dmp to VirusTotal --> Stuxnet
# JSON exports of the Services registry key and the scanned service records.
# The transcript further down feeds both files to missingservices.py, which
# presumably cross-references them (result there: MRxCls, MRxNet <-- Stuxnet).
volp printkey --key 'ControlSet001\Services' --output json --output-file reg02.json
volp svcscan --output json --output-file svcscan02.json
---
~/school/Forensics/Bangeter/Exercises
λ python missingservices.py --svc=../images/svcscan02.json --reg=../images/reg02.json
u'MRxCls', u'MRxNet', <-- stuxnet
Tasks:
- find processes that are using networking / crypto
How to:
# --- image02: Windows 7 SP1 x86 ---
# Task: find processes that use networking / crypto.
image=image02.vmss
voli imageinfo
profile=Win7SP1x86
volp psscan
volp dlllist >dll.txt    # grep this for WS2_32.dll, WININET.dll and CRYPT32.dll
--> search dll.txt for WS2_32.dll, WININET.dll and CRYPT32.dll
# Sockets and connections; the suspicious entries (a listener on 16471 owned by
# services.exe, plus a loopback pair with no owning process) are noted below.
volp netscan
maybe weird:
0xbf882b80 TCPv4 0.0.0.0:16471 0.0.0.0:0 LISTENING 544 services.exe
0xbdb68008 TCPv4 127.0.0.1:49223 127.0.0.1:49224 ESTABLISHED -1
0xbdb79838 TCPv4 127.0.0.1:49224 127.0.0.1:49223 ESTABLISHED -1
0xbf882b80 TCPv4 0.0.0.0:16471 0.0.0.0:0 LISTENING 544 services.exe
port 16471 --> zeroaccess
# --- image03: Windows XP SP3 x86 ---
image=image03.bin
profile=WinXPSP3x86
voli imageinfo
volp pstree
volp malfind    # hit: chrome.exe PID 2820, RWX private VAD starting with an MZ header (output below)
Process: chrome.exe Pid: 2820 Address: 0x130000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 39, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x00130000 4d 5a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 MZ..............
0x00130010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x00130020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x00130030 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 ................
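# Dump the malfind regions of image03 (identified below as Zbot/Zeus) and
# fingerprint everything that was written. Passive tools only.
dump_dir=dump3
mkdir -p -- "$dump_dir"      # -p so a rerun does not stop on the existing directory
volp malfind -D "$dump_dir"
# NOTE(review): this file name is identical to the image01 dump; it is probably
# a copy-paste and should be replaced with the name malfind produced here.
sample="$dump_dir/process.0x81c47c00.0x1000000.dmp"
hexdump -C "$sample"
file "$sample"
# SHA-256 instead of shasum's default SHA-1: the digest can then be looked up
# directly in sample databases, which key on SHA-256. -exec ... + replaces the
# find|xargs pipe and needs no NUL handling.
find . -type f -exec shasum -a 256 -- {} +
find . -type f -exec file -- {} +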
Alle files gleiche hashes
hooks auf getclipboarddata
false positive hooks
53 hooks per process die auf invalid regions zeigen
ldrmodules
upload dmp to VirusTotal --> Zbot (Zeus)
# Autorun persistence: the Run key of the software hive (path found is noted below).
volp printkey --key 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
persistence --> C:\Documents and Settings\Administrator\Application Data\Akryiv\seogb.exe
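# --- image07: Windows 7 SP1 x86 ---
image=image07.dmp
profile=Win7SP1x86
voli imageinfo
volp getsids                      # was `voli --profile $profile getsids`: unquoted expansion, volp does the same safely
volp pslist | grep -F -- ' 1 '    # fixed-string filter; matches any column holding a lone "1" -- confirm which one is meant
dump_dir=dump7
mkdir -p -- "$dump_dir"           # the original never created dump7; Volatility 2 refuses a non-existent --dump-dir
volp malfind -D "$dump_dir"
# NOTE(review): same file name as the image01 dump, probably copied; verify against this run's output.
sample="$dump_dir/process.0x81c47c00.0x1000000.dmp"
hexdump -C "$sample"
file "$sample"
find . -type f -exec file -- {} +
# JSON exports correlated by apihooks_malfind.py (hooks vs. malfind hits vs. VADs).
# NOTE(review): the exports land in the current directory while the script reads
# them from ../images/, i.e. the two steps run from different directories (see the
# Exercises/ transcript above) -- run the python step from there or adjust the paths.
volp malfind --output json --output-file malfind07.json
volp apihooks --output json --output-file hooks07.json
volp vadinfo --output json --output-file vadinfo07.json
python apihooks_malfind.py --hooks=../images/hooks07.json --malfind=../images/malfind07.json --vad=../images/vadinfo07.json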
image 07
upload to VirusTotal --> no result
analyzing strings --> recdataoneveter.cc https://www.threatcrowd.org/domain.php?domain=recdataoneveter.cc
google search --> tinyba
# Autorun persistence check for image07 (the bin.exe entry found is noted below).
volp printkey --key 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
persistence --> C:\Users\mubo\AppData\Roaming\46794E7B\bin.exe
## image 08
# --- image08: Windows XP SP3 x86 ---
image=image08.vmem
voli imageinfo
profile=WinXPSP3x86
volp psxview --apply-rules          # long form of -R: suppress known-benign cross-view mismatches
volp dlllist --pid 1336
volp psscan
# dlllist by EPROCESS offset rather than PID -- presumably a process that psscan
# found but that is not reachable through the PID (the notes below suspect unlinking).
volp dlllist --offset 0x000000000113f648
Vermutungen
- ev schreibt er in den csrss.exe process?
- er löscht sich aus der PDB
upload of exe --> Heur.ty? Prolaco
fsecure infos: https://www.f-secure.com/v-descs/trojan-downloader_w32_heurfu_gen.shtml
# --- image100: Windows 7 SP1 x86 ---
image=image100.raw
profile=Win7SP1x86
voli imageinfo
volp pslist     # notepader.exe (PID 3092) stands out in the listing below
0x8446a7a0 notepader.exe 3092 1152 6 169 1 0 2015-08-24 16:13:40 UTC+0000
# Three-list module check for every process. In the output below the main
# executables of notepader.exe and DumpIt.exe show True/False/True, which is
# the usual pattern for a process image (it is normally not in the InInit list),
# whereas dllhost.exe 3744 reports False/False/False for all of its modules.
volp ldrmodules
...
3092 notepader.exe 0x00400000 True False True \Users\mubo\Documents\reports\notepader.exe
3092 notepader.exe 0x77390000 True True True \Windows\System32\ntdll.dll
3092 notepader.exe 0x77190000 True True True \Windows\System32\kernel32.dll
...
3712 DumpIt.exe 0x75990000 True True True \Windows\System32\msvcrt.dll
3712 DumpIt.exe 0x00d00000 True False True \Users\mubo\Desktop\DumpIt.exe
3712 DumpIt.exe 0x75960000 True True True \Windows\System32\imm32.dll
3712 DumpIt.exe 0x77520000 True True True \Windows\System32\advapi32.dll
3712 DumpIt.exe 0x76c50000 True True True \Windows\System32\gdi32.dll
3712 DumpIt.exe 0x77190000 True True True \Windows\System32\kernel32.dll
3712 DumpIt.exe 0x756a0000 True True True \Windows\System32\KernelBase.dll
3712 DumpIt.exe 0x76ab0000 True True True \Windows\System32\sechost.dll
3712 DumpIt.exe 0x758c0000 True True True \Windows\System32\usp10.dll
3712 DumpIt.exe 0x770c0000 True True True \Windows\System32\user32.dll
3712 DumpIt.exe 0x76ad0000 True True True \Windows\System32\msctf.dll
3712 DumpIt.exe 0x76cf0000 True True True \Windows\System32\shlwapi.dll
3712 DumpIt.exe 0x76aa0000 True True True \Windows\System32\lpk.dll
3712 DumpIt.exe 0x76ba0000 True True True \Windows\System32\rpcrt4.dll
3712 DumpIt.exe 0x77390000 True True True \Windows\System32\ntdll.dll
...
3744 dllhost.exe 0x75990000 False False False \Windows\System32\msvcrt.dll
3744 dllhost.exe 0x00190000 False False False \Windows\System32\dllhost.exe
3744 dllhost.exe 0x75960000 False False False \Windows\System32\imm32.dll
3744 dllhost.exe 0x752f0000 False False False \Windows\System32\cryptbase.dll
3744 dllhost.exe 0x70a60000 False False False \Windows\System32\thumbcache.dll
3744 dllhost.exe 0x766f0000 False False False \Windows\System32\ole32.dll
3744 dllhost.exe 0x76c50000 False False False \Windows\System32\gdi32.dll
3744 dllhost.exe 0x75390000 False False False \Windows\System32\RpcRtRemote.dll
3744 dllhost.exe 0x76cf0000 False False False \Windows\System32\shlwapi.dll
3744 dllhost.exe 0x75aa0000 False False False \Windows\System32\shell32.dll
3744 dllhost.exe 0x74bb0000 False False False \Windows\System32\rsaenh.dll
3744 dllhost.exe 0x758c0000 False False False \Windows\System32\usp10.dll
3744 dllhost.exe 0x770c0000 False False False \Windows\System32\user32.dll
3744 dllhost.exe 0x77190000 False False False \Windows\System32\kernel32.dll
3744 dllhost.exe 0x77390000 False False False \Windows\System32\ntdll.dll
3744 dllhost.exe 0x77030000 False False False \Windows\System32\clbcatq.dll
3744 dllhost.exe 0x756a0000 False False False \Windows\System32\KernelBase.dll
# Cross-view process listing. Below: dllhost.exe 3744 is missing from pspcid and
# deskthrd only, and conhost.exe 3496 appears twice and only in psscan
# (presumably exited/reused slots -- check ExitTime).
volp psxview
Offset(P) Name PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
...
0x3d8c1b40 dllhost.exe 3744 True True True False True True False
...
0x3d6c9a10 conhost.exe 3496 False True False False False False False
0x3d73ba10 conhost.exe 3496 False True False False False False False
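# Extract the modules of notepader.exe (PID 3092). The dump directory must
# exist before dlldump runs; the original line did not create it.
mkdir -p -- dlldump100
volp dlldump --pid 3092 --dump-dir dlldump100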
maybe cryptor? https://www.mailguard.com.au/blog/zero-day-malware-variant-cryptor-embedded-in-chm-documents/
# --- image101: Windows XP SP3 x86 ---
image=image101.vmem
voli imageinfo
profile=WinXPSP3x86
volp psxview --apply-rules    # -R; logonui.exe 1652 and two nameless entries survive the rules (output below)
...
0x08f51880 logonui.exe 1652 False True True False False False False
0x0990d980 17 False False True False False False False
0x09c6bc08 3 False False True False False False False
# Module list check. For PID 3684 (unlinker-local.exe) below, ntdll.dll is in all
# three lists but kernel32.dll is in none -- consistent with a module that was
# unlinked from the PEB lists, as the process name itself suggests.
volp ldrmodules
...
3684 unlinker-local. 0x00400000 True False True \Documents and Settings\Administrator\temp\unlinker-local\Release\unlinker-local.exe
3684 unlinker-local. 0x7c900000 True True True \WINDOWS\system32\ntdll.dll
3684 unlinker-local. 0x7c800000 False False False \WINDOWS\system32\kernel32.dll
...
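# Extract the modules of unlinker-local.exe (PID 3684); the 0x400000 module is
# identified below as Win32/Zbot. Create the dump directory first -- the
# original line assumed it already existed.
mkdir -p -- dlldump101
volp dlldump --pid 3684 --dump-dir dlldump101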
upload module...400000.dll --> Win32/Zbot
registry keys:
dll
"SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Windows"
autorun
"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
services
"SYSTEM\ControlSet001\services"