Solving the GrrCon Network Forensics Challenge 2012


Intro:

This challenge was made by @jackcr for GrrCon 2012.
I'm going to try and tackle this one because of its educational nature.
Before I begin, I make a copy of the memdump and do a quick hashsum to keep the chain of evidence:
20:04:13 - [neo@zion] > ~/grrcon2012 : md5sum memdump.img 
0a7030da3f5693e187222316a27e7229  memdump.img

Let's check what type of file we are dealing with here:
20:05:30 - [neo@zion] > ~/grrcon2012 : file memdump.img 
memdump.img: data

I'm wondering whether I can use Volatility straight away, or whether I need to convert the memdump format first.
20:03:57 - [neo@zion] > ~/grrcon2012 : img_stat -t -v memdump.img 
tsk_img_open: Type: 0   NumImg: 1  Img1: memdump.img
tsk_img_findFiles: memdump.img found
tsk_img_findFiles: 1 total segments found
raw_open: segment: 0  size: 536330240  max offset: 536330240  path: memdump.img
raw

Had it been some other format I'd have had to convert it, but we are good to go with raw, as Volatility can handle it.
Let's determine the OS version:
20:07:17 - [neo@zion] > ~/grrcon2012 : python /home/neo/volatility-2.6/vol.py -f /home/neo/grrcon2012/memdump.img imageinfo -v
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
                     AS Layer1 : IA32PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/home/neo/grrcon2012/memdump.img)
                      PAE type : No PAE
                           DTB : 0x39000L
                          KDBG : 0x8054cde0L
          Number of Processors : 1
     Image Type (Service Pack) : 3
                KPCR for CPU 0 : 0xffdff000L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2012-04-28 02:23:21 UTC+0000
     Image local date and time : 2012-04-27 22:23:21 -0400

I will proceed by looking at the process list to form a first impression of what is going on.
Pslist and pstree will not show unlinked or hidden processes, so I'm also using psscan.
06:53:17 - [neo@zion] > ~/grrcon2012 : python /home/neo/volatility-2.6/vol.py -f /home/neo/grrcon2012/memdump.img --profile=WinXPSP3x86 pslist -v
Volatility Foundation Volatility Framework 2.6
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit                          
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c8830 System                    4      0     51      269 ------      0                                                              
0x8211a020 smss.exe                360      4      3       19 ------      0 2012-04-28 01:56:37 UTC+0000                                 
0x82129220 csrss.exe               596    360     11      340      0      0 2012-04-28 01:56:38 UTC+0000                                 
0x82194020 winlogon.exe            624    360     17      535      0      0 2012-04-28 01:56:39 UTC+0000                                 
0x82146460 services.exe            672    624     15      238      0      0 2012-04-28 01:56:39 UTC+0000                                 
0x821497f0 lsass.exe               684    624     26      410      0      0 2012-04-28 01:56:39 UTC+0000                                 
0x821d4500 svchost.exe             852    672     22      203      0      0 2012-04-28 01:56:40 UTC+0000                                 
0x82147da0 svchost.exe             940    672      9      215      0      0 2012-04-28 01:56:41 UTC+0000                                 
0x8211a880 svchost.exe            1024    672     75     1480      0      0 2012-04-28 01:56:41 UTC+0000                                 
0x8217d020 svchost.exe            1072    672      5       82      0      0 2012-04-28 01:56:41 UTC+0000                                 
0x82124020 svchost.exe            1124    672     14      193      0      0 2012-04-28 01:56:42 UTC+0000                                 
0x822b0020 spoolsv.exe            1356    672     11      106      0      0 2012-04-28 01:56:43 UTC+0000                                 
0x8202a020 alg.exe                1880    672      5      102      0      0 2012-04-28 01:56:53 UTC+0000                                 
0x822b7a58 userinit.exe           1212    624      0 --------      0      0 2012-04-28 02:20:54 UTC+0000   2012-04-28 02:21:21 UTC+0000  
0x8214a020 explorer.exe           1096   1212     13      317      0      0 2012-04-28 02:20:54 UTC+0000                                 
0x820211d0 userinit.exe           1836    624      0 --------      0      0 2012-04-28 02:20:55 UTC+0000   2012-04-28 02:22:05 UTC+0000  
0x82222268 reader_sl.exe          2008   1096      2       27      0      0 2012-04-28 02:20:56 UTC+0000                                 
0x821f67e8 AdobeARM.exe           1796   1096     10      215      0      0 2012-04-28 02:20:56 UTC+0000                                 
0x82247da0 cmd.exe                1120   1096      1       33      0      0 2012-04-28 02:21:15 UTC+0000                                 
0x821ab3d0 mdd.exe                1396   1120      1       24      0      0 2012-04-28 02:23:20 UTC+0000
06:53:17 - [neo@zion] > ~/grrcon2012 : python /home/neo/volatility-2.6/vol.py -f /home/neo/grrcon2012/memdump.img --profile=WinXPSP3x86 pstree
Volatility Foundation Volatility Framework 2.6
Name                                                  Pid   PPid   Thds   Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
 0x823c8830:System                                      4      0     51    269 1970-01-01 00:00:00 UTC+0000
. 0x8211a020:smss.exe                                 360      4      3     19 2012-04-28 01:56:37 UTC+0000
.. 0x82194020:winlogon.exe                            624    360     17    535 2012-04-28 01:56:39 UTC+0000
... 0x82146460:services.exe                           672    624     15    238 2012-04-28 01:56:39 UTC+0000
.... 0x8211a880:svchost.exe                          1024    672     75   1480 2012-04-28 01:56:41 UTC+0000
.... 0x8217d020:svchost.exe                          1072    672      5     82 2012-04-28 01:56:41 UTC+0000
.... 0x82147da0:svchost.exe                           940    672      9    215 2012-04-28 01:56:41 UTC+0000
.... 0x8202a020:alg.exe                              1880    672      5    102 2012-04-28 01:56:53 UTC+0000
.... 0x82124020:svchost.exe                          1124    672     14    193 2012-04-28 01:56:42 UTC+0000
.... 0x822b0020:spoolsv.exe                          1356    672     11    106 2012-04-28 01:56:43 UTC+0000
.... 0x821d4500:svchost.exe                           852    672     22    203 2012-04-28 01:56:40 UTC+0000
... 0x820211d0:userinit.exe                          1836    624      0 ------ 2012-04-28 02:20:55 UTC+0000
... 0x821497f0:lsass.exe                              684    624     26    410 2012-04-28 01:56:39 UTC+0000
... 0x822b7a58:userinit.exe                          1212    624      0 ------ 2012-04-28 02:20:54 UTC+0000
.... 0x8214a020:explorer.exe                         1096   1212     13    317 2012-04-28 02:20:54 UTC+0000
..... 0x82222268:reader_sl.exe                       2008   1096      2     27 2012-04-28 02:20:56 UTC+0000
..... 0x82247da0:cmd.exe                             1120   1096      1     33 2012-04-28 02:21:15 UTC+0000
...... 0x821ab3d0:mdd.exe                            1396   1120      1     24 2012-04-28 02:23:20 UTC+0000
..... 0x821f67e8:AdobeARM.exe                        1796   1096     10    215 2012-04-28 02:20:56 UTC+0000
.. 0x82129220:csrss.exe                               596    360     11    340 2012-04-28 01:56:38 UTC+0000
6:52:22 - [neo@zion] > ~/grrcon2012 : python /home/neo/volatility-2.6/vol.py -f /home/neo/grrcon2012/memdump.img --profile=WinXPSP3x86 psscan -v
Volatility Foundation Volatility Framework 2.6
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited                   
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x0000000002013ad0 userinit.exe       1064    624 0x13794000 2012-04-28 02:21:10 UTC+0000   2012-04-28 02:21:10 UTC+0000  
0x00000000020211d0 userinit.exe       1836    624 0x07f6d000 2012-04-28 02:20:55 UTC+0000   2012-04-28 02:22:05 UTC+0000  
0x000000000202a020 alg.exe            1880    672 0x09f0c000 2012-04-28 01:56:53 UTC+0000                                 
0x000000000207b020 svchost.exe        1204    672 0x08fb6000 2012-04-20 19:02:43 UTC+0000                                 
0x000000000207f4e8 svchost.exe        1092    672 0x07f87000 2012-04-20 19:02:43 UTC+0000                                 
0x000000000211a020 smss.exe            360      4 0x06886000 2012-04-28 01:56:37 UTC+0000                                 
0x000000000211a880 svchost.exe        1024    672 0x08057000 2012-04-28 01:56:41 UTC+0000                                 
0x0000000002124020 svchost.exe        1124    672 0x09156000 2012-04-28 01:56:42 UTC+0000                                 
0x0000000002129220 csrss.exe           596    360 0x0736e000 2012-04-28 01:56:38 UTC+0000                                 
0x0000000002146460 services.exe        672    624 0x0776b000 2012-04-28 01:56:39 UTC+0000                                 
0x0000000002147da0 svchost.exe         940    672 0x07ed1000 2012-04-28 01:56:41 UTC+0000                                 
0x00000000021497f0 lsass.exe           684    624 0x077b6000 2012-04-28 01:56:39 UTC+0000                                 
0x000000000214a020 explorer.exe       1096   1212 0x008cc000 2012-04-28 02:20:54 UTC+0000                                 
0x000000000217d020 svchost.exe        1072    672 0x09087000 2012-04-28 01:56:41 UTC+0000                                 
0x0000000002194020 winlogon.exe        624    360 0x074f3000 2012-04-28 01:56:39 UTC+0000                                 
0x00000000021ab3d0 mdd.exe            1396   1120 0x14ef4000 2012-04-28 02:23:20 UTC+0000                                 
0x00000000021d4500 svchost.exe         852    672 0x07b3f000 2012-04-28 01:56:40 UTC+0000                                 
0x00000000021dbda0 net.exe            1444   1120 0x13642000 2012-04-28 02:21:40 UTC+0000   2012-04-28 02:21:41 UTC+0000  
0x00000000021f67e8 AdobeARM.exe       1796   1096 0x02922000 2012-04-28 02:20:56 UTC+0000                                 
0x0000000002222268 reader_sl.exe      2008   1096 0x0a7e5000 2012-04-28 02:20:56 UTC+0000                                 
0x0000000002247da0 cmd.exe            1120   1096 0x1525d000 2012-04-28 02:21:15 UTC+0000                                 
0x00000000022b0020 spoolsv.exe        1356    672 0x0967b000 2012-04-28 01:56:43 UTC+0000                                 
0x00000000022b7a58 userinit.exe       1212    624 0x008ad000 2012-04-28 02:20:54 UTC+0000   2012-04-28 02:21:21 UTC+0000  
0x00000000023c8830 System                4      0 0x00039000                                                              
0x0000000006289500 svchost.exe         852    672 0x07b3f000 2012-04-28 01:56:40 UTC+0000                                 
0x000000000c41d830 System                4      0 0x00039000                                                              
0x000000000d370020 svchost.exe        1204    672 0x08fb6000 2012-04-20 19:02:43 UTC+0000                                 
0x000000000d42b7e8 AdobeARM.exe       1796   1096 0x02922000 2012-04-28 02:20:56 UTC+0000                                 
0x000000001608ca58 userinit.exe       1212    624 0x008ad000 2012-04-28 02:20:54 UTC+0000   2012-04-28 02:21:21 UTC+0000  
0x00000000191ef020 smss.exe            360      4 0x06886000 2012-04-28 01:56:37 UTC+0000                                 
0x00000000191ef880 svchost.exe        1024    672 0x08057000 2012-04-28 01:56:41 UTC+0000                                 
0x0000000019889020 winlogon.exe        624    360 0x074f3000 2012-04-28 01:56:39 UTC+0000                                 
0x0000000019c90da0 net.exe            1444   1120 0x13642000 2012-04-28 02:21:40 UTC+0000   2012-04-28 02:21:41 UTC+0000  
0x0000000019cc5020 spoolsv.exe        1356    672 0x0967b000 2012-04-28 01:56:43 UTC+0000                                 
0x0000000019e32020 svchost.exe        1072    672 0x09087000 2012-04-28 01:56:41 UTC+0000                                 
0x0000000019ec8ad0 userinit.exe       1064    624 0x13794000 2012-04-28 02:21:10 UTC+0000   2012-04-28 02:21:10 UTC+0000  
0x000000001a2f44e8 svchost.exe        1092    672 0x07f87000 2012-04-20 19:02:43 UTC+0000                                 
0x000000001a59ada0 net.exe            1444   1120 0x13642000 2012-04-28 02:21:40 UTC+0000   2012-04-28 02:21:41 UTC+0000  
0x000000001a5f61d0 userinit.exe       1836    624 0x07f6d000 2012-04-28 02:20:55 UTC+0000   2012-04-28 02:22:05 UTC+0000  
0x000000001a677268 reader_sl.exe      2008   1096 0x0a7e5000 2012-04-28 02:20:56 UTC+0000                                 
0x000000001a8ecda0 net.exe            1444   1120 0x13642000 2012-04-28 02:21:40 UTC+0000   2012-04-28 02:21:41 UTC+0000  
0x000000001a932ad0 userinit.exe       1064    624 0x13794000 2012-04-28 02:21:10 UTC+0000   2012-04-28 02:21:10 UTC+0000  
0x000000001d653830 System                4      0 0x00039000                                                              
0x000000001eca17e8 AdobeARM.exe       1796   1096 0x02922000 2012-04-28 02:20:56 UTC+0000                                 
0x000000001ef06020 svchost.exe        1204    672 0x08fb6000 2012-04-20 19:02:43 UTC+0000                                 
0x000000001f05a830 System                4      0 0x00039000 
06:53:17 - [neo@zion] > ~/grrcon2012 : python /home/neo/volatility-2.6/vol.py -f /home/neo/grrcon2012/memdump.img --profile=WinXPSP3x86 psxview
Volatility Foundation Volatility Framework 2.6
Offset(P)  Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
---------- -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
0x02194020 winlogon.exe            624 True   True   True     True   True  True    True     
0x02146460 services.exe            672 True   True   True     True   True  True    True     
0x022b0020 spoolsv.exe            1356 True   True   True     True   True  True    True     
0x0214a020 explorer.exe           1096 True   True   True     True   True  True    True     
0x0217d020 svchost.exe            1072 True   True   True     True   True  True    True     
0x021f67e8 AdobeARM.exe           1796 True   True   True     True   True  True    True     
0x0211a880 svchost.exe            1024 True   True   True     True   True  True    True     
0x0202a020 alg.exe                1880 True   True   True     True   True  True    True     
0x021d4500 svchost.exe             852 True   True   True     True   True  True    True     
0x021497f0 lsass.exe               684 True   True   True     True   True  True    True     
0x02222268 reader_sl.exe          2008 True   True   True     True   True  True    True     
0x02147da0 svchost.exe             940 True   True   True     True   True  True    True     
0x02124020 svchost.exe            1124 True   True   True     True   True  True    True     
0x021ab3d0 mdd.exe                1396 True   True   True     True   True  True    True     
0x02247da0 cmd.exe                1120 True   True   True     True   True  True    True     
0x0211a020 smss.exe                360 True   True   True     True   False False   False    
0x023c8830 System                    4 True   True   True     True   False False   False    
0x020211d0 userinit.exe           1836 True   True   False    True   False False   False    2012-04-28 02:22:05 UTC+0000
0x02129220 csrss.exe               596 True   True   True     True   False True    True     
0x022b7a58 userinit.exe           1212 True   True   False    True   False False   False    2012-04-28 02:21:21 UTC+0000
0x19889020 winlogon.exe            624 False  True   False    False  False False   False    
0x1eca17e8 AdobeARM.exe           1796 False  True   False    False  False False   False    
0x1a5f61d0 userinit.exe           1836 False  True   False    False  False False   False    2012-04-28 02:22:05 UTC+0000
0x0c41d830 System                    4 False  True   False    False  False False   False    
0x0d370020 svchost.exe            1204 False  True   False    False  False False   False    
0x1608ca58 userinit.exe           1212 False  True   False    False  False False   False    2012-04-28 02:21:21 UTC+0000
0x19e32020 svchost.exe            1072 False  True   False    False  False False   False    
0x06289500 svchost.exe             852 False  True   False    False  False False   False    
0x021dbda0 net.exe                1444 False  True   False    False  False False   False    2012-04-28 02:21:41 UTC+0000
0x1a8ecda0 net.exe                1444 False  True   False    False  False False   False    2012-04-28 02:21:41 UTC+0000
0x02013ad0 userinit.exe           1064 False  True   False    False  False False   False    2012-04-28 02:21:10 UTC+0000
0x19c90da0 net.exe                1444 False  True   False    False  False False   False    2012-04-28 02:21:41 UTC+0000
0x0207b020 svchost.exe            1204 False  True   True     False  False False   False    
0x191ef880 svchost.exe            1024 False  True   False    False  False False   False    
0x19ec8ad0 userinit.exe           1064 False  True   False    False  False False   False    2012-04-28 02:21:10 UTC+0000
0x1a2f44e8 svchost.exe            1092 False  True   False    False  False False   False    
0x191ef020 smss.exe                360 False  True   False    False  False False   False    
0x1d653830 System                    4 False  True   False    False  False False   False    
0x0207f4e8 svchost.exe            1092 False  True   True     False  False False   False    
0x1a59ada0 net.exe                1444 False  True   False    False  False False   False    2012-04-28 02:21:41 UTC+0000
0x1a677268 reader_sl.exe          2008 False  True   False    False  False False   False    
0x1f05a830 System                    4 False  True   False    False  False False   False    
0x0d42b7e8 AdobeARM.exe           1796 False  True   False    False  False False   False    
0x1a932ad0 userinit.exe           1064 False  True   False    False  False False   False    2012-04-28 02:21:10 UTC+0000
0x19cc5020 spoolsv.exe            1356 False  True   False    False  False False   False    
0x1ef06020 svchost.exe            1204 False  True   False    False  False False   False

Looking at the results, I don't see any outstanding process that would give away foul play.
The cmd.exe and mdd.exe looked suspicious at first, but they turn out to be a remnant of the creator taking a memdump of the system.
What I find odd is that there were a couple of net.exe processes active at one time, but they have already exited.

0x00000000021dbda0 net.exe            1444   1120 0x13642000 2012-04-28 02:21:40 UTC+0000   2012-04-28 02:21:41 UTC+0000
0x0000000019c90da0 net.exe            1444   1120 0x13642000 2012-04-28 02:21:40 UTC+0000   2012-04-28 02:21:41 UTC+0000
0x000000001a59ada0 net.exe            1444   1120 0x13642000 2012-04-28 02:21:40 UTC+0000   2012-04-28 02:21:41 UTC+0000
0x000000001a8ecda0 net.exe            1444   1120 0x13642000 2012-04-28 02:21:40 UTC+0000   2012-04-28 02:21:41 UTC+0000

As I can see, these processes have already terminated, but for the sake of getting into the habit of running the commands, I try to dump those processes anyway.

ERROR   : volatility.debug    : Cannot find PID 1444. If its terminated or unlinked, use psscan and then supply --offset=OFFSET

Let's try the offset 0x00000000021dbda0 of the first net.exe process.
Process(V) ImageBase  Name                 Result
---------- ---------- -------------------- ------
---------- ---------- -------------------- Error: Cannot acquire process AS
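The comparison of the linked process list against the pool-scan results is easy to do by hand on a dump this small, but it is worth automating, because psscan reports one row per physical copy of an _EPROCESS (hence the four identical net.exe rows) and mixes in objects left over from before the current boot. The script below is an added example, not part of this writeup or of Volatility. It parses a few rows copied from the pslist and psscan output above (constructed sample, not the full listings), approximates the boot time from the earliest start time in pslist (smss.exe), and labels every process psscan found that pslist did not as exited, stale (created before boot, like the two svchost.exe entries dated 2012-04-20) or possibly unlinked; the last bucket is what psxview would also flag.

```python
import re
from collections import OrderedDict

# Constructed sample: a handful of rows copied from the pslist and psscan
# output above (not the full listings), enough to exercise every case.
PSLIST_SAMPLE = """\
0x823c8830 System                    4      0     51      269 ------      0
0x8211a020 smss.exe                360      4      3       19 ------      0 2012-04-28 01:56:37 UTC+0000
0x8214a020 explorer.exe           1096   1212     13      317      0      0 2012-04-28 02:20:54 UTC+0000
0x82247da0 cmd.exe                1120   1096      1       33      0      0 2012-04-28 02:21:15 UTC+0000
0x821ab3d0 mdd.exe                1396   1120      1       24      0      0 2012-04-28 02:23:20 UTC+0000
"""

PSSCAN_SAMPLE = """\
0x0000000002013ad0 userinit.exe       1064    624 0x13794000 2012-04-28 02:21:10 UTC+0000   2012-04-28 02:21:10 UTC+0000
0x000000000207b020 svchost.exe        1204    672 0x08fb6000 2012-04-20 19:02:43 UTC+0000
0x000000000207f4e8 svchost.exe        1092    672 0x07f87000 2012-04-20 19:02:43 UTC+0000
0x000000000211a020 smss.exe            360      4 0x06886000 2012-04-28 01:56:37 UTC+0000
0x000000000214a020 explorer.exe       1096   1212 0x008cc000 2012-04-28 02:20:54 UTC+0000
0x00000000021ab3d0 mdd.exe            1396   1120 0x14ef4000 2012-04-28 02:23:20 UTC+0000
0x00000000021dbda0 net.exe            1444   1120 0x13642000 2012-04-28 02:21:40 UTC+0000   2012-04-28 02:21:41 UTC+0000
0x0000000002247da0 cmd.exe            1120   1096 0x1525d000 2012-04-28 02:21:15 UTC+0000
0x00000000023c8830 System                4      0 0x00039000
0x0000000019c90da0 net.exe            1444   1120 0x13642000 2012-04-28 02:21:40 UTC+0000   2012-04-28 02:21:41 UTC+0000
0x000000001a932ad0 userinit.exe       1064    624 0x13794000 2012-04-28 02:21:10 UTC+0000   2012-04-28 02:21:10 UTC+0000
"""

TIME_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC\+0000")


def parse_rows(text):
    """Parse pslist or psscan rows. Both start with offset, name, PID, PPID
    and end with zero, one (created) or two (created, exited) timestamps."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].startswith("0x"):
            continue  # header, separator or blank line
        times = TIME_RE.findall(line)
        rows.append({
            "offset": fields[0], "name": fields[1],
            "pid": int(fields[2]), "ppid": int(fields[3]),
            "created": times[0] if times else None,
            "exited": times[1] if len(times) > 1 else None,
        })
    return rows


def boot_time(pslist_rows):
    """Approximate the boot time as the earliest start time in the linked
    list (smss.exe); timestamps in this format sort correctly as strings."""
    return min(r["created"] for r in pslist_rows if r["created"])


def triage(pslist_text, psscan_text):
    """Return (pid, name, created, verdict) for every EPROCESS that psscan
    found but pslist did not, collapsing the physical copies psscan reports
    for one process (the duplicate net.exe rows become a single finding)."""
    linked = parse_rows(pslist_text)
    boot = boot_time(linked)
    linked_keys = {(r["pid"], r["created"]) for r in linked}
    findings = OrderedDict()
    for r in parse_rows(psscan_text):
        key = (r["pid"], r["name"], r["created"])
        if (r["pid"], r["created"]) in linked_keys or key in findings:
            continue
        if r["exited"]:
            verdict = "exited"                       # terminated; object not yet reused
        elif r["created"] and r["created"] < boot:
            verdict = "stale (created before boot)"  # leftover from an earlier boot session
        else:
            verdict = "possibly unlinked"            # live by its create time, yet not in the list
        findings[key] = verdict
    return [(pid, name, created, verdict)
            for (pid, name, created), verdict in findings.items()]


if __name__ == "__main__":
    for pid, name, created, verdict in triage(PSLIST_SAMPLE, PSSCAN_SAMPLE):
        print("%5d %-14s %-28s %s" % (pid, name, created, verdict))
```

Run against the sample, the four net.exe copies collapse into one exited finding and the two 2012-04-20 svchost.exe entries are reported as stale rather than hidden; on a real case the full pslist and psscan output would be fed in, and anything landing in the "possibly unlinked" bucket deserves the same treatment the author gives net.exe here: locate it by physical offset and dump it.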

I'll proceed by listing the network sessions/connections:
07:08:21 - [neo@zion] > ~/grrcon2012 : python /home/neo/volatility-2.6/vol.py -f /home/neo/grrcon2012/memdump.img --profile=WinXPSP3x86 connections
Volatility Foundation Volatility Framework 2.6
Offset(V)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x8201ce68 172.16.150.20:1365        172.16.150.10:139         4
0x82018e00 172.16.150.20:1424        221.54.197.32:443         1096
07:08:21 - [neo@zion] > ~/grrcon2012 : python /home/neo/volatility-2.6/vol.py -f /home/neo/grrcon2012/memdump.img --profile=WinXPSP3x86 connscan
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x01a0bdc0 172.16.150.20:2119        172.16.150.10:389         640
0x01a14e68 160.217.253.129:0         67.99.80.76:11776         1
0x01fb7d90 172.16.150.20:2133        173.194.76.109:993        872
0x01fb8c60 172.16.150.20:2134        172.16.150.10:445         1128
0x02018e00 172.16.150.20:1424        221.54.197.32:443         1096
0x0201ce68 172.16.150.20:1365        172.16.150.10:139         4
0x02026dd0 172.16.150.20:1406        172.16.150.10:1025        684
0x02054628 3.0.61.2:26996            8.113.58.130:22369        2183130032
0x02168718 172.16.150.20:1428        199.7.59.190:80           1796
0x0218a8f8 172.16.150.20:1418        172.16.150.10:445         1124
0x021fe2d0 172.16.150.20:1396        172.16.150.10:135         684
0x022227e8 97.0.110.0:11520          109.0.112.0:30976         3014753
0x0222aa40 172.16.150.20:1427        199.7.52.190:80           1796
0x02233e68 172.16.150.20:1397        172.16.150.10:1025        684
0x0b9a5c60 172.16.150.20:2134        172.16.150.10:445         1128
0x0c3bfa40 172.16.150.20:1427        199.7.52.190:80           1796
0x0d3a1e68 160.217.253.129:0         67.99.80.76:11776         1
0x0d3f1e68 172.16.150.20:1365        172.16.150.10:139         4
0x0d409628 3.0.61.2:26996            8.113.58.130:22369        2183130032
0x1360dc60 172.16.150.20:2134        172.16.150.10:445         1128
0x1a068e68 172.16.150.20:1397        172.16.150.10:1025        684
0x1a264d90 172.16.150.20:2133        173.194.76.109:993        872
0x1a6132d0 172.16.150.20:1396        172.16.150.10:135         684
0x1a6777e8 97.0.110.0:11520          109.0.112.0:30976         3014753
0x1a97ae68 172.16.150.20:1397        172.16.150.10:1025        684
0x1cd75a40 172.16.150.20:1427        199.7.52.190:80           1796
0x1df7aa40 172.16.150.20:1427        199.7.52.190:80           1796
0x1e607e68 172.16.150.20:1365        172.16.150.10:139         4
0x1f3a1a40 172.16.150.20:1427        199.7.52.190:80           1796
0x1f977e68 160.217.253.129:0         67.99.80.76:11776         1
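Connscan carves _TCPT_OBJECT structures out of physical memory without any sanity check, so besides real and recently closed connections it returns pool garbage (a "local" address of 3.0.61.2 owned by PID 2183130032) and leftovers from a previous boot (PIDs such as 640 and 872 that no process listing knows about). The script below is an added example, not part of this writeup or of Volatility: it parses a constructed subset of the connscan rows above, drops duplicate physical copies, and labels each unique connection using two assumptions stated in the code, the host's own address (172.16.150.20, read off the sockets output) and a PID-to-image-name table copied from the psscan output. What is left after filtering is the short list of real, process-owned connections leaving the LAN, with the owning process named, which is the same answer the live connections plugin gives for explorer.exe (PID 1096).

```python
import ipaddress

# Constructed sample: rows copied from the connscan output above, including
# two pool-scan artifacts and one duplicate physical copy.
CONNSCAN_SAMPLE = """\
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x01a0bdc0 172.16.150.20:2119        172.16.150.10:389         640
0x01a14e68 160.217.253.129:0         67.99.80.76:11776         1
0x01fb7d90 172.16.150.20:2133        173.194.76.109:993        872
0x02018e00 172.16.150.20:1424        221.54.197.32:443         1096
0x0201ce68 172.16.150.20:1365        172.16.150.10:139         4
0x02054628 3.0.61.2:26996            8.113.58.130:22369        2183130032
0x02168718 172.16.150.20:1428        199.7.59.190:80           1796
0x0222aa40 172.16.150.20:1427        199.7.52.190:80           1796
0x0c3bfa40 172.16.150.20:1427        199.7.52.190:80           1796
"""

# PID -> image name, copied from the psscan output above (constructed table;
# only PIDs that occur in the sample matter).
KNOWN_PIDS = {
    4: "System", 360: "smss.exe", 596: "csrss.exe", 624: "winlogon.exe",
    672: "services.exe", 684: "lsass.exe", 852: "svchost.exe", 940: "svchost.exe",
    1024: "svchost.exe", 1072: "svchost.exe", 1096: "explorer.exe", 1124: "svchost.exe",
    1356: "spoolsv.exe", 1796: "AdobeARM.exe", 1880: "alg.exe", 2008: "reader_sl.exe",
    1120: "cmd.exe", 1396: "mdd.exe", 1444: "net.exe",
}

# Assumption: the host's own address, as seen in the sockets output above.
HOST_IP = ipaddress.ip_address("172.16.150.20")


def split_endpoint(text):
    ip, port = text.rsplit(":", 1)
    return ipaddress.ip_address(ip), int(port)


def parse_connscan(text):
    """Parse connscan rows into dicts; header and separator lines are skipped."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or not fields[0].startswith("0x"):
            continue
        lip, lport = split_endpoint(fields[1])
        rip, rport = split_endpoint(fields[2])
        conns.append({"offset": fields[0], "local": (lip, lport),
                      "remote": (rip, rport), "pid": int(fields[3])})
    return conns


def classify(conn, host_ip, known_pids):
    """Label one scanned connection. Checks run from cheapest to most
    meaningful: impossible local address, unknown owner, then direction."""
    if conn["local"][0] != host_ip:
        return "artifact (local address is not this host)"
    if conn["pid"] not in known_pids:
        return "stale or artifact (owning PID not in any process list)"
    if conn["remote"][0].is_private:
        return "internal"
    return "external egress"


def triage_connections(text, host_ip=HOST_IP, known_pids=KNOWN_PIDS):
    """De-duplicate physical copies and return
    (local, remote, pid, image name, verdict) tuples in scan order."""
    seen, out = set(), []
    for c in parse_connscan(text):
        key = (c["local"], c["remote"], c["pid"])
        if key in seen:
            continue
        seen.add(key)
        out.append(("%s:%d" % c["local"], "%s:%d" % c["remote"], c["pid"],
                    known_pids.get(c["pid"], "?"),
                    classify(c, host_ip, known_pids)))
    return out


def external_egress(rows):
    """Only the rows worth a second look: real, owned, and leaving the LAN."""
    return [r for r in rows if r[4] == "external egress"]


if __name__ == "__main__":
    for row in triage_connections(CONNSCAN_SAMPLE):
        print("%-22s -> %-22s %-11d %-13s %s" % row)
```

On the sample this leaves three egress connections, explorer.exe to 221.54.197.32:443 and AdobeARM.exe to two 199.7.x.190 web servers; the verdict only says where a connection goes and who owns it, so deciding whether explorer.exe talking TLS to an external host is expected is still the analyst's job, which is exactly where the rest of this investigation picks up.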
16:39:11 - [neo@zion] > ~ : python /home/neo/volatility-2.6/vol.py -f /home/neo/grrcon2012/memdump.img --profile=WinXPSP3x86 sockets
Volatility Foundation Volatility Framework 2.6
Offset(V)       PID   Port  Proto Protocol        Address         Create Time
---------- -------- ------ ------ --------------- --------------- -----------
0x82023008        4      0     47 GRE             0.0.0.0         2012-04-28 01:56:53 UTC+0000
0x82264618      684    500     17 UDP             0.0.0.0         2012-04-28 01:56:50 UTC+0000
0x82123e98        4    137     17 UDP             172.16.150.20   2012-04-28 01:56:38 UTC+0000
0x8202f008        4   1073      6 TCP             0.0.0.0         2012-04-28 01:56:53 UTC+0000
0x82228518        4   1365      6 TCP             172.16.150.20   2012-04-28 02:10:14 UTC+0000
0x8220f658        4    445      6 TCP             0.0.0.0         2012-04-28 01:56:37 UTC+0000
0x82157e98      940    135      6 TCP             0.0.0.0         2012-04-28 01:56:41 UTC+0000
0x8219de98      624   1169     17 UDP             127.0.0.1       2012-04-28 01:56:59 UTC+0000
0x8225d9f8        4    138     17 UDP             172.16.150.20   2012-04-28 01:56:38 UTC+0000
0x82021e98     1024    123     17 UDP             127.0.0.1       2012-04-28 01:56:52 UTC+0000
0x82165b78      684      0    255 Reserved        0.0.0.0         2012-04-28 01:56:50 UTC+0000
0x8203ce98     1880   1068      6 TCP             127.0.0.1       2012-04-28 01:56:53 UTC+0000
0x822c8a10     1072   1025     17 UDP             0.0.0.0         2012-04-28 01:56:49 UTC+0000
0x82023250     1024    123     17 UDP             172.16.150.20   2012-04-28 01:56:52 UTC+0000
0x821fde98      852   3389      6 TCP             0.0.0.0         2012-04-28 01:57:04 UTC+0000
0x8205c8e0      684   1027     17 UDP             127.0.0.1       2012-04-28 01:56:49 UTC+0000
0x81fe0598     1096   1424      6 TCP             0.0.0.0         2012-04-28 02:20:56 UTC+0000
0x822638c8     1072   1026     17 UDP             0.0.0.0         2012-04-28 01:56:49 UTC+0000
0x821a0758     1124   1900     17 UDP             127.0.0.1       2012-04-28 01:57:01 UTC+0000
0x82057630      684   4500     17 UDP             0.0.0.0         2012-04-28 01:56:50 UTC+0000
0x8217cd08     1124   1900     17 UDP             172.16.150.20   2012-04-28 01:57:01 UTC+0000
0x822c42a0        4    445     17 UDP             0.0.0.0         2012-04-28 01:56:37 UTC+0000
0x82124648        4    139      6 TCP             172.16.150.20   2012-04-28 01:56:38 UTC+0000
16:54:33 - [neo@zion] > ~ : python /home/neo/volatility-2.6/vol.py -f /home/neo/grrcon2012/memdump.img --profile=WinXPSP3x86 sockscan
Volatility Foundation Volatility Framework 2.6
Offset(P)       PID   Port  Proto Protocol        Address         Create Time
---------- -------- ------ ------ --------------- --------------- -----------
0x0144e4f8      696   1996      6 TCP             0.0.0.0         2012-04-07 08:27:45 UTC+0000
0x0144f4f8      696   1992     17 UDP             0.0.0.0         2012-04-07 08:27:45 UTC+0000
0x0156f4f8      640   4287      6 TCP             0.0.0.0         2012-04-11 19:52:07 UTC+0000
0x016914f8      696   1451     17 UDP             0.0.0.0         2012-03-29 12:29:52 UTC+0000
0x019e04f8      640   3816      6 TCP             0.0.0.0         2012-04-03 02:10:43 UTC+0000
0x01a08388     1436   2098      6 TCP             0.0.0.0         2012-04-14 23:11:38 UTC+0000
0x01a0b008      696   2136     17 UDP             0.0.0.0         2012-04-14 23:40:31 UTC+0000
0x01a122a0     1436   2106      6 TCP             0.0.0.0         2012-04-14 23:11:41 UTC+0000
0x01a18c90      640   2119      6 TCP             0.0.0.0         2012-04-14 23:23:03 UTC+0000
0x01a8c4f8      696   1969     17 UDP             0.0.0.0         2012-04-14 19:17:55 UTC+0000
0x01ba44f8        4   1142      6 TCP             0.0.0.0         2012-03-28 20:45:07 UTC+0000
0x01d0d4f8        4   1138      6 TCP             0.0.0.0         2012-04-05 15:18:46 UTC+0000
0x01e414f8        4   3719      6 TCP             172.16.150.20   2012-04-10 17:47:47 UTC+0000
0x01e424f8      696   3713     17 UDP             0.0.0.0         2012-04-10 17:47:47 UTC+0000
0x01fb4bb8      696   2118      6 TCP             0.0.0.0         2012-04-14 23:23:03 UTC+0000
0x01fe0598     1096   1424      6 TCP             0.0.0.0         2012-04-28 02:20:56 UTC+0000
0x01ff6710        4   1271      6 TCP             172.16.150.20   2012-04-28 01:58:53 UTC+0000
0x02012008     1796   1427      6 TCP             0.0.0.0         2012-04-28 02:20:59 UTC+0000
0x02021e98     1024    123     17 UDP             127.0.0.1       2012-04-28 01:56:52 UTC+0000
0x02023008        4      0     47 GRE             0.0.0.0         2012-04-28 01:56:53 UTC+0000
0x02023250     1024    123     17 UDP             172.16.150.20   2012-04-28 01:56:52 UTC+0000
0x0202f008        4   1073      6 TCP             0.0.0.0         2012-04-28 01:56:53 UTC+0000
0x0203ce98     1880   1068      6 TCP             127.0.0.1       2012-04-28 01:56:53 UTC+0000
0x02057630      684   4500     17 UDP             0.0.0.0         2012-04-28 01:56:50 UTC+0000
0x0205c8e0      684   1027     17 UDP             127.0.0.1       2012-04-28 01:56:49 UTC+0000
0x020c3cf8        4    445      6 TCP             0.0.0.0         2012-03-28 18:46:29 UTC+0000
0x020c3e98        4    445     17 UDP             0.0.0.0         2012-03-28 18:46:29 UTC+0000
0x020c62d8        4    139      6 TCP             172.16.150.20   2012-03-28 18:46:29 UTC+0000
0x020cc008     1080   1034     17 UDP             0.0.0.0         2012-03-28 17:26:41 UTC+0000
0x02123e98        4    137     17 UDP             172.16.150.20   2012-04-28 01:56:38 UTC+0000
0x02124648        4    139      6 TCP             172.16.150.20   2012-04-28 01:56:38 UTC+0000
0x02157e98      940    135      6 TCP             0.0.0.0         2012-04-28 01:56:41 UTC+0000
0x02165b78      684      0    255 Reserved        0.0.0.0         2012-04-28 01:56:50 UTC+0000
0x0217cd08     1124   1900     17 UDP             172.16.150.20   2012-04-28 01:57:01 UTC+0000
0x0219de98      624   1169     17 UDP             127.0.0.1       2012-04-28 01:56:59 UTC+0000
0x021a0758     1124   1900     17 UDP             127.0.0.1       2012-04-28 01:57:01 UTC+0000
0x021fde98      852   3389      6 TCP             0.0.0.0         2012-04-28 01:57:04 UTC+0000
0x0220f658        4    445      6 TCP             0.0.0.0         2012-04-28 01:56:37 UTC+0000
0x02228518        4   1365      6 TCP             172.16.150.20   2012-04-28 02:10:14 UTC+0000
0x0225d9f8        4    138     17 UDP             172.16.150.20   2012-04-28 01:56:38 UTC+0000
0x022638c8     1072   1026     17 UDP             0.0.0.0         2012-04-28 01:56:49 UTC+0000
0x02264618      684    500     17 UDP             0.0.0.0         2012-04-28 01:56:50 UTC+0000
0x022c42a0        4    445     17 UDP             0.0.0.0         2012-04-28 01:56:37 UTC+0000
0x022c8a10     1072   1025     17 UDP             0.0.0.0         2012-04-28 01:56:49 UTC+0000
0x0b9118e0      684   1027     17 UDP             127.0.0.1       2012-04-28 01:56:49 UTC+0000
0x0c3c3710        4   1271      6 TCP             172.16.150.20   2012-04-28 01:58:53 UTC+0000
0x0c49b4f8      696   1996      6 TCP             0.0.0.0         2012-04-07 08:27:45 UTC+0000
0x0d21c4f8      696   1992     17 UDP             0.0.0.0         2012-04-07 08:27:45 UTC+0000
0x0d2bc4f8      640   4287      6 TCP             0.0.0.0         2012-04-11 19:52:07 UTC+0000
0x0d315388     1436   2098      6 TCP             0.0.0.0         2012-04-14 23:11:38 UTC+0000
0x142d98e0      684   1027     17 UDP             127.0.0.1       2012-04-28 01:56:49 UTC+0000
0x17821bb8      696   2118      6 TCP             0.0.0.0         2012-04-14 23:23:03 UTC+0000
0x1826abb8      696   2118      6 TCP             0.0.0.0         2012-04-14 23:23:03 UTC+0000
0x1830d4f8      640   3816      6 TCP             0.0.0.0         2012-04-03 02:10:43 UTC+0000
0x18838008        4      0     47 GRE             0.0.0.0         2012-04-28 01:56:53 UTC+0000
0x18838250     1024    123     17 UDP             172.16.150.20   2012-04-28 01:56:52 UTC+0000
0x19313bb8      696   2118      6 TCP             0.0.0.0         2012-04-14 23:23:03 UTC+0000
0x195e64f8      640   3816      6 TCP             0.0.0.0         2012-04-03 02:10:43 UTC+0000
0x1980c630      684   4500     17 UDP             0.0.0.0         2012-04-28 01:56:50 UTC+0000
0x198914f8        4   1142      6 TCP             0.0.0.0         2012-03-28 20:45:07 UTC+0000
0x1990ce98      940    135      6 TCP             0.0.0.0         2012-04-28 01:56:41 UTC+0000
0x1996e4f8        4   3719      6 TCP             172.16.150.20   2012-04-10 17:47:47 UTC+0000
0x19ab1e98     1880   1068      6 TCP             127.0.0.1       2012-04-28 01:56:53 UTC+0000
0x19b32e98      624   1169     17 UDP             127.0.0.1       2012-04-28 01:56:59 UTC+0000
0x19c32e98      852   3389      6 TCP             0.0.0.0         2012-04-28 01:57:04 UTC+0000
0x19c529f8        4    138     17 UDP             172.16.150.20   2012-04-28 01:56:38 UTC+0000
0x19d11d08     1124   1900     17 UDP             172.16.150.20   2012-04-28 01:57:01 UTC+0000
0x19edbd08     1124   1900     17 UDP             172.16.150.20   2012-04-28 01:57:01 UTC+0000
0x1a2e4008        4   1073      6 TCP             0.0.0.0         2012-04-28 01:56:53 UTC+0000
0x1a361008     1080   1034     17 UDP             0.0.0.0         2012-03-28 17:26:41 UTC+0000
0x1a3b5758     1124   1900     17 UDP             127.0.0.1       2012-04-28 01:57:01 UTC+0000
0x1a3f84f8        4   3719      6 TCP             172.16.150.20   2012-04-10 17:47:47 UTC+0000
0x1a4c4658        4    445      6 TCP             0.0.0.0         2012-04-28 01:56:37 UTC+0000
0x1a5f6e98     1024    123     17 UDP             127.0.0.1       2012-04-28 01:56:52 UTC+0000
0x1aa8a4f8        4   3719      6 TCP             172.16.150.20   2012-04-10 17:47:47 UTC+0000
0x1aaf6630      684   4500     17 UDP             0.0.0.0         2012-04-28 01:56:50 UTC+0000
0x1abf6e98      940    135      6 TCP             0.0.0.0         2012-04-28 01:56:41 UTC+0000
0x1b6a5d08     1124   1900     17 UDP             172.16.150.20   2012-04-28 01:57:01 UTC+0000
0x1b9a1d08     1124   1900     17 UDP             172.16.150.20   2012-04-28 01:57:01 UTC+0000
0x1cdf14f8      696   1996      6 TCP             0.0.0.0         2012-04-07 08:27:45 UTC+0000
0x1cff24f8      696   1992     17 UDP             0.0.0.0         2012-04-07 08:27:45 UTC+0000
0x1d3764f8      696   1996      6 TCP             0.0.0.0         2012-04-07 08:27:45 UTC+0000
0x1d5b74f8      696   1992     17 UDP             0.0.0.0         2012-04-07 08:27:45 UTC+0000
0x1d859710        4   1271      6 TCP             172.16.150.20   2012-04-28 01:58:53 UTC+0000
0x1e0cb388     1436   2098      6 TCP             0.0.0.0         2012-04-14 23:11:38 UTC+0000
0x1e1924f8      640   4287      6 TCP             0.0.0.0         2012-04-11 19:52:07 UTC+0000
0x1ea1d4f8      696   1996      6 TCP             0.0.0.0         2012-04-07 08:27:45 UTC+0000
0x1eb20710        4   1271      6 TCP             172.16.150.20   2012-04-28 01:58:53 UTC+0000
0x1f27e4f8      696   1992     17 UDP             0.0.0.0         2012-04-07 08:27:45 UTC+0000
0x1fa014f8      640   4287      6 TCP             0.0.0.0         2012-04-11 19:52:07 UTC+0000

The first IP I want to investigate is 221.54.197.32. The PID suggests the connection was established by explorer.exe, which troubles me greatly, but after researching a bit I find that it is completely normal for explorer.exe to reach out to Microsoft's IP ranges. This one, however, looks like something else entirely. Normally I would run a quick whois and a reverse IP lookup to enumerate DNS records for attribution, but since this challenge is about 5 years old as of writing this post, there's no point going in that direction: I cannot "retrolook" that far back into IP history.
Today that IP is owned by a Japanese bank.

19:30:50 - [neo@zion] > ~ : dig -x 221.54.197.32
;; ANSWER SECTION:
32.197.54.221.in-addr.arpa. 5 IN PTR softbank221054197032.bbtec.net.

18:59:20 - [neo@zion] > ~ : whois 221.54.197.32
% [whois.apnic.net]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

inetnum:        221.16.0.0 - 221.111.255.255
netname:        BBTEC
descr:          Japan Nation-wide Network of Softbank Corp.
country:        JP
admin-c:        SA421-AP
status:         ALLOCATED PORTABLE
notify:         kimatsud@softbank.co.jp
mnt-irt:        IRT-SOFTBANK-JP

irt:            IRT-SOFTBANK-JP
address:        Tokyo Shiodome bldg.,
address:        1-9-1, Higashi-Shimbashi
address:        Minatoku,Tokyo, Japan
e-mail:         abuse@bbtec.net
admin-c:        TT123-AP
tech-c:         ST222-AP
tech-c:         NH279-AP

role:           SoftbankBB ABUSE
address:        Tokyo Shiodome bldg., 1-9-1, Higashi-Shimbashi, Minatoku,Tokyo
country:        JP
phone:          +81-3-6688-5120
e-mail:         abuse@bbtec.net
admin-c:        ST222-AP
nic-hdl:        SA421-AP
notify:         admin@bbtec.net

Next idea: I'll try to find any references for that IP in memory, leveraging yarascan.
18:59:02 - [neo@zion] > ~ : python /home/neo/volatility-2.6/vol.py -f /home/neo/grrcon2012/memdump.img --profile=WinXPSP3x86 yarascan -Y "221.54.197.32" --wide
Volatility Foundation Volatility Framework 2.6
Rule: r1
Owner: Process explorer.exe Pid 1096
0x01310191  32 32 31 2e 35 34 2e 31 39 37 2e 33 32 00 bb 01   221.54.197.32...
0x013101a1  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x013101b1  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x013101c1  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x013101d1  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x013101e1  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x013101f1  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x01310201  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x01310211  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x01310221  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x01310231  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x01310241  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x01310251  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x01310261  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x01310271  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x01310281  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
Rule: r1
Owner: Process explorer.exe Pid 1096
0x01a1fcf9  32 32 31 2e 35 34 2e 31 39 37 2e 33 32 00 01 00   221.54.197.32...
0x01a1fd09  00 00 00 ff ff ff ff 00 e9 90 7c 10 b0 91 7c ff   ..........|...|.
0x01a1fd19  ff ff ff 0a b0 91 7c 4c d0 90 7c 3f e4 90 7c 30   ......|L..|?..|0
0x01a1fd29  fd a1 01 01 00 00 00 17 00 01 00 00 00 00 00 00   ................
0x01a1fd39  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x01a1fd49  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x01a1fd59  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x01a1fd69  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x01a1fd79  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x01a1fd89  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x01a1fd99  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x01a1fda9  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x01a1fdb9  00 00 00 00 00 00 00 38 00 00 00 23 00 00 00 23   .......8...#...#
0x01a1fdc9  00 00 00 00 00 00 00 00 00 00 00 00 00 31 01 00   .............1..
0x01a1fdd9  00 00 00 00 00 00 00 00 00 30 01 00 00 00 00 e9   .........0......
0x01a1fde9  06 81 7c 1b 00 00 00 00 02 00 00 fc ff a1 01 00   ..|.............
Rule: r1
Owner: Process explorer.exe Pid 1096
0x019d0191  32 32 31 2e 35 34 2e 31 39 37 2e 33 32 00 bb 01   221.54.197.32...
0x019d01a1  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x019d01b1  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x019d01c1  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x019d01d1  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x019d01e1  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x019d01f1  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x019d0201  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x019d0211  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x019d0221  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x019d0231  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x019d0241  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x019d0251  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x019d0261  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x019d0271  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x019d0281  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................

The explorer.exe process is still suspicious to me, but perhaps I'm just chasing a ghost. I want to learn more about the IAT of explorer.exe, so I call upon apihooks, impscan and handles.
07:59:14 - [neo@zion] > ~ : python /home/neo/volatility-2.6/vol.py -f /home/neo/grrcon2012/memdump.img --profile=WinXPSP3x86 apihooks
Volatility Foundation Volatility Framework 2.6
************************************************************************
Hook mode: Usermode
Hook type: Import Address Table (IAT)
Process: 1024 (svchost.exe)
Victim module: tapisrv.dll (0x733e0000 - 0x73420000)
Function: activeds.dll!
Hook address: 0x76e1ef81
Hooking module: adsldpc.dll

Disassembly(0):
0x76e1ef81 8bff             MOV EDI, EDI
0x76e1ef83 55               PUSH EBP
0x76e1ef84 8bec             MOV EBP, ESP
0x76e1ef86 ff7508           PUSH DWORD [EBP+0x8]
0x76e1ef89 ff157810e176     CALL DWORD [0x76e11078]
0x76e1ef8f f7d8             NEG EAX
0x76e1ef91 1bc0             SBB EAX, EAX
0x76e1ef93 40               INC EAX
0x76e1ef94 5d               POP EBP
0x76e1ef95 c20400           RET 0x4
0x76e1ef98 90               NOP

I also run impscan and handles for -p 1096 (explorer.exe), but I don't see anything outstanding at first glance.
I want to narrow down my search to see only the Mutant handles.

08:25:20 - [neo@zion] > ~ : python /home/neo/volatility-2.6/vol.py -f /home/neo/grrcon2012/memdump.img --profile=WinXPSP3x86 handles -p 1096 | grep Mutant
Volatility Foundation Volatility Framework 2.6
0x82122810   1096       0x20   0x1f0001 Mutant           SHIMLIB_LOG_MUTEX
0x82382d30   1096       0x58   0x1f0001 Mutant           
0x82199ef0   1096       0x60   0x1f0001 Mutant           
0x82320348   1096       0xb0   0x1f0001 Mutant           ExplorerIsShellMutex
0x8213eec8   1096       0xc4   0x120001 Mutant           ShimCacheMutex
0x821fc428   1096      0x144   0x1f0001 Mutant           
0x821dcbb8   1096      0x220   0x1f0001 Mutant           
0x821d96f8   1096      0x294   0x1f0001 Mutant           
0x821bee30   1096      0x2a0   0x1f0001 Mutant           
0x8217bf08   1096      0x2ac   0x1f0001 Mutant           
0x821422b8   1096      0x2f0   0x1f0001 Mutant           )!VoqA.I4
0x8226f620   1096      0x2f8   0x1f0001 Mutant           _SHuassist.mtx
0x81fff188   1096      0x308   0x1f0001 Mutant           ZonesCounterMutex
0x81ffa7c0   1096      0x310   0x1f0001 Mutant           ZonesCacheCounterMutex
0x821a2c80   1096      0x314   0x1f0001 Mutant           ZonesLockedCacheCounterMutex
0x821a32a8   1096      0x448   0x1f0001 Mutant           
0x823828e0   1096      0x46c   0x100000 Mutant           c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
0x821a3dd0   1096      0x484   0x1f0001 Mutant           
0x82219dd0   1096      0x488   0x1f0001 Mutant           
0x8202b470   1096      0x48c   0x1f0001 Mutant           
0x8221e8d0   1096      0x4dc   0x100000 Mutant           _!MSFTHISTORY!_
0x81fe33d0   1096      0x500   0x100000 Mutant           c:!documents and settings!administrator!cookies!
0x8218a678   1096      0x508   0x100000 Mutant           c:!documents and settings!administrator!local settings!history!history.ie5!

I come across the string ")!VoqA.I4" and immediately start searching Google.
That's when I find my first true indicator: the Poison Ivy backdoor uses that mutant.
I read up on the references and start to suspect that this might be the case, although I don't have much evidence to prove it just yet.

References:
https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf
https://digital-forensics.sans.org/blog/2012/07/24/mutex-for-malware-discovery-and-iocs

There's a separate plugin for scanning the memdump for mutants; let's run that:

08:31:24 - [neo@zion] > ~ : python /home/neo/volatility-2.6/vol.py -f /home/neo/grrcon2012/memdump.img --profile=WinXPSP3x86 mutantscan
Volatility Foundation Volatility Framework 2.6
...
0x00000000021422b8        2        1      1 0x00000000           )!VoqA.I4
0x000000000215a9a8        2        1      1 0x00000000           RAS_MO_01
0x00000000021cdf98        2        1      1 0x00000000           RAS_MO_02
...
0x00000000196af9a8        2        1      1 0x00000000           RAS_MO_01
0x000000001a5972b8        2        1      1 0x00000000           )!VoqA.I4
0x000000001a742f98        2        1      1 0x00000000           RAS_MO_02
0x000000001b1692b8        2        1      1 0x00000000           )!VoqA.I4
...

RAS_MO_01 also stands out for me, so I run a few Google searches.
I find that it is common on systems where TrueCryptor is present, but other than that it is a fairly frequent mutant to see.
I'm going to proceed and try to reinforce my PoisonIvy/TrueCryptor theory by running the malfind plugin.
It looks for hidden or injected code and DLLs inside processes.

11:24:37 - [neo@zion] > ~/grrcon2012 : python /home/neo/volatility-2.6/vol.py -f /home/neo/grrcon2012/memdump.img --profile=WinXPSP3x86 malfind -D /home/neo/grrcon2012/malfind/
-rw-rw-r-- 1 neo neo 1.0M Jun 27 10:44 process.0x82129220.0x7f6f0000.dmp
-rw-rw-r-- 1 neo neo 4.0K Jun 27 10:44 process.0x8214a020.0x1290000.dmp
-rw-rw-r-- 1 neo neo 4.0K Jun 27 10:44 process.0x8214a020.0x1300000.dmp
-rw-rw-r-- 1 neo neo 4.0K Jun 27 10:44 process.0x8214a020.0x1310000.dmp
-rw-rw-r-- 1 neo neo 8.0K Jun 27 10:44 process.0x8214a020.0x1320000.dmp
-rw-rw-r-- 1 neo neo 4.0K Jun 27 10:44 process.0x8214a020.0x1330000.dmp
-rw-rw-r-- 1 neo neo 4.0K Jun 27 10:44 process.0x8214a020.0x1410000.dmp
-rw-rw-r-- 1 neo neo 4.0K Jun 27 10:44 process.0x8214a020.0x1970000.dmp
-rw-rw-r-- 1 neo neo 4.0K Jun 27 10:44 process.0x8214a020.0x1980000.dmp
-rw-rw-r-- 1 neo neo 4.0K Jun 27 10:44 process.0x8214a020.0x1990000.dmp
-rw-rw-r-- 1 neo neo 4.0K Jun 27 10:44 process.0x8214a020.0x19a0000.dmp
-rw-rw-r-- 1 neo neo 4.0K Jun 27 10:44 process.0x8214a020.0x19b0000.dmp
-rw-rw-r-- 1 neo neo 4.0K Jun 27 10:44 process.0x8214a020.0x19c0000.dmp
-rw-rw-r-- 1 neo neo 4.0K Jun 27 10:44 process.0x8214a020.0x19d0000.dmp
-rw-rw-r-- 1 neo neo 4.0K Jun 27 10:44 process.0x8214a020.0x1a20000.dmp
-rw-rw-r-- 1 neo neo 4.0K Jun 27 10:44 process.0x8214a020.0x1a30000.dmp
-rw-rw-r-- 1 neo neo 4.0K Jun 27 10:44 process.0x8214a020.0x1bc0000.dmp
-rw-rw-r-- 1 neo neo 4.0K Jun 27 10:44 process.0x8214a020.0x1c40000.dmp
-rw-rw-r-- 1 neo neo 4.0K Jun 27 10:44 process.0x8214a020.0x1c50000.dmp
-rw-rw-r-- 1 neo neo 4.0K Jun 27 10:44 process.0x8214a020.0x1c60000.dmp
-rw-rw-r-- 1 neo neo 4.0K Jun 27 10:44 process.0x8214a020.0x1c70000.dmp
-rw-rw-r-- 1 neo neo 4.0K Jun 27 10:44 process.0x8214a020.0x1c80000.dmp
-rw-rw-r-- 1 neo neo 4.0K Jun 27 10:44 process.0x8214a020.0x1c90000.dmp
-rw-rw-r-- 1 neo neo 4.0K Jun 27 10:44 process.0x8214a020.0x1ca0000.dmp
-rw-rw-r-- 1 neo neo 4.0K Jun 27 10:44 process.0x8214a020.0x1cb0000.dmp
-rw-rw-r-- 1 neo neo 4.0K Jun 27 10:44 process.0x8214a020.0x1cc0000.dmp
-rw-rw-r-- 1 neo neo 4.0K Jun 27 10:44 process.0x8214a020.0x1cd0000.dmp
-rw-rw-r-- 1 neo neo 4.0K Jun 27 10:44 process.0x8214a020.0x1ce0000.dmp
-rw-rw-r-- 1 neo neo 4.0K Jun 27 10:44 process.0x8214a020.0x1cf0000.dmp
-rw-rw-r-- 1 neo neo 4.0K Jun 27 10:44 process.0x8214a020.0x1d00000.dmp
-rw-rw-r-- 1 neo neo 4.0K Jun 27 10:44 process.0x8214a020.0x1d10000.dmp
-rw-rw-r-- 1 neo neo  36K Jun 27 10:44 process.0x8214a020.0x1de0000.dmp
-rw-rw-r-- 1 neo neo  16K Jun 27 10:44 process.0x82194020.0x12320000.dmp
-rw-rw-r-- 1 neo neo  16K Jun 27 10:44 process.0x82194020.0x2bf90000.dmp
-rw-rw-r-- 1 neo neo  16K Jun 27 10:44 process.0x82194020.0x2d080000.dmp
-rw-rw-r-- 1 neo neo  16K Jun 27 10:44 process.0x82194020.0x2ee40000.dmp
-rw-rw-r-- 1 neo neo  16K Jun 27 10:44 process.0x82194020.0x37350000.dmp
-rw-rw-r-- 1 neo neo  16K Jun 27 10:44 process.0x82194020.0x4c430000.dmp
-rw-rw-r-- 1 neo neo  16K Jun 27 10:44 process.0x82194020.0x647a0000.dmp
-rw-rw-r-- 1 neo neo  16K Jun 27 10:44 process.0x82194020.0x766c0000.dmp
-rw-rw-r-- 1 neo neo  16K Jun 27 10:44 process.0x82194020.0x7f1e0000.dmp

We have certainly come across some suspicious processes. I don't want to waste too much time manually checking every dump file, so I'll go ahead and compute MD5 hashes and submit them to VirusTotal.
I'm going to use a vt_check.py script from GitHub to check whether those dump files are of interest or just false-positive hits.
md5sum /grrcon2012/malfind/* | awk '{print $1}' | vt_check.py


Two hashes that got hit:
670fbd8374cd84389982162db70acde1 | VirusTotal hit | 9/54
0a496d40d9ce0b2fbafbef2cd22dd03f | VirusTotal Hit | 2/47

https://www.virustotal.com/intelligence/search/?query=670fbd8374cd84389982162db70acde1
Engine   Signature     Version   Update
AegisLab  Virus.Troj.Agent!c   4.2    20160820
Avast   Win32:Agent-AAGI [Trj]  8.0.1489.320 20160820
AVG    BackDoor.PoisonIvy.U  16.0.0.4647  20160820
Comodo   UnclassifiedMalware   25642   20160819
GData   Generic.Trojan.Agent.X5RL0A 25    20160820
Ikarus   Backdoor.Poison    T3.2.1.6.0   20160819
NANO-Antivirus Trojan.Dos.Poison.bmcno  1.0.38.8984  20160820
Qihoo-360  Win32/Trojan.7e5   1.0.0.1120  20160820
Symantec  Backdoor.Darkmoon   20151.1.1.4  20160820

https://www.virustotal.com/intelligence/search/?query=0a496d40d9ce0b2fbafbef2cd22dd03f
Engine Signature   Version  Update
AVG  BackDoor.PoisonIvy 13.0.0.3169 20131024
Norman PoisonIvy.WXC  7.02.06  20131024

Now that we have two OSINT sources confirming that we're dealing with a variant of PoisonIvy, I'm going to call upon two Volatility plugins that were created specifically for identifying PoisonIvy in memory.
19:33:59 - [neo@zion] ~ : python /home/neo/volatility-2.6/vol.py -f /home/neo/grrcon2012/memdump.img --profile=WinXPSP3x86 poisonivyscan
Volatility Foundation Volatility Framework 2.6
Name PID Data VA 
-------------------- -------- ----------
explorer.exe 1096 0x01310000
explorer.exe 1096 0x019d0000

19:40:55 - [neo@zion] ~ : python /home/neo/volatility-2.6/vol.py -f /home/neo/grrcon2012/memdump.img --profile=WinXPSP3x86 poisonivyconfig
Volatility Foundation Volatility Framework 2.6
--------------------------------------------------------------------------------
Process: explorer.exe (1096)

Infection:
 PoisonIvy has ADMIN privileges!
 Version: 231
 Base VA: 0x1300000
 Extra VA: 0x1970000
 Data VA: 0x1310000
 Mutex: )!VoqA.I4
 Original file: C:\WINDOWS\system32\svchosts.exe
 Melt original file: True

Command and Control:
 Host 0: 221.54.197.32:443 (direct)
 Password: tigers
 Id: tigers
 Group:

Keylogger:
 Keylogger: False

Copy file:
 Copy routine: 0x19c0000
 Destination: %WINDIR%\System32\svchosts.exe

Persistence:
 Active Setup: False
 HKLM Run: True
 HKLM Run name: svchosts
 Setup routine: 0x1410000

Injector:
 Inject into other processes: True
 Persistently: False
 Injector TID: 0
 Injector Routine: 0x0
 Target process name: explorer.exe
 Target default browser: True

Proxy:
 Use Proxy: False

Decrypt: 0x13009a9
--------------------------------------------------------------------------------
Process: explorer.exe (1096)

Infection:
 PoisonIvy has ADMIN privileges!
 Version: 231
 Base VA: 0x1290000
 Extra VA: 0x1970000
 Data VA: 0x19d0000
 Mutex: )!VoqA.I4
 Original file: C:\WINDOWS\system32\svchosts.exe
 Melt original file: True

Command and Control:
 Host 0: 221.54.197.32:443 (direct)
 Password: tigers
 Id: tigers
 Group:

Keylogger:
 Keylogger: False

Copy file:
 Copy routine: 0x19c0000
 Destination: %WINDIR%\System32\svchosts.exe

Persistence:
 Active Setup: False
 HKLM Run: True
 HKLM Run name: svchosts
 Setup routine: 0x1410000

Injector:
 Inject into other processes: True
 Persistently: False
 Injector TID: 0
 Injector Routine: 0x0
 Target process name: explorer.exe
 Target default browser: True

Proxy:
 Use Proxy: False

Decrypt: 0x12909a9

We now have a bunch of useful information:
The backdoor: svchosts.exe
Injected into: explorer.exe
C2 encryption password: tigers
C2 channel: 221.54.197.32 :: 443
Next I'm going to have a look at the file system to see what files were spawned or created.
Invoking filescan, timeliner, mftparser and usnparser.
16:27:41 - [neo@zion] > ~ : python /home/neo/volatility-2.6/vol.py -f /home/neo/grrcon2012/memdump.img --profile=WinXPSP3x86 filescan --output=greptext --output-file=/home/neo/grrcon2012/filescan.txt
...
>|0x2211e00|1|0|RW-rwd|\Device\HarddiskVolume1\Documents and Settings\binge\Local Settings\Temporary Internet Files\Content.IE5\G1UV09YV\swing-mechanics.doc[1].exe
>|0x1a126e00|1|0|RW-rwd|\Device\HarddiskVolume1\Documents and Settings\binge\Local Settings\Temporary Internet Files\Content.IE5\G1UV09YV\swing-mechanics.doc[1].exe
>|0x1acd8e00|1|0|RW-rwd|\Device\HarddiskVolume1\Documents and Settings\binge\Local Settings\Temporary Internet Files\Content.IE5\G1UV09YV\swing-mechanics.doc[1].exe

Searching for the name svchost, I find something suspicious: besides the legitimate svchost.exe there's also a svchosts.exe, which is odd.
>|0x1fef320|1|0|R--rw-|\Device\HarddiskVolume1\WINDOWS\system32\svchosts.exe
>|0x2119200|1|0|R--r-d|\Device\HarddiskVolume1\WINDOWS\system32\svchosts.exe
>|0x221d118|1|0|R--rwd|\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe
>|0x22a7550|1|0|R--rwd|\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe
>|0xbc0e200|1|0|R--r-d|\Device\HarddiskVolume1\WINDOWS\system32\svchosts.exe
>|0x14b16200|1|0|R--r-d|\Device\HarddiskVolume1\WINDOWS\system32\svchosts.exe
>|0x19c12118|1|0|R--rwd|\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe
>|0x1b7c8200|1|0|R--r-d|\Device\HarddiskVolume1\WINDOWS\system32\svchosts.exe
>|0x1bedb200|1|0|R--r-d|\Device\HarddiskVolume1\WINDOWS\system32\svchosts.exe

Also, there's an interesting folder in system32 called systems, which should not be there at all.
>|0x2061440|1|0|-W----|\Device\HarddiskVolume1\WINDOWS\system32\systems\f.txt
>|0x2061f28|1|0|R--rw-|\Device\HarddiskVolume1\WINDOWS\system32\systems\sysmon.exe
>|0x215d528|1|0|R--r--|\Device\HarddiskVolume1�INDOWS\system32\systems\g.exe
>|0x21be7a0|1|0|R--r-d|\Device\HarddiskVolume1\WINDOWS\system32\systems\r.exe
>|0x2220380|1|0|R--r-d|\Device\HarddiskVolume1\WINDOWS\system32\systems\g.exe
>|0x22247e0|1|0|R--rw-|\Device\HarddiskVolume1\WINDOWS\system32\systems\p.exe
>|0x2229978|1|0|R--r-d|\Device\HarddiskVolume1\WINDOWS\system32\systems\p.exe
>|0x22e4ab8|1|0|R--r-d|\Device\HarddiskVolume1\WINDOWS\system32\systems\w.exe
>|0x19e12528|1|0|R--r--|\Device\HarddiskVolume1�INDOWS\system32\systems\g.exe
>|0x1a435380|1|0|R--r-d|\Device\HarddiskVolume1\WINDOWS\system32\systems\g.exe
>|0x1a5d37a0|1|0|R--r-d|\Device\HarddiskVolume1\WINDOWS\system32\systems\r.exe
>|0x1a636440|1|0|-W----|\Device\HarddiskVolume1\WINDOWS\system32\systems\f.txt
>|0x1a636f28|1|0|R--rw-|\Device\HarddiskVolume1\WINDOWS\system32\systems\sysmon.exe

Let's compare these results with the prefetch data; I want to know which of those files were actually executed.
17:08:47 - [neo@zion] > ~ : python /home/neo/volatility-2.6/vol.py -f /home/neo/grrcon2012/memdump.img --profile=WinXPSP3x86 prefetchparser
Volatility Foundation Volatility Framework 2.6
Scanning for Prefetch files, this can take a while.............
Prefetch file                              Execution Time               Times Size    
------------------------------------------ ---------------------------- ----- --------
SVCHOSTS.EXE-6B6C8D2.PF                    2012-04-28 02:20:56 UTC+0000     1     5396
VERCLSID.EXE-3667BD89.PF                   2012-04-28 02:20:56 UTC+0000    22    19478
ADOBEARM.EXE-2D1B11BF.PF                   2012-04-28 02:20:56 UTC+0000     7    64402
NTOSBOOT-B00DFAAD.PF                       2012-04-28 01:56:28 UTC+0000     5   461494
MSIMN.EXE-38BA891D.PF                      2012-04-28 01:58:09 UTC+0000     3    71576
WUAUCLT.EXE-399A8E72.PF                    2012-04-28 01:57:37 UTC+0000    23    20840
NET.EXE-1A53C2F.PF                         2012-04-28 02:21:40 UTC+0000     5    14368
WUAUCLT.EXE-399A8E72.PF                    2012-04-28 01:57:37 UTC+0000    23    20840
CMD.EXE-87B4001.PF                         2012-04-28 02:21:16 UTC+0000     8    10998
P.EXE-4500029.PF                           2012-04-28 02:13:16 UTC+0000     4    13634
USERINIT.EXE-30B18140.PF                   2012-04-28 02:20:55 UTC+0000   179    22052
EXPLORER.EXE-82F38A9.PF                    2012-04-28 02:20:54 UTC+0000     7    64416
READER_SL.EXE-2B4EA1CB.PF                  2012-04-28 02:20:56 UTC+0000     6    10238
USERINIT.EXE-30B18140.PF                   2012-04-28 02:20:55 UTC+0000   179    22052
MDD.EXE-1686AFD3.PF                        2012-04-28 02:22:00 UTC+0000     3     8712
MDD.EXE-7B34726.PF                         2012-04-28 02:23:20 UTC+0000     1    51450
READER_SL.EXE-2B4EA1CB.PF                  2012-04-28 02:20:56 UTC+0000     6    10238
VERCLSID.EXE-3667BD89.PF                   2012-04-28 02:20:56 UTC+0000    22    19478
VERCLSID.EXE-3667BD89.PF                   2012-04-28 02:20:56 UTC+0000    22    19478
SVCHOSTS.EXE-6B6C8D2.PF                    2012-04-28 02:20:56 UTC+0000     1     5396
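As an added example (not part of the original writeup), the following Python script automates the cross-check I just did by hand: it parses filescan greptext lines and prefetchparser lines (the sample input is copied from the output above), flags system32 files whose names closely resemble a known Windows binary or that sit in an unexpected subdirectory, and marks which of them have a prefetch record. The allow-lists of known binaries and expected system32 subdirectories are assumptions and deliberately short.

```python
"""Triage Volatility filescan output against prefetch records.

Flags two things an analyst looks for by hand in a system32 listing:
  * look-alike names of legitimate binaries (svchosts.exe vs svchost.exe)
  * executables in subdirectories that a clean install does not have
and then marks which flagged files were actually run, using prefetch data.
"""
import re
from difflib import SequenceMatcher

# Sample filescan lines (--output=greptext), copied from the run above.
FILESCAN = r"""
>|0x1fef320|1|0|R--rw-|\Device\HarddiskVolume1\WINDOWS\system32\svchosts.exe
>|0x221d118|1|0|R--rwd|\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe
>|0x2061440|1|0|-W----|\Device\HarddiskVolume1\WINDOWS\system32\systems\f.txt
>|0x2061f28|1|0|R--rw-|\Device\HarddiskVolume1\WINDOWS\system32\systems\sysmon.exe
>|0x22247e0|1|0|R--rw-|\Device\HarddiskVolume1\WINDOWS\system32\systems\p.exe
>|0x2229978|1|0|R--r-d|\Device\HarddiskVolume1\WINDOWS\system32\systems\p.exe
>|0x21be7a0|1|0|R--r-d|\Device\HarddiskVolume1\WINDOWS\system32\systems\r.exe
>|0x1a435380|1|0|R--r-d|\Device\HarddiskVolume1\WINDOWS\system32\systems\g.exe
>|0x22e4ab8|1|0|R--r-d|\Device\HarddiskVolume1\WINDOWS\system32\systems\w.exe
"""

# Sample prefetchparser lines, copied from the run above (header removed).
PREFETCH = """
SVCHOSTS.EXE-6B6C8D2.PF                    2012-04-28 02:20:56 UTC+0000     1     5396
NET.EXE-1A53C2F.PF                         2012-04-28 02:21:40 UTC+0000     5    14368
CMD.EXE-87B4001.PF                         2012-04-28 02:21:16 UTC+0000     8    10998
P.EXE-4500029.PF                           2012-04-28 02:13:16 UTC+0000     4    13634
EXPLORER.EXE-82F38A9.PF                    2012-04-28 02:20:54 UTC+0000     7    64416
"""

# Assumed allow-lists. A real one is built from a clean image of the same
# OS and service pack; these are just enough to show the technique.
KNOWN_BINARIES = {"svchost.exe", "explorer.exe", "cmd.exe", "net.exe",
                  "userinit.exe", "lsass.exe", "csrss.exe", "services.exe"}
EXPECTED_SUBDIRS = {"drivers", "config", "wbem", "dllcache", "spool",
                    "catroot", "catroot2", "inetsrv", "oobe", "mui"}
SYSTEM32 = "\\windows\\system32\\"


def parse_filescan(text):
    """Return (offset, path) pairs from greptext filescan lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) >= 6 and parts[0] == ">":
            rows.append((parts[1], parts[5]))
    return rows


def parse_prefetch(text):
    """Map lower-case executable name -> (last execution time, run count)."""
    pat = re.compile(r"^(\S+)-[0-9A-F]{6,8}\.PF\s+(\S+ \S+ \S+)\s+(\d+)\s+(\d+)$")
    runs = {}
    for line in text.splitlines():
        m = pat.match(line.strip())
        if m:                                   # duplicates collapse here
            runs[m.group(1).lower()] = (m.group(2), int(m.group(3)))
    return runs


def lookalike_of(name, known, threshold=0.85):
    """Return the legitimate name that `name` closely resembles, else None.
    An exact match is legitimate, not a look-alike."""
    if name in known:
        return None
    best, score = None, 0.0
    for k in known:
        r = SequenceMatcher(None, name, k).ratio()
        if r > score:
            best, score = k, r
    return best if score >= threshold else None


def triage(filescan_text, prefetch_text, known=KNOWN_BINARIES):
    """Return one finding per suspicious system32 file (deduplicated)."""
    runs = parse_prefetch(prefetch_text)
    findings = {}
    for _offset, path in parse_filescan(filescan_text):
        low = path.lower()
        idx = low.find(SYSTEM32)
        if idx < 0:
            continue
        rel = low[idx + len(SYSTEM32):]          # path relative to system32
        name = rel.rsplit("\\", 1)[-1]
        reasons = []
        twin = lookalike_of(name, known)
        if twin:
            reasons.append("look-alike of %s" % twin)
        if "\\" in rel and rel.split("\\", 1)[0] not in EXPECTED_SUBDIRS:
            reasons.append("unexpected subdirectory %s" % rel.split("\\", 1)[0])
        if reasons and rel not in findings:      # one entry per file
            findings[rel] = {"path": path, "reasons": reasons,
                             "executed": runs.get(name)}
    return list(findings.values())


if __name__ == "__main__":
    for f in triage(FILESCAN, PREFETCH):
        ran = "ran %d time(s), last %s" % (f["executed"][1], f["executed"][0]) \
            if f["executed"] else "no prefetch record"
        print("%s\n    %s; %s" % (f["path"], "; ".join(f["reasons"]), ran))
```

On the sample data this reports svchosts.exe as a look-alike of svchost.exe that ran once, and the whole systems\ directory as unexpected, with only p.exe having a prefetch record.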

Challenge Questions:

1. How was the attack delivered?
2. What time was the attack delivered?
3. What was the name of the file that dropped the backdoor?
4. What is the ip address of the C2 server?
5. What type of backdoor is installed?
6. What is the mutex the backdoor is using?
7. Where is the backdoor placed on the filesystem?
8. What process name and process id is the backdoor running in?
9. What additional tools do you believe were placed on the machine?
10. What directory was created to place the newly dropped tools?
11. How did the attacker escalate privileges?
12. What level of privileges did the attacker obtain?
13. How was lateral movement performed?
14. What was the first sign of lateral movement?
15. What documents were exfiltrated?
16. How and where were the documents exfiltrated?
17. What additional steps did the attacker take to maintain access?
18. How long did the attacker have access to the network?
19. What is the secret code inside the exfiltrated documents?
20. What is the password for the backdoor?
