API tools faq
paste
Advertisement
Guest User

Untitled

a guest
Jul 9th, 2018
1,651
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 56.31 KB | None | 0 0
raw download clone embed print report
  1. https://www.evild3ad.com/1136/volatility-memory-forensics-federal-trojan-aka-r2d2/
  2.  
  3. Foreword: I encourage everyone to participate, whether or not you have done this before or not, hands on is the best way to learn and I have included resources on volatility, which is a commonly used memory forensics framework. The solution will be posted on Monday, as to give everyone enough time to work on this challenge. If you can answer some questions great, if you can complete the whole challenge even better.
  4.  
  5. For an example of the write up, using pastebin for large blocks of text is fine and encouraged.
  6.  
  7. https://hackforums.net/showthread.php?tid=5809120&pid=56810368#pid56810368
  8.  
  9. Tools:
  10.  
  11. Volatility or Rekall
  12. whois
  13. reglookup
  14. autopsy/foremost
  15. Yara
  16. Google
  17. sha256sum
  18. strings
  19. VirusTotal
  20.  
  21. Once again no need for Kali/Caine/Deft/SANS Sift of course if you want you can use whatever you want.
  22.  
  23. Scenario: A friend from another country is a well known journalist, who writes articles exposing government corruption and civil rights abuses, unfortunately they have reason to suspect that they may have been infected by a malware from a government entity. and she needs your help.
  24.  
  25.  
  26. Image Download: http://www.mediafire.com/file/yxqodp1p2aca91x/0zapftis.rar
  27. Password: infected
  28. RAR sha256sum: 0ab81aec6d61593a03a7b6fbda9266af8dd9c8df1b6477faa880fafd19cb21b1 0zapftis.rar
  29. Extracted File Type: vmem
  30.  
  31.  
  32. Resources:
  33.  
  34. https://github.com/volatilityfoundation/volatility/wiki
  35. https://www.howtoforge.com/tutorial/how-...nsic-tool/
  36. https://downloads.volatilityfoundation.o...t_v2.4.pdf
  37.  
  38.  
  39. Questions:
  40.  
  41. Questions on machine state:
  42.  
  43. What OS is used on the machine?
  44.  
  45. What processes are running and do any stand out?
  46.  
  47. What files are currently in the memory? Drivers and Windows objects, and do any of these stand out?
  48.  
  49. What networking connections and ports are present on the machine?
  50.  
  51. Do any of these connections or ports used stand out? If so why?
  52.  
  53. If there is a connection what country does does this IP block belong to?
  54.  
  55.  
  56. Malware Questions:
  57.  
  58. Is there malware present on the machine?
  59.  
  60. If there is malware dump the file and get the sha256 and identify the malware, also what has the malware changed to the system?
  61.  
  62. Have any commands been issued in a shell? If so what are these commands?
  63.  
  64. What methods of persistence are used in this malware?
  65.  
  66. Attribution:
  67.  
  68. What country could be responsible? Make sure to post relevant sources to support your conclusion.
  69.  
  70. Germany
  71.  
  72. https://www.dw.com/en/hacking-for-the-government-germany-opens-zitis-cyber-surveillance-agency/a-40511027
  73. https://www.symantec.com/connect/blogs/backdoorr2d2-long-arm-law
  74.  
  75.  
  76. Solution:
  77.  
  78. First thing is that there is a lot of Googling searching about to see if any files are of interest so this is a time consuming job I only posted the relevant information. Now we have to have a game plan :
  79.  
  80. Incident Response Plan:
  81.  
  82. 1. Preparation: Training, tools and an understanding of what we will be doing
  83. 2. Identification: Identify the attack and what happened
  84. • Level 1 – Unauthorized Access
  85. • Level 2 – Denial of Services
  86. • Level 3 – Malicious Code
  87. • Level 4 – Improper Usage
  88. • Level 5 – Scans/Probes/Attempted Access
  89. • Level 6 – Investigation Incident
  90.  
  91. 4. Containment: Not allowing an attacker to further compromise machines
  92. 5. Investigation: Looking over the logs and other data to get a reach a technically and evidence to support our conclusion
  93. 6. Eradication: Stopping the threat
  94. 7. Recovery
  95. 8. Follow-Up: An objective look at what happened and how security and response can be improved.
  96.  
  97. Questions on machine state:
  98.  
  99. What OS is used on the machine?
  100.  
  101. volatility -f 0zapftis.vmem imageinfo
  102. Volatility Foundation Volatility Framework 2.6
  103. INFO : volatility.debug : Determining profile based on KDBG search...
  104. Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
  105. AS Layer1 : IA32PagedMemoryPae (Kernel AS)
  106. AS Layer2 : FileAddressSpace (/home/oto/forensics/challenges/german/0zapftis.vmem)
  107. PAE type : PAE
  108. DTB : 0x319000L
  109. KDBG : 0x80544ce0L
  110. Number of Processors : 1
  111. Image Type (Service Pack) : 2
  112. KPCR for CPU 0 : 0xffdff000L
  113. KUSER_SHARED_DATA : 0xffdf0000L
  114. Image date and time : 2011-10-10 17:06:54 UTC+0000
  115. Image local date and time : 2011-10-10 13:06:54 -0400
  116.  
  117.  
  118. What processes are running and do any stand out?
  119.  
  120. volatility -f 0zapftis.vmem pslist
  121. Volatility Foundation Volatility Framework 2.6
  122. Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
  123. ---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
  124. 0x819cc830 System 4 0 55 162 ------ 0
  125. 0x81945020 smss.exe 536 4 3 21 ------ 0 2011-10-10 17:03:56 UTC+0000
  126. 0x816c6020 csrss.exe 608 536 11 355 0 0 2011-10-10 17:03:58 UTC+0000
  127. 0x813a9020 winlogon.exe 632 536 24 533 0 0 2011-10-10 17:03:58 UTC+0000
  128. 0x816da020 services.exe 676 632 16 261 0 0 2011-10-10 17:03:58 UTC+0000
  129. 0x813c4020 lsass.exe 688 632 23 336 0 0 2011-10-10 17:03:58 UTC+0000
  130. 0x81772ca8 vmacthlp.exe 832 676 1 24 0 0 2011-10-10 17:03:59 UTC+0000
  131. 0x8167e9d0 svchost.exe 848 676 20 194 0 0 2011-10-10 17:03:59 UTC+0000
  132. 0x817757f0 svchost.exe 916 676 9 217 0 0 2011-10-10 17:03:59 UTC+0000
  133. 0x816c6da0 svchost.exe 964 676 63 1058 0 0 2011-10-10 17:03:59 UTC+0000
  134. 0x815daca8 svchost.exe 1020 676 5 58 0 0 2011-10-10 17:03:59 UTC+0000
  135. 0x813aeda0 svchost.exe 1148 676 12 187 0 0 2011-10-10 17:04:00 UTC+0000
  136. 0x817937e0 spoolsv.exe 1260 676 13 140 0 0 2011-10-10 17:04:00 UTC+0000
  137. 0x81754990 VMwareService.e 1444 676 3 145 0 0 2011-10-10 17:04:00 UTC+0000
  138. 0x8136c5a0 alg.exe 1616 676 7 99 0 0 2011-10-10 17:04:01 UTC+0000
  139. 0x815c4da0 wscntfy.exe 1920 964 1 27 0 0 2011-10-10 17:04:39 UTC+0000
  140. 0x813bcda0 explorer.exe 1956 1884 18 322 0 0 2011-10-10 17:04:39 UTC+0000
  141. 0x816d63d0 VMwareTray.exe 184 1956 1 28 0 0 2011-10-10 17:04:41 UTC+0000
  142. 0x8180b478 VMwareUser.exe 192 1956 6 83 0 0 2011-10-10 17:04:41 UTC+0000
  143. 0x818233c8 reader_sl.exe 228 1956 2 26 0 0 2011-10-10 17:04:41 UTC+0000
  144. 0x815e7be0 wuauclt.exe 400 964 8 173 0 0 2011-10-10 17:04:46 UTC+0000
  145. 0x817a34b0 cmd.exe 544 1956 1 30 0 0 2011-10-10 17:06:42 UTC+0000
  146.  
  147. Explorer (PID:1956) with 18 threads stands out
  148.  
  149. What files are currently in the memory? Drivers and Windows objects, and do any of these stand out?
  150.  
  151. Double check of processes:
  152.  
  153. volatility -f 0zapftis.vmem psxview
  154. Volatility Foundation Volatility Framework 2.6
  155. Offset(P) Name PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
  156. ---------- -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
  157. 0x015a9020 winlogon.exe 632 True True True True True True True
  158. 0x018da020 services.exe 676 True True True True True True True
  159. 0x0156c5a0 alg.exe 1616 True True True True True True True
  160. 0x018d63d0 VMwareTray.exe 184 True True True True True True True
  161. 0x019757f0 svchost.exe 916 True True True True True True True
  162. 0x015c4020 lsass.exe 688 True True True True True True True
  163. 0x01972ca8 vmacthlp.exe 832 True True True True True True True
  164. 0x019a34b0 cmd.exe 544 True True True True True True True
  165. 0x0187e9d0 svchost.exe 848 True True True True True True True
  166. 0x017daca8 svchost.exe 1020 True True True True True True True
  167. 0x01954990 VMwareService.e 1444 True True True True True True True
  168. 0x018c6da0 svchost.exe 964 True True True True True True True
  169. 0x01a233c8 reader_sl.exe 228 True True True True True True True
  170. 0x017e7be0 wuauclt.exe 400 True True True True True True True
  171. 0x019937e0 spoolsv.exe 1260 True True True True True True True
  172. 0x015bcda0 explorer.exe 1956 True True True True True True True
  173. 0x017c4da0 wscntfy.exe 1920 True True True True True True True
  174. 0x01a0b478 VMwareUser.exe 192 True True True True True True True
  175. 0x015aeda0 svchost.exe 1148 True True True True True True True
  176. 0x01bcc830 System 4 True True True True False False False
  177. 0x01b45020 smss.exe 536 True True True True False False False
  178. 0x018c6020 csrss.exe 608 True True True True False True True
  179.  
  180. Process Tree:
  181.  
  182. volatility -f 0zapftis.vmem pstree
  183. Volatility Foundation Volatility Framework 2.6
  184. Name Pid PPid Thds Hnds Time
  185. -------------------------------------------------- ------ ------ ------ ------ ----
  186. 0x819cc830:System 4 0 55 162 1970-01-01 00:00:00 UTC+0000
  187. . 0x81945020:smss.exe 536 4 3 21 2011-10-10 17:03:56 UTC+0000
  188. .. 0x816c6020:csrss.exe 608 536 11 355 2011-10-10 17:03:58 UTC+0000
  189. .. 0x813a9020:winlogon.exe 632 536 24 533 2011-10-10 17:03:58 UTC+0000
  190. ... 0x816da020:services.exe 676 632 16 261 2011-10-10 17:03:58 UTC+0000
  191. .... 0x817757f0:svchost.exe 916 676 9 217 2011-10-10 17:03:59 UTC+0000
  192. .... 0x81772ca8:vmacthlp.exe 832 676 1 24 2011-10-10 17:03:59 UTC+0000
  193. .... 0x816c6da0:svchost.exe 964 676 63 1058 2011-10-10 17:03:59 UTC+0000
  194. ..... 0x815c4da0:wscntfy.exe 1920 964 1 27 2011-10-10 17:04:39 UTC+0000
  195. ..... 0x815e7be0:wuauclt.exe 400 964 8 173 2011-10-10 17:04:46 UTC+0000
  196. .... 0x8167e9d0:svchost.exe 848 676 20 194 2011-10-10 17:03:59 UTC+0000
  197. .... 0x81754990:VMwareService.e 1444 676 3 145 2011-10-10 17:04:00 UTC+0000
  198. .... 0x8136c5a0:alg.exe 1616 676 7 99 2011-10-10 17:04:01 UTC+0000
  199. .... 0x813aeda0:svchost.exe 1148 676 12 187 2011-10-10 17:04:00 UTC+0000
  200. .... 0x817937e0:spoolsv.exe 1260 676 13 140 2011-10-10 17:04:00 UTC+0000
  201. .... 0x815daca8:svchost.exe 1020 676 5 58 2011-10-10 17:03:59 UTC+0000
  202. ... 0x813c4020:lsass.exe 688 632 23 336 2011-10-10 17:03:58 UTC+0000
  203. 0x813bcda0:explorer.exe 1956 1884 18 322 2011-10-10 17:04:39 UTC+0000
  204. . 0x8180b478:VMwareUser.exe 192 1956 6 83 2011-10-10 17:04:41 UTC+0000
  205. . 0x817a34b0:cmd.exe 544 1956 1 30 2011-10-10 17:06:42 UTC+0000
  206. . 0x816d63d0:VMwareTray.exe 184 1956 1 28 2011-10-10 17:04:41 UTC+0000
  207. . 0x818233c8:reader_sl.exe 228 1956 2 26 2011-10-10 17:04:41 UTC+0000
  208.  
  209. We can see that cmd.exe is open so checking if any commands have been issued is important.
  210.  
  211. Checking the Interrupt Descriptor Table, which can show us hidden or suspicious memory segments
  212.  
  213.  
  214.  
  215.  
  216. volatility -f 0zapftis.vmem idt
  217. Volatility Foundation Volatility Framework 2.6
  218. CPU Index Selector Value Module Section
  219. ------ ------ ---------- ---------- -------------------- ------------
  220. 0 0 0x8 0x8053d36c ntoskrnl.exe .text
  221. 0 1 0x8 0x8053d4e4 ntoskrnl.exe .text
  222. 0 2 0x58 0x00000000 NOT USED
  223. 0 3 0x8 0x8053d8b4 ntoskrnl.exe .text
  224. 0 4 0x8 0x8053da34 ntoskrnl.exe .text
  225. 0 5 0x8 0x8053db90 ntoskrnl.exe .text
  226. 0 6 0x8 0x8053dd04 ntoskrnl.exe .text
  227. 0 7 0x8 0x8053e36c ntoskrnl.exe .text
  228. 0 8 0x50 0x00000000 NOT USED
  229. 0 9 0x8 0x8053e790 ntoskrnl.exe .text
  230. 0 A 0x8 0x8053e8b0 ntoskrnl.exe .text
  231. 0 B 0x8 0x8053e9f0 ntoskrnl.exe .text
  232. 0 C 0x8 0x8053ec4c ntoskrnl.exe .text
  233. 0 D 0x8 0x8053ef30 ntoskrnl.exe .text
  234. 0 E 0x8 0x8053f620 ntoskrnl.exe .text
  235. 0 F 0x8 0x8053f950 ntoskrnl.exe .text
  236. 0 10 0x8 0x8053fa70 ntoskrnl.exe .text
  237. 0 11 0x8 0x8053fba8 ntoskrnl.exe .text
  238. 0 12 0xa0 0x8053f950 ntoskrnl.exe .text
  239. 0 13 0x8 0x8053fd10 ntoskrnl.exe .text
  240. 0 14 0x8 0x8053f950 ntoskrnl.exe .text
  241. 0 15 0x8 0x8053f950 ntoskrnl.exe .text
  242. 0 16 0x8 0x8053f950 ntoskrnl.exe .text
  243. 0 17 0x8 0x8053f950 ntoskrnl.exe .text
  244. 0 18 0x8 0x8053f950 ntoskrnl.exe .text
  245. 0 19 0x8 0x8053f950 ntoskrnl.exe .text
  246. 0 1A 0x8 0x8053f950 ntoskrnl.exe .text
  247. 0 1B 0x8 0x8053f950 ntoskrnl.exe .text
  248. 0 1C 0x8 0x8053f950 ntoskrnl.exe .text
  249. 0 1D 0x8 0x8053f950 ntoskrnl.exe .text
  250. 0 1E 0x8 0x8053f950 ntoskrnl.exe .text
  251. 0 1F 0x8 0x806cffd0 hal.dll .text
  252. 0 20 0x8 0x00000000 NOT USED
  253. 0 21 0x8 0x00000000 NOT USED
  254. 0 22 0x8 0x00000000 NOT USED
  255. 0 23 0x8 0x00000000 NOT USED
  256. 0 24 0x8 0x00000000 NOT USED
  257. 0 25 0x8 0x00000000 NOT USED
  258. 0 26 0x8 0x00000000 NOT USED
  259. 0 27 0x8 0x00000000 NOT USED
  260. 0 28 0x8 0x00000000 NOT USED
  261. 0 29 0x8 0x00000000 NOT USED
  262. 0 2A 0x8 0x8053cbae ntoskrnl.exe .text
  263. 0 2B 0x8 0x8053ccb0 ntoskrnl.exe .text
  264. 0 2C 0x8 0x8053ce50 ntoskrnl.exe .text
  265. 0 2D 0x8 0x8053d790 ntoskrnl.exe .text
  266. 0 2E 0x8 0x8053c651 ntoskrnl.exe .text
  267. 0 2F 0x8 0x8053f950 ntoskrnl.exe .text
  268. 0 30 0x8 0x8053bd10 ntoskrnl.exe .text
  269. 0 31 0x8 0x8053bd1a ntoskrnl.exe .text
  270. 0 32 0x8 0x8053bd24 ntoskrnl.exe .text
  271. 0 33 0x8 0x8053bd2e ntoskrnl.exe .text
  272. 0 34 0x8 0x8053bd38 ntoskrnl.exe .text
  273. 0 35 0x8 0x8053bd42 ntoskrnl.exe .text
  274. 0 36 0x8 0x8053bd4c ntoskrnl.exe .text
  275. 0 37 0x8 0x806cf728 hal.dll .text
  276. 0 38 0x8 0x8053bd60 ntoskrnl.exe .text
  277. 0 39 0x8 0x8053bd6a ntoskrnl.exe .text
  278. 0 3A 0x8 0x8053bd74 ntoskrnl.exe .text
  279. 0 3B 0x8 0x8053bd7e ntoskrnl.exe .text
  280. 0 3C 0x8 0x8053bd88 ntoskrnl.exe .text
  281. 0 3D 0x8 0x806d0b70 hal.dll .text
  282. 0 3E 0x8 0x8053bd9c ntoskrnl.exe .text
  283. 0 3F 0x8 0x8053bda6 ntoskrnl.exe .text
  284. 0 40 0x8 0x8053bdb0 ntoskrnl.exe .text
  285. 0 41 0x8 0x806d09cc hal.dll .text
  286. 0 42 0x8 0x8053bdc4 ntoskrnl.exe .text
  287. 0 43 0x8 0x8053bdce ntoskrnl.exe .text
  288. 0 44 0x8 0x8053bdd8 ntoskrnl.exe .text
  289. 0 45 0x8 0x8053bde2 ntoskrnl.exe .text
  290. 0 46 0x8 0x8053bdec ntoskrnl.exe .text
  291. 0 47 0x8 0x8053bdf6 ntoskrnl.exe .text
  292. 0 48 0x8 0x8053be00 ntoskrnl.exe .text
  293. 0 49 0x8 0x8053be0a ntoskrnl.exe .text
  294. 0 4A 0x8 0x8053be14 ntoskrnl.exe .text
  295. 0 4B 0x8 0x8053be1e ntoskrnl.exe .text
  296. 0 4C 0x8 0x8053be28 ntoskrnl.exe .text
  297. 0 4D 0x8 0x8053be32 ntoskrnl.exe .text
  298. 0 4E 0x8 0x8053be3c ntoskrnl.exe .text
  299. 0 4F 0x8 0x8053be46 ntoskrnl.exe .text
  300. 0 50 0x8 0x806cf800 hal.dll .text
  301. 0 51 0x8 0x8053be5a ntoskrnl.exe .text
  302. 0 52 0x8 0x8053be64 ntoskrnl.exe .text
  303. 0 53 0x8 0x8053be6e ntoskrnl.exe .text
  304. 0 54 0x8 0x8053be78 ntoskrnl.exe .text
  305. 0 55 0x8 0x8053be82 ntoskrnl.exe .text
  306. 0 56 0x8 0x8053be8c ntoskrnl.exe .text
  307. 0 57 0x8 0x8053be96 ntoskrnl.exe .text
  308. 0 58 0x8 0x8053bea0 ntoskrnl.exe .text
  309. 0 59 0x8 0x8053beaa ntoskrnl.exe .text
  310. 0 5A 0x8 0x8053beb4 ntoskrnl.exe .text
  311. 0 5B 0x8 0x8053bebe ntoskrnl.exe .text
  312. 0 5C 0x8 0x8053bec8 ntoskrnl.exe .text
  313. 0 5D 0x8 0x8053bed2 ntoskrnl.exe .text
  314. 0 5E 0x8 0x8053bedc ntoskrnl.exe .text
  315. 0 5F 0x8 0x8053bee6 ntoskrnl.exe .text
  316. 0 60 0x8 0x8053bef0 ntoskrnl.exe .text
  317. 0 61 0x8 0x8053befa ntoskrnl.exe .text
  318. 0 62 0x8 0x815fc7e4 UNKNOWN
  319. 0 63 0x8 0x8147ddd4 UNKNOWN
  320. 0 64 0x8 0x8053bf18 ntoskrnl.exe .text
  321. 0 65 0x8 0x8053bf22 ntoskrnl.exe .text
  322. 0 66 0x8 0x8053bf2c ntoskrnl.exe .text
  323. 0 67 0x8 0x8053bf36 ntoskrnl.exe .text
  324. 0 68 0x8 0x8053bf40 ntoskrnl.exe .text
  325. 0 69 0x8 0x8053bf4a ntoskrnl.exe .text
  326. 0 6A 0x8 0x8053bf54 ntoskrnl.exe .text
  327. 0 6B 0x8 0x8053bf5e ntoskrnl.exe .text
  328. 0 6C 0x8 0x8053bf68 ntoskrnl.exe .text
  329. 0 6D 0x8 0x8053bf72 ntoskrnl.exe .text
  330. 0 6E 0x8 0x8053bf7c ntoskrnl.exe .text
  331. 0 6F 0x8 0x8053bf86 ntoskrnl.exe .text
  332. 0 70 0x8 0x8053bf90 ntoskrnl.exe .text
  333. 0 71 0x8 0x8053bf9a ntoskrnl.exe .text
  334. 0 72 0x8 0x8053bfa4 ntoskrnl.exe .text
  335. 0 73 0x8 0x815ec044 UNKNOWN
  336. 0 74 0x8 0x8053bfb8 ntoskrnl.exe .text
  337. 0 75 0x8 0x8053bfc2 ntoskrnl.exe .text
  338. 0 76 0x8 0x8053bfcc ntoskrnl.exe .text
  339. 0 77 0x8 0x8053bfd6 ntoskrnl.exe .text
  340. 0 78 0x8 0x8053bfe0 ntoskrnl.exe .text
  341. 0 79 0x8 0x8053bfea ntoskrnl.exe .text
  342. 0 7A 0x8 0x8053bff4 ntoskrnl.exe .text
  343. 0 7B 0x8 0x8053bffe ntoskrnl.exe .text
  344. 0 7C 0x8 0x8053c008 ntoskrnl.exe .text
  345. 0 7D 0x8 0x8053c012 ntoskrnl.exe .text
  346. 0 7E 0x8 0x8053c01c ntoskrnl.exe .text
  347. 0 7F 0x8 0x8053c026 ntoskrnl.exe .text
  348. 0 80 0x8 0x8053c030 ntoskrnl.exe .text
  349. 0 81 0x8 0x8053c03a ntoskrnl.exe .text
  350. 0 82 0x8 0x815fc334 UNKNOWN
  351. 0 83 0x8 0x817f4ccc UNKNOWN
  352. 0 84 0x8 0x8053c058 ntoskrnl.exe .text
  353. 0 85 0x8 0x8053c062 ntoskrnl.exe .text
  354. 0 86 0x8 0x8053c06c ntoskrnl.exe .text
  355. 0 87 0x8 0x8053c076 ntoskrnl.exe .text
  356. 0 88 0x8 0x8053c080 ntoskrnl.exe .text
  357. 0 89 0x8 0x8053c08a ntoskrnl.exe .text
  358. 0 8A 0x8 0x8053c094 ntoskrnl.exe .text
  359. 0 8B 0x8 0x8053c09e ntoskrnl.exe .text
  360. 0 8C 0x8 0x8053c0a8 ntoskrnl.exe .text
  361. 0 8D 0x8 0x8053c0b2 ntoskrnl.exe .text
  362. 0 8E 0x8 0x8053c0bc ntoskrnl.exe .text
  363. 0 8F 0x8 0x8053c0c6 ntoskrnl.exe .text
  364. 0 90 0x8 0x8053c0d0 ntoskrnl.exe .text
  365. 0 91 0x8 0x8053c0da ntoskrnl.exe .text
  366. 0 92 0x8 0x8147db64 UNKNOWN
  367. 0 93 0x8 0x81902044 UNKNOWN
  368. 0 94 0x8 0x8053c0f8 ntoskrnl.exe .text
  369. 0 95 0x8 0x8053c102 ntoskrnl.exe .text
  370. 0 96 0x8 0x8053c10c ntoskrnl.exe .text
  371. 0 97 0x8 0x8053c116 ntoskrnl.exe .text
  372. 0 98 0x8 0x8053c120 ntoskrnl.exe .text
  373. 0 99 0x8 0x8053c12a ntoskrnl.exe .text
  374. 0 9A 0x8 0x8053c134 ntoskrnl.exe .text
  375. 0 9B 0x8 0x8053c13e ntoskrnl.exe .text
  376. 0 9C 0x8 0x8053c148 ntoskrnl.exe .text
  377. 0 9D 0x8 0x8053c152 ntoskrnl.exe .text
  378. 0 9E 0x8 0x8053c15c ntoskrnl.exe .text
  379. 0 9F 0x8 0x8053c166 ntoskrnl.exe .text
  380. 0 A0 0x8 0x8053c170 ntoskrnl.exe .text
  381. 0 A1 0x8 0x8053c17a ntoskrnl.exe .text
  382. 0 A2 0x8 0x8053c184 ntoskrnl.exe .text
  383. 0 A3 0x8 0x8160784c UNKNOWN
  384. 0 A4 0x8 0x8053c198 ntoskrnl.exe .text
  385. 0 A5 0x8 0x8053c1a2 ntoskrnl.exe .text
  386. 0 A6 0x8 0x8053c1ac ntoskrnl.exe .text
  387. 0 A7 0x8 0x8053c1b6 ntoskrnl.exe .text
  388. 0 A8 0x8 0x8053c1c0 ntoskrnl.exe .text
  389. 0 A9 0x8 0x8053c1ca ntoskrnl.exe .text
  390. 0 AA 0x8 0x8053c1d4 ntoskrnl.exe .text
  391. 0 AB 0x8 0x8053c1de ntoskrnl.exe .text
  392. 0 AC 0x8 0x8053c1e8 ntoskrnl.exe .text
  393. 0 AD 0x8 0x8053c1f2 ntoskrnl.exe .text
  394. 0 AE 0x8 0x8053c1fc ntoskrnl.exe .text
  395. 0 AF 0x8 0x8053c206 ntoskrnl.exe .text
  396. 0 B0 0x8 0x8053c210 ntoskrnl.exe .text
  397. 0 B1 0x8 0x8194b6f4 UNKNOWN
  398. 0 B2 0x8 0x8190735c UNKNOWN
  399. 0 B3 0x8 0x8053c22e ntoskrnl.exe .text
  400. 0 B4 0x8 0x8161ab64 UNKNOWN
  401. 0 B5 0x8 0x8053c242 ntoskrnl.exe .text
  402. 0 B6 0x8 0x8053c24c ntoskrnl.exe .text
  403. 0 B7 0x8 0x8053c256 ntoskrnl.exe .text
  404. 0 B8 0x8 0x8053c260 ntoskrnl.exe .text
  405. 0 B9 0x8 0x8053c26a ntoskrnl.exe .text
  406. 0 BA 0x8 0x8053c274 ntoskrnl.exe .text
  407. 0 BB 0x8 0x8053c27e ntoskrnl.exe .text
  408. 0 BC 0x8 0x8053c288 ntoskrnl.exe .text
  409. 0 BD 0x8 0x8053c292 ntoskrnl.exe .text
  410. 0 BE 0x8 0x8053c29c ntoskrnl.exe .text
  411. 0 BF 0x8 0x8053c2a6 ntoskrnl.exe .text
  412. 0 C0 0x8 0x8053c2b0 ntoskrnl.exe .text
  413. 0 C1 0x8 0x806cf984 hal.dll .text
  414. 0 C2 0x8 0x8053c2c4 ntoskrnl.exe .text
  415. 0 C3 0x8 0x8053c2ce ntoskrnl.exe .text
  416. 0 C4 0x8 0x8053c2d8 ntoskrnl.exe .text
  417. 0 C5 0x8 0x8053c2e2 ntoskrnl.exe .text
  418. 0 C6 0x8 0x8053c2ec ntoskrnl.exe .text
  419. 0 C7 0x8 0x8053c2f6 ntoskrnl.exe .text
  420. 0 C8 0x8 0x8053c300 ntoskrnl.exe .text
  421. 0 C9 0x8 0x8053c30a ntoskrnl.exe .text
  422. 0 CA 0x8 0x8053c314 ntoskrnl.exe .text
  423. 0 CB 0x8 0x8053c31e ntoskrnl.exe .text
  424. 0 CC 0x8 0x8053c328 ntoskrnl.exe .text
  425. 0 CD 0x8 0x8053c332 ntoskrnl.exe .text
  426. 0 CE 0x8 0x8053c33c ntoskrnl.exe .text
  427. 0 CF 0x8 0x8053c346 ntoskrnl.exe .text
  428. 0 D0 0x8 0x8053c350 ntoskrnl.exe .text
  429. 0 D1 0x8 0x806ced34 hal.dll .text
  430. 0 D2 0x8 0x8053c364 ntoskrnl.exe .text
  431. 0 D3 0x8 0x8053c36e ntoskrnl.exe .text
  432. 0 D4 0x8 0x8053c378 ntoskrnl.exe .text
  433. 0 D5 0x8 0x8053c382 ntoskrnl.exe .text
  434. 0 D6 0x8 0x8053c38c ntoskrnl.exe .text
  435. 0 D7 0x8 0x8053c396 ntoskrnl.exe .text
  436. 0 D8 0x8 0x8053c3a0 ntoskrnl.exe .text
  437. 0 D9 0x8 0x8053c3aa ntoskrnl.exe .text
  438. 0 DA 0x8 0x8053c3b4 ntoskrnl.exe .text
  439. 0 DB 0x8 0x8053c3be ntoskrnl.exe .text
  440. 0 DC 0x8 0x8053c3c8 ntoskrnl.exe .text
  441. 0 DD 0x8 0x8053c3d2 ntoskrnl.exe .text
  442. 0 DE 0x8 0x8053c3dc ntoskrnl.exe .text
  443. 0 DF 0x8 0x8053c3e6 ntoskrnl.exe .text
  444. 0 E0 0x8 0x8053c3f0 ntoskrnl.exe .text
  445. 0 E1 0x8 0x806cff0c hal.dll .text
  446. 0 E2 0x8 0x8053c404 ntoskrnl.exe .text
  447. 0 E3 0x8 0x806cfc70 hal.dll .text
  448. 0 E4 0x8 0x8053c418 ntoskrnl.exe .text
  449. 0 E5 0x8 0x8053c422 ntoskrnl.exe .text
  450. 0 E6 0x8 0x8053c42c ntoskrnl.exe .text
  451. 0 E7 0x8 0x8053c436 ntoskrnl.exe .text
  452. 0 E8 0x8 0x8053c440 ntoskrnl.exe .text
  453. 0 E9 0x8 0x8053c44a ntoskrnl.exe .text
  454. 0 EA 0x8 0x8053c454 ntoskrnl.exe .text
  455. 0 EB 0x8 0x8053c45e ntoskrnl.exe .text
  456. 0 EC 0x8 0x8053c468 ntoskrnl.exe .text
  457. 0 ED 0x8 0x8053c472 ntoskrnl.exe .text
  458. 0 EE 0x8 0x8053c479 ntoskrnl.exe .text
  459. 0 EF 0x8 0x8053c480 ntoskrnl.exe .text
  460. 0 F0 0x8 0x8053c487 ntoskrnl.exe .text
  461. 0 F1 0x8 0x8053c48e ntoskrnl.exe .text
  462. 0 F2 0x8 0x8053c495 ntoskrnl.exe .text
  463. 0 F3 0x8 0x8053c49c ntoskrnl.exe .text
  464. 0 F4 0x8 0x8053c4a3 ntoskrnl.exe .text
  465. 0 F5 0x8 0x8053c4aa ntoskrnl.exe .text
  466. 0 F6 0x8 0x8053c4b1 ntoskrnl.exe .text
  467. 0 F7 0x8 0x8053c4b8 ntoskrnl.exe .text
  468. 0 F8 0x8 0x8053c4bf ntoskrnl.exe .text
  469. 0 F9 0x8 0x8053c4c6 ntoskrnl.exe .text
  470. 0 FA 0x8 0x8053c4cd ntoskrnl.exe .text
  471. 0 FB 0x8 0x8053c4d4 ntoskrnl.exe .text
  472. 0 FC 0x8 0x8053c4db ntoskrnl.exe .text
  473. 0 FD 0x8 0x806d0464 hal.dll .text
  474. 0 FE 0x8 0x806d0604 hal.dll .text
  475. 0 FF 0x8 0x8053c4f0 ntoskrnl.exe .text
  476.  
  477. And a check of the threads will be uploaded to pastbin due to text amount
  478.  
  479. Checking 1956
  480.  
  481. Checking for all DLL's in the memory. in relation to PID 1956
  482.  
  483. volatility -f 0zapftis.vmem dlllist
  484.  
  485. explorer.exe pid: 1956
  486. Command line : C:\WINDOWS\Explorer.EXE
  487. Service Pack 2
  488.  
  489. Base Size LoadCount LoadTime Path
  490. ---------- ---------- ---------- ------------------------------ ----
  491. 0x01000000 0xff000 0xffff C:\WINDOWS\Explorer.EXE
  492. 0x7c900000 0xb0000 0xffff C:\WINDOWS\system32\ntdll.dll
  493. 0x7c800000 0xf4000 0xffff C:\WINDOWS\system32\kernel32.dll
  494. 0x77c10000 0x58000 0xffff C:\WINDOWS\system32\msvcrt.dll
  495. 0x77dd0000 0x9b000 0xffff C:\WINDOWS\system32\ADVAPI32.dll
  496. 0x77e70000 0x91000 0xffff C:\WINDOWS\system32\RPCRT4.dll
  497. 0x77f10000 0x46000 0xffff C:\WINDOWS\system32\GDI32.dll
  498. 0x77d40000 0x90000 0xffff C:\WINDOWS\system32\USER32.dll
  499. 0x77f60000 0x76000 0xffff C:\WINDOWS\system32\SHLWAPI.dll
  500. 0x7c9c0000 0x814000 0xffff C:\WINDOWS\system32\SHELL32.dll
  501. 0x774e0000 0x13c000 0xffff C:\WINDOWS\system32\ole32.dll
  502. 0x77120000 0x8c000 0xffff C:\WINDOWS\system32\OLEAUT32.dll
  503. 0x75f80000 0xfc000 0xffff C:\WINDOWS\system32\BROWSEUI.dll
  504. 0x77760000 0x16c000 0xffff C:\WINDOWS\system32\SHDOCVW.dll
  505. 0x77a80000 0x94000 0xffff C:\WINDOWS\system32\CRYPT32.dll
  506. 0x77b20000 0x12000 0xffff C:\WINDOWS\system32\MSASN1.dll
  507. 0x754d0000 0x80000 0xffff C:\WINDOWS\system32\CRYPTUI.dll
  508. 0x76c30000 0x2e000 0xffff C:\WINDOWS\system32\WINTRUST.dll
  509. 0x76c90000 0x28000 0xffff C:\WINDOWS\system32\IMAGEHLP.dll
  510. 0x5b860000 0x54000 0xffff C:\WINDOWS\system32\NETAPI32.dll
  511. 0x771b0000 0xa6000 0xffff C:\WINDOWS\system32\WININET.dll
  512. 0x76f60000 0x2c000 0xffff C:\WINDOWS\system32\WLDAP32.dll
  513. 0x77c00000 0x8000 0xffff C:\WINDOWS\system32\VERSION.dll
  514. 0x5ad70000 0x38000 0xffff C:\WINDOWS\system32\UxTheme.dll
  515. 0x5cb70000 0x26000 0x1 C:\WINDOWS\system32\ShimEng.dll
  516. 0x6f880000 0x1ca000 0x1 C:\WINDOWS\AppPatch\AcGenral.DLL
  517. 0x76b40000 0x2d000 0x10 C:\WINDOWS\system32\WINMM.dll
  518. 0x77be0000 0x15000 0x3 C:\WINDOWS\system32\MSACM32.dll
  519. 0x769c0000 0xb3000 0x4 C:\WINDOWS\system32\USERENV.dll
  520. 0x10000000 0x59000 0x1 C:\WINDOWS\system32\mfc42ul.dll
  521. 0x71ab0000 0x17000 0xa C:\WINDOWS\system32\WS2_32.dll
  522. 0x71aa0000 0x8000 0x9 C:\WINDOWS\system32\WS2HELP.dll
  523. 0x71f60000 0x8000 0x1 C:\WINDOWS\system32\snmpapi.dll
  524. 0x773d0000 0x102000 0x11 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
  525. 0x5d090000 0x97000 0x1 C:\WINDOWS\system32\comctl32.dll
  526. 0x72d20000 0x9000 0x6 C:\WINDOWS\system32\wdmaud.drv
  527. 0x72d10000 0x8000 0x2 C:\WINDOWS\system32\msacm32.drv
  528. 0x77bd0000 0x7000 0x1 C:\WINDOWS\system32\midimap.dll
  529. 0x71a50000 0x3f000 0x2 C:\WINDOWS\system32\mswsock.dll
  530. 0x662b0000 0x58000 0x1 C:\WINDOWS\system32\hnetcfg.dll
  531. 0x71a90000 0x8000 0x1 C:\WINDOWS\System32\wshtcpip.dll
  532. 0x76fc0000 0x6000 0x1 C:\WINDOWS\system32\rasadhlp.dll
  533. 0x77b40000 0x22000 0x2 C:\WINDOWS\system32\appHelp.dll
  534. 0x76fd0000 0x7f000 0x2 C:\WINDOWS\system32\CLBCATQ.DLL
  535. 0x77050000 0xc5000 0x2 C:\WINDOWS\system32\COMRes.dll
  536. 0x77a20000 0x54000 0x2 C:\WINDOWS\System32\cscui.dll
  537. 0x76600000 0x1d000 0x2 C:\WINDOWS\System32\CSCDLL.dll
  538. 0x5ba60000 0x71000 0x1 C:\WINDOWS\system32\themeui.dll
  539. 0x77fe0000 0x11000 0x3 C:\WINDOWS\system32\Secur32.dll
  540. 0x76380000 0x5000 0x1 C:\WINDOWS\system32\MSIMG32.dll
  541. 0x20000000 0x2c5000 0x1 C:\WINDOWS\system32\xpsp2res.dll
  542. 0x71d40000 0x1c000 0x1 C:\WINDOWS\system32\actxprxy.dll
  543. 0x71bf0000 0x13000 0x1 C:\WINDOWS\system32\SAMLIB.dll
  544. 0x77920000 0xf3000 0x5 C:\WINDOWS\system32\SETUPAPI.dll
  545. 0x76400000 0x1a6000 0x1 C:\WINDOWS\system32\NETSHELL.dll
  546. 0x76e80000 0xe000 0x1 C:\WINDOWS\system32\rtutils.dll
  547. 0x76c00000 0x2e000 0x1 C:\WINDOWS\system32\credui.dll
  548. 0x76b20000 0x11000 0x1 C:\WINDOWS\system32\ATL.DLL
  549. 0x76d60000 0x19000 0x1 C:\WINDOWS\system32\iphlpapi.dll
  550. 0x77260000 0x9c000 0x2 C:\WINDOWS\system32\urlmon.dll
  551. 0x7d1e0000 0x2b2000 0x1 C:\WINDOWS\system32\msi.dll
  552. 0x76360000 0x10000 0x3 C:\WINDOWS\system32\WINSTA.dll
  553. 0x74b30000 0x46000 0x1 C:\WINDOWS\system32\webcheck.dll
  554. 0x71ad0000 0x9000 0x1 C:\WINDOWS\system32\WSOCK32.dll
  555. 0x76280000 0x21000 0x2 C:\WINDOWS\system32\stobject.dll
  556. 0x74af0000 0xa000 0x2 C:\WINDOWS\system32\BatMeter.dll
  557. 0x74ad0000 0x8000 0x4 C:\WINDOWS\system32\POWRPROF.dll
  558. 0x76f50000 0x8000 0x2 C:\WINDOWS\system32\WTSAPI32.dll
  559. 0x75e90000 0xb0000 0x1 C:\WINDOWS\system32\SXS.DLL
  560. ************************************************************************
  561.  
  562. Let us remember that dll's are pretty much an executable file, this is important to note.
  563.  
  564. Now this is interesting mfc42u.dll is a legit file, this though is not, yet it is running as a kernel object.
  565. 0x10000000 0x59000 0x1 C:\WINDOWS\system32\mfc42ul.dll
  566.  
  567. volatility -f 0zapftis.vmem filescan >> filescan.txt
  568.  
  569. 0x00000000015b8128 1 0 R--r-d \Device\HarddiskVolume1\WINDOWS\system32\mfc42ul.dll
  570.  
  571. (Full text will be on pastebin)
  572.  
  573. I Googled each of these files that were loaded in memory so this is a time consuming job.
  574.  
  575. What networking connections and ports are present on the machine?
  576.  
  577. volatility -f 0zapftis.vmem connscan
  578. Volatility Foundation Volatility Framework 2.6
  579. Offset(P) Local Address Remote Address Pid
  580. ---------- ------------------------- ------------------------- ---
  581. 0x01a25a50 0.0.0.0:1026 172.16.98.1:6666 1956
  582.  
  583.  
  584.  
  585. Do any of these connections or ports used stand out? If so why?
  586.  
  587. The only connection is suspect A quick check on the port it could be IRC but also it's used for lots of malware
  588.  
  589. https://www.speedguide.net/port.php?port=6666
  590.  
  591.  
  592. If there is a connection what country does does this IP block belong to?
  593.  
  594. whois 172.16.98.1
  595.  
  596. #
  597. # ARIN WHOIS data and services are subject to the Terms of Use
  598. # available at: https://www.arin.net/whois_tou.html
  599. #
  600. # If you see inaccuracies in the results, please report at
  601. # https://www.arin.net/resources/whois_reporting/index.html
  602. #
  603.  
  604.  
  605. NetRange: 172.16.0.0 - 172.31.255.255
  606. CIDR: 172.16.0.0/12
  607. NetName: PRIVATE-ADDRESS-BBLK-RFC1918-IANA-RESERVED
  608. NetHandle: NET-172-16-0-0-1
  609. Parent: NET172 (NET-172-0-0-0-0)
  610. NetType: IANA Special Use
  611. OriginAS:
  612. Organization: Internet Assigned Numbers Authority (IANA)
  613. RegDate: 1994-03-15
  614. Updated: 2013-08-30
  615. Comment: These addresses are in use by many millions of independently operated networks, which might be as small as a single computer connected to a home gateway, and are automatically configured in hundreds of millions of devices. They are only intended for use within a private context and traffic that needs to cross the Internet will need to use a different, unique address.
  616. Comment:
  617. Comment: These addresses can be used by anyone without any need to coordinate with IANA or an Internet registry. The traffic from these addresses does not come from ICANN or IANA. We are not the source of activity you may see on logs or in e-mail records. Please refer to http://www.iana.org/abuse/answers
  618. Comment:
  619. Comment: These addresses were assigned by the IETF, the organization that develops Internet protocols, in the Best Current Practice document, RFC 1918 which can be found at:
  620. Comment: http://datatracker.ietf.org/doc/rfc1918
  621. Ref: https://whois.arin.net/rest/net/NET-172-16-0-0-1
  622.  
  623.  
  624. OrgName: Internet Assigned Numbers Authority
  625. OrgId: IANA
  626. Address: 12025 Waterfront Drive
  627. Address: Suite 300
  628. City: Los Angeles
  629. StateProv: CA
  630. PostalCode: 90292
  631. Country: US
  632. RegDate:
  633. Updated: 2012-08-31
  634. Ref: https://whois.arin.net/rest/org/IANA
  635.  
  636.  
  637. OrgTechHandle: IANA-IP-ARIN
  638. OrgTechName: ICANN
  639. OrgTechPhone: +1-310-301-5820
  640. OrgTechEmail: [email protected]
  641. OrgTechRef: https://whois.arin.net/rest/poc/IANA-IP-ARIN
  642.  
  643. OrgAbuseHandle: IANA-IP-ARIN
  644. OrgAbuseName: ICANN
  645. OrgAbusePhone: +1-310-301-5820
  646. OrgAbuseEmail: [email protected]
  647. OrgAbuseRef: https://whois.arin.net/rest/poc/IANA-IP-ARIN
  648.  
  649.  
  650. #
  651. # ARIN WHOIS data and services are subject to the Terms of Use
  652. # available at: https://www.arin.net/whois_tou.html
  653. #
  654. # If you see inaccuracies in the results, please report at
  655. # https://www.arin.net/resources/whois_reporting/index.html
  656. #
  657.  
  658. Unknown it is a private address block, it couldn't help in attribution.
  659.  
  660.  
  661. Malware Questions:
  662.  
  663. Is there malware present on the machine?
  664.  
  665. Yes, there is malware a trojan present on the machine.
  666.  
  667. We already suspect that PID 1956 might be the process perhaps with child processes/threads which are hiding the malware, so we will have to investigate further.
  668.  
  669. Step 1 : Create a dump of the process so we can use foremost to dump the files :
  670.  
  671. volatility -f 0zapftis.vmem -p 1956 memdump --dump-dir ./procdump/
  672. Volatility Foundation Volatility Framework 2.6
  673. ************************************************************************
  674. Writing explorer.exe [ 1956] to 1956.dmp
  675.  
  676. foremost -t exe -i 1956.dmp
  677. Processing: 1956.dmp
  678. |*|
  679.  
  680. This also allows dumping of dll's which are executable files. (Remember that we know where the malware is connecting to the address which we did a whois on 172.16.98.1. Also we have an idea of the name of the file in question )
  681.  
  682. grep -r -i mfc42ul --files-with-matches
  683. 00009616.dll
  684. 00010320.dll
  685.  
  686. sha256sum 00009616.dll
  687. 5c69ae5bb9b1217c5c45112e42b1d0bd752003ba9234a2611d629e4a1fd113f2 00009616.dll
  688.  
  689. VirusTotal Scan:
  690.  
  691. https://www.virustotal.com/#/file/5c69ae5bb9b1217c5c45112e42b1d0bd752003ba9234a2611d629e4a1fd113f2/detection
  692.  
  693. sha256sum 00010320.dll
  694. 1e50deb2a2dea33b51c0083fac98a3a0195e478060385faabbea98cae7573578 00010320.dll
  695.  
  696. VirusTotal Scan:
  697.  
  698. https://www.virustotal.com/#/file/1e50deb2a2dea33b51c0083fac98a3a0195e478060385faabbea98cae7573578/detection
  699.  
  700. Using yara to pinpoint the file we suspect, being that the malware in question is rather old yara rules that are stock have a tough time detecting, but we know the file we suspect and at the end we dump the files in question as a .dmp which of course we can use foremost to carve out files.
  701.  
  702. volatility -f 0zapftis.vmem yarascan --yara-rules="mfc42ul" -p 1956 -D yara_dump
  703. Volatility Foundation Volatility Framework 2.6
  704. Rule: r1
  705. Owner: Process explorer.exe Pid 1956
  706. 0x0086f75c 6d 66 63 34 32 75 6c 2e 64 6c 6c 30 32 00 00 00 mfc42ul.dll02...
  707. 0x0086f76c 40 06 37 00 00 00 00 00 78 01 37 00 00 00 00 00 @.7.....x.7.....
  708. 0x0086f77c a8 3a 37 00 18 4b 37 00 00 00 00 00 78 01 37 00 .:7..K7.....x.7.
  709. 0x0086f78c 00 00 00 00 00 00 00 00 00 00 00 00 40 06 37 00 [email protected].
  710. 0x0086f79c 00 00 00 00 08 00 00 00 00 00 00 00 08 00 00 00 ................
  711. 0x0086f7ac 00 00 00 00 40 4b 37 00 78 01 37 00 f8 4a 37 00 [email protected].
  712. 0x0086f7bc 00 00 00 00 c8 4a 37 00 00 00 00 00 40 06 37 00 [email protected].
  713. 0x0086f7cc 78 01 37 00 08 00 00 00 20 4b 37 00 00 00 00 00 x.7......K7.....
  714. 0x0086f7dc 70 4b 37 00 78 01 37 00 78 01 37 00 20 4b 37 00 pK7.x.7.x.7..K7.
  715. 0x0086f7ec 78 01 37 00 00 00 00 00 00 00 00 00 00 00 00 00 x.7.............
  716. 0x0086f7fc 08 00 00 00 70 3a 37 00 48 4b 37 00 07 00 00 00 ....p:7.HK7.....
  717. 0x0086f80c 78 01 37 00 00 00 00 00 60 4b 37 00 9d 02 00 00 x.7.....`K7.....
  718. 0x0086f81c e8 f8 86 00 a5 02 00 00 d8 07 37 00 78 01 37 00 ..........7.x.7.
  719. 0x0086f82c 08 00 00 00 78 4b 37 00 68 3a 37 00 04 f9 86 00 ....xK7.h:7.....
  720. 0x0086f83c 78 01 37 00 78 01 37 00 48 4b 37 00 30 cc 04 10 x.7.x.7.HK7.0...
  721. 0x0086f84c 70 3a 37 00 00 00 00 00 4c f6 86 00 78 01 37 00 p:7.....L...x.7.
  722. Rule: r1
  723. Owner: Process explorer.exe Pid 1956
  724. 0x1004c824 6d 66 63 34 32 75 6c 2e 64 6c 6c 00 50 65 6e 64 mfc42ul.dll.Pend
  725. 0x1004c834 69 6e 67 46 69 6c 65 52 65 6e 61 6d 65 4f 70 65 ingFileRenameOpe
  726. 0x1004c844 72 61 74 69 6f 6e 73 00 53 59 53 54 45 4d 5c 43 rations.SYSTEM\C
  727. 0x1004c854 75 72 72 65 6e 74 43 6f 6e 74 72 6f 6c 53 65 74 urrentControlSet
  728. 0x1004c864 5c 43 6f 6e 74 72 6f 6c 5c 53 65 73 73 69 6f 6e \Control\Session
  729. 0x1004c874 20 4d 61 6e 61 67 65 72 00 00 00 00 49 45 46 72 .Manager....IEFr
  730. 0x1004c884 61 6d 65 00 66 69 6c 65 3a 2f 2f 2f 00 00 00 00 ame.file:///....
  731. 0x1004c894 7c 00 00 00 50 72 69 6e 74 57 69 6e 64 6f 77 00 |...PrintWindow.
  732. 0x1004c8a4 74 53 6b 4c 6f 63 61 6c 56 69 64 65 6f 43 6f 6e tSkLocalVideoCon
  733. 0x1004c8b4 74 72 6f 6c 00 00 00 00 47 45 54 20 43 41 4c 4c trol....GET.CALL
  734. 0x1004c8c4 20 25 64 20 50 53 54 4e 5f 4e 55 4d 42 45 52 00 .%d.PSTN_NUMBER.
  735. 0x1004c8d4 47 45 54 20 43 41 4c 4c 20 25 64 20 50 41 52 54 GET.CALL.%d.PART
  736. 0x1004c8e4 4e 45 52 5f 44 49 53 50 4e 41 4d 45 00 00 00 00 NER_DISPNAME....
  737. 0x1004c8f4 47 45 54 20 43 41 4c 4c 20 25 64 20 50 41 52 54 GET.CALL.%d.PART
  738. 0x1004c904 4e 45 52 5f 48 41 4e 44 4c 45 00 00 47 45 54 20 NER_HANDLE..GET.
  739. 0x1004c914 43 41 4c 4c 20 25 64 20 54 59 50 45 00 00 00 00 CALL.%d.TYPE....
  740. Rule: r1
  741. Owner: Process explorer.exe Pid 1956
  742. 0x1004ca49 6d 66 63 34 32 75 6c 2e 64 6c 6c 00 00 00 00 41 mfc42ul.dll....A
  743. 0x1004ca59 50 50 44 41 54 41 00 77 69 6e 73 79 73 33 32 2e PPDATA.winsys32.
  744. 0x1004ca69 73 79 73 00 00 00 00 20 00 00 00 77 62 00 00 25 sys........wb..%
  745. 0x1004ca79 73 7e 74 6d 70 25 30 38 78 7e 2e 65 78 65 00 5c s~tmp%08x~.exe.\
  746. 0x1004ca89 52 65 67 69 73 74 72 79 5c 4d 41 43 48 49 4e 45 Registry\MACHINE
  747. 0x1004ca99 5c 53 4f 46 54 57 41 52 45 5c 4d 69 63 72 6f 73 \SOFTWARE\Micros
  748. 0x1004caa9 6f 66 74 5c 57 69 6e 64 6f 77 73 20 4e 54 5c 43 oft\Windows.NT\C
  749. 0x1004cab9 75 72 72 65 6e 74 56 65 72 73 69 6f 6e 5c 57 69 urrentVersion\Wi
  750. 0x1004cac9 6e 64 6f 77 73 00 00 41 70 70 49 6e 69 74 5f 44 ndows..AppInit_D
  751. 0x1004cad9 4c 4c 73 00 00 00 00 53 4f 46 54 57 41 52 45 5c LLs....SOFTWARE\
  752. 0x1004cae9 4d 69 63 72 6f 73 6f 66 74 5c 57 69 6e 64 6f 77 Microsoft\Window
  753. 0x1004caf9 73 20 4e 54 5c 43 75 72 72 65 6e 74 56 65 72 73 s.NT\CurrentVers
  754. 0x1004cb09 69 6f 6e 5c 57 69 6e 64 6f 77 73 00 00 00 00 77 ion\Windows....w
  755. 0x1004cb19 69 6e 73 79 73 33 32 00 00 00 00 7e 00 00 00 5c insys32....~...\
  756. 0x1004cb29 00 00 00 53 65 53 68 75 74 64 6f 77 6e 50 72 69 ...SeShutdownPri
  757. 0x1004cb39 76 69 6c 65 67 65 00 25 64 20 25 64 20 25 64 20 vilege.%d.%d.%d.
  758. Rule: r1
  759. Owner: Process explorer.exe Pid 1956
  760. 0x5cb81b80 6d 66 63 34 32 75 6c 2e 64 6c 6c 00 00 00 00 00 mfc42ul.dll.....
  761. 0x5cb81b90 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  762. 0x5cb81ba0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  763. 0x5cb81bb0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  764. 0x5cb81bc0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  765. 0x5cb81bd0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  766. 0x5cb81be0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  767. 0x5cb81bf0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  768. 0x5cb81c00 01 00 00 00 00 00 ab 71 00 70 01 00 57 53 32 5f .......q.p..WS2_
  769. 0x5cb81c10 33 32 2e 64 6c 6c 00 00 00 00 00 00 00 00 00 00 32.dll..........
  770. 0x5cb81c20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  771. 0x5cb81c30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  772. 0x5cb81c40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  773. 0x5cb81c50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  774. 0x5cb81c60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  775. 0x5cb81c70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  776.  
  777.  
  778. Sha256sum of files:
  779.  
  780. 5d89a2c34425ffbb1b7f1ed4020d0bbb7ad67b2e1dcce9428813cd567a06c9ed process.0x813bcda0.0x1004c824.dmp
  781. 3e7c25a513b1d095404f9f55d1f1321496afb70d9cc0577a47010aac00b461e5 process.0x813bcda0.0x1004ca49.dmp
  782. 5b6e0fb3bb35746e8f821457ae93729c3faef6f191fdeb0e03daf453d03053ca process.0x813bcda0.0x5cb81b80.dmp
  783. f174490bd94aa83477d766754c88f66b2f4a5917eed42ef014a86bbcbed25f1e process.0x813bcda0.0x86f75c.dmp
  784.  
  785. I checked the sha256sum of these files as well on VT no results were found, but they will be uploaded to VT.
  786.  
  787. https://www.virustotal.com/#/file/5b6e0fb3bb35746e8f821457ae93729c3faef6f191fdeb0e03daf453d03053ca/detection
  788. https://www.virustotal.com/#/file/f174490bd94aa83477d766754c88f66b2f4a5917eed42ef014a86bbcbed25f1e/detection
  789. https://www.virustotal.com/#/file/5d89a2c34425ffbb1b7f1ed4020d0bbb7ad67b2e1dcce9428813cd567a06c9ed/detection
  790. https://www.virustotal.com/#/file/3e7c25a513b1d095404f9f55d1f1321496afb70d9cc0577a47010aac00b461e5/detection
  791.  
  792. Now the results of this scan was interesting I fully expected to find malware, yet none was found, perhaps the file type not sure.
  793.  
  794. If there is malware dump the file and get the sha256 and identify the malware, also what has the malware changed to the system?
  795.  
  796. sha256sum 00009616.dll
  797. 5c69ae5bb9b1217c5c45112e42b1d0bd752003ba9234a2611d629e4a1fd113f2 00009616.dll
  798.  
  799. sha256sum 00010320.dll
  800. 1e50deb2a2dea33b51c0083fac98a3a0195e478060385faabbea98cae7573578 00010320.dll
  801.  
  802. The malware created a new service and added registry entries, after investigation conducted during the question below.
  803.  
  804. Have any commands been issued in a shell? If so what are these commands?
  805.  
  806. 2.6
  807. **************************************************
  808. CommandProcess: csrss.exe Pid: 608
  809. CommandHistory: 0x11132d8 Application: cmd.exe Flags: Allocated, Reset
  810. CommandCount: 2 LastAdded: 1 LastDisplayed: 1
  811. FirstCommand: 0 CommandCountMax: 50
  812. ProcessHandle: 0x4c4
  813. Cmd #0 @ 0x4e1eb8: sc query malwar
  814. Cmd #1 @ 0x11135e8: sc query malware
  815.  
  816.  
  817. What methods of persistence are used in this malware?
  818.  
  819. Appears that “sc” command was issued in a cli, which is used for services control.
  820.  
  821. https://support.microsoft.com/en-us/help/251192/how-to-create-a-windows-service-by-using-sc-exe
  822.  
  823. We also check the services :
  824.  
  825. volatility -f 0zapftis.vmem svcscan >> svcscan.txt
  826. Volatility Foundation Volatility Framework 2.6
  827. Offset: 0x6f5440
  828. Order: 97
  829. Start: SERVICE_SYSTEM_START
  830. Process ID: -
  831. Service Name: malware
  832. Display Name: malware2
  833. Service Type: SERVICE_KERNEL_DRIVER
  834. Service State: SERVICE_RUNNING
  835. Binary Path: \Driver\malware
  836.  
  837. We can see that from cmdscan, we know to look for "malware" as a keyword to make our work quicker.
  838.  
  839. We also need to check our registry:
  840.  
  841. https://resources.infosecinstitute.com/common-malware-persistence-mechanisms/
  842.  
  843. volatility -f 0zapftis.vmem hivelist
  844. Volatility Foundation Volatility Framework 2.6
  845. Virtual Physical Name
  846. ---------- ---------- ----
  847. 0xe1bf6b60 0x0af3cb60 \Device\HarddiskVolume1\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
  848. 0xe1bb2b60 0x0accab60 \Device\HarddiskVolume1\Documents and Settings\Administrator\NTUSER.DAT
  849. 0xe1a4db60 0x08b7cb60 \Device\HarddiskVolume1\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
  850. 0xe1991b60 0x07d9ab60 \Device\HarddiskVolume1\Documents and Settings\LocalService\NTUSER.DAT
  851. 0xe1844458 0x07741458 \Device\HarddiskVolume1\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
  852. 0xe183e008 0x076b8008 \Device\HarddiskVolume1\Documents and Settings\NetworkService\NTUSER.DAT
  853. 0xe1544b60 0x05c63b60 \Device\HarddiskVolume1\WINDOWS\system32\config\software
  854. 0xe154db60 0x05c6fb60 \Device\HarddiskVolume1\WINDOWS\system32\config\SAM
  855. 0xe154d008 0x05c6f008 \Device\HarddiskVolume1\WINDOWS\system32\config\default
  856. 0xe1544008 0x05c63008 \Device\HarddiskVolume1\WINDOWS\system32\config\SECURITY
  857. 0xe13b5a40 0x02463a40 [no name]
  858. 0xe1018388 0x020bf388 \Device\HarddiskVolume1\WINDOWS\system32\config\system
  859. 0xe1008b60 0x020c3b60 [no name]
  860.  
  861. So first we will check common malware persistence areas in the registry a lot of this is trial and error, yet we do know that “sc.exe" was run in the cmdscan, so we need to look at this as well and remember that “malware” was the service name :
  862.  
  863. (Be ready to parse through a ton of registry keys here, you can cheat a bit and get info on this particular malware, but you still have to find the right address space to get the key.)
  864.  
  865.  
  866. volatility printkey -f 0zapftis.vmem -o 0xe1544b60 -K 'Microsoft\Windows NT\CurrentVersion\Windows'
  867. Volatility Foundation Volatility Framework 2.6
  868. Legend: (S) = Stable (V) = Volatile
  869.  
  870. ----------------------------
  871. Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\software
  872. Key name: Windows (S)
  873. Last updated: 2011-10-10 16:56:35 UTC+0000
  874.  
  875. Subkeys:
  876.  
  877. Values:
  878. REG_SZ AppInit_DLLs : (S) mfc42ul.dll
  879. REG_SZ DeviceNotSelectedTimeout : (S) 15
  880. REG_DWORD GDIProcessHandleQuota : (S) 10000
  881. REG_SZ Spooler : (S) yes
  882. REG_SZ swapdisk : (S)
  883. REG_SZ TransmissionRetryTimeout : (S) 90
  884. REG_DWORD USERProcessHandleQuota : (S) 10000
  885.  
  886. Looks like we have found an entry for mfc42ul.dll
  887.  
  888. volatility printkey -f 0zapftis.vmem -o 0xe1018388 -K 'ControlSet001\Services\malware'
  889. Volatility Foundation Volatility Framework 2.6
  890. Legend: (S) = Stable (V) = Volatile
  891.  
  892. ----------------------------
  893. Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\system
  894. Key name: malware (S)
  895. Last updated: 2011-10-10 17:03:55 UTC+0000
  896.  
  897. Subkeys:
  898. (S) Security
  899. (V) Enum
  900.  
  901. Values:
  902. REG_DWORD Type : (S) 1
  903. REG_EXPAND_SZ ImagePath : (S) \??\C:\WINDOWS\system32\drivers\winsys32.sys
  904. REG_SZ DisplayName : (S) malware2
  905.  
  906. After creating a timeline it appears as though the earliest entry for malware showing up is :
  907.  
  908. 2009-04-07 14:39:10 UTC+0000|[PE HEADER (dll)]| mfc42ul.dll| Process: VMwareTray.exe/PID: 184/PPID: 1956/Process POffset: 0x018d63d0/DLL Base: 0x00390000
  909. -|[PE DEBUG]| mfc42ul.dll| Process: VMwareTray.exe/PID: 184/PPID: 1956/Process POffset: 0x018d63d0/DLL Base: 0x00390000
  910.  
  911.  
  912. Attribution:
  913.  
  914. What country could be responsible? Make sure to post relevant sources to support your conclusion.
  915.  
  916. Germany
  917.  
  918. https://www.dw.com/en/hacking-for-the-government-germany-opens-zitis-cyber-surveillance-agency/a-40511027
  919. https://www.symantec.com/connect/blogs/backdoorr2d2-long-arm-law
  920. https://www.digitaltrends.com/web/german-officials-admit-to-using-r2d2-trojan-to-spy-on-citizens/
  921.  
  922.  
  923. Conclusion: Although time consuming we were able to properly identify, the suspected malware, and after carving the file we were able to further inspect the malware which we promptly submitted to VirusTotal, which confirmed our suspicions. We were able to build up a set of IOCs (Indicators of Compromise) with our hash value, IP that this trojan was connecting to, and lastly registry entries, all of which can be used to help users to eradicate this nation state malware. In addition we were able to provide evidence which supports our conclusions for each question in the challenge. In the end attribution is not a sure thing and is mainly guess work, based upon what actors used what malware previously.
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!