daily pastebin goal
11%
SHARE
TWEET

Malware

ray0yan Feb 20th, 2014 230 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. ------|  Malware Memory Forensic
  2. Jika merujuk pada buku Malware Analyst’s Cookbook, "Memory forensics refers
  3. to finding and extracting forensic artifacts from a computer’s physical memory,
  4. otherwise known as RAM". Informasi yang bisa diperoleh dari memory sudah
  5. dijelaskan oleh patusacyber pada echo ezine[1].
  6. Dari temuan-temuan informasi yang didapat selanjutnya akan menjadi bahan anlisis.
  7. Dalam tulisan ini tidak ada proses akuisisi memorynya karena saya menggunakan sample memory
  8. yang terinfeksi trojan yang diunduh dari internet[2] dan Saya menggunakan tool Volatilty[3].
  9. Pertama mulailah dengan apa yang kamu ketahui. Seperti trojan-trojan lainya, tentu akan
  10. melakukan hubungan dengan server c&c.
  11.  
  12. b33ns@b33ns:~$ export VOLATILITY_PROFILE=WinXPSP2x86
  13. b33ns@b33ns:~$ export VOLATILITY_LOCATION=~/sample/volatile/spyeye.vmem
  14. b33ns@b33ns:~$ md5sum ~/sample/volatile/spyeye.vmem
  15. 15dd403be9021bdb711091e946a3ba64  /home/b33ns/sample/volatile/spyeye.vmem
  16.  
  17. b33ns@b33ns:~$ vol.py connscan
  18. Volatility Foundation Volatility Framework 2.3.1
  19. Offset(P)  Local Address             Remote Address            Pid
  20. ---------- ------------------------- ------------------------- ---
  21. 0x01eacc00 192.168.16.129:1039       65.55.185.26:443          1068
  22. 0x01fd3170 192.168.16.129:1040       207.46.21.58:80           1068
  23.  
  24. 207.46.21.58 adalah alamat server yang mengontrol trojan.
  25. Kita cari tahu proses id 1068 milik siapa
  26.  
  27. b33ns@b33ns:~$ vol.py pslist -p 1068
  28. Volatility Foundation Volatility Framework 2.3.1
  29. Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit                          
  30. ---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ---------
  31. 0x822a0758 svchost.exe            1068    704     58     1256      0      0 2010-11-11 22:02:17 UTC+0000  
  32.  
  33. nah ternyata milik svchost.exe, svchost.exe jelas sudah terinfeksi karena
  34. tidak seharusnya svchost melakukan koneksi keluar. Ok, sekarang fokus kita di svchost.exe
  35.  
  36. b33ns@b33ns:~$ vol.py apihooks -p 1068
  37. [skip]
  38. Hook mode: Usermode
  39. Hook type: Inline/Trampoline
  40. Process: 1068 (svchost.exe)
  41. Victim module: USER32.dll (0x7e410000 - 0x7e4a1000)
  42. Function: USER32.dll!TranslateMessage at 0x7e418bf6
  43. Hook address: 0xea53fc6
  44. Hooking module: <unknown>
  45.  
  46. Disassembly(0):
  47. 0x7e418bf6 e9cbb36390       JMP 0xea53fc6
  48. [skip]
  49.  
  50. b33ns@b33ns:~$ vol.py volshell
  51. Volatility Foundation Volatility Framework 2.3.1
  52. Current context: process System, pid=4, ppid=0 DTB=0x319000
  53. Welcome to volshell! Current memory image is:
  54. file:///home/b33ns/sample/volatile/spyeye.vmem
  55. To get help, type 'hh()'
  56. >>> cc(pid=1068)
  57. Current context: process svchost.exe, pid=1068, ppid=704 DTB=0xa940120
  58. >>> dis(0x7e418bf6, length=32)
  59. 0x7e418bf6 e9cbb36390                       JMP 0xea53fc6
  60. 0x7e418bfb 56                               PUSH ESI
  61. 0x7e418bfc 8b7508                           MOV ESI, [EBP+0x8]
  62. 0x7e418bff 66817e08e500                     CMP WORD [ESI+0x8], 0xe5
  63. 0x7e418c05 0f84667e0200                     JZ 0x7e440a71
  64. 0x7e418c0b 6a00                             PUSH 0x0
  65. 0x7e418c0d 56                               PUSH ESI
  66. 0x7e418c0e e806feffff                       CALL 0x7e418a19
  67. 0x7e418c13 5e                               POP ESI
  68. 0x7e418c14 5d                               POP EBP
  69. 0x7e418c15 c2                               DB 0xc2
  70. >>> db(0xea50000, length=256)
  71. 0x0ea50000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............
  72. 0x0ea50010  b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00   ........@.......
  73. 0x0ea50020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
  74. 0x0ea50030  00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00   ................
  75. 0x0ea50040  0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68   ........!..L.!Th
  76. 0x0ea50050  69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f   is.program.canno
  77. 0x0ea50060  74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20   t.be.run.in.DOS.
  78. 0x0ea50070  6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00   mode....$.......
  79. 0x0ea50080  aa fd bf f4 ee 9c d1 a7 ee 9c d1 a7 ee 9c d1 a7   ................
  80. 0x0ea50090  2d 93 8e a7 e6 9c d1 a7 ee 9c d1 a7 ef 9c d1 a7   -...............
  81. 0x0ea500a0  c9 5a ac a7 e9 9c d1 a7 c9 5a aa a7 ec 9c d1 a7   .Z.......Z......
  82. 0x0ea500b0  c9 5a bc a7 d3 9c d1 a7 2d 93 8c a7 fe 9c d1 a7   .Z......-.......
  83. 0x0ea500c0  ee 9c d0 a7 1e 9c d1 a7 b7 bf c2 a7 ed 9c d1 a7   ................
  84. 0x0ea500d0  c9 5a af a7 ef 9c d1 a7 c9 5a bf a7 df 9c d1 a7   .Z.......Z......
  85. 0x0ea500e0  c9 5a ad a7 ef 9c d1 a7 c9 5a a9 a7 ef 9c d1 a7   .Z.......Z......
  86. 0x0ea500f0  52 69 63 68 ee 9c d1 a7 00 00 00 00 00 00 00 00   Rich............
  87.  
  88. kita dump aja untuk memudahkan untuk proses analisis selanjutnya
  89. b33ns@b33ns:~$ mkdir vaddump && vol.py vaddump -p 1068 -D vaddump
  90. [skip]
  91. b33ns@b33ns:~$ cd vaddump && ls -l | grep 0ea50000(masih ingat hex ini kan, lihat atas)
  92. -rw-rw-r-- 1 b33ns b33ns   188416 Feb 18 18:23 svchost.exe.22a0758.0x0ea50000-0x0ea7dfff.dmp
  93.  
  94. kita cari lagi informasi yang menarik
  95. b33ns@b33ns:~$ strings vaddump/svchost.exe.22a0758.0x0ea50000-0x0ea7dfff.dmp > strings_svchost.txt
  96. b33ns@b33ns:~$ cat strings_svchost.txt
  97. [skip]
  98. SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
  99. [skip]
  100.  
  101. b33ns@b33ns:~$ vol.py printkey -K "SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN"
  102. [skip]
  103. Registry: \Device\HarddiskVolume1\Documents and Settings\Administrator\NTUSER.DAT
  104. Key name: Run (S)
  105. Last updated: 2011-01-06 14:36:52 UTC+0000
  106.  
  107. Subkeys:
  108.  
  109. Values:
  110. REG_SZ        cleansweep.exe  : (S) C:\cleansweep.exe\cleansweep.exe
  111. [skip]
  112.  
  113. nah ketahuan lokasi nongkrongnya....
  114. Dan ketika dieksekusi akan membuat registry key agar trojan aktif ketika startup
  115. kita cari tahu proses id cleansweep.exe
  116.  
  117. b33ns@b33ns:~$ vol.py pslist | grep cleansweep.exe
  118. Volatility Foundation Volatility Framework 2.3.1
  119. Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit                          
  120. ---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ---------
  121.  
  122. 0x82226b48 cleansweep.exe         2268   1008      0 --------      0      0 2011-01-06 14:36:52 UTC+0000   2011-01-06 14:36:52 UTC+0000
  123.  
  124. Trojan dieksekusi pada 2011-01-06 14:36:52 UTC+0000
  125. biar lebih yakin kita lihat mft record
  126. b33ns@b33ns:~$ vol.py mftparser > mftparser.txt
  127. b33ns@b33ns:~$ cat mftparser.txt | grep cleansweep.exe
  128. Creation                       Modified                       MFT Altered                    Access Date                    Name/Path
  129. ------------------------------ ------------------------------ ------------------------------ ------------------------------ ---------
  130.  
  131. 2011-01-06 14:36:52 UTC+0000 2011-01-06 14:36:52 UTC+0000   2011-01-06 14:36:52 UTC+0000   2011-01-06 14:36:52 UTC+0000   cleansweep.exe
  132. 2011-01-06 14:36:52 UTC+0000 2011-01-06 14:36:52 UTC+0000   2011-01-06 14:36:52 UTC+0000   2011-01-06 14:36:52 UTC+0000   cleansweep.exe
  133. 2011-01-06 14:36:52 UTC+0000 2011-01-06 14:36:52 UTC+0000   2011-01-06 14:36:52 UTC+0000   2011-01-06 14:36:52 UTC+0000   cleansweep.exe\CLEANS~1.EXE
  134. 2011-01-06 14:36:52 UTC+0000 2011-01-06 14:36:52 UTC+0000   2011-01-06 14:36:52 UTC+0000   2011-01-06 14:36:52 UTC+0000   cleansweep.exe\cleansweep.exe
  135. 2011-01-06 14:36:52 UTC+0000 2011-01-06 14:36:52 UTC+0000   2011-01-06 14:36:52 UTC+0000   2011-01-06 14:36:52 UTC+0000   cleansweep.exe\config.bin
  136. 2011-01-06 14:36:52 UTC+0000 2011-01-06 14:36:52 UTC+0000   2011-01-06 14:36:52 UTC+0000   2011-01-06 14:36:52 UTC+0000   cleansweep.exe\config.bin
  137. 2011-01-06 14:36:52 UTC+0000 2011-01-06 14:36:52 UTC+0000   2011-01-06 14:36:52 UTC+0000   2011-01-06 14:36:52 UTC+0000   cleansweep.exe\CLEANS~1.EXE
  138. 2011-01-06 14:36:52 UTC+0000 2011-01-06 14:36:52 UTC+0000   2011-01-06 14:36:52 UTC+0000   2011-01-06 14:36:52 UTC+0000   cleansweep.exe\cleansweep.exe
  139.  
  140. Jika dikaitkan dengam temuan sebelumnya, trojan berada di C:\cleansweep.exe lengkap dengan file konfigurasinya
  141. lalu bagaimana spyeye bisa berada tereksekusi di komputer victim?, sengaja di taruh & sengaja dieksekusi sama victim :D
  142. Creation                       Modified                       MFT Altered                    Access Date                    Name/Path
  143. ------------------------------ ------------------------------ ------------------------------ ------------------------------ ---------
  144. 2011-01-06 14:36:04 UTC+0000 2010-10-04 17:17:25 UTC+0000   2010-10-04 17:17:25 UTC+0000   2011-01-06 14:36:04 UTC+0000   Documents and Settings\Administrator\Desktop\spyeye.zip
  145.  
  146. b33ns@b33ns:~$ md5sum ~/sample/volatile/spyeye.vmem
  147. 15dd403be9021bdb711091e946a3ba64  /home/b33ns/sample/volatile/spyeye.vmem
  148.  
  149.  
  150.  
  151. ------|  Refrensi
  152. [1]http://ezine.echo.or.id/issue28/007.txt
  153. [2]http://code.google.com/p/volatility/wiki/MemorySamples
  154. [3]http://code.google.com/p/volatility
  155. -
  156. -
  157. -
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top