After completing the Cridex malware analysis, I decided to take up the jackcr DFIR challenge for further learning. I will continue to use the Volatility open source framework for this analysis. You can also read the Cridex malware analysis here.
Challenge
The challenge consists of four memory dumps and one packet capture: two memory dumps from user machines, one from an IIS server and one from a domain controller. The challenge states that a connection was made from one user machine to a bad IP over port 80, and it then asks a series of questions, which we will answer in this post.
We will start with the impacted machine, ENG-USTXHOU-148.
First, we run the imageinfo plugin to identify the image's profile and basic details.
C:\volatility>volatility.exe -f C:\Users\Administrator\Downloads\jackcr-dfir-challenge\jackcr-challenge\ENG-USTXHOU-148\memdump.bin imageinfo
Volatility Foundation Volatility Framework 2.6
INFO : volatility.debug : Determining profile based on KDBG search…
Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
AS Layer1 : IA32PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (C:\Users\Administrator\Downloads\jackcr-dfir-challenge\jackcr-challenge\ENG-USTXHOU-148\memdump.bin)
PAE type : No PAE
DTB : 0x39000L
KDBG : 0x8054cde0L
Number of Processors : 1
Image Type (Service Pack) : 3
KPCR for CPU 0 : 0xffdff000L
KUSER_SHARED_DATA : 0xffdf0000L
Image date and time : 2012-11-27 01:57:28 UTC+0000
Image local date and time : 2012-11-26 19:57:28 -0600
Since we know that this system made a connection to a bad IP, let's run the connscan plugin, which lists the TCP connections it can carve from memory, including ones that have already closed.
C:\volatility>volatility.exe -f C:\Users\Administrator\Downloads\jackcr-dfir-challenge\jackcr-challenge\ENG-USTXHOU-148\memdump.bin --profile=WinXPSP2x86 connscan
Volatility Foundation Volatility Framework 2.6
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- --------
0x01f60850 0.0.0.0:0 1.0.0.0:0 36569092
0x01ffa850 172.16.150.20:1291 58.64.132.141:80 1024
0x0201f850 172.16.150.20:1292 172.16.150.10:445 4
0x02084e68 172.16.150.20:1281 172.16.150.10:389 628
0x020f8988 172.16.150.20:2862 172.16.150.10:135 696
0x02201008 172.16.150.20:1280 172.16.150.10:389 628
0x18615850 172.16.150.20:1292 172.16.150.10:445 4
0x189e8850 172.16.150.20:1291 58.64.132.141:80 1024
0x18a97008 172.16.150.20:1280 172.16.150.10:389 628
0x18b8e850 0.0.0.0:0 1.0.0.0:0 36569092
0x18dce988 172.16.150.20:2862 172.16.150.10:135 696
Immediately we can see two connections to 58.64.132.141 over port 80.
Both connections belong to the process with PID 1024.
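As an added example (not the post's own tooling), the triage below parses connscan output like the table above, collapses the duplicate pool hits, and reports only connections whose remote end lies outside private address space, keyed by PID. The sample rows are copied from the output above; the PID plausibility bound is an assumption.

```python
"""Triage Volatility 2 connscan output: dedupe pool-scan hits, drop stale
records, and group external destinations by PID. Added example, not part
of the original post."""
import ipaddress
import re
from collections import defaultdict

# Sample rows taken from the ENG-USTXHOU-148 connscan output above.
CONNSCAN_OUTPUT = """\
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- --------
0x01f60850 0.0.0.0:0                 1.0.0.0:0                 36569092
0x01ffa850 172.16.150.20:1291        58.64.132.141:80          1024
0x0201f850 172.16.150.20:1292        172.16.150.10:445         4
0x02084e68 172.16.150.20:1281        172.16.150.10:389         628
0x189e8850 172.16.150.20:1291        58.64.132.141:80          1024
0x18615850 172.16.150.20:1292        172.16.150.10:445         4
"""

# offset, local ip:port, remote ip:port, pid
LINE_RE = re.compile(
    r"^0x[0-9a-f]+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\d+)\s*$", re.I)


def parse_connscan(text):
    """Yield (local_ip, local_port, remote_ip, remote_port, pid) per row;
    header and divider lines do not match and are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            lip, lport, rip, rport, pid = m.groups()
            yield lip, int(lport), rip, int(rport), int(pid)


def triage(text, max_pid=65535):
    """Return {pid: sorted unique (remote_ip, remote_port)} for connections
    whose remote side is not private, loopback or multicast.

    connscan carves _TCPT_OBJECT structures from the pool, so the same
    connection can appear at several physical offsets; identical 5-tuples
    collapse to one. It also carves freed or garbage pool, which is how
    rows like 1.0.0.0:0 with an absurd PID appear; max_pid (an assumed
    plausibility bound) and the unspecified-address check drop those."""
    seen = set()
    findings = defaultdict(set)
    for lip, lport, rip, rport, pid in parse_connscan(text):
        key = (lip, lport, rip, rport, pid)
        if key in seen:
            continue
        seen.add(key)
        try:
            remote = ipaddress.ip_address(rip)
        except ValueError:
            continue
        if pid > max_pid or remote.is_unspecified:
            continue
        if remote.is_private or remote.is_loopback or remote.is_multicast:
            continue
        findings[pid].add((rip, rport))
    return {pid: sorted(v) for pid, v in findings.items()}


if __name__ == "__main__":
    for pid, remotes in triage(CONNSCAN_OUTPUT).items():
        print(pid, remotes)   # 1024 [('58.64.132.141', 80)]
```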
Next, let's use the yarascan plugin to find every reference to 58.64.132.141 in memory.
C:\volatility>volatility.exe -f C:\Users\Administrator\Downloads\jackcr-dfir-challenge\jackcr-challenge\ENG-USTXHOU-148\memdump.bin --profile=WinXPSP2x86 yarascan -Y "58.64.132.141"
Volatility Foundation Volatility Framework 2.6
Rule: r1
Owner: Process svchost.exe Pid 1024
0x0014ded4 35 38 2e 36 34 2e 31 33 32 2e 31 34 31 00 00 00 58.64.132.141…
0x0014dee4 35 00 38 00 2e 00 36 00 34 00 2e 00 31 00 33 00 5.8…6.4…1.3.
0x0014def4 32 00 2e 00 31 00 34 00 31 00 00 00 04 00 00 00 2…1.4.1…….
0x0014df04 01 00 00 00 0d 00 00 00 13 00 00 00 0d ff ff ff …………….
0x0014df14 ff 5e 00 00 80 00 5f 5f 4e 41 4d 45 53 50 41 43 .^….__NAMESPAC
0x0014df24 45 00 00 4e 61 6d 65 00 08 00 00 00 00 00 00 00 E..Name………
0x0014df34 00 00 01 00 00 00 1c 00 00 00 0a 00 00 80 03 08 …………….
0x0014df44 00 00 00 3d 00 00 00 01 00 00 80 13 0b 00 00 00 …=…………
0x0014df54 ff ff 00 73 74 72 69 6e 67 00 00 00 00 00 00 00 …string…….
0x0014df64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….
0x0014df74 00 00 00 2a 00 00 00 00 00 00 00 00 00 0d 00 00 …*…………
0x0014df84 00 04 00 00 00 01 13 00 00 80 00 5f 5f 4e 41 4d ………..__NAM
0x0014df94 45 53 50 41 43 45 00 00 55 73 65 72 00 00 00 00 ESPACE..User….
0x0014dfa4 00 00 00 00 00 00 00 00 00 00 00 00 27 00 29 00 …………’.).
0x0014dfb4 33 01 08 00 58 00 4a 03 99 ad de 99 00 80 00 00 3…X.J………
0x0014dfc4 01 00 00 00 7b 00 00 00 00 00 00 00 00 00 00 00 ….{………..
Rule: r1
Owner: Process svchost.exe Pid 1024
0x003641f8 35 38 2e 36 34 2e 31 33 32 2e 31 34 31 3a 38 30 58.64.132.141:80
0x00364208 00 00 00 00 01 00 00 00 04 00 04 00 97 01 0f 00 …………….
0x00364218 35 38 2e 36 34 2e 31 33 32 2e 31 34 31 00 38 30 58.64.132.141.80
0x00364228 00 00 00 00 00 00 00 00 04 00 04 00 93 01 0f 00 …………….
0x00364238 35 38 2e 36 34 2e 31 33 32 2e 31 34 31 3a 38 30 58.64.132.141:80
0x00364248 00 00 00 00 10 f7 c5 77 04 00 04 00 9f 01 0f 00 …….w……..
0x00364258 35 38 2e 36 34 2e 31 33 32 2e 31 34 31 00 38 30 58.64.132.141.80
0x00364268 00 00 00 00 00 00 00 00 02 00 04 00 00 00 00 00 …………….
.
.
.
rule: r1
Owner: Process msimn.exe Pid 1984
0x0016ea6c 35 38 2e 36 34 2e 31 33 32 2e 31 34 31 5d 29 20 58.64.132.141]).
0x0016ea7c 62 79 20 75 62 75 6e 74 75 2d 72 6f 75 74 65 72 by.ubuntu-router
0x0016ea8c 20 28 38 2e 31 34 2e 33 2f 38 2e 31 34 2e 33 2f .(8.14.3/8.14.3/
0x0016ea9c 44 65 62 69 61 6e 2d 39 2e 32 75 62 75 6e 74 75 Debian-9.2ubuntu
0x0016eaac 31 29 20 77 69 74 68 20 53 4d 54 50 20 69 64 20 1).with.SMTP.id.
0x0016eabc 71 41 51 4b 30 36 43 6f 30 30 35 38 34 32 3b 20 qAQK06Co005842;.
0x0016eacc 4d 6f 6e 2c 20 32 36 20 4e 6f 76 20 32 30 31 32 Mon,.26.Nov.2012
0x0016eadc 20 31 35 3a 30 30 3a 30 37 20 2d 30 35 30 30 00 .15:00:07.-0500.
0x0016eaec 00 00 00 00 0c b0 01 00 08 b2 1e 76 04 00 00 00 ...........v....
0x0016eafc 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 ................
0x0016eb0c 95 00 00 00 9d 00 00 00 4c 01 00 00 00 00 00 00 ........L.......
0x0016eb1c 00 00 00 00 00 00 00 00 00 00 00 00 65 04 b4 ea ............e...
0x0016eb2c 00 01 10 ff 01 00 00 00 00 00 00 00 5c eb 16 00 ............\...
0x0016eb3c 29 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 )...............
0x0016eb4c 09 00 00 00 5c eb 16 00 2a 00 00 00 aa 00 00 00 ....\...*.......
0x0016eb5c 3c 46 43 45 31 43 33 36 43 37 42 42 43 34 36 41 <FCE1C36C7BBC46A
yarascan shows two processes, 1024 (svchost.exe) and 1984 (msimn.exe, Outlook Express), holding this IP in memory. If we take a closer look at the msimn.exe hit, we can see an SMTP Received header containing an SMTP id. It looks like a phishing email with a malicious link was sent to the user.
To confirm this hypothesis, let's take a look at the browser history using the iehistory plugin.
C:\volatility>volatility.exe -f C:\Users\Administrator\Downloads\jackcr-dfir-challenge\jackcr-challenge\ENG-USTXHOU-148\memdump.bin --profile=WinXPSP2x86 iehistory
Volatility Foundation Volatility Framework 2.6
**************************************************
Process: 284 explorer.exe
Cache type "DEST" at 0xdcb69
Last modified: 2012-11-26 17:01:53 UTC+0000
Last accessed: 2012-11-26 23:01:54 UTC+0000
URL: callb@http://58.64.132.8/download/Symantec-1.43-1.exe
From the above output we can see the user downloading Symantec-1.43-1.exe from 58.64.132.8.
Now, let's take a look at the process tree using the pstree plugin.
C:\volatility>volatility.exe -f C:\Users\Administrator\Downloads\jackcr-dfir-challenge\jackcr-challenge\ENG-USTXHOU-148\memdump.bin --profile=WinXPSP2x86 pstree
Volatility Foundation Volatility Framework 2.6
Name                              Pid   PPid  Thds  Hnds  Time
--------------------------------- ----- ----- ----- ----- ----------------------------
0x823c8830:System                 4     0     51    271   1970-01-01 00:00:00 UTC+0000
. 0x821841c8:smss.exe             356   4     3     19    2012-11-26 22:03:28 UTC+0000
.. 0x82189da0:winlogon.exe        628   356   18    653   2012-11-26 22:03:29 UTC+0000
... 0x82194650:services.exe       680   628   15    243   2012-11-26 22:03:30 UTC+0000
.... 0x820b3da0:svchost.exe       1024  680   76    1645  2012-11-26 22:03:32 UTC+0000
..... 0x82045da0:wuauclt.exe      1628  1024  3     142   2012-11-26 22:04:43 UTC+0000
..... 0x82049690:wc.exe           364   1024  1     27    2012-11-27 01:30:00 UTC+0000
.... 0x8203c020:alg.exe           1888  680   6     105   2012-11-26 22:03:35 UTC+0000
.... 0x821a62e0:svchost.exe       1068  680   5     81    2012-11-26 22:03:32 UTC+0000
.... 0x822e9700:spoolsv.exe       1348  680   10    105   2012-11-26 22:03:34 UTC+0000
.... 0x82192b10:svchost.exe       940   680   9     258   2012-11-26 22:03:31 UTC+0000
.... 0x821a3c10:svchost.exe       1116  680   14    248   2012-11-26 22:03:33 UTC+0000
.... 0x8219e2c8:svchost.exe       852   680   14    187   2012-11-26 22:03:31 UTC+0000
... 0x82244020:lsass.exe          692   628   22    407   2012-11-26 22:03:30 UTC+0000
.. 0x821b0020:csrss.exe           604   356   12    351   2012-11-26 22:03:29 UTC+0000
0x8204f020:explorer.exe           284   244   9     372   2012-11-26 22:03:58 UTC+0000
. 0x82226650:msmsgs.exe           548   284   3     204   2012-11-26 22:04:03 UTC+0000
. 0x822d0828:cmd.exe              1796  284   1     33    2012-11-27 01:56:21 UTC+0000
.. 0x820b13b8:mdd.exe             244   1796  1     24    2012-11-27 01:57:28 UTC+0000
. 0x821feda0:msimn.exe            1984  284   7     359   2012-11-26 22:06:33 UTC+0000
. 0x822408d0:ctfmon.exe           556   284   1     75    2012-11-26 22:04:03 UTC+0000
Next, we use the cmdline plugin to see the command line each process was started with.
C:\volatility>volatility.exe -f C:\Users\Administrator\Downloads\jackcr-dfir-challenge\jackcr-challenge\ENG-USTXHOU-148\memdump.bin --profile=WinXPSP2x86 cmdline
Volatility Foundation Volatility Framework 2.6
************************************************************************
System pid: 4
************************************************************************
smss.exe pid: 356
Command line : \SystemRoot\System32\smss.exe
************************************************************************
csrss.exe pid: 604
Command line : C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
************************************************************************
winlogon.exe pid: 628
Command line : winlogon.exe
************************************************************************
services.exe pid: 680
Command line : C:\WINDOWS\system32\services.exe
************************************************************************
lsass.exe pid: 692
Command line : C:\WINDOWS\system32\lsass.exe
************************************************************************
svchost.exe pid: 852
Command line : C:\WINDOWS\system32\svchost -k DcomLaunch
************************************************************************
svchost.exe pid: 940
Command line : C:\WINDOWS\system32\svchost -k rpcss
************************************************************************
svchost.exe pid: 1024
Command line : C:\WINDOWS\System32\svchost.exe -k netsvcs
************************************************************************
svchost.exe pid: 1068
Command line : C:\WINDOWS\System32\svchost.exe -k NetworkService
************************************************************************
svchost.exe pid: 1116
Command line : C:\WINDOWS\System32\svchost.exe -k LocalService
************************************************************************
spoolsv.exe pid: 1348
Command line : C:\WINDOWS\system32\spoolsv.exe
************************************************************************
alg.exe pid: 1888
Command line : C:\WINDOWS\System32\alg.exe
************************************************************************
explorer.exe pid: 284
Command line : C:\WINDOWS\Explorer.EXE
************************************************************************
msmsgs.exe pid: 548
Command line : "C:\Program Files\Messenger\msmsgs.exe" /background
************************************************************************
ctfmon.exe pid: 556
Command line : "C:\WINDOWS\system32\ctfmon.exe"
************************************************************************
wuauclt.exe pid: 1628
Command line : "C:\WINDOWS\system32\wuauclt.exe"
************************************************************************
msimn.exe pid: 1984
Command line : "C:\Program Files\Outlook Express\msimn.exe"
************************************************************************
wc.exe pid: 364
Command line : wc.exe -e -o h.out
************************************************************************
cmd.exe pid: 1796
Command line : "C:\WINDOWS\system32\cmd.exe"
************************************************************************
mdd.exe pid: 244
Command line : mdd.exe -o callb-memdump.bin
Let's take a memory dump of process 1024 with the memdump plugin.
C:\volatility>volatility.exe -f C:\Users\Administrator\Downloads\jackcr-dfir-challenge\jackcr-challenge\ENG-USTXHOU-148\memdump.bin --profile=WinXPSP2x86 memdump -p 1024 --dump-dir C:\Users\Administrator\Downloads\jackcr-dfir-challenge\jackcr-challenge\ENG-USTXHOU-148\
Volatility Foundation Volatility Framework 2.6
************************************************************************
Writing svchost.exe [ 1024] to 1024.dmp
Analysis of the dump file provides some very interesting information:
1. We can see it making connections to the bad IP, 58.64.132.141.
2. We can see it trying to reach another internal host: the dump contains the strings "Connecting to 172.16.223.47..." and "Starting PsExec service on 172.16.223.47...", which are PsExec's status messages.
3. We can confirm that the callb and sysbackup credentials are compromised.
4. The user received an email containing the link http://58.64.132.8/download/Symantec-1.43-1.exe.
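The yarascan hits earlier show the IP stored both as ASCII and as UTF-16LE (the "5.8.6.4" pattern with a null after each character), and the findings from the process dump above come from strings left in its memory. As an added example that is not part of the original post, the scanner below extracts both kinds of strings from a raw buffer and matches them against this investigation's indicators; the dump buffer is constructed here to mimic those hits, and the indicator patterns are my own.

```python
"""Extract ASCII and UTF-16LE strings from a raw memory dump and match them
against indicators from this investigation. Added example, not the post's
own tooling; SAMPLE_DUMP is a constructed stand-in for the real dump."""
import re

# Constructed buffer: an ASCII copy of the C2 address, a UTF-16LE copy
# (the "5.8.6.4" pattern seen in the yarascan hit), a PsExec status line
# and the phishing URL, separated by binary filler.
SAMPLE_DUMP = (
    b"\x00\x01\x02" + b"58.64.132.141:80\x00"
    + b"\xff\xfe" + "58.64.132.141".encode("utf-16-le") + b"\x00\x00"
    + b"\x0d\x00" + b"Starting PsExec service on 172.16.223.47...\x00"
    + b"\x99\xad\xde" + b"http://58.64.132.8/download/Symantec-1.43-1.exe\x00"
    + b"\x00" * 8
)

# Runs of at least six printable characters, narrow and wide.
ASCII_RE = re.compile(rb"[\x20-\x7e]{6,}")
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")

# Indicators taken from the analysis above (patterns are my own wording).
IOC_PATTERNS = {
    "c2_ip": re.compile(r"\b58\.64\.132\.141\b"),
    "psexec": re.compile(
        r"Starting PsExec service on (\d{1,3}(?:\.\d{1,3}){3})"),
    "phish_url": re.compile(r"https?://58\.64\.132\.8/\S+"),
}


def extract_strings(buf):
    """Return [(offset, encoding, text)] for ASCII and UTF-16LE runs,
    sorted by offset. Wide runs are decoded so they compare as text;
    a narrow search alone would miss the UTF-16LE copy of the IP."""
    found = []
    for m in ASCII_RE.finditer(buf):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in WIDE_RE.finditer(buf):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(found)


def match_iocs(buf):
    """Return [(ioc_name, offset, encoding, matched_text)] for every string
    that matches one of the indicator patterns."""
    hits = []
    for offset, enc, text in extract_strings(buf):
        for name, pat in IOC_PATTERNS.items():
            m = pat.search(text)
            if m:
                hits.append((name, offset, enc, m.group()))
    return hits


if __name__ == "__main__":
    for name, offset, enc, text in match_iocs(SAMPLE_DUMP):
        print(f"{offset:#010x} {enc:8} {name:10} {text}")
```

Volatility's own strings plugin and `strings -el` on the .dmp file give the same wide-string coverage; the point of the example is that the indicator has to be searched in both encodings.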
Convinced that process 1024 (svchost.exe) is the culprit, let's dump its executable with the procdump plugin and do some hybrid analysis.
C:\volatility>volatility.exe -f C:\Users\Administrator\Downloads\jackcr-dfir-challenge\jackcr-challenge\ENG-USTXHOU-148\memdump.bin --profile=WinXPSP2x86 procdump -p 1024 --dump-dir C:\Users\Administrator\Downloads\jackcr-dfir-challenge\jackcr-challenge\ENG-USTXHOU-148\
After generating the .exe file, it was not flagged by the AV on my system, nor did VirusTotal show it as infected.
That is not surprising: svchost.exe itself is a legitimate Windows binary that only hosts services, so the malicious code is more likely in something loaded into it. To dig further, let's look at the DLLs loaded by the process with the dlllist plugin.
C:\volatility>volatility.exe -f C:\Users\Administrator\Downloads\jackcr-dfir-challenge\jackcr-challenge\ENG-USTXHOU-148\memdump.bin --profile=WinXPSP2x86 dlllist -p 1024
Volatility Foundation Volatility Framework 2.6
************************************************************************
svchost.exe pid: 1024
Command line : C:\WINDOWS\System32\svchost.exe -k netsvcs
Service Pack 3
Base       Size       LoadCount  Path
---------- ---------- ---------- ----
0x01000000 0x6000 0xffff C:\WINDOWS\System32\svchost.exe
0x7c900000 0xaf000 0xffff C:\WINDOWS\system32\ntdll.dll
0x7c800000 0xf6000 0xffff C:\WINDOWS\system32\kernel32.dll
0x77dd0000 0x9b000 0xffff C:\WINDOWS\system32\ADVAPI32.dll
0x77e70000 0x92000 0xffff C:\WINDOWS\system32\RPCRT4.dll
0x77fe0000 0x11000 0xffff C:\WINDOWS\system32\Secur32.dll
0x5cb70000 0x26000 0x1 C:\WINDOWS\System32\ShimEng.dll
0x6f880000 0x1ca000 0x1 C:\WINDOWS\AppPatch\AcGenral.DLL
0x7e410000 0x91000 0x403 C:\WINDOWS\system32\USER32.dll
0x77f10000 0x49000 0x23e C:\WINDOWS\system32\GDI32.dll
0x76b40000 0x2d000 0x20 C:\WINDOWS\System32\WINMM.dll
0x774e0000 0x13d000 0xea C:\WINDOWS\system32\ole32.dll
0x77c10000 0x58000 0x435 C:\WINDOWS\system32\msvcrt.dll
0x77120000 0x8b000 0x97 C:\WINDOWS\system32\OLEAUT32.dll
0x77be0000 0x15000 0x1 C:\WINDOWS\System32\MSACM32.dll
0x77c00000 0x8000 0x20 C:\WINDOWS\system32\VERSION.dll
0x7c9c0000 0x817000 0x16 C:\WINDOWS\system32\SHELL32.dll
0x77f60000 0x76000 0x6f C:\WINDOWS\system32\SHLWAPI.dll
0x769c0000 0xb4000 0x18 C:\WINDOWS\system32\USERENV.dll
0x5ad70000 0x38000 0x4 C:\WINDOWS\System32\UxTheme.dll
0x76390000 0x1d000 0x3 C:\WINDOWS\system32\IMM32.DLL
0x773d0000 0x103000 0x9 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
0x5d090000 0x9a000 0x9 C:\WINDOWS\system32\comctl32.dll
0x77690000 0x21000 0x1 C:\WINDOWS\System32\NTMARTA.DLL
0x71bf0000 0x13000 0x17 C:\WINDOWS\System32\SAMLIB.dll
0x76f60000 0x2c000 0x23 C:\WINDOWS\system32\WLDAP32.dll
0x005b0000 0x2c5000 0x4 C:\WINDOWS\System32\xpsp2res.dll
0x776e0000 0x23000 0x3 c:\windows\system32\shsvcs.dll
0x76360000 0x10000 0x19 C:\WINDOWS\System32\WINSTA.dll
0x5b860000 0x55000 0x90 C:\WINDOWS\System32\NETAPI32.dll
0x7d4b0000 0x22000 0x5 c:\windows\system32\dhcpcsvc.dll
0x76f20000 0x27000 0x16 c:\windows\system32\DNSAPI.dll
0x71ab0000 0x17000 0x8b c:\windows\system32\WS2_32.dll
0x71aa0000 0x8000 0x54 c:\windows\system32\WS2HELP.dll
0x76d60000 0x19000 0x15 c:\windows\system32\iphlpapi.dll
0x68000000 0x36000 0x1 C:\WINDOWS\System32\rsaenh.dll
0x7db10000 0x8c000 0x2 c:\windows\system32\wzcsvc.dll
0x76e80000 0xe000 0x5f c:\windows\system32\rtutils.dll
0x76d30000 0x4000 0x4 c:\windows\system32\WMI.dll
0x77a80000 0x95000 0x36 c:\windows\system32\CRYPT32.dll
0x77b20000 0x12000 0x2e c:\windows\system32\MSASN1.dll
0x72810000 0xb000 0x3 c:\windows\system32\EapolQec.dll
0x76b20000 0x11000 0x29 c:\windows\system32\ATL.DLL
0x726c0000 0x16000 0x5 c:\windows\system32\QUtil.dll
0x76080000 0x65000 0x23 c:\windows\system32\MSVCP60.dll
0x478c0000 0xa000 0xc c:\windows\system32\dot3api.dll
0x76f50000 0x8000 0x15 c:\windows\system32\WTSAPI32.dll
0x606b0000 0x10d000 0x4 c:\windows\system32\ESENT.dll
0x76fd0000 0x7f000 0x5 C:\WINDOWS\System32\CLBCATQ.DLL
0x77050000 0xc5000 0x11 C:\WINDOWS\System32\COMRes.dll
0x76b70000 0x27000 0x7 C:\WINDOWS\System32\rastls.dll
0x754d0000 0x80000 0x8 C:\WINDOWS\System32\CRYPTUI.dll
0x63000000 0xe6000 0xa C:\WINDOWS\system32\WININET.dll
0x00db0000 0x9000 0xa C:\WINDOWS\system32\Normaliz.dll
0x1a400000 0x132000 0xa C:\WINDOWS\system32\urlmon.dll
0x5dca0000 0x1e8000 0x14 C:\WINDOWS\system32\iertutil.dll
0x76c30000 0x2e000 0xc C:\WINDOWS\System32\WINTRUST.dll
0x76c90000 0x28000 0xc C:\WINDOWS\system32\IMAGEHLP.dll
0x76d40000 0x18000 0xd C:\WINDOWS\System32\MPRAPI.dll
0x77cc0000 0x32000 0xe C:\WINDOWS\System32\ACTIVEDS.dll
0x76e10000 0x25000 0xf C:\WINDOWS\System32\adsldpc.dll
0x77920000 0xf3000 0x1a C:\WINDOWS\System32\SETUPAPI.dll
0x76ee0000 0x3c000 0x16 C:\WINDOWS\System32\RASAPI32.dll
0x76e90000 0x12000 0x1d C:\WINDOWS\System32\rasman.dll
0x76eb0000 0x2f000 0x1a C:\WINDOWS\System32\TAPI32.dll
0x767f0000 0x27000 0x7 C:\WINDOWS\System32\SCHANNEL.dll
0x723d0000 0x1c000 0x7 C:\WINDOWS\System32\WinSCard.dll
0x76bf0000 0xb000 0xf C:\WINDOWS\System32\PSAPI.DLL
0x76bd0000 0x16000 0x6 C:\WINDOWS\System32\raschap.dll
0x77c70000 0x24000 0x1 C:\WINDOWS\system32\msv1_0.dll
0x77300000 0x33000 0x1 c:\windows\system32\schedsvc.dll
0x767a0000 0x13000 0x8 c:\windows\system32\NTDSAPI.dll
0x74f50000 0x5000 0x1 C:\WINDOWS\System32\MSIDLE.DLL
0x708b0000 0xd000 0x1 c:\windows\system32\audiosrv.dll
0x76e40000 0x23000 0x1 c:\windows\system32\wkssvc.dll
0x76ce0000 0x12000 0x1 c:\windows\system32\cryptsvc.dll
0x77b90000 0x32000 0x1 c:\windows\system32\certcli.dll
0x74f90000 0x9000 0x1 c:\windows\system32\dmserver.dll
0x74f80000 0x9000 0x1 c:\windows\system32\ersvc.dll
0x77710000 0x42000 0x3 c:\windows\system32\es.dll
0x74f40000 0xc000 0x1 c:\windows\pchealth\helpctr\binaries\pchsvc.dll
0x75090000 0x1a000 0x1 c:\windows\system32\srvsvc.dll
0x77d00000 0x33000 0x1 c:\windows\system32\netman.dll
0x76400000 0x1a5000 0x5 c:\windows\system32\netshell.dll
0x76c00000 0x2e000 0x5 c:\windows\system32\credui.dll
0x736d0000 0x6000 0x5 c:\windows\system32\dot3dlg.dll
0x01c60000 0x28000 0x5 c:\windows\system32\OneX.DLL
0x745b0000 0x22000 0x5 c:\windows\system32\eappcfg.dll
0x01c90000 0xe000 0x5 c:\windows\system32\eappprxy.dll
0x73030000 0x10000 0x1 c:\windows\system32\WZCSAPI.DLL
0x662b0000 0x58000 0x6 C:\WINDOWS\System32\HNETCFG.DLL
0x50000000 0x5000 0x1 c:\windows\system32\wuauserv.dll
0x59490000 0x28000 0x1 c:\windows\system32\wbem\wmisvc.dll
0x753e0000 0x6d000 0x1 C:\WINDOWS\system32\VSSAPI.DLL
0x50040000 0x119000 0x1 C:\WINDOWS\system32\wuaueng.dll
0x65000000 0x2e000 0x1 C:\WINDOWS\System32\ADVPACK.dll
0x75150000 0x13000 0x1 C:\WINDOWS\System32\Cabinet.dll
0x600a0000 0xb000 0x1 C:\WINDOWS\System32\mspatcha.dll
0x76bb0000 0x5000 0x1 C:\WINDOWS\System32\sfc.dll
0x76c60000 0x2a000 0x2 C:\WINDOWS\System32\sfc_os.dll
0x76780000 0x9000 0x1 C:\WINDOWS\System32\SHFOLDER.dll
0x4d4f0000 0x59000 0x2 C:\WINDOWS\System32\WINHTTP.dll
0x73000000 0x26000 0x1 C:\WINDOWS\System32\WINSPOOL.DRV
0x767c0000 0x2c000 0x3 c:\windows\system32\w32time.dll
0x75070000 0x19000 0x1 c:\windows\system32\trkwks.dll
0x751a0000 0x2e000 0x1 c:\windows\system32\srsvc.dll
0x74ad0000 0x8000 0x1 c:\windows\system32\POWRPROF.dll
0x722d0000 0xd000 0x5 c:\windows\system32\sens.dll
0x73d20000 0x8000 0x1 c:\windows\system32\seclogon.dll
0x76da0000 0x16000 0x1 c:\windows\system32\browser.dll
0x71a50000 0x3f000 0x8 C:\WINDOWS\system32\mswsock.dll
0x71a90000 0x8000 0x1 C:\WINDOWS\System32\wshtcpip.dll
0x4c0a0000 0x17000 0x1 c:\windows\system32\wscsvc.dll
0x7d1e0000 0x2bc000 0x1 c:\windows\system32\msi.dll
0x7e720000 0xb0000 0x1 C:\WINDOWS\System32\SXS.DLL
0x76620000 0x13c000 0x3 C:\WINDOWS\system32\comsvcs.dll
0x75130000 0x14000 0x3 C:\WINDOWS\system32\colbact.DLL
0x750f0000 0x13000 0x3 C:\WINDOWS\system32\MTXCLU.DLL
0x71ad0000 0x9000 0x3 C:\WINDOWS\system32\WSOCK32.dll
0x76d10000 0x12000 0x6 C:\WINDOWS\System32\CLUSAPI.DLL
0x750b0000 0x12000 0x1 C:\WINDOWS\System32\RESUTILS.DLL
0x76fb0000 0x8000 0x1 C:\WINDOWS\System32\winrnr.dll
0x66460000 0x55000 0x1 c:\windows\system32\ipnathlp.dll
0x776c0000 0x12000 0x2 c:\windows\system32\AUTHZ.dll
0x76fc0000 0x6000 0x1 C:\WINDOWS\System32\rasadhlp.dll
0x75290000 0x37000 0xf C:\WINDOWS\System32\wbem\wbemcomn.dll
0x762c0000 0x85000 0x1 C:\WINDOWS\System32\Wbem\wbemcore.dll
0x75310000 0x3f000 0x4 C:\WINDOWS\System32\Wbem\esscli.dll
0x75690000 0x76000 0x8 C:\WINDOWS\System32\Wbem\FastProx.dll
0x75020000 0x1b000 0x1 C:\WINDOWS\System32\wbem\wmiutils.dll
0x75200000 0x2f000 0x1 C:\WINDOWS\System32\wbem\repdrvfs.dll
0x597f0000 0x6d000 0x1 C:\WINDOWS\System32\wbem\wmiprvsd.dll
0x5f770000 0xc000 0x2 C:\WINDOWS\system32\NCObjAPI.DLL
0x75390000 0x46000 0x1 C:\WINDOWS\System32\wbem\wbemess.dll
0x755f0000 0x9a000 0x4 C:\WINDOWS\System32\netcfgx.dll
0x71c80000 0x7000 0x2 C:\WINDOWS\System32\NETRAP.dll
0x76de0000 0x24000 0x1 C:\WINDOWS\System32\upnp.dll
0x74f00000 0xc000 0x1 C:\WINDOWS\System32\SSDPAPI.dll
0x7df30000 0x32000 0x4 C:\WINDOWS\System32\rasmans.dll
0x74370000 0xb000 0x4 C:\WINDOWS\System32\WINIPSEC.DLL
0x733e0000 0x40000 0x1 c:\windows\system32\tapisrv.dll
0x75880000 0x11000 0x2 C:\WINDOWS\System32\rastapi.dll
0x57cc0000 0x36000 0x1 C:\WINDOWS\System32\unimdm.tsp
0x72000000 0x7000 0x1 C:\WINDOWS\System32\uniplat.dll
0x57d40000 0xb000 0x1 C:\WINDOWS\System32\kmddsp.tsp
0x57d20000 0x10000 0x1 C:\WINDOWS\System32\ndptsp.tsp
0x57d50000 0x8000 0x1 C:\WINDOWS\System32\ipconf.tsp
0x57d70000 0x46000 0x1 C:\WINDOWS\System32\h323.tsp
0x57d60000 0xa000 0x1 C:\WINDOWS\System32\hidphone.tsp
0x688f0000 0x9000 0x1 C:\WINDOWS\System32\HID.DLL
0x72240000 0x37000 0x2 C:\WINDOWS\System32\rasppp.dll
0x724b0000 0x6000 0x2 C:\WINDOWS\System32\ntlsapi.dll
0x71cf0000 0x4c000 0x1 C:\WINDOWS\system32\kerberos.dll
0x76790000 0xc000 0x1 C:\WINDOWS\System32\cryptdll.dll
0x72ae0000 0x13000 0x2 C:\WINDOWS\System32\RASQEC.DLL
0x768d0000 0xa4000 0x1 C:\WINDOWS\System32\RASDLG.dll
0x77b40000 0x22000 0x1 C:\WINDOWS\system32\Apphelp.dll
0x50640000 0xc000 0x1 C:\WINDOWS\system32\wups.dll
0x5f740000 0xe000 0x1 C:\WINDOWS\System32\wbem\ncprov.dll
0x10000000 0x1c000 0x1 c:\windows\system32\6to4ex.dll
0x73b80000 0x12000 0x1 c:\windows\system32\AVICAP32.dll
0x75a70000 0x21000 0x2 c:\windows\system32\MSVFW32.dll
0x74ed0000 0xe000 0x1 C:\WINDOWS\System32\wbem\wbemsvc.dll
0x71b20000 0x12000 0x1 C:\WINDOWS\system32\MPR.dll
0x75f60000 0x7000 0x1 C:\WINDOWS\System32\drprov.dll
0x71c10000 0xe000 0x1 C:\WINDOWS\System32\ntlanman.dll
0x71cd0000 0x17000 0x2 C:\WINDOWS\System32\NETUI0.dll
0x71c90000 0x40000 0x1 C:\WINDOWS\System32\NETUI1.dll
0x75f70000 0xa000 0x1 C:\WINDOWS\System32\davclnt.dll
0x73d30000 0x17000 0x1 C:\WINDOWS\System32\wbem\wbemcons.dll
The DLL below looks suspicious: its name, 6to4ex.dll, does not correspond to a known Windows system DLL, and it is the only module loaded at 0x10000000, the linker's default base address for DLLs that have not been rebased, which Microsoft's own system DLLs do not use:
0x10000000 0x1c000 0x1 c:\windows\system32\6to4ex.dll
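As an added example (not the post's own tooling), the check below applies two of the heuristics just described to dlllist rows: a module whose name is absent from a known-good baseline, or that still sits at the linker's default DLL base 0x10000000, plus a path check. The rows are copied from the output above; the baseline set is a small constructed stand-in for a list taken from a clean host of the same build.

```python
"""Flag loaded modules in Volatility 2 dlllist output that deserve a closer
look. Added example, not the post's own tooling."""
import re

# Sample rows copied from the PID 1024 dlllist output above.
DLLLIST_OUTPUT = """\
Base       Size       LoadCount  Path
---------- ---------- ---------- ----
0x01000000 0x6000     0xffff     C:\\WINDOWS\\System32\\svchost.exe
0x7c900000 0xaf000    0xffff     C:\\WINDOWS\\system32\\ntdll.dll
0x005b0000 0x2c5000   0x4        C:\\WINDOWS\\System32\\xpsp2res.dll
0x10000000 0x1c000    0x1        c:\\windows\\system32\\6to4ex.dll
0x73b80000 0x12000    0x1        c:\\windows\\system32\\AVICAP32.dll
"""

ROW_RE = re.compile(
    r"^(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(\S.*)$", re.I)

# Constructed stand-in for a baseline of module names collected from a
# clean Windows XP SP3 host; a real one would hold hundreds of entries.
BASELINE = {"svchost.exe", "ntdll.dll", "xpsp2res.dll", "avicap32.dll"}

# 0x10000000 is the linker's default ImageBase for DLLs. Windows system
# DLLs are rebased at build time so they do not collide, so a module that
# still sits at the default base was not built as part of Windows.
DEFAULT_DLL_BASE = 0x10000000


def parse_dlllist(text):
    """Yield (base, size, load_count, path) per data row; the header and
    divider lines do not match the row pattern and are skipped."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            base, size, count, path = m.groups()
            yield int(base, 16), int(size, 16), int(count, 16), path.strip()


def suspicious_modules(text, baseline=BASELINE):
    """Return [(path, [reasons])] for modules failing at least one check."""
    out = []
    for base, _size, _count, path in parse_dlllist(text):
        name = path.rsplit("\\", 1)[-1].lower()
        reasons = []
        if name not in baseline:
            reasons.append("not in baseline")
        if base == DEFAULT_DLL_BASE:
            reasons.append("loaded at default ImageBase 0x10000000")
        if not path.lower().startswith("c:\\windows\\"):
            reasons.append("outside C:\\WINDOWS")
        if reasons:
            out.append((path, reasons))
    return out


if __name__ == "__main__":
    for path, reasons in suspicious_modules(DLLLIST_OUTPUT):
        print(path, "->", "; ".join(reasons))
```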
Let's dump the DLLs from the process with the dlldump plugin.
Bingo: as soon as the DLLs were extracted, the suspicious DLL was quarantined by the antivirus, confirming our suspicion.
Now let's take a look at the FLD-SARIYADH-43 machine dump.
Since we now know the nature of the attack, let's review its connections first.
C:\volatility>volatility.exe -f C:\Users\Administrator\Downloads\jackcr-dfir-challenge\jackcr-challenge\FLD-SARIYADH-43\memdump.bin --profile=WinXPSP2x86 connscan
Volatility Foundation Volatility Framework 2.6
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- --------
0x01fb0d48 172.16.223.187:2109 172.16.150.10:389 640
0x02023638 172.16.223.187:1265 58.64.132.141:80 1032
0x02035ae8 172.16.223.187:1259 172.16.150.10:445 4
0x02080930 172.16.223.187:1261 172.16.150.10:135 1032
0x020859d0 172.16.223.187:1210 172.16.223.47:445 4
0x020f0d38 172.16.223.187:2179 172.16.150.10:1025 696
0x0230d448 172.16.223.187:1241 172.16.150.10:389 632
0x0770fd48 172.16.223.187:2109 172.16.150.10:389 640
0x0836a638 172.16.223.187:1265 58.64.132.141:80 1032
0x084c7930 172.16.223.187:1261 172.16.150.10:135 1032
0x084ec9d0 172.16.223.187:1210 172.16.223.47:445 4
0x08594448 172.16.223.187:1241 172.16.150.10:389 632
0x09b5cae8 172.16.223.187:1259 172.16.150.10:445 4
0x0ac37d38 172.16.223.187:2179 172.16.150.10:1025 696
0x16066d48 172.16.223.187:2109 172.16.150.10:389 640
0x164d3638 172.16.223.187:1265 58.64.132.141:80 1032
0x16610930 172.16.223.187:1261 172.16.150.10:135 1032
0x16c559d0 172.16.223.187:1210 172.16.223.47:445 4
0x1869d448 172.16.223.187:1241 172.16.150.10:389 632
0x197a5ae8 172.16.223.187:1259 172.16.150.10:445 4
0x1a32ad38 172.16.223.187:2179 172.16.150.10:1025 696
0x1f209d48 172.16.223.187:2109 172.16.150.10:389 640
Immediately we can see that process 1032 is making connections to the bad IP.
Let's take a DLL dump now with the dlldump plugin.
C:\volatility>volatility.exe -f C:\Users\Administrator\Downloads\jackcr-dfir-challenge\jackcr-challenge\FLD-SARIYADH-43\memdump.bin --profile=WinXPSP2x86 dlldump -p 1032 --dump-dir C:\Users\Administrator\Downloads\jackcr-dfir-challenge\jackcr-challenge\FLD-SARIYADH-43\
Volatility Foundation Volatility Framework 2.6
Process(V) Name         Module Base  Module Name   Result
---------- ------------ ------------ ------------- ------
0x8228fda0 svchost.exe 0x001000000 svchost.exe OK: module.1032.228fda0.1000000.dll
0x8228fda0 svchost.exe 0x07c900000 ntdll.dll OK: module.1032.228fda0.7c900000.dll
0x8228fda0 svchost.exe 0x077b90000 certcli.dll OK: module.1032.228fda0.77b90000.dll
0x8228fda0 svchost.exe 0x076d30000 WMI.dll OK: module.1032.228fda0.76d30000.dll
0x8228fda0 svchost.exe 0x077f60000 SHLWAPI.dll OK: module.1032.228fda0.77f60000.dll
0x8228fda0 svchost.exe 0x073b80000 AVICAP32.dll OK: module.1032.228fda0.73b80000.dll
0x8228fda0 svchost.exe 0x050000000 wuauserv.dll OK: module.1032.228fda0.50000000.dll
0x8228fda0 svchost.exe 0x071c80000 NETRAP.dll OK: module.1032.228fda0.71c80000.dll
0x8228fda0 svchost.exe 0x077fe0000 Secur32.dll OK: module.1032.228fda0.77fe0000.dll
0x8228fda0 svchost.exe 0x0755f0000 netcfgx.dll OK: module.1032.228fda0.755f0000.dll
0x8228fda0 svchost.exe 0x077c00000 VERSION.dll OK: module.1032.228fda0.77c00000.dll
0x8228fda0 svchost.exe 0x01a400000 urlmon.dll OK: module.1032.228fda0.1a400000.dll
0x8228fda0 svchost.exe 0x0773d0000 comctl32.dll OK: module.1032.228fda0.773d0000.dll
0x8228fda0 svchost.exe 0x071a50000 mswsock.dll OK: module.1032.228fda0.71a50000.dll
0x8228fda0 svchost.exe 0x071ad0000 WSOCK32.dll OK: module.1032.228fda0.71ad0000.dll
0x8228fda0 svchost.exe 0x001c80000 OneX.DLL OK: module.1032.228fda0.1c80000.dll
0x8228fda0 svchost.exe 0x072000000 uniplat.dll OK: module.1032.228fda0.72000000.dll
0x8228fda0 svchost.exe 0x075290000 wbemcomn.dll OK: module.1032.228fda0.75290000.dll
0x8228fda0 svchost.exe 0x076eb0000 TAPI32.dll OK: module.1032.228fda0.76eb0000.dll
0x8228fda0 svchost.exe 0x074ad0000 POWRPROF.dll OK: module.1032.228fda0.74ad0000.dll
0x8228fda0 svchost.exe 0x077d00000 netman.dll OK: module.1032.228fda0.77d00000.dll
0x8228fda0 svchost.exe 0x073000000 WINSPOOL.DRV OK: module.1032.228fda0.73000000.dll
0x8228fda0 svchost.exe 0x075310000 esscli.dll OK: module.1032.228fda0.75310000.dll
0x8228fda0 svchost.exe 0x077920000 SETUPAPI.dll OK: module.1032.228fda0.77920000.dll
0x8228fda0 svchost.exe 0x07df30000 rasmans.dll OK: module.1032.228fda0.7df30000.dll
0x8228fda0 svchost.exe 0x071b20000 MPR.dll OK: module.1032.228fda0.71b20000.dll
0x8228fda0 svchost.exe 0x05f770000 NCObjAPI.DLL OK: module.1032.228fda0.5f770000.dll
0x8228fda0 svchost.exe 0x076390000 IMM32.DLL OK: module.1032.228fda0.76390000.dll
0x8228fda0 svchost.exe 0x076fb0000 winrnr.dll OK: module.1032.228fda0.76fb0000.dll
0x8228fda0 svchost.exe 0x077c10000 msvcrt.dll OK: module.1032.228fda0.77c10000.dll
0x8228fda0 svchost.exe 0x076bd0000 raschap.dll OK: module.1032.228fda0.76bd0000.dll
0x8228fda0 svchost.exe 0x07d1e0000 msi.dll OK: module.1032.228fda0.7d1e0000.dll
0x8228fda0 svchost.exe 0x0767f0000 SCHANNEL.dll OK: module.1032.228fda0.767f0000.dll
0x8228fda0 svchost.exe 0x07e410000 USER32.dll OK: module.1032.228fda0.7e410000.dll
0x8228fda0 svchost.exe 0x076e10000 adsldpc.dll OK: module.1032.228fda0.76e10000.dll
0x8228fda0 svchost.exe 0x073030000 WZCSAPI.DLL OK: module.1032.228fda0.73030000.dll
0x8228fda0 svchost.exe 0x050640000 wups.dll OK: module.1032.228fda0.50640000.dll
0x8228fda0 svchost.exe 0x057d60000 hidphone.tsp OK: module.1032.228fda0.57d60000.dll
0x8228fda0 svchost.exe 0x076e80000 rtutils.dll OK: module.1032.228fda0.76e80000.dll
0x8228fda0 svchost.exe 0x059490000 wmisvc.dll OK: module.1032.228fda0.59490000.dll
0x8228fda0 svchost.exe 0x071aa0000 WS2HELP.dll OK: module.1032.228fda0.71aa0000.dll
0x8228fda0 svchost.exe 0x0750b0000 RESUTILS.DLL OK: module.1032.228fda0.750b0000.dll
0x8228fda0 svchost.exe 0x0726c0000 QUtil.dll OK: module.1032.228fda0.726c0000.dll
0x8228fda0 svchost.exe 0x0688f0000 HID.DLL OK: module.1032.228fda0.688f0000.dll
0x8228fda0 svchost.exe 0x074f00000 SSDPAPI.dll OK: module.1032.228fda0.74f00000.dll
0x8228fda0 svchost.exe 0x075390000 wbemess.dll OK: module.1032.228fda0.75390000.dll
0x8228fda0 svchost.exe 0x076b20000 ATL.DLL OK: module.1032.228fda0.76b20000.dll
0x8228fda0 svchost.exe 0x075130000 colbact.DLL OK: module.1032.228fda0.75130000.dll
0x8228fda0 svchost.exe 0x05f740000 ncprov.dll OK: module.1032.228fda0.5f740000.dll
0x8228fda0 svchost.exe 0x057d50000 ipconf.tsp OK: module.1032.228fda0.57d50000.dll
0x8228fda0 svchost.exe 0x076360000 WINSTA.dll OK: module.1032.228fda0.76360000.dll
0x8228fda0 svchost.exe 0x074f80000 ersvc.dll OK: module.1032.228fda0.74f80000.dll
0x8228fda0 svchost.exe 0x077b40000 Apphelp.dll OK: module.1032.228fda0.77b40000.dll
0x8228fda0 svchost.exe 0x0767c0000 w32time.dll OK: module.1032.228fda0.767c0000.dll
0x8228fda0 svchost.exe 0x0753e0000 VSSAPI.DLL OK: module.1032.228fda0.753e0000.dll
0x8228fda0 svchost.exe 0x068000000 rsaenh.dll OK: module.1032.228fda0.68000000.dll
0x8228fda0 svchost.exe 0x001610000 eappprxy.dll OK: module.1032.228fda0.1610000.dll
0x8228fda0 svchost.exe 0x0767a0000 NTDSAPI.dll OK: module.1032.228fda0.767a0000.dll
0x8228fda0 svchost.exe 0x0745b0000 eappcfg.dll OK: module.1032.228fda0.745b0000.dll
0x8228fda0 svchost.exe 0x0754d0000 CRYPTUI.dll OK: module.1032.228fda0.754d0000.dll
0x8228fda0 svchost.exe 0x066460000 ipnathlp.dll OK: module.1032.228fda0.66460000.dll
0x8228fda0 svchost.exe 0x06fbd0000 catsrv.dll OK: module.1032.228fda0.6fbd0000.dll
0x8228fda0 svchost.exe 0x072080000 xactsrv.dll OK: module.1032.228fda0.72080000.dll
0x8228fda0 svchost.exe 0x076080000 MSVCP60.dll OK: module.1032.228fda0.76080000.dll
0x8228fda0 svchost.exe 0x075a70000 MSVFW32.dll OK: module.1032.228fda0.75a70000.dll
0x8228fda0 svchost.exe 0x077690000 NTMARTA.DLL OK: module.1032.228fda0.77690000.dll
0x8228fda0 svchost.exe 0x05dca0000 iertutil.dll OK: module.1032.228fda0.5dca0000.dll
0x8228fda0 svchost.exe 0x04c0a0000 wscsvc.dll OK: module.1032.228fda0.4c0a0000.dll
0x8228fda0 svchost.exe 0x0662b0000 HNETCFG.DLL OK: module.1032.228fda0.662b0000.dll
0x8228fda0 svchost.exe 0x0478c0000 dot3api.dll OK: module.1032.228fda0.478c0000.dll
0x8228fda0 svchost.exe 0x074ed0000 wbemsvc.dll OK: module.1032.228fda0.74ed0000.dll
0x8228fda0 svchost.exe 0x0774e0000 ole32.dll OK: module.1032.228fda0.774e0000.dll
0x8228fda0 svchost.exe 0x075690000 FastProx.dll OK: module.1032.228fda0.75690000.dll
0x8228fda0 svchost.exe 0x077710000 es.dll OK: module.1032.228fda0.77710000.dll
0x8228fda0 svchost.exe 0x073d20000 seclogon.dll OK: module.1032.228fda0.73d20000.dll
0x8228fda0 svchost.exe 0x074f50000 MSIDLE.DLL OK: module.1032.228fda0.74f50000.dll
0x8228fda0 svchost.exe 0x05cb70000 ShimEng.dll OK: module.1032.228fda0.5cb70000.dll
0x8228fda0 svchost.exe 0x076790000 cryptdll.dll OK: module.1032.228fda0.76790000.dll
0x8228fda0 svchost.exe 0x076da0000 browser.dll OK: module.1032.228fda0.76da0000.dll
0x8228fda0 svchost.exe 0x0769c0000 USERENV.dll OK: module.1032.228fda0.769c0000.dll
0x8228fda0 svchost.exe 0x076fd0000 CLBCATQ.DLL OK: module.1032.228fda0.76fd0000.dll
0x8228fda0 svchost.exe 0x076bf0000 PSAPI.DLL OK: module.1032.228fda0.76bf0000.dll
0x8228fda0 svchost.exe 0x075200000 repdrvfs.dll OK: module.1032.228fda0.75200000.dll
0x8228fda0 svchost.exe 0x072810000 EapolQec.dll OK: module.1032.228fda0.72810000.dll
0x8228fda0 svchost.exe 0x0005b0000 xpsp2res.dll OK: module.1032.228fda0.5b0000.dll
0x8228fda0 svchost.exe 0x077050000 COMRes.dll OK: module.1032.228fda0.77050000.dll
0x8228fda0 svchost.exe 0x077c70000 msv1_0.dll OK: module.1032.228fda0.77c70000.dll
0x8228fda0 svchost.exe 0x06fb10000 catsrvut.dll OK: module.1032.228fda0.6fb10000.dll
0x8228fda0 svchost.exe 0x07d4b0000 dhcpcsvc.dll OK: module.1032.228fda0.7d4b0000.dll
0x8228fda0 svchost.exe 0x075090000 srvsvc.dll OK: module.1032.228fda0.75090000.dll
0x8228fda0 svchost.exe 0x0776e0000 shsvcs.dll OK: module.1032.228fda0.776e0000.dll
0x8228fda0 svchost.exe 0x071cf0000 kerberos.dll OK: module.1032.228fda0.71cf0000.dll
0x8228fda0 svchost.exe 0x077300000 schedsvc.dll OK: module.1032.228fda0.77300000.dll
0x8228fda0 svchost.exe 0x076f20000 DNSAPI.dll OK: module.1032.228fda0.76f20000.dll
0x8228fda0 svchost.exe 0x076b40000 WINMM.dll OK: module.1032.228fda0.76b40000.dll
0x8228fda0 svchost.exe 0x075150000 Cabinet.dll OK: module.1032.228fda0.75150000.dll
0x8228fda0 svchost.exe 0x057d70000 h323.tsp OK: module.1032.228fda0.57d70000.dll
0x8228fda0 svchost.exe 0x061990000 MfcSubs.dll OK: module.1032.228fda0.61990000.dll
0x8228fda0 svchost.exe 0x076b70000 rastls.dll OK: module.1032.228fda0.76b70000.dll
0x8228fda0 svchost.exe 0x0733e0000 tapisrv.dll OK: module.1032.228fda0.733e0000.dll
0x8228fda0 svchost.exe 0x076400000 netshell.dll OK: module.1032.228fda0.76400000.dll
0x8228fda0 svchost.exe 0x074f40000 pchsvc.dll OK: module.1032.228fda0.74f40000.dll
0x8228fda0 svchost.exe 0x075020000 wmiutils.dll OK: module.1032.228fda0.75020000.dll
0x8228fda0 svchost.exe 0x05b860000 NETAPI32.dll OK: module.1032.228fda0.5b860000.dll
0x8228fda0 svchost.exe 0x077e70000 RPCRT4.dll OK: module.1032.228fda0.77e70000.dll
0x8228fda0 svchost.exe 0x071a90000 wshtcpip.dll OK: module.1032.228fda0.71a90000.dll
0x8228fda0 svchost.exe 0x0600a0000 mspatcha.dll OK: module.1032.228fda0.600a0000.dll
0x8228fda0 svchost.exe 0x0606b0000 ESENT.dll OK: module.1032.228fda0.606b0000.dll
0x8228fda0 svchost.exe 0x077cc0000 ACTIVEDS.dll OK: module.1032.228fda0.77cc0000.dll
0x8228fda0 svchost.exe 0x0722d0000 sens.dll OK: module.1032.228fda0.722d0000.dll
0x8228fda0 svchost.exe 0x063000000 WININET.dll OK: module.1032.228fda0.63000000.dll
0x8228fda0 svchost.exe 0x07db10000 wzcsvc.dll OK: module.1032.228fda0.7db10000.dll
0x8228fda0 svchost.exe 0x077120000 OLEAUT32.dll OK: module.1032.228fda0.77120000.dll
0x8228fda0 svchost.exe 0x076d40000 MPRAPI.dll OK: module.1032.228fda0.76d40000.dll
0x8228fda0 svchost.exe 0x057d40000 kmddsp.tsp OK: module.1032.228fda0.57d40000.dll
0x8228fda0 svchost.exe 0x073d30000 wbemcons.dll OK: module.1032.228fda0.73d30000.dll
0x8228fda0 svchost.exe 0x076f50000 WTSAPI32.dll OK: module.1032.228fda0.76f50000.dll
0x8228fda0 svchost.exe 0x0751a0000 srsvc.dll OK: module.1032.228fda0.751a0000.dll
0x8228fda0 svchost.exe 0x0723d0000 WinSCard.dll OK: module.1032.228fda0.723d0000.dll
0x8228fda0 svchost.exe 0x0597f0000 wmiprvsd.dll OK: module.1032.228fda0.597f0000.dll
0x8228fda0 svchost.exe 0x065000000 ADVPACK.dll OK: module.1032.228fda0.65000000.dll
0x8228fda0 svchost.exe 0x071bf0000 SAMLIB.dll OK: module.1032.228fda0.71bf0000.dll
0x8228fda0 svchost.exe 0x077dd0000 ADVAPI32.dll OK: module.1032.228fda0.77dd0000.dll
0x8228fda0 svchost.exe 0x076e40000 wkssvc.dll OK: module.1032.228fda0.76e40000.dll
0x8228fda0 svchost.exe 0x075070000 trkwks.dll OK: module.1032.228fda0.75070000.dll
0x8228fda0 svchost.exe 0x076c90000 IMAGEHLP.dll OK: module.1032.228fda0.76c90000.dll
0x8228fda0 svchost.exe 0x0708b0000 audiosrv.dll OK: module.1032.228fda0.708b0000.dll
0x8228fda0 svchost.exe 0x010000000 6to4ex.dll OK: module.1032.228fda0.10000000.dll
0x8228fda0 svchost.exe 0x0014d0000 Normaliz.dll OK: module.1032.228fda0.14d0000.dll
0x8228fda0 svchost.exe 0x05d090000 comctl32.dll OK: module.1032.228fda0.5d090000.dll
0x8228fda0 svchost.exe 0x072ae0000 RASQEC.DLL OK: module.1032.228fda0.72ae0000.dll
0x8228fda0 svchost.exe 0x0750f0000 MTXCLU.DLL OK: module.1032.228fda0.750f0000.dll
0x8228fda0 svchost.exe 0x076d10000 CLUSAPI.DLL OK: module.1032.228fda0.76d10000.dll
0x8228fda0 svchost.exe 0x057cc0000 unimdm.tsp OK: module.1032.228fda0.57cc0000.dll
0x8228fda0 svchost.exe 0x076780000 SHFOLDER.dll OK: module.1032.228fda0.76780000.dll
0x8228fda0 svchost.exe 0x076fc0000 rasadhlp.dll OK: module.1032.228fda0.76fc0000.dll
0x8228fda0 svchost.exe 0x0724b0000 ntlsapi.dll OK: module.1032.228fda0.724b0000.dll
0x8228fda0 svchost.exe 0x076f60000 WLDAP32.dll OK: module.1032.228fda0.76f60000.dll
0x8228fda0 svchost.exe 0x07c800000 kernel32.dll OK: module.1032.228fda0.7c800000.dll
0x8228fda0 svchost.exe 0x057d20000 ndptsp.tsp OK: module.1032.228fda0.57d20000.dll
0x8228fda0 svchost.exe 0x077be0000 MSACM32.dll OK: module.1032.228fda0.77be0000.dll
0x8228fda0 svchost.exe 0x050040000 wuaueng.dll OK: module.1032.228fda0.50040000.dll
0x8228fda0 svchost.exe 0x076c60000 sfc_os.dll OK: module.1032.228fda0.76c60000.dll
0x8228fda0 svchost.exe 0x06f880000 AcGenral.DLL OK: module.1032.228fda0.6f880000.dll
0x8228fda0 svchost.exe 0x076e90000 rasman.dll OK: module.1032.228fda0.76e90000.dll
0x8228fda0 svchost.exe 0x071ab0000 WS2_32.dll OK: module.1032.228fda0.71ab0000.dll
0x8228fda0 svchost.exe 0x075880000 rastapi.dll OK: module.1032.228fda0.75880000.dll
0x8228fda0 svchost.exe 0x0736d0000 dot3dlg.dll OK: module.1032.228fda0.736d0000.dll
0x8228fda0 svchost.exe 0x076ce0000 cryptsvc.dll OK: module.1032.228fda0.76ce0000.dll
0x8228fda0 svchost.exe 0x0776c0000 AUTHZ.dll OK: module.1032.228fda0.776c0000.dll
0x8228fda0 svchost.exe 0x077f10000 GDI32.dll OK: module.1032.228fda0.77f10000.dll
0x8228fda0 svchost.exe 0x076d60000 iphlpapi.dll OK: module.1032.228fda0.76d60000.dll
0x8228fda0 svchost.exe 0x074370000 WINIPSEC.DLL OK: module.1032.228fda0.74370000.dll
0x8228fda0 svchost.exe 0x074f90000 dmserver.dll OK: module.1032.228fda0.74f90000.dll
0x8228fda0 svchost.exe 0x076bb0000 sfc.dll OK: module.1032.228fda0.76bb0000.dll
0x8228fda0 svchost.exe 0x076de0000 upnp.dll OK: module.1032.228fda0.76de0000.dll
0x8228fda0 svchost.exe 0x05ad70000 UxTheme.dll OK: module.1032.228fda0.5ad70000.dll
0x8228fda0 svchost.exe 0x076620000 comsvcs.dll OK: module.1032.228fda0.76620000.dll
0x8228fda0 svchost.exe 0x076c30000 WINTRUST.dll OK: module.1032.228fda0.76c30000.dll
0x8228fda0 svchost.exe 0x072240000 rasppp.dll OK: module.1032.228fda0.72240000.dll
0x8228fda0 svchost.exe 0x07e720000 SXS.DLL OK: module.1032.228fda0.7e720000.dll
0x8228fda0 svchost.exe 0x077a80000 CRYPT32.dll OK: module.1032.228fda0.77a80000.dll
0x8228fda0 svchost.exe 0x07c9c0000 SHELL32.dll OK: module.1032.228fda0.7c9c0000.dll
0x8228fda0 svchost.exe 0x0762c0000 wbemcore.dll OK: module.1032.228fda0.762c0000.dll
0x8228fda0 svchost.exe 0x0768d0000 RASDLG.dll OK: module.1032.228fda0.768d0000.dll
0x8228fda0 svchost.exe 0x076ee0000 RASAPI32.dll OK: module.1032.228fda0.76ee0000.dll
0x8228fda0 svchost.exe 0x076c00000 credui.dll OK: module.1032.228fda0.76c00000.dll
0x8228fda0 svchost.exe 0x04d4f0000 WINHTTP.dll OK: module.1032.228fda0.4d4f0000.dll
0x8228fda0 svchost.exe 0x077b20000 MSASN1.dll OK: module.1032.228fda0.77b20000.dll
The line below confirms that this system too is infected: the same 6to4ex.dll is loaded inside svchost.exe (PID 1032).
0x8228fda0 svchost.exe 0x010000000 6to4ex.dll
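As an added example (not part of the original post or of the challenge material), a small Python check that applies the reasoning used here to dlldump output: it flags any module loaded at 0x10000000, the default image base the Microsoft linker gives a DLL that was never rebased, which is exactly how 6to4ex.dll stands out among the rebased system DLLs in the listing. The sample rows are a constructed excerpt of the listing above.

```python
import re

# Constructed excerpt of the Volatility 2 dlldump listing above (four of the ~120 rows).
DLLDUMP_SAMPLE = """\
0x8228fda0 svchost.exe 0x07c800000 kernel32.dll OK: module.1032.228fda0.7c800000.dll
0x8228fda0 svchost.exe 0x001610000 eappprxy.dll OK: module.1032.228fda0.1610000.dll
0x8228fda0 svchost.exe 0x010000000 6to4ex.dll OK: module.1032.228fda0.10000000.dll
0x8228fda0 svchost.exe 0x077e70000 RPCRT4.dll OK: module.1032.228fda0.77e70000.dll
"""

# Columns: Offset(V) Name Module-Base Module-Name Result
ROW = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+(?P<process>\S+)\s+(?P<base>0x[0-9a-fA-F]+)\s+"
    r"(?P<module>\S+)\s+(?P<status>OK|Error):\s*(?P<detail>.*)$"
)
# Default image base the Microsoft linker assigns to a DLL that was never rebased.
# Windows ships its own system DLLs rebased away from it, so a module sitting exactly
# here inside a service host is worth a closer look.
DEFAULT_DLL_BASE = 0x10000000

def parse_dlldump(text):
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue            # banner, header and rule lines
        d = m.groupdict()
        d["base"] = int(d["base"], 16)
        pid = re.search(r"module\.(\d+)\.", d["detail"])   # pid is encoded in the dump name
        d["pid"] = int(pid.group(1)) if pid else None
        rows.append(d)
    return rows

def suspicious_modules(text):
    """Modules loaded at the un-rebased default base, e.g. an injected DLL."""
    return [r for r in parse_dlldump(text) if r["base"] == DEFAULT_DLL_BASE]

if __name__ == "__main__":
    for r in suspicious_modules(DLLDUMP_SAMPLE):
        print(f"{r['process']} pid {r['pid']}: {r['module']} at {r['base']:#x} -> {r['detail']}")
```

A hit here is a lead, not a verdict: the dumped module file named in the last column is what you submit to a sandbox or strings analysis next.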
Let's take a look at the download history with the iehistory plugin.
C:\volatility>volatility.exe -f C:\Users\Administrator\Downloads\jackcr-dfir-challenge\jackcr-challenge\FLD-SARIYADH-43\memdump.bin --profile=WinXPSP2x86 iehistory
Volatility Foundation Volatility Framework 2.6
**************************************************
Process: 296 explorer.exe
Cache type “DEST” at 0xdc661
Last modified: 2012-11-27 03:17:56 UTC+0000
Last accessed: 2012-11-27 00:17:58 UTC+0000
URL: amirs@http://58.64.132.8/download/Symantec-1.43-1.exe
Analyzing the memory dump of process 1032 shows that it tried to run batch files on the domain controller via PsExec, but the attempts did not succeed:
Local time (GMT-06:00) at \\DC-USTXHOU is 11/26/2012 7:27 PM
The command completed successfully.
[Strings recovered from the surrounding process memory; the binary bytes around them are not reproduced: .exe, netuse.dll, ps.exe, ra.exe, sl.exe, system2.bat, system3.bat, system4.bat, wc.exe]
Connecting to 172.16.223.47…
Starting PsExec service on 172.16.223.47…
Connecting with PsExec service on 172.16.223.47…
Copying c:\windows\system1.bat to 172.16.223.47…
Starting c:\windows\system1.bat on 172.16.223.47…
system1.bat exited on 172.16.223.47 with error code 1.
We can also see that Windows Credentials Editor was used to dump NTLM credentials, and the accounts below were compromised:
amirs\PETRO-MARKET
NETWORK SERVICE\PETRO-MARKET
FLD-SARIYADH-43$\PETRO-MARKET
The following files were copied into C:\WINDOWS\webui:
11/27/2012 04:19 AM <DIR> .
11/27/2012 04:19 AM <DIR> ..
11/27/2012 03:20 AM 303,104 gs.exe
11/27/2012 03:23 AM 10,454 netuse.dll
11/27/2012 03:20 AM 381,816 ps.exe
11/27/2012 03:20 AM 403,968 ra.exe
11/27/2012 03:20 AM 20,480 sl.exe
11/27/2012 03:56 AM 69 system2.bat
11/27/2012 03:59 AM 56 system3.bat
11/27/2012 04:11 AM 131 system4.bat
11/27/2012 04:19 AM 88 system5.bat
11/27/2012 03:20 AM 208,384 wc.exe
10 File(s) 1,328,550 bytes
2 Dir(s) 6,992,097,280 bytes free
IIS-SARIYADH-03
Let's take a look at the processes that were running on this machine.
C:\volatility>volatility.exe -f C:\Users\Administrator\Downloads\jackcr-dfir-challenge\jackcr-challenge\IIS-SARIYADH-03\memdump.bin --profile=Win2003SP0x86 pslist
Volatility Foundation Volatility Framework 2.6
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x822b07a8 System 4 0 60 434 ------ 0
0x82103020 smss.exe 404 4 3 17 ------ 0 2012-11-26 22:04:57 UTC+0000
0x820ecd88 csrss.exe 452 404 11 388 0 0 2012-11-26 22:04:58 UTC+0000
0x82003d88 winlogon.exe 484 404 17 514 0 0 2012-11-26 22:05:00 UTC+0000
0x81ff9b08 services.exe 528 484 16 289 0 0 2012-11-26 22:05:01 UTC+0000
0x81ff45c8 lsass.exe 540 484 36 487 0 0 2012-11-26 22:05:01 UTC+0000
0x81fe9d88 svchost.exe 768 528 10 184 0 0 2012-11-26 22:05:03 UTC+0000
0x81fb9cd8 svchost.exe 848 528 8 126 0 0 2012-11-26 22:05:03 UTC+0000
0x81fbc020 svchost.exe 868 528 5 78 0 0 2012-11-26 22:05:03 UTC+0000
0x81fb3668 svchost.exe 900 528 45 807 0 0 2012-11-26 22:05:03 UTC+0000
0x81f9c498 spoolsv.exe 1084 528 8 103 0 0 2012-11-26 22:05:19 UTC+0000
0x81f92020 msdtc.exe 1112 528 19 163 0 0 2012-11-26 22:05:19 UTC+0000
0x81f84888 svchost.exe 1260 528 2 52 0 0 2012-11-26 22:05:27 UTC+0000
0x81f7ac78 inetinfo.exe 1312 528 8 151 0 0 2012-11-26 22:05:27 UTC+0000
0x81f82ad8 svchost.exe 1344 528 2 33 0 0 2012-11-26 22:05:27 UTC+0000
0x81f77388 wins.exe 1388 528 19 196 0 0 2012-11-26 22:05:27 UTC+0000
0x81c94d88 dfssvc.exe 1608 528 9 70 0 0 2012-11-26 22:05:31 UTC+0000
0x81f6a9d0 svchost.exe 1656 528 15 138 0 0 2012-11-26 22:05:31 UTC+0000
0x81c39608 explorer.exe 1928 1896 9 277 0 0 2012-11-26 22:05:47 UTC+0000
0x81c0c200 svchost.exe 256 528 15 120 0 0 2012-11-26 22:06:05 UTC+0000
0x81bff828 wuauclt.exe 860 900 5 69 0 0 2012-11-26 22:06:44 UTC+0000
0x81bfc268 wmiprvse.exe 1080 768 4 136 0 0 2012-11-26 22:06:44 UTC+0000
0x81f7f2b0 PSEXESVC.EXE 268 528 4 85 0 0 2012-11-27 00:05:49 UTC+0000
0x81c3f020 cmd.exe 756 1928 1 22 0 0 2012-11-27 01:50:29 UTC+0000
0x81f8d020 mdd.exe 508 756 1 25 0 0 2012-11-27 01:52:37 UTC+0000
Yarascan found no trace of the bad IP or of the Gh0st string in this memory image, but the process below shows that commands were executed against this machine over PsExec and data was extracted successfully.
PSEXESVC.EXE 268 528 4 85 0 0 2012-11-27 00:05:49
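The triage done by eye above, as an added Python example (not from the original post or the challenge): parse Volatility 2 pslist rows, resolve each process's parent, and flag the PsExec service plus anything started long after the boot-time cluster. The rows are a constructed excerpt of the IIS-SARIYADH-03 listing, and the one-hour threshold is an assumed tuning value.

```python
import re
from datetime import datetime, timedelta

# Constructed excerpt of the pslist output above for IIS-SARIYADH-03 (dates use
# plain hyphens, as Volatility prints them).
PSLIST_SAMPLE = """\
0x822b07a8 System                    4      0     60      434 ------      0
0x81ff9b08 services.exe            528    484     16      289      0      0 2012-11-26 22:05:01 UTC+0000
0x81c39608 explorer.exe           1928   1896      9      277      0      0 2012-11-26 22:05:47 UTC+0000
0x81f7f2b0 PSEXESVC.EXE            268    528      4       85      0      0 2012-11-27 00:05:49 UTC+0000
0x81c3f020 cmd.exe                 756   1928      1       22      0      0 2012-11-27 01:50:29 UTC+0000
0x81f8d020 mdd.exe                 508    756      1       25      0      0 2012-11-27 01:52:37 UTC+0000
"""

# Columns: Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start [Exit]; Start is absent for System.
ROW = re.compile(
    r"^(?P<offset>0x[0-9a-f]+)\s+(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+"
    r"(?P<thds>\d+)\s+(?P<hnds>\d+)\s+(?P<sess>\S+)\s+(?P<wow64>\d+)"
    r"(?:\s+(?P<start>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}))?"
)

def parse_pslist(text):
    procs = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue            # banner, header and rule lines
        d = m.groupdict()
        d["pid"], d["ppid"] = int(d["pid"]), int(d["ppid"])
        d["start"] = datetime.strptime(d["start"], "%Y-%m-%d %H:%M:%S") if d["start"] else None
        procs.append(d)
    return procs

def triage(procs, late_after=timedelta(hours=1)):
    """Return (name, pid, reason) for the PsExec service and for late starters.
    The analyst still judges each hit: mdd.exe is the acquisition tool, so it is expected."""
    by_pid = {p["pid"]: p for p in procs}
    starts = [p["start"] for p in procs if p["start"]]
    boot = min(starts) if starts else None     # earliest start stands in for boot time
    findings = []
    for p in procs:
        parent = by_pid.get(p["ppid"])
        pname = parent["name"] if parent else "?"
        if p["name"].lower() == "psexesvc.exe":
            findings.append((p["name"], p["pid"], f"PsExec service under {pname}: remote execution"))
        if boot and p["start"] and p["start"] - boot > late_after:
            findings.append((p["name"], p["pid"], f"started {p['start'] - boot} after boot, parent {pname}"))
    return findings
```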
Putting it all Together
We can conclude that a phishing attack was carried out via email: users on ENG-USTXHOU-148 and FLD-SARIYADH-43 downloaded Symantec-1.43-1.exe, which then injected the malicious DLL 6to4ex.dll into svchost.exe.
It then created the folder C:\WINDOWS\webui. Next, the attacker used Windows Credentials Editor to harvest credentials and attempted lateral movement towards DC-USTXHOU and IIS-SARIYADH-03.
It mapped a Z: drive to IIS-SARIYADH-03 and executed a number of commands.
Although neither of those two machines was itself infected, we can safely say that a number of commands were executed against IIS-SARIYADH-03 and data was extracted.