Introduction

This is the first post of a multi-part series in which we will walk through the basics of volatile memory analysis with Volatility. Some knowledge of Windows internals is desirable, but I will try to cover things as we progress. In this post we will start analyzing the Coreflood Trojan with basic commands and gradually move on to more advanced concepts.

What is Coreflood Trojan?

Coreflood is a trojan horse and botnet created by a group of Russian hackers and released in 2010. The FBI included on its list of infected systems “approximately 17 state or local government agencies, including one police department; three airports; two defense contractors; five banks or financial institutions; approximately 30 colleges or universities; approximately 20 hospital or health care companies; and hundreds of businesses.”[1] It is present on more than 2.3 million computers worldwide and as of May 2011 remains a threat.

Wikipedia

Now that we know about Coreflood, we need a memory dump to start the analysis. You can download the .vmem file from the link below.

How to set up Volatility?

For a quick setup of the Volatility Framework and a hands-on tutorial, please follow the article below.

Forensic Analysis for beginners using Volatility Framework

To start the investigation we need to find the profile of the system from which the memory dump was collected. The profile decides which data structures, algorithms and symbols the Volatility Framework will use. To find it, we will use the imageinfo plugin, which provides a high-level summary of the memory sample.

C:\volatility>volatility.exe -f C:\dumps\coreflood.vmem imageinfo


Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace (C:\dumps\coreflood.vmem)
                      PAE type : PAE
                           DTB : 0x319000L
                          KDBG : 0x80544ce0L
          Number of Processors : 1
     Image Type (Service Pack) : 2
                KPCR for CPU 0 : 0xffdff000L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2010-08-15 18:24:00 UTC+0000
     Image local date and time : 2010-08-15 14:24:00 -0400

Next, let's list the processes that were running on the machine. For this we will use the pslist plugin.

Before moving ahead, let's take a look at how the pslist plugin works. It walks the doubly linked list of _EPROCESS structures that PsActiveProcessHead points to, so it reports what the kernel itself considers the active processes; a process that has been unlinked from that list will not appear here.

C:\volatility>volatility.exe -f C:\dumps\coreflood.vmem --profile=WinXPSP3x86 pslist > C:\dumps\coreflood\pslist.txt

Note that we are using --profile=WinXPSP3x86 from the imageinfo output and redirecting the output to pslist.txt. By redirecting the output to a text file, we can refer to it without running the plugin again.

Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x810b1660 System                    4      0     58      183 ------      0
0xff2ab020 smss.exe                544      4      3       21 ------      0 2010-08-
0xff1ecda0 csrss.exe               608    544     10      369      0      0 2010-08-
0xff1ec978 winlogon.exe            632    544     20      518      0      0 2010-08-
0xff247020 services.exe            676    632     16      269      0      0 2010-08-
0xff255020 lsass.exe               688    632     19      344      0      0 2010-08-
0xff218230 vmacthlp.exe            844    676      1       24      0      0 2010-08-
0x80ff88d8 svchost.exe             856    676     17      199      0      0 2010-08-
0xff217560 svchost.exe             936    676     10      272      0      0 2010-08-
0x80fbf910 svchost.exe            1028    676     71     1341      0      0 2010-08-
0xff22d558 svchost.exe            1088    676      5       80      0      0 2010-08-
0xff203b80 svchost.exe            1148    676     14      208      0      0 2010-08-
0xff1d7da0 spoolsv.exe            1432    676     13      135      0      0 2010-08-
0xff1b8b28 vmtoolsd.exe           1668    676      5      221      0      0 2010-08-
0xff1fdc88 VMUpgradeHelper        1788    676      4      100      0      0 2010-08-
0xff143b28 TPAutoConnSvc.e        1968    676      5      100      0      0 2010-08-
0xff25a7e0 alg.exe                 216    676      6      105      0      0 2010-08-
0xff364310 wscntfy.exe             888   1028      1       27      0      0 2010-08-
0xff38b5f8 TPAutoConnect.e        1084   1968      1       61      0      0 2010-08-
0xff3865d0 explorer.exe           1724   1708     12      341      0      0 2010-08-
0xff3667e8 VMwareTray.exe          432   1724      1       49      0      0 2010-08-
0xff374980 VMwareUser.exe          452   1724      6      189      0      0 2010-08-
0x80f94588 wuauclt.exe             468   1028      4      134      0      0 2010-08-
0xff3ad1a8 IEXPLORE.EXE           2044   1724     10      366      0      0 2010-08-
0x80fdc368 logon.scr               124    632      1       15      0      0 2010-08-
0xff125020 cmd.exe                1136   1668      0 --------      0      0 2010-08-

Just looking at the process list can give some immediate clues worthy of further investigation. From the list above we can note the following points:

Let's take a look at the process tree by running the pstree plugin.

pstree takes the output of pslist and formats it as a tree, so we can easily see parent and child relationships.

C:\volatility>volatility.exe -f C:\dumps\coreflood.vmem --profile=WinXPSP3x86 pstree > C:\dumps\coreflood\pstree.txt

Name                                                  Pid   PPid   Thds   Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
 0x810b1660:System                                      4      0     58    183 1970-
. 0xff2ab020:smss.exe                                 544      4      3     21 2010-
.. 0xff1ec978:winlogon.exe                            632    544     20    518 2010-0
... 0xff255020:lsass.exe                              688    632     19    344 2010-
... 0xff247020:services.exe                           676    632     16    269 2010-
.... 0xff1b8b28:vmtoolsd.exe                         1668    676      5    221 2010-
..... 0xff125020:cmd.exe                             1136   1668      0 ------ 2010-
.... 0x80ff88d8:svchost.exe                           856    676     17    199 2010-
.... 0xff1d7da0:spoolsv.exe                          1432    676     13    135 2010-
.... 0x80fbf910:svchost.exe                          1028    676     71   1341 2010-
..... 0x80f94588:wuauclt.exe                          468   1028      4    134 2010-
..... 0xff364310:wscntfy.exe                          888   1028      1     27 2010-
.... 0xff217560:svchost.exe                           936    676     10    272 2010-
.... 0xff143b28:TPAutoConnSvc.e                      1968    676      5    100 2010-
..... 0xff38b5f8:TPAutoConnect.e                     1084   1968      1     61 2010-
.... 0xff22d558:svchost.exe                          1088    676      5     80 2010-
.... 0xff218230:vmacthlp.exe                          844    676      1     24 2010-
.... 0xff25a7e0:alg.exe                               216    676      6    105 2010-
.... 0xff203b80:svchost.exe                          1148    676     14    208 2010-
.... 0xff1fdc88:VMUpgradeHelper                      1788    676      4    100 2010-
... 0x80fdc368:logon.scr                              124    632      1     15 2010-
.. 0xff1ecda0:csrss.exe                               608    544     10    369 2010-
 0xff3865d0:explorer.exe                             1724   1708     12    341 2010-
. 0xff3667e8:VMwareTray.exe                           432   1724      1     49 2010-
. 0xff374980:VMwareUser.exe                           452   1724      6    189 2010-
. 0xff3ad1a8:IEXPLORE.EXE                            2044   1724     10    366 2010-
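The parent/child relationships that pstree draws can also be checked mechanically. The following is an added example, not code from the original post: it parses the pslist text above and flags processes whose parent is missing from the list, processes with zero threads (exited, but still linked), and core XP system processes whose parent is not the one expected. The expected-parent table is general Windows XP knowledge, not something the page states.

```python
from collections import namedtuple

# Constructed sample: a subset of the pslist rows shown above (the truncated
# Start/Exit columns are omitted, as they are in the page's output).
PSLIST_SAMPLE = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64
---------- -------------------- ------ ------ ------ -------- ------ ------
0x810b1660 System                    4      0     58      183 ------      0
0xff2ab020 smss.exe                544      4      3       21 ------      0
0xff1ecda0 csrss.exe               608    544     10      369      0      0
0xff1ec978 winlogon.exe            632    544     20      518      0      0
0xff247020 services.exe            676    632     16      269      0      0
0xff255020 lsass.exe               688    632     19      344      0      0
0x80ff88d8 svchost.exe             856    676     17      199      0      0
0xff1b8b28 vmtoolsd.exe           1668    676      5      221      0      0
0xff3865d0 explorer.exe           1724   1708     12      341      0      0
0xff3ad1a8 IEXPLORE.EXE           2044   1724     10      366      0      0
0xff125020 cmd.exe                1136   1668      0 --------      0      0
"""

Proc = namedtuple("Proc", "offset name pid ppid threads handles")

def parse_pslist(text):
    """Parse the fixed-width pslist table into Proc records."""
    procs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("0x"):
            continue  # header, separator or blank line
        handles = None if parts[5].startswith("-") else int(parts[5])
        procs.append(Proc(parts[0], parts[1], int(parts[2]), int(parts[3]),
                          int(parts[4]), handles))
    return procs

# Expected parent of the core Windows XP system processes (general XP
# knowledge, not taken from the page). Names are compared case-insensitively.
EXPECTED_PARENT = {
    "smss.exe": "system", "csrss.exe": "smss.exe", "winlogon.exe": "smss.exe",
    "services.exe": "winlogon.exe", "lsass.exe": "winlogon.exe",
    "svchost.exe": "services.exe",
}

def triage(procs):
    """Return (pid, name, reason) tuples for processes worth a closer look."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        if parent is None and p.pid != 4:
            findings.append((p.pid, p.name, "parent PID %d is not in the list" % p.ppid))
        if p.threads == 0:
            findings.append((p.pid, p.name, "0 threads: exited, _EPROCESS still linked"))
        want = EXPECTED_PARENT.get(p.name.lower())
        if want and parent is not None and parent.name.lower() != want:
            findings.append((p.pid, p.name, "unexpected parent %s (expected %s)" % (parent.name, want)))
    return findings

if __name__ == "__main__":
    for pid, name, reason in triage(parse_pslist(PSLIST_SAMPLE)):
        print("%5d %-14s %s" % (pid, name, reason))
```

On this dump the two findings are benign: explorer.exe's missing parent 1708 is userinit.exe, which exits after logon, and cmd.exe has simply terminated; the value of the check is that it makes the unexpected cases stand out on a larger list.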

From the above output we can say:

Next we will take a look at the cmdscan and consoles plugins.

CMDSCAN Plugin

cmdscan scans the memory of csrss.exe (on XP and 2003; conhost.exe on Windows 7 and later) for _COMMAND_HISTORY structures, which hold the commands typed into a console, and reports them per console application.

Consoles Plugin

The consoles plugin instead looks for console information (_CONSOLE_INFORMATION). In doing so, it has access to the screen buffers that contain all lines of input and output that fit within the current width and height of the console window.

C:\volatility>volatility.exe -f C:\dumps\coreflood.vmem --profile=WinXPSP3x86 cmdscan
Volatility Foundation Volatility Framework 2.6
**************************************************
CommandProcess: csrss.exe Pid: 608
CommandHistory: 0xf786f8 Application: TPAutoConnect.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x448

Output of the consoles plugin:

C:\volatility>volatility.exe -f C:\dumps\coreflood.vmem --profile=WinXPSP3x86 consoles
Volatility Foundation Volatility Framework 2.6
**************************************************
ConsoleProcess: csrss.exe Pid: 608
Console: 0x4e23b0 CommandHistorySize: 50
HistoryBufferCount: 1 HistoryBufferMax: 4
OriginalTitle: C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe
Title: C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe
AttachedProcess: TPAutoConnect.e Pid: 1084 Handle: 0x448
----
CommandHistory: 0xf786f8 Application: TPAutoConnect.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x448
----
Screen 0x4e2ab0 X:80 Y:25
Dump:
TPAutoConnect User Agent, Copyright (c) 1999-2009 ThinPrint AG, 7.17.512.1
**************************************************
ConsoleProcess: csrss.exe Pid: 608
Console: 0xf78958 CommandHistorySize: 50
HistoryBufferCount: 2 HistoryBufferMax: 4
OriginalTitle: ??ystemRoot%\system32\cmd.exe
Title:

Next we will check the network activity on the host. Most trojans communicate with a command and control server, and analyzing the network activity on the host can give important clues.

We will start with the connscan plugin.

To find _TCPT_OBJECT structures using pool tag scanning, use the connscan command. This can find artifacts from previous connections that have since been terminated, in addition to the active ones.

C:\volatility>volatility.exe -f C:\dumps\coreflood.vmem --profile=WinXPSP3x86 connscan > C:\dumps\coreflood\connscan.txt

Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x00eda590 172.16.176.143:1058       65.54.81.209:80           2044
0x01079e70 172.16.176.143:1082       209.234.234.16:80         2044
0x0107c888 172.16.176.143:1059       4.23.40.126:80            2044
0x0108fcd8 172.16.176.143:1072       65.55.15.124:80           2044
0x010fa448 172.16.176.143:1065       65.55.253.21:80           2044
0x02214988 172.16.176.143:1092       65.54.81.14:80            2044
0x026c68a8 172.16.176.143:1074       65.55.15.243:80           2044
0x02ae4bb0 172.16.176.143:1073       65.55.15.123:80           2044
0x048b25f0 172.16.176.143:1085       65.55.149.119:80          2044
0x04a045f8 172.16.176.143:1057       65.54.81.49:80            2044
0x04a04e70 172.16.176.143:1095       69.43.160.145:80          2044
0x04a4a4a0 172.16.176.143:1084       12.120.180.24:80          2044
0x04be2558 172.16.176.143:1079       65.54.81.22:80            2044
0x05536e70 172.16.176.143:1090       65.54.81.14:80            2044
0x05802340 172.16.176.143:1062       65.55.18.18:80            2044
0x05c9e200 172.16.176.143:1067       65.54.81.14:80            2044
0x05deea30 172.16.176.143:1068       65.54.81.14:80            2044
0x06015ab0 172.16.176.143:1053       207.46.170.10:80          2044
0x0605f208 172.16.176.143:1086       202.89.231.60:80          2044
0x06125538 172.16.176.143:1083       65.54.81.79:80            2044
0x0623a438 172.16.176.143:1066       96.6.41.210:80            2044
0x06450720 172.16.176.143:1077       65.55.149.121:80          2044
0x064509f0 172.16.176.143:1063       64.4.18.73:80             2044
0x06497a68 172.16.176.143:1075       65.55.15.124:80           2044
0x067bd218 172.16.176.143:1070       65.54.81.209:80           2044
0x07c17be0 172.16.176.143:1060       65.55.239.161:80          2044
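Twenty-odd rows for one PID are easier to reason about once they are grouped. As an added example (not code from the original post), the following parses the connscan output above and summarizes, per PID, the number of connections, distinct remote hosts, remote ports and the busiest hosts and /24 networks; the process-name map it takes is meant to come from the pslist output, and the sample rows are a subset of the table above.

```python
import ipaddress
from collections import Counter, defaultdict, namedtuple

# Constructed sample: a subset of the connscan rows shown above.
CONNSCAN_SAMPLE = """\
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x00eda590 172.16.176.143:1058       65.54.81.209:80           2044
0x02214988 172.16.176.143:1092       65.54.81.14:80            2044
0x05536e70 172.16.176.143:1090       65.54.81.14:80            2044
0x05c9e200 172.16.176.143:1067       65.54.81.14:80            2044
0x04a04e70 172.16.176.143:1095       69.43.160.145:80          2044
0x0605f208 172.16.176.143:1086       202.89.231.60:80          2044
0x067bd218 172.16.176.143:1070       65.54.81.209:80           2044
"""

Conn = namedtuple("Conn", "offset local_ip local_port remote_ip remote_port pid")

def parse_connscan(text):
    """Parse connscan rows; header, separator and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].startswith("0x"):
            continue
        lip, lport = parts[1].rsplit(":", 1)
        rip, rport = parts[2].rsplit(":", 1)
        conns.append(Conn(parts[0], lip, int(lport), rip, int(rport), int(parts[3])))
    return conns

def summarize_by_pid(conns, names=None):
    """Per PID: connection count, distinct hosts, ports, busiest hosts and /24s."""
    names = names or {}
    per_pid = defaultdict(list)
    for c in conns:
        per_pid[c.pid].append(c)
    summary = {}
    for pid, rows in per_pid.items():
        hosts = Counter(c.remote_ip for c in rows)
        # Group remote hosts by /24 so that clusters of related servers stand out.
        nets = Counter(str(ipaddress.ip_network(c.remote_ip + "/24", strict=False))
                       for c in rows)
        summary[pid] = {
            "name": names.get(pid, "?"),
            "connections": len(rows),
            "distinct_hosts": len(hosts),
            "remote_ports": sorted({c.remote_port for c in rows}),
            "top_hosts": hosts.most_common(3),
            "top_nets": nets.most_common(3),
        }
    return summary

if __name__ == "__main__":
    names = {2044: "IEXPLORE.EXE"}  # taken from the pslist output above
    for pid, s in summarize_by_pid(parse_connscan(CONNSCAN_SAMPLE), names).items():
        print("%s (%d): %d connections to %d hosts, ports %s" % (
            s["name"], pid, s["connections"], s["distinct_hosts"], s["remote_ports"]))
        print("  busiest hosts:", s["top_hosts"], " busiest /24s:", s["top_nets"])
```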

Next we will take a look at the output of the sockets plugin.

C:\volatility>volatility.exe -f C:\dumps\coreflood.vmem --profile=WinXPSP3x86 sockets > C:\dumps\coreflood\sockets.txt

Offset(V)       PID   Port  Proto Protocol        Address         Create Time
---------- -------- ------ ------ --------------- --------------- -----------
0x80fd1008        4      0     47 GRE             0.0.0.0         2010-08-11 06:08:00 
0xff158c00     2044   1052     17 UDP             127.0.0.1       2010-08-15 18:11:19 
0xff258008      688    500     17 UDP             0.0.0.0         2010-08-11 06:06:35 
0xff2984a0     1088   1078     17 UDP             0.0.0.0         2010-08-15 18:11:23 
0xff367008        4    445      6 TCP             0.0.0.0         2010-08-11 06:06:17 
0x80ffc128      936    135      6 TCP             0.0.0.0         2010-08-11 06:06:24 
0xff225b70      688      0    255 Reserved        0.0.0.0         2010-08-11 06:06:35 
0xff254008     1028    123     17 UDP             127.0.0.1       2010-08-15 18:24:00 
0x80fce930     1088   1025     17 UDP             0.0.0.0         2010-08-11 06:06:38 
0xff127d28      216   1026      6 TCP             127.0.0.1       2010-08-11 06:06:39 
0xff3a97a0     1088   1061     17 UDP             0.0.0.0         2010-08-15 18:11:21 
0xff12b580     1148   1900     17 UDP             127.0.0.1       2010-08-15 18:24:00 
0xff1b8250      688   4500     17 UDP             0.0.0.0         2010-08-11 06:06:35 
0xff382e98        4   1033      6 TCP             0.0.0.0         2010-08-11 06:08:00 
0x80fbdc40        4    445     17 UDP             0.0.0.0         2010-08-11 06:06:17 

To sum up, we have executed and analyzed all the basic Volatility plugins and so far we have no clue of malicious activity on the host. cmd.exe and IEXPLORE.EXE, the processes that come under the scanner by default, do not look suspicious from the basic analysis, so we have to dig deeper. Before using more sophisticated plugins, as a matter of habit I always analyze the environment variables set on the host.

To display the environment variables in use by each process we will run the envars plugin, which lists all environment variables of every process.

C:\volatility>volatility.exe -f C:\dumps\coreflood.vmem --profile=WinXPSP3x86 envars > C:\dumps\coreflood\envars.txt

Here we will just show the interesting parts of the output:

...
2044 IEXPLORE.EXE         0x00010000 ALLUSERSPROFILE                C:\Documents and Settings\All Users
2044 IEXPLORE.EXE         0x00010000 APPDATA                        C:\Documents and Settings\Administrator\Application Data
2044 IEXPLORE.EXE         0x00010000 CLIENTNAME                     Console
2044 IEXPLORE.EXE         0x00010000 CommonProgramFiles             C:\Program Files\Common Files
2044 IEXPLORE.EXE         0x00010000 COMPUTERNAME                   BILLY-DB5B96DD3
2044 IEXPLORE.EXE         0x00010000 ComSpec                        C:\WINDOWS\system32\cmd.exe
2044 IEXPLORE.EXE         0x00010000 FP_NO_HOST_CHECK               NO
2044 IEXPLORE.EXE         0x00010000 GIEVMXDVLMISML                 EWONSYG
2044 IEXPLORE.EXE         0x00010000 HOMEDRIVE                      C:
2044 IEXPLORE.EXE         0x00010000 HOMEPATH                       \Documents and Settings\Administrator
2044 IEXPLORE.EXE         0x00010000 LOGONSERVER                    \\BILLY-DB5B96DD3
2044 IEXPLORE.EXE         0x00010000 NUMBER_OF_PROCESSORS           1
2044 IEXPLORE.EXE         0x00010000 OS                             Windows_NT
2044 IEXPLORE.EXE         0x00010000 Path                           C:\Program Files\Internet Explorer;;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
2044 IEXPLORE.EXE         0x00010000 PATHEXT                        .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
2044 IEXPLORE.EXE         0x00010000 PROCESSOR_ARCHITECTURE         x86
2044 IEXPLORE.EXE         0x00010000 PROCESSOR_IDENTIFIER           x86 Family 6 Model 23 Stepping 10, GenuineIntel
2044 IEXPLORE.EXE         0x00010000 PROCESSOR_LEVEL                6
2044 IEXPLORE.EXE         0x00010000 PROCESSOR_REVISION             170a
2044 IEXPLORE.EXE         0x00010000 ProgramFiles                   C:\Program Files
2044 IEXPLORE.EXE         0x00010000 SESSIONNAME                    Console
2044 IEXPLORE.EXE         0x00010000 SystemDrive                    C:
2044 IEXPLORE.EXE         0x00010000 SystemRoot                     C:\WINDOWS
2044 IEXPLORE.EXE         0x00010000 TEMP                           C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
2044 IEXPLORE.EXE         0x00010000 TMP                            C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
2044 IEXPLORE.EXE         0x00010000 USERDOMAIN                     BILLY-DB5B96DD3
2044 IEXPLORE.EXE         0x00010000 USERNAME                       Administrator
2044 IEXPLORE.EXE         0x00010000 USERPROFILE                    C:\Documents and Settings\Administrator
2044 IEXPLORE.EXE         0x00010000 windir                         C:\WINDOWS
 124 logon.scr            0x00010000 ALLUSERSPROFILE                C:\Documents and Settings\All Users
 124 logon.scr            0x00010000 CommonProgramFiles             C:\Program Files\Common Files
 124 logon.scr            0x00010000 COMPUTERNAME                   BILLY-DB5B96DD3
 124 logon.scr            0x00010000 ComSpec                        C:\WINDOWS\system32\cmd.exe
 124 logon.scr            0x00010000 FP_NO_HOST_CHECK               NO
2044 IEXPLORE.EXE         0x00010000   GIEVMXDVLMISML                 EWONSYG

If you take a close look at the line above, you will observe that PID 2044 is using a very strangely named environment variable with an even stranger value. A quick Google search did not reveal anything, and this is the first clue that something suspicious is going on with PID 2044, IEXPLORE.EXE. Going ahead, we should focus our investigation on this process.
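Spotting one odd name in a full envars listing by eye does not scale, so the check is worth automating. The following is an added example, not code from the original post: it parses the envars output above, compares every variable name against a baseline of standard Windows XP names (built from the variables the other processes above carry, plus general XP knowledge), and reports each unknown name together with the PIDs that carry it. A variable in the system or user environment shows up in every process of the session, so one that exists in a single process was set at run time in that process's own block, which is the more interesting case.

```python
from collections import defaultdict, namedtuple

# Constructed sample: a few rows in the envars output format shown above
# (values taken from the page; header line assumed).
ENVARS_SAMPLE = r"""
Pid      Process              Block      Variable                       Value
-------- -------------------- ---------- ------------------------------ -----
    2044 IEXPLORE.EXE         0x00010000 ALLUSERSPROFILE                C:\Documents and Settings\All Users
    2044 IEXPLORE.EXE         0x00010000 COMPUTERNAME                   BILLY-DB5B96DD3
    2044 IEXPLORE.EXE         0x00010000 ComSpec                        C:\WINDOWS\system32\cmd.exe
    2044 IEXPLORE.EXE         0x00010000 GIEVMXDVLMISML                 EWONSYG
    2044 IEXPLORE.EXE         0x00010000 Path                           C:\Program Files\Internet Explorer;;C:\WINDOWS\system32
    2044 IEXPLORE.EXE         0x00010000 USERNAME                       Administrator
     124 logon.scr            0x00010000 ALLUSERSPROFILE                C:\Documents and Settings\All Users
     124 logon.scr            0x00010000 COMPUTERNAME                   BILLY-DB5B96DD3
     124 logon.scr            0x00010000 ComSpec                        C:\WINDOWS\system32\cmd.exe
"""

Envar = namedtuple("Envar", "pid process name value")

def parse_envars(text):
    """Parse envars rows; the value may contain spaces, so split at most 4 times."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) < 4 or not parts[0].isdigit():
            continue  # header, separator or blank line
        value = parts[4] if len(parts) == 5 else ""
        rows.append(Envar(int(parts[0]), parts[1], parts[3], value))
    return rows

# Standard Windows XP environment variable names (from the other processes'
# rows above plus general XP knowledge); compared case-insensitively.
BASELINE = {n.lower() for n in """
ALLUSERSPROFILE APPDATA CLIENTNAME CommonProgramFiles COMPUTERNAME ComSpec
FP_NO_HOST_CHECK HOMEDRIVE HOMEPATH LOGONSERVER NUMBER_OF_PROCESSORS OS Path
PATHEXT PROCESSOR_ARCHITECTURE PROCESSOR_IDENTIFIER PROCESSOR_LEVEL
PROCESSOR_REVISION ProgramFiles SESSIONNAME SystemDrive SystemRoot TEMP TMP
USERDOMAIN USERNAME USERPROFILE windir
""".split()}

Finding = namedtuple("Finding", "name values pids")

def find_unknown_envars(rows):
    """Variables whose name is not in the baseline, with every PID carrying them."""
    seen = defaultdict(dict)  # name -> {pid: value}
    for r in rows:
        if r.name.lower() not in BASELINE:
            seen[r.name][r.pid] = r.value
    return [Finding(name, sorted(set(v.values())), sorted(v))
            for name, v in sorted(seen.items())]

if __name__ == "__main__":
    rows = parse_envars(ENVARS_SAMPLE)
    total = len({r.pid for r in rows})
    for f in find_unknown_envars(rows):
        print("%s = %s  (in %d of %d processes: %s)" % (
            f.name, ", ".join(f.values), len(f.pids), total, f.pids))
```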

Conclusion

To conclude the first part of the series, we used the basic Volatility commands:

We finally got a clue from the envars plugin suggesting that the IEXPLORE.EXE process could be compromised, and in the next post we will take a closer look at it.
