Introduction
This is the second post in a multi-part series. In the previous post we analyzed the Coreflood trojan with some basic commands suited to beginner-level volatile memory analysis using the Volatility Framework. In this post we walk through more advanced concepts of volatile memory analysis with Volatility. Please make sure you have read Part 1 before proceeding. You can find Part 1 at the link below:
Before we proceed, a quick recap of the steps and analysis from Part 1:
- pslist to list the processes running on the host
- pstree to check the parent/child hierarchy of processes
- cmdscan to list commands entered through cmd.exe
- consoles to recover the console input and output buffers
- connscan to scan for TCP connection objects
- sockets to list open sockets
- envars to list the environment variables of each process
We finally got a lead from the envars plugin, which suggested that the iexplore.exe process could be compromised.
What is special about the GIEVMXDVLMISML environment variable, and why was it created?
To avoid re-infecting a system or process, malware usually marks its presence, either by creating a global mutex or, in the case of the Coreflood trojan, by setting an environment variable. The variable tells the malware that the process is already infected and should not be infected again. Such markers cut both ways: a random-looking variable that exists in one process only is a good indicator for the analyst, and it is exactly the kind of artefact envars is there to expose.
Now that we understand the logic behind the environment variable, let's take a closer look at the iexplore.exe process.
We start with the DLLs loaded by pid 2044, using the Volatility dlllist plugin:
C:\volatility>volatility.exe -f C:\dumps\coreflood.vmem --profile=WinXPSP3x86 dlllist -p 2044 > C:\dumps\coreflood\dlllist.txt
************************************************************************
IEXPLORE.EXE pid: 2044
Command line : "C:\Program Files\Internet Explorer\iexplore.exe"
Service Pack 2
Base Size LoadCount Path
---------- ---------- ---------- ----
0x00400000 0x19000 0xffff C:\Program Files\Internet Explorer\iexplore.exe
0x7c900000 0xb0000 0xffff C:\WINDOWS\system32\ntdll.dll
0x7c800000 0xf4000 0xffff C:\WINDOWS\system32\kernel32.dll
0x77c10000 0x58000 0xffff C:\WINDOWS\system32\msvcrt.dll
0x77d40000 0x90000 0xffff C:\WINDOWS\system32\USER32.dll
0x77f10000 0x46000 0xffff C:\WINDOWS\system32\GDI32.dll
0x77f60000 0x76000 0xffff C:\WINDOWS\system32\SHLWAPI.dll
0x77dd0000 0x9b000 0xffff C:\WINDOWS\system32\ADVAPI32.dll
0x77e70000 0x91000 0xffff C:\WINDOWS\system32\RPCRT4.dll
0x77760000 0x16e000 0xffff C:\WINDOWS\system32\SHDOCVW.dll
0x77a80000 0x94000 0xffff C:\WINDOWS\system32\CRYPT32.dll
0x77b20000 0x12000 0xffff C:\WINDOWS\system32\MSASN1.dll
0x754d0000 0x80000 0xffff C:\WINDOWS\system32\CRYPTUI.dll
0x76c30000 0x2e000 0xffff C:\WINDOWS\system32\WINTRUST.dll
0x76c90000 0x28000 0xffff C:\WINDOWS\system32\IMAGEHLP.dll
0x77120000 0x8c000 0xffff C:\WINDOWS\system32\OLEAUT32.dll
0x774e0000 0x13c000 0xffff C:\WINDOWS\system32\ole32.dll
0x5b860000 0x54000 0xffff C:\WINDOWS\system32\NETAPI32.dll
0x771b0000 0xa6000 0xffff C:\WINDOWS\system32\WININET.dll
0x76f60000 0x2c000 0xffff C:\WINDOWS\system32\WLDAP32.dll
0x77c00000 0x8000 0xffff C:\WINDOWS\system32\VERSION.dll
0x773d0000 0x102000 0xc C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
0x7c9c0000 0x814000 0xf C:\WINDOWS\system32\SHELL32.dll
0x5d090000 0x97000 0x4 C:\WINDOWS\system32\comctl32.dll
0x5ad70000 0x38000 0x6 C:\WINDOWS\system32\uxtheme.dll
0x75f80000 0xfd000 0x2 C:\WINDOWS\system32\BROWSEUI.dll
0x20000000 0x12000 0x1 C:\WINDOWS\system32\browselc.dll
0x77b40000 0x22000 0x1 C:\WINDOWS\system32\appHelp.dll
0x76fd0000 0x7f000 0x2 C:\WINDOWS\system32\CLBCATQ.DLL
0x77050000 0xc5000 0x2 C:\WINDOWS\system32\COMRes.dll
0x77fe0000 0x11000 0x3 C:\WINDOWS\system32\Secur32.dll
0x77260000 0xa0000 0x9 C:\WINDOWS\system32\urlmon.dll
0x77a20000 0x54000 0x1 C:\WINDOWS\System32\cscui.dll
0x76600000 0x1d000 0x1 C:\WINDOWS\System32\CSCDLL.dll
0x77920000 0xf3000 0x1 C:\WINDOWS\system32\SETUPAPI.dll
0x71ab0000 0x17000 0x2e C:\WINDOWS\system32\WS2_32.dll
0x71aa0000 0x8000 0x31 C:\WINDOWS\system32\WS2HELP.dll
0x71a50000 0x3f000 0x5 C:\WINDOWS\System32\mswsock.dll
0x76f20000 0x27000 0x2 C:\WINDOWS\system32\DNSAPI.dll
0x76fb0000 0x8000 0x1 C:\WINDOWS\System32\winrnr.dll
0x76eb0000 0x2f000 0x2 C:\WINDOWS\system32\TAPI32.dll
0x76e80000 0xe000 0x3 C:\WINDOWS\system32\rtutils.dll
0x76b40000 0x2d000 0xe C:\WINDOWS\system32\WINMM.dll
0x76ee0000 0x3c000 0x2 C:\WINDOWS\system32\RASAPI32.DLL
0x76e90000 0x12000 0x3 C:\WINDOWS\system32\rasman.dll
0x76fc0000 0x6000 0x1 C:\WINDOWS\system32\rasadhlp.dll
0x662b0000 0x58000 0x1 C:\WINDOWS\system32\hnetcfg.dll
0x77c70000 0x23000 0x1 C:\WINDOWS\system32\msv1_0.dll
0x76d60000 0x19000 0x1 C:\WINDOWS\system32\iphlpapi.dll
0x71a90000 0x8000 0x1 C:\WINDOWS\System32\wshtcpip.dll
0x722b0000 0x5000 0x1 C:\WINDOWS\system32\sensapi.dll
0x769c0000 0xb3000 0x1 C:\WINDOWS\system32\USERENV.dll
0x01270000 0x88000 0x2 C:\WINDOWS\system32\shdoclc.dll
0x01340000 0x2c5000 0x3 C:\WINDOWS\system32\xpsp2res.dll
0x75cf0000 0x91000 0x4 C:\WINDOWS\system32\mlang.dll
0x71ad0000 0x9000 0x1 C:\WINDOWS\system32\wsock32.dll
0x75e90000 0xb0000 0x1 C:\WINDOWS\system32\SXS.DLL
0x7dc30000 0x2ee000 0x2 C:\WINDOWS\system32\mshtml.dll
0x746c0000 0x27000 0x2 C:\WINDOWS\system32\msls31.dll
0x746f0000 0x2a000 0x1 C:\WINDOWS\system32\msimtf.dll
0x74720000 0x4b000 0x1 C:\WINDOWS\system32\MSCTF.dll
0x76390000 0x1d000 0x2 C:\WINDOWS\system32\IMM32.DLL
0x75c50000 0x6e000 0x1 C:\WINDOWS\system32\jscript.dll
0x74c80000 0x2c000 0x1 C:\WINDOWS\system32\oleacc.dll
0x76080000 0x65000 0x1 C:\WINDOWS\system32\MSVCP60.dll
0x66880000 0xc000 0x2 C:\WINDOWS\system32\ImgUtil.dll
0x5e310000 0xc000 0x1 C:\WINDOWS\system32\pngfilt.dll
0x72d20000 0x9000 0x6 C:\WINDOWS\system32\wdmaud.drv
0x72d10000 0x8000 0x2 C:\WINDOWS\system32\msacm32.drv
0x77be0000 0x15000 0x2 C:\WINDOWS\system32\MSACM32.dll
0x77bd0000 0x7000 0x1 C:\WINDOWS\system32\midimap.dll
0x66e50000 0x40000 0x1 C:\WINDOWS\system32\iepeers.dll
0x73000000 0x26000 0x1 C:\WINDOWS\system32\WINSPOOL.DRV
0x76200000 0x71000 0x1 C:\WINDOWS\system32\mshtmled.dll
0x74980000 0x130000 0x1 C:\WINDOWS\system32\msxml3.dll
0x4d4f0000 0x58000 0x1 C:\WINDOWS\system32\WINHTTP.dll
From the above output we can say:
- All DLLs are loaded from C:\WINDOWS\system32 (or the WinSxS side-by-side store), and every path looks legitimate.
- Prima facie nothing suspicious is observed. Keep in mind that dlllist only walks the loader lists in the process PEB; a DLL that was mapped manually, or unlinked from those lists, will not appear here (ldrmodules cross-checks the three loader lists against the VADs).
- One caveat: dlllist reports Service Pack 2 from the process PEB while we are using the WinXPSP3x86 profile. If later plugins return odd results, re-check the profile with imageinfo or kdbgscan.
Next we dump all the DLLs loaded in iexplore.exe and see whether our AV engine picks up anything:
C:\volatility>volatility.exe -f C:\dumps\coreflood.vmem --profile=WinXPSP3x86 dlldump -p 2044 --dump-dir C:\dumps\coreflood\dll
The command dumped every DLL listed by dlllist to disk, but the system AV did not flag any of them. That is not surprising if the malicious code is not a file-backed module at all.
Now it is time to bring out the big guns and take a deeper look.
The first plugin we use to dig deeper is malfind. It looks for memory regions whose VAD flags and protections are typical of injected or unpacked code (private memory with an executable protection such as PAGE_EXECUTE_READWRITE that is not backed by a file) and prints a hexdump and disassembly of the first bytes of each hit:
C:\volatility>volatility.exe -f C:\dumps\coreflood.vmem --profile=WinXPSP3x86 malfind -p 2044 > C:\dumps\coreflood\malfind.txt
Process: IEXPLORE.EXE Pid: 2044 Address: 0x7ff80000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 45, PrivateMemory: 1, Protection: 6
0x7ff80000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x7ff80010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x7ff80020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x7ff80030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x7ff80000 0000 ADD [EAX], AL
0x7ff80002 0000 ADD [EAX], AL
0x7ff80004 0000 ADD [EAX], AL
0x7ff80006 0000 ADD [EAX], AL
0x7ff80008 0000 ADD [EAX], AL
0x7ff8000a 0000 ADD [EAX], AL
0x7ff8000c 0000 ADD [EAX], AL
0x7ff8000e 0000 ADD [EAX], AL
0x7ff80010 0000 ADD [EAX], AL
0x7ff80012 0000 ADD [EAX], AL
0x7ff80014 0000 ADD [EAX], AL
0x7ff80016 0000 ADD [EAX], AL
0x7ff80018 0000 ADD [EAX], AL
0x7ff8001a 0000 ADD [EAX], AL
0x7ff8001c 0000 ADD [EAX], AL
0x7ff8001e 0000 ADD [EAX], AL
0x7ff80020 0000 ADD [EAX], AL
0x7ff80022 0000 ADD [EAX], AL
0x7ff80024 0000 ADD [EAX], AL
0x7ff80026 0000 ADD [EAX], AL
0x7ff80028 0000 ADD [EAX], AL
0x7ff8002a 0000 ADD [EAX], AL
0x7ff8002c 0000 ADD [EAX], AL
0x7ff8002e 0000 ADD [EAX], AL
0x7ff80030 0000 ADD [EAX], AL
0x7ff80032 0000 ADD [EAX], AL
0x7ff80034 0000 ADD [EAX], AL
0x7ff80036 0000 ADD [EAX], AL
0x7ff80038 0000 ADD [EAX], AL
0x7ff8003a 0000 ADD [EAX], AL
0x7ff8003c 0000 ADD [EAX], AL
0x7ff8003e 0000 ADD [EAX], AL
Let's pause for a moment and analyze the malfind output:
- malfind flagged a region starting at 0x7ff80000 in pid 2044.
- The region is private memory (Tag VadS, PrivateMemory: 1) with PAGE_EXECUTE_READWRITE protection (Protection: 6). Note this is a property of the region, not a weakness of the process: legitimate code lives in file-backed image sections that are executable but not writable, so a writable and executable private region is exactly where injected or unpacked code tends to sit.
- When a DLL is injected as a mapped image, the first bytes of the region show the MZ signature and the rest of the PE header. Here the first 0x40 bytes are all zeros, which is also why malfind's disassembly shows nothing but ADD [EAX], AL (that is simply how 00 00 decodes). Either the PE header was deliberately wiped after loading, to defeat scanners that look for MZ and to make reconstructing the binary harder, or this is a false positive with no code behind it. The next steps decide which.
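To make the heuristic explicit, here is an added example (not code from the original post or from the Volatility project) that applies malfind's VAD test and the header check above to three constructed regions: one shaped like the 0x7ff80000 hit (zeroed first page, the SUB ESP, 0x120 prologue from volshell on the second page), a normal file-backed module and a private read-write heap. The region contents and the two non-hit regions are made up for illustration.

```python
# Added example, not code from the original post or from the Volatility
# project: a small re-implementation of the malfind heuristic plus the
# header check we applied by hand above, run over constructed VAD records.
from dataclasses import dataclass
from typing import Optional

PAGE_SIZE = 0x1000

# VAD protection encoding (Protection: 6 above is PAGE_EXECUTE_READWRITE);
# the low three bits carry the access type.
PROTECT_NAMES = {
    0: "PAGE_NOACCESS", 1: "PAGE_READONLY", 2: "PAGE_EXECUTE",
    3: "PAGE_EXECUTE_READ", 4: "PAGE_READWRITE", 5: "PAGE_WRITECOPY",
    6: "PAGE_EXECUTE_READWRITE", 7: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE = {2, 3, 6, 7}


@dataclass
class Vad:
    start: int
    end: int
    tag: str            # "VadS" (short, private) or "Vad"/"Vadl" (mapped)
    private: bool       # PrivateMemory flag
    protection: int     # raw Protection value from VadFlags
    data: bytes         # contents of the region (constructed here)


def is_malfind_hit(vad: Vad) -> bool:
    """Approximation of malfind's VAD test: private, non-file-backed
    memory (tag VadS) with an executable protection."""
    return vad.private and vad.tag == "VadS" and (vad.protection & 7) in EXECUTABLE


def classify_header(data: bytes) -> str:
    """Look at the first bytes the way malfind's hexdump lets us do by eye."""
    if data[:2] == b"MZ":
        return "pe-header-present"
    if not any(data[:0x40]):
        return "header-zeroed"
    return "no-pe-header"


def first_nonzero_page(data: bytes) -> Optional[int]:
    """Offset of the first page holding anything but zeros, which is where
    we pointed volshell's dis() next (0x1000 in the case above)."""
    for off in range(0, len(data), PAGE_SIZE):
        if any(data[off:off + PAGE_SIZE]):
            return off
    return None


def triage(vad: Vad) -> dict:
    return {
        "start": hex(vad.start),
        "protection": PROTECT_NAMES.get(vad.protection & 7, "?"),
        "malfind_hit": is_malfind_hit(vad),
        "header": classify_header(vad.data),
        "first_code_page": first_nonzero_page(vad.data),
    }


# Constructed sample regions (not real dump data). The first mimics the
# 0x7ff80000 region: zeroed first page, code (the SUB ESP,0x120 prologue
# seen in volshell) on the second page.
INJECTED = Vad(0x7ff80000, 0x7ffadfff, "VadS", True, 6,
               bytes(PAGE_SIZE) + bytes.fromhex("81ec2001000053") + bytes(PAGE_SIZE - 7))
# A normal image mapping: file-backed, copy-on-write code, MZ at offset 0.
MODULE = Vad(0x7c800000, 0x7c8f3fff, "Vad", False, 7,
             b"MZ\x90\x00" + bytes(PAGE_SIZE - 4))
# A private read-write heap: not executable, so not a malfind hit.
HEAP = Vad(0x00150000, 0x0024ffff, "VadS", True, 4, bytes(PAGE_SIZE))


def run_triage(vads=(INJECTED, MODULE, HEAP)) -> list:
    return [triage(v) for v in vads]


if __name__ == "__main__":
    for row in run_triage():
        print(row)
```

The point of the third field is the one we used above: a zeroed header is not proof of a false positive, so the triage also reports where the first non-zero page is, and that is the address to hand to dis().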
Next, to take a closer look at what is at 0x7ff80000, we use the volshell plugin. It gives us an interactive shell in the context of the chosen process, from which we can read and disassemble any virtual address:
C:\volatility>volatility.exe -f C:\dumps\coreflood.vmem --profile=WinXPSP3x86 volshell -p 2044
Volatility Foundation Volatility Framework 2.6
Current context: IEXPLORE.EXE @ 0xff3ad1a8, pid=2044, ppid=1724 DTB=0x6cc0320
Welcome to volshell! Current memory image is:
file:///C:/dumps/coreflood.vmem
To get help, type 'hh()'
>>> dis(0x7ff80000)
>>>
dis() prints nothing for the first page. That is consistent with the zeros malfind showed: there is no code at the start of the region. Before giving up on this lead, remember how a PE image is laid out: the headers occupy the first page and the first section (usually .text) begins at the next page-aligned offset, 0x1000. So let's disassemble the second page:
>>> dis(0x7ff81000)
0x7ff81000 81ec20010000 SUB ESP, 0x120
0x7ff81006 53 PUSH EBX
0x7ff81007 8b9c2430010000 MOV EBX, [ESP+0x130]
0x7ff8100e 8bc3 MOV EAX, EBX
0x7ff81010 2404 AND AL, 0x4
0x7ff81012 55 PUSH EBP
0x7ff81013 f6d8 NEG AL
0x7ff81015 56 PUSH ESI
0x7ff81016 57 PUSH EDI
0x7ff81017 8bbc2434010000 MOV EDI, [ESP+0x134]
0x7ff8101e 6805010000 PUSH DWORD 0x105
0x7ff81023 8d4c242c LEA ECX, [ESP+0x2c]
0x7ff81027 51 PUSH ECX
0x7ff81028 1bc0 SBB EAX, EAX
0x7ff8102a 25270c0000 AND EAX, 0xc27
0x7ff8102f 33f6 XOR ESI, ESI
0x7ff81031 8bef MOV EBP, EDI
0x7ff81033 89442418 MOV [ESP+0x18], EAX
0x7ff81037 8974241c MOV [ESP+0x1c], ESI
0x7ff8103b ff15b0e1f97f CALL DWORD [0x7ff9e1b0]
0x7ff81041 3d05010000 CMP EAX, 0x105
0x7ff81046 7378 JAE 0x7ff810c0
0x7ff81048 b25c MOV DL, 0x5c
0x7ff8104a 38542428 CMP [ESP+0x28], DL
0x7ff8104e 7533 JNZ 0x7ff81083
0x7ff81050 38542429 CMP [ESP+0x29], DL
0x7ff81054 752d JNZ 0x7ff81083
0x7ff81056 b902000000 MOV ECX, 0x2
0x7ff8105b 3bc1 CMP EAX, ECX
0x7ff8105d 7e0e JLE 0x7ff8106d
0x7ff8105f 90 NOP
0x7ff81060 38540c28 CMP [ESP+ECX+0x28], DL
0x7ff81064 7407 JZ 0x7ff8106d
0x7ff81066 83c101 ADD ECX, 0x1
0x7ff81069 3bc8 CMP ECX, EAX
0x7ff8106b 7cf3 JL 0x7ff81060
0x7ff8106d 83c101 ADD ECX, 0x1
0x7ff81070 3bc8 CMP ECX, EAX
0x7ff81072 7d29 JGE 0x7ff8109d
0x7ff81074 38540c28 CMP [ESP+ECX+0x28], DL
0x7ff81078 7423 JZ 0x7ff8109d
0x7ff8107a 83c101 ADD ECX, 0x1
0x7ff8107d 3bc8 CMP ECX, EAX
0x7ff8107f 7c DB 0x7c
Bingo, the second page holds real code. It starts with a normal function prologue (SUB ESP, 0x120, then PUSH of EBX/EBP/ESI/EDI), pushes a buffer size of 0x105 (MAX_PATH + 1) and a buffer address, and calls through a pointer stored at 0x7ff9e1b0, i.e. an import table that lives inside the injected region. It then checks the return value against 0x105 and scans the buffer for 0x5c, the backslash character, so it is parsing a path. (The impscan output further down resolves 0x7ff9e1b0 to kernel32!GetSystemDirectoryA, which fits: the routine fetches the system directory and walks its path components.)
Next we use the vadinfo plugin to get more information about this region. The plugin's output is verbose, so only the relevant part is shown:
VAD node @ 0xff1fb390 Start 0x7ff80000 End 0x7ffadfff Tag VadS
Flags: CommitCharge: 45, PrivateMemory: 1, Protection: 6
Protection: PAGE_EXECUTE_READWRITE
- CommitCharge 45: 45 pages have been committed. The node spans 0x7ff80000 to 0x7ffadfff (0x2e000 bytes, 46 pages).
- Protection 6, PAGE_EXECUTE_READWRITE.
- Tag VadS with PrivateMemory set: a short VAD for private memory, so the region is not backed by any file on disk. There is no file object to tell us where the code came from, which is why neither dlllist nor dlldump showed it.
- Base address 0x7ff80000, which we pass to impscan and vaddump next.
For further investigation we use the impscan plugin to recover the API functions the injected code calls. impscan walks the region looking for 4-byte values that equal the address of an exported function in one of the modules loaded in the process (the bases and sizes dlllist gave us) and prints them as an import table. This works even though the PE header that would normally describe the IAT has been wiped:
C:\volatility>volatility.exe -f C:\dumps\coreflood.vmem --profile=WinXPSP3x86 impscan -p 2044 -b 0x7ff80000 > C:\dumps\coreflood\impscan.txt
IAT Call Module Function
---------- ---------- -------------------- --------
0x7ff9e000 0x77dd77b3 ADVAPI32.dll SetSecurityDescriptorDacl
0x7ff9e004 0x77dfd4c9 ADVAPI32.dll GetUserNameA
0x7ff9e008 0x77dd6bf0 ADVAPI32.dll RegCloseKey
0x7ff9e00c 0x77ddeaf4 ADVAPI32.dll RegCreateKeyExA
0x7ff9e010 0x77dfc123 ADVAPI32.dll RegDeleteKeyA
0x7ff9e014 0x77ddede5 ADVAPI32.dll RegDeleteValueA
0x7ff9e018 0x77ddd966 ADVAPI32.dll RegNotifyChangeKeyValue
0x7ff9e01c 0x77dd761b ADVAPI32.dll RegOpenKeyExA
0x7ff9e020 0x77dd7883 ADVAPI32.dll RegQueryValueExA
0x7ff9e024 0x77ddebe7 ADVAPI32.dll RegSetValueExA
0x7ff9e028 0x77dfc534 ADVAPI32.dll AdjustTokenPrivileges
0x7ff9e02c 0x77e34c3f ADVAPI32.dll InitiateSystemShutdownA
0x7ff9e030 0x77dfd11b ADVAPI32.dll LookupPrivilegeValueA
0x7ff9e034 0x77dd7753 ADVAPI32.dll OpenProcessToken
0x7ff9e038 0x77dfc8c1 ADVAPI32.dll RegEnumKeyExA
0x7ff9e03c 0x77dd778e ADVAPI32.dll InitializeSecurityDescriptor
0x7ff9e044 0x7c809c28 kernel32.dll SetEvent
0x7ff9e048 0x7c81082f kernel32.dll CreateThread
0x7ff9e04c 0x7c80aa66 kernel32.dll FreeLibrary
0x7ff9e050 0x7c801d77 kernel32.dll LoadLibraryA
0x7ff9e054 0x7c809750 kernel32.dll TlsGetValue
0x7ff9e058 0x7c809bf5 kernel32.dll TlsSetValue
0x7ff9e05c 0x7c80e016 kernel32.dll DuplicateHandle
0x7ff9e060 0x7c809919 kernel32.dll GetCurrentThread
0x7ff9e064 0x7c80e00d kernel32.dll GetCurrentProcess
0x7ff9e068 0x7c9105d4 kernel32.dll HeapAlloc
0x7ff9e06c 0x7c91043d kernel32.dll HeapFree
0x7ff9e070 0x7c80aa49 kernel32.dll GetProcessHeap
0x7ff9e074 0x7c810082 kernel32.dll GlobalUnlock
0x7ff9e078 0x7c810119 kernel32.dll GlobalLock
0x7ff9e07c 0x7c839166 kernel32.dll GlobalSize
0x7ff9e080 0x7c80b929 kernel32.dll lstrcmpiA
0x7ff9e084 0x7c80a823 kernel32.dll lstrcmpiW
0x7ff9e088 0x7c80c6e0 kernel32.dll lstrlenA
0x7ff9e08c 0x7c80b357 kernel32.dll GetModuleFileNameA
0x7ff9e090 0x7c80a0c7 kernel32.dll WideCharToMultiByte
0x7ff9e094 0x7c80ac28 kernel32.dll GetProcAddress
0x7ff9e098 0x7c80b529 kernel32.dll GetModuleHandleA
0x7ff9e09c 0x7c801ad0 kernel32.dll VirtualProtect
0x7ff9e0a0 0x7c86405d kernel32.dll Module32Next
0x7ff9e0a4 0x7c863ed8 kernel32.dll Module32First
0x7ff9e0a8 0x7c8647b7 kernel32.dll CreateToolhelp32Snapshot
0x7ff9e0ac 0x7c809b14 kernel32.dll VirtualFree
0x7ff9e0b0 0x7c809a81 kernel32.dll VirtualAlloc
0x7ff9e0b4 0x7c80e63c kernel32.dll GetModuleHandleW
0x7ff9e0b8 0x7c812b0f kernel32.dll TlsAlloc
0x7ff9e0bc 0x7c812c8d kernel32.dll GetCommandLineA
0x7ff9e0c0 0x7c80b7fc kernel32.dll UnmapViewOfFile
0x7ff9e0c4 0x7c8226a9 kernel32.dll SetEnvironmentVariableA
0x7ff9e0c8 0x7c81486a kernel32.dll GetEnvironmentVariableA
0x7ff9e0cc 0x7c80b78d kernel32.dll MapViewOfFile
0x7ff9e0d0 0x7c910331 kernel32.dll GetLastError
0x7ff9e0d4 0x7c80180e kernel32.dll ReadFile
0x7ff9e0d8 0x7c810c8f kernel32.dll GetFileSize
0x7ff9e0dc 0x7c8092ac kernel32.dll GetTickCount
0x7ff9e0e0 0x7c809eb3 kernel32.dll IsBadReadPtr
0x7ff9e0e4 0x7c802530 kernel32.dll WaitForSingleObject
0x7ff9e0e8 0x7c809a39 kernel32.dll lstrlenW
0x7ff9e0ec 0x7c81e85c kernel32.dll DeleteFileA
0x7ff9e0f0 0x7c80efd7 kernel32.dll FindClose
0x7ff9e0f4 0x7c813559 kernel32.dll FindFirstFileA
0x7ff9e0f8 0x7c839019 kernel32.dll FindNextFileA
0x7ff9e0fc 0x7c80176b kernel32.dll GetSystemTime
0x7ff9e100 0x7c8221cf kernel32.dll GetTempPathA
0x7ff9e104 0x7c8394ae kernel32.dll GetTimeZoneInformation
0x7ff9e108 0x7c8114ab kernel32.dll GetVersion
0x7ff9e10c 0x7c822294 kernel32.dll MoveFileA
0x7ff9e110 0x7c85d2a3 kernel32.dll MoveFileExA
0x7ff9e114 0x7c81f850 kernel32.dll SetEndOfFile
0x7ff9e118 0x7c81fb44 kernel32.dll SetFileAttributesA
0x7ff9e11c 0x7c810da6 kernel32.dll SetFilePointer
0x7ff9e120 0x7c81f955 kernel32.dll SetFileTime
0x7ff9e124 0x7c810d34 kernel32.dll SystemTimeToFileTime
0x7ff9e128 0x7c810f9f kernel32.dll WriteFile
0x7ff9e12c 0x7c825f62 kernel32.dll FormatMessageA
0x7ff9e130 0x7c811069 kernel32.dll GetFileType
0x7ff9e134 0x7c812929 kernel32.dll HeapCreate
0x7ff9e138 0x7c9179fd kernel32.dll HeapReAlloc
0x7ff9e13c 0x7c9109ed kernel32.dll HeapSize
0x7ff9e140 0x7c80d47e kernel32.dll GetLocaleInfoA
0x7ff9e144 0x7c81dd9a kernel32.dll CreatePipe
0x7ff9e148 0x7c802367 kernel32.dll CreateProcessA
0x7ff9e14c 0x7c81aae7 kernel32.dll GetExitCodeProcess
0x7ff9e150 0x7c85f6ef kernel32.dll PeekNamedPipe
0x7ff9e154 0x7c81e92a kernel32.dll ResumeThread
0x7ff9e158 0x7c81cacb kernel32.dll TerminateThread
0x7ff9e15c 0x7c80e9ec kernel32.dll FileTimeToSystemTime
0x7ff9e160 0x7c827421 kernel32.dll GetDiskFreeSpaceExA
0x7ff9e164 0x7c822cfb kernel32.dll GetDriveTypeA
0x7ff9e168 0x7c81f8e2 kernel32.dll GetFileTime
0x7ff9e16c 0x7c80c9c1 kernel32.dll GetLocalTime
0x7ff9e170 0x7c81e3b9 kernel32.dll GetLogicalDrives
0x7ff9e174 0x7c82293b kernel32.dll GetWindowsDirectoryA
0x7ff9e178 0x7c809cad kernel32.dll MultiByteToWideChar
0x7ff9e17c 0x7c809c4c kernel32.dll ResetEvent
0x7ff9e180 0x7c809c6e kernel32.dll WaitForMultipleObjects
0x7ff9e184 0x7c8024a7 kernel32.dll ReleaseMutex
0x7ff9e188 0x7c809737 kernel32.dll GetCurrentThreadId
0x7ff9e18c 0x7c802442 kernel32.dll Sleep
0x7ff9e190 0x7c81ee79 kernel32.dll lstrcmpA
0x7ff9e194 0x7c81e079 kernel32.dll OpenProcess
0x7ff9e198 0x7c801e16 kernel32.dll TerminateProcess
0x7ff9e19c 0x7c809b77 kernel32.dll CloseHandle
0x7ff9e1a0 0x7c80946c kernel32.dll CreateFileMappingA
0x7ff9e1a4 0x7c801a24 kernel32.dll CreateFileA
0x7ff9e1a8 0x7c81e4bd kernel32.dll CreateEventA
0x7ff9e1ac 0x7c80eb3f kernel32.dll CreateMutexA
0x7ff9e1b0 0x7c814c63 kernel32.dll GetSystemDirectoryA
0x7ff9e1b4 0x7c827052 kernel32.dll GetVolumeInformationA
0x7ff9e1b8 0x7c80aa97 kernel32.dll SetErrorMode
0x7ff9e1bc 0x7c80994e kernel32.dll GetCurrentProcessId
0x7ff9e1c4 0x77124850 OLEAUT32.dll SysFreeString
0x7ff9e1c8 0x7712504f OLEAUT32.dll SafeArrayGetUBound
0x7ff9e1cc 0x7712509b OLEAUT32.dll SafeArrayGetLBound
0x7ff9e1d0 0x77125010 OLEAUT32.dll SafeArrayAccessData
0x7ff9e1d4 0x77124bc2 OLEAUT32.dll SysAllocString
0x7ff9e1d8 0x7712503f OLEAUT32.dll SafeArrayUnaccessData
0x7ff9e1e0 0x77d4b7db USER32.dll IsWindow
0x7ff9e1e4 0x77d4b5d7 USER32.dll GetParent
0x7ff9e1e8 0x77d6f82e USER32.dll GetWindowTextA
0x7ff9e1ec 0x77d6f8dd USER32.dll CharToOemBuffA
0x7ff9e1f0 0x77d4a2de USER32.dll wsprintfA
0x7ff9e1f4 0x77d6ed31 USER32.dll OemToCharBuffA
0x7ff9e1f8 0x77d89e6d USER32.dll ExitWindowsEx
0x7ff9e1fc 0x77d49519 USER32.dll GetLastInputInfo
0x7ff9e200 0x77d4b57c USER32.dll GetWindowRect
0x7ff9e204 0x77d4bd8e USER32.dll IsWindowVisible
0x7ff9e208 0x77d4ff21 USER32.dll SendMessageTimeoutA
0x7ff9e20c 0x77d4d4de USER32.dll ShowWindow
0x7ff9e210 0x77d4dc5a USER32.dll SetWindowTextA
0x7ff9e214 0x77d4b556 USER32.dll GetClientRect
0x7ff9e218 0x77d4ded3 USER32.dll SetWindowLongA
0x7ff9e21c 0x77d4d515 USER32.dll MoveWindow
0x7ff9e220 0x77d50554 USER32.dll SystemParametersInfoA
0x7ff9e224 0x77d4947c USER32.dll GetWindowLongA
0x7ff9e228 0x77d6e438 USER32.dll UnregisterClassA
0x7ff9e22c 0x77d4e666 USER32.dll DestroyWindow
0x7ff9e230 0x77d4df6b USER32.dll DefWindowProcA
0x7ff9e234 0x77d5190b USER32.dll CreateWindowExA
0x7ff9e238 0x77d7ffbe USER32.dll MapVirtualKeyW
0x7ff9e23c 0x77d4df1e USER32.dll GetActiveWindow
0x7ff9e240 0x77d4ef35 USER32.dll GetKeyboardState
0x7ff9e244 0x77d9628a USER32.dll ToUnicode
0x7ff9e248 0x77d4ed6e USER32.dll CallNextHookEx
0x7ff9e24c 0x77d49851 USER32.dll GetThreadDesktop
0x7ff9e250 0x77d6ebb0 USER32.dll PostThreadMessageA
0x7ff9e254 0x77d4d935 USER32.dll EnumWindows
0x7ff9e258 0x77d702b2 USER32.dll SetWindowsHookExA
0x7ff9e25c 0x77d6f29f USER32.dll UnhookWindowsHookEx
0x7ff9e260 0x77d4db62 USER32.dll PostMessageA
0x7ff9e264 0x77d4e5ba USER32.dll EnumChildWindows
0x7ff9e268 0x77d4e032 USER32.dll GetClassNameA
0x7ff9e26c 0x77d48a58 USER32.dll GetWindowThreadProcessId
0x7ff9e270 0x77d48bce USER32.dll TranslateMessage
0x7ff9e274 0x77d52316 USER32.dll RegisterClassA
0x7ff9e278 0x77d6edeb USER32.dll PostQuitMessage
0x7ff9e27c 0x77d4cefd USER32.dll PeekMessageA
0x7ff9e280 0x77d4bc8e USER32.dll MsgWaitForMultipleObjects
0x7ff9e284 0x77d4e8fa USER32.dll LoadCursorA
0x7ff9e288 0x77d4bcbd USER32.dll DispatchMessageA
0x7ff9e290 0x71ab94dc WS2_32.dll WSAGetLastError
0x7ff9e294 0x71ab664d WS2_32.dll WSAStartup
0x7ff9e298 0x71ac1028 WS2_32.dll accept
0x7ff9e29c 0x71ab9639 WS2_32.dll closesocket
0x7ff9e2a0 0x71ac0bde WS2_32.dll shutdown
0x7ff9e2a4 0x71ac0979 WS2_32.dll WSAAsyncSelect
0x7ff9e2a8 0x71ab406a WS2_32.dll connect
0x7ff9e2ac 0x71ab615a WS2_32.dll recv
0x7ff9e2b0 0x71ab428a WS2_32.dll send
0x7ff9e2b4 0x71ab3e00 WS2_32.dll bind
0x7ff9e2b8 0x71ab4519 WS2_32.dll ioctlsocket
0x7ff9e2bc 0x71ab88d3 WS2_32.dll listen
0x7ff9e2c0 0x71ab951e WS2_32.dll getsockname
0x7ff9e2c4 0x71ab50c8 WS2_32.dll gethostname
0x7ff9e2c8 0x71ab4428 WS2_32.dll WSACleanup
0x7ff9e2cc 0x71abe32f WS2_32.dll WSACancelAsyncRequest
0x7ff9e2d0 0x71abe985 WS2_32.dll WSAAsyncGetHostByName
0x7ff9e2d4 0x71abea2b WS2_32.dll WSAAsyncGetHostByAddr
0x7ff9e2d8 0x71ab3f41 WS2_32.dll inet_ntoa
0x7ff9e2dc 0x71ab2bf4 WS2_32.dll inet_addr
0x7ff9e2e0 0x71ab3b91 WS2_32.dll socket
0x7ff9e2e8 0x774f974a ole32.dll CreateStreamOnHGlobal
0x7ff9e2ec 0x774f2cfa ole32.dll StringFromGUID2
0x7ff9e2f0 0x77529539 ole32.dll OleUninitialize
0x7ff9e2f4 0x77526009 ole32.dll CoCreateInstance
0x7ff9e2f8 0x7752949b ole32.dll OleInitialize
0x7ff9e2fc 0x77530f97 ole32.dll GetHGlobalFromStream
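How impscan finds a table like this without a PE header, as an added example that is not from the original post or from Volatility: scan the region for 4-byte values that land inside a loaded module (bases and sizes from the dlllist output above) and keep runs of them, since an IAT is an array of pointers with a NULL between module blocks. The sample region is constructed, using a few Call addresses from the table, and the code stops at module level; resolving each pointer to an export name, which impscan also does, needs the modules' export tables and is left out.

```python
# Added example, not from the original post or the Volatility project: the
# core idea behind impscan. Without a PE header there is no import
# directory, so we scan the region for 4-byte values that point into
# modules dlllist told us about and keep runs of such pointers (an IAT is
# an array of pointers, one NULL-terminated block per module). impscan
# also resolves each pointer to an export name, which needs the modules'
# export tables and is left out here.
import struct
from typing import Dict, List, Tuple

# Base/size pairs copied from the dlllist output above.
MODULES: Dict[str, Tuple[int, int]] = {
    "ntdll.dll":    (0x7c900000, 0xb0000),
    "kernel32.dll": (0x7c800000, 0xf4000),
    "ADVAPI32.dll": (0x77dd0000, 0x9b000),
    "USER32.dll":   (0x77d40000, 0x90000),
    "OLEAUT32.dll": (0x77120000, 0x8c000),
    "WS2_32.dll":   (0x71ab0000, 0x17000),
    "ole32.dll":    (0x774e0000, 0x13c000),
}

MIN_RUN = 3   # fewer consecutive pointers than this is treated as noise
MAX_GAP = 8   # allow one 4-byte NULL separator between module blocks


def module_for(addr: int) -> str:
    for name, (base, size) in MODULES.items():
        if base <= addr < base + size:
            return name
    return ""


def scan_iat(region: bytes, region_base: int) -> List[Tuple[int, int, str]]:
    """Return (iat_va, target_va, module) for every pointer that is part of
    a run of at least MIN_RUN pointers into loaded modules."""
    hits = []
    for off in range(0, len(region) - 3, 4):
        (val,) = struct.unpack_from("<I", region, off)
        mod = module_for(val)
        if mod:
            hits.append((region_base + off, val, mod))
    # group hits into runs; a gap larger than MAX_GAP starts a new run
    runs, cur = [], []
    for h in hits:
        if cur and h[0] - cur[-1][0] > MAX_GAP:
            runs.append(cur)
            cur = []
        cur.append(h)
    if cur:
        runs.append(cur)
    return [h for run in runs if len(run) >= MIN_RUN for h in run]


def build_sample_region() -> bytes:
    """Constructed region (not dump data): zeros, one isolated module
    pointer as noise and, at offset 0x1e000 (so the IAT lands at
    0x7ff9e000 like the real one), an abridged IAT built from Call
    addresses in the table above with a NULL between the ADVAPI32 and
    kernel32 blocks."""
    region = bytearray(0x1e200)
    struct.pack_into("<I", region, 0x40, 0x7c801d77)   # lone pointer: not an IAT
    table = [0x77dd77b3, 0x77dfd4c9, 0x77dd6bf0,       # ADVAPI32
             0x00000000,                               # terminator
             0x7c809c28, 0x7c81082f, 0x7c80aa66, 0x7c801d77]  # kernel32
    for i, val in enumerate(table):
        struct.pack_into("<I", region, 0x1e000 + 4 * i, val)
    return bytes(region)


if __name__ == "__main__":
    for iat, target, mod in scan_iat(build_sample_region(), 0x7ff80000):
        print(f"{iat:#010x} {target:#010x} {mod}")
```

The run requirement is what keeps a stray pointer (a saved return address, a handle that happens to look like a kernel32 address) out of the result; on a real dump you would feed scan_iat the vaddump file and the dlllist table for that pid.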
Let's take a closer look at some of the imports:
- LoadLibraryA, GetProcAddress, GetModuleHandleA/W and FreeLibrary: resolve further modules and functions at run time, the standard way injected code finds the APIs it needs without a loader-built import table.
- CreateThread: creates a thread within the calling process; injected code normally runs on its own thread inside the host, which is why iexplore.exe keeps working as usual.
- GetEnvironmentVariableA and SetEnvironmentVariableA: match the infection marker (the GIEVMXDVLMISML variable) we found with envars in Part 1. CreateMutexA is imported as well.
- SetWindowsHookExA, CallNextHookEx, GetKeyboardState, ToUnicode, MapVirtualKeyW and GetLastInputInfo: the combination used to install a Windows hook and translate raw key events into characters, a capability indicator for keystroke capture.
- socket, connect, send and recv together with bind, listen and accept: the code can make outbound connections and also accept inbound ones.
- AdjustTokenPrivileges, LookupPrivilegeValueA, ExitWindowsEx and InitiateSystemShutdownA: acquiring the shutdown privilege and rebooting or shutting the machine down.
- CreateProcessA, CreatePipe and PeekNamedPipe: launching processes and reading their output.
- A large number of registry functions (RegCreateKeyExA, RegSetValueExA, RegDeleteKeyA, RegNotifyChangeKeyValue, ...): we should analyze the registry settings, in particular the autostart and COM registration keys.
Imports tell us what the code can do, not what it did; each of these capabilities should be confirmed against the strings, the registry hives (hivelist, printkey) and network artefacts.
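As an added example (not from the original post or from Volatility), the following script parses impscan's table and buckets the functions into capability groups, which is the triage we just did by hand, generalised to the whole list. The sample input is an abridged copy of the table above; the capability groups are an assumption of the example and indicate what the code can do, not what it did.

```python
# Added example, not from the original post or the Volatility project:
# parse impscan's table and bucket the resolved functions into capability
# groups. The groups are a triage aid, not a statement about what this
# sample does at run time; confirm with strings, registry and network
# evidence. SAMPLE is an abridged copy of the impscan output above.
from typing import Dict, List

CAPABILITIES: Dict[str, frozenset] = {
    "dynamic api resolution": frozenset({
        "LoadLibraryA", "GetProcAddress", "GetModuleHandleA",
        "GetModuleHandleW", "FreeLibrary"}),
    "memory / injection": frozenset({
        "VirtualAlloc", "VirtualProtect", "VirtualFree", "CreateThread",
        "OpenProcess", "CreateToolhelp32Snapshot", "Module32First",
        "Module32Next"}),
    "registry": frozenset({
        "RegCreateKeyExA", "RegSetValueExA", "RegQueryValueExA",
        "RegDeleteKeyA", "RegDeleteValueA", "RegOpenKeyExA",
        "RegEnumKeyExA", "RegNotifyChangeKeyValue"}),
    "infection marker": frozenset({
        "GetEnvironmentVariableA", "SetEnvironmentVariableA", "CreateMutexA"}),
    "keyboard hook": frozenset({
        "SetWindowsHookExA", "UnhookWindowsHookEx", "CallNextHookEx",
        "GetKeyboardState", "ToUnicode", "MapVirtualKeyW",
        "GetLastInputInfo"}),
    "network client": frozenset({
        "socket", "connect", "send", "recv", "WSAStartup", "inet_addr",
        "WSAAsyncGetHostByName"}),
    "network server / proxy": frozenset({"bind", "listen", "accept"}),
    "privilege / shutdown": frozenset({
        "AdjustTokenPrivileges", "LookupPrivilegeValueA",
        "OpenProcessToken", "ExitWindowsEx", "InitiateSystemShutdownA"}),
    "process execution": frozenset({
        "CreateProcessA", "CreatePipe", "PeekNamedPipe",
        "GetExitCodeProcess", "TerminateProcess"}),
}


def parse_impscan(text: str) -> List[tuple]:
    """Parse 'IAT Call Module Function' rows; skip header/separator lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].startswith("0x"):
            continue
        iat, call, module, func = parts
        rows.append((int(iat, 16), int(call, 16), module, func))
    return rows


def triage_imports(rows) -> Dict[str, List[str]]:
    found: Dict[str, List[str]] = {}
    for _, _, _, func in rows:
        for cap, names in CAPABILITIES.items():
            if func in names:
                found.setdefault(cap, []).append(func)
    return {cap: sorted(set(v)) for cap, v in found.items()}


SAMPLE = """\
IAT Call Module Function
---------- ---------- -------------------- --------
0x7ff9e00c 0x77ddeaf4 ADVAPI32.dll RegCreateKeyExA
0x7ff9e024 0x77ddebe7 ADVAPI32.dll RegSetValueExA
0x7ff9e02c 0x77e34c3f ADVAPI32.dll InitiateSystemShutdownA
0x7ff9e048 0x7c81082f kernel32.dll CreateThread
0x7ff9e050 0x7c801d77 kernel32.dll LoadLibraryA
0x7ff9e094 0x7c80ac28 kernel32.dll GetProcAddress
0x7ff9e0c4 0x7c8226a9 kernel32.dll SetEnvironmentVariableA
0x7ff9e0c8 0x7c81486a kernel32.dll GetEnvironmentVariableA
0x7ff9e148 0x7c802367 kernel32.dll CreateProcessA
0x7ff9e240 0x77d4ef35 USER32.dll GetKeyboardState
0x7ff9e244 0x77d9628a USER32.dll ToUnicode
0x7ff9e258 0x77d702b2 USER32.dll SetWindowsHookExA
0x7ff9e298 0x71ac1028 WS2_32.dll accept
0x7ff9e2a8 0x71ab406a WS2_32.dll connect
0x7ff9e2b4 0x71ab3e00 WS2_32.dll bind
0x7ff9e2bc 0x71ab88d3 WS2_32.dll listen
0x7ff9e2f4 0x77526009 ole32.dll CoCreateInstance
"""


def triage_sample() -> Dict[str, List[str]]:
    return triage_imports(parse_impscan(SAMPLE))


if __name__ == "__main__":
    for cap, funcs in sorted(triage_sample().items()):
        print(f"{cap:24s} {', '.join(funcs)}")
```

Functions that fall into no group (CoCreateInstance here) are simply not reported; redirect the full impscan output into parse_impscan to triage the whole table rather than this excerpt.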
We can now be confident that iexplore.exe is hosting injected code that resolves its imports from kernel32, advapi32, user32, ws2_32, oleaut32 and ole32. (This is code injected into iexplore.exe, not a hook or patch of kernel32 itself; inline hooks in the loaded DLLs would be a question for the apihooks plugin.) Next we use the vaddump plugin to dump the region at 0x7ff80000 to disk:
C:\volatility>volatility.exe -f C:\dumps\coreflood.vmem --profile=WinXPSP3x86 vaddump -p 2044 -b 0x7ff80000 --dump-dir C:\dumps\coreflood\dll
Volatility Foundation Volatility Framework 2.6
Pid Process Start End Result
---------- -------------------- ---------- ---------- ------
2044 IEXPLORE.EXE 0x7ff80000 0x7ffadfff C:\dumps\coreflood\dll\IEXPLORE.EXE.485d1a8.0x7ff80000-0x7ffadfff.dmp
Next we extract strings from the dumped file and analyze them further (run both an ASCII and a Unicode pass, since Windows code carries both).
String extraction
A few interesting points from the strings extract:
1. We can see a DLL path, comsbap.dll, in the extract below, followed by the same API names we saw in the import table. No module of that name showed up in dlllist, so the file is worth looking for with filescan on the memory image and on the disk:
C:\WINDOWS\system32\comsbap.dIl
SetEvent
CreateThread
FreeLibrary
LoadLibraryA
2. The malware uses HTTP to communicate with its C&C servers. The strings also contain an HTTP CONNECT request template and the replies a proxy returns (HTTP/1.0 200 Connection established, HTTP/1.0 503 Connection failed) as well as SOCKS; together with the bind, listen and accept imports above this suggests the code can relay connections as a proxy, not only act as a client:
HTTPP
Request of %a for %s has been failed
http://CONNECT Host: Connection: close
Proxy-Connection: close
HTTP/1.0 503 Connection failed
HTTP/1.0 200 Connection established
SOCKS
EXEC
3. Registry forensics is needed to find out more about the malware. The strings reference a COM registration (Software\Classes\CLSID\InprocServer32 with ThreadingModel Apartment), an Explorer load point (ShellIconOverlayIdentifiers), an autostart key (RunOnce) and the Windows NT\CurrentVersion\Windows key; these are the keys to examine with hivelist and printkey, and an InprocServer32 entry is a likely place for the comsbap.dll path to be stored:
Unregistering object %s
SOFTWARE\Microsoft\Windows NT\CurrentVersion
SOFTWARE\Microsoft\Windows\CurrentVersion
RegisteredOrganization
\???*.dll
*32.dll
Software\Classes\CLSID\InprocServer32
ThreadingModel
Apartment
Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Software\Microsoft\Windows NT\CurrentVersion\Windows
Conclusion
To conclude this post, we started with a strange-looking environment variable and systematically followed the clues. malfind pointed us to a private, executable region at 0x7ff80000 inside iexplore.exe whose PE header had been zeroed; volshell showed real code on its second page; vadinfo confirmed the region is not backed by any file; and impscan rebuilt its import table, which shows registry, networking, hooking and process-creation APIs. We used vaddump to dump the region and will next try to rebuild a PE header so the binary can be analyzed statically. The strings give the name of a DLL (comsbap.dll) and a set of registry keys, strong evidence that the malicious DLL path is stored in the registry, and HTTP CONNECT/proxy strings that show the trojan communicates over HTTP; a packet capture from an infected host would help in determining the payload.