Introduction
This is the first post of multi part series in which we will walk through basics of volatile Memory analysis with Volatility. Though some knowledge of Windows Internal is desirable but I will try to cover things as we progress. In this post, we will start with analyzing Coreflood Trojan with basic command and will gradually move to more advanced concepts.
What is Coreflood Trojan?
Coreflood is a trojan horse and botnet created by a group of Russian hackers and released in 2010. The FBI included on its list of infected systems “approximately 17 state or local government agencies, including one police department; three airports; two defense contractors; five banks or financial institutions; approximately 30 colleges or universities; approximately 20 hospital or health care companies; and hundreds of businesses.”[1] It is present on more than 2.3 million computers worldwide and as of May 2011 remains a threat.
Wikipedia
Now that we know about Coreflood we will need a memory dump to start analysis. You can download the .vmem file from below link
How to setup Volatility ?
For quick setup of Volatility Framework and to get a quick hands on tutorial ,please follow below article
To start the investigation we need to find the profile of the system from which memory dump was collected. This profile decide which data structures, algorithms, and symbols Volatility Framework will use. To find the profile, we will use Imageinfo plugin, which will provide which provide a high-level summary of the memory sample
C:\volatility>volatility.exe -f C:\dumps\coreflood.vmem imageinfo
Volatility Foundation Volatility Framework 2.6
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
AS Layer1 : IA32PagedMemoryPae (Kernel AS)
AS Layer2 : FileAddressSpace (C:\dumps\coreflood.vmem)
PAE type : PAE
DTB : 0x319000L
KDBG : 0x80544ce0L
Number of Processors : 1
Image Type (Service Pack) : 2
KPCR for CPU 0 : 0xffdff000L
KUSER_SHARED_DATA : 0xffdf0000L
Image date and time : 2010-08-15 18:24:00 UTC+0000
Image local date and time : 2010-08-15 14:24:00 -0400
Next lets list out the processes that are running on the machine. For this we will use pslist plugin.
Before moving ahead lets take a look at how pslist plugin works
- Windows internally uses The _EPROCESS structure to describe a process. To put it simply every process running on the system will have its corresponding _EPROCESS object in the kernel.
- _EPROCESS structure contains a _LIST_ENTRY structure called ActiveProcessLinks
- The _LIST_ENTRY structure contains two pointers : forward link that points to the _LIST_ENTRY of the next _EPROCESS structure, and the backward link that points to the _LIST_ENTRY of the previous _EPROCESS structure
- Together, these items create a chain of process objects, also called a doubly linked list
- pslist finds and walks the doubly linked list of processes and prints a summary of the data.
C:\volatility>volatility.exe -f C:\dumps\coreflood.vmem --profile=WinXPSP3x86 pslist > C:\dumps\coreflood\pslist.txtNote that we are using –profile=WinXPSP3x86 from imageinfo output and redirecting the output to pslist.txt. By redirecting output to a text file, we can refer to the output without running the plugin again.
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x810b1660 System 4 0 58 183 ------ 0
0xff2ab020 smss.exe 544 4 3 21 ------ 0 2010-08-
0xff1ecda0 csrss.exe 608 544 10 369 0 0 2010-08-
0xff1ec978 winlogon.exe 632 544 20 518 0 0 2010-08-
0xff247020 services.exe 676 632 16 269 0 0 2010-08-
0xff255020 lsass.exe 688 632 19 344 0 0 2010-08-
0xff218230 vmacthlp.exe 844 676 1 24 0 0 2010-08-
0x80ff88d8 svchost.exe 856 676 17 199 0 0 2010-08-
0xff217560 svchost.exe 936 676 10 272 0 0 2010-08-
0x80fbf910 svchost.exe 1028 676 71 1341 0 0 2010-08-
0xff22d558 svchost.exe 1088 676 5 80 0 0 2010-08-
0xff203b80 svchost.exe 1148 676 14 208 0 0 2010-08-
0xff1d7da0 spoolsv.exe 1432 676 13 135 0 0 2010-08-
0xff1b8b28 vmtoolsd.exe 1668 676 5 221 0 0 2010-08-
0xff1fdc88 VMUpgradeHelper 1788 676 4 100 0 0 2010-08-
0xff143b28 TPAutoConnSvc.e 1968 676 5 100 0 0 2010-08-
0xff25a7e0 alg.exe 216 676 6 105 0 0 2010-08-
0xff364310 wscntfy.exe 888 1028 1 27 0 0 2010-08-
0xff38b5f8 TPAutoConnect.e 1084 1968 1 61 0 0 2010-08-
0xff3865d0 explorer.exe 1724 1708 12 341 0 0 2010-08-
0xff3667e8 VMwareTray.exe 432 1724 1 49 0 0 2010-08-
0xff374980 VMwareUser.exe 452 1724 6 189 0 0 2010-08-
0x80f94588 wuauclt.exe 468 1028 4 134 0 0 2010-08-
0xff3ad1a8 IEXPLORE.EXE 2044 1724 10 366 0 0 2010-08-
0x80fdc368 logon.scr 124 632 1 15 0 0 2010-08-
0xff125020 cmd.exe 1136 1668 0 -------- 0 0 2010-08-
Just looking at process list can give some immediate clues worthy of further investigation. From above list we can note following points :
- One instance of IExplore.exe is running
- All svchost.exe processes have same parent process
- cmd.exe is also running and we need to further investigate what it is doing.
- All processes including critical ones are running with session 0
Lets take a look at process tree by running pstree plugin
pstree takes the output from pslist and formats it in a tree view, so we can easily see parent and child relationships
C:\volatility>volatility.exe -f C:\dumps\coreflood.vmem –profile=WinXPSP3x86 pstree > C:\dumps\coreflood\pstree.txt
Name Pid PPid Thds Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
0x810b1660:System 4 0 58 183 1970-
. 0xff2ab020:smss.exe 544 4 3 21 2010-
.. 0xff1ec978:winlogon.exe 632 544 20 518 2010-0
... 0xff255020:lsass.exe 688 632 19 344 2010-
... 0xff247020:services.exe 676 632 16 269 2010-
.... 0xff1b8b28:vmtoolsd.exe 1668 676 5 221 2010-
..... 0xff125020:cmd.exe 1136 1668 0 ------ 2010-
.... 0x80ff88d8:svchost.exe 856 676 17 199 2010-
.... 0xff1d7da0:spoolsv.exe 1432 676 13 135 2010-
.... 0x80fbf910:svchost.exe 1028 676 71 1341 2010-
..... 0x80f94588:wuauclt.exe 468 1028 4 134 2010-
..... 0xff364310:wscntfy.exe 888 1028 1 27 2010-
.... 0xff217560:svchost.exe 936 676 10 272 2010-
.... 0xff143b28:TPAutoConnSvc.e 1968 676 5 100 2010-
..... 0xff38b5f8:TPAutoConnect.e 1084 1968 1 61 2010-
.... 0xff22d558:svchost.exe 1088 676 5 80 2010-
.... 0xff218230:vmacthlp.exe 844 676 1 24 2010-
.... 0xff25a7e0:alg.exe 216 676 6 105 2010-
.... 0xff203b80:svchost.exe 1148 676 14 208 2010-
.... 0xff1fdc88:VMUpgradeHelper 1788 676 4 100 2010-
... 0x80fdc368:logon.scr 124 632 1 15 2010-
.. 0xff1ecda0:csrss.exe 608 544 10 369 2010-
0xff3865d0:explorer.exe 1724 1708 12 341 2010-
. 0xff3667e8:VMwareTray.exe 432 1724 1 49 2010-
. 0xff374980:VMwareUser.exe 452 1724 6 189 2010-
. 0xff3ad1a8:IEXPLORE.EXE 2044 1724 10 366 2010-
From above output we can say
- explorer.exe is the parent process of IEXPLORE.EXE
- pid of IEXPLORE.EXE is 2044
- As of now nothing suspicious is observed
Next we will take a look at cmdscan and consoles plugin
CMDSCAN Plugin
- cmdscan plugin finds commands executed by cmd.exe shells, even after the process has exited
- cmd.exe commands are processed by csrss.exe or conhost.exe, depending on the target platform. In other words cmd acts like a client in client-server architecture and most of the commands are kept in the process memory
- To dig deeper, winsrv.dll running inside CSRSS was responsible for record keeping in older windows versions
Consoles Plugin
looks for the console for information ( _CONSOLE_INFORMATION). In doing so, it has access to the screen buffers that
contain all lines of input and output that fit within the current width and height of the console window.
C:\volatility>volatility.exe -f C:\dumps\coreflood.vmem --profile=WinXPSP3x86 cmdscan
Volatility Foundation Volatility Framework 2.6
**************************************************
CommandProcess: csrss.exe Pid: 608
CommandHistory: 0xf786f8 Application: TPAutoConnect.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x448
output of consoles plugin
C:\volatility>volatility.exe -f C:\dumps\coreflood.vmem --profile=WinXPSP3x86 consoles
Volatility Foundation Volatility Framework 2.6
**************************************************
ConsoleProcess: csrss.exe Pid: 608
Console: 0x4e23b0 CommandHistorySize: 50
HistoryBufferCount: 1 HistoryBufferMax: 4
OriginalTitle: C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe
Title: C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe
AttachedProcess: TPAutoConnect.e Pid: 1084 Handle: 0x448
----
CommandHistory: 0xf786f8 Application: TPAutoConnect.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x448
----
Screen 0x4e2ab0 X:80 Y:25
Dump:
TPAutoConnect User Agent, Copyright (c) 1999-2009 ThinPrint AG, 7.17.512.1
**************************************************
ConsoleProcess: csrss.exe Pid: 608
Console: 0xf78958 CommandHistorySize: 50
HistoryBufferCount: 2 HistoryBufferMax: 4
OriginalTitle: ??ystemRoot%\system32\cmd.exe
Title:- No malicious activity observed
Next we will check Network activity on the host. Most of the trojans communicate with Command and Control server and analysis network activity on the host can give important clues.
We will start will Connscan plugin
To find _TCPT_OBJECT structures using pool tag scanning, use the connscan command. This can find artifacts from previous connections that have since been terminated, in addition to the active ones.
C:\volatility>volatility.exe -f C:\dumps\coreflood.vmem --profile=WinXPSP3x86 connscan > C:\dumps\coreflood\connscan.txt
Offset(P) Local Address Remote Address Pid
---------- ------------------------- ------------------------- ---
0x00eda590 172.16.176.143:1058 65.54.81.209:80 2044
0x01079e70 172.16.176.143:1082 209.234.234.16:80 2044
0x0107c888 172.16.176.143:1059 4.23.40.126:80 2044
0x0108fcd8 172.16.176.143:1072 65.55.15.124:80 2044
0x010fa448 172.16.176.143:1065 65.55.253.21:80 2044
0x02214988 172.16.176.143:1092 65.54.81.14:80 2044
0x026c68a8 172.16.176.143:1074 65.55.15.243:80 2044
0x02ae4bb0 172.16.176.143:1073 65.55.15.123:80 2044
0x048b25f0 172.16.176.143:1085 65.55.149.119:80 2044
0x04a045f8 172.16.176.143:1057 65.54.81.49:80 2044
0x04a04e70 172.16.176.143:1095 69.43.160.145:80 2044
0x04a4a4a0 172.16.176.143:1084 12.120.180.24:80 2044
0x04be2558 172.16.176.143:1079 65.54.81.22:80 2044
0x05536e70 172.16.176.143:1090 65.54.81.14:80 2044
0x05802340 172.16.176.143:1062 65.55.18.18:80 2044
0x05c9e200 172.16.176.143:1067 65.54.81.14:80 2044
0x05deea30 172.16.176.143:1068 65.54.81.14:80 2044
0x06015ab0 172.16.176.143:1053 207.46.170.10:80 2044
0x0605f208 172.16.176.143:1086 202.89.231.60:80 2044
0x06125538 172.16.176.143:1083 65.54.81.79:80 2044
0x0623a438 172.16.176.143:1066 96.6.41.210:80 2044
0x06450720 172.16.176.143:1077 65.55.149.121:80 2044
0x064509f0 172.16.176.143:1063 64.4.18.73:80 2044
0x06497a68 172.16.176.143:1075 65.55.15.124:80 2044
0x067bd218 172.16.176.143:1070 65.54.81.209:80 2044
0x07c17be0 172.16.176.143:1060 65.55.239.161:80 2044
- We can observer number of connections to external servers
- All connections are made by pid 2044 , iexplore.exe
- All connections are using port 80
- Apart from processes using http port 80, nothing suspicious.
Next we will take a look at the output of sockets plugin
C:\volatility>volatility.exe -f C:\dumps\coreflood.vmem --profile=WinXPSP3x86 sockets > C:\dumps\coreflood\sockets.txt
Offset(V) PID Port Proto Protocol Address Create Time
---------- -------- ------ ------ --------------- --------------- -----------
0x80fd1008 4 0 47 GRE 0.0.0.0 2010-08-11 06:08:00
0xff158c00 2044 1052 17 UDP 127.0.0.1 2010-08-15 18:11:19
0xff258008 688 500 17 UDP 0.0.0.0 2010-08-11 06:06:35
0xff2984a0 1088 1078 17 UDP 0.0.0.0 2010-08-15 18:11:23
0xff367008 4 445 6 TCP 0.0.0.0 2010-08-11 06:06:17
0x80ffc128 936 135 6 TCP 0.0.0.0 2010-08-11 06:06:24
0xff225b70 688 0 255 Reserved 0.0.0.0 2010-08-11 06:06:35
0xff254008 1028 123 17 UDP 127.0.0.1 2010-08-15 18:24:00
0x80fce930 1088 1025 17 UDP 0.0.0.0 2010-08-11 06:06:38
0xff127d28 216 1026 6 TCP 127.0.0.1 2010-08-11 06:06:39
0xff3a97a0 1088 1061 17 UDP 0.0.0.0 2010-08-15 18:11:21
0xff12b580 1148 1900 17 UDP 127.0.0.1 2010-08-15 18:24:00
0xff1b8250 688 4500 17 UDP 0.0.0.0 2010-08-11 06:06:35
0xff382e98 4 1033 6 TCP 0.0.0.0 2010-08-11 06:08:00
0x80fbdc40 4 445 17 UDP 0.0.0.0 2010-08-11 06:06:17
- Pid 2044 has 1 incoming UDP connection
- Nothing much is observed.
To sum up, we have executed and analyzed all the basic Volatility plugins and till now we do not have any clue of malicious activity on the host. cmd.exe and iexplore.exe, the processes that can under scanner by default , are not looking suspicious by basic analysis and now we have to dig deeper to find out . Before using more sophisticated plugins, I as a matter of habit always analyze environment variables set on the host.
To display env variables that are being used by processes we will execute envars plugin. This plugin will list out all the environment variables . T
C:\volatility>volatility.exe -f C:\dumps\coreflood.vmem --profile=WinXPSP3x86 envars > C:\dumps\coreflood\envars.txtHere, will just put the intersting parts of the output
...
....
...
2044 IEXPLORE.EXE 0x00010000 ALLUSERSPROFILE C:\Documents and Settings\All Users
2044 IEXPLORE.EXE 0x00010000 APPDATA C:\Documents and Settings\Administrator\Application Data
2044 IEXPLORE.EXE 0x00010000 CLIENTNAME Console
2044 IEXPLORE.EXE 0x00010000 CommonProgramFiles C:\Program Files\Common Files
2044 IEXPLORE.EXE 0x00010000 COMPUTERNAME BILLY-DB5B96DD3
2044 IEXPLORE.EXE 0x00010000 ComSpec C:\WINDOWS\system32\cmd.exe
2044 IEXPLORE.EXE 0x00010000 FP_NO_HOST_CHECK NO
2044 IEXPLORE.EXE 0x00010000 GIEVMXDVLMISML EWONSYG
2044 IEXPLORE.EXE 0x00010000 HOMEDRIVE C:
2044 IEXPLORE.EXE 0x00010000 HOMEPATH \Documents and Settings\Administrator
2044 IEXPLORE.EXE 0x00010000 LOGONSERVER \\BILLY-DB5B96DD3
2044 IEXPLORE.EXE 0x00010000 NUMBER_OF_PROCESSORS 1
2044 IEXPLORE.EXE 0x00010000 OS Windows_NT
2044 IEXPLORE.EXE 0x00010000 Path C:\Program Files\Internet Explorer;;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
2044 IEXPLORE.EXE 0x00010000 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
2044 IEXPLORE.EXE 0x00010000 PROCESSOR_ARCHITECTURE x86
2044 IEXPLORE.EXE 0x00010000 PROCESSOR_IDENTIFIER x86 Family 6 Model 23 Stepping 10, GenuineIntel
2044 IEXPLORE.EXE 0x00010000 PROCESSOR_LEVEL 6
2044 IEXPLORE.EXE 0x00010000 PROCESSOR_REVISION 170a
2044 IEXPLORE.EXE 0x00010000 ProgramFiles C:\Program Files
2044 IEXPLORE.EXE 0x00010000 SESSIONNAME Console
2044 IEXPLORE.EXE 0x00010000 SystemDrive C:
2044 IEXPLORE.EXE 0x00010000 SystemRoot C:\WINDOWS
2044 IEXPLORE.EXE 0x00010000 TEMP C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
2044 IEXPLORE.EXE 0x00010000 TMP C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
2044 IEXPLORE.EXE 0x00010000 USERDOMAIN BILLY-DB5B96DD3
2044 IEXPLORE.EXE 0x00010000 USERNAME Administrator
2044 IEXPLORE.EXE 0x00010000 USERPROFILE C:\Documents and Settings\Administrator
2044 IEXPLORE.EXE 0x00010000 windir C:\WINDOWS
124 logon.scr 0x00010000 ALLUSERSPROFILE C:\Documents and Settings\All Users
124 logon.scr 0x00010000 CommonProgramFiles C:\Program Files\Common Files
124 logon.scr 0x00010000 COMPUTERNAME BILLY-DB5B96DD3
124 logon.scr 0x00010000 ComSpec C:\WINDOWS\system32\cmd.exe
124 logon.scr 0x00010000 FP_NO_HOST_CHECK NO2044 IEXPLORE.EXE 0x00010000 GIEVMXDVLMISML EWONSYGIf you take a close look at above line we observe that pid 2044 is using a very strangely named environment variable with a even more stranger value. A quick google search , did not reveal anything and this is the first clue that something suspicious is going on with pid 2044 , IEXPLORE.EXE and going ahead we should focus our investigation on this process.
Conclusion
To conclude the first part of the series we used basic volatility commands :
- pslist to list out all the processes running on the host
- pstree to check hierarchy of processes
- cmdscan to list commands executed by cmd.exe
- consoles to print screen outputs
- connscan to list connections
- sockets to list open/closed sockets
- envars to list environment variables used by processes
We finally got a clue with envars plugin which suggested that iexplore.exe process could be compromised and in the next post we will take a closer look into it
14 Responses