Hey Darren,
On Tue, Nov 8, 2011 at 8:48 PM, Darren Spruell <phatbuckett(a)gmail.com> wrote:
I've got a suspect process running on a system.
0x0703fcb8 8880792.tmp 5940 1504 0x0b353000 2011-05-27 07:00:12
%Windir%\Temp\8880792.tmp
It's 64K on disk and looks like it's packed with Armadillo:
File Name: 8880792.tmp
File Size: 65536
File Type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 Hash: fec737234a47ae90ee79af44d3081a4d
SHA1 Hash: 4fb9abf6aba05ec1232b98ab39073c7635f7b9aa
Cymru MHR: Not listed
Packer ID(s):
=> Armadillo v1.71
Number of sections: 3
--------------------
('.text\x00\x00\x00', '0x1000', '0xb446', 49152)
('.rdata\x00\x00', '0xd000', '0x15d2', 8192)
('.data\x00\x00\x00', '0xf000', '0x20c0', 4096)
I dump process memory (procmemdump) and end up with strings not much
different than what I get for the file on disk. The procmemdump output
is about 10K larger.
The memdump output is 245M and going through the addressable memory
contents I get loads of suspicious data that looks like it's related
to malware. Samples:
are\EES\BIFROST
//sharedfreehosting.c
USER remote
hello keypublic
WEBCAM Ekran.png Ekran.bmp
60.167.78.224
www.proxyserverlist.biz
proxy_checker/index.php
ClientSocket
www.66444.com
open
ww4.tmdqq.net/51lin
www3.57185.com/is686_.h
1.hao591.net/is6
exefile=cdb.exe
dllfile=test.dll
regedits=stubpath
tp://bravor.net
w.ya.ru
whatismyip.co
Welcom to BackDor serv by emPyte
Fan666` .
tem\lsass.ex
ion\Run
*sniff*
sad
yo,
PRIVMSG
Splinter ddos v1.0
INFECT
Plus!
terra.com.mx
send.aspx?id=
Windll22.exe
!reboot
!reconnect
!join
!pwl
!connection
!switch
!chatslaves
Connected to
NetShadow v1.2
Server ID:
F:\Work\TEST MyFunlove
\calc.ex
LAgPCfAGCxoRI
CwgMCA8JERAO9x
Chat-Fenster
pcinfo
Resolution:
tmdqq.net 57185.com
szfocus.net
cool-pic.com
dcomScaner
Vortex1 mazafaka
GONNA BE AN IRCF
HTTP://WWW.ASEXVIDEO
HACKTOOLZ
?ACTION=LOGIN&SEND=
ICQBETA
I suppose though that this is data from the HIPS application that has
been injected into this executable's process space. The same strings
are present in the memory space of all processes. I want to confirm
this by finding an indicator in the process memory that attributes
this data to the HIPS application. What is the best way to do this?
That's possible. I'd suggest using vaddump instead of memdump. You'll
get the same content, but it will be broken up into chunks named
according to the starting address. For example:
$ ls -alh vads/
-rw-r--r-- 1 User staff 128K Feb 8 15:29 System.a2d960.00120000-0013ffff.dmp
-rw-r--r-- 1 User staff 128K Feb 8 15:29 System.a2d960.00140000-0015ffff.dmp
-rw-r--r-- 1 User staff 128K Feb 8 15:29 System.a2d960.00160000-0017ffff.dmp
-rw-r--r-- 1 User staff 128K Feb 8 15:29 System.a2d960.00180000-0019ffff.dmp
Then you'd find out which one(s) contain the strings you see. If it's
the first one, then you know the starting memory address is 00120000.
Then you'd use vadinfo on that process and look for the vad entry
whose start address is 00120000. The entry will tell you if there's a
mapped file or DLL loaded there, if the memory is executable or just
RW, and some other things. Compare those characteristics to some known
instances of code injection (like zeus, stuxnet, whatever).
My initial suspicion is that the VAD table could show me that. Is this
right? How could this analysis proceed in Volatility? The 'modules'
plugin shows me a couple of entries that I suspect relate to it.
0x8a3c01e8 mfehidk.sys
0x00f70a9000 0x052000 mfehidk.sys
0x89030a20 \SystemRoot\system32\drivers\mfetdik.sys
0x00f7697000 0x00e000 mfetdik.sys
0x89237e68 \Device\mfehidk01.sys
0x00b7f38000 0x053000 mfehidk01.sys
Well those are related in the sense that they're part of McAfee, but
"modules" shows the kernel drivers and you're asking about something
found in user mode. Also depending on which product of McAfee's is
installed, you may see DLLs with names like HIPIS*.dll, which you can
then look at the module base + size to figure out where it's loaded. Or
use the verinfo plugin which can sometimes print FileDescription =
"HIPSCore Injected Stub" etc.
Hope it helps!
MHL
--
Darren Spruell
phatbuckett(a)gmail.com
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
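As an added example (not code from this thread or from Volatility), the following Python 3 script carries out the first step of the procedure MHL describes: it scans a directory of vaddump output files for the suspect strings and reports, for each file that matches, the VAD start address parsed from the file name, which is the value to look up with vadinfo. The file names follow the listing above; the dump contents and the string list are constructed sample data, and the strings are matched both as ASCII and as UTF-16LE.

```python
import os
import re
import tempfile

# vaddump names its files <process>.<offset>.<start>-<end>.dmp (see the ls listing above).
VAD_NAME = re.compile(r"\.([0-9a-f]{8})-([0-9a-f]{8})\.dmp$", re.IGNORECASE)


def scan_vad_dumps(vad_dir, needles):
    """Return {vad_start_address: [matched needles]} for every dump file that
    contains at least one needle, as ASCII or as UTF-16LE (wide) text."""
    hits = {}
    encoded = [(n, n.encode("ascii"), n.encode("utf-16-le")) for n in needles]
    for name in sorted(os.listdir(vad_dir)):
        m = VAD_NAME.search(name)
        if not m:
            continue  # not a vaddump file
        with open(os.path.join(vad_dir, name), "rb") as f:
            data = f.read()
        found = [n for n, narrow, wide in encoded if narrow in data or wide in data]
        if found:
            hits[int(m.group(1), 16)] = found
    return hits


def build_sample_vads(vad_dir):
    """Constructed sample dumps: only the 00140000 region carries suspect strings."""
    regions = {
        "System.a2d960.00120000-0013ffff.dmp": b"\x00" * 64,
        "System.a2d960.00140000-0015ffff.dmp": (
            b"junk" + b"Splinter ddos v1.0\x00"
            + "!chatslaves".encode("utf-16-le") + b"\x00" * 16
        ),
        "System.a2d960.00160000-0017ffff.dmp": b"\x90" * 64,
    }
    for name, content in regions.items():
        with open(os.path.join(vad_dir, name), "wb") as f:
            f.write(content)


def demo():
    """Build the sample dumps in a temp dir and scan them for three sample strings."""
    needles = ["Splinter ddos v1.0", "!chatslaves", "HIPSCore Injected Stub"]
    with tempfile.TemporaryDirectory() as d:
        build_sample_vads(d)
        return scan_vad_dumps(d, needles)


if __name__ == "__main__":
    for start, matched in demo().items():
        print("vadinfo entry to inspect: start 0x%08x -> %s" % (start, matched))
```

Once a region is identified, the printed start address is the one to match against the VAD entry's start in vadinfo output to see whether a mapped file backs it and what its protection is.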