Stuxnet Trojan - Memory Forensics with Volatility | Part II

DETECTING API CALLS

If we use the command below, we can see the strings of these exported files in order to try to locate some interesting words...
strings evidences/process.*

Thank to Volatility we can find the apihooks of this memory dump. In the picture below, you will see the apihooks related with the malicious process 1928.
python2 vol.py -f stuxnet.vmem malfind apihooks –p 1928


These calls are directly linked to the Stuxnet worm. You can read the article below from Symantec.

http://www.symantec.com/connect/blogs/w32stuxnet-installation-details

DETECTING MALICIOUS DRIVERS

With modscan we can pick up previously unloaded drivers and drivers that have been hidden/unlinked by rootkits.
python2 vol.py -f stuxnet.vmem modscan

The first driver draws our attention… Please, take notes of the “Base” value (0xb21d08000) because we will export it with the command bellow.
python2 vol.py -f stuxnet.vmem moddump --dump-dir evidences/ --base 0xb21d8000

We get the sha256 hash of this driver...
sha256sum evidences/driver.b21d8000.sys


...and we upload it to www.virustotal.com

Here you have the report where you will see that this drivers has been  recognized as malicious.

https://www.virustotal.com/en/file/6aa1f54fbd8c79a3109bfc3e7274f212e5bf9c92f740d5a194167ea940c3d06c/analysis/


We have just detected a malicious driver but I think that it’s necessary to look for more  drivers with a similar name in order to try to find a new ones...
python2 vol.py -f stuxnet.vmem modscan | grep mrx

Ok. Let’s go to export the second suspicious driver. We will follow the same steps as described above.
python2 vol.py -f stuxnet.vmem moddump --dump-dir evidences/ --base 0xf895a000

https://www.virustotal.com/en/file/6bc86d3bd3ec0333087141215559aec5b11b050cc49e42fc28c2ff6c9c119dbd/analysis/


We have just found two malicious drivers: mrxcls.sys and mrxnet.sys. 

I checked with the same commands the other two drivers and they aren’t categorized as malicious files. This is the reason I haven't show you.

DETECTING REGISTER KEYS

In this section, we will detect the register keys that have been added to the computer. With the command below, we will see a lot of them.
strings stuxnet.vmem | grep –i mrx | grep -i Services

We can obtain valuable information about some of them with the next commands.
python2 vol.py -f stuxnet.vmem printkey -K 'ControlSet001\Services\MrxNet'

python2 vol.py stuxnet .vmem printkey -K 'ControlSet001\Services\MrxCls'

With these key registers, Stuxnet will be started in each computer restart.

Source: http://www.behindthefirewalls.com/2014/01/stuxnet-memory-forensics-volatility-II.html

Nhận xét

Bài đăng phổ biến từ blog này

CLEANING UP THE ZABBIX DATABASE

Configuring DHCP Relay service on the FortiGate unit

[Resolved] Amazon EC2 Redhat 7 using 6GB for the root space