/Malware-Analysis

An e-book of malware analysis applications

Malware Analysis

An E-book of malware analysis applications.You can download the programs used here from the applications folder.

Will be constantly updated...

PAGES

1-)Zeus Botnet Memory Analysis

2-)Stuxnet Memory Analysis

3-)Darcomet RAT Memory Analysis

Zeus Botnet Memory Analysis

We will analyze memory dump with Volatility. We run the following command to find out from which system the image was taken.

vol.exe -f zeus.vmem imageinfo

1

Processes taken in the image are displayed with the following command.

vol.exe -f zeus.vmem pstree

2

There doesn't appear to be a problem with running processes. We will check if there is a connection to the machine and if there is a connection to the machine, we will find out which process started via PiD.

vol.exe -f zeus.vmem connscan

3

When we look at the screenshot above, we see that svchost.exe connects to the connection on port 80.This is not normal for svchost.exe. (For more information on svchost.exe, see here. https://www.howtogeek.com/howto/windows-vista/what-is-svchostexe-and-why-is-it-running/ )

We continue

We check whether the address 193.104.41.75 is in the black list via ipvoid.com.

4

We see that the result is clean.

We check the ip address on the malwaredomain.com site.

5

It has been observed that the ip address is distributing malicious files and the description is zeus botnet.

Let's see if the malicious file runs itself at startup.

vol.exe -f zeus.vmem printkey -K "Microsoft\Windows NT\CurrentVersion\Winlogon"

6

As seen in the screenshot, sdra64.exe runs itself automatically.

We are now looking for a malicious signature.

vol.exe -f zeus.vmem malfind -D dump

I saved the output under the dump folder. We see svchost.exe in the output.

7

Now with piD, the malware signature is saved under the dump folder

vol.exe -f zeus.vmem malfind -D dump/ -p 856

The output in the dump folder was scanned at virustotal.com. and once again we see that the malware is Zbot.

8

Stuxnet Memory Analysis

What is stuxnet?

Stuxnet is worm software used by the US and Israel to disrupt Iran's nuclear operations. The virus, whose existence was revealed in June 2010, affected Iran's nuclear facilities in Bushehr and Natanz. We are looking at image information

vol.exe -f stuxnet.vmem imageinfo

9

then we view the processes in the system.

vol.exe -f stuxnet.vmem pslist

10 11

It is doubtful to have 3 identical lsass.exe processes.

vol.exe -f stuxnet.vmem pstree

We are viewing the start time of processes.

12

The winlogon process must run in order to perform the login process in the Windows operating system. We see that piD 680 and piD 624 start at the same time. this appears normal, but other lsass.exe processes do not appear to be normal.piD(868, 1928)

Let's examine the network connections.

vol.exe -f stuxnet.vmem connections

13

no open network connections were seen. We are examining the network sockets.

vol.exe -f stuxnet.vmem sockets

14

It is normal for lsass.exe number piD 680 to broadcast from 500 and 4500 ports, but it isn't normal that the other 2 lsass.exe processes don't open ports.

vol.exe -f stuxnet.vmem ldrmodules -p 1928 -v

The dlls of the process piD 1928 have been seen.

15

As seen in the screenshot, kernel calls made are related to stuxnet.We are now looking for a malware signature.

vol.exe -f stuxnet.vmem malfind -p 1928 -D dump

16

We go to virustotal.com and scan the results

17

Darcomet RAT

Download image: https://drive.google.com/file/d/0B-pKvSR-QbsHdDRzeG8xNVNnbEU/edit

As always, we first look at the image information.

vol .exe -f WIN-TTUMF6EI3O3-20140203-123134.raw imageinfo

18

We see that the image is taken from the Windows 7 operating system. Then the psxview parameter is executed to see the process list.

vol .exe -f WIN-TTUMF6EI3O3-20140203-123134.raw --profile=Win7SP1x86 psxview

20

Looking carefully at the screenshot, the process that should be rundll32.exe is shown as runddl32.exe. This process is suspicious. We need to examine the dll files that the process uses.

vol .exe -f WIN-TTUMF6EI3O3-20140203-123134.raw --profile=Win7SP1x86 dlllist -p 1524

1

When we look at the file path that started the process, we can see that appdata is used. We are deepening our research

vol.exe -f WIN-TTUMF6EI3O3-20140203-123134.raw --profile=Win7SP1x86 dumpfiles -r runddl32 -D .

2

these files will be stored for review with the strings utility. We continue to see if runddl32.exe starts other processes.

vol.exe -f WIN-TTUMF6EI3O3-20140203-123134.raw --profile=Win7SP1x86 pstree

3

After running 2 cmd as separate processes, it was seen that notepad.exe and runddl32.exe were running. We use malfind parameter for notepad.exe

vol.exe -f WIN-TTUMF6EI3O3-20140203-123134.raw --profile=Win7SP1x86 -p 1896 malfind

vol.exe -f WIN-TTUMF6EI3O3-20140203-123134.raw --profile=Win7SP1x86 memdump -p 1896 -D dumpfiles

We will use the mutantscan parameter to find mutex objects in memory.

4

We see that the malware is dc_mutex_khnew006.

Now we dump runddl32.exe continuation

Let's analyze the dump file with the strings tool.

5

As you can see, everything is clearly seen. ;)

Let's look at the startup

vol.exe -f WIN-TTUMF6EI3O3-20140203-123134.raw --profile=Win7SP1x86 printkey -K "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

6

the malware has been shown to run itself at startup and the analysis is over.