Memory Analysis of DarkComet using VolDiff
In this wiki page we will be using VolDiff to analyze a memory image of a Windows 7 system that has been infected with the DarkComet RAT.
A detailed memory analysis of DarkComet was provided in the past by TekDefense in this recommended read. The purpose of this wiki page is not to duplicate the TekDefense analysis, but to demonstrate the automation that VolDiff provides for detecting and dissecting the threat.
The DarkComet memory image has been made available by TekDefense and can be downloaded using this link.
We will be using a Ubuntu 14.04 desktop system where the Volatility framework is installed.
Let's use the `--help` switch to find the correct VolDiff syntax to use:

```
python2.7 VolDiff.py --help
```

```
Usage: ./VolDiff.py [BASELINE_IMAGE] INFECTED_IMAGE PROFILE [OPTIONS]

Options:
  --help              display this help and exit
  --version           display version information and exit
  --dependencies      display information about script dependencies and exit
  --malware-checks    hunt and report suspicious anomalies (slow, recommended)
  --no-report         do not create a report
```
In this case, all we have is an "infected" memory image with no clean image to use as a baseline. The accurate profile to use is `Win7SP1x86`. Let's not forget to append the recommended `--malware-checks` option, which will instruct VolDiff to identify and report threat / malware artifacts:

```
python2.7 VolDiff.py path/to/DarkComet/image.raw Win7SP1x86 --malware-checks
```
VolDiff will run a selection of 40+ Volatility plugins against the memory image. Once that is done, and since we have opted for the `--malware-checks` option, VolDiff will analyse the output of these plugins and report the anomalies identified. The entire process usually takes no less than 10 minutes to complete.
```
VolDiff: Malware Memory Footprint Analysis (v2.1)
Only one memory image specified: standalone mode
Path to memory image: path/to/DarkComet/image.raw
Profile: Win7SP1x86

Running a selection of volatility plugins (time consuming):
Volatility plugin handles execution in progress...
Volatility plugin psxview execution in progress...
...
Volatility plugin gditimers execution in progress...
Volatility plugin ssdt execution in progress...

Hunting for malicious artifacts in memory...

VolDiff execution completed in 10 minutes and 30 seconds.
```
VolDiff stores the output of the Volatility plugins in a folder named `VolDiff_DD-MM-YYYY_HH:MM`. A text report with the name `VolDiff_Report.txt` is created within that folder.
Since no baseline image was provided to VolDiff, the tool won't be able to spot/report the exact changes that the malware execution introduced to the system. Nonetheless, the Volatility plugin execution results provide a wealth of information for VolDiff to be able to identify abnormal processes, injected code, suspicious timers etc.
The first section of the VolDiff report will highlight the unique IP addresses that were found in the output of plugins such as `netscan` and `iehistory`:

```
IP addresses found in netscan output.
=======================================
192.168.26.136
176.106.48.182
```
While the first IP address in the list is obviously a private one, 176.106.48.182 definitely warrants further investigation. A quick search on VirusTotal shows that the IP is indeed associated with malicious activity.
VolDiff runs a number of checks to identify the suspicious processes within the memory image. Examples include child/parent process relationships, process sessions, execution paths, etc. All the checks are solely based on the output of Volatility plugins such as `pslist`, `psscan`, `dlllist` and `malfind`.
Within the DarkComet memory image, VolDiff spotted an unusual parent process ID of 3220 with four child processes, three of which are highly suspicious cmd.exe instances:

```
Parent process with PPID 3220 is not listed in psscan output.
===============================================================
Offset(P)          Name             PID    PPID   PDB        Time created
------------------ ---------------- ------ ------ ---------- -----------------------------
0x000000003e859af0 cmd.exe          3656   3220   0x3f57a4c0 2014-02-03 12:27:17 UTC+0000
0x000000003e935af0 cmd.exe          3656   3220   0x3f57a4c0 2014-02-03 12:27:17 UTC+0000
0x000000003fb35d40 cmd.exe          1128   3220   0x3f57a500 2014-02-03 12:27:17 UTC+0000
0x000000003fb36030 runddl32.exe     1524   3220   0x3f57a5a0 2014-02-03 12:27:18 UTC+0000
```
The fourth child is runddl32.exe, which has a suspicious name and runs from a temporary folder. Again, this information is highlighted in the VolDiff report:
```
Process runddl32.exe (PID 1524) is running from a temporary folder (\users\tekdef~1\appdata\local\temp\msdcsc\runddl32.exe).
========================================================================
Offset(P)          Name             PID    PPID   PDB        Time created
------------------ ---------------- ------ ------ ---------- ------------------------------
0x000000003fb36030 runddl32.exe     1524   3220   0x3f57a5a0 2014-02-03 12:27:18 UTC+0000
```
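The two checks shown above (a parent PID that never appears in `psscan` output, and an executable running from a temp folder) re-implemented as an added Python example; this is not VolDiff's own code. The psscan text is constructed (the PPID 3220 rows and the notepad.exe row follow the report, the wininit.exe and explorer.exe rows and the `IMAGE_PATHS` map are made up), and `EXPECTED_ORPHANS` lists Windows 7 processes whose parent normally exits, so that the heuristic does not fire on them.

```python
import re
from collections import defaultdict

# Constructed psscan-style sample (hypothetical, not VolDiff's output): the rows with
# PPID 3220 and the notepad.exe row come from the report quoted above, the rest are made up.
PSSCAN_SAMPLE = """\
Offset(P)          Name             PID    PPID   PDB        Time created
------------------ ---------------- ------ ------ ---------- -----------------------------
0x000000003ea1c8a0 wininit.exe      368    320    0x3f57a060 2014-02-03 12:19:42 UTC+0000
0x000000003ecb5d40 explorer.exe     2052   2004   0x3f57a3e0 2014-02-03 12:20:05 UTC+0000
0x000000003fb35d40 cmd.exe          1128   3220   0x3f57a500 2014-02-03 12:27:17 UTC+0000
0x000000003fb36030 runddl32.exe     1524   3220   0x3f57a5a0 2014-02-03 12:27:18 UTC+0000
0x000000003fb06480 notepad.exe      1896   1524   0x3f57a5c0 2014-02-03 12:27:18 UTC+0000
"""
# Hypothetical PID -> image path map, as dlllist/cmdline output would provide it;
# the runddl32.exe path is the one quoted in the report.
IMAGE_PATHS = {
    1524: r"\users\tekdef~1\appdata\local\temp\msdcsc\runddl32.exe",
    1896: r"\windows\system32\notepad.exe",
    2052: r"\windows\explorer.exe",
}
ROW = re.compile(r"^(0x[0-9a-f]+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(0x[0-9a-f]+)\s+(.+)$")
# On Windows 7 these are parented by a process that exits right after spawning them
# (smss -> wininit/winlogon/csrss, userinit -> explorer), so a missing parent is normal.
EXPECTED_ORPHANS = {"smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe", "explorer.exe"}
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")

def parse_psscan(text):
    """Turn psscan table text into dicts, skipping the header and rule lines."""
    rows = (ROW.match(line.strip()) for line in text.splitlines())
    return [{"name": m.group(2), "pid": int(m.group(3)), "ppid": int(m.group(4))}
            for m in rows if m]

def orphaned_parents(procs, ignore_expected=True):
    """Map each PPID that never appears as a PID to the names of the children citing it."""
    pids = {p["pid"] for p in procs}
    missing = defaultdict(list)
    for p in procs:
        if p["ppid"] in pids or (ignore_expected and p["name"].lower() in EXPECTED_ORPHANS):
            continue
        missing[p["ppid"]].append(p["name"])
    return dict(missing)

def temp_folder_processes(procs, paths):
    """Return PIDs whose executable path (from the supplied map) lies under a temp folder."""
    return [p["pid"] for p in procs
            if any(marker in paths.get(p["pid"], "").lower() for marker in TEMP_MARKERS)]
```

With `ignore_expected=False` the same function also reports wininit.exe and explorer.exe, which shows why an allow-list of known orphaned system processes is needed before treating a missing parent as an indicator.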
If any process is identified as potentially malicious by VolDiff, more information will be collected and reported about it further down the line in the report. In the DarkComet memory image case, no less than three processes will be thoroughly analysed by VolDiff, for different reasons detailed in the report as follows:
```
Processes that will be analysed in the next section:
=======================================================
runddl32.exe (1524): non-default process, potential code injection, running from a temporary folder.
notepad.exe (1896): non-default process, potential code injection.
explorer.exe (2052): potential code injection.
```
In the following section we will explore the information reported by VolDiff about runddl32.exe.
When analyzing a suspicious process, VolDiff starts by dumping the process executable to disk using the `procdump` plugin, then calculates its MD5 hash. Based on that hash, it will check whether an executable with the same hash was ever submitted to VirusTotal:

```
VirusTotal scan results:
---------------------------
MD5 value: f13a88591bfa841ef474bcb5f1cf9067
VirusTotal scan date: 2015-03-28 15:32:17
VirusTotal engine detections: 51/57
Link to VirusTotal report: https://www.virustotal.com/file/d8a9a2ff060cf4f9994a07afbab33054d4e7d784f6987ef8e2fb40a3362363dc/analysis/1427556737/
```
51 AV engines out of 57 detected the process as malicious. The associated VirusTotal report can be viewed online using this link.
Note that VolDiff did not upload any data to VirusTotal to get those results, other than the MD5 hash of the process executable.
VolDiff will then display other information about the suspicious process, such as the `psxview` output, the associated `envars` (environment variables), parent/child process information, etc. Here is a brief extract of the report section highlighting the parent and child processes of runddl32.exe:

```
Parent process (PPID 3220) is not listed in psscan output:
--------------------------------------------------------------
Offset(P)          Name             PID    PPID   PDB        Time created
------------------ ---------------- ------ ------ ---------- ------------------------------
0x000000003e859af0 cmd.exe          3656   3220   0x3f57a4c0 2014-02-03 12:27:17 UTC+0000
0x000000003e935af0 cmd.exe          3656   3220   0x3f57a4c0 2014-02-03 12:27:17 UTC+0000
0x000000003fb35d40 cmd.exe          1128   3220   0x3f57a500 2014-02-03 12:27:17 UTC+0000
0x000000003fb36030 runddl32.exe     1524   3220   0x3f57a5a0 2014-02-03 12:27:18 UTC+0000
```

```
Child process(es):
--------------------
Offset(P)          Name             PID    PPID   PDB        Time created
------------------ ---------------- ------ ------ ---------- ------------------------------
0x000000003fb06480 notepad.exe      1896   1524   0x3f57a5c0 2014-02-03 12:27:18 UTC+0000
```
One of the best-known and most powerful Volatility plugins is `malfind`. We can see in the report the associated output for runddl32.exe:

```
Code injection (malfind):
----------------------------
Process: runddl32.exe Pid: 1524 Address: 0x220000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x00220000  00 00 00 00 59 e9 52 10 20 00 e8 f5 ff ff ff 00   ....Y.R.........
0x00220010  00 00 00 00 00 00 00 e8 e8 ff ff ff 0a 00 22 00   ..............".
0x00220020  00 00 00 00 e8 db ff ff ff 17 00 22 00 00 00 00   ...........".....
0x00220030  00 e8 ce ff ff ff 24 00 22 00 00 00 00 00 e8 c1   ......$.".......
```
Another powerful Volatility plugin is `impscan`, which can be used to scan the import table of any process within the memory image. VolDiff uses the information provided by `impscan` to highlight the interesting imports from a malware analysis perspective:

```
Interesting imports.
----------------------
Can use antidebug techniques (FindWindowA, FindWindowExA, GetLastError, GetProcessHeap, GetWindowThreadProcessId, Sleep, TerminateProcess, UnhandledExceptionFilter, WSAGetLastError).
Can receive or send files from or to internet (InternetReadFile, URLDownloadToFileA, WSACleanup, WSAGetLastError, WSAIoctl, WSAStartup, __WSAFDIsSet, accept, bind, closesocket, connect, gethostbyaddr, gethostbyname, gethostname, getservbyname, getsockname, inet_addr, inet_ntoa, ioctlsocket, listen, ntohs, select, send, sendto, shutdown, socket).
Can inject code to other processes (CreateProcessA, CreateRemoteThread, FindResourceA, LoadLibraryA, LoadLibraryExA, ResumeThread, SetThreadContext, VirtualAllocEx, VirtualProtectEx, WinExec, WriteProcessMemory, ZwQuerySystemInformation).
Can create or start services (CreateServiceA, OpenServiceA, StartServiceA).
Can track keyboard strokes (GetKeyState, GetKeyboardState).
```
Last but not least, VolDiff will perform a quick analysis of the strings present in the dumped process executable, and report any findings of interest:
```
Suspicious strings from process memory.
----------------------------------------
Web related keyword(s): DOWNLOAD, Download, HTTP, Http, Socket, URLMON, UrlMon, download, http, socket
Information gathering keyword(s): GetHost, GetVolumeInformation, SystemInfo, gethost, systeminfo
Password related keyword(s): PASSWORD, PWD, Password
Executable file(s): \Internet Explorer\iexplore.exe, cmd.exe, explorer.exe, notepad.exe
Keylogger keyword(s): Keylog, SHIFT, Shift
```
The Volatility framework is a very powerful tool that can be used to hunt the most sophisticated malware in the darkest corners of memory. Tools like VolDiff can be very useful to automate (parts of) the memory analysis process using Volatility, and to quickly highlight IOCs and abnormal memory artifacts for further manual inspection.