Volatility is an excellent tool for analyzing memory dumps. It can help find artifacts hidden within memory which are otherwise a little cumbersome to find during manual analysis. After fetching a memory dump taken post exploitation by the Angler Exploit Kit, here are the steps to get to the malware, which is executed directly from memory.
I've got hold of a VM snapshot from here (thanks to "Malware don't need Coffee") which was frozen post Angler Kit dropping its malware after exploitation.
Get the list of running processes.
From the list, the process we need to concentrate on is PID 860, which belongs to "iexplore.exe" (note that its parent is again iexplore.exe and not explorer.exe).
Next, use malfind to look for abnormalities within PID 860.
C:\VOL>vola -f memdump.vmss -p 860 malfind > malfind.txt
Analyzing "malfind.txt", you will find traces of Angler shellcode. From the analysis and the blog, it's understood that Angler's shellcode most often starts with NOPs "\x90\x90". Here's what malfind has in store for us.
Process: iexplore.exe Pid: 860 Address: 0x6cb0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 41, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x06cb0000 90 90 90 90 e9 00 00 00 00 e8 17 03 00 00 8d 88 ................
0x06cb0010 2c 07 40 00 85 c9 74 05 e8 14 03 00 00 e8 03 03 ,.@...t.........
0x06cb0020 00 00 05 64 07 40 00 b9 4d 5a 00 00 8b 10 83 c0 ...d.@..MZ......
0x06cb0030 04 66 39 08 75 39 8b 48 3c 83 f9 40 72 31 3b ca .f9.u9.H<..@r1;.
0x6cb0000 90 NOP
0x6cb0001 90 NOP
0x6cb0002 90 NOP
0x6cb0003 90 NOP
0x6cb0004 e900000000 JMP 0x6cb0009
0x6cb0009 e817030000 CALL 0x6cb0325
0x6cb000e 8d882c074000 LEA ECX, [EAX+0x40072c]
0x6cb0014 85c9 TEST ECX, ECX
0x6cb0016 7405 JZ 0x6cb001d
0x6cb0018 e814030000 CALL 0x6cb0331
0x6cb001d e803030000 CALL 0x6cb0325
0x6cb0022 0564074000 ADD EAX, 0x400764
0x6cb0027 b94d5a0000 MOV ECX, 0x5a4d
0x6cb002c 8b10 MOV EDX, [EAX]
0x6cb002e 83c004 ADD EAX, 0x4
0x6cb0031 663908 CMP [EAX], CX
0x6cb0034 7539 JNZ 0x6cb006f
0x6cb0036 8b483c MOV ECX, [EAX+0x3c]
0x6cb0039 83f940 CMP ECX, 0x40
0x6cb003c 7231 JB 0x6cb006f
0x6cb003e 3bca CMP ECX, EDX
Make a note of the address where this data is found. We'll then use vaddump on the iexplore PID to dump the shellcode and the malware file completely.
C:\VOL>vola -f memdump.vmss vaddump -p 860 -D vaddump
You should end up with multiple ".dmp" files under the "vaddump" directory. Based upon the address of the data, "0x06cb0000", we should target the dump starting at this address, which is the file "iexplore.exe.24296b8.0x06cb0000-0x06cd8fff.dmp". Opening the file in a hex editor reveals everything.
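As an added example (not code from the original post), here is a small Python script that mirrors the manual steps above on a dumped VAD region: it checks for the leading NOPs, locates the embedded MZ/PE header that the shellcode itself searches for (the 0x5a4d compare in the disassembly), and carves the image out using its section table. The sample region is constructed inline; pass the path of the real ".dmp" as the first argument to run it on the actual dump.

```python
import struct, sys

def is_valid_pe(buf, off):
    """Heuristic MZ/PE header check at buf[off]: sane e_lfanew and a PE signature behind it."""
    if off + 0x40 > len(buf) or buf[off:off + 2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
    pe = off + e_lfanew
    return 0x40 <= e_lfanew < 0x1000 and pe + 24 <= len(buf) and buf[pe:pe + 4] == b"PE\0\0"

def carve_pe(buf, mz_off):
    """Carve the image at mz_off up to the end of its last raw section (from the section table)."""
    pe = mz_off + struct.unpack_from("<I", buf, mz_off + 0x3C)[0]
    nsec = struct.unpack_from("<H", buf, pe + 6)[0]          # NumberOfSections
    opt_size = struct.unpack_from("<H", buf, pe + 20)[0]     # SizeOfOptionalHeader
    sec_tab = pe + 24 + opt_size
    if sec_tab + nsec * 40 > len(buf):                        # truncated headers: keep the rest of the region
        return buf[mz_off:]
    end = sec_tab + nsec * 40 - mz_off                        # at least the headers themselves
    for i in range(nsec):
        raw_size, raw_ptr = struct.unpack_from("<II", buf, sec_tab + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    return buf[mz_off:mz_off + end]

def triage_region(buf):
    """Mirror the manual steps in the post: NOP-sled check, then find and carve every embedded PE."""
    report = {"nop_sled": buf[:2] == b"\x90\x90", "pe_offsets": [], "carved": []}
    off = buf.find(b"MZ")
    while off != -1:
        if is_valid_pe(buf, off):
            report["pe_offsets"].append(off)
            report["carved"].append(carve_pe(buf, off))
        off = buf.find(b"MZ", off + 1)
    return report

def build_sample_region():
    """Constructed test data (not from the real dump): NOP sled + jump stub + filler, then a minimal PE."""
    shellcode = b"\x90\x90\x90\x90" + b"\xe9\x00\x00\x00\x00" + b"\xcc" * 0x100
    opt_size, raw_ptr = 0xE0, 0x200                           # one .text section, raw data at 0x200
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = b"\x0b\x01" + b"\0" * (opt_size - 2)                # PE32 magic, rest zeroed
    sec = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x10, 0x1000, 0x200, raw_ptr, 0, 0, 0, 0, 0x60000020)
    hdrs = dos + coff + opt + sec
    return shellcode + hdrs + b"\0" * (raw_ptr - len(hdrs)) + b"\xC3" * 0x200

if __name__ == "__main__":                                    # usage: python carve.py <region.dmp>
    r = triage_region(open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_region())
    print("NOP sled:", r["nop_sled"], "PEs:", ["0x%x (%d bytes)" % (o, len(b)) for o, b in zip(r["pe_offsets"], r["carved"])])
```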
VT link for malware.