VolDiff, for memory image differential analysis
VolDiff is a bash script that runs Volatility plugins against two memory images, one captured before and one after malware execution, and reports the differences between them. The resulting differential analysis helps identify IOCs and understand advanced malware behaviour.
I had intended to include it in my latest toolsmith article, Attack & Detection: Hunting in-memory adversaries with Rekall and WinPmem, but quite literally ran out of space and time.
Using WinPmem, as part of Rekall and GRR offerings, you can acquire two memory images, one clean image prior to infection or compromise, and one after buggering your target system.
As you'll note in the article, I compromised a Windows 7 x64 SP1 VM with a PowerShell one-two punch, the vast majority of which occurred in-memory only. While documenting the related activities for the column, I also took before and after images for VolDiff testing as follows:
winpmem_1.6.2.exe baseline.raw, and after pwnzorship, winpmem_1.6.2.exe compromised.raw.
I then ran ./VolDiff.sh baseline.raw compromised.raw Win7SP1x64 on my Ubuntu server and bingo, after much time and ado (VolDiff takes a while to be sure), out popped VolDiff-report.txt.
To summarize briefly from the article, the malfeasance I unleashed against that poor, unsuspecting VM was all executed in the context of powershell.exe. To that end, did the VolDiff results corroborate the findings achieved with Rekall? Absolutely! Note that the suspicious PIDs from the article are 1284 and 2396. You'll spot them prominently in the following snippets of affirmation:
Volatility analysis report generated by VolDiff v0.9.3.
Download the latest version from https://github.com/aim4r/VolDiff/.
Suspicious new netscan entries
===========================================================================
0x13c8993d0 UDPv4 0.0.0.0:0 *:* 2396 powershell.exe 2015-04-26 17:56:08 UTC+0000
0x13e81acb0 UDPv4 0.0.0.0:0 *:* 1284 powershell.exe 2015-04-26 18:17:33 UTC+0000
Suspicious new pslist entries
===========================================================================
0xfffffa8031da1400 cmd.exe 1676 2396 0 -------- 1 0 2015-04-26 18:11:52 UTC+0000 2015-04-26 18:15:50 UTC+0000
0xfffffa8033b17060 powershell.exe 2604 1676 5 250 1 1 2015-04-26 18:12:58 UTC+0000
0xfffffa80322c2060 cmd.exe 2912 1284 0 -------- 1 0 2015-04-26 19:16:50 UTC+0000 2015-04-26 19:19:41 UTC+0000
0xfffffa8032407460 powershell.exe 1984 2912 6 235 1 0 2015-04-26 19:18:20 UTC+0000
Suspicious new psscan entries
===========================================================================
0x000000013eac2060 cmd.exe 2912 1284 0x0000000055564000 2015-04-26 19:16:50 UTC+0000 2015-04-26 19:19:41 UTC+0000
0x000000013eb65060 powershell.exe 1284 2244 0x00000000bc783000 2015-04-26 18:17:32 UTC+0000
0x000000013f6a8060 cmd.exe 2288 1284 0x000000006dd6f000 2015-04-26 19:19:44 UTC+0000 2015-04-26 19:55:20 UTC+0000
0x000000013eb65060 powershell.exe 1284 2244 0x00000000bc783000 2015-04-26 18:17:32 UTC+0000
Suspicious new ldrmodules entries
===========================================================================
1284 powershell.exe 0x000000006df70000 False False False \Windows\SysWOW64\schannel.dll
2396 powershell.exe 0x000000006e010000 False False False \Windows\SysWOW64\credssp.dll
Suspicious new executables
===========================================================================
powershell
Suspicious new malfind entries
===========================================================================
Process: powershell.exe Pid: 2396 Address: 0x6400000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 216, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x06400000 4d 5a e8 00 00 00 00 5b 52 45 55 89 e5 81 c3 d0 MZ.....[REU.....
Process: powershell.exe Pid: 1284 Address: 0x4ff0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 33, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x04ff0000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ..............
Suspicious new getsids entries
===========================================================================
powershell.exe (1284): S-1-5-21-1828531342-1736868966-1560356964-513 (Domain Users)
powershell.exe (1284): S-1-1-0 (Everyone)
powershell.exe (1284): S-1-5-114
powershell.exe (1284): S-1-5-32-544 (Administrators)
powershell.exe (1284): S-1-5-32-545 (Users)
powershell.exe (1284): S-1-5-4 (Interactive)
powershell.exe (1284): S-1-2-1 (Console Logon (Users who are logged onto the physical console))
powershell.exe (1284): S-1-5-11 (Authenticated Users)
powershell.exe (1284): S-1-5-15 (This Organization)
powershell.exe (1284): S-1-5-113
powershell.exe (1284): S-1-5-5-0-194227 (Logon Session)
powershell.exe (1284): S-1-2-0 (Local (Users with the ability to log in locally))
powershell.exe (1284): S-1-5-64-10 (NTLM Authentication)
powershell.exe (1284): S-1-16-12288 (High Mandatory Level)
Yep, powershell.exe definitely did it. :-) Great memory analysis tool from Houcem Hachicha (@aim4r). Give it a try!
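The core of what VolDiff does with pslist is a set difference between the two captures, followed by reading the PPID chain of whatever is new. The following is an added example, not VolDiff's own code: it diffs two Volatility 2 pslist outputs (constructed sample rows modelled on the layout above, not the diary's images) and flags new processes that descend from powershell.exe, as cmd.exe 2912 and powershell.exe 1984 do in the report.

```python
import re
from collections import namedtuple

# Constructed sample rows in Volatility 2 pslist layout (not captured from the
# diary's images). Columns: Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start [Exit]
BASELINE = """\
0xfffffa8030c5a040 System 4 0 80 500 ------ 0 2015-04-26 17:40:01 UTC+0000
0xfffffa8031a0e060 explorer.exe 2244 2200 30 900 1 0 2015-04-26 17:41:10 UTC+0000
"""
COMPROMISED = BASELINE + """\
0xfffffa8033b65060 powershell.exe 1284 2244 5 250 1 1 2015-04-26 18:17:32 UTC+0000
0xfffffa80322c2060 cmd.exe 2912 1284 0 -------- 1 0 2015-04-26 19:16:50 UTC+0000 2015-04-26 19:19:41 UTC+0000
0xfffffa8032407460 powershell.exe 1984 2912 6 235 1 0 2015-04-26 19:18:20 UTC+0000
"""

Proc = namedtuple("Proc", "offset name pid ppid start exit")
TS = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC\+0000"
ROW = re.compile(r"^(0x[0-9a-f]+)\s+(\S+)\s+(\d+)\s+(\d+)\s+\S+\s+\S+\s+\S+\s+\d\s+("
                 + TS + r")(?:\s+(" + TS + r"))?$")

def parse_pslist(text):
    """Index rows by (name, pid, start). Thread and handle counts (and, for
    psscan, physical offsets) drift between two captures of a live system, so
    keying on them would make every long-lived process look 'new'."""
    procs = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            p = Proc(m.group(1), m.group(2), int(m.group(3)), int(m.group(4)),
                     m.group(5), m.group(6))
            procs[(p.name, p.pid, p.start)] = p
    return procs

def new_processes(baseline_text, compromised_text):
    """The differential step: rows present after compromise but not before."""
    base = parse_pslist(baseline_text)
    comp = parse_pslist(compromised_text)
    return sorted((p for k, p in comp.items() if k not in base), key=lambda p: p.start)

def lineage(procs, pid):
    """Walk the PPID chain upward and return the process names, stopping at an
    unknown parent or a cycle (PID reuse can make the chain loop)."""
    by_pid = {p.pid: p for p in procs.values()}
    names, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        names.append(by_pid[pid].name)
        pid = by_pid[pid].ppid
    return names

def spawned_by(compromised_text, new, parent_name="powershell.exe"):
    """PIDs of new processes that have parent_name somewhere above them."""
    procs = parse_pslist(compromised_text)
    return [p.pid for p in new if parent_name in lineage(procs, p.pid)[1:]]
```

Run against real plugin output, feed it the saved text of `vol.py -f baseline.raw --profile=Win7SP1x64 pslist` and the same for the compromised image; exited processes still carry a start time, so they diff correctly.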
Pop quiz: Under the malfind results, in the ASCII readable output dumped from the hex, what jumps out at you? First right answer to @sans_isc and @holisticinfosec in the same Tweet, one per reader, wins some insignificant yet enjoyable schwag.
Cheers!