Last Updated: 2013-06-18 20:59:59 UTC
by Russ McRee (Version: 1)
As I sit in my hotel room in Washington DC at the SANSFIRE 2013 conference, preparing to present Memory Analysis with Volatility to a SANS@Night crowd (7:15 International Ballroom Center), an opportunity arose from which to get you warmed up for tonight's talk or inspire you to become a Volatility user (you should be already).
We received an advisory from a faithful reader indicating that he had uploaded "a dropper we got blitzed with from a spam campaign today" to ISC. We love us some malware samples, so I got busy. A typical review of the sample (invoice.exe) on a Windows VM gave us the basic behavioral details as seen in this ProcDOT visualization (ProcDOT also rules).
We can see that the invoice.exe process makes two Internet calls, spawns some shells to run reg.exe to create some registry entries, and creates a log file along with replicating itself to mc.exe in the victim user Application Data directory, before hiding itself from visible user APIs. Anubis provides better detail, but of concern was that fact that invoice.exe and mc.exe (same file, same hash) exhibited only one AV detection via Virustotal as this was written (certain to change soon). As such, we don't have much to go from as to what malware family we're really dealing with here.
But wait...Volatility to the rescue. I grapped a memory image from the compromised VM, copied the memory dump to my faithful SIFT 2.14 VM, and issued three simple commands that gave me all I needed to know.
- vol.py --profile=WinXPSP3x86 connscan -f invoice.raw
- vol.py --profile=WinXPSP3x86 pslist -f invoice.raw
- vol.py --profile=WinXPSP3x86 malfind -p 268 -D ~/Desktop/output/ -f invoice.raw
Here's the play by play.
- Step 1 indicated that Process ID (PID) 268 was responsible for an connection to 126.96.36.199 over port 80 in Hong Kong (oh boy, we know this doesn't end well).
- Step 2 indicated that PID 268 belonged to invoice.exe (our intial sample, we're on the right track).
- Step 3 dumped PID 268 to the SIFT desktop as process.0x86372a38.0x400000.dmp
I upload said .dmp file to Virustotal and voila, now we know what we're dealing with. Our faithful reader is the proud owner of a W32.Shadesrat (Blackshades) variant. This is one malware family where they apparently caught the bad guy last year (not before he sold his warez to many a miscreant as is evident here).
Wise man say "What I hear I forget, what I see I remember, what I do with Volatility I understand."
Hope to see you tonight at SANSFIRE 2013 for some Volatility 101 across the full lifecycle of security analytics (penetration testing, monitoring, incident response).