An e-book of malware analysis applications. You can download the programs used here from the applications folder.
Will be constantly updated...
1-) Zeus Botnet Memory Analysis
2-) Stuxnet Memory Analysis
3-) DarkComet RAT Memory Analysis
We will analyze the memory dump with Volatility. We run the following command to find out which operating system the image was taken from.
vol.exe -f zeus.vmem imageinfo
The processes captured in the image are displayed with the following command.
vol.exe -f zeus.vmem pstree
There doesn't appear to be a problem with the running processes. We will check whether the machine has any network connections and, if it does, find out from the PID which process opened them.
vol.exe -f zeus.vmem connscan
When we look at the screenshot above, we see that svchost.exe has a connection to port 80. This is not normal for svchost.exe. (For more information on svchost.exe, see https://www.howtogeek.com/howto/windows-vista/what-is-svchostexe-and-why-is-it-running/ )
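The check above (which process owns a connection, and is that process one that should be talking to a public address) can be automated over connscan and pslist output. The following Python is an added example, not part of the e-book or of Volatility: it parses a constructed connscan-style sample (the first row uses the walkthrough's 193.104.41.75:80 / PID 856, the second row is a made-up private-network connection for contrast) and flags connections to public addresses, with a note when the owner is a service-host image such as svchost.exe. svchost.exe does reach the internet legitimately (Windows Update and similar), so the output is a triage list to check against reputation sources, not a verdict.

```python
import ipaddress
import re
from collections import namedtuple

Conn = namedtuple("Conn", "local_ip local_port remote_ip remote_port pid")

# Constructed sample in the shape of Volatility 2 'connscan' output. The first row carries the
# values from the Zeus walkthrough (193.104.41.75:80, PID 856); the second is a made-up
# benign SMB connection to a private address, added for contrast.
CONNSCAN_SAMPLE = """\
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x02214988 172.16.176.143:1054       193.104.41.75:80          856
0x02221a98 172.16.176.143:1052       172.16.176.1:445          4
"""

# Constructed PID -> image name map, as 'pslist' would provide it.
PSLIST_SAMPLE = {4: "System", 856: "svchost.exe"}

CONN_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\d+)\s*$")


def parse_connscan(text):
    """Turn connscan text into Conn records, skipping header and separator lines."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if not m:
            continue
        lip, lport, rip, rport, pid = m.groups()
        conns.append(Conn(lip, int(lport), rip, int(rport), int(pid)))
    return conns


# Images that host Windows services and normally have no business opening their own
# sessions to arbitrary public IPs; svchost.exe is the case the walkthrough flags.
SERVICE_HOST_IMAGES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe"}
WEB_PORTS = {80, 443, 8080}


def triage_connections(conns, pid_to_image):
    """Return one finding per connection to a public address, with the reasons it was flagged."""
    findings = []
    for c in conns:
        if not ipaddress.ip_address(c.remote_ip).is_global:
            continue  # private / loopback / link-local peers are out of scope here
        image = pid_to_image.get(c.pid, "<unknown>")
        reasons = ["public remote endpoint"]
        if image.lower() in SERVICE_HOST_IMAGES:
            reasons.append("service host image talking directly to a public IP")
        if c.remote_port in WEB_PORTS:
            reasons.append("web port on a bare IP: check the address against reputation sources")
        findings.append({
            "pid": c.pid,
            "image": image,
            "remote": f"{c.remote_ip}:{c.remote_port}",
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in triage_connections(parse_connscan(CONNSCAN_SAMPLE), PSLIST_SAMPLE):
        print(f"PID {f['pid']} ({f['image']}) -> {f['remote']}: {'; '.join(f['reasons'])}")
```

On a real image, feed the script the text of `connscan` (or `netscan` on Vista and later) and build the PID map from `pslist`; the private-address filter uses `ipaddress.is_global`, so loopback, RFC 1918 and link-local peers drop out before anything is flagged.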
We continue.
We check whether the address 193.104.41.75 is on a blacklist via ipvoid.com.
We see that the result is clean.
We check the IP address on the malwaredomain.com site.
It has been observed that the IP address is distributing malicious files, and the description is Zeus botnet.
Let's see if the malicious file runs itself at startup.
vol.exe -f zeus.vmem printkey -K "Microsoft\Windows NT\CurrentVersion\Winlogon"
As seen in the screenshot, sdra64.exe runs itself automatically.
We now look for injected code (a malware signature) with malfind.
vol.exe -f zeus.vmem malfind -D dump
I saved the output under the dump folder. We see svchost.exe in the output.
Now, using the PID, the suspicious memory section of svchost.exe is saved under the dump folder.
vol.exe -f zeus.vmem malfind -D dump/ -p 856
The output in the dump folder was scanned at virustotal.com, and once again we see that the malware is Zbot.
What is Stuxnet?
Stuxnet is a worm used by the US and Israel to disrupt Iran's nuclear operations. The worm, whose existence was revealed in June 2010, affected Iran's nuclear facilities in Bushehr and Natanz. We look at the image information.
vol.exe -f stuxnet.vmem imageinfo
Then we view the processes in the system.
vol.exe -f stuxnet.vmem pslist
Having three identical lsass.exe processes is suspicious.
vol.exe -f stuxnet.vmem pstree
We view the start times of the processes.
The winlogon process must run in order to perform the login process in the Windows operating system. We see that PID 680 and PID 624 start at the same time. This appears normal, but the other lsass.exe processes (PIDs 868 and 1928) do not appear normal.
Let's examine the network connections.
vol.exe -f stuxnet.vmem connections
No open network connections were seen. We examine the network sockets.
vol.exe -f stuxnet.vmem sockets
It is normal for lsass.exe with PID 680 to listen on ports 500 and 4500, but it isn't normal that the other two lsass.exe processes don't open any ports.
vol.exe -f stuxnet.vmem ldrmodules -p 1928 -v
The DLLs of the process with PID 1928 are listed.
As seen in the screenshot, the kernel calls made are related to Stuxnet. We now look for injected code with malfind.
vol.exe -f stuxnet.vmem malfind -p 1928 -D dump
We go to virustotal.com and scan the results.
Download image: https://drive.google.com/file/d/0B-pKvSR-QbsHdDRzeG8xNVNnbEU/edit
As always, we first look at the image information.
vol.exe -f WIN-TTUMF6EI3O3-20140203-123134.raw imageinfo
We see that the image was taken from a Windows 7 system. Then the psxview plugin is run to see the process list.
vol.exe -f WIN-TTUMF6EI3O3-20140203-123134.raw --profile=Win7SP1x86 psxview
Looking carefully at the screenshot, the process that should be rundll32.exe is shown as runddl32.exe. This process is suspicious. We need to examine the DLL files that the process uses.
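Both the Stuxnet case (three lsass.exe processes, two of them with an unusual start time and parent) and the DarkComet case (runddl32.exe masquerading as rundll32.exe) come down to reading a process list against what a clean Windows boot looks like. The following Python is an added example, not code from the e-book or from Volatility: it parses a constructed pslist-style sample (PIDs 624, 680, 868, 1928 and 1524 are the ones the walkthroughs discuss; offsets, parent PIDs, counts and timestamps are made up) and reports singleton system images that appear more than once, core processes with an unexpected parent, and image names within a couple of edits of a legitimate one. The expected-parent table is an assumption covering XP/2003 and Vista+ layouts; extend the known-image list for your own baseline.

```python
import re
from collections import Counter, namedtuple

Proc = namedtuple("Proc", "name pid ppid start")

# Constructed sample modelled on Volatility 2 'pslist' output. PIDs 624, 680, 868 and 1928 are
# the ones discussed in the Stuxnet walkthrough and PID 1524 mirrors the DarkComet case; the
# offsets, parent PIDs, counts and timestamps are made up for this demonstration.
PSLIST_SAMPLE = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ---
0x823c89c8 System                     4      0     59      403 ------      0
0x820df020 smss.exe                 376      4      3       19 ------      0 2010-10-29 17:08:53 UTC+0000
0x821a2da0 csrss.exe                600    376     11      395      0      0 2010-10-29 17:08:54 UTC+0000
0x81e7cda0 winlogon.exe             624    376     19      570      0      0 2010-10-29 17:08:54 UTC+0000
0x81e5a1d0 services.exe             668    624     21      431      0      0 2010-10-29 17:08:54 UTC+0000
0x81e5b020 lsass.exe                680    624     19      342      0      0 2010-10-29 17:08:54 UTC+0000
0x81f3ea18 lsass.exe                868    668      2       23      0      0 2011-06-03 04:26:55 UTC+0000
0x81c498c8 lsass.exe               1928    668      4       65      0      0 2011-06-03 04:26:55 UTC+0000
0x82120c30 explorer.exe            1196   1160     17      474      0      0 2010-10-29 17:09:21 UTC+0000
0x8201e550 runddl32.exe            1524   1196      5      104      0      0 2014-02-03 12:28:51 UTC+0000
"""

PSLIST_RE = re.compile(
    r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\d+)\s+(\d+)\s+\d+\s+\d+\s+\S+\s+\d+"
    r"(?:\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}))?"
)


def parse_pslist(text):
    """Parse pslist rows into Proc records (name, pid, ppid, start time or None)."""
    procs = []
    for line in text.splitlines():
        m = PSLIST_RE.match(line)
        if m:
            name, pid, ppid, start = m.groups()
            procs.append(Proc(name, int(pid), int(ppid), start))
    return procs


# Core images that exist once per boot, and the parent each normally has. XP/2003 start
# services.exe and lsass.exe from winlogon.exe, Vista and later from wininit.exe (assumed baseline).
SINGLETONS = {"smss.exe", "wininit.exe", "services.exe", "lsass.exe"}
EXPECTED_PARENT = {
    "smss.exe": {"system"},
    "winlogon.exe": {"smss.exe"},
    "wininit.exe": {"smss.exe"},
    "services.exe": {"winlogon.exe", "wininit.exe"},
    "lsass.exe": {"winlogon.exe", "wininit.exe"},
}
# Legitimate image names used to spot look-alikes such as runddl32.exe.
KNOWN_IMAGES = {
    "system", "smss.exe", "csrss.exe", "winlogon.exe", "wininit.exe", "services.exe",
    "lsass.exe", "lsm.exe", "svchost.exe", "spoolsv.exe", "explorer.exe", "rundll32.exe",
    "taskhost.exe", "dwm.exe", "cmd.exe", "notepad.exe",
}


def levenshtein(a, b):
    """Edit distance, used to find names one or two keystrokes away from a real image name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_process_anomalies(procs):
    """Return (kind, ...) tuples for duplicate singletons, wrong parents and look-alike names."""
    by_pid = {p.pid: p for p in procs}
    counts = Counter(p.name.lower() for p in procs)
    findings = []
    for name in sorted(SINGLETONS):
        if counts[name] > 1:
            copies = [(p.pid, p.start) for p in procs if p.name.lower() == name]
            findings.append(("duplicate-singleton", name, copies))
    for p in procs:
        lname = p.name.lower()
        parent = by_pid.get(p.ppid)
        if lname in EXPECTED_PARENT and parent and parent.name.lower() not in EXPECTED_PARENT[lname]:
            findings.append(("unexpected-parent", p.pid, lname, parent.name))
        if lname not in KNOWN_IMAGES:
            close = sorted(k for k in KNOWN_IMAGES if k != "system" and levenshtein(lname, k) <= 2)
            if close:
                findings.append(("lookalike-name", p.pid, p.name, close))
    return findings


if __name__ == "__main__":
    for f in find_process_anomalies(parse_pslist(PSLIST_SAMPLE)):
        print(f)
```

The duplicate-singleton finding carries each copy's start time, so the later-started copies stand out the way they do in the walkthrough's pstree screenshot; a parent that has already exited (explorer.exe here) simply has no parent record and is skipped rather than flagged.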
vol.exe -f WIN-TTUMF6EI3O3-20140203-123134.raw --profile=Win7SP1x86 dlllist -p 1524
When we look at the file path the process was started from, we can see that it lives under AppData. We dig deeper.
vol.exe -f WIN-TTUMF6EI3O3-20140203-123134.raw --profile=Win7SP1x86 dumpfiles -r runddl32 -D .
These files are saved for review with the strings utility. We continue by checking whether runddl32.exe starts other processes.
vol.exe -f WIN-TTUMF6EI3O3-20140203-123134.raw --profile=Win7SP1x86 pstree
After two cmd.exe instances were run as separate processes, it was seen that notepad.exe and runddl32.exe were running. We use the malfind plugin on notepad.exe.
vol.exe -f WIN-TTUMF6EI3O3-20140203-123134.raw --profile=Win7SP1x86 malfind -p 1896
vol.exe -f WIN-TTUMF6EI3O3-20140203-123134.raw --profile=Win7SP1x86 memdump -p 1896 -D dumpfiles
We use the mutantscan plugin to find mutex objects in memory.
We see that the malware's mutex is dc_mutex_khnew006.
Now we also dump the memory of runddl32.exe.
Let's analyze the dump file with the strings tool.
As you can see, everything is clearly seen. ;)
Let's look at the startup entries.
vol.exe -f WIN-TTUMF6EI3O3-20140203-123134.raw --profile=Win7SP1x86 printkey -K "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
The malware has been shown to run itself at startup, and the analysis is over.
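Both persistence checks in the e-book (sdra64.exe showing up under the Winlogon key in the Zeus case, and the Run key in the DarkComet case) can be read mechanically from printkey output. The following Python is an added example, not part of the e-book or of Volatility: it parses a constructed composite sample in the shape of printkey output (a Winlogon key modelled on the Zeus finding, with sdra64.exe appended to Userinit, and a per-user Run key modelled on the DarkComet finding, with an executable under AppData; hive paths, timestamps and the exact file paths are made up) and flags a Userinit value with more than the stock userinit.exe entry, a Shell value other than explorer.exe, and Run entries that launch from user-writable directories.

```python
import re
from collections import namedtuple

RegValue = namedtuple("RegValue", "key vtype name data")

# Constructed composite sample in the shape of Volatility 2 'printkey' output. The Winlogon key is
# modelled on the Zeus walkthrough (sdra64.exe appended to Userinit), the Run key on the DarkComet
# walkthrough (an executable under AppData). Hive paths, timestamps and file paths are made up.
PRINTKEY_SAMPLE = r"""
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\software
Key name: Winlogon (S)
Last updated: 2010-10-29 17:08:36 UTC+0000

Subkeys:
  (S) GPExtensions
  (S) Notify

Values:
REG_SZ        Shell           : (S) Explorer.exe
REG_SZ        Userinit        : (S) C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
----------------------------
Registry: \??\C:\Users\user\ntuser.dat
Key name: Run (S)
Last updated: 2014-02-03 12:28:49 UTC+0000

Subkeys:

Values:
REG_SZ        MSDCSC          : (S) C:\Users\user\AppData\Roaming\MSDCSC\runddl32.exe
"""

KEY_RE = re.compile(r"^Key name:\s+(\S+)")
VALUE_RE = re.compile(r"^(REG_\w+)\s+(.+?)\s*:\s*\([SV]\)\s*(.*)$")


def parse_printkey(text):
    """Collect (key, type, name, data) for every value under every key printkey printed."""
    values, key = [], None
    for line in text.splitlines():
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)
            continue
        vm = VALUE_RE.match(line)
        if vm and key:
            vtype, name, data = vm.groups()
            values.append(RegValue(key, vtype, name.strip(), data.strip()))
    return values


# Directory markers for locations a standard user can write to; a Run entry pointing there
# deserves a look, since Windows components do not normally live there (assumed heuristic).
USER_WRITABLE_MARKERS = (
    "\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\",
    "\\local settings\\", "\\application data\\",
)


def flag_persistence(values):
    """Return (kind, value name, detail) for Winlogon tampering and Run entries in user paths."""
    findings = []
    for v in values:
        key, name, data = v.key.lower(), v.name.lower(), v.data
        if key == "winlogon" and name == "userinit":
            # Stock value is a single entry, userinit.exe under system32, with a trailing comma.
            entries = [e.strip() for e in data.split(",") if e.strip()]
            if len(entries) != 1 or not entries[0].lower().endswith("\\system32\\userinit.exe"):
                findings.append(("winlogon-userinit-modified", v.name, entries))
        elif key == "winlogon" and name == "shell":
            if data.lower() != "explorer.exe":
                findings.append(("winlogon-shell-modified", v.name, data))
        elif key in ("run", "runonce"):
            if any(marker in data.lower() for marker in USER_WRITABLE_MARKERS):
                findings.append(("run-from-user-writable-path", v.name, data))
    return findings


if __name__ == "__main__":
    for f in flag_persistence(parse_printkey(PRINTKEY_SAMPLE)):
        print(f)
```

Run printkey for the Winlogon key and for each Run/RunOnce key (the per-user hives as well as SOFTWARE), concatenate the output, and pass it to `parse_printkey`; every hive that matches is printed as its own `Key name:` block, so the parser attributes values to the right key without needing the hive path.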