Microsoft Word - APA_FUM_W_FNSC_0087




340994259 26334 469 79 520 99042 92494 207 2 244092 0449 cert@um.ac.ir 4994904 690204 5956 09 92597 90 90099 Volatility 6 (692 928)6 94 85904 soltani@cert.um.ac.ir 249942 928 - 7499 39 2999 07:6 APA_FUM_W_FNSC_0087

4747:6 75 90 4994904 690204 595626 49520 2 926994 97997 690204 90 59564 540474 79964229 92.6 59564 540474 7909799074 95897924 59 2 99 790994 5982 429 79 598 9499 940927.6 09 59520 764 90 78 952294 5956 2 25848 40 924 799642294 745926 942290 5982 429 9384 99 090904 797.6 90099 4994904 690204 59564 volatility 79994 40094 962854 0994 25848 764 5956 940927.6 0795099 9769944 79 5956 0949 9458997 7 09 47 90099 25848 9090 942290 409 99 6479 797.6 29294 78474:6 4994904 690204 595626 2volatility 25848 6 90 296726 4974294 952294 595626 25848 952294 595626 96299.IAT 090904 5948 09409426 20946 7726 4728 2DKOM 2704794 2VAD 96299 2PEB 96299 2ETHREAD 96299 2EPROCESS

- 9679 4994904 690204 5956 2998 920222 59520 90 59564 540474 429 2 25848 4026 062 78474 79 25848 0795099 2 59734 96797 924 429 7997.6 09 25848 764 59564 429 942290 0 9589792 994 99007 0909994 79 598 9499 924 42926 594894 090 2726 9239892 5798 207 2 7994299 2 92494 099 27 72 4952.6 79 940 040 942290 0 9589792 99025 0 0795099 99007 697904 949944 079509926 9922894 099 27 225 697904 079509926 9239892 2074 096999 27 225 940 6979026 952294 59564 69790 2 849 72 4952.6 94040 942290 5948 094094 697904 0795099 99 090904 797 2 6 40 99 09 9009994 9074 9772 99007 IDA Pro 9297 25848 04229 6999 797.6 79 969894 09 70290 6 "4974294 2 25848 952294 59564 540474 79 429 7998 240720"6 025348 790994 92294 96285 764 59520 90 952294 59564 540474 22445 79749.6 94040 0 97954 90099 volatility 42 25848 764 5956 5952 27 69796249.6 79 940 9698 0 97954 7998 940 90099 946979049.6 90099 4994904 690204 59564 volatility 79994 722992 962854 0994 926994 9589792 96285 90 764 5956 940927.6 070290 9398 942290 69790944 7 0990 59520 764 79 598 9499 027907 99 09 7229 pslist 90 volatility 926994 797.6 999 9970 92 0795099 09 2704794 2DKOM 697904 949944 627 99 90 842 6979094 5798 585 797 0927.6 volatility 0994 725 6979094 9654 27 225 9227429 72 7229 psscan 2 psxview 99 99944 797 92.6 9922894 099 27 225 697904 07629 7 09 7229 dlllist 90 volatility 6908 209944 20726 94229007 2957274 799797 0795099 99 9263 7007.6 00909940 9970 92 0795099 74 79 9654904 99228 09 585 40 90 842 992289 09947.6 volatility 09 92597 90 96299 VAD 9 6979026 0 0994 2999 095494 92427 79 59564 69790 697962 2 594894 05922 27 0 9 0954 99 6 (79 3292 2427)6 944907.6 79 540 09094 9970 92 0 095494 90 5956 096297 707 7 5948 DLL 05922 27 0 40 225 0795099 90 842 992289 585 27 92.6 7229 ldrmodules 90 volatility 962895 040 842 992289 2 96299 VAD 99 7922 94707.6 0795099 9422907 09 92597 90 2704794 20946 7726 697904 74594 99 94029 0 90499 7970 79994 9297 069 627 99007 790827 292490 49 962 9589792 707.6 volatility 09 7229 2malfind 79 59564 6979094 96285 429 
042424 0954944 7 9997 949944 6297907 999 59484 0 409 05922 027 945977.6 0 940 29240 DLL94 20946 27 0 47 69790 225 697904 07629 209944 942207.6 94040 09 7229 yarascan 90 volatility 942290 79 59564 69790 042424 99494 079509994 96285 522.6 474 7459 90 40094 2volatility 690842 090904 594894 094094 2998 594894 DLL9 2exe 2 79942994 2 940927.6 0 940 29240 942290 0 064 094094 07950994 7 565 03292 990 49 909 27 924 747 92427 9226 72 4952.6 5948 094094 090904 27 99 942290 09 900994 99007 IDA Pro 749908 797 2 77 40 99 9297 25848 6999 797.6 722992 procexedump 2 procmemdump 90 volatility 0994 926994 5948 094094 90 5956 9297 92597 6999 9454907.6 0795099 9970 92 42 9320 99070 90 2584826 74 707 9589792 IAT 99 09 922944 99007 697 7970 78 94407 PE 49 49049 7970 IAT 96722 707.6 79 940 3292 99790 25848 7998 5948 094094 697904 07629 225 IDA Pro 0940927.6 7229 impscan 90 volatility 0994 957 940 9278 99944 27 92.6 79 06294 96285 940 9698 0 22945 9 47 90 40094 96285 volatility 0994 22643 0795099 946979049.6 2

-2 97954 Volatility 47 499420 4994904 690204 59564 64295226 0222 27 0 python 2 03292 77 9007 090 92 7 09 924 42994 7998 volatility 24072026 84027 2 Mac OS X 6908 9499 940927.6 0599 02220 940 969826 064 2.2 940 90099 79 729 92 7 924 0694 32 0424 2 64 0424 24072094 Server 2008 R2 2Server 2008 2Vista 2Server 2003 2XP 2 7 799 94707.6 volatility 924 90297 96285 764 5956 2998 6980 69926 2Microsoft crash dump 5948 hibernation 2 2 5948 23249 85694 99240 94904 799 94707.6 volatility 2.2 79994 277974 7229 79684 940927 7 295 962394 90 9 47 90 940 722992 79 4728 497 92.6 9802 8909 0 879 92 7 0 7848 77 9007 090 0270 2volatility 99790 9495 7970 722992 4747 0 940 499420 2427 7997.6 0964 90 940 722992 9970 92 79 0694 4747 volatility 0 24 40 9495 59707.6 070290 9398 79 5984 7 volatility.3 565 79994 40 7229 79684 9226 0 064 2. 40 2 7229 9495 27 2 volatility 2. 79994 6 7229 79684 92.6 79 2volatility 2.2 27797 75 7229 79684 2427 7997.6

4728. 722992 volatility 2.2

apihooks        Detect API hooks in process and kernel memory
atoms           Print session and window station atom tables
atomscan        Pool scanner for _RTL_ATOM_TABLE
bioskbd         Reads the keyboard buffer from Real Mode memory
callbacks       Print system-wide notification routines
clipboard       Extract the contents of the windows clipboard
cmdscan         Extract command history by scanning for _COMMAND_HISTORY
connections     Print list of open connections [Windows XP and 2003 Only]
connscan        Scan Physical memory for _TCPT_OBJECT objects (tcp connections)
consoles        Extract command history by scanning for _CONSOLE_INFORMATION
crashinfo       Dump crash-dump information
deskscan        Poolscaner for tagdesktop (desktops)
devicetree      Show device tree
dlldump         Dump DLLs from a process address space
dlllist         Print list of loaded dlls for each process
driverirp       Driver IRP hook detection
driverscan      Scan for driver objects _DRIVER_OBJECT
envars          Display process environment variables
eventhooks      Print details on windows event hooks
filescan        Scan Physical memory for _FILE_OBJECT pool allocations
gahti           Dump the USER handle type information
gditimers       Print installed GDI timers and callbacks
gdt             Display Global Descriptor Table
getsids         Print the SIDs owning each process
handles         Print list of open handles for each process
hibinfo         Dump hibernation file information
hivedump        Prints out a hive
hivelist        Print list of registry hives
hivescan        Scan Physical memory for _CMHIVE objects (registry hives)
idt             Display Interrupt Descriptor Table
imagecopy       Copies a physical address space out as a raw DD image
imageinfo       Identify information for the image
impscan         Scan for calls to imported functions
kdbgscan        Search for and dump potential KDBG values
kpcrscan        Search for and dump potential KPCR values
ldrmodules      Detect unlinked DLLs
malfind         Find hidden and injected code
memdump         Dump the addressable memory for a process
memmap          Print the memory map
messagehooks    List desktop and thread window message hooks
moddump         Dump a kernel driver to an executable file sample
modscan         Scan Physical memory for _LDR_DATA_TABLE_ENTRY objects
modules         Print list of loaded modules
mutantscan      Scan for mutant objects _KMUTANT
patcher         Patches memory based on page scans
printkey        Print a registry key, and its subkeys and values
procexedump     Dump a process to an executable file sample
procmemdump     Dump a process to an executable memory sample
pslist          Print all running processes by following the EPROCESS lists
psscan          Scan Physical memory for _EPROCESS pool allocations
pstree          Print process list as a tree
psxview         Find hidden processes with various process listings
raw2dmp         Converts a physical memory sample to a windbg crash dump
screenshot      Save a pseudo-screenshot based on GDI windows
sessions        List details on _MM_SESSION_SPACE (user logon sessions)
sockets         Print list of open sockets
sockscan        Scan Physical memory for _ADDRESS_OBJECT objects (tcp sockets)
ssdt            Display SSDT entries
strings         Match physical offsets to virtual addresses (may take a while, VERY verbose)
svcscan         Scan for Windows services
symlinkscan     Scan for symbolic link objects
thrdscan        Scan physical memory for _ETHREAD objects
threads         Investigate _ETHREAD and _KTHREADs
timers          Print kernel timers and associated module DPCs
userassist      Print userassist registry keys and information
userhandles     Dump the USER handle tables
vaddump         Dumps out the vad sections to a file
vadinfo         Dump the VAD info
vadtree         Walk the VAD tree and display in tree format
vadwalk         Walk the VAD tree
volshell        Shell in the memory image
windows         Print Desktop Windows (verbose details)
wintree         Print Z-Order Desktop Windows Tree
wndscan         Pool scanner for tagwindowstation (window stations)
yarascan        Scan process or kernel memory with Yara signatures

6908 794952 90 479 https://code.google.com/p/volatility/ 2 https://www.volatilesystems.com/default/volatility 2 Snapshot 3

3-09094 697909 79 920222 5956 2 240720 0994 974904 697909 0 409 47 96299 EPROCESS 4729 962393 9477.6 EPROCESS 99025 0 9 69790 79 9600 3550074 0274 59564 2 9649 940927.6 6980 940 96299 6 (2 949 9629994 9297 053 79 06294 0774)6 040 0694 96285 240720 925922 92.6 9802 94229047 09 90099 2WinDbg 96299 9297 069 429 7998 4994 99 6479 7047.6 79 9398 04926 96299 0624 90 Non-paged pool 4

EPROCESS 99025 0 240720 XP SP2 99 9297 947047:6

    kd> dt nt!_eprocess
       +0x000 Pcb                          : _KPROCESS
       +0x06c ProcessLock                  : _EX_PUSH_LOCK
       +0x070 CreateTime                   : _LARGE_INTEGER
       +0x078 ExitTime                     : _LARGE_INTEGER
       +0x080 RundownProtect               : _EX_RUNDOWN_REF
       +0x084 UniqueProcessId              : Ptr32 Void
       +0x088 ActiveProcessLinks           : _LIST_ENTRY
       +0x0c0 ExceptionPort                : Ptr32 Void
       +0x0c4 ObjectTable                  : Ptr32 _HANDLE_TABLE
       +0xc   VadRoot                      : Ptr32 Void
       +0x20  VadHint                      : Ptr32 Void
                                           : Ptr32 _PAGEFAULT_HISTORY
       +0x48  Win32WindowStation           : Ptr32 Void
       +0x4c  InheritedFromUniqueProcessId : Ptr32 Void
       +0x50  LdtInformation               : Ptr32 Void
       +0x54  VadFreeHint                  : Ptr32 Void
       +0x58  VdmObjects                   : Ptr32 Void
       +0x5c  DeviceMap                    : Ptr32 Void
       +0x60  PhysicalVadList              : _LIST_ENTRY
       +0x68  PageDirectoryPte             : _HARDWARE_PTE
       +0x68  Filler                       : Uint8B
       +0x70  Session                      : Ptr32 Void
       +0x74  ImageFileName                : [6] UChar
       +0x84  JobLinks                     : _LIST_ENTRY
       +0x8c  LockedPagesList              : Ptr32 Void
       +0x90  ThreadListHead               : _LIST_ENTRY
       +0x98  SecurityPort                 : Ptr32 Void
       +0x9c  PaeTop                       : Ptr32 Void
       +0xa0  ActiveThreads                : Uint4B
       +0xa4  GrantedAccess                : Uint4B
       [...]

    kd> dt nt!_list_entry
       +0x000 Flink : Ptr32 _LIST_ENTRY
       +0x004 Blink : Ptr32 _LIST_ENTRY

96299 EPROCESS 79994 049962994 90 027 LIST_ENTRY 0099 ActiveProcessLinks 92.6 96299 LIST_ENTRY 2998 72 742 Flink 2 Blink 92.6 Flink 0 96799 Flink 96299 EPROCESS 0774 9299 94707 2 Blink 0 96799 Blink 96299 EPROCESS 6084 9299 94707.6 940 72 92995926 0044994 90 92494 69790 99 94497 947007 6 (278 ). 278. 049 96299 ActiveProcessLinks 79 96299 EProcess 5

ntoskrnl.exe 7 79 PsActiveProcessHead 79 764 595626 90 928494 0099 EPROCESS 0994 49520 9629994 volatility 27945 27 9226 92597 94707.6 940 9284926 47 92849 79294 027 7 0 902794 842 642074 725954 9629994 EPROCESS 9299 94707 6 (278 ). 09 242747 ntoskrnl.exe 92849 PsActiveProcessHead 99 export 09470726 940 92849 90 96299 729 92.6 2 KPCR 6908 volatility 79994 407 7229 0994 09942 9589792 790994 697909 940927.6 7229 2pslist 842 642074 725954 EPROCESS 99 649942 94707.6 7229 2pstree 69244 99 90 pslist 5952 2 40 99 03292 79624 09942 9477.6 7229 psscan 764 5956 99 6242 797 2 92494 EPROCESS 99 6479 94707.6 9398 049 922 92597 90 7229 pslist 99 09942 9477.6 24444 -f 764 5956 99 9263 94707.6 0947 09 24444 2--profile 064 7646 240720 99 9263 797.6 96799 642594 0994 940 2444426 WinXPSP2x86 9226 00909940 79 940 9398 7 764 5956 90 429 240720 6 0326 00424 XP SP2 5952 27 9226 04904 0 879 940 24444 042.6 79 32924 7 90 064 429 7998 5948 764 5956 958974 07922 0924726 94229047 90 7229 imageinfo 797 054947.6 474 90 95897924 7 940 7229 09942 947726 6925948 6420974 0994 764 5956 92.6

    $ python volatility.py pslist -f memory.bin
    Name          Pid   PPid  Thds  Hnds  Time
    System        4     0     54    232   Thu Jan 0 00:00:00 970
    smss.exe      368   4     3     2     Tue Dec 0 5:58:54 2009
    csrss.exe     56    368   0     324   Tue Dec 0 5:58:55 2009
    winlogon.exe  540   368   8     505   Tue Dec 0 5:58:55 2009
    services.exe  652   540   6     252   Tue Dec 0 5:58:55 2009
    lsass.exe     664   540   2     326   Tue Dec 0 5:58:55 2009
    svchost.exe   828   652   9     96    Tue Dec 0 5:58:55 2009
    svchost.exe   908   652   0     225   Tue Dec 0 5:58:55 2009
    svchost.exe   004   652   67    085   Tue Dec 0 5:58:55 2009

volatility 0994 09942 940 9589792 79 69244 7229 pslist 90 0964 97494 96299 EPROCESS 92597 797 92.6 4728 2 05922 040 409 99 09942 9477.6 79 69244 WinDbg 0290 797 27 79 902794 940 06226 940 9749 69 90529 09942 797 27907.6

4728 2. 05922 040 9589792 69244 7229 pslist 2 97494 EPROCESS

    Field Name   Description                               Source
    Name         Name of the process executable            EPROCESS.ImageFileName
    Pid          Process ID                                EPROCESS.UniqueProcessId
    PPid         Parent process ID                         EPROCESS.InheritedFromUniqueProcessId
    Thds         Number of active threads in the process   EPROCESS.ActiveThreads
    Hnds         Number of open handles in the process     EPROCESS.ObjectTable.HandleCount
    Time         Time when the process was started         EPROCESS.CreateTime

- - 3 22643 6979094 9654 27 09 27047 DKOM 90499 94707 99 22643 77.6 727994 92649 92493 2 0 92294 962854 6908 7229 pslist 09422907 922742944 7 3 DKOM 5948 2ntoskrnl.exe 764 2 429 7998 0994 42994 7998 6902974 240720 NT 92.6 0994 429944 09 62240904 Physical Address 2Extension 764 2 79 5948 ntkrnlpa.exe 6999 7997.6 2 Kernel Processor Control Region 3 727994 92649 92493 2:6 Direct Kernel Object Manipulation 6

90499 92 7 9802 6090904 69790 09 479 7970 96299 EPROCESS 40 90 842 642074 72 59526 474 90 979282940 2704794 92597 27 225 9227429 940927.6 0994 90499 940 79926 92995994 Flink 2 Blink 9629994 95995 96299 697904 4994 99 0 0524 28449 94749 7 96299 69790 6090 227 6 (278 2). 278 2. 6090 904 69790 09 27047 DKOM 7229 psscan 6979 0 209944 92493 EPROCESS 479 27 90 842 225 922742 2 94040 EPROCESS 6979094 6929 4952 940927.6 psscan 0494 649942 842 642074 2EPROCESS 5956 99 0994 49520 92493 EPROCESS 6242 94707.6 0795099 092294 962854 9422907 0529 92649 92493 2 99 28449 777 ) 09 099 7970 47 799429 2 7 6 90 4026 7294 849 95727 0 92493 92427 79 59564 2 6297 7922.6 2) 09 92597 90 47 2907 API 0294 693 0099.ZwSystemDebugControl 940 2907 0 090994 927 79909 94904 629070 2 02220 59564 5494 2 99 9477.6 0994 295 0524 92597 90 psscan 0994 49520 6979094 965426 924 07950994 0099 Prolaco 929970 942249.6 940 079509926 DKOM 99 0529 7998 90 927 79909 09 92597 90 2907 ZwSystemDebugControl 90499 9477.6 0994 22643 697904 0795099 0947 69244 72 7229 pslist 2 psscan 99 09 477459 9694 7049:6

    $ vol.py pslist -f prolaco.vmem
    Offset(V)  Name                 PID    PPID   Thds   Hnds     Start
    ---------- -------------------- ------ ------ ------ -------- --------------------
    0x80b660   System               4      0      56     253
    0xff2ab020 smss.exe             544    4      3      2        200-08- 06:06:2
    0xffecda0  csrss.exe            608    544    349             200-08- 06:06:23
    0xffec978  winlogon.exe         632    544    9      565      200-08- 06:06:23
    0xff247020 services.exe         676    632    6      269      200-08- 06:06:24
    0xff255020 lsass.exe            688    632    9      34       200-08- 06:06:24
    0xff28230  vmacthlp.exe         844    676    24              200-08- 06:06:24
    0x80ff88d8 svchost.exe          856    676    6      98       200-08- 06:06:24
    0xff27560  svchost.exe          936    676    9      256      200-08- 06:06:24
    0x80fbf90  svchost.exe          028    676    63     334      200-08- 06:06:24
    0xff22d558 svchost.exe          088    676    4      75       200-08- 06:06:25
    0xff203b80 svchost.exe          48     676    4      207      200-08- 06:06:26
    0xffd7da0  spoolsv.exe          432    676    3      35       200-08- 06:06:26
    0xffb8b28  vmtoolsd.exe         668    676    5      29       200-08- 06:06:35
    0xfffdc88  VMUpgradeHelper      788    676    3      97       200-08- 06:06:38
    0xff43b28  TPAutoConnSvc.e      968    676    5      00       200-08- 06:06:39
    0xff25a7e0 alg.exe              26     676    6      04       200-08- 06:06:39
    0xff36430  wscntfy.exe          888    028    27              200-08- 06:06:49
    0xff38b5f8 TPAutoConnect.e      084    968    6               200-08- 06:06:52
    0xff3865d0 explorer.exe         724    708    294             200-08- 06:09:29
    0xff3667e8 VMwareTray.exe       432    724    49              200-08- 06:09:3
    0xff374980 VMwareUser.exe       452    724    5      76       200-08- 06:09:32
    0x80f94588 wuauclt.exe          468    028    3      30       200-08- 06:09:37
    0xff37a4b0 ImmunityDebugge      36     724    2      73       200-08- 6:50:9

    $ vol.py psscan -f prolaco.vmem
    Offset(P)  Name             PID    PPID   Time created         Time exited
    ---------- ---------------- ------ ------ -------------------- --------------------
    0x005f23a0 rundll32.exe     260    724    200-08- 6:50:29      200-08- 6:50:42
    0x00f7588  wuauclt.exe      468    028    200-08- 06:09:37
    0x02290    svchost.exe      028    676    200-08- 06:06:24
    0x03f648   _doc_rcdata_6    336    36     200-08- 6:50:20
    0x05b8d8   svchost.exe      856    676    200-08- 06:06:24
    0x024660   System           4      0
    0x02ab28   TPAutoConnSvc.e  968    676    200-08- 06:06:39
    0x049c5f8  TPAutoConnect.e  084    968    200-08- 06:06:52
    0x04a065d0 explorer.exe     724    708    200-08- 06:09:29
    0x04a544b0 ImmunityDebugge  36     724    200-08- 6:50:9
    0x04b5a980 VMwareUser.exe   452    724    200-08- 06:09:32
    0x04be97e8 VMwareTray.exe   432    724    200-08- 06:09:3
    0x04c2b30  wscntfy.exe      888    028    200-08- 06:06:49
    0x0547020  smss.exe         544    4      200-08- 06:06:2
    0x05f027e0 alg.exe          26     676    200-08- 06:06:39
    0x05f47020 lsass.exe        688    632    200-08- 06:06:24
    0x0605020  services.exe     676    632    200-08- 06:06:24
    0x06ef558  svchost.exe      088    676    200-08- 06:06:25
    0x06384230 vmacthlp.exe     844    676    200-08- 06:06:24
    0x063c5560 svchost.exe      936    676    200-08- 06:06:24
    0x0640ac0  msiexec.exe      44     420    200-08- 6:49:33      200-08- 6:50:08
    0x06499b80 svchost.exe      48     676    200-08- 06:06:26
    0x0655fc88 VMUpgradeHelper  788    676    200-08- 06:06:38
    0x066f0978 winlogon.exe     632    544    200-08- 06:06:23
    0x066f0da0 csrss.exe        608    544    200-08- 06:06:23
    0x06945da0 spoolsv.exe      432    676    200-08- 06:06:26
    0x069d5b28 vmtoolsd.exe     668    676    200-08- 06:06:35

pslist _doc_rcdata_6.exe psscan 990 529 7 9297 94704726 79 69244 6979094 0099 2427 7997 7 79 69244 747 094227.6 72 697904 rundll32.exe 2 msiexec.exe 040 79 69244 pslist 747 0942207 7 9802 940 999 0994 69790944 7 96499 6929 495290726 7974 940927.
7229 74594 7 0994 725 DKOM 6908 799097 9226 7229 psxview 92 7 6979094 9654 27 99 09 96944 842 9299 27 225 PsActiveProcessHead 09 949 90907 842 697909 9694 94707.6 9970 92 92274226 697904 07629 99 90 474 49 04229 90 90907 842 69790 585 797 092726 999 79 0964 7459 02290 976944 90 40 99 4952.6 7229 2psxview 9629994 EPROCESS 4952 27 225 969749 049 99 09 477459 9694 94707:6 842 642074 PsActiveProcessHead 6 (7229 (pslist 6242 5956 0994 49520 EPROCESS9 6 (7229 (psscan 6242 5956 0994 49520 ETHREAD9 6 (7229 :(thrdscan 09 7229 2thrdscan 79 764 5956 0 70098 92493 ETHREAD ETHREAD 9459749.6 90 4049 7 96299 79994 54874 92 7 697904 2987 40 99 9263 9470726 942290 09 940 27047 764 59564 prolaco.vmem 2 949 76494 59564 99025 0 07950999 7 79 9799 879 942207 99 94229047 https://code.google.com/p/malwarecookbook/source/browse/trunk 794952 7047.6 90 479 8

6979094 6090 99 6479 797.6 94 697909 79994 57968 47 06 949944 940920726 942290 069 99 924 429 29992 797.6 79 32924 7 064 0 6979094 92786 0927 7 40 69790 79 842 697909 92427 0092726 40 69790 7979 90 842 585 59747 92.6 PspCidTable 47 92849 2 92 7 429 7998 225 4026 697909 2 0694 5798 429 99 974904 94707.6 :PspCidTable 79 2967 47 243 HANDLE_TABLE 92 7 2998 725494 697909 2 069 940927.6 2094 697909 2 069 09 99 9790 409 79 940 4728 27440 94227.6 942290 09 0994 2PspCidTable 6979094 9654 99 4952.6 9802 9970 92 92274226 725494 69790 99 90 PspCidTable 040 585 797 0927.6 4728 7254994 :Csrss.exe 697904 Csrss.exe 90 725494 2999 6979094 924 429 040 6272 2 69790944 7 608 System 2Idle 2 smss 94227)26 764 945497.6 09 25848 4728 7254994 90 40 2927 27907 6 (979289 565 2998 6979094 69790944 99 4952 7 225 922742 90 842 642074 96299 EPROCESS9 585 2790726 999 79 940 Csrss.exe 942290 4728 725494 090 0 409 2427 7997.6 79 9799 93984 90 49520 0795099 prolaco 225 7229 psxview 497 92.6 2427 False 79 9 220 049059 940 92 7 69790 79 842 99025 2427 07997.6 697904 _doc_rcdata_6 92727 9226 499 7 79 2999 8429 040 pslist 2427 7997.6 990529 7 9297 9422726 72 697904 6929 49524 rundll32.exe 2 msiexec.exe 90 84294 96285 09942 697909 585 59747907 2 565 6242 5956 0994 49520 EPROCESS9 6979 0 725 409 92.6

    $ vol.py psxview -f prolaco.vmem
    Offset(P)  Name                 PID    pslist psscan thrdproc pspcdid csrss
    ---------- -------------------- ------ ------ ------ -------- ------- -----
    0x06499b80 svchost.exe          48     True   True   True     True    True
    0x04b5a980 VMwareUser.exe       452    True   True   True     True    True
    0x0655fc88 VMUpgradeHelper      788    True   True   True     True    True
    0x02ab28   TPAutoConnSvc.e      968    True   True   True     True    True
    0x04c2b30  wscntfy.exe          888    True   True   True     True    True
    0x06ef558  svchost.exe          088    True   True   True     True    True
    0x06945da0 spoolsv.exe          432    True   True   True     True    True
    0x0547020  smss.exe             544    True   True   True     True    False
    0x04a544b0 ImmunityDebugge      36     True   True   True     True    True
    0x069d5b28 vmtoolsd.exe         668    True   True   True     True    True
    0x06384230 vmacthlp.exe         844    True   True   True     True    True
    0x00f7588  wuauclt.exe          468    True   True   True     True    True
    0x066f0da0 csrss.exe            608    True   True   True     True    False
    0x05f027e0 alg.exe              26     True   True   True     True    True
    0x0605020  services.exe         676    True   True   True     True    True
    0x04a065d0 explorer.exe         724    True   True   True     True    True
    0x049c5f8  TPAutoConnect.e      084    True   True   True     True    True
    0x05b8d8   svchost.exe          856    True   True   True     True    True
    0x024660   System               4      True   True   True     True    False
    0x02290    svchost.exe          028    True   True   True     True    True
    0x04be97e8 VMwareTray.exe       432    True   True   True     True    True
    0x05f47020 lsass.exe            688    True   True   True     True    True
    0x063c5560 svchost.exe          936    True   True   True     True    True
    0x066f0978 winlogon.exe         632    True   True   True     True    True
    0x0640ac0  msiexec.exe          44     False  True   False    False   False
    0x005f23a0 rundll32.exe         260    False  True   False    False   False
    0x03f648   _doc_rcdata_6        336    False  True   True     True    True

9
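The pslist/psscan disagreement above (a record unlinked from ActiveProcessLinks by DKOM still sits in physical memory, and the psxview cross-view flags it) as an added, runnable model; this is not code from the original document or from Volatility. It uses a constructed byte buffer of simplified EPROCESS-like records, a Flink walk standing in for pslist, a pool-tag scan standing in for psscan, and an ExitTime check to separate a stale record of an exited process from a hidden live one; the record layout, pool tag, addresses and sample processes are all invented.

```python
import struct

# Constructed record layout, not the real _EPROCESS: pool tag, PID, Flink,
# Blink, ExitTime, ImageFileName.  Flink/Blink hold the address of the
# neighbouring record's start (Volatility rebases the real LIST_ENTRY
# pointers to the containing _EPROCESS in the same spirit).
REC_FMT = "<4sIIII16s"
REC_SIZE = struct.calcsize(REC_FMT)   # 36 bytes
POOL_TAG = b"Proc"                    # invented tag; the real one differs
MEM_SIZE = 0x1000
HEAD_ADDR = 0x040                     # stands in for PsActiveProcessHead
MALWARE_ADDR = 0x400


def write_record(buf, addr, pid, name, flink, blink, exit_time=0):
    # The list head is not a process and carries no pool tag, so a scan never hits it.
    tag = POOL_TAG if pid != 0 else b"\0\0\0\0"
    packed = struct.pack(REC_FMT, tag, pid, flink, blink, exit_time,
                         name.encode().ljust(16, b"\0"))
    buf[addr:addr + REC_SIZE] = packed


def read_record(buf, addr):
    tag, pid, flink, blink, exit_time, name = struct.unpack_from(REC_FMT, buf, addr)
    return {"addr": addr, "pid": pid, "flink": flink, "blink": blink,
            "exit_time": exit_time,
            "name": name.rstrip(b"\0").decode("ascii", "replace")}


def rewrite_links(buf, addr, flink, blink):
    rec = read_record(buf, addr)
    write_record(buf, addr, rec["pid"], rec["name"], flink, blink, rec["exit_time"])


def build_sample_memory():
    """Constructed image: a list head, four running processes chained into a
    circular doubly linked list, and one stale record of an exited process
    that the kernel already unlinked but whose pool block was not reused."""
    buf = bytearray(MEM_SIZE)
    write_record(buf, HEAD_ADDR, 0, "", 0, 0)
    running = [(0x100, 4, "System"), (0x200, 544, "smss.exe"),
               (0x300, 724, "explorer.exe"), (MALWARE_ADDR, 336, "_doc_rcdata_6")]
    for addr, pid, name in running:
        write_record(buf, addr, pid, name, 0, 0)
    ring = [HEAD_ADDR] + [addr for addr, _, _ in running]
    for i, addr in enumerate(ring):
        rewrite_links(buf, addr, ring[(i + 1) % len(ring)], ring[i - 1])
    write_record(buf, 0x500, 260, "rundll32.exe", 0, 0, exit_time=1281333042)
    return buf


def pslist(buf):
    """Follow Flink from the head until it wraps, as the pslist plugin does."""
    found, seen, addr = [], set(), read_record(buf, HEAD_ADDR)["flink"]
    while addr != HEAD_ADDR and addr not in seen and addr + REC_SIZE <= MEM_SIZE:
        seen.add(addr)
        rec = read_record(buf, addr)
        found.append(rec)
        addr = rec["flink"]
    return found


def psscan(buf):
    """Ignore the list and carve records by pool tag, as psscan does."""
    found = []
    for off in range(0, MEM_SIZE - REC_SIZE + 1, 4):
        if buf[off:off + 4] == POOL_TAG:
            rec = read_record(buf, off)
            if rec["pid"] != 0 and rec["name"]:   # minimal sanity checks on a carved object
                found.append(rec)
    return found


def dkom_unlink(buf, addr):
    """What a DKOM rootkit does: point the neighbours past the record.  The
    record itself is untouched and its threads keep being scheduled."""
    rec = read_record(buf, addr)
    prev, nxt = read_record(buf, rec["blink"]), read_record(buf, rec["flink"])
    rewrite_links(buf, prev["addr"], rec["flink"], prev["blink"])
    rewrite_links(buf, nxt["addr"], nxt["flink"], rec["blink"])


def classify(buf):
    """Cross-view in the manner of psxview's pslist/psscan columns; ExitTime
    separates a stale record of an exited process from a hidden live one."""
    listed = {rec["pid"] for rec in pslist(buf)}
    status = {}
    for rec in psscan(buf):
        if rec["pid"] in listed:
            status[rec["pid"]] = "visible"
        elif rec["exit_time"]:
            status[rec["pid"]] = "terminated"
        else:
            status[rec["pid"]] = "hidden"
    return status


if __name__ == "__main__":
    mem = build_sample_memory()
    print("before DKOM:", classify(mem))
    dkom_unlink(mem, MALWARE_ADDR)
    print("after DKOM: ", classify(mem))
```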

- -2 3 22643 6979094 9654 27 09 92294 7459 2 727994 92649 92493 595626 9880 0994 9949 69 040 9226 499 7 0490 0 02220 77 6947994 92 7 0973 272 429 0227.6 79 9799 92294 9729 74594 7 0964 07950999 0994 9654 99070 92597 94700726 99 0490 947049.6 0964 0795099926 697904 627 99 09 099 47 697904 97209 lsass.exe 58922 92.6 97954 947007.6 070290 9398 0795099 2Stuxnet 099 697904 07629 627 99 3 lsass.exe 099 47 697904 97209 79 429 7998 240720 92 7 972099 099 799094 2 7894 7029 29274 429 99 0994 94707.6 940 69790 79 0599 022 429 225 697904 Winlogon.exe 79 240720 XP 2 225 Wininit.exe 79 240720 2429 0 077 94497 94227.6 79 47 429 979284 24072026 565 47 0920 90 940 69790 2427 7997.6 999 842 6979094 79 598 9499 90 764 595694 7 Stuxnet 79 40 79 598 9499 9226 72 09204 7459 90 940 69790 99 09942 9477.6

    $ vol.py -f "stuxnet.vmem" --profile=winxpsp3x86 pslist
    Offset(V)  Name          PID   PPID  Thds  Hnds  Start
    0x823c8830 System        4     0     59    403
    0x820df020 smss.exe      376   4     3     9     200-0-29 7:08:53
    0x82a2da0  csrss.exe     600   376   395         200-0-29 7:08:54
    0x8da5650  winlogon.exe  624   376   9     570   200-0-29 7:08:54
    0x82073020 services.exe  668   624   2     43    200-0-29 7:08:54
    0x8e70020  lsass.exe     680   624   9     342   200-0-29 7:08:54
    0x82335d8  vmacthlp.exe  844   668   25          200-0-29 7:08:55
    0x8db8da0  svchost.exe   856   668   7     93    200-0-29 7:08:55
    0x8e6da0   svchost.exe   940   668   3     32    200-0-29 7:08:55
    0x822843e8 svchost.exe   032   668   6     69    200-0-29 7:08:55
    0x8e8b28   svchost.exe   080   668   5     80    200-0-29 7:08:55
    0x8ff7020  svchost.exe   200   668   4     97    200-0-29 7:08:55
    0x8fee8b0  spoolsv.exe   42    668   0     8     200-0-29 7:08:56
    0x822b9a0  wuauclt.exe   976   032   3     33    200-0-29 7:2:03
    0x8c543a0  Procmon.exe   660   96    3     89    20-06-03 04:25:56
    0x8fa5390  wmiprvse.exe  872   856   5     34    20-06-03 04:25:58
    0x8c498c8  lsass.exe     868   668   2     23    20-06-03 04:26:55
    0x8c47c00  lsass.exe     928   668   4     65    20-06-03 04:26:55

990529 7 9297 94704726 697904 lsass.exe 97209 09 2094 680 79994 29874 09 2094 624 92 7 92786 0 winlogon.exe 940927.6 999 72 697904 lsass.exe 0997209 79994 2094 2987 668 207 7 92786 0 services.exe 940927.6 6
90 22643 697904 0997209 49 92727 94229047 09 949 722992 volatility 7 79 9799 9444726 9589792 042294 790994 0795099 2 0524 799 40 072 42947.6 79 9398 608 74749 7 09 797 2094 2987 6979026 942290 697904 0997209 99 90 97209 22643 797.6 999 9994 927774 2427 7997 29 6979094 99 94029 797 7 2987 090994 07629 0927:6 959 69790 99 070290 47 924 240720 4890 704726 2987 69790 0529 627799 09909 services.exe 94227.6 79 42994 240720 2429 0 07726 942290 09 92597 90 2907 2CreateProcess 2987 69790 99 9263 797.6 070290 939826 942290 2987 697904 notepad.exe 99 lsass.exe 27440 797.6 0529 9792826 2987 697904 474726 6979094 92 7 40 99 94497 797 92 6 (90 5946.(CreateProcess 999 942290 00524 90 940 2907 API 92597 797 7 2987 69790 99 627990 27440 7049.6 942290 09 20946 7726 2907 CreateProcess 99 90 7968 5494 47 697904 92427 59962904 797.6 79 940 329226 40 6979026 2987 Stable 2 Crash 3 Local Security Authentication SubSystem 0

697904 4747 94227.6 4704 services.exe 940927.6 90 4049 79 9398 049 697904 svchost.exe 09 2094 2908 79994 29874 09909 949 6979094 svchost.exe 7 979289 407 764 svchost.exe 0529 90990 924 429 79 598 9499 9226 22643 697904 076294 7 070290 924 9499 27 2 00909940 79994 2987 services.exe 94092726 0922 6084 9970 042.6

    $ python volatility.py pslist -f fakesvchost.bin
    Name          Pid   PPid  Thds  Hnds  Time
    System        4     0     53    233   Thu Jan 0 00:00:00 970
    smss.exe      520   4     3     2     Thu Dec 03 6:43:20 2009
    csrss.exe     584   520   2     336   Thu Dec 03 6:43:2 2009
    winlogon.exe  608   520   6     542   Thu Dec 03 6:43:2 2009
    services.exe  652   608   5     257   Thu Dec 03 6:43:2 2009
    lsass.exe     664   608   8     38    Thu Dec 03 6:43:2 2009
    svchost.exe   820   652   6     90    Thu Dec 03 6:43:2 2009
    svchost.exe   896   652   9     235   Thu Dec 03 6:43:22 2009
    svchost.exe   992   652   48    053   Thu Dec 03 6:43:22 2009
    svchost.exe   036   652   4     55    Thu Dec 03 6:43:22 2009
    svchost.exe   080   652   3     20    Thu Dec 03 6:43:23 2009
    spoolsv.exe   436   652   0     07    Thu Dec 03 6:43:23 2009
    explorer.exe  560   536   384         Thu Dec 03 6:43:24 2009
    cmd.exe       984   560   3           Thu Dec 03 6:44:42 2009
    svchost.exe   2908  652   8           Fri Dec 04 5:06:4 2009
    win32dd.exe   296   984   2           Fri Dec 04 5:36:50 2009

697904 07629 90 9494 849 90 C:\Windows\System32\svchost.exe 7 949 927995 764 949944 697904 svchost.exe 9226 9499 27 92.6 0994 92974 949 7998 0 094094 69790 942290 90 7229 2 dlllist 92597 797.6 990529 7 79 69244 940 7229 9297 9422726 697904 svchost.exe 09 2094 2908 90 949 849927995 C:\Temp\svchost.exe 9499 27 92.6

    $ python volatility.py dlllist -f fakesvchost.bin -p 2908
    *************************************************
    svchost.exe pid: 2908
    Command line : C:\Temp\svchost.exe
    Service Pack 2

4-09094 DLL9 79 920222 5956 9 96299 EPROCESS 3 79994 7424 0099 PEB 92.6 09 92974 96299 PEB 09 92597 90 WinDbg 9297 947047 7 79 452 PEB_LDR_DATA 940927.6 96299 PEB_LDR_DATA 2427 7997 7 9299594 0 96299 Ldr 90 940 9629926 7424 0099 0xC 627 2998 head 90 842 642074 72595 92 7 2998 9922894 099 27 225 69790 9409207.6 940 842 642074 0624 90 962994 0099 LDR_DATA_TABLE_ENTRY 9409207.6 79 940 96299 9589792 8909 790994 992289 2998 479 69426 90790 2 099 DLL 497 92 6 (278 3). 697904 svchost.exe 47 697904 4294 92 7 940090 40740 924 240720 940927.6 940 9249 03292 594894.dll 207 2 094229007 020944 9499 220726 00909940 0994 9499 0490 0 940 697904 4294 79907.6 9 592 924 225 47 697904 svchost.exe 9499 942207.6 3 Process Environment Block 295 7998 940 7229 79 062 4 497 92.6 2

278 3. 0524 7294 0 84294 642074 9922894 099 27 225 69790

    kd> dt _PEB
    ntdll!_peb
       +0x000 InheritedAddressSpace    : UChar
       +0x00  ReadImageFileExecOptions : UChar
       +0x002 BeingDebugged            : UChar
       +0x003 SpareBool                : UChar
       +0x004 Mutant                   : Ptr32 Void
       +0x008 ImageBaseAddress         : Ptr32 Void
       +0x00c Ldr                      : Ptr32 _PEB_LDR_DATA
       +0x00  ProcessParameters        : Ptr32 _RTL_USER_PROCESS_PARAMETERS
       [...]

    kd> dt _PEB_LDR_DATA
    ntdll!_peb_ldr_data
       +0x000 Length                          : Uint4B
       +0x004 Initialized                     : UChar
       +0x008 SsHandle                        : Ptr32 Void
       +0x00c InLoadOrderModuleList           : _LIST_ENTRY
       +0x04  InMemoryOrderModuleList         : _LIST_ENTRY
       +0x0c  InInitializationOrderModuleList : _LIST_ENTRY
       +0x024 EntryInProgress                 : Ptr32 Void

    kd> dt _LDR_DATA_TABLE_ENTRY
    ntdll!_ldr_data_table_entry
       +0x000 InLoadOrderLinks           : _LIST_ENTRY
       +0x008 InMemoryOrderLinks         : _LIST_ENTRY
       +0x00  InInitializationOrderLinks : _LIST_ENTRY
       +0x08  DllBase                    : Ptr32 Void
       +0x0c  EntryPoint                 : Ptr32 Void
       +0x020 SizeOfImage                : Uint4B
       +0x024 FullDllName                : _UNICODE_STRING
       +0x02c BaseDllName                : _UNICODE_STRING
       [...]

InMemoryOrderModuleList 2InLoadOrderModuleList 96299 PEB_LDR_DATA 79994 742 009994 2 InInitializationOrderModuleList 940927 7 0 842 642074 72595 90 9922894 099 27 225 69790 9299 947007.6 9 842 642074 2998 DLL94 47904 20726 999 02924094 962854 79 842 6999 59529077 79 642074 842 2

InLoadOrderModuleList orders the modules by the order in which they were loaded, InMemoryOrderModuleList by their address in memory, and InInitializationOrderModuleList by the order in which they were initialized. A DLL brought in with LoadLibrary is linked into all three lists by the loader. dlllist in volatility walks InLoadOrderModuleList (Figure 3); the process is selected either by PID with -p or by the offset of its EPROCESS with --offset:

    $ python volatility.py dlllist -p 820 -f memory.bin
    svchost.exe pid: 820
    Command line : C:\WINDOWS\system32\svchost -k DcomLaunch

    Base        Size      Path
    0x01000000  0x6000    C:\WINDOWS\system32\svchost.exe
    0x7c900000  0xb0000   C:\WINDOWS\system32\ntdll.dll
    0x7c800000  0xf4000   C:\WINDOWS\system32\kernel32.dll
    0x77dd0000  0x9b000   C:\WINDOWS\system32\ADVAPI32.dll
    0x77e70000  0x9000    C:\WINDOWS\system32\RPCRT4.dll
    0x5cb70000  0x26000   C:\WINDOWS\system32\ShimEng.dll
    0x6f880000  0xca000   C:\WINDOWS\AppPatch\AcGenral.DLL
    0x77d40000  0x90000   C:\WINDOWS\system32\USER32.dll
    0x77f10000  0x46000   C:\WINDOWS\system32\GDI32.dll
    0x76b40000  0x2d000   C:\WINDOWS\system32\WINMM.dll
    0x774e0000  0x3c000   C:\WINDOWS\system32\ole32.dll
    [...]

The list of loaded DLLs also says something about what a process can do. Beyond the DLLs that practically every process loads, such as kernel32.dll, some DLLs point at specific capabilities: sfc_os.dll is the interface to Windows File Protection (WFP); pstorec.dll gives access to Windows Protected Storage, where credentials are kept; wininet.dll, winsock32.dll, ws2_32.dll and urlmon.dll are used for network communication. Such DLLs in a process that has no business using them, a notepad.exe that talks to the network, for instance, are a strong hint that the process has been tampered with.

The module lists in the PEB are user-mode data that the process itself can modify. Malware that wants to hide a loaded DLL unlinks its LDR_DATA_TABLE_ENTRY from the three lists, much as DKOM hides a process by unlinking its EPROCESS. Tools that rely on the PEB, such as listdlls and Process Explorer from Sysinternals, and likewise the dlllist command of volatility, then no longer show the DLL. Finding such a DLL requires a second source of information: the VAD (Virtual Address Descriptor) tree maintained by the kernel's memory manager.

LoadLibrary ends up making three system calls: ZwCreateFile opens the DLL file, ZwCreateSection creates a section object (a file mapping) for it, and ZwMapViewOfSection maps a view of that section into the address space of the process. The mapping makes the memory manager allocate a VAD node for the range, and the node points to the section and, through it, to the file. The VAD tree is a binary tree rooted at the VadRoot member of EPROCESS; every reservation of address space in the process, whether a mapped image or memory obtained with VirtualAlloc, gets a node recording its start and end addresses. Because the VAD is kernel data that user-mode code cannot reach, a DLL removed from the PEB lists still shows up there.

listdlls: http://technet.microsoft.com/en-us/sysinternals/bb896655.aspx
Process Explorer: http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

The relevant structures, again as displayed by WinDbg:

    kd> dt _MMVAD
    nt!_MMVAD
       +0x000 StartingVpn : Uint4B
       +0x004 EndingVpn : Uint4B
       +0x008 Parent : Ptr32 _MMVAD
       +0x00c LeftChild : Ptr32 _MMVAD
       +0x010 RightChild : Ptr32 _MMVAD
       +0x014 u : unnamed
       +0x018 ControlArea : Ptr32 _CONTROL_AREA
       +0x01c FirstPrototypePte : Ptr32 _MMPTE
       +0x020 LastContiguousPte : Ptr32 _MMPTE
       +0x024 u2 : unnamed
    kd> dt _CONTROL_AREA
    nt!_CONTROL_AREA
       +0x000 Segment : Ptr32 _SEGMENT
       +0x004 DereferenceList : _LIST_ENTRY
       +0x024 FilePointer : Ptr32 _FILE_OBJECT
       +0x028 WaitingForDeletion : Ptr32 _EVENT_COUNTER
       +0x02c ModifiedWriteCount : Uint2B
       +0x02e NumberOfSystemCacheViews : Uint2B
    kd> dt _FILE_OBJECT
    ntdll!_FILE_OBJECT
       +0x000 Type : Int2B
       +0x002 Size : Int2B
       +0x030 FileName : _UNICODE_STRING
       +0x038 CurrentByteOffset : _LARGE_INTEGER

For a DLL mapped by LoadLibrary, the VAD node gives both the address range (StartingVpn and EndingVpn, as virtual page numbers) and the name of the backing file (ControlArea.FilePointer.FileName). A DLL that has been unlinked from the PEB lists can therefore still be enumerated from the VAD tree (Figure 4 shows the tree of one process). The node tag tells the node type apart: VadS is a short VAD used for private memory, such as memory allocated with VirtualAlloc, and has no ControlArea; Vad and Vadl are the full structure, whose ControlArea pointer describes a file or image mapping when one exists. Nodes of all kinds are mixed in the same tree.

Figure 4. VAD tree of a process

volatility provides three commands that display the VAD:

  vadinfo  prints every VAD node of the process with its fields, including the name of the mapped file where there is one.
  vadwalk  prints the nodes as a table, one line per range.
  vadtree  prints the nodes as an indented tree; with --output=dot it writes the tree in Graphviz format so that it can be rendered as a graph.

All three start at the VadRoot member of the EPROCESS and walk the tree. The tree in Figure 4 was produced with vadtree and rendered with Graphviz:

    $ python volatility.py vadtree -f memory.bin -p 680 --output=dot --output-file=vad.html

The fields of each node are shown by vadinfo. Two nodes of the same process, a private range and the mapping of ntdll.dll, look like this:

    $ python volatility.py vadinfo -p 680 -f memory.bin
    [...]
    VAD node @82b9e60 Start 7ffab000 End 7ffabfff Tag Vadl
    Flags: NoChange, PrivateMemory, MemCommit
    Commit Charge: 1 Protection: 4
    First prototype PTE: 00000000 Last contiguous PTE: 00000000
    Flags2: LongVad, OneSecured
    File offset: 00000000
    Secured: 7ffab000-7ffabfff
    Pointer to _MMEXTEND_INFO (or _MMBANKED_SECTION?): 00000000

Graphviz: http://www.graphviz.org

    VAD node @82c3d8 Start 7c900000 End 7c9bfff Tag Vad
    Flags: ImageMap
    Commit Charge: 5 Protection: 7
    ControlArea @823c72d8 Segment e4cdcc8
    Dereference list: Flink 00000000, Blink 00000000
    NumberOfSectionReferences: NumberOfPfnReferences: 05
    NumberOfMappedViews: 30 NumberOfSubsections: 5
    FlushInProgressCount: 0 NumberOfUserReferences: 3
    Flags: Accessed, HadUserReference, DebugSymbolsLoaded, Image, File
    FileObject @823e5f90 (023e5f90), Name: \WINDOWS\system32\ntdll.dll
    WaitingForDeletion Event: 00000000
    ModifiedWriteCount: 0 NumberOfSystemCacheViews: 0
    First prototype PTE: e4cdd00 Last contiguous PTE: fffffffc
    Flags2: Inherit
    File offset: 00000000
    [...]

The first node (@82b9e60) is private memory covering 7ffab000-7ffabfff, with no file behind it. The second (@82c3d8) covers 7c900000-7c9bfff and carries a _CONTROL_AREA whose FileObject names \WINDOWS\system32\ntdll.dll: it is the mapping of ntdll.dll, the module that dlllist reported at base 0x7c900000.

The ldrmodules command

ldrmodules in volatility cross-references the PEB lists with the VAD tree. For every image mapping found in the VAD it prints whether the module appears in each of the three PEB lists (InLoad, InInit, InMem, as True or False) together with the mapped path, so a module that is mapped but missing from the lists stands out:

    $ vol.py -f laqma.vmem ldrmodules
    Pid  Process       Base        InLoad  InInit  InMem  MappedPath
    340  IEXPLORE.EXE  0x02370000  False   False   False  \WINDOWS\system32\mshtml.tlb
    340  IEXPLORE.EXE  0x74980000  True    True    True   \WINDOWS\system32\msxml3.dll
    340  IEXPLORE.EXE  0x76390000  True    True    True   \WINDOWS\system32\imm32.dll
    340  IEXPLORE.EXE  0x77c10000  True    True    True   \WINDOWS\system32\msvcrt.dll
    340  IEXPLORE.EXE  0x025f0000  False   False   False  \WINDOWS\system32\stdole2.tlb
    340  IEXPLORE.EXE  0x5ad70000  True    True    True   \WINDOWS\system32\uxtheme.dll
    340  IEXPLORE.EXE  0x71aa0000  True    True    True   \WINDOWS\system32\ws2help.dll
    340  IEXPLORE.EXE  0x746c0000  True    True    True   \WINDOWS\system32\msls31.dll
    340  IEXPLORE.EXE  0x76ee0000  True    True    True   \WINDOWS\system32\rasapi32.dll
    340  IEXPLORE.EXE  0x03a50000  False   False   False  \WINDOWS\system32\msxml3r.dll
    340  IEXPLORE.EXE  0x4d4f0000  True    True    True   \WINDOWS\system32\winhttp.dll
    340  IEXPLORE.EXE  0x77b20000  True    True    True   \WINDOWS\system32\msasn1.dll

The output thus lists the image mappings of iexplore.exe as the VAD sees them, not as the PEB reports them. A row that is False in all three columns is not automatically malicious: mshtml.tlb and stdole2.tlb are type libraries and msxml3r.dll a resource-only DLL, which are mapped as images but never pass through the loader's lists. A code-carrying DLL that shows False everywhere, on the other hand, has either been unlinked or was mapped without the loader and deserves a closer look.

5. Dumping process memory

The vaddump command writes the contents of every VAD range of a process to a separate file, which is a convenient way to extract the memory of a single process for further examination.

As an example, a memory image was taken from a Windows 7 machine while Firefox was logged into Gmail with the test account SecretUser / SecretPass (Figure 5). The login itself goes over HTTPS, but that says nothing about what remains in the browser's memory afterwards. pslist locates the Firefox process, and vaddump writes out its VAD ranges:

Figure 5. Gmail login in Firefox (test account SecretUser / SecretPass)

    $ vol.py -f gmail.bin --profile=Win7SP1x86 pslist | find "Firefox"
    Name         Pid   PPid  Thds  Hnds  Time
    Firefox.exe  5384  3856  3     373   2012-11-16 09:40:53

    $ vol.py -f gmail.bin --profile=Win7SP1x86 vaddump -p 5384 --dump-dir=outdir

vaddump walks the VAD tree and writes one file per range into outdir. volatility names each file after the process, the offset of its EPROCESS (a process name alone would not be unique) and the start and end address of the range, e.g. Firefox.exe.bb87338.0x09df0000-0x09eeffff.dmp for the range 0x09df0000-0x09eeffff of this Firefox process. A browser has many ranges, so vaddump produces many files (483 in this case). Rather than opening them one by one, the dumps are searched with strings and find:

    $ strings outdir\* | find "SecretUser"
    outdir\Firefox.exe.bb87338.0x03800000-0x038fffff.dmp: SecretUser

strings (Sysinternals): http://technet.microsoft.com/en-us/sysinternals/bb897439.aspx

    outdir\Firefox.exe.bb87338.0x03800000-0x038fffff.dmp: https://mail.google.com/mail?gxlu=secretuser&zx=35306580702
    outdir\Firefox.exe.bb87338.0x03800000-0x038fffff.dmp: Would you like to remember the password for "SecretUser" on google.com?
    outdir\Firefox.exe.bb87338.0x05600000-0x056fffff.dmp: continue=http%3a%2f%2fmail.google.com%2fmail 8% F&service=mail&rm=false&dsh=-765870646349508990&ltmpl=default&scc=&GALX=95bJEYRdzKc&pstMsg=&dnConn=&checkConnection=&checkedDomains=youtube&timestmp=&sectok=&email=secretuser&passwd=secretpass&signin=sign+in&rmshown=
    outdir\Firefox.exe.bb87338.0x08200000-0x082fffff.dmp: -EmailSecretUser

    $ strings outdir\* | find "SecretPass"
    outdir\Firefox.exe.bb87338.0x05600000-0x056fffff.dmp: continue=http%3a%2f%2fmail.google.com%2fmail 8% F&service=mail&rm=false&dsh=-765870646349508990&ltmpl=default&scc=&GALX=95bJEYRdzKc&pstMsg=&dnConn=&checkConnection=&checkedDomains=youtube&timestmp=&sectok=&email=secretuser&passwd=secretpass&signin=sign+in&rmshown=
    outdir\Firefox.exe.bb87338.0x08300000-0x083fffff.dmp: SecretPass
    outdir\Firefox.exe.bb87338.0x0a500000-0x0a5fffff.dmp: SecretPass

The Gmail login is encrypted with SSL on the wire, yet the complete POST body, including email=secretuser&passwd=secretpass, sits in clear text in the memory of the Firefox process, and the password also appears on its own in several other ranges. Memory analysis thus recovers data that a network capture would never show.

6. Code injection

Code injection means writing code into the address space of another process and having it run there, so that the malicious code executes under the name of a legitimate process and leaves no module of its own in the DLL list. In the previous section both the process (Firefox) and the strings to search for (SecretUser, SecretPass) were known in advance. When neither is known, a different approach is needed, and volatility offers two commands for it: malfind and yarascan.

malfind scans the VAD tree of every process for ranges that are private, committed memory with execute permission (PAGE_EXECUTE_READWRITE) and no file behind them. Legitimate code normally lives in image mappings; executable private memory without a backing file is how injected code, shellcode or a manually mapped DLL typically appears. Memory obtained with VirtualAllocEx ends up in exactly such a range, because the protection chosen by the allocating process is recorded in the VAD. For every hit, malfind prints the process, the address, the VAD tag and flags, a hex dump of the first bytes and their disassembly, and with --dump-dir it also writes the range to a file. The example below is a memory image infected with Zeus.

    $ vol.py -f zeus.vmem malfind --dump-dir=outdir
    Process: explorer.exe Pid: 1724 Address: 0x1600000
    Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
    Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

    0x01600000  b8 35 00 00 00 e9 cd d7 30 7b b8 91 00 00 00 e9   .5......0{......
    0x01600010  4f df 30 7b 8b ff 55 8b ec e9 ef 17 c1 75 8b ff   O.0{..U......u..
    0x01600020  55 8b ec e9 95 76 bc 75 8b ff 55 8b ec e9 be 53   U....v.u..U....S
    0x01600030  bd 75 8b ff 55 8b ec e9 d6 18 c1 75 8b ff 55 8b   .u..U......u..U.

    0x1600000 b835000000   MOV EAX, 0x35
    0x1600005 e9cdd7307b   JMP 0x7c90d7d7
    0x160000a b891000000   MOV EAX, 0x91
    0x160000f e94fdf307b   JMP 0x7c90df63
    0x1600014 8bff         MOV EDI, EDI
    0x1600016 55           PUSH EBP
    0x1600017 8bec         MOV EBP, ESP
    0x1600019 e9ef17c175   JMP 0x7721180d
    0x160001e 8bff         MOV EDI, EDI
    0x1600020 55           PUSH EBP
    0x1600021 8bec         MOV EBP, ESP
    0x1600023 e99576bc75   JMP 0x771c76bd
    0x1600028 8bff         MOV EDI, EDI
    0x160002a 55           PUSH EBP
    0x160002b 8bec         MOV EBP, ESP
    0x160002d e9be53bd75   JMP 0x771d53f0
    0x1600032 8bff         MOV EDI, EDI
    0x1600034 55           PUSH EBP
    0x1600035 8bec         MOV EBP, ESP
    0x1600037 e9d618c175   JMP 0x77211912
    0x160003c 8bff         MOV EDI, EDI
    0x160003e 55           PUSH EBP
    0x160003f 8b           DB 0x8b

    Process: explorer.exe Pid: 1724 Address: 0x15d0000
    Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
    Flags: CommitCharge: 38, MemCommit: 1, PrivateMemory: 1, Protection: 6

    0x015d0000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............
    0x015d0010  b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00   ........@.......
    0x015d0020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
    0x015d0030  00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00   ................

    0x15d0000 4d             DEC EBP
    0x15d0001 5a             POP EDX
    0x15d0002 90             NOP
    0x15d0003 0003           ADD [EBX], AL
    0x15d0005 0000           ADD [EAX], AL
    0x15d0007 000400         ADD [EAX+EAX], AL
    0x15d000a 0000           ADD [EAX], AL
    0x15d000c ff             DB 0xff
    0x15d000d ff00           INC DWORD [EAX]
    0x15d000f 00b800000000   ADD [EAX+0x0], BH
    0x15d0015 0000           ADD [EAX], AL
    0x15d0017 004000         ADD [EAX+0x0], AL
    0x15d001a 0000           ADD [EAX], AL
    0x15d001c 0000           ADD [EAX], AL
    0x15d001e 0000           ADD [EAX], AL
    0x15d0020 0000           ADD [EAX], AL
    0x15d0022 0000           ADD [EAX], AL
    0x15d0024 0000           ADD [EAX], AL
    0x15d0026 0000           ADD [EAX], AL
    0x15d0028 0000           ADD [EAX], AL
    0x15d002a 0000           ADD [EAX], AL
    0x15d002c 0000           ADD [EAX], AL
    0x15d002e 0000           ADD [EAX], AL
    0x15d0030 0000           ADD [EAX], AL
    0x15d0032 0000           ADD [EAX], AL
    0x15d0034 0000           ADD [EAX], AL
    0x15d0036 0000           ADD [EAX], AL
    0x15d0038 0000           ADD [EAX], AL
    0x15d003a 0000           ADD [EAX], AL
    0x15d003c d000           ROL BYTE [EAX], 0x1
    0x15d003e 0000           ADD [EAX], AL

malfind reports two suspicious ranges in explorer.exe. The first, at 0x1600000, is not an executable image but a series of short stubs: MOV EAX, imm32 followed by a JMP into ntdll (0x7c90xxxx), and MOV EDI, EDI / PUSH EBP / MOV EBP, ESP followed by a JMP into other system DLLs. These are the displaced first instructions of hooked API functions, the trampolines through which the hooks return to the original code. The second range, at 0x15d0000, begins with the MZ signature: a complete PE image has been written into the memory of explorer.exe without any file mapping, which is how Zeus installs itself in other processes. The disassembly of that range is meaningless (DEC EBP and POP EDX are simply the bytes 'M' and 'Z'), which in itself tells the analyst that the range holds a PE header rather than code. With --dump-dir both ranges are written to outdir, where they can be examined further or searched for known strings.

Strings and byte sequences recovered from such dumps can be turned into signatures to find the same code in other processes or other images. Yara is a tool for describing malware families by textual or binary patterns, and volatility uses it through yara-python in the yarascan command, which applies a set of Yara rules to the memory of every process and reports the matching locations. A Yara rule has two sections: strings defines the patterns (text strings, hex byte sequences or regular expressions, optionally with modifiers such as fullword and wide), and condition states which combination of them constitutes a match. An example rule file describing three banker families:

    rule xmlc : banker
    {
        strings:
            $a = "/c del" fullword
            $b = "PostDel" fullword
            $c = ">> NUL" fullword
            $d = "LOADXML"
            $e = "lm.dat"
            $f = "---------------%s----------------"
            $g = /(\x00|\x20)([a-z0-9]{5,8}\.dll)\x00{1,8}/
        condition:
            filesize < 50KB and (3 of ($a,$b,$c,$d,$e,$f) or #g >= 2)
    }
    rule silent_banker : banker
    {
        strings:
            $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
            $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
            $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"
        condition:
            $a or $b or $c
    }

    rule zbot : banker
    {
        strings:
            $a = "__SYSTEM__" wide
            $b = "*tanentry*"
            $c = "*<option"
            $d = "*<select"
            $e = "*<input"
        condition:
            ($a and $b) or ($c and $d and $e)
    }

yarascan takes the rule file with --yara-file and scans the memory of every process in the image. Against the Zeus image, the zbot rule (Zeus is also known as Zbot) matches in the memory of the System process (Pid 4), once on the wide string __SYSTEM__ and once on the HTML-injection markers *<select, *<option and *<input:

    $ vol.py -f zeus.vmem yarascan --yara-file=malwarerule --dump-dir=outdir
    Rule: zbot
    Owner: Process System Pid 4
    0x00a658  5f 00 5f 00 53 00 59 00 53 00 54 00 45 00 4d 00   _._.S.Y.S.T.E.M.
    0x00a668  5f 00 5f 00 36 00 34 00 41 00 44 00 30 00 36 00   _._.6.4.A.D.0.6.
    0x00a678  32 00 35 00 5f 00 5f 00 00 00 00 00 2a 2f 2a 00   2.5._._.....*/*.
    0x00a688  00 00 00 00 2f 00 00 00 4d 6f 7a 69 6c 6c 61 2f   ..../...Mozilla/
    Rule: zbot
    Owner: Process System Pid 4
    0x00a3014  2a 3c 73 65 6c 65 63 74 20 00 00 00 2a 3c 6f 70   *<select ...*<op
    0x00a3024  74 69 6f 6e 20 20 73 65 6c 65 63 74 65 64 00 00   tion  selected..
    0x00a3034  2a 3c 69 6e 70 75 74 20 2a 76 61 6c 75 65 3d 22   *<input *value="
    0x00a3044  00 00 00 00 42 00 4f 00 46 00 41 00 20 00 61 00   ....B.O.F.A. .a.

Yara: http://code.google.com/p/yara-project
7. Extracting executables

volatility can also reconstruct the PE files of a process (the executable itself and its DLLs) from memory, so that the binary of a suspicious process can be handed to static analysis or to a scanner even when the file on disk has been deleted or replaced. A PE image in memory is not identical to the file on disk, however. In the file, the sections follow each other according to the file alignment; when the loader maps the image, each section is placed at its virtual address, aligned to the page size (4096 bytes on x86), so the gaps between sections in memory differ from those in the file (Figure 6). The memory-resident image also reflects the current run-time state of the process rather than the initial contents of the file.

In the example of Figure 6 the .text section is mapped readable and executable (RX), while .data is readable, writable and executable (RWX). When the image is written back to a file, the section headers in the PE header decide where the bytes of each section go; the bytes between the end of a section's data and the next alignment boundary are slack space, which carries no information of the program itself.

Figure 6. A PE file on disk and as mapped in memory

volatility offers two commands for this: procexedump, which rebuilds the file from the section headers and omits the slack space, and procmemdump, which dumps the whole memory-resident image including the slack. Both need a PE header that is still intact in memory. As an example the Laqma sample is used: pslist gives the EPROCESS offset and the PID of the suspicious process, either of which can be passed to procexedump.

    $ vol.py -f laqma.vmem pslist
    Offset(V)   Name            PID   PPID  Thds  Hnds  Start
    ----------  --------------  ----  ----  ----  ----  -------------------
    0xff3667e8  VMwareTray.exe  432   724         49    2010-08-11 06:09:3
    0xff3825f8  lanmanwrk.exe   80    060   2     75    2010-08-15 9:09:2