Memory Analysis of DarkComet using VolDiff

aim4r edited this page Jun 19, 2015 · 1 revision

In this wiki page we will be using VolDiff to analyze a memory image of a Windows 7 system that has been infected with the DarkComet RAT.

A detailed memory analysis of DarkComet was provided in the past by TekDefense in this recommended read. The purpose of this wiki page is not to duplicate the TekDefense analysis, but to demonstrate the automation that VolDiff provides for detecting and dissecting the threat.

Downloading the memory image

The DarkComet memory image has been made available by TekDefense and can be downloaded using this link.

Running VolDiff

We will be using an Ubuntu 14.04 desktop system with the Volatility framework installed.

Let's use the --help switch to find the correct VolDiff syntax to use:

python2.7 VolDiff.py --help

Usage: ./VolDiff.py [BASELINE_IMAGE] INFECTED_IMAGE PROFILE [OPTIONS]

Options:
--help              display this help and exit
--version           display version information and exit
--dependencies      display information about script dependencies and exit
--malware-checks    hunt and report suspicious anomalies (slow, recommended)
--no-report         do not create a report

In this case, all we have is an "infected" memory image with no clean image to use as a baseline. The correct profile to use is Win7SP1x86. Let's not forget to append the recommended --malware-checks option, which instructs VolDiff to identify and report threat/malware artifacts:

python2.7 VolDiff.py path/to/DarkComet/image.raw Win7SP1x86 --malware-checks

VolDiff will run a selection of 40+ Volatility plugins against the memory image. Once that is done, and since we have opted for the --malware-checks option, VolDiff will analyse the output of these plugins and report the anomalies identified. The entire process usually takes no less than 10 minutes to complete.

VolDiff: Malware Memory Footprint Analysis (v2.1)

Only one memory image specified: standalone mode
Path to memory image: path/to/DarkComet/image.raw
Profile: Win7SP1x86

Running a selection of volatility plugins (time consuming):
Volatility plugin handles execution in progress...
Volatility plugin psxview execution in progress...
...
Volatility plugin gditimers execution in progress...
Volatility plugin ssdt execution in progress...

Hunting for malicious artifacts in memory...

VolDiff execution completed in 10 minutes and 30 seconds.

Reviewing Results

VolDiff stores the output of the Volatility plugins in a folder named VolDiff_DD-MM-YYYY_HH:MM. A text report with the name VolDiff_Report.txt is created within that folder.

Since no baseline image was provided to VolDiff, the tool won't be able to spot/report the exact changes that the malware execution introduced to the system. Nonetheless, the Volatility plugin execution results provide a wealth of information for VolDiff to be able to identify abnormal processes, injected code, suspicious timers etc.

Suspicious IP address

The first section of the VolDiff report will highlight the unique IP addresses that were found in the output of plugins such as netscan and iehistory:

IP addresses found in netscan output.
=======================================
192.168.26.136
176.106.48.182

While the first IP address in the list is obviously a private one, 176.106.48.182 definitely warrants further investigation. A quick search on VirusTotal shows that the IP is indeed associated with malicious activity.
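The IP triage above can be reproduced outside VolDiff. The following Python 3 script is an added example (not VolDiff's own code): it pulls IPv4 addresses out of netscan-style output, drops private, loopback and unspecified addresses, and keeps the routable ones that deserve a reputation lookup. The netscan lines are a constructed sample in the plugin's layout, not rows from the DarkComet image.

```python
import ipaddress
import re

# Constructed sample in the layout of Volatility's netscan plugin (offset,
# proto, local address, foreign address, state, pid, owner). Only the two IPs
# reported by VolDiff above are real; the ports and other rows are made up.
NETSCAN_SAMPLE = """\
0x3e1b5008 TCPv4  192.168.26.136:49161  176.106.48.182:8080  ESTABLISHED  1524  runddl32.exe
0x3e2c0b10 UDPv4  0.0.0.0:5355          *:*                               1032  svchost.exe
0x3e3f1a20 TCPv4  0.0.0.0:135           0.0.0.0:0            LISTENING     716  svchost.exe
0x3e4a0c30 TCPv4  127.0.0.1:49155       127.0.0.1:49156      ESTABLISHED   604  lsass.exe
"""

# Dotted quads not glued to other digits or dots (so ports and offsets are ignored)
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def triage_ips(plugin_output):
    """Return {'routable': [...], 'internal': [...]} of unique IPv4 addresses.

    'internal' covers RFC 1918, loopback, unspecified and multicast addresses,
    which are noise for a C2 hunt; 'routable' addresses are the ones worth a
    VirusTotal or threat-intel lookup (176.106.48.182 in the report above).
    """
    routable, internal = set(), set()
    for match in IPV4_RE.findall(plugin_output):
        try:
            ip = ipaddress.IPv4Address(match)
        except ValueError:          # e.g. 999.1.1.1 still matches the regex
            continue
        if ip.is_private or ip.is_loopback or ip.is_unspecified or ip.is_multicast:
            internal.add(ip)
        else:
            routable.add(ip)
    return {"routable": [str(ip) for ip in sorted(routable)],
            "internal": [str(ip) for ip in sorted(internal)]}


if __name__ == "__main__":
    for kind, ips in triage_ips(NETSCAN_SAMPLE).items():
        print("%s: %s" % (kind, ", ".join(ips) or "-"))
```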

Malicious processes

VolDiff runs a number of checks to identify the suspicious processes within the memory image. Examples include child/parent process relationships, process sessions, execution paths, etc. All the checks are solely based on the output of Volatility plugins such as pslist, psscan, dlllist and malfind.

Within the DarkComet memory image, VolDiff spotted an unusual parent process ID, 3220, which has four children, three of which are highly suspicious cmd.exe instances:

Parent process with PPID 3220 is not listed in psscan output.
===============================================================
Offset(P)          Name                PID   PPID PDB        Time created                   
------------------ ---------------- ------ ------ ---------- -----------------------------
0x000000003e859af0 cmd.exe            3656   3220 0x3f57a4c0 2014-02-03 12:27:17 UTC+0000
0x000000003e935af0 cmd.exe            3656   3220 0x3f57a4c0 2014-02-03 12:27:17 UTC+0000
0x000000003fb35d40 cmd.exe            1128   3220 0x3f57a500 2014-02-03 12:27:17 UTC+0000
0x000000003fb36030 runddl32.exe       1524   3220 0x3f57a5a0 2014-02-03 12:27:18 UTC+0000 

The fourth child is runddl32.exe, which has a suspicious name and runs from a temporary folder. Again, this information is highlighted in the VolDiff report:

Process runddl32.exe (PID 1524) is running from a temporary folder (\users\tekdef~1\appdata\local\temp\msdcsc\runddl32.exe).
========================================================================
Offset(P)          Name                PID   PPID PDB        Time created                  
------------------ ---------------- ------ ------ ---------- ------------------------------ 
0x000000003fb36030 runddl32.exe       1524   3220 0x3f57a5a0 2014-02-03 12:27:18 UTC+0000

If any process is identified as potentially malicious by VolDiff, more information will be collected and reported about it further down the line in the report. In the DarkComet memory image case, no less than three processes will be thoroughly analysed by VolDiff, for different reasons detailed in the report as follows:

Processes that will be analysed in the next section:
=======================================================
runddl32.exe (1524): non-default process, potential code injection, running from a temporary folder.
notepad.exe (1896): non-default process, potential code injection.
explorer.exe (2052): potential code injection.
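The "parent not listed in psscan output" check is simple enough to reproduce by hand. The Python 3 script below is an added example, not VolDiff's own code: it parses psscan/pslist-style rows and maps every PPID that has no matching PID to the children it spawned. The rows with PPID 3220 and the notepad.exe row mirror the report above; the System, smss.exe and explorer.exe rows are constructed so the sample has a realistic tree, including a benign missing parent.

```python
import re

# Constructed sample in the layout of Volatility's psscan output. The rows
# with PPID 3220 and the notepad.exe row mirror the VolDiff report above; the
# first three rows are made up to give the sample a realistic process tree.
PSSCAN_SAMPLE = """\
Offset(P)          Name                PID   PPID PDB        Time created
------------------ ---------------- ------ ------ ---------- -----------------------------
0x000000003e1b0020 System                4      0 0x00185000 2014-02-03 12:20:01 UTC+0000
0x000000003e2c1a30 smss.exe            240      4 0x3f57a040 2014-02-03 12:20:05 UTC+0000
0x000000003e2d2b40 explorer.exe       2052   1900 0x3f57a200 2014-02-03 12:21:10 UTC+0000
0x000000003e859af0 cmd.exe            3656   3220 0x3f57a4c0 2014-02-03 12:27:17 UTC+0000
0x000000003fb35d40 cmd.exe            1128   3220 0x3f57a500 2014-02-03 12:27:17 UTC+0000
0x000000003fb36030 runddl32.exe       1524   3220 0x3f57a5a0 2014-02-03 12:27:18 UTC+0000
0x000000003fb06480 notepad.exe        1896   1524 0x3f57a5c0 2014-02-03 12:27:18 UTC+0000
"""

# offset, name, PID, PPID, PDB, creation time
ROW_RE = re.compile(r"^(0x[0-9a-f]+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(0x[0-9a-f]+)\s+(.+)$")


def parse_psscan(text):
    """Turn psscan/pslist rows into dicts; header and separator lines are skipped."""
    procs = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            _offset, name, pid, ppid, _pdb, created = m.groups()
            procs.append({"name": name, "pid": int(pid), "ppid": int(ppid),
                          "created": created.strip()})
    return procs


def missing_parents(procs):
    """Map every PPID with no matching PID in the listing to its children.

    A missing parent is not proof of malice: explorer.exe's parent
    (userinit.exe) exits normally. Several children created within a second
    of each other by a parent psscan cannot find, as with PPID 3220, is the
    pattern worth a closer look.
    """
    pids = {p["pid"] for p in procs}
    result = {}
    for p in procs:
        if p["ppid"] != 0 and p["ppid"] not in pids:     # PPID 0 is System's parent
            result.setdefault(p["ppid"], []).append("%s (%d)" % (p["name"], p["pid"]))
    return result


if __name__ == "__main__":
    for ppid, children in sorted(missing_parents(parse_psscan(PSSCAN_SAMPLE)).items()):
        print("Parent PID %d not found; children: %s" % (ppid, ", ".join(children)))
```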

In the following section we will explore the information reported by VolDiff about runddl32.exe.

Analysis of runddl32.exe

VirusTotal scan results

When analyzing a suspicious process, VolDiff starts by dumping the process executable to disk using the procdump plugin, then calculates its MD5 hash. Based on that hash, it checks whether a file with the same hash was ever submitted to VirusTotal:

VirusTotal scan results:
---------------------------
MD5 value: f13a88591bfa841ef474bcb5f1cf9067
VirusTotal scan date: 2015-03-28 15:32:17
VirusTotal engine detections: 51/57
Link to VirusTotal report: https://www.virustotal.com/file/d8a9a2ff060cf4f9994a07afbab33054d4e7d784f6987ef8e2fb40a3362363dc/analysis/1427556737/

51 AV engines out of 57 detected the process as malicious. The associated VirusTotal report can be viewed online using this link.

Note that VolDiff does not upload any data to VirusTotal to get those results, other than the MD5 hash of the process executable.

Parent and child processes

VolDiff will then display other information about the suspicious process, such as the psxview output, the associated envars (environment variables), parent/child process information, etc. Here is a brief extract of the report section highlighting the parent and children of runddl32.exe:

Parent process (PPID 3220) is not listed in psscan output:
--------------------------------------------------------------
Offset(P)          Name                PID   PPID PDB        Time created                   
------------------ ---------------- ------ ------ ---------- ------------------------------
0x000000003e859af0 cmd.exe            3656   3220 0x3f57a4c0 2014-02-03 12:27:17 UTC+0000
0x000000003e935af0 cmd.exe            3656   3220 0x3f57a4c0 2014-02-03 12:27:17 UTC+0000  
0x000000003fb35d40 cmd.exe            1128   3220 0x3f57a500 2014-02-03 12:27:17 UTC+0000
0x000000003fb36030 runddl32.exe       1524   3220 0x3f57a5a0 2014-02-03 12:27:18 UTC+0000
Child process(es):
--------------------
Offset(P)          Name                PID   PPID PDB        Time created                   
------------------ ---------------- ------ ------ ---------- ------------------------------ 
0x000000003fb06480 notepad.exe        1896   1524 0x3f57a5c0 2014-02-03 12:27:18 UTC+0000

Code injection (malfind)

One of the best-known and most powerful Volatility plugins is malfind. We can see in the report the associated output for runddl32.exe:

Code injection (malfind):
----------------------------

Process: runddl32.exe Pid: 1524 Address: 0x220000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x00220000  00 00 00 00 59 e9 52 10 20 00 e8 f5 ff ff ff 00   ....Y.R.........
0x00220010  00 00 00 00 00 00 00 e8 e8 ff ff ff 0a 00 22 00   ..............".
0x00220020  00 00 00 00 e8 db ff ff ff 17 00 22 00 00 00 00   ..........."....
0x00220030  00 e8 ce ff ff ff 24 00 22 00 00 00 00 00 e8 c1   ......$.".......

Imports table

Another powerful Volatility plugin is impscan, which can be used to scan the import table of any process within the memory image.

VolDiff uses the information provided by impscan to highlight the interesting imports from a malware analysis perspective:

Interesting imports.
----------------------
Can use antidebug techniques (FindWindowA, FindWindowExA, GetLastError, GetProcessHeap, GetWindowThreadProcessId, Sleep, TerminateProcess, UnhandledExceptionFilter, WSAGetLastError).
Can receive or send files from or to internet (InternetReadFile, URLDownloadToFileA, WSACleanup, WSAGetLastError, WSAIoctl, WSAStartup, __WSAFDIsSet, accept, bind, closesocket, connect, gethostbyaddr, gethostbyname, gethostname, getservbyname, getsockname, inet_addr, inet_ntoa, ioctlsocket, listen, ntohs, select, send, sendto, shutdown, socket).
Can inject code to other processes (CreateProcessA, CreateRemoteThread, FindResourceA, LoadLibraryA, LoadLibraryExA, ResumeThread, SetThreadContext, VirtualAllocEx, VirtualProtectEx, WinExec, WriteProcessMemory, ZwQuerySystemInformation).
Can create or start services (CreateServiceA, OpenServiceA, StartServiceA).
Can track keyboard strokes (GetKeyState, GetKeyboardState).

Strings

Last but not least, VolDiff will perform a quick analysis of the strings present in the dumped process executable, and report any findings of interest:

Suspicious strings from process memory.
----------------------------------------
Web related keyword(s): DOWNLOAD, Download, HTTP, Http, Socket, URLMON, UrlMon, download, http, socket
Information gathering keyword(s): GetHost, GetVolumeInformation, SystemInfo, gethost, systeminfo
Password related keyword(s): PASSWORD, PWD, Password
Executable file(s): \Internet Explorer\iexplore.exe, cmd.exe, explorer.exe, notepad.exe
Keylogger keyword(s): Keylog, SHIFT, Shift

Closing thoughts

The Volatility framework is a very powerful tool that can be used to hunt the most sophisticated malware in the darkest corners of memory. Tools like VolDiff can be very useful to automate (parts of) the memory analysis process using Volatility, and to quickly highlight IOCs and abnormal memory artifacts for further manual inspection.