Tuesday, January 21, 2014

When we are involved in an incident handling and we are in charge of analyzing a traffic capture in a pcap format related to an attack, one of the things we usually need to do is get the files which were downloaded. The reason is that we need to have a copy of the malware or the exploit to analyze it by reversing engineer or similar... 

We usually detect the original sources where these files were downloaded from just analyzing the pcap file, but they disappear in a short period of time from they were originally hosted. Because of that, we will need to extract them directly from the pcap file.

In this post, I will show you three different ways to achieve this goal using the the pcap hosted in Barracuda related to the www.php.net compromise which can be downloaded here:


As you know, Wireshark is the most popular network protocol analyzer. It is capable of extracting all the files which were downloaded and captured.

If you load the pcap file in you Wireshark and use the command below...
http contains "in DOS mode"

... you can check that some executables were downloaded.

We are able to download all files which were downloaded like executables, pictures, javascripts, etc... by clicking File --> Export Objects --> HTTP and clicking on "Save all".

In the picture below shows you the files which are been recovered.

We use the command below to filter only the executables.

If we upload these files to Virustotal, we check that all of them have been categorized as malicious.


NetworkMiner is another Network Forensic Analysis Tool (NFAT) for Windows. Also, it can be installed on Linux using Mono. This tool is a great alternative to Wireshark if you just want to extract the files which were downloaded, look at the sessions, discover the DNS queries or get details about the mails detected from a pcap file.

Just loaded the traffic capture file, Network Minner downloads all files from it. Because of that, if you are using an Antivirus, It is possible it warns you if some file is detected as malicious.

You can find the folder where files have been recovered by right-clicking on a file and selecting "Open Folder". In the Picture below you can see this folder.

If we get the SHA256 checksum of the PE files, we can see that the results are exactly the same than using Wireshark. We have got the sames files.


Foremost is a well known file carving tool. It was developed by the United States Air Force Office of Special Investigations and The Centre for Information Systems Security Studies and Research and now, it has been opened to the general public.

This tool has been designed to work on image files, such as those generated by dd, Safeback, Encase, etc, or directly on a drive...

Although I usually use Wireshark or NetworkMinner I have read some blogs where they describe how to use Foremost to extract files from a pcap file. For this, I have decided to use it in our example.

Just downloaded we extract all files from the pcap file, we execute the command in the picture below to extract all the files.

We can check that a "/output/exe" folder has been created containing six files.

But the checksum is different than we got with Wireshark or NetworkMinner. It seems like Foremost hasn't work well with the pcap file... For this reason I don't usually use it with a pcap file...

I've uploaded these files to my Cuckoo Sandbox and it seems to be corrupted because the files couldn't run properly...

The VirusTotal links below redirect you to the reports of the corrupted executables:

Posted on Tuesday, January 21, 2014 by Javier Nieto

1 comment

Sunday, January 12, 2014

You can read the first part of this post here:



If we use the command below, we can see the strings of these exported files in order to try to locate some interesting words...
strings evidences/process.*

Thank to Volatility we can find the apihooks of this memory dump. In the picture below, you will see the apihooks related with the malicious process 1928.
python2 vol.py -f stuxnet.vmem malfind apihooks –p 1928

These calls are directly linked to the Stuxnet worm. You can read the article below from Symantec.



With modscan we can pick up previously unloaded drivers and drivers that have been hidden/unlinked by rootkits.
python2 vol.py -f stuxnet.vmem modscan

The first driver draws our attention… Please, take notes of the “Base” value (0xb21d08000) because we will export it with the command bellow.
python2 vol.py -f stuxnet.vmem moddump --dump-dir evidences/ --base 0xb21d8000

We get the sha256 hash of this driver...
sha256sum evidences/driver.b21d8000.sys

...and we upload it to www.virustotal.com

Here you have the report where you will see that this drivers has been  recognized as malicious.


We have just detected a malicious driver but I think that it’s necessary to look for more  drivers with a similar name in order to try to find a new ones...
python2 vol.py -f stuxnet.vmem modscan | grep mrx

Ok. Let’s go to export the second suspicious driver. We will follow the same steps as described above.
python2 vol.py -f stuxnet.vmem moddump --dump-dir evidences/ --base 0xf895a000


We have just found two malicious drivers: mrxcls.sys and mrxnet.sys.

I checked with the same commands the other two drivers and they aren’t categorized as malicious files. This is the reason I haven't show you.


In this section, we will detect the register keys that have been added to the computer. With the command below, we will see a lot of them.
strings stuxnet.vmem | grep –i mrx | grep -i Services

We can obtain valuable information about some of them with the next commands.
python2 vol.py -f stuxnet.vmem printkey -K 'ControlSet001\Services\MrxNet'

python2 vol.py stuxnet .vmem printkey -K 'ControlSet001\Services\MrxCls'

With these key registers, Stuxnet will be started in each computer restart.

Posted on Sunday, January 12, 2014 by Javier Nieto

No comments

Monday, January 06, 2014

Stuxnet could be the first advanced malware. It is thought that it was developed by the United States and Israel to attack Iran's nuclear facilities. It attacked Windows systems using a zero-day exploit and It was focused on SCADA systems in order to  affect critical infrastructures... Also, it may be spread from USB drivers. It is necessary a squad of highly capable programmers with depth of knowledge of industrial processes and an interest in attacking industrial infrastructure to develop this malware.

Kaspersky Lab concluded that the sophisticated attack could only have been conducted "with nation-state support" and a study of the spread of Stuxnet by Symantec says that it was spread to Iran (58.85%), Indonesia (18.22%), India (8.31%), Azerbaijan (2.57%)....

Thanks to Malware Cookbook we can download a memory dump from an infected host with this malware in the URL below: 


Ok, let’s go. We are going to analyze it with Volatility.


First of all we want to get more info of the memory image. With the command below we can see the volatility suggested profile and when the image was dumped. In this case it was in 2011-06-03.
python2 vol.py -f stuxnet.vmem imageinfo

It is a good practice to export the profile WinXPSP3x86 in order not to specify more this profile in the Volatility commands.


First of all, I usually want to know what process was running the computer when the memory was dumped.

Notice you will see that three lsass.exe processes were running… It draws our attention.

  • lsass.exe Pid 680
  • lsass.exe Pid 868
  • lsass.exe Pid 1928
python2 vol.py -f stuxnet.vmem pslist

We know that lsass.exe is one of the first processes to start when Windows boots. Because of this, it’s normal that “lsass.exe” has a lower Pid. You can see when the three lsass.exe process started in the picture above:

  • Pid 680 started at 2010-10-29 17:08:54
  • Pid 868 started at 2011-06-03 04:26:55
  • Pid 1928 started at 2011-06-03 04:26:55

You can see the “lsass.exe” with lower Pid (680) started in 2010 and the other ones with higher Pid (868 and 1928) started in 2011. It isn’t a normal behavior.

In the picture below we can notice that Winlogon.exe (Pid 624) started one of the “lsass.exe” process (Pid 680). This is a really good indication of which “lsass.exe” isn’t malicious, because Winlogon.exe always starts the real “lsass.exe”. The “lsass.exe” with Pid 868 and 1928 was started by the “services.exe” process. It isn’t a normal behavior. They could be malicious processes.
python2 vol.py -f stuxnet.vmem pstree | egrep '(services.exe|lsass.exe|winlogon.exe)'

We have just discovered two suspicious processes.


It is really important to indentify if theses suspicious processes were making connections.  With the command below we can check it.
python2 vol.py -f stuxnet.vmem connections

No connections were establishing when the memory was dumped. Now, we are going to see the ports that were listening in the computer.

In the picture bellow you will see a “lsass.exe” with Pid 680 is bound to Port 500 and 4500, while “lsass.exe” with Pid 868 and the another one with Pid 1928 are not listening in these ports. It seems again that the “lsass.exe” with the PID 680 has a normal behavior because this process usually listens on these ports.
python2 vol.py -f stuxnet.vmem sockets


The “lsass.exe” process with PID 680 appears to be a normal process… What’s happened with the other ones?

With the command below, we can check that “lsass.exe” with Pid 868 and Pid 1928 have a load lower DLLs.
python2 vol.py -f stuxnet.vmem dlllist –p 680 | wc –l

python2 vol.py -f stuxnet.vmem dlllist –p 868 | wc –l

python2 vol.py -f stuxnet.vmem dlllist –p 1928 | wc –l

Also, we can detect that the process with Pid 1928 has unlinked DLLs.
python2 vol.py -f stuxnet.vmem ldrmoudles –p 1928

We can get more information about it with this command.
python2 vol.py -f stuxnet.vmem ldrmoudles –p 1928 -v

These kernel calls are directly related with stuxnet worm. See the URL below:



The malfind command helps us to find hidden or injected code/DLLs in the user mode memory. Then we are going to export these DLLs and we will upload them to www.virustotal.com in order to check if an anti-virus detects them.

We already know that the process with PID 680 is normal. For this reason we will continue with the other ones.
python2 vol.py -f stuxnet.vmem malfind –p 868 –dump-dir evidences/

We can see two files have been created. We continue doing the same with the “lsass.exe” process with Pid 1928.
python2 vol.py -f stuxnet.vmem malfind –p 1928 –dump-dir evidences/

The next step will be to upload to www.virustotal.com these files in order to check if some anti-virus vendor detects them as malicious files. In order to not upload the files, we will obtain the sha256 checksum of the files and then we will search on the Virustotal website.
sha256sum *.dmp

Here, you have the links to Virustotal with the report of the files which have been analyzed:








Notice that the majority of them have been detected as Stuxnet Worm

Stuxnet Trojan - Memory Forensics with Volatility |  Part II

Continue reading the second part here:

Posted on Monday, January 06, 2014 by Javier Nieto

No comments