You can read the first part of this post here:


With the command below we can list the strings of the exported files and look for interesting words...
strings evidences/process.*

Thanks to Volatility we can find the API hooks in this memory dump. In the picture below you will see the apihooks output for the malicious process 1928.
python2 vol.py -f stuxnet.vmem apihooks -p 1928

These hooks are directly linked to the Stuxnet worm. You can read the article below from Symantec.


With modscan we can pick up previously unloaded drivers and drivers that have been hidden/unlinked by rootkits.
python2 vol.py -f stuxnet.vmem modscan

The first driver draws our attention... Please take note of the "Base" value (0xb21d8000), because we will export it with the command below.
python2 vol.py -f stuxnet.vmem moddump --dump-dir evidences/ --base 0xb21d8000

We get the sha256 hash of this driver...
sha256sum evidences/driver.b21d8000.sys

...and we upload it to

Here is the report, in which you will see that this driver has been recognized as malicious.

We have just detected a malicious driver, but I think it is necessary to look for more drivers with a similar name in order to find new ones...
python2 vol.py -f stuxnet.vmem modscan | grep mrx

Ok. Let's export the second suspicious driver. We will follow the same steps as described above.
python2 vol.py -f stuxnet.vmem moddump --dump-dir evidences/ --base 0xf895a000

We have just found two malicious drivers: mrxcls.sys and mrxnet.sys.

I checked the other two drivers with the same commands and they aren't categorized as malicious files. This is the reason I haven't shown them to you.
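The driver hunt above (modscan, filter by name, moddump by base address, sha256sum) is easy to script. The following is an added example, not code from the post or from Volatility: it parses Volatility 2 modscan output, flags drivers by name, builds the matching moddump commands and hashes whatever moddump produced. The modscan text is constructed; only the mrxcls.sys and mrxnet.sys base addresses come from the post, and the image and output-directory names are assumptions.

```python
import hashlib
import re
from pathlib import Path

# Constructed sample of Volatility 2 `modscan` output. Only the mrxcls.sys and
# mrxnet.sys base addresses come from the post; everything else is made up.
MODSCAN_SAMPLE = r"""Volatility Foundation Volatility Framework 2.6
Offset(P)          Name                 Base                             Size File
------------------ -------------------- ------------------ ------------------ ----
0x0000000001a26a10 mrxcls.sys           0xb21d8000                     0x6000 \??\C:\WINDOWS\system32\Drivers\mrxcls.sys
0x0000000001a93b90 mrxnet.sys           0xf895a000                     0x4000 \??\C:\WINDOWS\system32\Drivers\mrxnet.sys
0x0000000001b1c3c8 mrxsmb.sys           0xf7a3d000                    0x6b000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x0000000001c0a1e8 ntfs.sys             0xf7bd5000                    0x8e000 \SystemRoot\system32\drivers\ntfs.sys
"""

# Offset(P)  Name  Base  Size  File; banner, header and rule lines do not match.
ROW_RE = re.compile(r"^(0x[0-9a-f]+)\s+(\S+)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(.*)$", re.I)

def parse_modscan(text):
    """Return one dict per module row of modscan output."""
    modules = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            _offset, name, base, size, path = m.groups()
            modules.append({"name": name, "base": int(base, 16),
                            "size": int(size, 16), "path": path.strip()})
    return modules

def flag_modules(modules, name_pattern=r"^mrx"):
    """Modules whose name matches the pattern (the post's `grep mrx`). Every hit
    is kept for dumping and hashing: a familiar name alone never clears a driver."""
    rx = re.compile(name_pattern, re.I)
    return [m for m in modules if rx.search(m["name"])]

def moddump_commands(flagged, image="stuxnet.vmem", dump_dir="evidences/"):
    """One Volatility 2 moddump invocation per flagged driver, keyed on its base."""
    return [f"python2 vol.py -f {image} moddump --dump-dir {dump_dir} --base 0x{m['base']:x}"
            for m in flagged]

def dumped_driver_sha256(module, dump_dir="evidences/"):
    """moddump writes driver.<base>.sys (e.g. evidences/driver.b21d8000.sys);
    return its SHA-256 for a reputation lookup, or None if the dump is missing."""
    path = Path(dump_dir) / f"driver.{module['base']:x}.sys"
    return hashlib.sha256(path.read_bytes()).hexdigest() if path.is_file() else None

if __name__ == "__main__":
    hits = flag_modules(parse_modscan(MODSCAN_SAMPLE))
    for cmd, mod in zip(moddump_commands(hits), hits):
        print(cmd, "| sha256:", dumped_driver_sha256(mod))
```

Run the printed moddump commands against the real image first; on a second run the script hashes the resulting evidences/driver.*.sys files so each one can be checked against a reputation service.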


In this section we will detect the registry keys that have been added to the computer. With the command below we will see a lot of them.
strings stuxnet.vmem | grep -i mrx | grep -i Services

We can obtain valuable information about some of them with the following commands.
python2 vol.py -f stuxnet.vmem printkey -K 'ControlSet001\Services\MrxNet'

python2 vol.py -f stuxnet.vmem printkey -K 'ControlSet001\Services\MrxCls'

With these registry keys, Stuxnet is started every time the computer restarts.