DETECTING API CALLS
If we use the command below, we can see the strings of these exported files in order to try to locate some interesting words...
Thank to Volatility we can find the apihooks of this memory dump. In the picture below, you will see the apihooks related with the malicious process 1928.
python2 vol.py -f stuxnet.vmem malfind apihooks –p 1928
These calls are directly linked to the Stuxnet worm. You can read the article below from Symantec.
DETECTING MALICIOUS DRIVERS
With modscan we can pick up previously unloaded drivers and drivers that have been hidden/unlinked by rootkits.
python2 vol.py -f stuxnet.vmem modscan
The first driver draws our attention… Please, take notes of the “Base” value (0xb21d08000) because we will export it with the command bellow.
python2 vol.py -f stuxnet.vmem moddump --dump-dir evidences/ --base 0xb21d8000
We get the sha256 hash of this driver...
...and we upload it to www.virustotal.com
Here you have the report where you will see that this drivers has been recognized as malicious.
We have just detected a malicious driver but I think that it’s necessary to look for more drivers with a similar name in order to try to find a new ones...
python2 vol.py -f stuxnet.vmem modscan | grep mrx
Ok. Let’s go to export the second suspicious driver. We will follow the same steps as described above.
python2 vol.py -f stuxnet.vmem moddump --dump-dir evidences/ --base 0xf895a000
We have just found two malicious drivers: mrxcls.sys and mrxnet.sys.
I checked with the same commands the other two drivers and they aren’t categorized as malicious files. This is the reason I haven't show you.
DETECTING REGISTER KEYS
In this section, we will detect the register keys that have been added to the computer. With the command below, we will see a lot of them.
strings stuxnet.vmem | grep –i mrx | grep -i Services
We can obtain valuable information about some of them with the next commands.
python2 vol.py -f stuxnet.vmem printkey -K 'ControlSet001\Services\MrxNet'
python2 vol.py stuxnet .vmem printkey -K 'ControlSet001\Services\MrxCls'
With these key registers, Stuxnet will be started in each computer restart.