http://www.behindthefirewalls.com/2013/12/stuxnet-trojan-memory-forensics-with_16.html
DETECTING API CALLS
If we run the command below, we can list the strings in the exported process files and look for interesting words...
strings evidences/process.*
Thanks to Volatility we can find the API hooks in this memory dump. In the picture below, you will see the API hooks related to the malicious process 1928.
python2 vol.py -f stuxnet.vmem apihooks -p 1928
These calls are directly linked to the Stuxnet worm. You can read the article below from Symantec.
http://www.symantec.com/connect/blogs/w32stuxnet-installation-details
DETECTING MALICIOUS DRIVERS
With modscan we can pick up previously unloaded drivers and drivers that have been hidden/unlinked by rootkits.
python2 vol.py -f stuxnet.vmem modscan
The first driver draws our attention... Please take note of the “Base” value (0xb21d8000), because we will export it with the command below.
python2 vol.py -f stuxnet.vmem moddump --dump-dir evidences/ --base 0xb21d8000
We get the sha256 hash of this driver...
sha256sum evidences/driver.b21d8000.sys

...and we upload it to www.virustotal.com
Here you have the report, where you will see that this driver has been recognized as malicious.
https://www.virustotal.com/en/file/6aa1f54fbd8c79a3109bfc3e7274f212e5bf9c92f740d5a194167ea940c3d06c/analysis/
We have just detected a malicious driver, but I think it’s necessary to look for more drivers with a similar name in order to try to find new ones...
python2 vol.py -f stuxnet.vmem modscan | grep mrx
Ok. Let’s export the second suspicious driver. We will follow the same steps as described above.
python2 vol.py -f stuxnet.vmem moddump --dump-dir evidences/ --base 0xf895a000
https://www.virustotal.com/en/file/6bc86d3bd3ec0333087141215559aec5b11b050cc49e42fc28c2ff6c9c119dbd/analysis/
We have just found two malicious drivers: mrxcls.sys and mrxnet.sys.
I checked the other two drivers with the same commands and they aren’t categorized as malicious files. This is the reason I haven't shown them.
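As an added example (not code from the original post), a small Python helper that automates the modscan → moddump → sha256 steps above: it parses Volatility 2 modscan output, applies the same name filter as `grep -i mrx`, builds the moddump commands and hashes the dumped bytes. The sample modscan output is constructed; only the two mrx* base addresses come from the post.

```python
"""Triage helper for the modscan -> moddump -> sha256 workflow above (example code)."""
import hashlib
import re
import shlex

# Volatility 2 modscan columns: Offset(P)  Name  Base  Size  File
MODSCAN_ROW = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+(?P<name>\S+)\s+(?P<base>0x[0-9a-fA-F]+)"
    r"\s+(?P<size>0x[0-9a-fA-F]+)\s+(?P<path>.*)$"
)

# Constructed sample output. Only the mrxcls/mrxnet base addresses come from
# the post; offsets, sizes, paths and the other rows are made up for illustration.
SAMPLE_MODSCAN = """\
Offset(P)          Name                 Base                             Size File
------------------ -------------------- ------------------ ------------------ ----
0x0000000001fd3b68 mrxcls.sys           0x00000000b21d8000             0x9000 \\??\\C:\\WINDOWS\\system32\\Drivers\\mrxcls.sys
0x00000000021a4c20 mrxnet.sys           0x00000000f895a000             0x5000 \\??\\C:\\WINDOWS\\system32\\Drivers\\mrxnet.sys
0x00000000022f1d88 mrxsmb.sys           0x00000000f7c21000            0x6c000 \\SystemRoot\\system32\\DRIVERS\\mrxsmb.sys
0x0000000002401e40 ntoskrnl.exe         0x00000000804d7000           0x1f8000 \\WINDOWS\\system32\\ntoskrnl.exe
"""

def parse_modscan(text):
    """Parse modscan rows into dicts; the header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = MODSCAN_ROW.match(line.strip())
        if m:
            row = m.groupdict()
            row["base"] = int(row["base"], 16)
            rows.append(row)
    return rows

def find_modules(rows, pattern):
    """Name filter equivalent to `modscan | grep -i <pattern>`. A name match is
    only a lead: mrxsmb.sys is the legitimate SMB redirector, so the hash decides."""
    rx = re.compile(pattern, re.I)
    return [r for r in rows if rx.search(r["name"])]

def moddump_commands(modules, image="stuxnet.vmem", dump_dir="evidences/"):
    """Build one moddump command per module, in the form used in the post."""
    return [f"python2 vol.py -f {shlex.quote(image)} moddump --dump-dir "
            f"{shlex.quote(dump_dir)} --base {m['base']:#x}" for m in modules]

def sha256_bytes(data):
    """Hash the dumped driver bytes; the digest is what you look up on VirusTotal."""
    return hashlib.sha256(data).hexdigest()
```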
DETECTING REGISTRY KEYS
In this section, we will detect the registry keys that have been added to the computer. With the command below, we will see many of them.
strings stuxnet.vmem | grep -i mrx | grep -i Services
We can obtain valuable information about some of them with the next commands.
python2 vol.py -f stuxnet.vmem printkey -K 'ControlSet001\Services\MrxNet'
python2 vol.py -f stuxnet.vmem printkey -K 'ControlSet001\Services\MrxCls'
With these registry keys, Stuxnet will be started on each computer restart.