[root&windows]#volatility -f stuxnet.vmem imageinfo
Volatility Foundation Volatility Framework 2.4
Determining profile based on KDBG search...
Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
AS Layer1 : IA32PagedMemoryPae (Kernel AS)
AS Layer2 : FileAddressSpace (/root/amf/windows/stuxnet.vmem)
PAE type : PAE
DTB : 0x319000L
KDBG : 0x80545ae0L
Number of Processors : 1
Image Type (Service Pack) : 3
KPCR for CPU 0 : 0xffdff000L
KUSER_SHARED_DATA : 0xffdf0000L
Image date and time : 2011-06-03 04:31:36 UTC+0000
Image local date and time : 2011-06-03 00:31:36 -0400
[root&windows]#export profile=WinXPSP3x86
[root&windows]#volatility -f stuxnet.vmem --profile=$profile pslist
Volatility Foundation Volatility Framework 2.4
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c8830 System 4 0 59 403 ------ 0
0x820df020 smss.exe 376 4 3 19 ------ 0 2010-10-29 17:08:53 UTC+0000
0x821a2da0 csrss.exe 600 376 11 395 0 0 2010-10-29 17:08:54 UTC+0000
0x81da5650 winlogon.exe 624 376 19 570 0 0 2010-10-29 17:08:54 UTC+0000
0x82073020 services.exe 668 624 21 431 0 0 2010-10-29 17:08:54 UTC+0000
0x81e70020 lsass.exe 680 624 19 342 0 0 2010-10-29 17:08:54 UTC+0000
0x823315d8 vmacthlp.exe 844 668 1 25 0 0 2010-10-29 17:08:55 UTC+0000
0x81db8da0 svchost.exe 856 668 17 193 0 0 2010-10-29 17:08:55 UTC+0000
0x81e61da0 svchost.exe 940 668 13 312 0 0 2010-10-29 17:08:55 UTC+0000
0x822843e8 svchost.exe 1032 668 61 1169 0 0 2010-10-29 17:08:55 UTC+0000
0x81e18b28 svchost.exe 1080 668 5 80 0 0 2010-10-29 17:08:55 UTC+0000
0x81ff7020 svchost.exe 1200 668 14 197 0 0 2010-10-29 17:08:55 UTC+0000
0x81fee8b0 spoolsv.exe 1412 668 10 118 0 0 2010-10-29 17:08:56 UTC+0000
0x81e0eda0 jqs.exe 1580 668 5 148 0 0 2010-10-29 17:09:05 UTC+0000
0x81fe52d0 vmtoolsd.exe 1664 668 5 284 0 0 2010-10-29 17:09:05 UTC+0000
0x821a0568 VMUpgradeHelper 1816 668 3 96 0 0 2010-10-29 17:09:08 UTC+0000
0x8205ada0 alg.exe 188 668 6 107 0 0 2010-10-29 17:09:09 UTC+0000
0x820ec7e8 explorer.exe 1196 1728 16 582 0 0 2010-10-29 17:11:49 UTC+0000
0x820ecc10 wscntfy.exe 2040 1032 1 28 0 0 2010-10-29 17:11:49 UTC+0000
0x81e86978 TSVNCache.exe 324 1196 7 54 0 0 2010-10-29 17:11:49 UTC+0000
0x81fc5da0 VMwareTray.exe 1912 1196 1 50 0 0 2010-10-29 17:11:50 UTC+0000
0x81e6b660 VMwareUser.exe 1356 1196 9 251 0 0 2010-10-29 17:11:50 UTC+0000
0x8210d478 jusched.exe 1712 1196 1 26 0 0 2010-10-29 17:11:50 UTC+0000
0x82279998 imapi.exe 756 668 4 116 0 0 2010-10-29 17:11:54 UTC+0000
0x822b9a10 wuauclt.exe 976 1032 3 133 0 0 2010-10-29 17:12:03 UTC+0000
0x81c543a0 Procmon.exe 660 1196 13 189 0 0 2011-06-03 04:25:56 UTC+0000
0x81fa5390 wmiprvse.exe 1872 856 5 134 0 0 2011-06-03 04:25:58 UTC+0000
0x81c498c8 lsass.exe 868 668 2 23 0 0 2011-06-03 04:26:55 UTC+0000
0x81c47c00 lsass.exe 1928 668 4 65 0 0 2011-06-03 04:26:55 UTC+0000
0x81c0cda0 cmd.exe 968 1664 0 -------- 0 0 2011-06-03 04:31:35 UTC+0000 2011-06-03 04:31:36 UTC+0000
0x81f14938 ipconfig.exe 304 968 0 -------- 0 0 2011-06-03 04:31:35 UTC+0000 2011-06-03 04:31:36 UTC+0000
[root&windows]#volatility -f stuxnet.vmem --profile=$profile pslist
Volatility Foundation Volatility Framework 2.4
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x81e70020 lsass.exe 680 624 19 342 0 0 2010-10-29 17:08:54 UTC+0000
0x81c498c8 lsass.exe 868 668 2 23 0 0 2011-06-03 04:26:55 UTC+0000
0x81c47c00 lsass.exe 1928 668 4 65 0 0 2011-06-03 04:26:55 UTC+0000
lsass.exe should be started by winlogon.exe.
[root&windows]#volatility -f stuxnet.vmem --profile=$profile psscan | grep 624
0x0000000001fa5650 winlogon.exe 624 376 0x0a940060 2010-10-29 17:08:54 UTC+0000
0x0000000002070020 lsass.exe 680 624 0x0a9400a0 2010-10-29 17:08:54 UTC+0000
Winlogon spawned lsass with PID 680... which is legitimate.
[root&windows]#volatility -f stuxnet.vmem --profile=$profile psscan | grep 668
0x0000000001e47c00 lsass.exe 1928 668 0x0a9403c0 2011-06-03 04:26:55 UTC+0000
0x0000000001e498c8 lsass.exe 868 668 0x0a940360 2011-06-03 04:26:55 UTC+0000
0x0000000002273020 services.exe 668 624 0x0a940080 2010-10-29 17:08:54 UTC+0000
And services.exe spawned two new lsass.exe processes (PIDs 868 and 1928)!
[root&windows]#volatility -f stuxnet.vmem --profile=$profile dlllist -p 1928,868,668
Volatility Foundation Volatility Framework 2.4
************************************************************************
services.exe pid: 668
Command line : C:\WINDOWS\system32\services.exe
Service Pack 3
Base Size LoadCount Path
---------- ---------- ---------- ----
0x01000000 0x1c000 0xffff C:\WINDOWS\system32\services.exe
0x7c900000 0xaf000 0xffff C:\WINDOWS\system32\ntdll.dll
0x7c800000 0xf6000 0xffff C:\WINDOWS\system32\kernel32.dll
0x77dd0000 0x9b000 0xffff C:\WINDOWS\system32\ADVAPI32.dll
0x77e70000 0x92000 0xffff C:\WINDOWS\system32\RPCRT4.dll
0x77fe0000 0x11000 0xffff C:\WINDOWS\system32\Secur32.dll
0x77c10000 0x58000 0xffff C:\WINDOWS\system32\msvcrt.dll
0x5f770000 0xc000 0xffff C:\WINDOWS\system32\NCObjAPI.DLL
0x76080000 0x65000 0xffff C:\WINDOWS\system32\MSVCP60.dll
0x7dbd0000 0x51000 0xffff C:\WINDOWS\system32\SCESRV.dll
0x776c0000 0x12000 0xffff C:\WINDOWS\system32\AUTHZ.dll
0x7e410000 0x91000 0xffff C:\WINDOWS\system32\USER32.dll
0x77f10000 0x49000 0xffff C:\WINDOWS\system32\GDI32.dll
0x769c0000 0xb4000 0xffff C:\WINDOWS\system32\USERENV.dll
0x7dba0000 0x21000 0xffff C:\WINDOWS\system32\umpnpmgr.dll
0x76360000 0x10000 0xffff C:\WINDOWS\system32\WINSTA.dll
0x5b860000 0x55000 0xffff C:\WINDOWS\system32\NETAPI32.dll
0x5cb70000 0x26000 0x1 C:\WINDOWS\system32\ShimEng.dll
0x47260000 0xf000 0x1 C:\WINDOWS\AppPatch\AcAdProc.dll
0x77b40000 0x22000 0x2 C:\WINDOWS\system32\Apphelp.dll
0x77c00000 0x8000 0x4 C:\WINDOWS\system32\VERSION.dll
0x77b70000 0x11000 0x1 C:\WINDOWS\system32\eventlog.dll
0x76bf0000 0xb000 0x3 C:\WINDOWS\system32\PSAPI.DLL
0x71ab0000 0x17000 0xb C:\WINDOWS\system32\WS2_32.dll
0x71aa0000 0x8000 0x9 C:\WINDOWS\system32\WS2HELP.dll
0x76f50000 0x8000 0x1 C:\WINDOWS\system32\wtsapi32.dll
0x76c30000 0x2e000 0x1 C:\WINDOWS\system32\WINTRUST.dll
0x77a80000 0x95000 0x4 C:\WINDOWS\system32\CRYPT32.dll
0x77b20000 0x12000 0x5 C:\WINDOWS\system32\MSASN1.dll
0x76c90000 0x28000 0x2 C:\WINDOWS\system32\IMAGEHLP.dll
0x01020000 0x2c5000 0x1 C:\WINDOWS\system32\xpsp2res.dll
0x68000000 0x36000 0x1 C:\WINDOWS\system32\rsaenh.dll
0x5ad70000 0x38000 0x2 C:\WINDOWS\system32\uxtheme.dll
0x75150000 0x13000 0x1 C:\WINDOWS\system32\Cabinet.dll
0x774e0000 0x13d000 0x6 C:\WINDOWS\system32\ole32.dll
0x013f0000 0x138000 0x1 C:\WINDOWS\system32\KERNEL32.DLL.ASLR.0360c5e2
0x76f20000 0x27000 0x2 C:\WINDOWS\system32\DNSAPI.dll
0x76d60000 0x19000 0x2 C:\WINDOWS\system32\IPHLPAPI.DLL
0x77120000 0x8b000 0x4 C:\WINDOWS\system32\OLEAUT32.dll
0x7c9c0000 0x817000 0x2 C:\WINDOWS\system32\SHELL32.dll
0x77f60000 0x76000 0x8 C:\WINDOWS\system32\SHLWAPI.dll
0x771b0000 0xaa000 0x2 C:\WINDOWS\system32\WININET.dll
0x71ad0000 0x9000 0x2 C:\WINDOWS\system32\WSOCK32.dll
0x773d0000 0x103000 0x2 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
0x5d090000 0x9a000 0x1 C:\WINDOWS\system32\comctl32.dll
************************************************************************
lsass.exe pid: 868
Command line : "C:\WINDOWS\\system32\\lsass.exe"
Service Pack 3
Base Size LoadCount Path
---------- ---------- ---------- ----
0x01000000 0x6000 0xffff C:\WINDOWS\system32\lsass.exe
0x7c900000 0xaf000 0xffff C:\WINDOWS\system32\ntdll.dll
0x7c800000 0xf6000 0xffff C:\WINDOWS\system32\kernel32.dll
0x77dd0000 0x9b000 0xffff C:\WINDOWS\system32\ADVAPI32.dll
0x77e70000 0x92000 0xffff C:\WINDOWS\system32\RPCRT4.dll
0x77fe0000 0x11000 0xffff C:\WINDOWS\system32\Secur32.dll
0x7e410000 0x91000 0xffff C:\WINDOWS\system32\USER32.dll
0x77f10000 0x49000 0xffff C:\WINDOWS\system32\GDI32.dll
************************************************************************
lsass.exe pid: 1928
Command line : "C:\WINDOWS\\system32\\lsass.exe"
Service Pack 3
Base Size LoadCount Path
---------- ---------- ---------- ----
0x01000000 0x6000 0xffff C:\WINDOWS\system32\lsass.exe
0x7c900000 0xaf000 0xffff C:\WINDOWS\system32\ntdll.dll
0x7c800000 0xf6000 0xffff C:\WINDOWS\system32\kernel32.dll
0x77dd0000 0x9b000 0xffff C:\WINDOWS\system32\ADVAPI32.dll
0x77e70000 0x92000 0xffff C:\WINDOWS\system32\RPCRT4.dll
0x77fe0000 0x11000 0xffff C:\WINDOWS\system32\Secur32.dll
0x7e410000 0x91000 0xffff C:\WINDOWS\system32\USER32.dll
0x77f10000 0x49000 0xffff C:\WINDOWS\system32\GDI32.dll
0x00870000 0x138000 0x1 C:\WINDOWS\system32\KERNEL32.DLL.ASLR.0360b7ab
0x76f20000 0x27000 0x2 C:\WINDOWS\system32\DNSAPI.dll
0x77c10000 0x58000 0x27 C:\WINDOWS\system32\msvcrt.dll
0x71ab0000 0x17000 0xa C:\WINDOWS\system32\WS2_32.dll
0x71aa0000 0x8000 0x8 C:\WINDOWS\system32\WS2HELP.dll
0x76d60000 0x19000 0x2 C:\WINDOWS\system32\IPHLPAPI.DLL
0x5b860000 0x55000 0x2 C:\WINDOWS\system32\NETAPI32.dll
0x774e0000 0x13d000 0x5 C:\WINDOWS\system32\ole32.dll
0x77120000 0x8b000 0x4 C:\WINDOWS\system32\OLEAUT32.dll
0x76bf0000 0xb000 0x2 C:\WINDOWS\system32\PSAPI.DLL
0x7c9c0000 0x817000 0x2 C:\WINDOWS\system32\SHELL32.dll
0x77f60000 0x76000 0x8 C:\WINDOWS\system32\SHLWAPI.dll
0x769c0000 0xb4000 0x2 C:\WINDOWS\system32\USERENV.dll
0x77c00000 0x8000 0x2 C:\WINDOWS\system32\VERSION.dll
0x771b0000 0xaa000 0x2 C:\WINDOWS\system32\WININET.dll
0x77a80000 0x95000 0x2 C:\WINDOWS\system32\CRYPT32.dll
0x77b20000 0x12000 0x2 C:\WINDOWS\system32\MSASN1.dll
0x71ad0000 0x9000 0x2 C:\WINDOWS\system32\WSOCK32.dll
0x773d0000 0x103000 0x2 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
0x5d090000 0x9a000 0x1 C:\WINDOWS\system32\comctl32.dll
The rogue processes also hold far fewer handles than the legitimate one:
[root&windows]#volatility -f stuxnet.vmem --profile=$profile handles -p 680 | wc -l
344
[root&windows]#volatility -f stuxnet.vmem --profile=$profile handles -p 1928 | wc -l
67
[root&windows]#volatility -f stuxnet.vmem --profile=$profile handles -p 868 | wc -l
25
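The two checks made by hand above (lsass.exe must be a child of winlogon.exe and there must be only one of it; a copy with very few handles is suspect) are easy to automate over pslist output. The script below is an added example, not part of the original notes or of Volatility itself; its rows are constructed from the pslist table above, and the expected-parent baseline and the 100-handle threshold are assumptions for an XP SP3 image.

```python
"""Check lsass.exe lineage and handle counts in Volatility 2 pslist output.

Added example, not part of the original notes or of Volatility itself.
It parses the whitespace-separated pslist table and automates the three
observations made above: lsass.exe must be a child of winlogon.exe, there
should be only one of it, and a copy with very few handles is suspect.
The rows in PSLIST_SAMPLE are constructed from the pslist output above.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: a subset of the pslist rows shown above.
PSLIST_SAMPLE = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c8830 System                    4      0     59      403 ------      0
0x820df020 smss.exe                376      4      3       19 ------      0 2010-10-29 17:08:53 UTC+0000
0x81da5650 winlogon.exe            624    376     19      570      0      0 2010-10-29 17:08:54 UTC+0000
0x82073020 services.exe            668    624     21      431      0      0 2010-10-29 17:08:54 UTC+0000
0x81e70020 lsass.exe               680    624     19      342      0      0 2010-10-29 17:08:54 UTC+0000
0x81c498c8 lsass.exe               868    668      2       23      0      0 2011-06-03 04:26:55 UTC+0000
0x81c47c00 lsass.exe              1928    668      4       65      0      0 2011-06-03 04:26:55 UTC+0000
0x81c0cda0 cmd.exe                 968   1664      0 --------      0      0 2011-06-03 04:31:35 UTC+0000   2011-06-03 04:31:36 UTC+0000
"""


@dataclass
class Proc:
    offset: int
    name: str
    pid: int
    ppid: int
    threads: Optional[int]
    handles: Optional[int]
    start: str


# Offset Name PID PPID Thds Hnds Sess Wow64 [Start [Exit]]; Thds/Hnds/Sess
# are dashes for exited processes, so they are captured as raw fields.
ROW_RE = re.compile(
    r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+\S+\s+\d+\s*(.*)$"
)

# Assumed baseline for an XP SP3 image: expected parent of each critical
# system process, and which of them must exist exactly once.
EXPECTED_PARENT = {
    "csrss.exe": "smss.exe",
    "winlogon.exe": "smss.exe",
    "services.exe": "winlogon.exe",
    "lsass.exe": "winlogon.exe",
}
SINGLETON = {"winlogon.exe", "services.exe", "lsass.exe"}
# Analyst-chosen threshold (assumption): a real lsass.exe holds hundreds of handles.
MIN_HANDLES = {"lsass.exe": 100}


def _count(field: str) -> Optional[int]:
    return None if field.startswith("-") else int(field)


def parse_pslist(text: str) -> List[Proc]:
    procs = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:  # banner, header and separator lines
            continue
        off, name, pid, ppid, thds, hnds, rest = m.groups()
        procs.append(Proc(int(off, 16), name, int(pid), int(ppid),
                          _count(thds), _count(hnds), rest.strip()))
    return procs


def find_anomalies(procs: List[Proc]) -> List[Tuple[int, str]]:
    """Return (pid, reason) pairs for every process that breaks a rule."""
    by_pid: Dict[int, Proc] = {p.pid: p for p in procs}
    counts: Dict[str, int] = {}
    for p in procs:
        counts[p.name.lower()] = counts.get(p.name.lower(), 0) + 1
    findings = []
    for p in procs:
        name = p.name.lower()
        parent = by_pid.get(p.ppid)
        parent_name = parent.name.lower() if parent else "<not in list>"
        expected = EXPECTED_PARENT.get(name)
        if expected and parent_name != expected:
            findings.append((p.pid, f"parent is {parent_name} (PID {p.ppid}), expected {expected}"))
        if name in SINGLETON and counts[name] > 1:
            findings.append((p.pid, f"{counts[name]} copies of {p.name}, expected one"))
        floor = MIN_HANDLES.get(name)
        if floor is not None and p.handles is not None and p.handles < floor:
            findings.append((p.pid, f"only {p.handles} handles (threshold {floor})"))
    return findings


def suspicious_pids(procs: List[Proc]) -> List[int]:
    """PIDs whose parent is wrong: the strongest of the three signals."""
    return sorted({pid for pid, why in find_anomalies(procs) if why.startswith("parent")})


if __name__ == "__main__":
    procs = parse_pslist(PSLIST_SAMPLE)
    for pid, why in find_anomalies(procs):
        print(f"PID {pid}: {why}")
    print("wrong parent:", suspicious_pids(procs))
```

Feed it `volatility ... pslist` output on stdin instead of the constructed sample and it reports PIDs 868 and 1928 for the wrong parent and the low handle count, while the real lsass.exe (680) is only noted for the duplicate-name rule.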
[root&windows]#volatility -f stuxnet.vmem --profile=$profile handles -p 868
Volatility Foundation Volatility Framework 2.4
Offset(V) Pid Handle Access Type Details
---------- ------ ---------- ---------- -------------------------- -------
0x8225b710 868 0xc 0x100020 File \Device\HarddiskVolume1\WINDOWS\system32
0x81eddc18 868 0x7a4 0x1f03ff Thread TID 592 PID 940
0x82083a60 868 0x7ac 0x1f0003 IoCompletion
0x81c427a8 868 0x7b0 0x1f0003 IoCompletion
0x82083a60 868 0x7b4 0x1f0003 IoCompletion
0x822bbda8 868 0x7b8 0x1f03ff Thread TID 1884 PID 868
0x81f9eae8 868 0x7bc 0x1f0003 Event
0x81c36ef8 868 0x7c0 0x1f0003 Event
0x81c8ee00 868 0x7c4 0x1f0003 Event
0x81f6cff0 868 0x7c8 0x1f0003 Event
0x81e61da0 868 0x7cc 0x1f0fff Process svchost.exe(940)
0x822bbda8 868 0x7d0 0x1f03ff Thread TID 1884 PID 868
0x81d9c670 868 0x7d4 0xf016e WindowStation Service-0x0-3e7$
0x822563f0 868 0x7d8 0xf00cf Desktop Default
0x81d9c670 868 0x7dc 0xf016e WindowStation Service-0x0-3e7$
0x821a4678 868 0x7e0 0x21f0003 Event
0xe2a6e830 868 0x7e4 0x20f003f Key MACHINE
0x81c68458 868 0x7e8 0x100003 Semaphore
0xe2b19ae0 868 0x7ec 0x21f0001 Port
0xe1613978 868 0x7f0 0xf000f Directory Windows
0x81fb0a88 868 0x7f4 0x100003 Semaphore
0xe16008f8 868 0x7f8 0x3 Directory KnownDlls
0xe10096e0 868 0x7fc 0xf0003 KeyedEvent CritSecOutOfMemoryEvent
[root&windows]#volatility -f stuxnet.vmem --profile=$profile threads -p 868
Volatility Foundation Volatility Framework 2.4
[x86] Gathering all referenced SSDTs from KTHREADs...
Finding appropriate address space for tables...
------
ETHREAD: 0x822bbda8 Pid: 868 Tid: 1884
Tags: HookedSSDT
Created: 2011-06-03 04:26:55 UTC+0000
Exited: 1970-01-01 00:00:00 UTC+0000
Owning Process: lsass.exe
Attached Process: lsass.exe
State: Waiting:UserRequest
BasePriority: 0x8
Priority: 0x9
TEB: 0x7ffdc000
StartAddress: 0x7c8106e9 kernel32.dll
ServiceTable: 0x80552fa0
[0] 0x80501b8c
[0x19] NtClose 0xb240f80e PROCMON20.SYS
[0x29] NtCreateKey 0xb240f604 PROCMON20.SYS
[0x3f] NtDeleteKey 0xb240f4ac PROCMON20.SYS
[0x41] NtDeleteValueKey 0xb240f4f2 PROCMON20.SYS
[0x47] NtEnumerateKey 0xb240f3f2 PROCMON20.SYS
[0x49] NtEnumerateValueKey 0xb240f34e PROCMON20.SYS
[0x4f] NtFlushKey 0xb240f446 PROCMON20.SYS
[0x62] NtLoadKey 0xb240f972 PROCMON20.SYS
[0x77] NtOpenKey 0xb240f7d0 PROCMON20.SYS
[0xa0] NtQueryKey 0xb240f03e PROCMON20.SYS
[0xb1] NtQueryValueKey 0xb240f166 PROCMON20.SYS
[0xf7] NtSetValueKey 0xb240f28a PROCMON20.SYS
[0x107] NtUnloadKey 0xb240fac2 PROCMON20.SYS
[1] 0x00000000
[2] 0x00000000
[3] 0x00000000
Win32Thread: 0x00000000
CrossThreadFlags:
Eip: 0x7c90e4f4
eax=0x0066feb8 ebx=0x00000000 ecx=0x000004a5 edx=0x7c90e4f4 esi=0x000007a4 edi=0x00000000
eip=0x7c90e4f4 esp=0x0066ff1c ebp=0x0066ff80 err=0x00000000
cs=0x1b ss=0x23 ds=0x23 es=0x23 gs=0x00 fs=0x3b efl=0x00000246
dr0=0x00000000 dr1=0x00000000 dr2=0x00000000 dr3=0x00000000 dr6=0x00000000 dr7=0x00000000
0x7c8106e9 33ed XOR EBP, EBP
0x7c8106eb 53 PUSH EBX
0x7c8106ec 50 PUSH EAX
0x7c8106ed 6a00 PUSH 0x0
0x7c8106ef e9e8afffff JMP 0x7c80b6dc
0x7c8106f4 90 NOP
0x7c8106f5 33ed XOR EBP, EBP
0x7c8106f7 50 PUSH EAX
0x7c8106f8 6a00 PUSH 0x0
0x7c8106fa e945690000 JMP 0x7c817044
0x7c8106ff 90 NOP
0x7c810700 8b DB 0x8b
------
ETHREAD: 0x81f2ec48 Pid: 868 Tid: 112
Tags: HookedSSDT
Created: 2011-06-03 04:26:55 UTC+0000
Exited: 1970-01-01 00:00:00 UTC+0000
Owning Process: lsass.exe
Attached Process: lsass.exe
State: Waiting:UserRequest
BasePriority: 0x8
Priority: 0x8
TEB: 0x7ffdd000
StartAddress: 0x7c8106f5 kernel32.dll
ServiceTable: 0x80552f60
[0] 0x80501b8c
[0x19] NtClose 0xb240f80e PROCMON20.SYS
[0x29] NtCreateKey 0xb240f604 PROCMON20.SYS
[0x3f] NtDeleteKey 0xb240f4ac PROCMON20.SYS
[0x41] NtDeleteValueKey 0xb240f4f2 PROCMON20.SYS
[0x47] NtEnumerateKey 0xb240f3f2 PROCMON20.SYS
[0x49] NtEnumerateValueKey 0xb240f34e PROCMON20.SYS
[0x4f] NtFlushKey 0xb240f446 PROCMON20.SYS
[0x62] NtLoadKey 0xb240f972 PROCMON20.SYS
[0x77] NtOpenKey 0xb240f7d0 PROCMON20.SYS
[0xa0] NtQueryKey 0xb240f03e PROCMON20.SYS
[0xb1] NtQueryValueKey 0xb240f166 PROCMON20.SYS
[0xf7] NtSetValueKey 0xb240f28a PROCMON20.SYS
[0x107] NtUnloadKey 0xb240fac2 PROCMON20.SYS
[1] 0xbf999b80
[2] 0x00000000
[3] 0x00000000
Win32Thread: 0xe28044a0
CrossThreadFlags:
Eip: 0x7c90e4f4
eax=0x0006fda0 ebx=0x7ffde000 ecx=0x0006ff98 edx=0x7c90e4f4 esi=0x000007d0 edi=0x00000000
eip=0x7c90e4f4 esp=0x0006ff38 ebp=0x0006ff9c err=0x00000000
cs=0x1b ss=0x23 ds=0x23 es=0x23 gs=0x00 fs=0x3b efl=0x00000246
dr0=0x00000000 dr1=0x00000000 dr2=0x00000000 dr3=0x00000000 dr6=0x00000000 dr7=0x00000000
0x7c8106f5 33ed XOR EBP, EBP
0x7c8106f7 50 PUSH EAX
0x7c8106f8 6a00 PUSH 0x0
0x7c8106fa e945690000 JMP 0x7c817044
0x7c8106ff 90 NOP
0x7c810700 8bff MOV EDI, EDI
0x7c810702 648b1518000000 MOV EDX, [FS:0x18]
0x7c810709 8b4210 MOV EAX, [EDX+0x10]
0x7c81070c 8b DB 0x8b
XP images let us use connscan and sockscan.
[root&windows]#volatility -f stuxnet.vmem --profile=$profile connscan
Volatility Foundation Volatility Framework 2.4
Offset(P) Local Address Remote Address Pid
---------- ------------------------- ------------------------- ---
[root&windows]#volatility -f stuxnet.vmem --profile=$profile sockscan
Volatility Foundation Volatility Framework 2.4
Offset(P) PID Port Proto Protocol Address Create Time
---------- -------- ------ ------ --------------- --------------- -----------
0x01e20898 1200 1900 17 UDP 127.0.0.1 2011-06-03 04:25:47 UTC+0000
0x01e79778 1080 1142 17 UDP 0.0.0.0 2010-10-31 16:36:16 UTC+0000
0x01eb3d70 1080 1141 17 UDP 0.0.0.0 2010-10-31 16:36:16 UTC+0000
0x01eb9e98 1580 5152 6 TCP 127.0.0.1 2010-10-29 17:09:05 UTC+0000
0x01fa4d18 680 0 255 Reserved 0.0.0.0 2010-10-29 17:09:05 UTC+0000
0x01fa54b0 4 445 17 UDP 0.0.0.0 2010-10-29 17:08:53 UTC+0000
0x01fc2008 680 500 17 UDP 0.0.0.0 2010-10-29 17:09:05 UTC+0000
0x021dbe98 1032 123 17 UDP 127.0.0.1 2011-06-03 04:25:47 UTC+0000
0x02260008 680 4500 17 UDP 0.0.0.0 2010-10-29 17:09:05 UTC+0000
0x02261c08 4 445 6 TCP 0.0.0.0 2010-10-29 17:08:53 UTC+0000
0x023a5008 188 1025 6 TCP 127.0.0.1 2010-10-29 17:09:09 UTC+0000
0x02494aa8 940 135 6 TCP 0.0.0.0 2010-10-29 17:08:55 UTC+0000
malfind found several locations in lsass with RWX (PAGE_EXECUTE_READWRITE) memory showing signs of code injection...
Several of the results began with "MZ" headers!
csrss, services, svchost, explorer and lsass all had signs of code injection:
PIDs 600, 668, 940, 1196, 868 and 1928.
Process: lsass.exe Pid: 1928 Address: 0x870000
Vad Tag: Vad Protection: PAGE_EXECUTE_READWRITE
Flags: Protection: 6
Process: lsass.exe Pid: 1928 Address: 0x1000000
Vad Tag: Vad Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 2, Protection: 6
With vadinfo we see there are no file objects backing these MZ headers
(also one at 0x80000, but snipped for brevity)
[root&windows]#volatility -f stuxnet.vmem --profile=$profile vadinfo -p 1928 -a 0x870000
************************************************************************
Pid: 1928
VAD node @ 0x82232950 Start 0x00870000 End 0x009a7fff Tag Vad
Flags: Protection: 6
Protection: PAGE_EXECUTE_READWRITE
ControlArea @822bbd38 Segment e107e600
NumberOfSectionReferences: 0 NumberOfPfnReferences: 0
NumberOfMappedViews: 1 NumberOfUserReferences: 1
Control Flags: Commit: 1, HadUserReference: 1
First prototype PTE: e107e640 Last contiguous PTE: e107eff8
Flags2: Inherit: 1
[root&windows]#volatility -f stuxnet.vmem --profile=$profile vadinfo -p 1928 -a 0x1000000
************************************************************************
Pid: 1928
VAD node @ 0x82086d40 Start 0x01000000 End 0x01005fff Tag Vad
Flags: CommitCharge: 2, Protection: 6
Protection: PAGE_EXECUTE_READWRITE
ControlArea @81ff33e0 Segment e2343888
NumberOfSectionReferences: 1 NumberOfPfnReferences: 0
NumberOfMappedViews: 1 NumberOfUserReferences: 2
Control Flags: Commit: 1, HadUserReference: 1
First prototype PTE: e23438c8 Last contiguous PTE: e23438f0
Flags2: Inherit: 1
Hidden DLLs?
Addresses of interest 0x80000, 0x00870000 and 0x01000000
[root&windows]#volatility -f stuxnet.vmem --profile=$profile ldrmodules -p 1928
Volatility Foundation Volatility Framework 2.4
Pid Process Base InLoad InInit InMem MappedPath
-------- -------------------- ---------- ------ ------ ----- ----------
1928 lsass.exe 0x00080000 False False False
1928 lsass.exe 0x01000000 True False True
1928 lsass.exe 0x00870000 True True True
[root&windows]#volatility -f stuxnet.vmem --profile=$profile ldrmodules -p 1928
Volatility Foundation Volatility Framework 2.4
Pid Process Base InLoad InInit InMem MappedPath
-------- -------------------- ---------- ------ ------ ----- ----------
1928 lsass.exe 0x00080000 False False False
1928 lsass.exe 0x00870000 True True True
Load Path: C:\WINDOWS\system32\KERNEL32.DLL.ASLR.0360b7ab : KERNEL32.DLL.ASLR.0360b7ab
Init Path: C:\WINDOWS\system32\KERNEL32.DLL.ASLR.0360b7ab : KERNEL32.DLL.ASLR.0360b7ab
Mem Path: C:\WINDOWS\system32\KERNEL32.DLL.ASLR.0360b7ab : KERNEL32.DLL.ASLR.0360b7ab
1928 lsass.exe 0x01000000 True False True
Load Path: C:\WINDOWS\system32\lsass.exe : lsass.exe
Mem Path: C:\WINDOWS\system32\lsass.exe : lsass.exe
0x01000000 appears to be the ImageBase for lsass... but its MappedPath is blank!
Classic process hollowing: create the process suspended, hollow out its original image and replace it with malicious code!
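The reasoning applied to the three ldrmodules rows above (0x80000 in no PEB list, 0x1000000 loaded but with no file object behind it) can be turned into a check over `ldrmodules -v` output. The script below is an added example, not part of the original notes or of Volatility; its rows are constructed from the PID 1928 output above, plus one constructed healthy ntdll.dll row to show the no-finding case.

```python
"""Flag process-hollowing indicators in Volatility 2 `ldrmodules -v` output.

Added example, not part of the original notes or of Volatility. It parses
the verbose ldrmodules table (a row followed by optional "Load Path:",
"Init Path:" and "Mem Path:" lines) and applies the reasoning used above
for PID 1928:
  * a PE missing from all three PEB lists is unlinked or injected code;
  * the process image (InLoad/InMem but not InInit, which is normal for
    the exe itself) with no MappedPath has no file object behind it,
    the hollowing signature;
  * a listed DLL with no MappedPath, or whose mapped file name differs
    from what the PEB lists, is also worth a look.
LDRMODULES_SAMPLE is constructed: the PID 1928 rows from above plus one
made-up healthy ntdll.dll row.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

LDRMODULES_SAMPLE = r"""
Pid      Process              Base       InLoad InInit InMem MappedPath
-------- -------------------- ---------- ------ ------ ----- ----------
1928     lsass.exe            0x00080000 False  False  False
1928     lsass.exe            0x00870000 True   True   True
  Load Path: C:\WINDOWS\system32\KERNEL32.DLL.ASLR.0360b7ab : KERNEL32.DLL.ASLR.0360b7ab
  Init Path: C:\WINDOWS\system32\KERNEL32.DLL.ASLR.0360b7ab : KERNEL32.DLL.ASLR.0360b7ab
  Mem Path: C:\WINDOWS\system32\KERNEL32.DLL.ASLR.0360b7ab : KERNEL32.DLL.ASLR.0360b7ab
1928     lsass.exe            0x01000000 True   False  True
  Load Path: C:\WINDOWS\system32\lsass.exe : lsass.exe
  Mem Path: C:\WINDOWS\system32\lsass.exe : lsass.exe
1928     lsass.exe            0x7c900000 True   True   True  \WINDOWS\system32\ntdll.dll
  Load Path: C:\WINDOWS\system32\ntdll.dll : ntdll.dll
  Init Path: C:\WINDOWS\system32\ntdll.dll : ntdll.dll
  Mem Path: C:\WINDOWS\system32\ntdll.dll : ntdll.dll
"""


@dataclass
class LdrEntry:
    pid: int
    process: str
    base: int
    in_load: bool
    in_init: bool
    in_mem: bool
    mapped_path: str                      # from the file object (blank if none)
    peb_paths: Dict[str, str] = field(default_factory=dict)  # Load/Init/Mem


ROW_RE = re.compile(
    r"^(\d+)\s+(\S+)\s+(0x[0-9a-fA-F]+)\s+(True|False)\s+(True|False)\s+(True|False)\s*(.*)$"
)
# "Load Path: <full path> : <basename>"; keep only the full path.
PATH_RE = re.compile(r"^(Load|Init|Mem) Path:\s*(.*?)(?:\s+:\s+\S+)?$")


def parse_ldrmodules(text: str) -> List[LdrEntry]:
    entries: List[LdrEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ROW_RE.match(line)
        if m:
            pid, proc, base, ld, ini, mem, mapped = m.groups()
            entries.append(LdrEntry(int(pid), proc, int(base, 16),
                                    ld == "True", ini == "True", mem == "True",
                                    mapped.strip()))
            continue
        m = PATH_RE.match(line)
        if m and entries:
            entries[-1].peb_paths[m.group(1)] = m.group(2)
    return entries


def classify(e: LdrEntry) -> Optional[str]:
    """Return a reason string if the entry looks injected/hollowed, else None."""
    if not (e.in_load or e.in_init or e.in_mem):
        return "unlinked: PE present but absent from every PEB list (injected module)"
    if not e.mapped_path:
        if e.in_load and e.in_mem and not e.in_init:
            return "hollowed: process image has no backing file object"
        return "unbacked: listed in PEB but no file object maps it"
    peb_name = e.peb_paths.get("Load", "").rsplit("\\", 1)[-1].lower()
    mapped_name = e.mapped_path.rsplit("\\", 1)[-1].lower()
    if peb_name and peb_name != mapped_name:
        return f"mismatch: PEB says {peb_name}, file object says {mapped_name}"
    return None


def find_hollowing(entries: List[LdrEntry]) -> Dict[int, str]:
    """Map module base -> reason for every suspicious entry."""
    findings: Dict[int, str] = {}
    for e in entries:
        reason = classify(e)
        if reason:
            findings[e.base] = reason
    return findings


if __name__ == "__main__":
    for base, reason in sorted(find_hollowing(parse_ldrmodules(LDRMODULES_SAMPLE)).items()):
        print(f"0x{base:08x}: {reason}")
```

Pipe `ldrmodules -p <pid> -v` output into `parse_ldrmodules` and every base that comes back from `find_hollowing` is a candidate for `vadinfo`, `procdump` and a hash comparison like the one that follows.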
[root&windows]#volatility -f stuxnet.vmem --profile=$profile procdump -p 680,868,1928 -D stuxnetDump/
Process(V) ImageBase Name Result
---------- ---------- -------------------- ------
0x81e70020 0x01000000 lsass.exe OK: executable.680.exe
0x81c498c8 0x01000000 lsass.exe OK: executable.868.exe
0x81c47c00 0x01000000 lsass.exe OK: executable.1928.exe
[root&windows]#ssdeep -d stuxnetDump/executable.680.exe stuxnetDump/executable.1928.exe -a
/root/amf/windows/stuxnetDump/executable.1928.exe matches /root/amf/windows/stuxnetDump/executable.680.exe (0)
[root&windows]#ssdeep -d stuxnetDump/*
/root/amf/windows/stuxnetDump/executable.868.exe matches /root/amf/windows/stuxnetDump/executable.1928.exe (100)
[root&windows]#strings stuxnetDump/executable.868.exe
ZwMapViewOfSection
ZwCreateSection
ZwOpenFile
ZwClose
ZwQueryAttributesFile
ZwQuerySection
TerminateProcess
GetCurrentProcess
CloseHandle
WaitForSingleObject
OpenProcess
ExitProcess
CreateThread
SetUnhandledExceptionFilter
SetErrorMode
KERNEL32.dll
AdjustTokenPrivileges
LookupPrivilegeValueW
OpenProcessToken
ADVAPI32.dll
VirtualProtect
GetModuleHandleW
GetCurrentThreadId
GetTickCount
lstrcpyW
lstrlenW
GetProcAddress
wsprintfW
USER32.dll
ZwMapViewOfSection is one of the section APIs hollow process injection uses to swap out the target's image!
[root&stuxnetDump]#../virus.py
['executable.868.exe', 'executable.1928.exe', 'executable.680.exe']
executable.868.exe
Report
- Resource's UID: 6f293f095e960461d897b688bf582a0c9a3890935a7d443a929ef587ed911760-1428734311
- Scan's UID: 6f293f095e960461d897b688bf582a0c9a3890935a7d443a929ef587ed911760-1428734311
- Permalink: https://www.virustotal.com/file/6f293f095e960461d897b688bf582a0c9a3890935a7d443a929ef587ed911760/analysis/1428734311/
- Resource's MD5: 7b62da1a65ffc31c55da778b276ad1e2
- Resource's status: Scan finished, information embedded
- Antivirus' total: 57
- Antivirus's positives: 35
executable.1928.exe
Report
- Resource's UID: 20a3c5f02b6b79bcac9adaef7ee138763054bbedc298fb2710b5adaf9b74a47d-1426221873
- Scan's UID: 20a3c5f02b6b79bcac9adaef7ee138763054bbedc298fb2710b5adaf9b74a47d-1426221873
- Permalink: https://www.virustotal.com/file/20a3c5f02b6b79bcac9adaef7ee138763054bbedc298fb2710b5adaf9b74a47d/analysis/1426221873/
- Resource's MD5: e1e00c2d5815e4129d8ac503f6fac095
- Resource's status: Scan finished, information embedded
- Antivirus' total: 57
- Antivirus's positives: 38
executable.680.exe
Report
- Resource's UID: 45f3b06cfb72ff8fc49fbb7076561b4ebf67a0953b1472ebeaec9d48c8c9dc92-1423774745
- Scan's UID: 45f3b06cfb72ff8fc49fbb7076561b4ebf67a0953b1472ebeaec9d48c8c9dc92-1423774745
- Permalink: https://www.virustotal.com/file/45f3b06cfb72ff8fc49fbb7076561b4ebf67a0953b1472ebeaec9d48c8c9dc92/analysis/1423774745/
- Resource's MD5: f9e5dd3014390b8ead50deab4907dafe
- Resource's status: Scan finished, information embedded
- Antivirus' total: 56
- Antivirus's positives: 1
[lots of snip]
[root&windows]#volatility -f stuxnet.vmem --profile=$profile callbacks
Volatility Foundation Volatility Framework 2.4
Type Callback Module Details
------------------------------------ ---------- -------------------- -------
IoRegisterShutdownNotification 0xf86aa73a MountMgr.sys \Driver\MountMgr
IoRegisterShutdownNotification 0xf8bb05be Fs_Rec.SYS \FileSystem\Fs_Rec
IoRegisterShutdownNotification 0xf8bb05be Fs_Rec.SYS \FileSystem\Fs_Rec
IoRegisterShutdownNotification 0xf8bb05be Fs_Rec.SYS \FileSystem\Fs_Rec
IoRegisterShutdownNotification 0xf853c2be ftdisk.sys \Driver\Ftdisk
IoRegisterShutdownNotification 0x805cdef4 ntoskrnl.exe \FileSystem\RAW
IoRegisterShutdownNotification 0xf83d98f1 Mup.sys \FileSystem\Mup
IoRegisterShutdownNotification 0x805f5d66 ntoskrnl.exe \Driver\WMIxWDM
IoRegisterFsRegistrationChange 0xf84be876 sr.sys -
GenericKernelCallback 0xf87ad194 vmci.sys -
IoRegisterFsRegistrationChange 0xb21d89ec mrxnet.sys -
GenericKernelCallback 0xb240ce4c PROCMON20.SYS -
GenericKernelCallback 0x805f81a6 ntoskrnl.exe -
GenericKernelCallback 0xb240cc9a PROCMON20.SYS -
GenericKernelCallback 0xf895ad06 mrxcls.sys -
PsSetLoadImageNotifyRoutine 0xb240ce4c PROCMON20.SYS -
PsSetLoadImageNotifyRoutine 0x805f81a6 ntoskrnl.exe -
PsSetLoadImageNotifyRoutine 0xf895ad06 mrxcls.sys -
PsSetCreateThreadNotifyRoutine 0xb240cc9a PROCMON20.SYS -
PsSetCreateProcessNotifyRoutine 0xf87ad194 vmci.sys -
PsSetLoadImageNotifyRoutine is good to check on... mrxcls.sys?
[root&windows]#volatility -f stuxnet.vmem --profile=$profile callbacks | grep mrxcls
Volatility Foundation Volatility Framework 2.4
GenericKernelCallback 0xf895ad06 mrxcls.sys -
PsSetLoadImageNotifyRoutine 0xf895ad06 mrxcls.sys -
[root&windows]#volatility -f stuxnet.vmem --profile=$profile modules | grep mrxcls
Volatility Foundation Volatility Framework 2.4
0x81f8cb60 mrxcls.sys 0xf895a000 0x5000 \??\C:\WINDOWS\system32\Drivers\mrxcls.sys
[root&windows]#volatility -f stuxnet.vmem --profile=$profile devicetree | grep -i mrxcls
DRV 0x02126870 \Driver\MRxCls
---| DEV 0x81bdbeb0 MRxClsDvX FILE_DEVICE_UNKNOWN
Another callback:
IoRegisterFsRegistrationChange 0xb21d89ec mrxnet.sys -
[root&windows]#volatility -f stuxnet.vmem --profile=$profile devicetree | grep -i mrxnet
Volatility Foundation Volatility Framework 2.4
---------| ATT 0x821354b8 - \Driver\MRxNet FILE_DEVICE_NETWORK_FILE_SYSTEM
------| ATT 0x81fb9680 - \Driver\MRxNet FILE_DEVICE_DISK_FILE_SYSTEM
------| ATT 0x81f0ab90 - \Driver\MRxNet FILE_DEVICE_DISK_FILE_SYSTEM
------| ATT 0x8226ef10 - \Driver\MRxNet FILE_DEVICE_CD_ROM_FILE_SYSTEM
------| ATT 0x821354b8 - \Driver\MRxNet FILE_DEVICE_NETWORK_FILE_SYSTEM
------| ATT 0x81f0fc58 - \Driver\MRxNet FILE_DEVICE_NETWORK_FILE_SYSTEM
------| ATT 0x81c0a910 - \Driver\MRxNet FILE_DEVICE_NETWORK_FILE_SYSTEM
---------| ATT 0x81fb9680 - \Driver\MRxNet FILE_DEVICE_DISK_FILE_SYSTEM
---------| ATT 0x81f0ab90 - \Driver\MRxNet FILE_DEVICE_DISK_FILE_SYSTEM
---------| ATT 0x81c0a910 - \Driver\MRxNet FILE_DEVICE_NETWORK_FILE_SYSTEM
DRV 0x022e54f8 \Driver\MRxNet
---------| ATT 0x81f0fc58 - \Driver\MRxNet FILE_DEVICE_NETWORK_FILE_SYSTEM
---------| ATT 0x8226ef10 - \Driver\MRxNet FILE_DEVICE_CD_ROM_FILE_SYSTEM
------| ATT 0x81c8b500 - \Driver\MRxNet FILE_DEVICE_CD_ROM_FILE_SYSTEM
------| ATT 0x81dc49c0 - \Driver\MRxNet FILE_DEVICE_DISK_FILE_SYSTEM
------| ATT 0x82125f10 - \Driver\MRxNet FILE_DEVICE_DISK_FILE_SYSTEM
------| ATT 0x81fd59c0 - \Driver\MRxNet FILE_DEVICE_CD_ROM_FILE_SYSTEM
------------| ATT 0x81fb9680 - \Driver\MRxNet FILE_DEVICE_DISK_FILE_SYSTEM
------------| ATT 0x81f0ab90 - \Driver\MRxNet FILE_DEVICE_DISK_FILE_SYSTEM
[root&windows]#volatility -f stuxnet.vmem --profile=$profile devicetree | grep -i mrxnet -B 10 | grep Driver
Volatility Foundation Volatility Framework 2.4
DRV 0x0205e5a8 \FileSystem\vmhgfs
---| DEV 0x820f0030 hgfsInternal UNKNOWN
---| DEV 0x821a1030 HGFS FILE_DEVICE_NETWORK_FILE_SYSTEM
------| ATT 0x81f5d020 (?) - \FileSystem\FltMgr FILE_DEVICE_NETWORK_FILE_SYSTEM
---------| ATT 0x821354b8 (?) - \Driver\MRxNet FILE_DEVICE_NETWORK_FILE_SYSTEM
DRV 0x023ae880 \FileSystem\MRxSmb
---| DEV 0x81da95d0 LanmanDatagramReceiver FILE_DEVICE_NETWORK_BROWSER
---| DEV 0x81ee5030 LanmanRedirector FILE_DEVICE_NETWORK_FILE_SYSTEM
------| ATT 0x81bf1020 (?) - \FileSystem\FltMgr FILE_DEVICE_NETWORK_FILE_SYSTEM
---------| ATT 0x81f0fc58 (?) - \Driver\MRxNet FILE_DEVICE_NETWORK_FILE_SYSTEM
DRV 0x02476da0 \FileSystem\Cdfs
---| DEV 0x81e636c8 Cdfs FILE_DEVICE_CD_ROM_FILE_SYSTEM
------| ATT 0x81fac548 (?) - \FileSystem\FltMgr FILE_DEVICE_CD_ROM_FILE_SYSTEM
---------| ATT 0x8226ef10 (?) - \Driver\MRxNet FILE_DEVICE_CD_ROM_FILE_SYSTEM
DRV 0x0253d180 \FileSystem\Ntfs
---| DEV 0x82166020 FILE_DEVICE_DISK_FILE_SYSTEM
------| ATT 0x8228c6b0 (?) - \FileSystem\sr FILE_DEVICE_DISK_FILE_SYSTEM
---------| ATT 0x81f47020 (?) - \FileSystem\FltMgr FILE_DEVICE_DISK_FILE_SYSTEM
------------| ATT 0x81fb9680 (?) - \Driver\MRxNet FILE_DEVICE_DISK_FILE_SYSTEM
[root&windows]#volatility -f stuxnet.vmem --profile=$profile driverirp -r mrxnet -v
--------------------------------------------------
DriverName: MRxNet
DriverStart: 0xb21d8000
DriverSize: 0x2980
DriverStartIo: 0x0
0 IRP_MJ_CREATE 0xb21d8486 mrxnet.sys
1 IRP_MJ_CREATE_NAMED_PIPE 0xb21d8486 mrxnet.sys
2 IRP_MJ_CLOSE 0xb21d8486 mrxnet.sys
3 IRP_MJ_READ 0xb21d8486 mrxnet.sys
4 IRP_MJ_WRITE 0xb21d8486 mrxnet.sys
5 IRP_MJ_QUERY_INFORMATION 0xb21d8486 mrxnet.sys
6 IRP_MJ_SET_INFORMATION 0xb21d8486 mrxnet.sys
7 IRP_MJ_QUERY_EA 0xb21d8486 mrxnet.sys
8 IRP_MJ_SET_EA 0xb21d8486 mrxnet.sys
9 IRP_MJ_FLUSH_BUFFERS 0xb21d8486 mrxnet.sys
10 IRP_MJ_QUERY_VOLUME_INFORMATION 0xb21d8486 mrxnet.sys
11 IRP_MJ_SET_VOLUME_INFORMATION 0xb21d8486 mrxnet.sys
12 IRP_MJ_DIRECTORY_CONTROL 0xb21d84ec mrxnet.sys
13 IRP_MJ_FILE_SYSTEM_CONTROL 0xb21d8496 mrxnet.sys
14 IRP_MJ_DEVICE_CONTROL 0xb21d8486 mrxnet.sys
15 IRP_MJ_INTERNAL_DEVICE_CONTROL 0xb21d8486 mrxnet.sys
16 IRP_MJ_SHUTDOWN 0xb21d8486 mrxnet.sys
17 IRP_MJ_LOCK_CONTROL 0xb21d8486 mrxnet.sys
18 IRP_MJ_CLEANUP 0xb21d8486 mrxnet.sys
19 IRP_MJ_CREATE_MAILSLOT 0xb21d8486 mrxnet.sys
20 IRP_MJ_QUERY_SECURITY 0xb21d8486 mrxnet.sys
21 IRP_MJ_SET_SECURITY 0xb21d8486 mrxnet.sys
22 IRP_MJ_POWER 0xb21d8486 mrxnet.sys
23 IRP_MJ_SYSTEM_CONTROL 0xb21d8486 mrxnet.sys
24 IRP_MJ_DEVICE_CHANGE 0xb21d8486 mrxnet.sys
25 IRP_MJ_QUERY_QUOTA 0xb21d8486 mrxnet.sys
26 IRP_MJ_SET_QUOTA 0xb21d8486 mrxnet.sys
27 IRP_MJ_PNP 0xb21d8486 mrxnet.sys
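Reading the mrxnet.sys table above by eye shows every IRP_MJ_* handler at the same pass-through stub except IRP_MJ_DIRECTORY_CONTROL and IRP_MJ_FILE_SYSTEM_CONTROL, the two a file-system filter would need to hook to hide files. The script below is an added example, not part of the original notes or of Volatility; it parses `driverirp -v` blocks, reports the handlers that differ from the driver's common stub, and also flags any handler that points outside the driver's own image (a second, wholly constructed driver block is included to exercise that branch).

```python
"""Analyse IRP dispatch tables from Volatility 2 `driverirp -v` output.

Added example, not part of the original notes or of Volatility. It parses
each driver block (DriverName/DriverStart/DriverSize plus the numbered
IRP_MJ_* rows) and reports:
  * handlers that point outside the driver's own image, i.e. some other
    module has taken over part of the dispatch table;
  * handlers that differ from the driver's most common stub address,
    which are the IRPs the driver actually intercepts (for mrxnet.sys,
    directory control and file-system control).
DRIVERIRP_SAMPLE holds a subset of the mrxnet.sys rows from above plus a
second, wholly constructed driver block ("ExampleDrv") with one handler
deliberately placed outside its image.
"""
import re
from collections import Counter
from typing import Dict, List

DRIVERIRP_SAMPLE = """\
--------------------------------------------------
DriverName: MRxNet
DriverStart: 0xb21d8000
DriverSize: 0x2980
DriverStartIo: 0x0
   0 IRP_MJ_CREATE                       0xb21d8486 mrxnet.sys
   2 IRP_MJ_CLOSE                        0xb21d8486 mrxnet.sys
   3 IRP_MJ_READ                         0xb21d8486 mrxnet.sys
   4 IRP_MJ_WRITE                        0xb21d8486 mrxnet.sys
  12 IRP_MJ_DIRECTORY_CONTROL            0xb21d84ec mrxnet.sys
  13 IRP_MJ_FILE_SYSTEM_CONTROL          0xb21d8496 mrxnet.sys
  14 IRP_MJ_DEVICE_CONTROL               0xb21d8486 mrxnet.sys
  27 IRP_MJ_PNP                          0xb21d8486 mrxnet.sys
--------------------------------------------------
DriverName: ExampleDrv
DriverStart: 0xf8000000
DriverSize: 0x1000
DriverStartIo: 0x0
   0 IRP_MJ_CREATE                       0xf8000200 exampledrv.sys
   2 IRP_MJ_CLOSE                        0xf8000200 exampledrv.sys
   3 IRP_MJ_READ                         0xf8000200 exampledrv.sys
   4 IRP_MJ_WRITE                        0xb2400000 UNKNOWN
"""

HEADER_RE = re.compile(r"^(DriverName|DriverStart|DriverSize|DriverStartIo):\s*(\S+)")
ROW_RE = re.compile(r"^\s*(\d+)\s+(IRP_MJ_\w+)\s+(0x[0-9a-fA-F]+)\s+(\S+)")


def parse_driverirp(text: str) -> List[dict]:
    """Return one dict per driver: name, start, size, handlers{irp: (addr, module)}."""
    drivers: List[dict] = []
    cur = None
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if m:
            key, val = m.groups()
            if key == "DriverName":
                cur = {"name": val, "start": 0, "size": 0, "handlers": {}}
                drivers.append(cur)
            elif key == "DriverStart" and cur is not None:
                cur["start"] = int(val, 16)
            elif key == "DriverSize" and cur is not None:
                cur["size"] = int(val, 16)
            continue
        m = ROW_RE.match(line)
        if m and cur is not None:
            _, irp, addr, module = m.groups()
            cur["handlers"][irp] = (int(addr, 16), module)
    return drivers


def analyse(driver: dict) -> dict:
    start, end = driver["start"], driver["start"] + driver["size"]
    handlers = driver["handlers"]
    # The most common target is the driver's pass-through stub; everything
    # else is an IRP the driver handles specially.
    default_addr = Counter(addr for addr, _ in handlers.values()).most_common(1)[0][0]
    return {
        "name": driver["name"],
        "default_handler": default_addr,
        "specialised": {irp: addr for irp, (addr, _) in handlers.items() if addr != default_addr},
        "outside_image": {irp: addr for irp, (addr, _) in handlers.items()
                          if not (start <= addr < end)},
    }


def analyse_all(drivers: List[dict]) -> List[dict]:
    return [analyse(d) for d in drivers if d["handlers"]]


if __name__ == "__main__":
    for r in analyse_all(parse_driverirp(DRIVERIRP_SAMPLE)):
        print(r["name"], "stub=0x%08x" % r["default_handler"])
        for irp, addr in r["specialised"].items():
            print("  special  ", irp, "0x%08x" % addr)
        for irp, addr in r["outside_image"].items():
            print("  OUTSIDE  ", irp, "0x%08x" % addr)
```

Run over the full `driverirp -v` output (no `-r` filter) it gives a one-screen summary of which drivers specialise which IRPs and whether any dispatch entry has been redirected outside its own module, which is the check to run before reading individual tables.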