In a previous article (http://jphsecurity.blogspot.com/2012/01/developing-baseline-approach-to.html), we reviewed a general approach to analyzing a virtual memory image of a Windows device using the open source tool Volatility 2.0. Preliminary analysis identified a malicious process named svhost.exe (note the spelling: a lookalike of the legitimate svchost.exe), PID 1936, running from C:\Windows\msagent. Its parent process (PPID 1888) had already exited.
Note that PID 1936, the last process loaded, started roughly 15 minutes after system boot:
To provide additional process context I performed the following:
The “pslist” and “psscan” commands were run against the virtual memory image to enumerate running and exited processes (psscan carves process structures from memory, so it can surface processes that have already terminated). PID 1888 was not immediately identified. The “userassist” command was then run to print Registry UserAssist entries. A UserAssist entry showed that a suspicious file named w6.exe had been executed from %UserProfile%\Desktop one (1) second before the svhost.exe process was created.
Process relational structure: the now-exited process w6.exe (PID 1888) creates svhost.exe on the volume within C:\Windows\msagent and then executes it.
Triage identified device compromise and indicators with which to scope the incident; however, I wanted to validate my initial assessment that the file w6.exe was responsible for both the file creation and the process creation of svhost.exe running from C:\Windows\msagent. I obtained a sample of the malware (MD5 654eef6ff6dbe666c1d9fd1f6049d525), executed w6.exe on a Windows XP VM in an isolated network environment and monitored process/thread activity using Process Monitor (Procmon, http://technet.microsoft.com/en-us/sysinternals/bb896645).
Protocol for malware execution
- Transfer the malware sample to the virtual environment
- Windows XP SP3 VM
- Isolated network environment
- Launch Procmon
- No filters applied initially; capture everything and filter afterwards
- Launch Autoruns
- Save the output (this is the pre-infection autostart baseline)
- Execute the malware sample
- Let the malware sample “breathe” for a period of five (5) minutes
- Take a snapshot of the VM pre- and post-infection
- VMware writes the guest's physical memory to a .vmem file when the snapshot is taken
- The virtual memory image (.vmem) can be analyzed with Volatility as a raw memory image
- Save the Procmon output as .csv
- Review in MS Excel, applying filters throughout the process
Goals of analysis
1. Verify that w6.exe creates C:\Windows\msagent\svhost.exe on the volume
2. Verify that malware sample is responsible for svhost.exe process creation
3. Identify any changes made to the device Registry and File System
Procmon Filter Process
Review the overall process/thread activity first, then narrow it down one Operation at a time. The Process Create event carries the new PID and its command line in the Detail column, and the Process Start event carries the Parent PID, which is what lets the process tree be rebuilt from the export.
- Filter on Operation is “Process Create”
- Filter on Operation is “Thread Create”
- Filter on Operation is “Load Image”
- Filter on Operation is “RegCreateKey”
- Filter on Operation is “RegSetValue”
- Filter on Operation is “Thread Exit”
- Filter on Operation is “Process Exit”
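The same filter process can be applied to the saved .csv with a script instead of Excel. The following is an added example and not code from the original post: it parses a Procmon CSV export (default columns "Time of Day", "Process Name", "PID", "Operation", "Path", "Result", "Detail"), rebuilds the process tree from Process Create events, lists threads and loaded images per PID, separates real file creations from plain CreateFile opens, and flags RegSetValue writes under Run/RunOnce keys. The sample rows are constructed for the example; they reuse the PIDs, TIDs and paths reported in this post but are not the author's actual capture.

```python
import csv
import io
import re

# Constructed sample in the shape of Procmon's default CSV export. The PIDs,
# TIDs and paths mirror those reported in the post; the rows themselves are
# made up for this example and are not the author's capture.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:15:01.0000000","Explorer.EXE","324","Process Create","C:\Documents and Settings\user\Desktop\w6.exe","SUCCESS","PID: 808, Command line: ""C:\Documents and Settings\user\Desktop\w6.exe"" "
"10:15:01.0100000","w6.exe","808","Process Start","","SUCCESS","Parent PID: 324, Command line: ""C:\Documents and Settings\user\Desktop\w6.exe"" "
"10:15:01.0200000","w6.exe","808","Thread Create","","SUCCESS","Thread ID: 584"
"10:15:01.0300000","w6.exe","808","Load Image","C:\WINDOWS\system32\wsock32.dll","SUCCESS","Image Base: 0x71ad0000, Image Size: 0x9000"
"10:15:01.5000000","w6.exe","808","CreateFile","C:\WINDOWS\msagent\svhost.exe","SUCCESS","Desired Access: Generic Write, Read Attributes, Disposition: OverwriteIf, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: None, AllocationSize: 0, OpenResult: Created"
"10:15:01.6000000","w6.exe","808","RegSetValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svhost","SUCCESS","Type: REG_SZ, Length: 62, Data: C:\WINDOWS\msagent\svhost.exe"
"10:15:02.0000000","w6.exe","808","Thread Create","","SUCCESS","Thread ID: 1404"
"10:15:02.1000000","w6.exe","808","Process Create","C:\WINDOWS\msagent\svhost.exe","SUCCESS","PID: 256, Command line: ""C:\WINDOWS\msagent\svhost.exe"""
"10:15:02.2000000","svhost.exe","256","Process Start","","SUCCESS","Parent PID: 808, Command line: ""C:\WINDOWS\msagent\svhost.exe"""
"10:15:02.3000000","svhost.exe","256","Thread Create","","SUCCESS","Thread ID: 1296"
"10:15:03.0000000","svhost.exe","256","CreateFile","C:\WINDOWS\msagent\svhost.exe","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, AllocationSize: n/a, OpenResult: Opened"
"10:15:06.0000000","w6.exe","808","Thread Exit","","SUCCESS","Thread ID: 1404, User Time: 0.0000000, Kernel Time: 0.0000000"
"10:15:06.0000000","w6.exe","808","Thread Exit","","SUCCESS","Thread ID: 584, User Time: 0.0000000, Kernel Time: 0.0000000"
"10:15:06.1000000","w6.exe","808","Process Exit","","SUCCESS","Exit Status: 0, User Time: 0.0156250 seconds, Kernel Time: 0.0312500 seconds"
'''

PROCESS_CREATE_RE = re.compile(r'PID:\s*(\d+),\s*Command line:\s*(.*)')
THREAD_ID_RE = re.compile(r'Thread ID:\s*(\d+)')
RUN_KEY_RE = re.compile(r'\\CurrentVersion\\Run(Once)?\\[^\\]+$', re.IGNORECASE)
WRITE_RESULT_RE = re.compile(r'OpenResult:\s*(Created|Overwritten|Superseded)')


def load_events(csv_text):
    """Parse a Procmon CSV export into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def _seconds(time_of_day):
    """'HH:MM:SS.fffffff' -> seconds since midnight (strptime rejects 7 fraction digits)."""
    h, m, s = time_of_day.split(':')
    return int(h) * 3600 + int(m) * 60 + float(s)


def _rows_for(events, pid):
    return [e for e in events if int(e['PID']) == pid]


def process_tree(events):
    """child PID -> parent PID, parent image, child image and command line (Process Create rows)."""
    tree = {}
    for e in events:
        if e['Operation'] != 'Process Create':
            continue
        m = PROCESS_CREATE_RE.match(e['Detail'])
        if m:
            tree[int(m.group(1))] = {'ppid': int(e['PID']), 'parent': e['Process Name'],
                                     'image': e['Path'], 'cmdline': m.group(2).strip()}
    return tree


def not_spawned_by_explorer(tree):
    """The post's rule of thumb: user processes not started by Explorer.EXE deserve a look."""
    return sorted(pid for pid, info in tree.items() if info['parent'].lower() != 'explorer.exe')


def threads(events, pid):
    """(created TIDs, exited TIDs) for one process, in event order."""
    created, exited = [], []
    for e in _rows_for(events, pid):
        m = THREAD_ID_RE.search(e['Detail'])
        if m and e['Operation'] == 'Thread Create':
            created.append(int(m.group(1)))
        elif m and e['Operation'] == 'Thread Exit':
            exited.append(int(m.group(1)))
    return created, exited


def loaded_images(events, pid):
    return [e['Path'] for e in _rows_for(events, pid) if e['Operation'] == 'Load Image']


def files_created(events, pid):
    """Paths this PID really created or overwrote. CreateFile is also how a file is
    merely opened, so require write access plus an OpenResult of Created/Overwritten."""
    return [e['Path'] for e in _rows_for(events, pid)
            if e['Operation'] == 'CreateFile' and e['Result'] == 'SUCCESS'
            and 'Generic Write' in e['Detail'] and WRITE_RESULT_RE.search(e['Detail'])]


def run_key_persistence(events):
    """(PID, value path, data) for every RegSetValue under a Run or RunOnce key."""
    hits = []
    for e in events:
        if e['Operation'] == 'RegSetValue' and RUN_KEY_RE.search(e['Path']):
            hits.append((int(e['PID']), e['Path'], e['Detail'].split('Data:', 1)[-1].strip()))
    return hits


def process_lifetime(events, pid):
    """Seconds from Process Start to Process Exit, or None if the process never exited."""
    start = stop = None
    for e in _rows_for(events, pid):
        if e['Operation'] == 'Process Start':
            start = _seconds(e['Time of Day'])
        elif e['Operation'] == 'Process Exit':
            stop = _seconds(e['Time of Day'])
    return None if start is None or stop is None else round(stop - start, 2)


EVENTS = load_events(SAMPLE_CSV)

if __name__ == '__main__':
    tree = process_tree(EVENTS)
    for pid in sorted(tree):
        print(pid, '<-', tree[pid]['ppid'], tree[pid]['parent'], tree[pid]['cmdline'])
    print('not started by Explorer:', not_spawned_by_explorer(tree))
    print('Run key entries:', run_key_persistence(EVENTS))
    for pid in (808, 256):
        print(pid, threads(EVENTS, pid), loaded_images(EVENTS, pid),
              files_created(EVENTS, pid), process_lifetime(EVENTS, pid))
```

To use it on a real capture, replace SAMPLE_CSV with the contents of the exported .csv (File > Save, CSV format). Filtering on PID rather than on Process Name, as the helpers do, matters when the sample spawns a second copy of itself under the same name; and the read-only CreateFile from PID 256 in the sample is there to show why files_created() checks the Detail column instead of trusting the operation name alone.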
Reviewing the overall Process/Thread activity following execution of malware, I identified the creation of our malicious process:
File Name: w6.exe
MD5: 654eef6ff6dbe666c1d9fd1f6049d525
PID: 808
PPID: 324 (Explorer.exe)
PID 808 was started from Explorer.exe by the logged-on Windows user account, i.e. the file was launched interactively.
Analyst’s Notes: most user processes are started by Explorer.exe; it is suspicious when they are not.
Within Procmon I then created a filter for Process Name is w6.exe to isolate all process and thread activity for PID 808. (Where a sample spawns a second copy of itself under the same name, filter on PID instead.)
Thread Creation
A process is a container; threads do the actual work.
Malware loaded into memory
w6.exe is loaded into memory from %UserProfile%\Desktop.
Windows Prefetch file created
This is an artifact left on the file system by the execution of our malware. Prefetch files are written by the system prefetcher after a program launches and record the path to the executable, the files and directories it touched during its first seconds, the run count and the last run time, which makes them evidence of execution even after the binary itself has been deleted. Ref: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/appendix/hh/appendix/enhancements5_0eecebea-e58b-4c95-8520-9b1dc2bc6196.xml.asp
Loaded DLLs
wsock32.dll is loaded into the process address space of PID 808 (w6.exe).
wsock32.dll exposes the Windows Sockets API, used to handle network connections; seeing it in a dropper is a cue to capture network traffic from the sandbox as well.
Loaded DLLs can be identified with the Load Image filter.
Review all other DLLs loaded in the same way.
Svhost.exe created on the volume
The CreateFile function is used by PID 808 (w6.exe) to create svhost.exe on the volume; svhost.exe is written to C:\Windows\msagent. Because CreateFile is also how a file is merely opened, confirm a genuine creation in the Detail column: a write access (Generic Write), a Disposition of Create, OverwriteIf or Supersede, and an OpenResult of Created or Overwritten, normally followed by WriteFile operations on the same path.
CreateFile Function (MSDN) - Creates or opens a file or I/O device. The most commonly used I/O devices are as follows: file, file stream, directory, physical disk, volume, console buffer, tape drive, communications resource, mailslot, and pipe. The function returns a handle that can be used to access the file or device for various types of I/O depending on the file or device and the flags and attributes specified.
Windows Registry Modified
Persistence is established through the Windows Registry:
- A 'Run' value pointing to C:\Windows\msagent\svhost.exe is created under HKLM\Software\Microsoft\Windows\CurrentVersion\Run
- svhost.exe will therefore be started from C:\Windows\msagent at every Windows logon, which a second Autoruns run should show against the baseline saved before execution
Svhost.exe Process Creation -
PID 808 (w6.exe) creates PID 256 by executing "C:\Windows\msagent\svhost.exe"; Procmon records the new PID and the command line in the Detail column of the Process Create event.
This is a user process that was not started by Explorer.exe: it was started by another process via a command line. Most user processes are started by Explorer.exe, and it is suspicious when they are not; here the parent is the file that was just run from the Desktop.
PID 808 and its threads, TIDs 1404 and 584, then exit.
Summary of Process/Thread Activity for PID 808
- PID 808 (w6.exe) creates two (2) threads, TIDs 584 and 1404
- A Windows Prefetch file is created for PID 808 within %SYSTEMROOT%\Prefetch
- C:\WINDOWS\Prefetch\W6.EXE-1DA168E3.pf
- File system artifact
- DLLs loaded into the address space of w6.exe are identified with the Load Image filter
- wsock32.dll is loaded into the address space of PID 808
- Windows Sockets API, used to handle network connections
- PID 808 creates svhost.exe on the volume
- svhost.exe is written to C:\Windows\msagent
- PID 808 sets a Registry 'Run' value for svhost.exe in the SOFTWARE hive (HKLM)
- PID 808 (w6.exe) creates PID 256 by executing "C:\Windows\msagent\svhost.exe" via a command line
- PID 808 and TIDs 584 and 1404 exit five (5) seconds after the file was executed
What about Process/Thread Activity for PID 256 (svhost.exe)?
Following our baseline process, we are able to quickly obtain a basic understanding of Process/Thread activity for PID 256 (svhost.exe).
Summary of Process/Thread Activity for PID 256
- PID 256 (svhost.exe) is created by PID 808 (w6.exe)
- PID 256 (svhost.exe) creates four (4) threads: TIDs 1296, 196, 1096, 1312
- A Windows Prefetch file is created for PID 256 within %SYSTEMROOT%\Prefetch
- C:\WINDOWS\Prefetch\SVHOST.EXE-01E779D2.pf
- File system artifact
- DLLs loaded into the address space of svhost.exe are identified with the Load Image filter
- wsock32.dll is loaded into the address space of PID 256
- Windows Sockets API, used to handle network connections
- PID 256 modifies Registry values in the SOFTWARE hive and in the NTUSER.DAT hive of the logged-on user
- PID 256 (svhost.exe) and TIDs 1296, 196, 1096, 1312 had not exited at the end of the five (5) minute period
- Snap shot of VM taken post infection