Thursday, June 23, 2016

Angler Exploit Kit + Volatility Forensic Tool

Volatility is an excellent tool for analyzing memory dumps. It helps locate artifacts hidden in memory that are otherwise cumbersome to find by manual analysis. Starting from a memory dump taken after exploitation by the Angler Exploit Kit, here are the steps to get to the malware, which is executed directly from memory.

I've got hold of a VM snapshot from here (thanks to "Malware don't need Coffee"), which was frozen after the Angler Kit dropped its malware post exploitation.

Get the list of running processes

From the list, the process we need to concentrate on is PID 860, which belongs to "iexplore.exe" (note that its parent is again iexplore.exe and not explorer.exe).

Next, use malfind to look for abnormalities within PID 860.

C:\VOL>vola -f memdump.vmss -p 860 malfind > malfind.txt

Analyzing "malfind.txt", you will find traces of Angler shellcode. From analysis and the blog it's understood that Angler's shellcode most often starts with NOPs "\x90\x90". Here's what malfind has in store for us.

Process: iexplore.exe Pid: 860 Address: 0x6cb0000
Flags: CommitCharge: 41, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x06cb0000  90 90 90 90 e9 00 00 00 00 e8 17 03 00 00 8d 88   ................
0x06cb0010  2c 07 40 00 85 c9 74 05 e8 14 03 00 00 e8 03 03   ,.@...t.........
0x06cb0020  00 00 05 64 07 40 00 b9 4d 5a 00 00 8b 10 83 c0   ...d.@..MZ......
0x06cb0030  04 66 39 08 75 39 8b 48 3c 83 f9 40 72 31 3b ca   .f9.u9.H<..@r1;.

0x6cb0000 90               NOP
0x6cb0001 90               NOP
0x6cb0002 90               NOP
0x6cb0003 90               NOP
0x6cb0004 e900000000       JMP 0x6cb0009
0x6cb0009 e817030000       CALL 0x6cb0325
0x6cb000e 8d882c074000     LEA ECX, [EAX+0x40072c]
0x6cb0014 85c9             TEST ECX, ECX
0x6cb0016 7405             JZ 0x6cb001d
0x6cb0018 e814030000       CALL 0x6cb0331
0x6cb001d e803030000       CALL 0x6cb0325
0x6cb0022 0564074000       ADD EAX, 0x400764
0x6cb0027 b94d5a0000       MOV ECX, 0x5a4d
0x6cb002c 8b10             MOV EDX, [EAX]
0x6cb002e 83c004           ADD EAX, 0x4
0x6cb0031 663908           CMP [EAX], CX
0x6cb0034 7539             JNZ 0x6cb006f
0x6cb0036 8b483c           MOV ECX, [EAX+0x3c]
0x6cb0039 83f940           CMP ECX, 0x40
0x6cb003c 7231             JB 0x6cb006f
0x6cb003e 3bca             CMP ECX, EDX

Make a note of the address where this data is found. We'll then use vaddump on the iexplore PID to dump the shellcode and the malware file completely.

C:\VOL>vola -f memdump.vmss vaddump -p 860 -D vaddump

You should end up with multiple ".dmp" files under the "vaddump" directory. Based on the address of the data, "0x06cb0000", target the dump starting at this address: the file "iexplore.exe.24296b8.0x06cb0000-0x06cd8fff.dmp". Opening the file in a hex editor reveals everything.
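To make the two triage steps above repeatable, here is an added Python example (not code from the original post or from Volatility): it parses malfind's text output in the layout shown earlier, flags regions whose first bytes are the NOP run the post describes, and picks the vaddump file whose address range covers that region. The malfind text is constructed sample input (the second region is invented as a control case) and the vaddump filename pattern is assumed from the name shown above.

```python
import re

# Constructed sample in the layout of Volatility 2's malfind text output: the first
# region copies the one shown on this page, the second is an invented control case.
MALFIND_TXT = """Process: iexplore.exe Pid: 860 Address: 0x6cb0000
Flags: CommitCharge: 41, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x06cb0000  90 90 90 90 e9 00 00 00 00 e8 17 03 00 00 8d 88   ................
0x06cb0010  2c 07 40 00 85 c9 74 05 e8 14 03 00 00 e8 03 03   ,.@...t.........

Process: iexplore.exe Pid: 860 Address: 0x3f0000
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x003f0000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............
"""

HEADER = re.compile(r"^Process: (\S+) Pid: (\d+) Address: (0x[0-9a-f]+)", re.I)
HEXLINE = re.compile(r"^0x[0-9a-f]+\s+((?:[0-9a-f]{2} ){1,16})", re.I)
# Name pattern assumed from the file shown above: <proc>.<vad offset>.<start>-<end>.dmp
VADDUMP_NAME = re.compile(r"^(.+)\.([0-9a-f]+)\.(0x[0-9a-f]+)-(0x[0-9a-f]+)\.dmp$", re.I)

def parse_malfind(text):
    """Return one dict per malfind region: process, pid, address, leading bytes."""
    regions, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = {"process": m.group(1), "pid": int(m.group(2)),
                   "address": int(m.group(3), 16), "bytes": b""}
            regions.append(cur)
            continue
        m = HEXLINE.match(line)
        if m and cur is not None:
            cur["bytes"] += bytes.fromhex(m.group(1).replace(" ", ""))
    return regions

def nop_prefixed_regions(text, min_nops=2):
    """Regions whose first bytes are the NOP run the post ties to Angler shellcode
    ("Protection: 6" in the flags above is PAGE_EXECUTE_READWRITE in Volatility's VAD enum)."""
    return [r for r in parse_malfind(text)
            if r["bytes"][:min_nops] == b"\x90" * min_nops]

def vaddump_file_for(address, filenames):
    """Pick the vaddump output file whose start-end range covers `address`."""
    for name in filenames:
        m = VADDUMP_NAME.match(name)
        if m and int(m.group(3), 16) <= address <= int(m.group(4), 16):
            return name
    return None
```

Run it against a real malfind.txt with `nop_prefixed_regions(open("malfind.txt").read())` and feed each hit's address to `vaddump_file_for` with `os.listdir("vaddump")`; a NOP prefix is a triage hint, not proof, so still inspect the dump.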

VT link for malware.
