VolDiff, for memory image differential analysis

Published: 2015-05-03
Last Updated: 2015-05-03 04:35:41 UTC
by Russ McRee (Version: 1)
0 comment(s)

VolDiff is a bash script that runs Volatility plugins against memory images captured before and after malware execution providing a differential analysis, helping identify IOCs and understand advanced malware behaviour. 
I had intended to include it in my latest toolsmith article, Attack & Detection: Hunting in-memory adversaries with Rekall and WinPmem, but quite literally ran out of space and time. 
Using WinPmem, as part of Rekall and GRR offerings, you can acquire two memory images, one clean image prior to infection or compromise, and one after buggering your target system.
As you'll note in the article, I compromised a Windows 7 x64 SP1 VM with a PowerShell one-two punch, the vast majority of which occurred in-memory only. While documenting the related activities for the column, I also took before and after images for VolDiff testing as follows:
winpmem_1.6.2.exe baseline.raw, and after pwnzorship, winpmem_1.6.2.exe compromised.raw.
I then ran ./VolDiff.sh baseline.raw compromised.raw Win7SP1x64 on my Ubuntu server and bingo, after much time and ado (VolDiff takes a while to be sure), out popped VolDiff-report.txt.
To summarize briefly from the article, the malfeasance I unleashed against that poor, unsuspecting VM was all executed in the context of powershell.exe. To that end, did the VolDiff results corroborate the findings achieved with Rekall? Absolutely! Note that the suspicious PIDs from the article are 1284 and 2396. You'll spot them prominently in the following snippets of affirmation:

| |  / /___  / / __ \(_) __/ __/
| | / / __ \/ / / / / / /_/ /_  
| |/ / /_/ / / /_/ / / __/ __/  
|___/\____/_/_____/_/_/ /_/     

Volatility analysis report generated by VolDiff v0.9.3.
Download the latest version from https://github.com/aim4r/VolDiff/.

Suspicious new netscan entries
===========================================================================

0x13c8993d0        UDPv4    0.0.0.0:0    *:*                                   2396     powershell.exe 2015-04-26 17:56:08 UTC+0000
0x13e81acb0        UDPv4    0.0.0.0:0    *:*                                   1284     powershell.exe 2015-04-26 18:17:33 UTC+0000

Suspicious new pslist entries
===========================================================================

0xfffffa8031da1400 cmd.exe                1676   2396      0 --------      1      0 2015-04-26 18:11:52 UTC+0000   2015-04-26 18:15:50 UTC+0000  
0xfffffa8033b17060 powershell.exe         2604   1676      5      250      1      1 2015-04-26 18:12:58 UTC+0000  
0xfffffa80322c2060 cmd.exe                2912   1284      0 --------      1      0 2015-04-26 19:16:50 UTC+0000   2015-04-26 19:19:41 UTC+0000  
0xfffffa8032407460 powershell.exe         1984   2912      6      235      1      0 2015-04-26 19:18:20 UTC+0000                                 

Suspicious new psscan entries
===========================================================================

0x000000013eac2060 cmd.exe            2912   1284 0x0000000055564000 2015-04-26 19:16:50 UTC+0000   2015-04-26 19:19:41 UTC+0000  
0x000000013eb65060 powershell.exe     1284   2244 0x00000000bc783000 2015-04-26 18:17:32 UTC+0000                                 
0x000000013f6a8060 cmd.exe            2288   1284 0x000000006dd6f000 2015-04-26 19:19:44 UTC+0000   2015-04-26 19:55:20 UTC+0000  
0x000000013eb65060 powershell.exe     1284   2244 0x00000000bc783000 2015-04-26 18:17:32 UTC+0000                

Suspicious new ldrmodules entries
===========================================================================

 1284 powershell.exe       0x000000006df70000 False  False  False \Windows\SysWOW64\schannel.dll
 2396 powershell.exe       0x000000006e010000 False  False  False \Windows\SysWOW64\credssp.dll
 
Suspicious new executables
===========================================================================

powershell

Suspicious new malfind entries
===========================================================================

Process: powershell.exe Pid: 2396 Address: 0x6400000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 216, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x06400000  4d 5a e8 00 00 00 00 5b 52 45 55 89 e5 81 c3 d0   MZ.....[REU.....

Process: powershell.exe Pid: 1284 Address: 0x4ff0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 33, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x04ff0000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............

Suspicious new getsids entries
===========================================================================
 
powershell.exe (1284): S-1-5-21-1828531342-1736868966-1560356964-513 (Domain Users)
powershell.exe (1284): S-1-1-0 (Everyone)
powershell.exe (1284): S-1-5-114
powershell.exe (1284): S-1-5-32-544 (Administrators)
powershell.exe (1284): S-1-5-32-545 (Users)
powershell.exe (1284): S-1-5-4 (Interactive)
powershell.exe (1284): S-1-2-1 (Console Logon (Users who are logged onto the physical console))
powershell.exe (1284): S-1-5-11 (Authenticated Users)
powershell.exe (1284): S-1-5-15 (This Organization)
powershell.exe (1284): S-1-5-113
powershell.exe (1284): S-1-5-5-0-194227 (Logon Session)
powershell.exe (1284): S-1-2-0 (Local (Users with the ability to log in locally))
powershell.exe (1284): S-1-5-64-10 (NTLM Authentication)
powershell.exe (1284): S-1-16-12288 (High Mandatory Level) 

Yep, powershell.exe definitely did it. :-) Great memory analysis tool from Houcem Hachicha (@aim4r). Give it a try!

Pop quiz: Under the malfind results, in the ASCII readable output dumped from the hex, what jumps out at you? First right answer to @sans_isc and @holisticinfosec in the same Tweet, one per reader, wins some insignificant yet enjoyable schwag.
Cheers!

Russ McRee | @holisticinfosec

0 comment(s)

Comments


Diary Archives