Volatility Memory Forensics | Federal Trojan aka R2D2

Last weekend, the German based Chaos Computer Club (CCC) published details on a backdoor trojan they claimed was being used by German authorities, in violation of German law.

For more info on the German state backdoor, go to:
Possible Governmental Backdoor Found

More Info on German State Backdoor

Several German states admit to use of controversial spy software

Here’s a memory image running the malware (Thx to jwcsr): 0zapftis.rar
PW: infected

1.) Image Identification

$ python vol.py -f /home/evild3ad/memory-samples/other/R2D2/0zapftis.vmem imageinfo


2.) Processes

$ python vol.py -f /home/evild3ad/memory-samples/other/R2D2/0zapftis.vmem pslist


3.) Networking

$ python vol.py -f /home/evild3ad/memory-samples/other/R2D2/0zapftis.vmem connscan


One active connection to the IP address on port 6666 is listed. According to the process list, process ID 1956 does not belong to a browser process such as Iexplore.exe or Firefox.exe, but to Explorer.exe. What is this system process doing on the internet?

The Chaos Computer Club modified the binary. The original IP address of the proxy is on port 443.
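As an added example (not part of the original post), the pslist/connscan correlation made above expressed in Python: it parses constructed output in the layout Volatility 2 prints (the PIDs, names and addresses here are placeholders, not values from the 0zapftis image) and flags connections owned by a process that is not expected to use the network or that talk to an unusual remote port.

```python
import re

# Constructed sample output in the layout of Volatility 2's pslist and connscan;
# PIDs, names and addresses are placeholders, not values from the 0zapftis image.
PSLIST = """\
Offset(V)  Name                 PID    PPID   Thds  Hnds  Sess  Wow64 Start
0x821ab020 explorer.exe         1956   1884   21    490   0     0     2011-10-10 17:06:52 UTC+0000
0x81fe2da0 firefox.exe          1644   1956   12    310   0     0     2011-10-10 17:08:01 UTC+0000
"""
CONNSCAN = """\
Offset(P)  Local Address             Remote Address            Pid
0x01e9e3c0 192.168.56.101:1081       203.0.113.10:6666         1956
0x01f0a8d8 192.168.56.101:1099       203.0.113.20:443          1644
"""
# Processes expected to own outbound sockets (hypothetical allowlist); anything else deserves a look.
EXPECTED_NETWORK_PROCS = {"firefox.exe", "iexplore.exe", "svchost.exe"}


def parse_pslist(text):
    """Map PID -> process name; data rows in pslist output start with the offset."""
    procs = {}
    for line in text.splitlines():
        m = re.match(r"0x[0-9a-f]+\s+(\S+)\s+(\d+)\s+\d+", line)
        if m:
            procs[int(m.group(2))] = m.group(1).lower()
    return procs


def parse_connscan(text):
    """Return (remote_ip, remote_port, pid) tuples from connscan output."""
    conns = []
    for line in text.splitlines():
        m = re.match(r"0x[0-9a-f]+\s+\S+\s+(\S+):(\d+)\s+(\d+)", line)
        if m:
            conns.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return conns


def suspicious_connections(pslist, connscan):
    """Join each connection to its owning process and flag the unexpected ones."""
    procs = parse_pslist(pslist)
    findings = []
    for rip, rport, pid in parse_connscan(connscan):
        name = procs.get(pid, "<pid not in pslist>")
        reasons = []
        if name not in EXPECTED_NETWORK_PROCS:
            reasons.append("owning process is not expected to use the network")
        if rport not in (80, 443):
            reasons.append("unusual remote port")
        if reasons:
            findings.append({"pid": pid, "process": name, "remote": f"{rip}:{rport}", "reasons": reasons})
    return findings
```

On real output, feed the text of `pslist` and `connscan` runs into `suspicious_connections`; the explorer.exe connection to port 6666 is the kind of row it surfaces.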

4.) Researching IP Addresses

$ whois


$ whois


5.) Malware Detection
Now, it’s time for the Volatility plug-in malware.py, which was originally developed for the Malware Analyst’s Cookbook. The function ‘apihooks’ looks at the Explorer process with the PID 1956 and finds nothing. No inline hooks!

$ python vol.py -f /home/evild3ad/memory-samples/other/R2D2/0zapftis.vmem -p 1956 apihooks


6.) Let’s try the function ‘malfind’ and the open source YARA project.

$ python vol.py -f /home/evild3ad/memory-samples/other/R2D2/0zapftis.vmem -p 1956 -Y /home/evild3ad/yara-rules/malware.yara -D /home/evild3ad/Volatility/dump-files malfind


7.) VirusTotal
The plugin ‘malfind’ dropped the suspicious PE file it discovered to my output directory as a .dmp file. I submitted it to VirusTotal, and bingo, it is malicious and identified as ‘R2D2’ and ‘Bundestrojaner’. ;-)


8.) Registry
The registry is spread across numerous files called ‘hives’. The current user’s registry branch, HKEY_CURRENT_USER (HKCU), is located in the hidden file NTUSER.DAT in the user’s home directory under \Documents and Settings\. There are two more important branches: HKEY_LOCAL_MACHINE (HKLM) and its Software sub-branch, stored in \Windows\system32\config. But first, we need ‘hivelist’ to display where Windows has mapped these hive files in memory.

$ python vol.py -f /home/evild3ad/memory-samples/other/R2D2/0zapftis.vmem hivelist


Volatility finds HKCU at the virtual address 0xe1bb2b60 and HKLM/Software at the virtual address 0xe1544b60. With this information, we can now use ‘printkey’ to display individual keys and work through the autorun list. After a few dead ends, I notice something suspicious about ‘HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows’.

$ python vol.py printkey -f /home/evild3ad/memory-samples/other/R2D2/0zapftis.vmem -o 0xe1544b60 -K 'Microsoft\Windows NT\CurrentVersion\Windows'


All the DLLs that are specified in this value are loaded by each Microsoft Windows-based application that is running in the current logon session.

9.) Kernel Objects

$ python vol.py --profile=WinXPSP3x86 -f /home/evild3ad/memory-samples/other/R2D2/0zapftis.vmem filescan > filescan.txt


10.) Kernel Drivers

$ python vol.py --profile=WinXPSP3x86 -f /home/evild3ad/memory-samples/other/R2D2/0zapftis.vmem modules


Chaos Computer Club analyzes the Staatstrojaner

Addendum on the Staatstrojaner

Piratenpartei Deutschland: Letter from the Bavarian Ministry of Justice as PDF

Reposted from http://www.evild3ad.com/?p=1136