If you remember from the pcap analysis in part one, the C2 client at 58.64.132.141 was communicating with 172.16.150.20, and after decoding the Gh0st traffic we were able to discern that the victim's hostname was ENG-USTXHOU-148, so that is where we will pick up.
Loading the memdump.bin file into Volatility's imageinfo module confirms what we saw in the Gh0st data: this machine is running Windows XP Service Pack 3, so the WinXPSP3x86 profile is the one to pass to every command that follows.
vol.py -f memdump.bin imageinfo
Taking a look at the output of connscan, you can see the connection to the C2 client at 58.64.132.141. The process that owns that connection has a PID of 1024. Keep in mind that connscan carves connection objects out of physical memory, so it can also return connections that had already been closed; that is why the PID still has to be checked against the process list.
vol.py -f memdump.bin --profile=WinXPSP3x86 connscan
The output of pstree shows that the process with PID 1024 is svchost.exe, so we clearly have a problem: svchost.exe hosts Windows services and does not normally hold a direct connection to an arbitrary external host. You can also see that this svchost.exe is the parent of wc.exe, which we saw in part one; a service host spawning a command-line tool is another red flag.
vol.py -f memdump.bin --profile=WinXPSP3x86 pstree
Listing the DLLs loaded into PID 1024 with dlllist turns up one that does not belong in a stock svchost.exe: 6to4ex.dll.
vol.py -f memdump.bin --profile=WinXPSP3x86 dlllist -p 1024
You can dump the suspect DLL out of memory using the dlldump module, with -r selecting the module by name. Note that a DLL rebuilt from memory has been relocated and had its imports resolved in place, so its hash will generally not match the file as it sat on disk; a VirusTotal miss on the dumped copy would not have cleared it.
vol.py -f memdump.bin --profile=WinXPSP3x86 dlldump -p 1024 --dump-dir ./dumpout -r 6to4ex
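The pivot above (connscan gives a PID, pstree gives the process and its parent and children, dlllist gives the suspect module) is easy to script once you have the plugin output saved to text. The following is an added example, not code from the original post or from the Volatility project; it parses constructed Volatility 2 output that mimics this case, and the object offsets, timestamps and every PID other than 1024 are made up for illustration.

```python
"""Correlate Volatility 2 connscan, pstree and dlllist text output: start from
a known C2 address, find the owning process, walk its ancestry and children,
then pick out the suspect module from its DLL list.

Added example, not the post's or Volatility's code. The three blocks below are
constructed to look like Volatility 2 output; offsets, timestamps and all PIDs
except 1024 are made up.
"""
import re
from typing import Dict, List, Tuple

# Constructed connscan output: the C2 connection plus one unrelated SMB session.
CONNSCAN = """\
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x0209f0e8 172.16.150.20:1291        58.64.132.141:80          1024
0x020f4a90 172.16.150.20:139         172.16.150.10:445         4
"""

# Constructed pstree output; leading dots encode tree depth as Volatility prints it.
PSTREE = """\
Name                                                  Pid   PPid   Thds   Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
 0x823c89c8:System                                      4      0     53    240 1970-01-01 00:00:00 UTC+0000
. 0x820df020:smss.exe                                  368      4      3     19 2012-04-28 01:25:38 UTC+0000
.. 0x821a2da0:winlogon.exe                             608    368     23    519 2012-04-28 01:25:39 UTC+0000
... 0x81fa4020:services.exe                            652    608     16    261 2012-04-28 01:25:40 UTC+0000
.... 0x8218f020:svchost.exe                           1024    652     64   1169 2012-04-28 01:25:41 UTC+0000
..... 0x8211b7a0:wc.exe                               2196   1024      1     21 2012-04-28 02:42:07 UTC+0000
"""

# Constructed dlllist -p 1024 output, trimmed to a few modules.
DLLLIST = """\
************************************************************************
svchost.exe pid:   1024
Command line : C:\\WINDOWS\\system32\\svchost -k netsvcs
Service Pack 3

Base             Size  LoadCount Path
---------- ---------- ---------- ----
0x01000000     0x6000     0xffff C:\\WINDOWS\\system32\\svchost.exe
0x7c900000    0xb2000     0xffff C:\\WINDOWS\\system32\\ntdll.dll
0x10000000    0x2c000        0x1 C:\\WINDOWS\\system32\\6to4ex.dll
"""

CONN_RE = re.compile(r"^0x[0-9a-f]+\s+(\S+)\s+(\S+)\s+(\d+)$")
PSTREE_RE = re.compile(r"^\.*\s*0x[0-9a-f]+:(\S+)\s+(\d+)\s+(\d+)\s+")
DLL_RE = re.compile(r"^(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(.+?)\s*$")


def pids_talking_to(connscan: str, remote_ip: str) -> List[int]:
    """PIDs that own a connection whose remote address is remote_ip."""
    pids = []
    for line in connscan.splitlines():
        m = CONN_RE.match(line.strip())
        if m and m.group(2).rsplit(":", 1)[0] == remote_ip:
            pids.append(int(m.group(3)))
    return pids


def parse_pstree(pstree: str) -> Dict[int, Tuple[str, int]]:
    """Map pid -> (image name, parent pid)."""
    procs: Dict[int, Tuple[str, int]] = {}
    for line in pstree.splitlines():
        m = PSTREE_RE.match(line)
        if m:
            procs[int(m.group(2))] = (m.group(1), int(m.group(3)))
    return procs


def lineage(procs: Dict[int, Tuple[str, int]], pid: int) -> List[str]:
    """Chain from pid up to the root as 'name(pid)'; the seen-set stops cycles
    that can appear in carved or corrupt process lists."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        name, ppid = procs[pid]
        chain.append(f"{name}({pid})")
        pid = ppid
    return chain


def children(procs: Dict[int, Tuple[str, int]], pid: int) -> List[str]:
    """Direct children of pid, lowest PID first."""
    return [f"{n}({p})" for p, (n, pp) in sorted(procs.items()) if pp == pid]


def modules_matching(dlllist: str, name_regex: str) -> List[str]:
    """Paths of loaded modules whose file name matches name_regex (the same
    kind of selection dlldump's -r option makes)."""
    pat = re.compile(name_regex, re.IGNORECASE)
    return [m.group(4) for m in (DLL_RE.match(l.strip()) for l in dlllist.splitlines())
            if m and pat.search(m.group(4).rsplit("\\", 1)[-1])]


def triage(remote_ip: str, dll_regex: str) -> Dict[int, Dict[str, List[str]]]:
    """Tie the three outputs together for one C2 address."""
    procs = parse_pstree(PSTREE)
    return {pid: {"lineage": lineage(procs, pid),
                  "children": children(procs, pid),
                  "modules": modules_matching(DLLLIST, dll_regex)}
            for pid in pids_talking_to(CONNSCAN, remote_ip)}


if __name__ == "__main__":
    for pid, info in triage("58.64.132.141", "6to4ex").items():
        print(f"PID {pid}")
        print("  lineage :", " <- ".join(info["lineage"]))
        print("  children:", ", ".join(info["children"]) or "-")
        print("  modules :", ", ".join(info["modules"]) or "-")
```

On a real case, replace the three constants with the saved plugin output (`vol.py ... connscan > connscan.txt` and so on). The lineage svchost.exe <- services.exe <- winlogon.exe <- smss.exe is the normal XP service-host ancestry; it is the wc.exe child and the extra module that stand out, not the parent chain.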
We then take the MD5 of the dumped file and check whether VirusTotal has seen it before.
Apparently so! OK, so we've found our backdoor. Running strings against the file also reveals a couple of instances of "Gh0st", which further confirms our suspicions.
So how did this machine become compromised in the first place? I ran the entire memdump.bin file through strings and then grepped that output for 58.64.132.141. Adding -C N to the grep command gives you N lines of context before and after each match. There are several hits, but the most interesting one is listed below. Two caveats: strings only emits ASCII by default, so run a second pass with strings -el to catch UTF-16LE text, which is how Windows keeps most paths, URLs and registry data in memory; and a hit in a raw dump is not tied to a process until you map its offset back with Volatility's strings plugin.
strings memdump.bin | grep -C 30 58.64.132.141
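The same search done directly against the image bytes, in both encodings, with printable context around each hit. This is an added example rather than anything from the original post; IMAGE is a constructed byte string standing in for memdump.bin, built from the post's own indicators (the C2 address and the DLL name) surrounded by made-up filler.

```python
"""Find an indicator in a raw memory image in both ASCII and UTF-16LE and
return printable context around each hit, which is what
`strings memdump.bin | grep -C 30 <ioc>` does for the ASCII copies only.

Added example, not code from the post. IMAGE is a constructed stand-in for
memdump.bin: the IP and DLL name are the post's indicators, the rest is filler.
"""
from typing import List, Tuple

IMAGE = (
    b"\x00" * 40
    + b"GET /index.php HTTP/1.1\r\nHost: 58.64.132.141\r\n\r\n"   # ASCII copy
    + b"\x90\x90\xcc"
    + "C:\\WINDOWS\\system32\\6to4ex.dll".encode("utf-16-le")  # wide path
    + b"\x00\x00"
    + "http://58.64.132.141:80/".encode("utf-16-le")         # wide copy
    + b"\xff" * 16
)


def _printable(text: str) -> str:
    """Replace anything outside printable ASCII with '.' so the context reads
    the way a strings(1) dump would."""
    return "".join(c if 0x20 <= ord(c) < 0x7F else "." for c in text)


def find_ioc(image: bytes, ioc: str, context: int = 32) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, context) for every ASCII and UTF-16LE copy of
    ioc, sorted by offset. A plain ASCII strings pass reports only the first kind."""
    hits: List[Tuple[int, str, str]] = []
    for enc, needle in (("ascii", ioc.encode("ascii")),
                        ("utf-16le", ioc.encode("utf-16-le"))):
        off = image.find(needle)
        while off != -1:
            lo = max(0, off - context)
            hi = min(len(image), off + len(needle) + context)
            if enc == "utf-16le":
                lo += (off - lo) % 2          # keep the window in phase with the hit
                text = image[lo:hi].decode("utf-16-le", errors="replace")
            else:
                text = image[lo:hi].decode("latin-1")
            hits.append((off, enc, _printable(text)))
            off = image.find(needle, off + 1)
    return sorted(hits)


if __name__ == "__main__":
    for off, enc, ctx in find_ioc(IMAGE, "58.64.132.141"):
        print(f"{off:#010x} {enc:8s} {ctx}")
```

Against the constructed image the ASCII search alone would have reported only the HTTP request; the URL stored as UTF-16LE next to the DLL path shows up only in the second pass. To run it on the real dump, read memdump.bin into memory in chunks (with an overlap of at least the needle length) rather than loading the whole file at once.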
We were also given a timeline file, in which we can see both the execution of the trojan and the creation of 6to4ex.dll. A little further on, we see the same activity that we saw in the pcap file.
Now we have plenty of indicators to go on: the C2 address, the hostname, the DLL name and its hash, and the svchost.exe to wc.exe process relationship. I'll be making another post soon about using this information to create an IOC signature with Mandiant's IOC Editor.