Friday, February 20, 2015

Volatility Script to Extract the Registry Keys where Powelik is Stored

Below is a bash script that analyzes the dllhost.exe process for registry entries that could contain the Powelik trojan. If it detects such an entry, it attempts to dump the registry keys where the Powelik malware would be located.

#!/bin/bash
# Script to collect information by utilizing volatility
# Script is built to quickly identify the Powelik Trojan until the malware changes

####  Configurable Settings #############
homeDir=`pwd`
memImage="$homeDir/mem.dump"
locVolPy='/usr/share/volatility/vol.py'
volProfile=''
#########################################
date
outputDir="$homeDir/output"
dumpDir="$homeDir/dumpdir"
tempDir="$homeDir/temp"

# Create the working directories (mkdir -p succeeds even if some already exist)
mkdir -p "$outputDir/vaddump" "$dumpDir" "$tempDir"

# Find the profile for the image that is being analyzed and store it in volProfile
python "$locVolPy" -f "$memImage" imageinfo > "$outputDir/imageinfo"
volProfile=$(grep "Suggested Profile(s)" "$outputDir/imageinfo" | awk '{print $4}' | sed 's/,//')
if [ -z "$volProfile" ]; then
    echo "No suggested profile was found in $outputDir/imageinfo..."
    exit 1
fi
echo "Identified Profile: $volProfile"

# Run the following volatility plugins to identify the dllhost.exe process ID and the hivelist
for pluginCommand in pslist hivelist
do
    echo "Running $pluginCommand and saving results to $outputDir/$pluginCommand"
    python "$locVolPy" -f "$memImage" --profile="$volProfile" "$pluginCommand" > "$outputDir/$pluginCommand"
done

# Identify the Process ID of dllhost.exe (several instances are joined with commas, which vaddump -p accepts)
processID=$(grep -i "dllhost.exe" "$outputDir/pslist" | awk '{print $3}' | paste -sd, -)
if [ -n "$processID" ]; then
    echo "dllhost.exe was found at the following processID: $processID"
else
    echo "dllhost.exe Process ID was not found in the pslist..."
    exit 1
fi

# With the Process ID of dllhost lets do a vaddump of the process
python "$locVolPy" -f "$memImage" --profile="$volProfile" vaddump -p "$processID" -D "$outputDir/vaddump"

# Search the vaddump of the process for strings that match a clsid regular expression
# (read line by line so a matching string that contains spaces is not split into words)
strings "$outputDir"/vaddump/* | grep -i -E 'clsid\\\{[0-9A-Fa-f-]{36}\}\\localserver32' | sort -u |
while IFS= read -r regEntry
do
    echo "Found the following clsid registry entry in the vaddump: $regEntry"
    #echo ${regEntry:17}
    # Find the virtual offset for the registry hives for the users on the computer
    for virtualOffset in $(grep -i "UsrClass.dat" "$outputDir/hivelist" | awk '{print $1}')
    do
        echo "Found the virtual offset for the user at $virtualOffset"
        echo "Attempting to dump the registry value using volatility if it exists for the user..."
        # ${regEntry:17} drops the first 17 characters (the length of "Software\Classes\")
        # so the key path is relative to the UsrClass.dat hive.
        # stdin is redirected so the plugin cannot consume the lines the loop is reading.
        python "$locVolPy" -f "$memImage" --profile="$volProfile" printkey -o "$virtualOffset" -K "${regEntry:17}" < /dev/null
    done
done

echo ""
echo "If the Powelik was identified you should see a bunch of randomness above..."
echo ""

date
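
The script derives the printkey -K argument by dropping a fixed 17 characters from each matched line, which matches the length of "Software\Classes\". As an added example that is not part of the original script, the function below extracts the hive-relative key path by pattern instead, so lines with a different prefix or trailing text still yield a usable path; the function names and the sample GUIDs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original script.

# extract_clsid_keys: read strings(1) output on stdin and print each unique
# hive-relative key path of the form clsid\{GUID}\localserver32.
# grep -o keeps only the matched text, so any prefix (Software\Classes\,
# HKEY_CURRENT_USER\..., \Registry\User\...) and any trailing data is dropped.
# awk de-duplicates case-insensitively, because registry key names are
# case-insensitive, and keeps the first spelling seen.
extract_clsid_keys() {
    LC_ALL=C grep -oiE 'clsid\\\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\\localserver32' |
        awk '!seen[tolower($0)]++'
}

# Constructed sample lines standing in for `strings vaddump/*` output.
# The GUIDs are made up; no value here comes from a real memory image.
sample_strings() {
    cat <<'EOF'
Software\Classes\clsid\{11111111-2222-3333-4444-555555555555}\localserver32
HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\LocalServer32
junk \Registry\User\S-1-5-21-0-0-0-1000_Classes\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\LocalServer32 trailing
clsid\{not-a-guid}\localserver32
CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InprocServer32
EOF
}

# Each printed path is already relative to UsrClass.dat and can be passed
# unchanged as the -K argument of printkey.
sample_strings | extract_clsid_keys
```
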
