Below is a bash script that uses Volatility to locate the dllhost.exe process in a memory image, dump its address space, and search the dump for the CLSID\{...}\localserver32 registry paths under which the Poweliks trojan stores itself. If it finds such a path, it attempts to print the matching key from every user's UsrClass.dat hive so the registry-resident payload can be seen.
#!/bin/bash
# Script to collect information by utilizing Volatility
# Script is built to quickly identify the Poweliks trojan until the malware changes
#### Configurable Settings #############
homeDir=$(pwd)
memImage="$homeDir/mem.dump"
locVolPy='/usr/share/volatility/vol.py'
volProfile=''
#########################################
date
outputDir="$homeDir/output"
dumpDir="$homeDir/dumpdir"
tempDir="$homeDir/temp"
# mkdir -p creates the whole tree and does not fail when a directory already exists
mkdir -p "$outputDir/vaddump" "$dumpDir" "$tempDir"
# Find the profile for the image that is being analyzed and store it in volProfile
# (imageinfo prints "Suggested Profile(s) : Win7SP1x64, Win7SP0x64, ..."; take the first one)
python "$locVolPy" -f "$memImage" imageinfo > "$outputDir/imageinfo"
volProfile=$(grep "Suggested Profile(s)" "$outputDir/imageinfo" | awk '{print $4}' | sed 's/,//')
if [ -z "$volProfile" ]; then
    echo "Could not determine a profile for $memImage, see $outputDir/imageinfo"
    exit 1
fi
echo "Identified Profile: $volProfile"
# Run the following volatility plugins to identify the dllhost.exe process ID and the hivelist
for pluginCommand in pslist hivelist
do
    echo "Running $pluginCommand and saving results to $outputDir/$pluginCommand"
    python "$locVolPy" -f "$memImage" --profile="$volProfile" "$pluginCommand" > "$outputDir/$pluginCommand"
done
# Identify the Process ID(s) of dllhost.exe. Poweliks usually spawns more than one,
# so collect all of them as a comma-separated list, which is what vaddump -p accepts.
processID=$(grep -i "dllhost.exe" "$outputDir/pslist" | awk '{print $3}' | paste -sd, -)
if [ -n "$processID" ]; then
    echo "dllhost.exe was found at the following processID(s): $processID"
else
    echo "dllhost.exe Process ID was not found in the pslist..."
    exit 1
fi
# With the Process ID(s) of dllhost let's do a vaddump of the process
python "$locVolPy" -f "$memImage" --profile="$volProfile" vaddump -p "$processID" -D "$outputDir/vaddump"
# Search the vaddump of the process for strings that match a clsid regular expression
for regEntry in $(strings "$outputDir"/vaddump/* | egrep -i -e 'clsid\\\{[0-9A-Fa-f-]{36}\}\\localserver32')
do
    echo "Found the following clsid registry entry in the vaddump: $regEntry"
    # ${regEntry:17} strips the leading "Software\Classes\" (17 characters) so that the
    # key path is relative to the root of the user's UsrClass.dat hive, as printkey -K expects.
    # This assumes the recovered string starts with that prefix.
    # Find the virtual offset for the registry hives for the users on the computer
    for virtualOffset in $(grep -i "UsrClass.dat" "$outputDir/hivelist" | awk '{print $1}')
    do
        echo "Found the virtual offset for the user at $virtualOffset"
        echo "Attempting to dump the registry value using volatility if it exists for the user..."
        python "$locVolPy" -f "$memImage" --profile="$volProfile" printkey -o "$virtualOffset" -K "${regEntry:17}"
    done
done
echo ""
echo "If Poweliks was identified you should see a bunch of random-looking (encoded) data above..."
echo ""
date
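The script above is hard to exercise without a memory image in hand. As an added example (my own code, not part of the original post), the following bash functions isolate the parsing steps the script relies on, namely collecting the dllhost.exe PIDs from pslist, pulling CLSID\{GUID}\localserver32 key paths out of strings output, and finding the UsrClass.dat hive offsets, and run them over constructed Volatility output embedded inline. The pslist, hivelist and strings samples, the GUID, the offsets and the vol.py path are all made up for the example. Instead of stripping a fixed 17-character prefix, the key extraction uses grep -o so the result is relative to the hive root regardless of what prefix the string carried in memory.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post. Factors the parsing steps
# of the Poweliks script into functions and checks them against constructed
# Volatility output. All sample data below is made up.

# All dllhost.exe PIDs from a pslist listing (name is column 2, PID column 3),
# comma-joined so they can be handed to vaddump's -p option in one go.
# Poweliks typically spawns several dllhost.exe processes.
dllhost_pids() {
    awk 'tolower($2) == "dllhost.exe" { p = p (p ? "," : "") $3 } END { print p }' "$@"
}

# Registry key paths of the form CLSID\{GUID}\localserver32 from strings output.
# grep -o keeps only the matching part, so whatever prefix the string had
# (Software\Classes\, HKCU\..., nothing) does not matter and the result is
# already relative to the UsrClass.dat hive root, which printkey -K expects.
# Case-insensitive match, deduplicated ignoring case (first spelling wins).
clsid_keys() {
    grep -iEo 'clsid\\\{[0-9a-f-]{36}\}\\localserver32' "$@" | awk '!seen[tolower($0)]++'
}

# Virtual offsets (column 1) of every per-user UsrClass.dat hive in a hivelist listing.
usrclass_offsets() {
    awk '/UsrClass\.dat/ { print $1 }' "$@"
}

# Every (hive offset, key path) pair rendered as the printkey command the script
# would run. Printed rather than executed so the example runs offline;
# pipe the output into bash to run it against a real image.
printkey_commands() {
    local vol="$1" image="$2" profile="$3" hives="$4" keys="$5"
    local off key
    while IFS= read -r off; do
        while IFS= read -r key; do
            printf '%s\n' "python $vol -f $image --profile=$profile printkey -o $off -K \"$key\""
        done <<< "$keys"
    done <<< "$hives"
}

# --- Constructed sample output (not captured from a real image) ---------------
SAMPLE_PSLIST='Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
0xfffffa8001234560 svchost.exe             880    500     12      300      0      0 2014-10-01 12:00:00 UTC+0000
0xfffffa8001234570 dllhost.exe            1764    880      4      120      1      0 2014-10-01 12:05:00 UTC+0000
0xfffffa8001234580 dllhost.exe            2012    880      4      118      1      0 2014-10-01 12:05:01 UTC+0000
0xfffffa8001234590 explorer.exe           1500   1400     30      900      1      0 2014-10-01 12:01:00 UTC+0000'

SAMPLE_HIVELIST='Virtual            Physical           Name
0xfffff8a000024010 0x000000002e9f8010 \SystemRoot\System32\Config\SOFTWARE
0xfffff8a000c3a010 0x000000003a2a9010 \??\C:\Users\alice\AppData\Local\Microsoft\Windows\UsrClass.dat
0xfffff8a000d11010 0x000000003b117010 \??\C:\Users\bob\AppData\Local\Microsoft\Windows\UsrClass.dat'

# Strings as they might come out of a dllhost.exe vaddump: the same key in two
# spellings, an unrelated string, and a malformed CLSID that must not match.
SAMPLE_STRINGS='Software\Classes\CLSID\{01234567-89AB-CDEF-0123-456789ABCDEF}\localserver32
C:\Windows\System32\dllhost.exe
software\classes\clsid\{01234567-89ab-cdef-0123-456789abcdef}\localserver32
CLSID\{NOTAGUID}\localserver32'

# Walk-through over the samples, mirroring the script's order of operations.
demo() {
    local pids keys hives
    pids=$(dllhost_pids <<< "$SAMPLE_PSLIST")
    echo "dllhost.exe PIDs for vaddump -p: $pids"
    keys=$(clsid_keys <<< "$SAMPLE_STRINGS")
    echo "CLSID keys found: $keys"
    hives=$(usrclass_offsets <<< "$SAMPLE_HIVELIST")
    printkey_commands /usr/share/volatility/vol.py mem.dump Win7SP1x64 "$hives" "$keys"
}

demo
```

On the samples this yields the PID list `1764,2012`, a single key `CLSID\{01234567-89AB-CDEF-0123-456789ABCDEF}\localserver32`, and one printkey command per UsrClass.dat hive (two here, one per user). Swap the sample variables for `cat output/pslist`, `strings output/vaddump/*` and `cat output/hivelist` to use the functions on real output from the script above.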
Twitter: @lokut
This blog is for educational purposes only. The opinions expressed in this blog are my own and do not reflect the views of my employers.