Nytro Posted December 20, 2011

Analyzing malware using Sysinternals' VMMap
Posted by Chief Banana on December 19, 2011

In May 2011, Sysinternals released a new tool called 'vmmap'. According to the website: 'VMMap is a process virtual and physical memory analysis utility. It shows a breakdown of a process's committed virtual memory types as well as the amount of physical memory (working set) assigned by the operating system to those types. Besides graphical representations of memory usage, VMMap also shows summary information and a detailed process memory map'.

While analyzing a piece of malware for a chapter in a book, I discovered the great usage of this tool. I had already identified that a suspicious connection was using the PID 1040. Investigating the processes around this PID, it became clear that this PID belonged to one of the 'svchost' processes. Another interesting file that was used by this process was called '6to4ex.dll'.

Opening VMMap from a forensic cd-rom, the tool asked for the starting process. In this case I selected the option 'SVCHOST' with the PID of 1040. Next, the breakdown of this process's committed virtual memory types and used files became visible. Under the svchost process overview, the '6to4ex.dll' file was also shown.

Selecting this file and using the shortcut 'CTRL+T', which activates the strings view command, very interesting strings about this file became visible.

The interesting strings about the malware used and its capabilities:

· '%s\shell\open\command'
· Gh0st Update
· E:\gh0st\server\sys\i368\RESSDT.pdb
· \??\RESSDTDOS
· ?AVCScreenmanager
· ?AVCScreenSpy
· ?AVCKeyboardmanager
· ?AVCShellmanager
· ?AVCAudio
· ?AVCAudiomanager
· SetWindowsHookExA
· CVideocap
· Global\Gh0st %d
· \cmd.exe

By searching for more details around the term 'Gh0st' and backdoor, it became clear that this might be a Chinese Remote Access Tool (RAT) that is commonly known to be used in targeted attacks. Features of this RAT are: capturing audio/video/keystrokes, remote shell, remote command, file manager, spying on the screen and many more.

Definitely VMMap will be part of my malware IR kit.

Source: Analyzing malware using Sysinternals' VMMap | securitybananas.com
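The strings view (CTRL+T) is doing two things an analyst can also script for triage of a dumped or carved module: pull out runs of printable characters, then compare them against strings already known from an earlier case. The following Python is an added example, not code from the article or from Sysinternals; it implements a minimal ASCII strings extractor and matches the output against the Gh0st-related strings listed in the post. The `SAMPLE_MODULE` bytes are a constructed stand-in for a module image (not a real 6to4ex.dll), and the indicator list deliberately leaves out generic entries such as `SetWindowsHookExA` and `%s\shell\open\command`, which appear in plenty of legitimate software.

```python
import re

# Strings taken from the article's VMMap strings view of 6to4ex.dll that
# are specific enough to treat as indicators (generic API names omitted).
GH0ST_INDICATORS = [
    "Gh0st Update",
    r"E:\gh0st\server\sys\i368\RESSDT.pdb",
    r"\??\RESSDTDOS",
    "?AVCScreenmanager",
    "?AVCScreenSpy",
    "?AVCKeyboardmanager",
    "?AVCShellmanager",
    "?AVCAudio",
    "?AVCAudiomanager",
    "CVideocap",
    r"Global\Gh0st %d",
]

# Constructed sample: a fake module image holding a few of the strings from
# the article, separated by non-printable bytes. Not a real Gh0st binary.
SAMPLE_MODULE = (
    b"MZ\x90\x00\x03\x00" + b"\x00" * 16
    + b"Gh0st Update\x00"
    + b"\x01\x02\x03"
    + b"E:\\gh0st\\server\\sys\\i368\\RESSDT.pdb\x00"
    + b"\xff\xfe"
    + b"?AVCKeyboardmanager\x00SetWindowsHookExA\x00"
    + b"\x00" * 8
    + b"Global\\Gh0st %d\x00"
    + b"ab\x00"  # shorter than min_len, so not reported as a string
)


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Return runs of at least min_len printable ASCII bytes, in file order.

    This mirrors the ASCII half of what a strings view shows; VMMap also
    lists UTF-16 strings, which this simple version does not handle.
    """
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def match_indicators(strings, indicators=GH0ST_INDICATORS) -> list:
    """Return the indicators that appear verbatim among the extracted strings."""
    found = set(strings)
    return [ioc for ioc in indicators if ioc in found]


def triage_module(data: bytes, min_len: int = 4) -> dict:
    """Extract strings and flag the module if several known indicators match.

    Requiring more than one hit keeps a single coincidental string (for
    example a shared class name) from raising an alert on its own.
    """
    strings = extract_strings(data, min_len)
    hits = match_indicators(strings)
    return {"strings": strings, "hits": hits, "suspicious": len(hits) >= 2}


if __name__ == "__main__":
    result = triage_module(SAMPLE_MODULE)
    for s in result["strings"]:
        print("string:", s)
    print("indicator hits:", result["hits"])
    print("suspicious:", result["suspicious"])
```

To use it on real material, read the module file (or a VMMap-exported region dump) into `data` instead of `SAMPLE_MODULE`; the indicator list is the part worth maintaining per case, and the threshold in `triage_module` is a tunable assumption rather than anything the article prescribes.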