Hello All,
This is a brief post on how I analyze malicious executables. Linked below is a quick overview of my setup, toolkit, and steps.
This script was written to obtain a memory dump from a remote host and launch Volatility commands against the dump locally. I haven't updated the code since I wrote it, so you may need to tweak it a bit to work in your environment.
*Note: enabling the Strings function will more than likely lock up your computer, because PowerShell will attempt to load the entire memory dump into memory before the regular expressions run.
############################################
############################################
## RAM.ps1 - Remote Acquisition of Memory ##
## v1.0                                   ##
## James Saunders                         ##
## 02/25/2013                             ##
############################################
############################################

param([String] $hst, [string] $opt="")
$hst = $hst.toUpper()

#Date
$date = Get-Date -uformat "%y_%m_%d"

#Set Directories
$bin = ".\bin"
$OutputDir = ".\captures\RAM\$hst\"
$PDDir = $OutputDir + "Processes and DLLs"
$KMODir = $OutputDir + "Kernel Memory and Objects"
$NetwDir = $OutputDir + "Networking"
$MalDir = $OutputDir + "Malware"
$StrDir = $OutputDir + "Strings"
ni $OutputDir -type directory -force | out-null
ni $PDDir -type directory -force | out-null
ni $KMODir -type directory -force | out-null
ni $NetwDir -type directory -force | out-null
ni $MalDir -type directory -force | out-null
ni $StrDir -type directory -force | out-null

#Set 3rd party utils
$psexec = $bin + "\psexec.exe"
$winpmem = $bin + "\winpmem-1.3.1.exe"
$volatility = $bin + "\volatility-2.2.standalone.exe"
cp $volatility $OutputDir
$volEXE = $OutputDir + "volatility-2.2.standalone.exe"

#FileName Creation
$DumpName = "c:\" + $hst + ".raw"                     #where winpmem writes the dump on the remote host
$RetrievePath = "\\" + $hst + '\c$\' + $hst + ".raw"   #admin share path used to pull the dump back
$DumpFileName = $OutputDir + $hst + ".raw"             #local copy inside $OutputDir that Volatility is run against

function banner{
    write-host '++++++++++++++++++++++++++++++++++++++++++++++++++' -foregroundcolor black -backgroundcolor yellow
    write-host '+                     RAM V1                     +' -foregroundcolor black -backgroundcolor yellow
    write-host "+          Remote Acquisition of Memory          +" -foregroundcolor black -backgroundcolor yellow
    write-host "++++++++++++++++++++++++++++++++++++++++++++++++++" -foregroundcolor black -backgroundcolor yellow
    write-host "`n"
}

function FurElise{
    #Tune played when the Volatility run finishes: (frequency in Hz, duration in ms) per note
    $notes = @(
        @(420,200),@(400,200),@(420,200),@(400,200),@(420,200),@(315,200),@(370,200),@(335,200),@(282,600),
        @(180,200),@(215,200),@(282,200),@(315,600),
        @(213,200),@(262,200),@(315,200),@(335,600),
        @(213,200),@(420,200),@(400,200),@(420,200),@(400,200),@(420,200),@(315,200),@(370,200),@(335,200),@(282,600),
        @(180,200),@(215,200),@(282,200),@(315,600),
        @(213,200),@(330,200),@(315,200),@(282,600)
    )
    foreach ($n in $notes) { [console]::beep($n[0], $n[1]) }
}

function RAMGrabber{
    #Send EXE to dump Memory
    write-host "[+] " -foregroundcolor green -nonewline; write-host "Dumping Memory on $hst"
    &$psexec \\$hst -e -c $winpmem $DumpName 2>$null
    write-host "[+] " -foregroundcolor green -nonewline; write-host "Dump Complete!"
    #Copy Dump to local host
    write-host "[+] " -foregroundcolor green -nonewline; write-host "Transferring Dump to $OutputDir"
    write-host "   [+] " -foregroundcolor yellow -nonewline; write-host "Large file may take a while"
    cp $RetrievePath $OutputDir
    write-host "[+] " -foregroundcolor green -nonewline; write-host "Transfer Complete!"
    #Delete dump on remote machine
    write-host "[+] " -foregroundcolor green -nonewline; write-host "Removing Dump from $hst"
    ri $RetrievePath
    write-host "[+] " -foregroundcolor green -nonewline; write-host "Removal Complete!"
}

#Runs one Volatility plugin (plus any extra plugin arguments) against the local dump and
#appends its output to $outFile. Helper that replaces the repeated command lines in Vol.
function Invoke-VolPlugin([string] $outFile, [string[]] $pluginArgs){
    write-host "   [-] " -foregroundcolor cyan -nonewline; write-host "Executing $($pluginArgs -join ' ') command"
    &$volEXE --profile=$profileType -f $DumpFileName @pluginArgs >> $outFile
}

function Vol{
    write-host "[+] " -foregroundcolor green -nonewline; write-host "Launching Volatility 2.2"
    write-host "[+] " -foregroundcolor red -nonewline; write-host "This will take a while (music will play when complete)"
    #Query the remote OS version once (script scope) and pick the matching Volatility profile
    $os = gwmi Win32_OperatingSystem -computername $hst
    if ($os.version -like "6*") {$script:profileType = "Win7SP1x86"} else {$script:profileType = "WinXPSP3x86"}

    #Runs Commands and saves to respective files
    ##Gathers image info
    write-host "[+] " -foregroundcolor yellow -nonewline; write-host "Exporting Image Info"
    &$volEXE -f $DumpFileName imageinfo >> "$OutputDir\imageinfo.txt"

    ##Processes and DLLs
    write-host "[+] " -foregroundcolor yellow -nonewline; write-host "Exporting Processes and DLLs Info"
    Invoke-VolPlugin "$PDDir\pslist.txt" @("pslist")
    Invoke-VolPlugin "$PDDir\pslist.txt" @("pslist", "-P")
    Invoke-VolPlugin "$PDDir\pstree.txt" @("pstree")
    Invoke-VolPlugin "$PDDir\psscan.txt" @("psscan")
    Invoke-VolPlugin "$PDDir\dlllist.txt" @("dlllist")
    Invoke-VolPlugin "$PDDir\handles.txt" @("handles")
    Invoke-VolPlugin "$PDDir\getsids.txt" @("getsids")

    ##Kernel Memory and Objects
    write-host "[+] " -foregroundcolor yellow -nonewline; write-host "Exporting Kernel Memory and Objects"
    Invoke-VolPlugin "$KMODir\modules.txt" @("modules")
    Invoke-VolPlugin "$KMODir\modules.txt" @("modules", "-P")
    Invoke-VolPlugin "$KMODir\modscan.txt" @("modscan")
    Invoke-VolPlugin "$KMODir\ssdt.txt" @("ssdt")
    Invoke-VolPlugin "$KMODir\driverscan.txt" @("driverscan")
    Invoke-VolPlugin "$KMODir\filescan.txt" @("filescan")
    Invoke-VolPlugin "$KMODir\mutantscan.txt" @("mutantscan")
    Invoke-VolPlugin "$KMODir\symlinkscan.txt" @("symlinkscan")
    Invoke-VolPlugin "$KMODir\thrdscan.txt" @("thrdscan")

    ##Networking Info
    write-host "[+] " -foregroundcolor yellow -nonewline; write-host "Exporting Networking Info"
    Invoke-VolPlugin "$NetwDir\connections.txt" @("connections")
    Invoke-VolPlugin "$NetwDir\connections.txt" @("connections", "-P")
    Invoke-VolPlugin "$NetwDir\connscan.txt" @("connscan")
    Invoke-VolPlugin "$NetwDir\sockets.txt" @("sockets")
    Invoke-VolPlugin "$NetwDir\sockets.txt" @("sockets", "-P")
    Invoke-VolPlugin "$NetwDir\sockscan.txt" @("sockscan")
    Invoke-VolPlugin "$NetwDir\netscan.txt" @("netscan")

    ##Malware Info
    write-host "[+] " -foregroundcolor yellow -nonewline; write-host "Exporting Malware Info"
    Invoke-VolPlugin "$MalDir\malfind.txt" @("malfind")
    Invoke-VolPlugin "$MalDir\svcscan.txt" @("svcscan")
    Invoke-VolPlugin "$MalDir\ldrmodules.txt" @("ldrmodules", "-v")
    Invoke-VolPlugin "$MalDir\idt.txt" @("idt")
    Invoke-VolPlugin "$MalDir\gdt.txt" @("gdt")
    Invoke-VolPlugin "$MalDir\psxview.txt" @("psxview")

    #Commands Complete
    write-host "[+] " -foregroundcolor green -nonewline; write-host "Volatility Commands Complete"
    #Remove the Volatility EXE copied next to the dump
    ri $volEXE
}

function Strings{
    #Not Working: runs out of system memory because gc loads the entire dump at once
    write-host "[+] " -foregroundcolor green -nonewline; write-host "Executing String Search"
    #Loads Dump
    $data = gc $DumpFileName
    #Searches Dump for URLs
    $pattern = '(((http|https)://)|(www\.))+(([a-zA-Z0-9\._-]+\.[a-zA-Z]{2,6})|([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}))(/[a-zA-Z0-9\&%_\./-~-]*)?'
    $resultingMatches = [Regex]::Matches($data, $pattern, "IgnoreCase")
    $resultingMatches | foreach { ac $StrDir\http.txt $_.Value }
    #Searches Dump for IPv4 addresses
    $pattern = '\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b'
    $resultingMatches = [Regex]::Matches($data, $pattern, "IgnoreCase")
    $resultingMatches | foreach { ac $StrDir\IPAddresses.txt $_.Value }
}

banner
RAMGrabber
Vol
FurElise
#Strings

##### HISTORY #####
#Created 02/25/2013
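The Strings function above is disabled because Get-Content pulls the whole dump into memory before the regular expressions run. What follows is an added example, not part of the original post or of RAM.ps1, showing how to pull the same URL and IPv4 artifacts out of a raw image while holding only one chunk in memory at a time. The overlap carried between chunks keeps a token that straddles a chunk boundary from being missed or reported truncated, and an octet check discards dotted quads such as 999.1.2.3 that the script's regex would accept. The sample dump, the example.invalid hostnames and the 203.0.113.45 address are constructed test data, and the URL pattern is a simplified stand-in for the script's own. Python is used here rather than PowerShell because it is the language Volatility itself is written in.

```python
"""Streaming scan of a raw memory dump for URLs and IPv4 addresses (added example)."""
import io
import os
import re
import tempfile
from typing import BinaryIO, Dict

# Patterns are bytes so the dump is never decoded; lengths are capped so that
# no match can be longer than OVERLAP bytes (a prerequisite of the chunking below).
URL_RE = re.compile(
    rb"(?:https?://|www\.)[A-Za-z0-9._-]{1,253}(?:/[A-Za-z0-9._~%&/=?+-]{0,512})?",
    re.IGNORECASE,
)
IPV4_RE = re.compile(rb"(?<![0-9.])(?:[0-9]{1,3}\.){3}[0-9]{1,3}(?![0-9.])")
OVERLAP = 1024  # must exceed the longest possible match (about 780 bytes here)


def valid_ipv4(token: bytes) -> bool:
    """Reject dotted quads the regex accepts but that are not addresses (e.g. 999.1.2.3)."""
    return all(int(octet) <= 255 for octet in token.split(b"."))


def scan_stream(stream: BinaryIO, chunk_size: int = 4 * 1024 * 1024) -> Dict[str, Dict[bytes, int]]:
    """Scan a binary stream chunk by chunk; returns {kind: {match: first absolute offset}}."""
    if chunk_size <= 0:
        raise ValueError("chunk_size must be positive")
    found: Dict[str, Dict[bytes, int]] = {"urls": {}, "ips": {}}
    done = {"urls": 0, "ips": 0}  # absolute end of the last match consumed per pattern
    carry = b""   # tail of the previous buffer, re-scanned together with the next chunk
    base = 0      # absolute file offset of carry[0]
    while True:
        chunk = stream.read(chunk_size)
        eof = not chunk
        buf = carry + chunk
        if not buf:
            break
        # A match starting within OVERLAP bytes of the end of buf could be cut off by the
        # chunk boundary, so it is deferred and re-examined once the next chunk is appended.
        boundary = len(buf) if eof else max(len(buf) - OVERLAP, 0)
        for kind, rx, check in (("urls", URL_RE, None), ("ips", IPV4_RE, valid_ipv4)):
            for m in rx.finditer(buf):
                if m.start() >= boundary:
                    break  # finditer yields in offset order, so the rest are deferred too
                # Index 0 of a carried buffer was already judged with its real left-hand
                # context last round; anything inside an already consumed span is skipped too.
                if (base > 0 and m.start() == 0) or base + m.start() < done[kind]:
                    continue
                if check is None or check(m.group()):
                    found[kind].setdefault(m.group(), base + m.start())
                done[kind] = base + m.end()
        if eof:
            break
        keep_from = max(boundary - 1, 0)  # one extra byte so the lookbehind keeps its context
        carry = buf[keep_from:]
        base += keep_from
    return found


def scan_bytes(data: bytes, chunk_size: int = 4 * 1024 * 1024) -> Dict[str, Dict[bytes, int]]:
    return scan_stream(io.BytesIO(data), chunk_size)


def scan_dump(path: str, chunk_size: int = 4 * 1024 * 1024) -> Dict[str, Dict[bytes, int]]:
    with open(path, "rb") as fh:
        return scan_stream(fh, chunk_size)


def build_sample_dump() -> bytes:
    """Constructed stand-in for a memory image: binary filler with a few ASCII artifacts."""
    return b"".join([
        b"\x00" * 700,
        b"MZ\x90\x00" + b"\x11" * 40,
        b"http://example.invalid/update/check?id=7\x00",
        b"\xff" * 500,
        b"www.example.invalid\x00",
        b"ver 10.0.19041.1\x00",        # five-digit component, never matches the dotted-quad regex
        b"peer 203.0.113.45:443\x00",
        b"bad 999.1.2.3\x00",           # matches the regex but fails the octet check
        b"\x00" * 300,
    ])


if __name__ == "__main__":
    with tempfile.NamedTemporaryFile(suffix=".raw", delete=False) as tmp:
        tmp.write(build_sample_dump())
    try:
        # A 32-byte chunk size forces every artifact to straddle chunk boundaries
        for kind, hits in scan_dump(tmp.name, chunk_size=32).items():
            for value, offset in sorted(hits.items(), key=lambda kv: kv[1]):
                print(f"{kind:4s} @0x{offset:08x} {value.decode('ascii')}")
    finally:
        os.remove(tmp.name)
```

Run it as-is to scan the embedded sample; for a real .raw image point scan_dump at the file and keep the default 4 MiB chunk size (the 32-byte size in the demo exists only to exercise the boundary handling). Deduplicating on the matched value, as the dict does, keeps the output list short even when the same beacon URL appears thousands of times in memory.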
To create an effective job portfolio, certain steps must be followed.
First, you should gather the following:
1) Create the Resume
2) Accumulate best examples of your work
3) Append Honors and Awards
4) Include Professional affiliations
5) Add College Transcript
Finally, you should make a soft copy of the portfolio. Each of the sections should have its own folder contained in a Zip file. Then, make a hard copy of the zip file on your medium of choice.
I do not believe that Google is making us stupid; in fact, it helps drive innovation. The vast index database Google has amassed allows a user to find information quickly that can be used for a variety of tasks. People no longer try to reinvent the wheel but instead try to make improvements based on the information found. Productivity is saved by an IT staff because Google stores the fixes to complex problems plaguing end users, quickly getting them back to work. In my personal experience Google allows me to move past the trivial and focus on a complex task rather than skim through pages of text. The only downside of Google is that it drives our attention span down, addicting us to instant information. The critical thinking required for reading long writing is no longer there; we have become conditioned to expect quick blurbs of data. The quick access to data can only spread knowledge, thus Google cannot make users stupid, just impatient.
This is a quick class writing assignment in response to an article by Nicholas Carr, “Is Google Making Us Stupid?” URL: http://www.theatlantic.com/magazine/archive/2008/07/is-google-making-us-stupid/6868/