P4r4n0id Reversing Lab

MORTO – From a Memory-Dump Point of View

by on Sep.07, 2011, under Malware, Reversing

Hi Guys,

A couple of days ago it was reported that a new worm was spreading in the wild. The worm is called Morto and it infects Windows workstations and servers. It uses a never-before-seen spreading vector: RDP.

For this analysis I have decided to use the well-known memory forensics framework “volatility”.

Dynamic Infection

In order to analyze Morto with the volatility framework you first have to dump the full RAM contents. I used my preferred tool for this, MoonSols win32dd.exe.

Once my sandbox was ready I executed my Morto sample (MD5: 2EEF4D8B88161BAF2525ABFB6C1BAC2B), waited a few seconds until I saw some network activity and some file system modifications, fired up win32dd.exe and saved the memory file as “morto_mem.dmp”.

The Sample

We are ready, let’s fire up volatility and start the analysis:

[imageinfo]


[pslist]

Note: I used the -P switch to obtain the physical offset.


Hmmm, looks like no malicious process is running…

Let’s check for open connections:

[connscan]

Yep, port 3389 (RDP), and it looks like PID 1064 is the troublemaker; let’s check the process name:

Hmmm, svchost.exe

By its timestamp (2011-08-30) and its PPID (parent PID) we can tell that this process is a legitimate system process.

Let’s check the PPID of all svchost.exe processes:

Same timestamp, and all have a parent PID of 676, which is services.exe:

If svchost.exe (PID 1064) is a legit process, why the malicious connections?

192.168.164.128:1055 -> 192.168.162.1:3389   (PID:1064)
192.168.164.128:1046 -> 111.68.13.250:80     (PID:1064)

A DLL? :)

Let’s see what file system modifications occurred during the infection (Regshot output):

We can see that during the infection Morto creates 4 new files on the infected system and also deletes itself.

Notice the Sens32.dll that was created; let’s check whether it is loaded by a specific process:


Yep, “Sens32.dll” is loaded by our “malicious” svchost.exe process; let’s dump our malicious process:
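To show how the pslist, connscan and DLL findings above combine into a single triage check, here is an added Python example (not from the original post and not part of volatility) that runs over constructed, simplified versions of that output; PID 1064, PPID 676, the two connections and Sens32.dll come from the post, while the second svchost.exe instance (PID 892) and both DLL sets are assumptions.

```python
from collections import defaultdict

# Constructed output modelled on the post (columns simplified vs. real volatility).
PSLIST = """\
Offset(P)  Name         PID  PPID
0x01f4e020 services.exe 676  620
0x01e9a6c8 svchost.exe  892  676
0x01e7d2a0 svchost.exe  1064 676
0x01dd8020 explorer.exe 1520 1496
"""
CONNSCAN = """\
Local Address         Remote Address        Pid
192.168.164.128:1055  192.168.162.1:3389    1064
192.168.164.128:1046  111.68.13.250:80      1064
"""
# Hypothetical dlllist summaries; only Sens32.dll comes from the post.
DLLLIST = {892: {"ntdll.dll", "kernel32.dll", "rpcrt4.dll"},
           1064: {"ntdll.dll", "kernel32.dll", "rpcrt4.dll", "Sens32.dll"}}

def parse_pslist(text):
    """Return {pid: (name, ppid)} from a pslist-style table."""
    procs = {}
    for line in text.splitlines()[1:]:
        _offset, name, pid, ppid = line.split()
        procs[int(pid)] = (name, int(ppid))
    return procs

def parse_connscan(text):
    """Return [(remote_ip, remote_port, pid)] from a connscan-style table."""
    conns = []
    for line in text.splitlines()[1:]:
        _local, remote, pid = line.split()
        ip, port = remote.rsplit(":", 1)
        conns.append((ip, int(port), int(pid)))
    return conns

def triage(procs, conns, dlls, name="svchost.exe"):
    """Flag `name` instances with an odd parent, RDP client conns or unique DLLs."""
    findings = defaultdict(list)
    siblings = [p for p, (n, _) in procs.items() if n == name]
    for pid in siblings:
        parent = procs.get(procs[pid][1], ("<unknown>", 0))[0]
        if parent != "services.exe":  # passes for Morto: parent is legitimate
            findings[pid].append(f"unexpected parent: {parent}")
    for ip, port, pid in conns:
        if pid in siblings and port == 3389:  # svchost acting as an RDP client
            findings[pid].append(f"RDP client connection to {ip}:{port}")
    for pid in siblings:  # baseline each instance against its siblings' DLLs
        others = set().union(*(dlls.get(s, set()) for s in siblings if s != pid))
        for extra in sorted(dlls.get(pid, set()) - others):
            findings[pid].append(f"DLL not loaded by any sibling {name}: {extra}")
    return dict(findings)
```

Only PID 1064 is reported, for the RDP connection and for Sens32.dll, while the parent check passes for both svchost.exe instances exactly as in the post.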

It was reported that Morto finds a Remote Desktop server and then attempts to log in as Administrator using a list of hard-coded passwords. Let’s try to get this list:

And here is the list:

After removing duplicate users / passwords the list included 103 items:

It was also reported that Morto “copy itself to the target system by creating a temporary drive under letter A: and copying a file called a.dll”:

Till Next Sample :)

Keep safe,

p4r4n0id
