Awesome
Volatility Hacking Team Attribution (attributeht) plugin
This plugin searches a memory dump for evidence of the Hacking Team Galileo Remote Control System (RCS), and attempts to attribute the infection to particular Hacking Team client.
Background
The 'elite' level implant maps a region of shared memory using a 7-alphanumeric character name in order to prevent the installation of lower-level implants. This shared memory section is fairly unique, and can be detected using a Regex.
###Attribution In addition, the list of watermarks for Hacking Team clients was leaked, allowing an attempt at attribution to be made by matching the watermark to a client installation.
For more information, see the blog post here: https://www.4armed.com/blog/memory-forensics-detecting-galileo-rcs-windows
##How-to
The folder where the plugin is located should be passed on to Volatility using the --plugins=
parameter.
volatility --plugins=volatility-attributeht --profile=WinXPSP2x86 -f test.raw attributeht
Running by default will attempt to identify any HT implants on the machine. The following flags affect how the plugin runs:
-p PID, --pid=PID Operate on these Process IDs (comma-separated)
-n NAME, --name=NAME Operate on these process names (regex)
-e, --extract Attempt to extract configuration data from memory
-D DUMP_DIR, --dump-dir=DUMP_DIR
Directory in which to dump configuration files
-E, --onlyelite Search for Elite Implants only
-S, --onlyscout Search for Scout Implants only
Extracting configurations.
If the --extract flag is used, then the plugin will attempt to recover configuration information from any implants it finds in memory. This includes AES keys for the scout implants, as well as full JSON configurations for the elite level implants. These are saved to the 'DUMP-DIR' location.
Example Run
An Example run is shown below with the 'extract' option enabled; the memory image for this is available at: http://hyperionbristol.co.uk/uploads/example_WinXPSP2x86.raw
This sample image has two different infections, an elite level infection from one threat actor, and an unmodified development scout infection. The plugin can differentiate between these.
root@4A-JG-Kali:/mnt/ramdisk# volatility --plugins=volatility-attributeht -f example_WinXPSP2x86.raw attributeht --extract --dump-dir=configs
Volatility Foundation Volatility Framework 2.4
Hacking Team Galileo RCS Implant Detection - 4ARMED Ltd
PID Watermark Process Name Implant Type Threat Actor Confidence (Low-Certain) C2 Server Configuration File
300 B3lZ3bup pippopippo.exe Scout VIRGIN Certain 10.0.2.4 configs/scout_configuration_300.json
1852 3OqZ1N5a userinit.exe Elite/Soldier FAE-FURLAN Certain None None
1888 3OqZ1N5a explorer.exe Elite/Soldier FAE-FURLAN Certain None None
228 3OqZ1N5a UsbCipHelper.ex Elite/Soldier FAE-FURLAN Certain None None
212 3OqZ1N5a VBoxTray.exe Elite/Soldier FAE-FURLAN Certain None None
244 3OqZ1N5a 19pivy.exe Elite/Soldier FAE-FURLAN Certain None None
252 3OqZ1N5a ctfmon.exe Elite/Soldier FAE-FURLAN Certain None None
264 3OqZ1N5a msmsgs.exe Elite/Soldier FAE-FURLAN Certain None None
292 3OqZ1N5a rundll32.exe Elite/Soldier FAE-FURLAN Certain 178.62.50.243 configs/configuration_elite_292_0xb03fe8L.json
300 3OqZ1N5a pippopippo.exe Elite/Soldier FAE-FURLAN Certain None None
Configuration Files
Example recovered data is shown below for both levels of implant
####Scout Implant
{
"c2_server": "10.0.2.4",
"watermark": "B3lZ3bup",
"process_name": "pippopippo.exe",
"pid": "300",
"key_data": {
"server_key": "4yeN5zu0+il3Jtcb5a1sBcAdjYFcsD9z",
"evidence_key": "i6gMR84bxvQovzbhtV-if0SdPMu359ax",
"log_key": "uX-o0BOIkiyOyVXH4L3FYhbai-CvMU-_"
},
"threat_actor": "VIRGIN",
"implant_type": "Scout"
}
Elite Implant
{
"s": {
"migrated": false,
"version": 2012041601,
"remove_driver": true,
"collapsed": false,
"quota": {
"max": 4194304000,
"min": 1048576000
},
"nohide": [],
"type": "desktop",
"wipe": false,
"advanced": false
},
"modules": [
{
"module": "addressbook"
},
{
"module": "application"
},
{
"module": "calendar"
},
{
"buffer": 512000,
"record": true,
"compression": 5,
"module": "call"
},
{
"quality": "med",
"module": "camera"
},
{
"module": "chat"
},
{
"module": "clipboard"
},
{
"network": {
"processes": [],
"enabled": false
},
"synchronize": false,
"mic": true,
"module": "crisis",
"hook": {
"processes": [],
"enabled": true
},
"camera": true,
"call": true,
"position": true
},
{
"list": false,
"module": "device"
},
{
"capture": true,
"deny": [
"*\\AppData\\Local*",
"*\\AppData\\Roaming*",
"*\\Skype\\Plugins\\*",
"*\\$RECYCLE.BIN\\*",
"*:\\Windows\\*",
"*.dll",
"*.exe",
"*.ini",
"*.lnk",
"*.ico",
"*.tlb",
"*.clb",
"*.dat",
"*.drv",
"*.ocx",
"*.url",
"\\\\.\\*"
],
"accept": [
"*.doc",
"*.docx",
"*.xls",
"*.xlsx",
"*.ppt",
"*.pptx",
"*.pps",
"*.ppsx",
"*.odt",
"*.ods",
"*.odp",
"*.rtf",
"*.txt",
"*.pdf"
],
"minsize": 1,
"maxsize": 500000,
"module": "file",
"date": "2015-08-06 00:00:00",
"open": false
},
{
"usb": false,
"mobile": false,
"vm": 0,
"module": "infection",
"factory": "",
"local": false
},
{
"module": "keylog"
},
{
"module": "money"
},
{
"mail": {
"filter": {
"dateto": "2100-01-01 00:00:00",
"maxsize": 100000,
"datefrom": "2015-08-06 00:00:00",
"history": true
},
"enabled": true
},
"sms": {
"filter": {
"dateto": "2100-01-01 00:00:00",
"datefrom": "2015-08-06 00:00:00",
"history": true
},
"enabled": true
},
"module": "messages",
"mms": {
"filter": {
"dateto": "2100-01-01 00:00:00",
"datefrom": "2015-08-06 00:00:00",
"history": true
},
"enabled": true
}
},
{
"threshold": 0.22,
"autosense": false,
"silence": 5,
"module": "mic"
},
{
"width": 50,
"module": "mouse",
"height": 50
},
{
"module": "password"
},
{
"module": "photo"
},
{
"cell": true,
"wifi": true,
"module": "position",
"gps": false
},
{
"onlywindow": false,
"quality": "med",
"module": "screenshot"
},
{
"module": "url"
}
],
"events": [
{
"start": 0,
"enabled": true,
"ts": "00:00:00",
"subtype": "loop",
"te": "23:59:59",
"event": "timer",
"desc": "STARTUP"
},
{
"repeat": 1,
"start": 1,
"enabled": true,
"ts": "00:00:00",
"delay": 10,
"subtype": "loop",
"te": "23:59:59",
"event": "timer",
"desc": "SCREENSHOT"
},
{
"repeat": 2,
"start": 2,
"enabled": true,
"ts": "00:00:00",
"iter": 1,
"delay": 120,
"subtype": "loop",
"te": "23:59:59",
"event": "timer",
"desc": "CAMERA"
},
{
"repeat": 3,
"start": 3,
"enabled": true,
"ts": "00:00:00",
"delay": 900,
"subtype": "loop",
"te": "23:59:59",
"event": "timer",
"desc": "POSITION"
},
{
"repeat": 4,
"enabled": true,
"ts": "00:00:00",
"delay": 120,
"subtype": "loop",
"te": "23:59:59",
"event": "timer",
"desc": "SYNC"
}
],
"actions": [
{
"subactions": [
{
"action": "module",
"status": "start",
"module": "device"
},
{
"action": "module",
"status": "start",
"module": "call"
},
{
"action": "module",
"status": "start",
"module": "calendar"
},
{
"action": "module",
"status": "start",
"module": "addressbook"
},
{
"action": "module",
"status": "start",
"module": "messages"
},
{
"action": "module",
"status": "start",
"module": "chat"
},
{
"action": "module",
"status": "start",
"module": "url"
},
{
"action": "module",
"status": "start",
"module": "keylog"
},
{
"action": "module",
"status": "start",
"module": "mouse"
},
{
"action": "module",
"status": "start",
"module": "password"
},
{
"action": "module",
"status": "start",
"module": "file"
}
],
"desc": "STARTUP"
},
{
"subactions": [
{
"action": "module",
"status": "start",
"module": "screenshot"
}
],
"desc": "SCREENSHOT"
},
{
"subactions": [
{
"action": "module",
"status": "start",
"module": "camera"
}
],
"desc": "CAMERA"
},
{
"subactions": [
{
"action": "module",
"status": "start",
"module": "position"
}
],
"desc": "POSITION"
},
{
"subactions": [
{
"mindelay": 0,
"maxdelay": 0,
"wifi": true,
"stop": false,
"bandwidth": 500000,
"cell": false,
"host": "178.62.50.243",
"action": "synchronize"
}
],
"desc": "SYNC"
}
]
}