[Vol-users] SpyEye example illustrating The Mis-leading 'Active' in PsActiveProcessHead

Mike Lambert dragonforen at hotmail.com
Tue May 8 10:10:51 CDT 2012


Volatility 2.0  VM with SpyEye infection (c:\usxxxxxxxx.exe\usxxxxxxxx.exe)
Mike Lambert, 8 May 2012, dragonforen at hotmail.com

YARA is not installed, see http://code.google.com/p/yara-project/
distorm3 is not installed, see http://code.google.com/p/distorm/
          Suggested Profile(s) : WinXPSP3x86, WinXPSP2x86 (Instantiated with WinXPSP2x86)
                     AS Layer1 : JKIA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace (C:\mem\120503\vol\120503b.w32)
                      PAE type : PAE
                           DTB : 0x319000
                          KDBG : 0x80545be0L
                          KPCR : 0xffdff000L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2012-05-03 22:48:00 
     Image local date and time : 2012-05-03 22:48:00 
          Number of Processors : 1
                    Image Type : Service Pack 3

PSLIST

 Offset(V)  Name                 PID    PPID   Thds   Hnds   Time 
---------- -------------------- ------ ------ ------ ------ ------------------- 
0x825c8830 System                    4      0     58    271 1970-01-01 00:00:00       
0x824540f0 smss.exe                540      4      3     19 2012-05-03 22:34:14       
0x82080da0 csrss.exe               612    540     12    483 2012-05-03 22:34:17       
0x824e43b8 winlogon.exe            636    540     20    518 2012-05-03 22:34:17       
0x82309020 services.exe            680    636     15    285 2012-05-03 22:34:18       
0x822cbda0 lsass.exe               692    636     22    359 2012-05-03 22:34:18       
0x822b1550 vmacthlp.exe            852    680      2     26 2012-05-03 22:34:19       
0x82453b08 svchost.exe             864    680     18    202 2012-05-03 22:34:20       
0x821f62a0 svchost.exe             944    680     12    279 2012-05-03 22:34:20       
0x82388b10 svchost.exe            1080    680     78   1397 2012-05-03 22:34:21       
0x824c0518 svchost.exe            1124    680      8     86 2012-05-03 22:34:22       
0x822a8da0 svchost.exe            1280    680     12    165 2012-05-03 22:34:22       
0x822fcb28 spoolsv.exe            1384    680     14    149 2012-05-03 22:34:24       
0x82438020 svchost.exe            1520    680      6    109 2012-05-03 22:34:42       
0x823c26f0 PortReporter.ex        1648    680      3     42 2012-05-03 22:34:44       
0x822b87e8 vmtoolsd.exe           1964    680      5    284 2012-05-03 22:34:54       
0x8217fb28 searchindexer.e         148    680     21    781 2012-05-03 22:34:54       
0x8239f980 explorer.exe            408    296     27    640 2012-05-03 22:34:55       
0x82300da0 VMUpgradeHelper         484    680      5    115 2012-05-03 22:34:56       
0x822b2c90 wscntfy.exe             876   1080      2     38 2012-05-03 22:34:57       
0x82323978 VMwareTray.exe         1332    408      2     59 2012-05-03 22:34:59       
0x8246c2e0 VMwareUser.exe         1304    408      8    171 2012-05-03 22:34:59       
0x81fa1658 SpyProtector.ex        1460    408      2     51 2012-05-03 22:34:59       
0x82312da0 ctfmon.exe             1572    408      2     80 2012-05-03 22:35:00       
0x82466658 ShareWatch.exe         1668    408      3     50 2012-05-03 22:35:02       
0x823cc650 TPAutoConnSvc.e        1844    680      6    100 2012-05-03 22:35:09       
0x8232c6b8 alg.exe                2192    680      7    105 2012-05-03 22:35:10       
0x82184a78 TPAutoConnect.e        2552   1844      2     83 2012-05-03 22:35:12       
0x820437e8 wuauclt.exe            3672   1080      5    135 2012-05-03 22:36:05       
0x820255e8 cports.exe             3860    408      2     63 2012-05-03 22:36:29       
0x82041b20 procexp.exe            3948    408      5    258 2012-05-03 22:37:19       
0x8208b650 cmd.exe                4084    408      2     35 2012-05-03 22:38:07       
0x8251d9a0 wmiprvse.exe           2456    864      8    139 2012-05-03 22:43:23       
0x82243020 usxxxxxxxx.exe          124    408      0 ------ 2012-05-03 22:46:58       
0x8204e020 win32dd.exe            2892   4084      2     25 2012-05-03 22:48:00       

PSSCAN

 Offset     Name             PID    PPID   PDB        Time created             Time exited             
---------- ---------------- ------ ------ ---------- ------------------------ ------------------------ 
0x01fa1658 SpyProtector.ex    1460    408 0x097983a0 2012-05-03 22:34:59                              
0x020255e8 cports.exe         3860    408 0x09798420 2012-05-03 22:36:29                              
0x02041b20 procexp.exe        3948    408 0x09798280 2012-05-03 22:37:19                              
0x020437e8 wuauclt.exe        3672   1080 0x097982a0 2012-05-03 22:36:05                              
0x0204e020 win32dd.exe        2892   4084 0x09798440 2012-05-03 22:48:00                              
0x02080da0 csrss.exe           612    540 0x09798040 2012-05-03 22:34:17                              
0x0208b650 cmd.exe            4084    408 0x097981e0 2012-05-03 22:38:07                              
0x0217fb28 searchindexer.e     148    680 0x09798240 2012-05-03 22:34:54                              
0x02184a78 TPAutoConnect.e    2552   1844 0x09798260 2012-05-03 22:35:12                              
0x021f62a0 svchost.exe         944    680 0x09798100 2012-05-03 22:34:20                              
0x02243020 usxxxxxxxx.exe      124    408 0x09798120 2012-05-03 22:46:58      2012-05-03 22:46:59     
0x022a8da0 svchost.exe        1280    680 0x09798180 2012-05-03 22:34:22                              
0x022b1550 vmacthlp.exe        852    680 0x097980c0 2012-05-03 22:34:19                              
0x022b2c90 wscntfy.exe         876   1080 0x09798340 2012-05-03 22:34:57                              
0x022b87e8 vmtoolsd.exe       1964    680 0x09798220 2012-05-03 22:34:54                              
0x022cbda0 lsass.exe           692    636 0x097980a0 2012-05-03 22:34:18                              
0x022fcb28 spoolsv.exe        1384    680 0x097981a0 2012-05-03 22:34:24                              
0x02300da0 VMUpgradeHelper     484    680 0x09798300 2012-05-03 22:34:56                              
0x02309020 services.exe        680    636 0x09798080 2012-05-03 22:34:18                              
0x02312da0 ctfmon.exe         1572    408 0x097983c0 2012-05-03 22:35:00                              
0x02323978 VMwareTray.exe     1332    408 0x09798360 2012-05-03 22:34:59                              
0x0232c6b8 alg.exe            2192    680 0x09798400 2012-05-03 22:35:10                              
0x02388b10 svchost.exe        1080    680 0x09798140 2012-05-03 22:34:21                              
0x0239f980 explorer.exe        408    296 0x097982e0 2012-05-03 22:34:55                              
0x023c26f0 PortReporter.ex    1648    680 0x09798200 2012-05-03 22:34:44                              
0x023cc650 TPAutoConnSvc.e    1844    680 0x097982c0 2012-05-03 22:35:09                              
0x02438020 svchost.exe        1520    680 0x097981c0 2012-05-03 22:34:42                              
0x02453b08 svchost.exe         864    680 0x097980e0 2012-05-03 22:34:20                              
0x024540f0 smss.exe            540      4 0x09798020 2012-05-03 22:34:14                              
0x02466658 ShareWatch.exe     1668    408 0x097983e0 2012-05-03 22:35:02                              
0x0246c2e0 VMwareUser.exe     1304    408 0x09798380 2012-05-03 22:34:59                              
0x024c0518 svchost.exe        1124    680 0x09798160 2012-05-03 22:34:22                              
0x024e43b8 winlogon.exe        636    540 0x09798060 2012-05-03 22:34:17                              
0x0251d9a0 wmiprvse.exe       2456    864 0x09798460 2012-05-03 22:43:23                              
0x025c8830 System                4      0 0x00319000                                                  

PSXVIEW

Offset       Name                 Pid      pslist     psscan     thrdproc   pspcid     csr_hnds   csr_list  
0x822a8da0L  svchost.exe          1280     1          1          1          1          1          1         
0x825c8830L  System               4        1          1          1          1          0          0         
0x822b2c90L  wscntfy.exe          876      1          1          1          1          1          1         
0x8232c6b8L  alg.exe              2192     1          1          1          1          1          1         
0x8239f980L  explorer.exe         408      1          1          1          1          1          1         
0x8217fb28L  searchindexer.e      148      1          1          1          1          1          1         
0x8251d9a0L  wmiprvse.exe         2456     1          1          1          1          1          1         
0x82466658L  ShareWatch.exe       1668     1          1          1          1          1          1         
0x824540f0L  smss.exe             540      1          1          1          1          0          0         
0x82438020L  svchost.exe          1520     1          1          1          1          1          1         
0x82312da0L  ctfmon.exe           1572     1          1          1          1          1          1         
0x82309020L  services.exe         680      1          1          1          1          1          1         
0x822b87e8L  vmtoolsd.exe         1964     1          1          1          1          1          1         
0x821f62a0L  svchost.exe          944      1          1          1          1          1          1         
0x822cbda0L  lsass.exe            692      1          1          1          1          1          1         
0x82323978L  VMwareTray.exe       1332     1          1          1          1          1          1         
0x82388b10L  svchost.exe          1080     1          1          1          1          1          1         
0x81fa1658L  SpyProtector.ex      1460     1          1          1          1          1          1         
0x8204e020L  win32dd.exe          2892     1          1          1          1          1          1         
0x822b1550L  vmacthlp.exe         852      1          1          1          1          1          1         
0x823cc650L  TPAutoConnSvc.e      1844     1          1          1          1          1          1         
0x820437e8L  wuauclt.exe          3672     1          1          1          1          1          1         
0x82300da0L  VMUpgradeHelper      484      1          1          1          1          1          1         
0x82453b08L  svchost.exe          864      1          1          1          1          1          1         
0x824c0518L  svchost.exe          1124     1          1          1          1          1          1         
0x82080da0L  csrss.exe            612      1          1          1          1          0          0         
0x822fcb28L  spoolsv.exe          1384     1          1          1          1          1          1         
0x824e43b8L  winlogon.exe         636      1          1          1          1          1          1         
0x82041b20L  procexp.exe          3948     1          1          1          1          1          1         
0x823c26f0L  PortReporter.ex      1648     1          1          1          1          1          1         
0x8208b650L  cmd.exe              4084     1          1          1          1          1          1         
0x82184a78L  TPAutoConnect.e      2552     1          1          1          1          1          1         
0x820255e8L  cports.exe           3860     1          1          1          1          1          1         
0x82243020L  usxxxxxxxx.exe       124      1          0          0          1          0          0         
0x8246c2e0L  VMwareUser.exe       1304     1          1          1          1          1          1         
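As an added example (not code from the post or from the Volatility project), a small Python parser for pslist and psscan rows in the format above that flags a process still linked into PsActiveProcessHead although its EPROCESS says it is finished: zero threads, a torn-down handle table (shown as '------'), and an exit time that only psscan reports. The sample rows are constructed from the usxxxxxxxx.exe and cmd.exe entries above, and the low-12-bit offset comparison is an assumed sanity check that the virtual (pslist) and physical (psscan) offsets point at the same in-page location.

```python
import re

# Constructed sample in Volatility 2.0 pslist / psscan row format, copying the
# usxxxxxxxx.exe (PID 124) entry and its cmd.exe neighbour from the output above.
PSLIST_SAMPLE = """\
0x8208b650 cmd.exe                4084    408      2     35 2012-05-03 22:38:07
0x82243020 usxxxxxxxx.exe          124    408      0 ------ 2012-05-03 22:46:58
"""
PSSCAN_SAMPLE = """\
0x0208b650 cmd.exe            4084    408 0x097981e0 2012-05-03 22:38:07
0x02243020 usxxxxxxxx.exe      124    408 0x09798120 2012-05-03 22:46:58      2012-05-03 22:46:59
"""
TIME = r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d"
PSLIST_RE = re.compile(r"^0x([0-9a-f]{8})\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(" + TIME + ")")
PSSCAN_RE = re.compile(r"^0x([0-9a-f]{8})\s+(\S+)\s+(\d+)\s+(\d+)\s+0x[0-9a-f]+"
                       r"(?:\s+(" + TIME + r"))?(?:\s+(" + TIME + r"))?")

def parse_pslist(text):
    """PID -> fields. pslist walks PsActiveProcessHead: virtual offsets, no exit time."""
    procs = {}
    for line in text.splitlines():
        if m := PSLIST_RE.match(line):
            off, name, pid, _ppid, thds, hnds, _start = m.groups()
            # '------' in Hnds means the handle table has already been torn down.
            procs[int(pid)] = {"name": name, "voffset": int(off, 16), "threads": int(thds),
                               "handles": None if hnds.startswith("-") else int(hnds)}
    return procs

def parse_psscan(text):
    """PID -> fields. psscan pool-scans for EPROCESS: physical offsets, exit time kept."""
    procs = {}
    for line in text.splitlines():
        if m := PSSCAN_RE.match(line):
            off, name, pid, _ppid, _created, exited = m.groups()
            procs[int(pid)] = {"name": name, "poffset": int(off, 16), "exited": exited}
    return procs

def find_lingering(pslist, psscan):
    """Processes still on the 'active' list although their EPROCESS says they are done."""
    findings = []
    for pid, p in sorted(pslist.items()):
        reasons = []
        if p["threads"] == 0: reasons.append("no threads")
        if p["handles"] is None: reasons.append("handle table gone")
        s = psscan.get(pid)
        # Equal low 12 bits (in-page offset) confirm both tools hit the same EPROCESS (assumed check).
        if s and s["exited"] and (s["poffset"] & 0xfff) == (p["voffset"] & 0xfff):
            reasons.append("exited " + s["exited"])
        if reasons: findings.append((pid, p["name"], reasons))
    return findings
```

Run on the full pslist and psscan output of a dump, the result is the list of processes that pslist labels as active only because nothing has unlinked them yet.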
