BlackEnergy Walkthrough — Cyberdefenders
Scenario:
A multinational corporation has been hit by a cyber attack that has led to the theft of sensitive data. The attack was carried out using a variant of the BlackEnergy v2 malware that has never been seen before. The company’s security team has acquired a memory dump of the infected machine, and they want you to analyze the dump to understand the attack scope and impact.
Challenge: BlackEnergy
Tools: Volatility 2, Volatility 3, strings, md5sum, VirusTotal
1. Which volatility profile would be best for this machine?
In this question, I used both Volatility 2 and Volatility 3, and both tools indicated that the operating system associated with the build string and Service Pack was WinXPSP3x86.
vol.py -f CYBERDEF-567078-20230213-171333.raw kdbgscan
python3 vol.py -f /home/remnux/Documents/BlackEnergy/CYBERDEF-567078-20230213-171333.raw windows.info
Here’s the explanation from ChatGPT:
The answer field did not accept ‘WinXPSP3x86’, but it accepted ‘WinXPSP2x86’ as the correct answer. This is less contradictory than it looks: for an XP SP3 x86 image, Volatility 2’s kdbgscan/imageinfo suggests both WinXPSP2x86 and WinXPSP3x86, and either profile works for the plugins used below. Volatility 3 has no profile concept at all; windows.info simply reports the NT build number and service pack it found.
2. How many processes were running when the image was acquired?
The pslist plugin displays the processes in the memory dump. The ExitTime column indicates the time when a process was terminated, and if the process is still running, it shows N/A.
python3 vol.py -f /home/remnux/Documents/BlackEnergy/CYBERDEF-567078-20230213-171333.raw windows.pslist
The output lists 25 processes, running and terminated together.
Piping the output through grep -v "N/A" drops every line that contains N/A. Since a running process has N/A in its ExitTime column, what remains are the terminated processes.
-v, --invert-match: select non-matching lines.
python3 vol.py -f /home/remnux/Documents/BlackEnergy/CYBERDEF-567078-20230213-171333.raw windows.pslist | grep -v "N/A"
The filtered output contains 6 terminated processes. Note that the Volatility banner and the column header line also survive the filter, because neither contains N/A, so count only the data rows (or use grep -c "N/A" to count the running processes directly). Subtracting the terminated processes from the total gives 25 - 6 = 19 running processes.
3. What is the process ID of cmd.exe?
The command grep "cmd.exe" -C 3 prints every line matching “cmd.exe” together with 3 lines of context before and after it (the match itself is only highlighted when grep’s colour output is enabled). The first column of the output is the Process ID.
python3 vol.py -f /home/remnux/Documents/BlackEnergy/CYBERDEF-567078-20230213-171333.raw windows.pslist | grep "cmd.exe" -C 3
4. What is the name of the most suspicious process?
The pstree plugin renders the processes in the memory dump as a parent/child tree, which makes unusual lineage much easier to spot than the flat pslist output.
python3 vol.py -f /home/remnux/Documents/BlackEnergy/CYBERDEF-567078-20230213-171333.raw windows.pstree
The process ‘rootkit.exe’ is suspicious not only because of its name but also because it has ‘cmd.exe’ as a child process: a user-mode binary that spawns a command shell deserves a closer look.
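The three questions above are all answered by reading windows.pslist output, and each has a small pitfall (banner and header lines surviving grep -v, several processes sharing a name, parent PIDs that no longer exist). The following script, added here as an example and not part of the original walkthrough, parses the tab-separated pslist output once and answers all three from the parsed rows. The sample output is constructed to match the column layout of Volatility 3’s windows.pslist; every name, PID, offset and timestamp in it is made up and none are values from the challenge image.

```python
"""Parse Volatility 3 `windows.pslist` text output and answer the usual
triage questions: running vs. exited counts, PID of a named image, and the
parent/child tree. Added example; the sample data below is constructed."""
from collections import defaultdict

# Constructed sample: banner line, tab-separated header, one row per process.
# All PIDs, names, offsets and timestamps are invented for illustration.
SAMPLE_PSLIST = "\n".join([
    "Volatility 3 Framework 2.4.1",
    "PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId\tWow64\tCreateTime\tExitTime\tFile output",
    "4\t0\tSystem\t0x823c8830\t55\t256\tN/A\tFalse\tN/A\tN/A\tDisabled",
    "368\t4\tsmss.exe\t0x82270020\t3\t19\tN/A\tFalse\t2023-02-13 17:05:01.000000 \tN/A\tDisabled",
    "600\t368\tcsrss.exe\t0x8225e020\t12\t380\t0\tFalse\t2023-02-13 17:05:03.000000 \tN/A\tDisabled",
    "624\t368\twinlogon.exe\t0x8222a020\t20\t520\t0\tFalse\t2023-02-13 17:05:04.000000 \tN/A\tDisabled",
    "668\t624\tservices.exe\t0x82216020\t16\t260\t0\tFalse\t2023-02-13 17:05:05.000000 \tN/A\tDisabled",
    "900\t668\tsvchost.exe\t0x821f8020\t18\t210\t0\tFalse\t2023-02-13 17:05:06.000000 \tN/A\tDisabled",
    "1400\t1360\texplorer.exe\t0x821c0020\t14\t350\t0\tFalse\t2023-02-13 17:06:10.000000 \tN/A\tDisabled",
    "1684\t1400\trootkit.exe\t0x82195020\t1\t25\t0\tFalse\t2023-02-13 17:10:42.000000 \tN/A\tDisabled",
    "1720\t1684\tcmd.exe\t0x82188020\t1\t30\t0\tFalse\t2023-02-13 17:10:43.000000 \tN/A\tDisabled",
    "1800\t1400\tnotepad.exe\t0x82170020\t0\t0\t0\tFalse\t2023-02-13 17:08:00.000000 \t2023-02-13 17:09:30.000000 \tDisabled",
    "1820\t1400\twscript.exe\t0x82160020\t0\t0\t0\tFalse\t2023-02-13 17:11:00.000000 \t2023-02-13 17:11:05.000000 \tDisabled",
])


def parse_pslist(text):
    """Return one dict per data row. The header row (first field 'PID') fixes
    the column names; banner, progress and other non-data lines are skipped."""
    header, rows = None, []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("\t")]
        if header is None:
            if fields[0] == "PID":
                header = fields
            continue
        if len(fields) != len(header) or not fields[0].isdigit():
            continue
        row = dict(zip(header, fields))
        row["PID"], row["PPID"] = int(row["PID"]), int(row["PPID"])
        rows.append(row)
    return rows


def naive_grep_v_count(text):
    """What `grep -v N/A | wc -l` reports: banner and header lines have no
    N/A either, so this over-counts the terminated processes."""
    return sum(1 for line in text.splitlines() if "N/A" not in line)


def count_processes(procs):
    """(running, exited): a process is running iff its ExitTime is N/A."""
    running = sum(1 for p in procs if p["ExitTime"] == "N/A")
    return running, len(procs) - running


def pids_for(procs, image_name):
    """All PIDs carrying a given image name (several are common for svchost)."""
    return [p["PID"] for p in procs if p["ImageFileName"].lower() == image_name.lower()]


def parent_name(procs, pid):
    """Image name of the parent, or None if the parent is gone from the list."""
    by_pid = {p["PID"]: p for p in procs}
    proc = by_pid.get(pid)
    parent = by_pid.get(proc["PPID"]) if proc else None
    return parent["ImageFileName"] if parent else None


def render_tree(procs):
    """Indented tree like pstree; orphans (parent PID not listed) become roots."""
    by_pid = {p["PID"]: p for p in procs}
    children = defaultdict(list)
    for p in procs:
        children[p["PPID"]].append(p["PID"])
    roots = [p["PID"] for p in procs if p["PPID"] not in by_pid]
    lines = []

    def walk(pid, depth):
        p = by_pid[pid]
        state = "" if p["ExitTime"] == "N/A" else "  (exited)"
        lines.append("  " * depth + f"{p['ImageFileName']} [{pid}]{state}")
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    for root in sorted(roots):
        walk(root, 0)
    return lines


if __name__ == "__main__":
    procs = parse_pslist(SAMPLE_PSLIST)
    print("grep -v style count:", naive_grep_v_count(SAMPLE_PSLIST))
    print("running/exited:", count_processes(procs))
    print("cmd.exe PIDs:", pids_for(procs, "cmd.exe"))
    print("\n".join(render_tree(procs)))
```

On real output, pipe the plugin into a file and pass its contents to parse_pslist; the same parser works for windows.pstree rows, since they carry the same columns.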
5. Which process shows the highest likelihood of code injection?
The malfind plugin looks for the usual footprint of injected code: private, committed memory regions that are executable (typically PAGE_EXECUTE_READWRITE) and not backed by a file on disk. For each hit it prints a hexdump and a disassembly of the first bytes of the region.
python3 vol.py -f /home/remnux/Documents/BlackEnergy/CYBERDEF-567078-20230213-171333.raw windows.malfind
Multiple processes were flagged, but I focused on svchost.exe because the hexdump of its region starts with ‘MZ’, the DOS header of a PE image. A complete executable image sitting in a private, non-file-backed RWX region is a much stronger indicator than a few stray executable bytes.
The following command will dump the process svchost.exe and save it in /home/remnux/Documents/BlackEnergy/extracted/
-o: Directory in which to output any generated files.
python3 vol.py -f /home/remnux/Documents/BlackEnergy/CYBERDEF-567078-20230213-171333.raw -o /home/remnux/Documents/BlackEnergy/extracted/ windows.malfind --pid 880 --dump
md5sum pid.880.vad.0x980000-0x988fff.dmp
Searching for the hash on VirusTotal shows that several security vendors flag it as malicious. Keep in mind that a memory-dumped region rarely matches the original file byte for byte (headers and relocations are rewritten when the image is mapped), so a hash with no VirusTotal hits does not mean the region is clean.
6. There is an odd file referenced in the recent process. Provide the full path of that file.
The following command extracts every printable ASCII string of at least 10 characters from “pid.880.vad.0x980000-0x988fff.dmp”:
strings -n 10 pid.880.vad.0x980000-0x988fff.dmp
Only one Windows path appears in the results, which gives the answer directly. Note that GNU strings only reports ASCII by default; Windows code often stores paths as UTF-16LE, which needs a second pass with the -e l option.
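The two steps above, confirming that the dumped region really carries a PE image, hashing it for a VirusTotal lookup, and pulling strings out of it, are easy to script. The block below is an added example, not code from the walkthrough: it validates the DOS header to PE signature chain, hashes the region, and extracts both ASCII and UTF-16LE strings before filtering them for Windows paths. The region it works on is constructed inline (a bare PE header followed by a few embedded strings); the path in it is a made-up placeholder, not the path from the challenge dump.

```python
"""Triage a region written by `windows.malfind --dump`: locate embedded PE
headers, hash the bytes, and pull ASCII/UTF-16LE strings and file paths.
Added example; REGION is a constructed stand-in for a real VAD dump."""
import hashlib
import re
import struct


def _constructed_region():
    """Bytes shaped like a tiny PE image plus trailing data (constructed)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)                    # zero-filled DOS stub
    dos[0:2] = b"MZ"                             # e_magic
    struct.pack_into("<I", dos, 0x3C, e_lfanew)  # e_lfanew -> PE signature
    # COFF header: Machine=0x14C (i386), 2 sections, timestamp, symbol table
    # pointer/count, optional header size, characteristics.
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x10F)
    body = (b"\x00" * 32
            + b"C:\\WINDOWS\\system32\\drivers\\example.sys\x00\x00"  # made-up path
            + "msxml3r.dll".encode("utf-16-le") + b"\x00\x00"           # wide string
            + b"short\x00")                                              # below -n 10
    return bytes(dos) + b"PE\x00\x00" + coff + body


REGION = _constructed_region()

ASCII_RE = rb"[\x20-\x7e]{%d,}"
WIDE_RE = rb"(?:[\x20-\x7e]\x00){%d,}"
PATH_RE = re.compile(r"[A-Za-z]:\\[^\x00\"<>|]+")


def find_pe_headers(data):
    """Every offset where 'MZ' leads via e_lfanew to a valid 'PE\\0\\0'
    signature, with the COFF Machine and NumberOfSections fields."""
    hits, off = [], data.find(b"MZ")
    while off != -1:
        if off + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
            pe = off + e_lfanew
            if pe + 8 <= len(data) and data[pe:pe + 4] == b"PE\x00\x00":
                machine, nsections = struct.unpack_from("<HH", data, pe + 4)
                hits.append({"offset": off, "machine": machine, "sections": nsections})
        off = data.find(b"MZ", off + 1)
    return hits


def hashes(data):
    """Hex digests to look up on VirusTotal (md5 as the walkthrough does)."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def extract_strings(data, min_len=10):
    """Like `strings -n N` plus `strings -e l -n N`: (kind, text) tuples."""
    found = [("ascii", m.group().decode("ascii"))
             for m in re.finditer(ASCII_RE % min_len, data)]
    found += [("utf16", m.group().decode("utf-16-le"))
              for m in re.finditer(WIDE_RE % min_len, data)]
    return found


def find_paths(strings):
    """Distinct Windows drive-letter paths found in the extracted strings."""
    return sorted({m.group() for _, s in strings for m in PATH_RE.finditer(s)})


if __name__ == "__main__":
    print("PE headers:", find_pe_headers(REGION))
    print("hashes:", hashes(REGION))
    print("paths:", find_paths(extract_strings(REGION, 10)))
```

To run it against the real dump, replace REGION with `open("pid.880.vad.0x980000-0x988fff.dmp", "rb").read()`; the PE check is what distinguishes a region that holds a whole injected image from one that merely holds a few bytes of shellcode.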
7. What is the name of the injected dll file loaded from the recent process?
The ldrmodules plugin can be used to list the loaded modules (DLLs) in a process, and it can also be used to detect unlinked/hidden DLLs. We can use this plugin to examine the malicious svchost.exe process, which has a PID of 880.
python3 vol.py -f /home/remnux/Documents/BlackEnergy/CYBERDEF-567078-20230213-171333.raw windows.ldrmodules --pid 880
The entry for msxml3r.dll is False in all three columns. ldrmodules cross-references the image files mapped into the process (from its VADs) with the three doubly linked lists the Windows loader keeps in the PEB: InLoad (InLoadOrderModuleList), InInit (InInitializationOrderModuleList) and InMem (InMemoryOrderModuleList). A mapped image that is absent from all three was either unlinked from the lists by code trying to hide it, or was never loaded through the loader at all (manually mapped or injected). Two caveats keep the false positives down: the process’s own executable is normally False in InInit only, which is expected, and a module must show up in the VAD list with a mapped path for the plugin to report it.
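Reading the three True/False columns by eye works for one process, but it is error-prone across dozens. The block below is an added example, not part of the walkthrough, that parses windows.ldrmodules output and classifies each module: unlinked from every list, the main image’s normal InInit gap, or partially unlinked. The sample output is constructed in the column layout of Volatility 3’s windows.ldrmodules; the base addresses and module paths are illustrative, with msxml3r.dll standing in for the module singled out above.

```python
"""Classify `windows.ldrmodules` rows by which PEB loader lists each mapped
image appears in. Added example; the sample output is constructed."""

# Constructed sample. Bases and paths are illustrative only.
SAMPLE_LDRMODULES = "\n".join([
    "Volatility 3 Framework 2.4.1",
    "Pid\tProcess\tBase\tInLoad\tInInit\tInMem\tMappedPath",
    "880\tsvchost.exe\t0x1000000\tTrue\tFalse\tTrue\t\\WINDOWS\\system32\\svchost.exe",
    "880\tsvchost.exe\t0x7c900000\tTrue\tTrue\tTrue\t\\WINDOWS\\system32\\ntdll.dll",
    "880\tsvchost.exe\t0x7c800000\tTrue\tTrue\tTrue\t\\WINDOWS\\system32\\kernel32.dll",
    "880\tsvchost.exe\t0x980000\tFalse\tFalse\tFalse\t\\WINDOWS\\system32\\msxml3r.dll",
])


def parse_ldrmodules(text):
    """One dict per data row; flags become bools and Base becomes an int."""
    header, rows = None, []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("\t")]
        if header is None:
            if fields[0] == "Pid":
                header = fields
            continue
        if len(fields) != len(header) or not fields[0].isdigit():
            continue
        row = dict(zip(header, fields))
        row["Pid"] = int(row["Pid"])
        row["Base"] = int(row["Base"], 16)
        for col in ("InLoad", "InInit", "InMem"):
            row[col] = row[col] == "True"
        rows.append(row)
    return rows


def classify(rows):
    """Map MappedPath -> verdict, applying the main-image exception."""
    verdicts = {}
    for r in rows:
        flags = (r["InLoad"], r["InInit"], r["InMem"])
        basename = r["MappedPath"].rsplit("\\", 1)[-1].lower()
        if not any(flags):
            verdict = "unlinked from all three PEB lists"
        elif all(flags):
            verdict = "linked normally"
        elif flags == (True, False, True) and basename == r["Process"].lower():
            verdict = "main image (absent from InInit is normal)"
        else:
            verdict = "partially unlinked"
        verdicts[r["MappedPath"]] = verdict
    return verdicts


def hidden_modules(rows):
    """Rows absent from every loader list: the injected/unlinked candidates."""
    return [r for r in rows if not (r["InLoad"] or r["InInit"] or r["InMem"])]


if __name__ == "__main__":
    rows = parse_ldrmodules(SAMPLE_LDRMODULES)
    for path, verdict in classify(rows).items():
        print(f"{path}: {verdict}")
    for r in hidden_modules(rows):
        print(f"hidden: {r['MappedPath']} at {r['Base']:#x}")
```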
8. What is the base address of the injected dll?
The base address is the ‘Start VPN’ column, the 3rd column of the malfind output for PID 880. The same value is embedded in the name of the region dumped earlier, pid.880.vad.0x980000-0x988fff.dmp, so the two can be cross-checked.
python3 vol.py -f /home/remnux/Documents/BlackEnergy/CYBERDEF-567078-20230213-171333.raw windows.malfind
Resources/References:
- Book: The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory (https://www.amazon.com/Art-Memory-Forensics-Detecting-Malware/dp/1118825098)
- Book: Malware Analyst’s Cookbook and DVD: Tools and Techniques for Fighting Malicious Code (https://www.amazon.com/Malware-Analysts-Cookbook-DVD-Techniques/dp/0470613033)
- ChatGPT: https://chat.openai.com/