For the second part of our Volatility project, we wanted to determine whether or not we could find traces of malware in a system that was once put in hibernation mode. When a user puts their computer into hibernation, a hiberfil.sys file is created. If a system has malware running in the background and is then put into hibernation, we hypothesized that hiberfil.sys will have remnants of the malicious code.
http://www.youtube.com/watch?v=NynLqNxJ3Jo
To test our theory, we created a Windows XP SP3 virtual machine. We then sandboxed it so that it would not infect our local machines when we installed malware. The worm Fujacks was given to us for testing. We infected our virtual machine, put it in hibernation mode, and then using FTK Imager on our local machines, we extracted hiberfil.sys.
In order for Volatility to analyze hiberfil.sys, it needs to be converted to a raw image. To do this, we used two tools: MoonSols' Windows Memory Toolkit and Volatility itself. Both work in the same way, but Volatility was more convenient to use since we were already working with the framework. To convert our hiberfil.sys, we used the imagecopy plugin within Volatility.
Once converted, Dan Doonan ran a number of plugins on the image to see if he could find evidence of Fujacks. The plugins run were pstree, printkey, and dlllist. The first plugin, pstree, presented Dan with some normal processes and one that seemed suspicious, TXP1atform.exe. When doing a Google search on this process, he was presented with Microsoft's malware definition, which stated that TXP1atform.exe modifies registry keys. It also validated that this process was a part of the worm Fujacks.
To gather more evidence, Dan ran the printkey command, which showed him three modified registry keys. He noticed that TXP1atform.exe started once the system was turned on, hidden files were not shown in Windows Explorer, and Autoplay was enabled.
Going back to the original data presented by pstree, TXP1atform.exe was the parent process of iexplore.exe. This was also suspicious as Internet Explorer was never opened during our testing. This was explained in the Microsoft definition as being started in the background by Fujacks to access remote hosts.
The last plugin run was dlllist. This showed evidence of iexplore.exe attempting to access a website that is known to be associated with Fujacks, as described in Microsoft's definition. Dan could definitively conclude that using Volatility to analyze hiberfil.sys is successful and does result in traces of any malware running on a system.
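The two pstree observations above (a lookalike process name, and iexplore.exe spawned by something other than the desktop shell) can be turned into a repeatable check over the plugin's text output. The script below is an added example written for this post, not code from the project or from Volatility; the pstree sample, the expected-parent table and the allowlist of legitimate names are all constructed assumptions for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed Volatility 2 "pstree" output (not from the original post);
# offsets, PIDs and timestamps are invented for illustration.
SAMPLE_PSTREE = """\
Name                                                  Pid   PPid   Thds   Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
 0x823c8830:System                                       4      0     53    240 1970-01-01 00:00:00 UTC+0000
. 0x81ed9020:smss.exe                                  368      4      3     19 2012-03-01 14:02:11 UTC+0000
.. 0x81e4f020:winlogon.exe                             608    368     19    512 2012-03-01 14:02:13 UTC+0000
... 0x81e2d020:services.exe                            652    608     16    262 2012-03-01 14:02:14 UTC+0000
... 0x81e1c3a0:explorer.exe                           1524    608     12    346 2012-03-01 14:02:40 UTC+0000
.... 0x81d9a020:TXP1atform.exe                        1712   1524      4     88 2012-03-01 14:05:02 UTC+0000
..... 0x81d77da0:iexplore.exe                         1840   1712      8    210 2012-03-01 14:05:03 UTC+0000
"""

# One pstree row: leading tree dots, 0xOFFSET:name, then Pid PPid Thds Hnds.
LINE_RE = re.compile(r"^[. ]*0x[0-9a-fA-F]+:(.+?)\s+(\d+)\s+(\d+)\s+\d+\s+\d+")

# Assumed policy: who is allowed to launch a given process on a clean XP box.
EXPECTED_PARENT = {"iexplore.exe": {"explorer.exe", "iexplore.exe"}}
# Assumed allowlist of legitimate names that malware likes to imitate.
KNOWN_NAMES = {"txplatform.exe", "explorer.exe", "iexplore.exe"}


def parse_pstree(text: str) -> Dict[int, Tuple[str, int]]:
    """Map pid -> (name, ppid); header and separator lines do not match."""
    procs: Dict[int, Tuple[str, int]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            procs[int(m.group(2))] = (m.group(1).strip(), int(m.group(3)))
    return procs


def normalise(name: str) -> str:
    """Undo the common digit-for-letter swaps (1->l, 0->o) seen in lookalike names."""
    return name.lower().replace("1", "l").replace("0", "o")


def find_suspicious(procs: Dict[int, Tuple[str, int]]) -> List[Tuple[int, str, str]]:
    """Return (pid, name, reason) for parent-chain violations and lookalike names."""
    findings = []
    for pid, (name, ppid) in procs.items():
        parent = procs.get(ppid, ("<parent not listed>", 0))[0]
        want = EXPECTED_PARENT.get(name.lower())
        if want and parent.lower() not in want:
            findings.append((pid, name, f"unexpected parent {parent} (pid {ppid})"))
        if name.lower() not in KNOWN_NAMES and normalise(name) in KNOWN_NAMES:
            findings.append((pid, name, f"lookalike of {normalise(name)}"))
    return findings


if __name__ == "__main__":
    for pid, name, reason in find_suspicious(parse_pstree(SAMPLE_PSTREE)):
        print(f"pid {pid} {name}: {reason}")
```

On a real image, pipe `vol.py -f <image> --profile=WinXPSP3x86 pstree` into the parser instead of the constructed sample; the policy tables are the part to tune for the system under analysis.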
More on this research project will follow at a later date. Subscribe to the blog to get the latest on this project.
If you have any comments, questions, and/or suggestions, please feel free to leave a comment here on the blog or feel free to email us at LCDI@champlain.edu, putting “Volatility-Malware Analysis of Hiberfil.sys” in the subject line.