Malware Memory Analysis for Non-Specialists: Investigating Publicly Available Memory Image for the Stuxnet Worm
Image Description
Common Information
Type Value
UUID 9343d64b-ba13-4bad-8c7b-8a7e9627fab5
Fingerprint b978cc3cf3d9f60385f26870cb7b6af810cb030ffe94fcefee72b2413c44b1b7
Analysis status DONE
Considered CTI value 2
Text language
Published March 11, 2014, 12:14 p.m.
Added to db Oct. 6, 2024, 9:14 p.m.
Last updated Oct. 6, 2024, 9:19 p.m.
Headline Malware Memory Analysis for Non-Specialists: Investigating Publicly Available Memory Image for the Stuxnet Worm
Title Malware Memory Analysis for Non-Specialists: Investigating Publicly Available Memory Image for the Stuxnet Worm
Detected Hints/Tags/Attributes 198/4/482
Attributes
Details Type #Events CTI Value
Details Github username 1
carmaa
Details Mandiant Uncategorized Groups 1
UNC122
Details Windows Registry Key 16
HKLM\Software
Details Windows Registry Key 15
HKLM\System
Details Windows Registry Key 36
HKCU\Software
Details Windows Registry Key 29
HKEY_CURRENT_USER\Software
Details Windows Registry Key 13
HKEY_LOCAL_MACHINE\Software
Details Windows Registry Key 4
HKEY_LOCAL_MACHINE\System