In this 6-part series, we will analyze a recent phishing attempt through an email which was sent to me. In the first post we looked at the email. In the second post we did an analysis using Wireshark. In the third post we did some basic static analysis. In the fourth post we performed some basic dynamic analysis. In this post we perform some basic memory forensics on a captured memory image.
Previously we dumped the contents of RAM for the infected system to see what information we can learn about the state of the machine at that point in time.
Profiling the Image ...
As we can see, this is a Windows XP SP2 system. Let's use that as the profile, along with the KDBG address "0x8054cf60" and the DTB "0x39000".
From the image info we see the UTC date and time as well as the local date and time when the image was created.
Checking the processes ....
As can be seen above, "invoice1211_pdf" appears in the process list. The strange thing is my understand. Because of the various ways malware may hide in memory, I could have used psxview. However, because I know what I'm looking for and because I can see it here, I will move on.
1. We see process "invoice1211_pdf" has a PID of 168
2. Process with PID 168 has a Parent PID of 1568
3. We see PID 1568 is related to explorer.exe
4. Process with PID 1568 has a PPID of 1524
Checking the DLLs for PID 168 ....
At this point the highlighted section looks suspicious to me. All other DLLs are loaded from C:\WINDOWS\System32, while the highlighted one is being loaded from C:\WINDOWS\WinSxS. This folder is valid. However, I'm concerned about the location from which it is being loaded as compared to the other DLLs.
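As an added example (not code from the post), the following Python script parses constructed samples of Volatility 2 `pslist` and `dlllist -p 168` output to rebuild the parent chain of PID 168 (the PID/PPID steps listed above) and to flag any DLL loaded from outside C:\WINDOWS\system32 (the WinSxS case above). The sample lines, the process names other than invoice1211_pdf and explorer.exe, the timestamps and the WinSxS directory name are all constructed, not taken from the real dump.

```python
import re

# Constructed sample of Volatility 2 `pslist` output; PIDs 168/1568/1524
# mirror the relationships described in the post, everything else is made up.
PSLIST_SAMPLE = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0x823c89c8 System                    4      0     53      240 ------      0
0x821a5da0 winlogon.exe            624      4     19      500      0      0 2012-12-01 10:00:00 UTC+0000
0x8210b020 userinit.exe           1524    624      0       -1      0      0 2012-12-01 10:00:05 UTC+0000
0x820df020 explorer.exe           1568   1524     13      434      0      0 2012-12-01 10:00:06 UTC+0000
0x81f0a3a8 invoice1211_pdf         168   1568      3       96      0      0 2012-12-01 10:05:10 UTC+0000
"""

# Constructed sample of `dlllist -p 168` output (paths are placeholders).
DLLLIST_SAMPLE = """\
************************************************************************
invoice1211_pdf pid:    168
Command line : "C:\\Documents and Settings\\user\\Desktop\\invoice1211_pdf.exe"
Service Pack 2

Base             Size  LoadCount Path
------------ ------------ ------------ ----
0x00400000     0x10000     0xffff C:\\Documents and Settings\\user\\Desktop\\invoice1211_pdf.exe
0x7c900000     0xb0000     0xffff C:\\WINDOWS\\system32\\ntdll.dll
0x7c800000     0xf6000     0xffff C:\\WINDOWS\\system32\\kernel32.dll
0x5d090000     0x9a000        0x1 C:\\WINDOWS\\WinSxS\\x86_constructed\\comctl32.dll
"""

# pslist rows: offset, name, PID, PPID (remaining columns are ignored)
PSLIST_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\d+)\s+(\d+)", re.M)
# dlllist rows: base, size, load count, then the path (which may contain spaces)
DLL_RE = re.compile(r"^0x[0-9a-fA-F]+\s+0x[0-9a-fA-F]+\s+0x[0-9a-fA-F]+\s+(.+?)\s*$", re.M)

def parse_pslist(text):
    """Map PID -> (process name, PPID) from pslist output."""
    return {int(pid): (name, int(ppid)) for name, pid, ppid in PSLIST_RE.findall(text)}

def ancestry(procs, pid):
    """Follow PPID links upward; returns [(pid, name), ...] and stops at an unknown or repeated PID."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        name, ppid = procs[pid]
        chain.append((pid, name))
        pid = ppid
    return chain

def odd_dlls(text, expected_dir="c:\\windows\\system32"):
    """Return DLL paths not under expected_dir; the main .exe module is skipped. Hits are leads to review, not verdicts."""
    paths = DLL_RE.findall(text)
    return [p for p in paths if p.lower().endswith(".dll") and not p.lower().startswith(expected_dir)]

if __name__ == "__main__":
    procs = parse_pslist(PSLIST_SAMPLE)
    print(" <- ".join(f"{name}({pid})" for pid, name in ancestry(procs, 168)))
    print(odd_dlls(DLLLIST_SAMPLE))
```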
Checking the network connections ...
We can see that PID 168 has a network connection from 192.168.56.102 on local port 1615 to remote address 192.168.56.101 port 80.
Checking the privileges the program executed with ...
From the above we see the permissions which the executable had at the time of its execution. Of most importance here is the "Administrators" credential.
Further look at the privileges ...
We see 5 privileges enabled, 2 of them by default.
Checking the internet history ....
From the above, based on the IE history, we see that process "invoice1211_pdf" downloaded the file "miniuk1.html" from "shahlart.com" and "projectglory.awardspace.com". In both cases the file was saved as "miniuk1[1].htm".
Dumping the executable in the process ...
Now that we've dumped this executable, we can perform further analysis on it if needed.
In our final post, we will put it all together using the knowledge we've gained to write rules for our SIEM and IPS.
.pcap and .zip files from my analysis. Please note, in no way am I responsible for any damage caused to your computer and or other devices as a result of using these files.
adp.pcap - 4cfd352a3c890873d20a33d35fffed25
invoice1211_pdf82.zip - 05fc7646cf11b6e7fb124782daf9fb53
References:
https://code.google.com/p/volatility/