Identifying Running Processes
Once the network information was identified, the next step was to focus on the processes with PID 1056 (svchost.exe) and 1956 (avp.exe). The command “vol.py --filename=./ALYSSA-PC-20150905-001215.raw --verbose --kdbg=0xf6fc0001a0f0 --dtb=0x187000 --profile=Win7SP1x64 pstree > pstree-results.txt” was executed to list the processes which were running at the time the image was taken, together with their parent/child relationships. The command “cat pstree-results.txt | more” was then used to learn more about PID 1956.
Figure 5: avp.exe process reportedly belonging to Kaspersky Internet Security
As PID 1956 (avp.exe) seems to be associated with Kaspersky Internet Security 15.0, the next step was to verify the parent process ID (PPID) 804. Process ID 804 seems to be related to “services.exe”.
Figure 6: services.exe being shown as parent for the process with PID 1956 (avp.exe)
The parent process of 1956 (avp.exe) is 804 (services.exe). The next step was then to see which service is associated with the process with PID 1956 (avp.exe). The following command was executed: “vol.py --filename=./ALYSSA-PC-20150905-001215.raw --verbose --kdbg=0xf6fc0001a0f0 --dtb=0x187000 --profile=Win7SP1x64 svcscan > svcscan-results.txt”. Next, the command “cat svcscan-results.txt” was executed.
Figure 7: Above shows process with PID 1956 (avp.exe) started as a service
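The two checks above (confirming that avp.exe's parent is services.exe, and that svcscan lists a running service for PID 1956) can be scripted against the saved pstree-results.txt and svcscan-results.txt files. The following is an added example, not code from the original post or from the Volatility project; it parses the Volatility 2 text output formats shown in the post, and the pstree/svcscan sample data embedded in it (offsets, thread and handle counts, timestamps, service names and binary paths) is constructed for illustration. Only PIDs 804, 1056 and 1956 mirror the post. The expected-parent table is a small hand-written set of well-known Windows parent/child pairs; it goes slightly beyond the post by also flagging any svchost.exe whose parent is not services.exe, which is the same reasoning applied to every process in the tree.

```python
import re

# Constructed sample of Volatility 2 "pstree" output (not from the post's image).
PSTREE_OUTPUT = """\
Name                                                  Pid   PPid   Thds   Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
 0xfffffa8000000040:wininit.exe                        400    344      3     75 2015-09-05 00:10:01 UTC+0000
. 0xfffffa8000000060:services.exe                      804    400      8    221 2015-09-05 00:10:02 UTC+0000
.. 0xfffffa8000000080:svchost.exe                     1056    804     12    350 2015-09-05 00:10:03 UTC+0000
.. 0xfffffa80000000a0:avp.exe                         1956    804     35    900 2015-09-05 00:10:05 UTC+0000
 0xfffffa80000000c0:explorer.exe                      1234   1200     30    800 2015-09-05 00:10:20 UTC+0000
. 0xfffffa80000000e0:svchost.exe                      2468   1234      4     60 2015-09-05 00:12:00 UTC+0000
"""

# Constructed sample of Volatility 2 "svcscan" output; service names and
# binary paths are placeholders, not the real Kaspersky service definition.
SVCSCAN_OUTPUT = r"""
Offset: 0x8e4380
Order: 26
Start: SERVICE_AUTO_START
Process ID: 1956
Service Name: SampleAVService
Display Name: Sample Antivirus Service
Service Type: SERVICE_WIN32_OWN_PROCESS
Service State: SERVICE_RUNNING
Binary Path: "C:\Program Files\SampleAV\avp.exe" -r

Offset: 0x8e4500
Order: 27
Start: SERVICE_AUTO_START
Process ID: 1056
Service Name: RpcSs
Display Name: Remote Procedure Call (RPC)
Service Type: SERVICE_WIN32_SHARE_PROCESS
Service State: SERVICE_RUNNING
Binary Path: C:\Windows\system32\svchost.exe -k rpcss
"""

# Leading dots encode tree depth; then "offset:name", Pid, PPid, Thds, Hnds, Time.
PSTREE_RE = re.compile(
    r"^(\.*)\s*0x([0-9a-fA-F]+):(.+?)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S.*)$"
)

# Hand-written expectations (assumption): which parent a core process should have.
EXPECTED_PARENT = {
    "svchost.exe": {"services.exe"},
    "services.exe": {"wininit.exe"},
}


def parse_pstree(text):
    """Return {pid: {"name", "ppid", "depth"}} from Volatility 2 pstree text."""
    procs = {}
    for line in text.splitlines():
        m = PSTREE_RE.match(line)
        if m:
            dots, _offset, name, pid, ppid = m.group(1, 2, 3, 4, 5)
            procs[int(pid)] = {"name": name.strip(), "ppid": int(ppid), "depth": len(dots)}
    return procs


def parse_svcscan(text):
    """Return a list of dicts, one per svcscan record (blank-line separated)."""
    services = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            rec[key.strip()] = value.strip()
        if "Process ID" in rec:
            services.append(rec)
    return services


def lineage(procs, pid):
    """Walk PPIDs upward and return the chain of names, starting at pid."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid]["name"])
        pid = procs[pid]["ppid"]
    return chain


def parent_anomalies(procs):
    """List (pid, name, ppid, parent_name) where the parent is not the expected one."""
    anomalies = []
    for pid, proc in sorted(procs.items()):
        expected = EXPECTED_PARENT.get(proc["name"].lower())
        if expected is None:
            continue
        parent = procs.get(proc["ppid"])
        parent_name = parent["name"] if parent else "<not in tree>"
        if parent_name.lower() not in expected:
            anomalies.append((pid, proc["name"], proc["ppid"], parent_name))
    return anomalies


def running_services_for_pid(services, pid):
    """svcscan records in SERVICE_RUNNING state whose Process ID matches pid."""
    return [s for s in services
            if s.get("Process ID") == str(pid) and s.get("Service State") == "SERVICE_RUNNING"]


if __name__ == "__main__":
    procs = parse_pstree(PSTREE_OUTPUT)
    services = parse_svcscan(SVCSCAN_OUTPUT)
    print("lineage of 1956:", " <- ".join(lineage(procs, 1956)))
    print("parent anomalies:", parent_anomalies(procs))
    for svc in running_services_for_pid(services, 1956):
        print("PID 1956 runs service", svc["Service Name"], "from", svc["Binary Path"])
```

On a real case, replace the two embedded strings with open("pstree-results.txt").read() and open("svcscan-results.txt").read(). A service-hosting process whose parent is not services.exe, or a process that claims to be a service but has no matching svcscan record, is exactly the kind of inconsistency that would have warranted the deeper memdump and scanning steps that follow.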
At this point “avp.exe” seemed legitimate. However, a final check needed to be made to confirm this. The next step was to dump the contents of memory for PID 1956 (avp.exe). This was done using the command “vol.py --filename=./ALYSSA-PC-20150905-001215.raw --verbose --kdbg=0xf6fc0001a0f0 --dtb=0x187000 --profile=Win7SP1x64 memdump --pid=1956 --dump-dir=.”.
Once the process memory was dumped, the next step was to extract any executables which could be found in this process using the command “foremost -t exe -o tmp/ -v 1956.dmp”. This produced a total of 1016 files.
The files were then scanned using the latest version of ClamAV (clamscan), with the signature database updated as of Saturday, October 10.
Figure 8: Above shows ClamAV being updated
The files were then scanned using the following command: “clamscan --verbose --infected --recursive=yes --allmatch=yes --scan-pe=yes --enable-stats tmp/*”. According to ClamAV, no infected files were found, as shown below.
Figure 9: Above shows 0 files were found to be infected from the PID 1956 (avp.exe) memory dump.
According to (support.kaspersky.com, 2015), this process seems to be related to Kaspersky products.
At this point the decision was made to move on to the process with PID 1056 (svchost.exe), as this seemed more suspicious since it had an “ESTABLISHED” connection.
Other posts in this series
Volatility Memory Forensics - Investigation a potential virus situation - Part1
Volatility Memory Forensics - Investigation a potential virus situation - Part2
Volatility Memory Forensics - Investigation a potential virus situation - Part3
Volatility Memory Forensics - Investigation a potential virus situation - Part4
Volatility Memory Forensics - Investigation a potential virus situation - Part5