Sunday, November 1, 2015

Volatility Memory Forensics - Investigation a potential virus situation - Part 4

Part 1 | Part 2 | Part 3 | Part 5

Learning about PID 1056 (svchost.exe)

From the list of process information gathered, process ID 1056 had a parent ID of 804. PID 804 was related to “services.exe”

0xfffffa80080eb680 svchost.exe            1056    804     40     1284      0      0 2015-09-04 23:08:02 UTC+0000                              

0xfffffa8007d8a5e0 services.exe            804    728      6      262      0      0 2015-09-04 23:07:51 UTC+0000                              

Using the command “cat svcscan-results.txt | grep --perl-regexp "Process\sID:\s1056" --before-context=3 --after-context=7 > process-1056-service.txt” on the previously created “svscan-results.txt” file, it was determined that there were 16 processes using PID 1056 all of which were in service state “SERVICE_RUNNING”

Using a fresh install of Windows 7 in a virtual machine, the various services were compared using the “SC QC”, “SC QUERY” and “dir” commands. No noticeable differences were identified between the services from the memory image and those from the fresh install to suggest that any of these services were compromised.

Figure 10:Above shows process with PID 1056 started as a  Service on Alyssa’s computer

Figure 11:Above shows a fresh install of Windows 7 services which seems to match those from the memory images

Learning about the IP

A “geoiptool” lookup was performed on the IP and this suggests the IP belongs to

Figure 12:Above shows geoip lookup for

According to information gathered from (Limelight Networks Inc., 2014) Limelight Networks performs Content Delivery Services. As a result, this IP may be a legitimate IP. However, previous checks on VirusTotal did reveal some malicious URLs associated with this IP.

Dumping memory for PID 1056 (svchost.exe)
In order to dump the memory of the process with PID 1056 (svchost.exe), the command “ --filename=./ALYSSA-PC-20150905-001215.raw --verbose --kdbg=0xf6fc0001a0f0 --dtb=0x187000 --profile=Win7SP1x64 memdump --pid=1056 --dump-dir=.” was executed.

Once the process memory was dumped, the next step was to extract any executables which could be found in this process using the command “foremost -t exe -o tmp/ -v 1056.dmp”. This produced 953 files. These files were than checked using clamav and no infections were found.

Figure 13:Above shows 0 files were found to be infected from process 1056 memory dump

Checking the strings

The next step was to check the strings in the process with the objective being to identify the specific URL which may have been contacted in an attempt to learn if the process was actually connected to the IP “208\.111\.170\.136”. The first check was to extract the ASCII strings using “strings --encoding=l 1056.dmp > strings-1056.txt” and then the Unicode “strings --encoding=s 1056.dmp >> strings-1056.txt”.

Next the command “grep --ignore-case --perl-regexp "208\.111\.170\.136|llnw\.net" strings-1056.txt” was executed. Based on the query, no entries were found for the IP or

Figure 14:Above shows strings being executed, then the data being grep'd

Testing the site
As a result of no information being returned from the strings, the next step was to connect directly to the site to see what responses would be returned. This was first done on a computer running Firefox on Ubuntu OS and then on another with IE 7 on Windows 7 OS. In both cases the result returned was a “400 Bad Request”. Nothing was returned that I could have worked with.

Figure 15:Above shows Wireshark TCP stream of connection to site

No comments:

Post a Comment