Learning about PID 1056 (svchost.exe)
From the list of process information gathered, process ID 1056 had a parent ID of 804. PID 804 belonged to “services.exe”:

Offset(V)          Name          PID  PPID Thds Hnds Sess Wow64 Start
0xfffffa80080eb680 svchost.exe   1056 804  40   1284 0    0     2015-09-04 23:08:02 UTC+0000
0xfffffa8007d8a5e0 services.exe  804  728  6    262  0    0     2015-09-04 23:07:51 UTC+0000
Using the command “cat svcscan-results.txt | grep --perl-regexp "Process\sID:\s1056" --before-context=3 --after-context=7 > process-1056-service.txt” on the previously created “svcscan-results.txt” file, it was determined that there were 16 service entries with Process ID 1056, all of which were in service state “SERVICE_RUNNING”.
Figure 10: Above shows the services started inside the process with PID 1056 on Alyssa’s computer
Figure 11: Above shows the services of a fresh install of Windows 7, which seem to match those from the memory image
Learning about the IP 208.111.170.136
A “geoiptool” lookup was performed on the IP, and the result suggests the IP belongs to llnw.net.
Figure 12: Above shows the geoip lookup for 208.111.170.136
According to information gathered from (Limelight Networks Inc., 2014) Limelight Networks performs Content Delivery Services. As a result, this IP may be a legitimate IP. However, previous checks on VirusTotal did reveal some malicious URLs associated with this IP.
Dumping memory for PID 1056 (svchost.exe)
In order to dump the memory of the process with PID 1056
(svchost.exe), the command “vol.py --filename=./ALYSSA-PC-20150905-001215.raw
--verbose --kdbg=0xf6fc0001a0f0 --dtb=0x187000 --profile=Win7SP1x64 memdump
--pid=1056 --dump-dir=.” was executed.
Once the process memory was dumped, the next step was to extract any executables which could be found in this process using the command “foremost -t exe -o tmp/ -v 1056.dmp”. This produced 953 files. These files were then checked using ClamAV and no infections were found.
Figure 13: Above shows 0 files were found to be infected from the process 1056 memory dump
Checking the strings
The next step was to check the strings in the process, with the objective of identifying the specific URL which may have been contacted, in an attempt to learn whether the process was actually connected to the IP “208.111.170.136”.
The first check was to extract the ASCII strings using “strings --encoding=l
1056.dmp > strings-1056.txt” and then the Unicode “strings --encoding=s
1056.dmp >> strings-1056.txt”.
Next the command “grep --ignore-case --perl-regexp
"208\.111\.170\.136|llnw\.net" strings-1056.txt” was executed. Based
on the query, no entries were found for the IP or llnw.net.
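As an added example (not the author's tooling), the two strings passes and the grep above can be reproduced in Python, which also makes the encoding caveat explicit: in GNU strings, “--encoding=s” extracts single-7-bit-byte (ASCII) runs and “--encoding=l” extracts 16-bit little-endian (UTF-16LE) runs, and a hostname stored as UTF-16 in process memory is only found by the latter. The buffer below is constructed to stand in for 1056.dmp; the IoC pattern is the one from the investigation.

```python
import re

# IoC pattern used in the investigation: the IP and the Limelight domain.
IOC_PATTERN = re.compile(rb"208\.111\.170\.136|llnw\.net", re.IGNORECASE)

MIN_LEN = 4  # GNU strings default minimum string length


def ascii_strings(data: bytes, min_len: int = MIN_LEN):
    """Equivalent of `strings --encoding=s`: runs of printable 7-bit bytes."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.start(), m.group().decode("ascii")


def utf16le_strings(data: bytes, min_len: int = MIN_LEN):
    """Equivalent of `strings --encoding=l`: printable chars as 16-bit little-endian."""
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        yield m.start(), m.group().decode("utf-16-le")


def find_iocs(data: bytes):
    """Return (offset, encoding, string) for every extracted string matching IOC_PATTERN."""
    hits = []
    for enc, extractor in (("ascii", ascii_strings), ("utf-16le", utf16le_strings)):
        for off, s in extractor(data):
            if IOC_PATTERN.search(s.encode("ascii")):
                hits.append((off, enc, s))
    return hits


# Constructed sample buffer standing in for 1056.dmp: header noise, one ASCII URL,
# one UTF-16LE hostname, and an unrelated ASCII request line.
SAMPLE = (
    b"\x00\x01\x02MZ\x90\x00"
    + b"http://208.111.170.136/update.cab"
    + b"\x00\xff\x00"
    + "cds872.ord.llnw.net".encode("utf-16-le")
    + b"\x00\x00GET /index.html"
)

if __name__ == "__main__":
    for off, enc, s in find_iocs(SAMPLE):
        print(f"0x{off:08x} {enc:8} {s}")
```

The offsets reported are byte offsets into the dump, so a hit can be taken back to the dump with a hex viewer to inspect the surrounding bytes.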
Figure 14: Above shows strings being executed, then the data being grep'd
Testing the site
As a result of no information being returned from the
strings, the next step was to connect directly to the site to see what
responses would be returned. This was first done on a computer running Firefox
on Ubuntu OS and then on another with IE 7 on Windows 7 OS. In both cases the
result returned was a “400 Bad Request”. Nothing was returned that I could have
worked with.
Figure 15: Above shows the Wireshark TCP stream of the connection to site cds872.ord.llnw.net
Other posts in this series
Volatility Memory Forensics - Investigation a potential virus situation - Part1
Volatility Memory Forensics - Investigation a potential virus situation - Part2
Volatility Memory Forensics - Investigation a potential virus situation - Part3
Volatility Memory Forensics - Investigation a potential virus situation - Part4
Volatility Memory Forensics - Investigation a potential virus situation - Part5