Sunday, November 1, 2015

Volatility Memory Forensics - Investigating a potential virus situation - Part 3


Part 1 | Part 2 | Part 4 | Part 5
Identifying Running Processes
Once the network information had been identified, the next step was to focus on the processes with PID 1056 (svchost.exe) and PID 1956 (avp.exe). The command “vol.py --filename=./ALYSSA-PC-20150905-001215.raw --verbose --kdbg=0xf6fc0001a0f0 --dtb=0x187000 --profile=Win7SP1x64 pstree > pstree-results.txt” was executed to list the processes that were running at the time the image was taken. The command “cat pstree-results.txt | more” was then used to learn more about PID 1956.
Figure 5: avp.exe process reportedly belonging to Kaspersky Internet Security

As PID 1956 (avp.exe) appeared to be associated with Kaspersky Internet Security 15.0, the next step was to verify its parent process ID (PPID), 804. Process ID 804 appears to belong to “services.exe”.



Figure 6: services.exe shown as the parent of the process with PID 1956 (avp.exe)


The parent process of 1956 (avp.exe) is 804 (services.exe). The next step was to see which service is associated with the process with PID 1956 (avp.exe). The following command was executed: “vol.py --filename=./ALYSSA-PC-20150905-001215.raw --verbose --kdbg=0xf6fc0001a0f0 --dtb=0x187000 --profile=Win7SP1x64 svcscan > svcscan-results.txt”. Next, the command “cat svcscan-results.txt” was executed.



Figure 7: Above shows the process with PID 1956 (avp.exe) started as a service
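To make the two checks above (parent chain from pstree, service registration from svcscan) repeatable, here is an added Python example; it is not part of the original post or of Volatility itself. It parses text in the Volatility 2 pstree/svcscan layout; the process rows, offsets, service names and binary paths are constructed for the example, not taken from the dump.

```python
import re
# Constructed sample of Volatility 2 'pstree' output for a Win7 image (not the post's dump).
PSTREE = r"""
 0xfffffa8001a2b060:wininit.exe          388    340      3     80 2015-09-05 00:10:01 UTC+0000
. 0xfffffa8001b1c910:services.exe        804    388      9    220 2015-09-05 00:10:02 UTC+0000
.. 0xfffffa8001c5d5e0:avp.exe           1956    804     40   1100 2015-09-05 00:10:05 UTC+0000
.. 0xfffffa8001c77b30:svchost.exe       1056    804     10    500 2015-09-05 00:10:04 UTC+0000
"""
# Constructed sample of 'svcscan' records; the service names and paths are assumed.
SVCSCAN = r"""
Process ID: 1956
Service Name: AVP
Binary Path: "C:\Program Files (x86)\Kaspersky Lab\avp.exe" -r

Process ID: 1056
Service Name: Dnscache
Binary Path: C:\Windows\system32\svchost.exe -k NetworkService
"""
ROW = re.compile(r"^\.*\s*0x[0-9a-fA-F]+:(\S+)\s+(\d+)\s+(\d+)")

def parse_pstree(text):
    """pid -> (name, ppid). The tree dots are cosmetic; the PPid column is used."""
    procs = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            procs[int(m.group(2))] = (m.group(1), int(m.group(3)))
    return procs

def ancestry(procs, pid):
    """Names from pid up to the highest ancestor still in the dump (loop-safe)."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        name, pid = procs[pid]      # pid becomes the parent pid
        chain.append(name)
    return chain

def parse_svcscan(text):
    """pid -> list of service names, one svcscan record per blank-line block."""
    by_pid = {}
    for block in text.strip().split("\n\n"):
        f = dict(l.split(": ", 1) for l in block.splitlines() if ": " in l)
        by_pid.setdefault(int(f["Process ID"]), []).append(f["Service Name"])
    return by_pid

def check_service_process(procs, services, pid):
    """Does pid hang off services.exe AND appear in svcscan as a registered service?"""
    chain = ancestry(procs, pid)
    parent_ok = len(chain) > 1 and chain[1].lower() == "services.exe"
    return {"chain": chain, "parent_is_services": parent_ok, "services": services.get(pid, [])}
```

A process that passes both checks is only consistent with being a legitimate service; the memdump and scan steps that follow are still needed.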


At this point “avp.exe” seemed legitimate. However, a final check was needed to confirm this. The next step was to dump the memory contents of PID 1956 (avp.exe). This was done using the command “vol.py --filename=./ALYSSA-PC-20150905-001215.raw --verbose --kdbg=0xf6fc0001a0f0 --dtb=0x187000 --profile=Win7SP1x64 memdump --pid=1956 --dump-dir=.”.



Once the process memory was dumped, the next step was to extract any executables that could be found in it using the command “foremost -t exe -o tmp/ -v 1956.dmp”. This produced a total of 1016 files.



Using the latest version of ClamAV (clamscan), with the signature database updated as of Saturday, October 10, the files were then scanned.

Figure 8: Above shows ClamAV being updated


The files were scanned using the following command: “clamscan --verbose --infected --recursive=yes --allmatch=yes --scan-pe=yes --enable-stats tmp/*”. According to ClamAV, no infected files were found, as shown below.


Figure 9: Above shows that 0 files from the PID 1956 (avp.exe) memory dump were found to be infected.

According to (support.kaspersky.com, 2015), this process seems to be related to Kaspersky products.


At this point the decision was made to move on to the process with PID 1056 (svchost.exe), as it seemed more suspicious because it had an “ESTABLISHED” connection.


