« Previous 1 2
Malware Analysis
Forensic Analysis with Redline and Volatility
Conclusion
After taking a class for GCFA certification [9] and learning how to use the tools described in this article, I started analyzing the malware found by the firewall on our network, along with a known malware variant from Palo Alto Networks. This example was a challenge to analyze because the investigation threw no obvious red flags, demonstrating how you need to dig deep to find threats to your systems. What I learned:
1. The memory image taken before infection showed communication with the Windows box and the forensic workstation, but no other connections.
2. The memory image taken after the infection showed communication with 10.10.3.180 (two instances), which is an internal IP address that does not exist on my test network.
3. The PIDs related to IP address 10.10.3.180 were 1792, a dead process, and 132, svchost.exe
, which was a child of wscript.exe
and had a parent process of PID 1648 (explorer.exe
).
4. svchost.exe
(PID 132) is a generic host process for Windows services and is used to run service DLLs; it should always be a child of services.exe
. Because it showed up as a child process of wscript.exe
, it was a clear indication of wrongdoing (Figure 12).
Infos
- "Acquiring a Memory Image" by David J. Dodd, ADMIN , Issue 20, pg. 8, http://www.admin-magazine.com/Archive/2014/20/Acquiring-a-Memory-Image/(language)/eng-US
- F-Response: https://www.f-response.com/software/tac
- Volatility: http://code.google.com/p/volatility/wiki/VolatilityIntroduction?tm=6
- Redline: https://www.mandiant.com/resources/download/redline
- PA-5000 series: https://www.paloaltonetworks.com/products/platforms/firewalls/pa-5000/features.html
- WildFire: https://www.paloaltonetworks.com/products/technologies/wildfire.html
- VirusTotal: https://www.virustotal.com/
- SANS DFIR: https://digital-forensics3.sans.org/media/dfir_poster_2014.pdf
- GCFA certification: http://www.giac.org/certification/certified-forensic-analyst-gcfa
« Previous 1 2
Buy this article as PDF
(incl. VAT)