Test Case Description:
This Ram dump of a computer which is under attack and attacker is accessing it with reverse TCP connection.
Answer of these following question we have to find?
- Name of malicious process and its Process ID?
- Malicious payload’s Reverse IP and port number?
- Testing the Virus on online sandbox and online Antiviruses?
Setup our lab:
- Kali Linux (recommended)
- Volatility Ram Analysis Tool https://github.com/volatilityfoundation/volatility
- Sample Ram Dump: https://www.mediafire.com/file/1ufporja2jgz0pc/ramdump.zip/file
Starting with Image info:
python3 vol.py -f /media/sf_share_me/dump.raw windows.info.Info
It displays the information about the ram captured.
Displaying all the processes running:
python3 vol.py -f /media/sf_share_me/dump.raw windows.pslist
See all the processes very carefully to identify any malicious process is running or not.
Yes I Found the malicious process:
lsasss.exe is not a legitimate process and we can put this in our suspicious list of process running. I think the name is just to trick the user because lsass.exe is a legitimate process. There is “s” extra in our founded process.
The process ID is 8140
Founding the IP address and Port Number of the Malicious process.
python3 vol.py -f /media/sf_share_me/dump.raw windows.netscan.NetScan
Now, we found that reverse connection is going on
IP address: 10.0.2.4
Port number: 6969
Analyze the Process on Sandbox and online tools
To analyse that firstly, we need to dump the process.
python3 vol.py -f /media/sf_share_me/dump.raw windows.pslist --pid 8140 --dump
Secondly, Upload the process dump or the hash of process on https://www.virustotal.com/gui/ to check the process by various antiviruses softwares.
we were correct IT IS A MALWARE
princep4 - Overview
Cyber Security Enthusiast. princep4 has 19 repositories available. Follow their code on GitHub.