In the previous post, the memory image of a Windows 2003SP2 machine was dumped. Now that we have the memory image, let's use volatility to analyze its contents.
First, let look at the memory image to see what OS volatility thinks it may be. Do remember, I already stated this is a Windows2003SP2 but let's see what volatilty says.
To identify the image, we use following volatility command.
./vol.py -f SECURITYNIK-SRV-20140613-015002.raw imageinfo
As can be seen above, the imageinfo plugin gave us some suggested profiles. From the additional information, we can see we also have the time the image was aquired. We will also use the KDBG address information as we continue to analyze our image.
Let's move on to the connections plugin to see what network connections may have been established at the time this memory image was acquired.
To find the network connections we use:
./vol.py -f SECURITYNIK-SRV-20140613-015002.raw connections
There seems to have been a connection from the localhost on port 1033 to host 192.168.0.15 on port 4444. We also see this connection reports it was using PID 4712.
Let's look at the process tree to see what we can find using command:
vol.py --profile=Win2003SP2x86 --kdbg=0x808993d8 -f SECURITYNIK-SRV-20140613-015002.raw pstree
Name Pid PPid Thds Hnds Time
0x812923e8:rundll32.exe 4712 4700 2 35 2014-06-13 01:49:51 UTC+0000
. 0x81292b70:cmd.exe 4728 4712 1 30 2014-06-13 01:49:51 UTC+0000
It seems process 4712 also had a child process with PID 4728 (cmd.exe). From this perspective, I would say someone at IP 192.168.0.15 had access to the command prompt. We also see that process 4712 parent is reported as PID 4700.
Let's see what we can learn about PID 4700
vol.py --profile=Win2003SP2x86 --kdbg=0x808993d8 -f SECURITYNIK-SRV-20140613-015002.raw pslist --pid=4700
Hmmmmmm!! This is strange, PID 4700 does not seem to exist.
Let's move on. What privileges was PID 4712 (rundll32.exe) and PID 4728 (cmd.exe) running with? Let's find out.
From the above, it seems these 2 processes were also running with Local System and Administrator privileges.
Since, were unable to find anything relating to PID 4700, let's see what DLLs may be in use by PID 4712 (rundll32.exe)
vol.py --profile=Win2003SP2x86 --kdbg=0x808993d8 -f SECURITYNIK-SRV-20140613-015002.raw dlllist -p 4712
... and now for PID 4728 (cmd.exe)
vol.py --profile=Win2003SP2x86 --kdbg=0x808993d8 -f SECURITYNIK-SRV-20140613-015002.raw dlllist -p 4728
Let's go back to process rundll32.dll (PID 4712) and see if there may be any malware in there.
vol.py --profile=Win2003SP2x86 --kdbg=0x808993d8 -f SECURITYNIK-SRV-20140613-015002.raw malfind -p 4712 --dump-dir /tmp
The above command created the file process.0x812923e8.0x90000.dmp in the /tmp directory
Let's post this file up to virustotal and see what we get.
Looks like the file was detected as containing malware by 2 out of the 54 AV engines.
As the above shows, we can use tools like volatility to analyze the contents of memory to draw conclusions.
Reference and Additional Readings: