Monday, December 1, 2014

Detailed analysis of an ADP Invoice Phishing Attempt - Volatility



In this 6 part series, we will analyze a recent phishing attempt through an email which was sent to me. In the first post we looked at the email. The second post we did an analysis using Wireshark. In the third post we did some basic static analysis. In the fourth post we performed some basic dynamic analysis. In this post we perform some basic memory forensics on a captured memory image.


Previously we dumped the contents of RAM for the infected system to see what information we can learn about the state of the machine at that point in time.

Profiling the Image ...



As we can see this is a Windows XP SP2 System. Let's use that as the profile along with the KDBG " 0x8054cf60" and DTB " 0x39000".
from the image info we see the UTC date and time as well as the local date and time when the image was created.

Checking the processes ....

As can be seen above we are seeing the "invoice1211_pdf" in the process list. The strange thing is my understand. Because of the various ways malware may hide in memory, I could have used psxview. However, because I know what I'm looking for and because I can see it here, I will move on.
1.            We see process "invoice1211_pdf" has a PID of 168
2.            Process with PID 168 has a Parent PID of 1568
3.            We see PID 1568 is related to explorer.exe
4.            Process with PID 1568 has a PPID of 1524


Checking the DLLs for PID 168 ....
At this point to me the highlighted section looks suspicious. All other DLLs are loaded  C:\WINDOWS\System32 while the highlighter one is being called from C:\WINDOWS\WinSxS. This folder is valid. However, I'm just concerned about the location from which it is being called as compared to the other DLLs.

Checking the network connections ...

We can see that PID 168 has a network connection from 192.168.56.102 on local port 1615 to remote address 192.168.56.101 port 80

Checking the privileges the program executed with ...

From the above we see the permissions which the executable had at time of its execution. Of most importance here is the "Administrators" credentials.

Further look at the privileges ...

We see we have 5 enable 2 by default


Checking the internet history ....


From the above we see base on the IE history, process "invoice1211_pdf" made downloaded file "miniuk1.html" from "shahlart.com" and "projectglory.awardspace.com". In both cases the file was saved as "miniuk1[1].htm"

Dumping the executable in the process ...

Now that we've dumped this executable, we can perform further analysis on this if needed.

In our final post, we will put it all together using the knowledge we've gained to write rules for our SIEM and IPS.



.pcap and .zip files from my analysis. Please note, in no way am I responsible for any damage caused to your computer and or other devices as a result of using these files.

adp.pcap - 4cfd352a3c890873d20a33d35fffed25  
invoice1211_pdf82.zip - 05fc7646cf11b6e7fb124782daf9fb53 

References:
https://code.google.com/p/volatility/



No comments:

Post a Comment