I want to check to see if my test computer is infected with Stuxnet.
I have not finished the forensics on it and do not want to know any answers. I don't want to check the behavioral data yet because that would give too much away.
My hash and signature analysis says it is not infected. I don't want to waste time if it is not infected.
I think the simplest way to determine if it is infected is to see if the "Are you there?" mutant is there. If you know the mutant, please let me know.
There is a lot of analysis of it on the internet and I have kept away from it. No fun to get the answer from someone else.
Thanks,
Mike
I am looking at a sample of the Pilleuz worm that infects USB.
I ran malfind and was not successful in extracting a sample.
Is there another option for extracting injected code?
Is there a way to dump threads?
Thanks,
Mike
I've used 1.3 and 2.0 but neither gives me any "old" UDP artifacts. I know they are there because I have the pcap, so I am looking for them in memory.
Can someone tell me the format of a UDP artifact in memory please?
For example, I'm looking for a connection UDP 192.168.136.129:1044 to 204.13.161.100:6600.
I'm looking at
11 83 89 C0 A8 88 81 CC 0D A1 64 04 14 19 C8
which looks like
UDP Unk Unk 192.168.136.129 204.13.161.100 1044 6600
The "Unk" means I don't know what they are (the 83 seems to be constant, the 89 changes slightly).
I've found this in the kernel
01fb5017 [kernel:2180730903] UDP to 204.13.161.100
This may just be a parameter block that is passed to the OS, but it does show that there was such a packet sent.
Tell me what I need to be looking for if I am in the wrong place.
Thanks,
Mike
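The record layout Mike infers above, as an added scanner that is not part of the original thread and not Volatility code. It assumes exactly the 15-byte layout his bytes suggest (0x11 for IPPROTO_UDP, two unexplained bytes, source and destination IPv4 addresses, then both ports big-endian); that layout is an inference from one sample, not a documented Windows structure. The "image" it scans is a constructed buffer that embeds his bytes plus a second made-up record.

```python
"""Scan a raw memory image for the UDP record layout inferred in the post above.
The layout is an assumption taken from the bytes quoted there, not a documented
Windows structure:

    11 | ?? ?? | src IPv4 | dst IPv4 | src port | dst port
   UDP   2 unk   4 bytes    4 bytes    2 BE       2 BE      (15 bytes)
"""
import re
import socket
import struct
from collections import namedtuple

UdpRecord = namedtuple("UdpRecord", "offset unk1 unk2 src_ip src_port dst_ip dst_port")
RECORD_LEN = 15


def build_pattern(src_ip=None, src_port=None, dst_ip=None, dst_port=None):
    """Bytes regex for the assumed layout; any field left None is a wildcard."""
    def ip(v):
        return re.escape(socket.inet_aton(v)) if v else b".{4}"

    def port(v):
        return re.escape(struct.pack(">H", v)) if v is not None else b".{2}"

    # 0x11 = IPPROTO_UDP; the next two bytes are the ones Mike could not explain
    return re.compile(b"\x11.{2}" + ip(src_ip) + ip(dst_ip) + port(src_port) + port(dst_port),
                      re.DOTALL)


def parse_record(buf, off):
    """Decode one 15-byte record starting at buf[off]."""
    unk1, unk2 = buf[off + 1], buf[off + 2]
    src = socket.inet_ntoa(buf[off + 3:off + 7])
    dst = socket.inet_ntoa(buf[off + 7:off + 11])
    sport, dport = struct.unpack(">HH", buf[off + 11:off + RECORD_LEN])
    return UdpRecord(off, unk1, unk2, src, sport, dst, dport)


def find_udp_records(buf, **endpoint):
    """All candidate records in buf matching the given endpoint filters."""
    return [parse_record(buf, m.start()) for m in build_pattern(**endpoint).finditer(buf)]


# Constructed sample "image": Mike's 15 bytes plus a second made-up record
# (192.168.136.129:1045 -> 8.8.8.8:53) surrounded by filler bytes.
MIKE_RECORD = bytes.fromhex("11 83 89 C0 A8 88 81 CC 0D A1 64 04 14 19 C8")
OTHER_RECORD = bytes.fromhex("11 83 8A C0 A8 88 81 08 08 08 08 04 15 00 35")
SAMPLE_IMAGE = b"\x00" * 37 + MIKE_RECORD + b"\xff" * 10 + OTHER_RECORD + b"\x00" * 20

if __name__ == "__main__":
    for rec in find_udp_records(SAMPLE_IMAGE, dst_ip="204.13.161.100", dst_port=6600):
        print("offset {0:#x}: {1}:{2} -> {3}:{4} unk={5:#x},{6:#x}".format(
            rec.offset, rec.src_ip, rec.src_port, rec.dst_ip, rec.dst_port,
            rec.unk1, rec.unk2))
```

To run it over a real dump, mmap the image file and pass the mmap object as buf; re works on any buffer-protocol object. A bare 0x11 anchor plus wildcards will match unrelated data in a multi-gigabyte image, so filter on at least one endpoint you already know from the pcap, and treat hits as candidates to confirm rather than proof until the two unknown bytes are explained.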
Hi All,
I presented a topic on "malware memory forensics" using Volatility. The ppt and video can be found in the link below. I hope you will like it :-)
http://goo.gl/7bRFK
Thanks,
Monnappa
Just curious whether the Volatility 2.0.1 branch is a bugfix for the
stable 2.0 branch, or is it something else entirely?
-Roman
Please cc: this address in addition to the mailing list, as I'm not
normally a subscriber.
Hi all,
I have not used apihooks for a while. Now I am playing around with that Flame sample from Mike Lambert (THX a lot!!) and miss that plugin.
It may have gone with the integration of the malware plugins directly into the Volatility core.
Is it still available somewhere for 2.1a or do I have to reuse an older
version?
Regards
Michael
Hello all,
Following a hint from Andreas Schuster (THX!!) I have tried to access the _SE_AUDIT_PROCESS_CREATION_INFO structure which is referenced in _EPROCESS.SeAuditProcessCreationInfo:
>>> for proc in win32.tasks.pslist(self.addrspace):
...     if proc.UniqueProcessId in (172, 528, 1560):
...         print "SeAuditProcessCreationInfo: {0:#x}".format(proc.SeAuditProcessCreationInfo)
...
SeAuditProcessCreationInfo: 0x82014964
SeAuditProcessCreationInfo: 0x81c8e6ac
SeAuditProcessCreationInfo: 0x81cc1214
So I have displayed the pointers to the _SE_AUDIT_PROCESS_CREATION_INFO structure.
I hoped to find a Unicode string somewhere containing the path to the image file.
Sadly a hexdump seems to be useless:
>>> db(0x82014964, length=256)
0x82014964  d0 b8 fe 81 40 b3 27 ff e7 d2 c9 01 00 00 01 00   ....@.'.........
0x82014974  5e 03 00 00 00 03 00 00 00 03 00 00 32 00 00 00   ^...........2...
0x82014984  59 01 00 00 00 30 88 c0 64 3c 22 82 c4 95 ff 81   Y....0..d<".....
0x82014994  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
...
But that's OK, because there should only be another pointer again:
>>> dt("_SE_AUDIT_PROCESS_CREATION_INFO")
'_SE_AUDIT_PROCESS_CREATION_INFO' (4 bytes)
0x0 : ImageFileName ['pointer', ['_OBJECT_NAME_INFORMATION']]
How can I access this structure via object.method?
CU
Mic
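The pointer chain Mic is walking above, as an added stand-alone example that is not from the thread and does not use Volatility's object model. It uses the public 32-bit Windows layouts (_SE_AUDIT_PROCESS_CREATION_INFO is a single pointer, as the dt() output shows; _OBJECT_NAME_INFORMATION begins with a _UNICODE_STRING of USHORT Length, USHORT MaximumLength, PWSTR Buffer) over a constructed flat memory image. The 16 bytes at 0x82014964 are the ones quoted in the message, which is why the dump "looks useless": they start with the pointer 0x81feb8d0. Everything at that target address, the image path, and the two extra process entries are constructed for the example.

```python
"""Follow _EPROCESS.SeAuditProcessCreationInfo -> ImageFileName
-> _OBJECT_NAME_INFORMATION.Name -> UTF-16LE path on a constructed flat image.
Structure layouts are the public x86 Windows ones; memory contents beyond the
16 bytes quoted in the message are constructed."""
import struct

POINTER_SIZE = 4  # x86 profile, consistent with the 4-byte struct shown by dt()


class FlatMemory:
    """Tiny stand-in for a Volatility address space: a few (base, bytes) regions."""

    def __init__(self, regions):
        self.regions = regions

    def read(self, addr, length):
        for base, data in self.regions:
            if base <= addr and addr + length <= base + len(data):
                return data[addr - base:addr - base + length]
        return None  # unmapped or paged out


def read_pointer(mem, addr):
    raw = mem.read(addr, POINTER_SIZE)
    return struct.unpack("<I", raw)[0] if raw is not None else None


def read_unicode_string(mem, addr):
    """_UNICODE_STRING on x86: USHORT Length; USHORT MaximumLength; PWSTR Buffer.
    Length counts bytes, not characters, and the buffer is not NUL-terminated."""
    raw = mem.read(addr, 8)
    if raw is None:
        return None
    length, max_length, buf_ptr = struct.unpack("<HHI", raw)
    if buf_ptr == 0 or length == 0 or length > max_length or length % 2:
        return None  # empty, inconsistent or smeared header
    data = mem.read(buf_ptr, length)
    return data.decode("utf-16-le", errors="replace") if data is not None else None


def audit_image_path(mem, se_audit_addr):
    """se_audit_addr is the address of the inline _EPROCESS.SeAuditProcessCreationInfo
    (what {0:#x} printed in the message).  Its only member is the ImageFileName
    pointer to an _OBJECT_NAME_INFORMATION, whose first member is the Name string."""
    name_info = read_pointer(mem, se_audit_addr)
    if not name_info:
        return None
    return read_unicode_string(mem, name_info)


# --- constructed image -------------------------------------------------------
IMAGE_PATH = "\\Device\\HarddiskVolume1\\WINDOWS\\system32\\svchost.exe"  # constructed
NAME_INFO_ADDR = 0x81FEB8D0          # the pointer the quoted hexdump shows at 0x82014964
BUFFER_ADDR = NAME_INFO_ADDR + 8     # name buffer placed right after the header (constructed)

_path_bytes = IMAGE_PATH.encode("utf-16-le")
_name_info = (struct.pack("<HHI", len(_path_bytes), len(_path_bytes) + 2, BUFFER_ADDR)
              + _path_bytes + b"\x00\x00")

MEM = FlatMemory([
    # first 16 bytes exactly as quoted in the message; they begin with the pointer
    (0x82014964, bytes.fromhex("d0 b8 fe 81 40 b3 27 ff e7 d2 c9 01 00 00 01 00")),
    (NAME_INFO_ADDR, _name_info),
    (0x81C8E6AC, b"\x00\x00\x00\x00"),             # constructed: no audit name recorded
    (0x81CC1214, struct.pack("<I", 0x7FFF0000)),   # constructed: pointer into unmapped memory
])

if __name__ == "__main__":
    for addr in (0x82014964, 0x81C8E6AC, 0x81CC1214):
        print("{0:#x}: {1!r}".format(addr, audit_image_path(MEM, addr)))
```

Two things worth knowing when doing this for real: the path recovered this way is the NT device path (\Device\HarddiskVolumeN\...), not a drive-letter path, and the pointer field is zero or stale for some processes, so a None result is normal rather than a parsing error. In volshell, assuming the profile's _OBJECT_NAME_INFORMATION carries the usual Name member of type _UNICODE_STRING, the same walk should reduce to attribute access, proc.SeAuditProcessCreationInfo.ImageFileName.Name, because Volatility dereferences a pointer member when you read an attribute through it.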