Hi again,
I'd like to add some details.
First the attachment is the apihooks plugin output log and second:
# vol idt | grep UNKNOWN
Volatility Foundation Volatility Framework 2.3.1
     0      2       0x58 0x00000000 UNKNOWN
     0      8       0x50 0x00000000 UNKNOWN
     0     20        0x8 0x00000000 UNKNOWN
     0     21        0x8 0x00000000 UNKNOWN
     0     22        0x8 0x00000000 UNKNOWN
     0     23        0x8 0x00000000 UNKNOWN
     0     24        0x8 0x00000000 UNKNOWN
     0     25        0x8 0x00000000 UNKNOWN
     0     26        0x8 0x00000000 UNKNOWN
     0     27        0x8 0x00000000 UNKNOWN
     0     28        0x8 0x00000000 UNKNOWN
     0     29        0x8 0x00000000 UNKNOWN
     0     51        0x8 0x89af9bec UNKNOWN
     0     52        0x8 0x89b25044 UNKNOWN
     0     72        0x8 0x89f32bec UNKNOWN
     0     93        0x8 0x89c0f8bc UNKNOWN
     0     A2        0x8 0x89b01044 UNKNOWN
     0     A3        0x8 0x89f3fbec UNKNOWN
     0     B1        0x8 0x89f688bc UNKNOWN
     0     B3        0x8 0x89b262fc UNKNOWN
     1      2       0x58 0x00000000 UNKNOWN
     1      8       0x50 0x00000000 UNKNOWN
     1     20        0x8 0x00000000 UNKNOWN
     1     21        0x8 0x00000000 UNKNOWN
     1     22        0x8 0x00000000 UNKNOWN
     1     23        0x8 0x00000000 UNKNOWN
     1     24        0x8 0x00000000 UNKNOWN
     1     25        0x8 0x00000000 UNKNOWN
     1     26        0x8 0x00000000 UNKNOWN
     1     27        0x8 0x00000000 UNKNOWN
     1     28        0x8 0x00000000 UNKNOWN
     1     29        0x8 0x00000000 UNKNOWN
     1     51        0x8 0x89af9e54 UNKNOWN
     1     52        0x8 0x89b252ac UNKNOWN
     1     72        0x8 0x89f32e54 UNKNOWN
     1     93        0x8 0x89c0fb24 UNKNOWN
     1     A2        0x8 0x89b012ac UNKNOWN
     1     A3        0x8 0x89f3fe54 UNKNOWN
     1     B1        0x8 0x89f68b24 UNKNOWN
     1     B3        0x8 0x89b26564 UNKNOWN
This should not be normal, right?
Thank you
2014-04-04 20:28 GMT+00:00 mediomen27 <mediomen27(a)gmail.com>:
 Hi Michael,
 yes, the server has Kaspersky AV installed.
 and here you can see that it should be a Kaspersky component:
 
http://www.shouldiblockit.com/klogon.dll-41922.aspx
 I have tried to dump the DLL but I got the following error:
 # vol dlldump -r klogon -D /root/dump/
 Volatility Foundation Volatility Framework 2.3.1
 Process(V) Name                 Module Base Module Name          Result
 ---------- -------------------- ----------- -------------------- ------
 0x8967d158 winlogon.exe         0x010000000 klogon.dll           Error: DllBase is paged
 Also, I have tried the following:
 # vol dlldump -b 0x10000000 -D /root/dump/
 and the dumped files are all *clean*.
 and the following looks clean:
 # vol dlldump -r winlogon -D /root/dump/
 Volatility Foundation Volatility Framework 2.3.1
 Process(V) Name                 Module Base Module Name          Result
 ---------- -------------------- ----------- -------------------- ------
 0x8967d158 winlogon.exe         0x001000000 winlogon.exe         OK: module.412.967d158.1000000.dll
 0x88ea0918 winlogon.exe         0x001000000 winlogon.exe         OK: module.9088.8ea0918.1000000.dll
 and here is what I got from (vol psscan | grep k):
 0x090e2a98 adskflex.exe       4992   2200 0x434f3000 2013-10-04 17:33:14 UTC+0000
 0x09463d88 klnagent.exe      12352    468 0x32385000 2013-06-26 00:01:15 UTC+0000   2013-06-26 09:15:42 UTC+0000
 0x09b5bb08 klserver.exe      10004    460 0x677a3000 2013-10-24 00:01:19 UTC+0000
 0x09bcdaf0 jucheck.exe         884   2596 0x660cb000 2013-02-08 18:01:52 UTC+0000   2013-02-08 18:09:58 UTC+0000
 0x09d95d88 adskflex.exe       2448   2200 0x62e6f000 2013-06-26 09:16:31 UTC+0000   2013-10-04 17:33:10 UTC+0000
 and PIDs 10004 and 4992 are clean (VirusTotal).
 2448 is paged
 and PID 12352 cannot give me any dump with
 $ vol procexedump -u -p 12352 -D /root/dump/
 But maybe now I have found something:
 # vol modules|grep -i pdf
 0x8987a688 pdfsd.sys            0xb9770000    0x11000 \SystemRoot\system32\drivers\pdfsd.sys
 # vol moddump -r pdf -D /root/dump/
 Module Base Module Name          Result
 ----------- -------------------- ------
 0x0b9770000 pdfsd.sys            OK: driver.b9770000.sys
 # sha256sum /root/dump/driver.b9770000.sys
 09fd121fd79ebbda9dcd8fe259d3e57028ef5e908250ab91d1371282611a3926  /root/dump/driver.b9770000.sys
https://www.virustotal.com/en/file/09fd121fd79ebbda9dcd8fe259d3e57028ef5e90…
 VirusTotal says Trojan/Win32.Genome..
 and now?
 2014-04-01 5:23 GMT+00:00 Michael Ligh <michael.ligh(a)mnin.org>:
 What about the klogon.dll looks like Kaspersky? Is Kaspersky installed on the system? If you upload klogon.dll to VirusTotal, does it get any hits? I would do the same thing with the winlogon executables. I can't see the names of the hooked API functions from your gmer screenshot, they're truncated, so can't give any advice there. You can run the apihooks plugin in Volatility and see where the hooks are pointing.
 HTH,
 MHL
 --------------------------------------------------
 Michael Ligh (@iMHLv2)
 GPG: http://mnin.org/gpg.pubkey.txt
 Blog: http://volatility-labs.blogspot.com
 On Mar 29, 2014, at 7:19 PM, mediomen27 <mediomen27(a)gmail.com> wrote:
 Hi,
 gmer has found something suspicious. I have a screenshot of partial logs here:
 
 http://postimg.org/image/bgx0u5xt9/
 Now the server looks mysteriously clean, so the only clues I have are that screenshot and the VMware snapshot.
 Could anyone help me investigate more deeply?
 The following is what I have done on my own:
 # vol pslist|grep logon
 Volatility Foundation Volatility Framework 2.3.1
 0x8967d158 winlogon.exe            412    332     18      535      0      0 2013-06-26 09:16:14 UTC+0000
 0x88ea0918 winlogon.exe           9088    332     19      258      1      0 2013-10-30 14:33:34 UTC+0000
 # vol dlllist -p 412|grep -i klogon
 0x10000000    0x36000        0x1 C:\WINDOWS\system32\klogon.dll
 klogon looks like a Kaspersky logon module
 # vol dlldump -b 0x10000000 -D /root/dumpprocess/
 and the dumped DLL really looks like something from Kaspersky.
 # vol filescan|grep VC80
 Volatility Foundation Volatility Framework 2.3.1
 0x08d295d8      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86
 0x08e684f0      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86
 0x08f0b920      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952
 0x0905a530      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86
 0x090822d0      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952
 0x09175a90      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86
 0x09181e50      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952
 0x09496250      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952
 0x09509cc8      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952
 0x09555808      1      0 R--r-d \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\msvcr80.dll
 0x0958f860      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86
 0x095cd168      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952
 0x095f76a0      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86
 0x0960b668      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952
 0x0961d9d8      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952
 0x0961e6c8      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952
 0x096cda10      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952
 0x096f1db0      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952
 0x096f2d10      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952
 0x097c52d0      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952
 0x097fbb10      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952
 0x09809e90      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952
 0x09836350      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952
 0x09843c68      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952
 0x0985aa50      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952
 0x09872738      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952
 0x0987b340      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952
 0x09a0fea8      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86
 0x09a3ada8      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86
 0x09a82f90      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86
 0x09bf9ef8      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86
 0x09d95428      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952
 0x09dadd18      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952
 Thanks for any help.
  _______________________________________________
 Vol-users mailing list
 Vol-users(a)volatilityfoundation.org
 
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
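The `vol idt | grep UNKNOWN` listing at the top of this thread is the kind of output that should be triaged mechanically before anyone reads a hook into it: UNKNOWN only means the handler address is not inside any module on the loaded-module list, and the entries on the page fall into visibly different shapes (selector 0x58/0x50 with a zero address, selector 0x8 with a zero address, selector 0x8 with a kernel-space address that repeats on both CPUs with a different value each). The following Python script is an added example written for this page; it is not code from the thread or from the Volatility project. It assumes a 32-bit Windows kernel boundary at 0x80000000 (default 2 GB/2 GB split) and the column order of Volatility 2.3 `idt` output (CPU, index, selector, value, module). Its sample input is constructed: a subset of the lines posted above, plus a made-up resolved `ntoskrnl.exe` entry and a made-up vector 0xC0 that is UNKNOWN on one CPU only, so the consistency check has something to flag.

```python
"""Triage Volatility 2.x ``idt`` output for entries reported as UNKNOWN.

Added example; not code from the thread or from the Volatility project.
The idt plugin prints UNKNOWN when the handler address does not fall inside
any module in the loaded-module list. This script separates those entries:
  task_gate - selector is not the kernel code selector (0x8); the gate holds a
              TSS selector, so the printed address is 0x00000000
  empty     - kernel code selector with address 0x00000000 (unused slot)
  kernel    - kernel code selector with an address in kernel space that no
              loaded module accounts for; these still need a look at the bytes
              at that address (is it a _KINTERRUPT dispatch stub, or a jump
              somewhere else?) before anyone calls them hooks
  user      - handler address below the kernel boundary; always suspicious
and then checks, for the ``kernel`` set, whether each vector appears on every
CPU. Assumption (not from the thread): per-processor interrupt objects give
the same vector an UNKNOWN address on every CPU, so a vector that is UNKNOWN
on one CPU only deserves the first look.

Assumptions: 32-bit Windows without /3GB (kernel space starts at 0x80000000)
and Volatility 2.3 idt column order (CPU, index, selector, value, module).
"""
import re
from collections import namedtuple

KERNEL_BASE = 0x80000000   # assumption: default 2 GB/2 GB split
KERNEL_CS = 0x8            # kernel code segment selector on x86 Windows

Entry = namedtuple("Entry", "cpu vector selector address module")

# One data row: CPU, index (hex), 0x-selector, 0x-value, module name.
# Banner, header and blank lines do not match and are skipped.
_LINE = re.compile(
    r"^\s*(\d+)\s+([0-9A-Fa-f]+)\s+0x([0-9A-Fa-f]+)\s+0x([0-9A-Fa-f]+)\s+(\S+)"
)

# Constructed sample: lines taken from the thread, plus a made-up resolved
# ntoskrnl.exe row per CPU and a made-up vector 0xC0 present on CPU 0 only.
SAMPLE = """\
Volatility Foundation Volatility Framework 2.3.1
     0      0      0x8 0x80540b20 ntoskrnl.exe
     0      2     0x58 0x00000000 UNKNOWN
     0      8     0x50 0x00000000 UNKNOWN
     0     20      0x8 0x00000000 UNKNOWN
     0     51      0x8 0x89af9bec UNKNOWN
     0     A2      0x8 0x89b01044 UNKNOWN
     0     C0      0x8 0x8a1234c0 UNKNOWN
     1      0      0x8 0x80540b20 ntoskrnl.exe
     1      2     0x58 0x00000000 UNKNOWN
     1      8     0x50 0x00000000 UNKNOWN
     1     20      0x8 0x00000000 UNKNOWN
     1     51      0x8 0x89af9e54 UNKNOWN
     1     A2      0x8 0x89b012ac UNKNOWN
"""


def parse_idt(text):
    """Turn plugin output into Entry tuples; non-matching lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        cpu, vec, sel, addr, mod = m.groups()
        entries.append(Entry(int(cpu), int(vec, 16), int(sel, 16),
                             int(addr, 16), mod))
    return entries


def classify(entry):
    """Bucket one IDT row; only UNKNOWN rows get a suspicion class."""
    if entry.module != "UNKNOWN":
        return "resolved"
    if entry.selector != KERNEL_CS:
        return "task_gate"
    if entry.address == 0:
        return "empty"
    if entry.address >= KERNEL_BASE:
        return "kernel"
    return "user"


def triage(text):
    """Group rows by class; 'kernel' is keyed vector -> {cpu: address}."""
    report = {"resolved": 0, "task_gate": [], "empty": [], "user": [],
              "kernel": {}}
    cpus = set()
    for e in parse_idt(text):
        cpus.add(e.cpu)
        kind = classify(e)
        if kind == "resolved":
            report["resolved"] += 1
        elif kind == "kernel":
            report["kernel"].setdefault(e.vector, {})[e.cpu] = e.address
        else:
            report[kind].append((e.cpu, e.vector))
    report["cpus"] = sorted(cpus)
    return report


def inconsistent_vectors(report):
    """Kernel-range UNKNOWN vectors missing on at least one CPU."""
    return sorted(v for v, per_cpu in report["kernel"].items()
                  if set(per_cpu) != set(report["cpus"]))


if __name__ == "__main__":
    r = triage(SAMPLE)
    print("CPUs:", r["cpus"], "resolved rows:", r["resolved"])
    print("task gates (cpu, vector):", r["task_gate"])
    print("empty slots (cpu, vector):", r["empty"])
    for vec, per_cpu in sorted(r["kernel"].items()):
        print("vector 0x%02X -> %s" % (vec, {c: hex(a) for c, a in per_cpu.items()}))
    print("UNKNOWN but not on every CPU:", [hex(v) for v in inconsistent_vectors(r)])
```

Run it against the real plugin output by replacing `SAMPLE` with the captured text (the grep-filtered form posted in the thread parses too, since the banner and header are simply skipped). The classes are a sorting aid, not a verdict: every entry in the `kernel` bucket still has to be confirmed by looking at the code at that address in the memory image.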