Yeah most likely the tigger, sality, and black energy memory samples came from the same VM
that once had pid 1260 running. In other words, the baseline state for the VM once had
that process running, so every time we reverted the VM to install another malware sample,
the connection came back.
MHL
--------------------------------------------------
Michael Ligh (@iMHLv2)
GPG: http://mnin.org/gpg.pubkey.txt
Blog: http://volatility-labs.blogspot.com
Training: http://memoryanalysis.net
On Apr 6, 2014, at 2:21 PM, Andrew Case <atcuno(a)gmail.com> wrote:
Hello,
connscan performs scanning of physical memory to find connection
structures. These structures can correspond to connections that
previously closed, but whose structures have not yet been overwritten by
a new connection.
What you are seeing is that a process with PID 1260 performed some
network activity and then later exited. The process structure (EPROCESS)
related to the process was later overwritten while the connection
structure was not.
Thanks,
Andrew (@attrc)
On 3/27/2014 2:09 AM, Nouman Zia wrote:
Hey,
In the images (tigger.vmem, sality.vmem and black energy) the
connscan plugin gives output showing that these images are making
connections to some IPs and also reports the PID of the process making
such connections, but when I used the PSLIST, PSSCAN and PSXVIEW
plugins, none of them showed the process with that PID (the one making
the connection).
P.S.: In all the above-mentioned images the process ID is the same, i.e. PID=1260.
So the problem is: why is it not showing any detail about PID=1260?
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
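Andrew's explanation (connscan carves connection structures from physical memory, so it can report a PID whose EPROCESS has already been overwritten) suggests a simple triage check: any connscan hit whose PID matches no process in pslist/psscan output is residue of an exited process, or, as MHL notes, a baseline artifact of the analysis VM. The script below is an added example, not code from the thread or from the Volatility project; the sample plugin output is constructed in Volatility 2 column format, with PID 1260 deliberately absent from psscan.

```python
import re
from typing import Dict, List, Set

# Constructed connscan output (Volatility 2 format); not real case data.
CONNSCAN_SAMPLE = """\
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x02087620 172.16.237.150:1035       192.0.2.10:80             1260
0x0209a2c8 172.16.237.150:1038       192.0.2.44:443            1044
"""

# Constructed psscan output; PID 1260 is missing, as in the thread.
PSSCAN_SAMPLE = """\
Offset(P)  Name                PID   PPID PDB        Time created                   Time exited
---------- ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x02029ab8 svchost.exe        1044    672 0x0a9c0020 2010-08-11 06:06:24 UTC+0000
0x020f1020 explorer.exe       1464   1436 0x0a9c0060 2010-08-11 06:06:33 UTC+0000
"""

# connscan rows: offset, local addr, remote addr, pid
CONN_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")
# pslist/psscan rows: offset, name, pid, ppid, ... (only name and pid used)
PROC_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\d+)\s+\d+")


def parse_connscan(text: str) -> List[Dict[str, object]]:
    """Return one dict per carved connection; header/separator lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            conns.append({"offset": m.group(1), "local": m.group(2),
                          "remote": m.group(3), "pid": int(m.group(4))})
    return conns


def parse_process_pids(text: str) -> Set[int]:
    """Collect PIDs from pslist or psscan output (same leading columns)."""
    return {int(m.group(2)) for line in text.splitlines()
            if (m := PROC_RE.match(line.strip()))}


def orphan_connections(connscan_text: str, *process_listings: str) -> List[Dict[str, object]]:
    """Connections whose PID appears in none of the supplied process listings.

    These are candidates for 'process exited, connection struct not yet
    reused' and should be cross-checked against the analysis VM baseline.
    """
    known: Set[int] = set()
    for listing in process_listings:
        known |= parse_process_pids(listing)
    return [c for c in parse_connscan(connscan_text) if c["pid"] not in known]
```

Run it on the real plugin output by passing the captured connscan text plus every process listing you have (pslist, psscan, psxview); an orphan PID that recurs across unrelated images with the same offsets is a strong hint it belongs to the baseline snapshot rather than to the sample.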