From 36544668288807d8628019009f240484d3e9bdd3 Mon Sep 17 00:00:00 2001
From: Jan Vales
Date: Fri, 6 Jun 2014 16:38:34 +0200
Subject: [PATCH] More Malware proofs

---
 report3/content.tex | 24 +++++++++++++++++-------
 1 file changed, 17 insertions(+), 7 deletions(-)

diff --git a/report3/content.tex b/report3/content.tex
index c575f34..48a4396 100644
--- a/report3/content.tex
+++ b/report3/content.tex
@@ -82,12 +82,12 @@ Offset(P) PID Port Proto Protocol Address Create Time
 \end{lstlisting}
-
 \subsection{Can you find traces of Malware?}
-\begin{itemize}
-\item\emph{\textbf{rundll32.exe}} could hint that the system has been compromised, but no definite proof could be found.
-\item\emph{\textbf{AcroRd32Info.ex(e)}} is also known to cause problems sometimes.
-\end{itemize}
+emph{\textbf{rundll32.exe}} could hint that the system has been compromised.
+
+Extracting screenshots with \ttfamily{volatility -f image1.vmem --profile=WinXPSP2x86 screenshot --dump-dir screenshots} brings an image named \emph{\textbf{IMAGE1:/screenshots/session\_0.WinSta0.Default.png}} containing an outline with a Message where DEP is closing Acrobat with an open file named \emph{\textbf{navy procurement.pdf}}.\\
+This could hint at a compromised PDF.
+
@@ -247,8 +247,8 @@ Cmd #0 @ 0xe31050: telnet towel.blinkenlights.nl
 \newpage\section{Details}
 \subsection{Sources}
-\subsubsection{image1.vmem}
-Image 1
+\subsubsection{image1.vmem (IMAGE1)}
+Image1
 \begin{quote}
 \textbf{size}: 536870912 byte\\
 \textbf{''file''-output}: data\\
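Review bot: The added line `+emph{\textbf{rundll32.exe}} could hint ...` has lost the backslash on `\emph`, so the word "emph" is typeset as literal text and the emphasis is dropped; it should read `\emph{\textbf{rundll32.exe}} could hint that the system has been compromised.`. In the "Extracting screenshots" line, `\ttfamily{...}` is a font switch rather than a command taking an argument, so the braces do not confine it and the rest of the paragraph (the PNG name and the sentence about DEP) comes out in typewriter as well; `\texttt{volatility -f image1.vmem --profile=WinXPSP2x86 screenshot --dump-dir screenshots}` states the intent, and the same applies to the `\ttfamily{` before the sha512 in the later hunk. The `\\` that ends that paragraph directly before a blank line only produces an underfull hbox warning and should be removed. The file already writes `-{}-version` elsewhere to stop the `--` en-dash ligature; with the standard typewriter font the double hyphen survives inside `\texttt`, but `\verb|...|` (outside any moving argument) is the robust choice if the font is ever changed. On the evidence itself, the screenshot only shows DEP terminating Acrobat while that file was open, so the hedge in "could hint" is warranted; recording the hash of the recovered PDF in the Sources section, as the commit does for the screenshot, would make the claim checkable.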
@@ -267,6 +267,16 @@ Image2
 71bd0e862c7cc2f13c491189b8c401c017baef32836a8e96f575c3c9b2d6755b}
 \end{quote}
+\subsubsection{IMAGE1:/screenshots/session\_0.WinSta0.Default.png}
+Screenshot extracted from \emph{\textbf{IMAGE1}} containing an outline of the Desktop and an error-message wehre DEP is closing Acrobat Reader.
+\begin{quote}
+\textbf{size}: 8081 byte\\
+\textbf{''file''-output}: PNG image data1025 769 8-bit/color RGB, non-interlaced\\
+\textbf{sha512}\\\ttfamily{
+8097897b4793b416116876a0a8a827d54a56ac619ca7673a4f37851ebfdeaa03\\
+05805f0395e9cd0a30ad1da212c3ce407a31b4ce5d049d20b94eefbd645b2ccf}
+\end{quote}
+
 \subsection{Used tools on Host}
 Tools that were used for analysis (-{}-version):
-- 
2.43.0
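Review bot: The added description line has a typo, `wehre` should be `where`, and the `''file''-output` line reads as if separators were lost when the `file` output was copied in: `PNG image data1025 769 8-bit/color RGB` has no punctuation between the type, the width and the height, so it should be re-checked against the actual command output rather than patched by hand, since this section is the evidence record for the screenshot. `\textbf{sha512}\\\ttfamily{` mixes a font switch with a braced group; here the group happens to run to the end of the quote so the output is unaffected, but `\texttt{` says what is meant and would match the fix needed for the same construct in the first hunk. The opening quotes in `''file''-output` are closing quotes in LaTeX; the context line above uses the same form, so this is consistent with the existing file, but ``file'' (or `\enquote{file}` with csquotes) would be correct.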