[Vol-users] Sample error or real module? (and other questions)

Gregory Pendergast greg.pendergast at gmail.com
Thu May 14 11:54:34 CDT 2015

Thanks for the reply Jared. The reason for the investigation was an alert
regarding download of an executable from a suspicious domain. I have the
executable extracted from PCAP, and it's detected as adware/malware by
multiple engines:

Due to timing of the event, memory sample and other data was acquired the
next day.

I've seen no evidence (keep in mind, I'm relatively new to this) of the
executable running. The file no longer exists on disk, and there's no
reference to it in the $MFT on disk. (Need to go back and grab UsnJrnl.)

So, among the questions I need to answer are:
Did it execute?
What happened to the file? (Note, there's no indication of AV
detection/quarantine. We get those alerts.)
Why do certain strings from the executable (such as author & company)
appear in Kernel space? (For example: [kernel:f9805ba44800] - there are 30
different hits like this, as well as numerous in [FREE MEMORY].

So, I haven't tied this back to any specific module, and am not sure how to
go about doing so, if in fact it's in a module. I'll give the shimcache and
timeliner plugins a go to see if anything new appears. In the meantime, I'm
particularly interested in how to answer that 3rd question, as it's
relevant for a couple of other unrelated incidents as well.

Thanks again for the help.
On Thu, May 14, 2015 at 12:35 PM, Jared Greenhill <jared703 at gmail.com>

> Hey Greg,
> A couple thoughts/ideas:
> What was the initial reason for investigation- the suspect EXE? Do you
> have a timeframe of the suspect activity?
> What was the context around the suspect EXE download, just the PCAP or? If
> so, did the memory capture occur when there was still an active connection?
> Sometimes this can be a dealbreaker when the connection isn't there.
> Does moddump work on the module with that base address? If so, what type
> of strings are you seeing?
> As far as execution goes, does the shimcache plugin provide any results
> around the time of interest? Assuming you have a time of interest, you
> could also try the timeliner plugin to pull in other temporal artifacts to
> hone in around that suspect time.
> hope this helps,
> Jared - @jared703
> On Tue, May 12, 2015 at 3:36 PM, Gregory Pendergast <
> greg.pendergast at gmail.com> wrote:
>> Greeting,
>> I'm examining a memory sample (captured locally with winpmem_1.6.2)
>> <yeah...i know...>
>> Modscan shows one apparently strange module that has no name and no
>> file listed. The base address space also seems way out of whack for
>> the rest of the sample.
>> So all i have are offset, base, and size:
>> 0x000000023a80b540 0x48706657040b0003 0xf3a54f0
>> In particular, that base address seems way out of range compared to
>> everything else in 0xfffff8.... space
>> How can I tell if this is an error of some kind in the captured sample
>> versus a legitimate anomaly that bears investigation?
>> Lastly, and pardon me if this is a n00b question, but how can I
>> determine why specific strings appear in kernel memory (based on
>> strings plugin output)? For context, I have a suspicious executable
>> download, but there appears to be no evidence of the file in $MFT (I
>> don't have access to UsnJrnl) and I'm trying to find out what happened
>> to it and whether it ran. Strings from the executable (ontained from
>> pcap) do appear in Free Memory and Kernel memory, but I'm not clear
>> whether that's a symptom of the download or a sign of execution.
>> Thanks,
>> greg
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.volatilityfoundation.org/pipermail/vol-users/attachments/20150514/5122d1db/attachment.html

More information about the Vol-users mailing list