When using the netscan module of Volatility, you may find a suspicious connection, but unfortunately the process ID is “-1”. How can we find a process that was communicating with a suspicious connection? Monnappa briefly mentioned this at BlackHat Asia 2019.
- Investigating Malware Using Memory Forensics — A Practical Approach — Black Hat Asia 2019 | Briefings Schedule
https://www.blackhat.com/asia-19/briefings/schedule/#investigating-malware-using-memory-forensics---a-practical-approach-14413
How to Identify the Process Behind a Connection
Check netscan for suspicious communication. You see a connection to a suspicious IP address. According to Whois, the addresses appear to belong to Bolivia and Mexico. We would like to identify the process that was connected to this suspicious IP address, but unfortunately we cannot, because the process ID column is “-1”.
vol.py -f memory.dmp --profile=Win7SP1x86_24000 netscan
Yarascan works well in this case. You can use yarascan to search process memory for this IP address as a string and see which process contains it. (The IP address below is defanged; use the actual dotted address when you run the command.)
vol.py -f memory.dmp --profile=Win7SP1x86_24000 yarascan -Y "200[.]58.171.51"
Matches are found, and you can see that the process with the suspicious name “813.exe” (PID 1944) was probably the one connected. (As you can see by examining the destination IP address, this sample seems to be related to Emotet.)
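The correlation above is done by eye: read the foreign address off the netscan row with Pid -1, run yarascan for it, read the “Owner: Process … Pid …” line off the hits. The following Python script is an added example, not code from the original post or from Volatility, that automates that pairing over captured plugin output. The sample netscan and yarascan text is constructed to follow the Volatility 2 column layout (addresses other than the page's 200.58.171.51 are made up), and the function names are the author's own.

```python
import re
from collections import defaultdict

# Constructed sample of Volatility 2 `netscan` output (not the page's own output).
# The first TCP row is the situation in the post: Pid -1 and an empty Owner column.
NETSCAN_SAMPLE = """\
Offset(P)  Proto    Local Address          Foreign Address      State            Pid      Owner          Created
0x3e0a1d30 TCPv4    192.168.56.101:49180   200.58.171.51:443    ESTABLISHED      -1
0x3e2b4c10 TCPv4    192.168.56.101:49181   198.51.100.7:80      CLOSED           1944     813.exe
0x3e1f0a80 UDPv4    0.0.0.0:5355           *:*                                   800      svchost.exe    2019-06-04 01:02:03 UTC+0000
"""

# Constructed sample of `yarascan -Y "200.58.171.51"` output. Volatility names the
# ad-hoc rule r1 and prints an "Owner:" line before each hex dump.
YARASCAN_SAMPLE = """\
Rule: r1
Owner: Process 813.exe Pid 1944
0x0040a120  32 30 30 2e 35 38 2e 31 37 31 2e 35 31 00 00 00   200.58.171.51...
Rule: r1
Owner: Process 813.exe Pid 1944
0x0041c4e0  32 30 30 2e 35 38 2e 31 37 31 2e 35 31 3a 34 34   200.58.171.51:44
"""

OWNER_RE = re.compile(r"^Owner: Process (\S+) Pid (\d+)")


def refang(ip):
    """Turn a defanged address such as 200[.]58.171.51 back into dotted form."""
    return ip.replace("[.]", ".")


def orphan_connections(netscan_text):
    """Return (proto, local, foreign, state) for TCP rows whose Pid is -1.

    UDP rows have no State column, so only TCP rows are considered here.
    """
    rows = []
    for line in netscan_text.splitlines()[1:]:  # skip the header line
        parts = line.split()
        # TCP row layout: offset proto local foreign state pid [owner] [created]
        if len(parts) >= 6 and parts[1].startswith("TCP") and parts[5] == "-1":
            rows.append((parts[1], parts[2], parts[3], parts[4]))
    return rows


def yarascan_owners(yarascan_text):
    """Count yarascan hits per (process name, pid) from the Owner: lines."""
    hits = defaultdict(int)
    for line in yarascan_text.splitlines():
        m = OWNER_RE.match(line)
        if m:
            hits[(m.group(1), int(m.group(2)))] += 1
    return dict(hits)


def attribute(netscan_text, yarascan_text, ip):
    """Pair each Pid -1 connection to `ip` with the processes whose memory holds it."""
    ip = refang(ip)
    candidates = yarascan_owners(yarascan_text)
    result = []
    for proto, local, foreign, state in orphan_connections(netscan_text):
        if foreign.rsplit(":", 1)[0] == ip:
            result.append({
                "connection": f"{proto} {local} -> {foreign} {state}",
                "candidates": candidates,
            })
    return result


if __name__ == "__main__":
    for entry in attribute(NETSCAN_SAMPLE, YARASCAN_SAMPLE, "200[.]58.171.51"):
        print(entry["connection"])
        for (name, pid), count in entry["candidates"].items():
            print(f"  candidate: {name} (PID {pid}), {count} hit(s)")
```

The script only matches the ASCII form of the address, which is also all the yarascan command on this page looks for; a process that stores the peer only as a binary sockaddr will not show up, and a process that merely logged or displayed the address (a browser, a security tool) can show up without owning the socket. Treat the result as a lead to confirm with the process's handles, DLLs and strings rather than as proof.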
Thanks.
Appendix
813.exe
MD5: 1c6c24ea6c046a1a0e1a2ec66d68beec
SHA-1: a0bd3ca87cf824aad686b1b207abf35a2be22c23
SHA256: 7aafdd9cb1883904de67682d59c492e9883fa39e93a5d7077a5aa6252bf3c13c
Update History
- 2019/06/04 New.
- 2019/06/14 Change title.
- 2020/03/03 Revised.