8/11/2023 0 Comments Grep ip address out of malware exe![]() Take note that this will not always be the case. With some luck it could be the case that grepping for your suspicious IP within the strings output, that you can already spot the source without the need to use Volatility. ![]() The output of strings is written to the file out-linux-strings: You will later need this offset for Volatility. You set the parameter -td strings to include the byte offset in decimal format for every string. You can use Linux strings for this with 2 passes to include both ASCII and (little endian) Unicode strings ( -el). You have to start off by locating all physical memory address locations of the IP 35.178.122.152 within your memory dump (remember that this was the IP related to the suspicious beaconing pattern). Instead of strings you could also use another utility, as long as the output contains the decimal byte offset and its corresponding string. Let's have a look how to pinpoint a particular IP address to a process using Volatility and strings. The Volatility plugin netscan will show similar output from which it seems that all outgoing connections are to internal hosts 172.31.0.250: Therefore all external communications seems to be going to the internal host 172.31.0.250 (the internal proxy server) over port 8080: But this time all external connections are going through a proxy. These are the same network connections using the same applications. However, when dealing with a non-transparent proxy you will see something completely different. Chrome.exe communicates to the external IP 108.177.126.138 over port 443). In the above netstat output it is pretty easy to identify which process did setup a connection to which exact external IP and port (e.g. That is why you will not see something like the following within your network connections: It will ask the internal web proxy server to connect to the external host and send back the results.Īpplications communicating to the internet over a non-transparent proxy are not directly communicating with the host on the internet, but ask the proxy to do that. When an endpoint wants to communicate to internet within a IT infrastructure that requires all internet traffic have to pass a proxy. If you want to have more details about this topic, I can recommend reading the following blog post: -part-6-how-https-proxies-work/. The goal for this blog is not to explain in detail how a web proxy works. The problem: The effect of a non-transparent proxy on network connections ![]() The intention is to identify which process is responsible for communicating with this IP. One of these applications is connecting to IP 35.178.122.152. To make it as realistic as possible, the endpoint 172.31.16.50 is used to setup multiple connections to hosts on the internet using different applications. ![]() The endpoint with IP 172.31.16.50 is used to perform our memory forensics on. This server forwards the traffic to the gateway and sends back the result to the client. The host with IP 172.31.0.250 is the internal web proxy server. I have created a small lab setup to simulate an infrastructure where communications to the internet need to go through a web proxy. In this blog post I will explain how you can solve this with Volatility and strings. No other sources, except a memory dump, are available to you where you could find this information.An IT infrastructure where a non-transparent proxy is used for all outgoing network traffic (this is the case in many enterprise networks).However, answering this question is challenging when you have to deal with the following: It can really help your investigation when you know which process (or sometimes processes) are involved. One of the questions you will have is what is causing this traffic. malware calling home to its C2 server for new instructions). For example, because the IP is showing a suspicious beaconing traffic pattern (i.e. When dealing with an incident it can often happen that your starting point is a suspicious IP. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |