volatility dump files

10 Posts
4 Users
0 Likes
3,783 Views
(@d4n13l4)
Posts: 12
Active Member
Topic starter
 

Hello
I've been doing a memory dump analysis with volatility on an infected machine.

I ran dumpfiles on a registry key that I found was running on startup, but the files are downloaded with .dat and .img extensions. The original file is a jar; I read on another forum that you can change the extension of the file and you will get the original file. I tried that but it didn't work.

I would like to analyze the file in my cuckoo sandbox, is it possible to do this?

This is the registry

When I do the dump I get these files:
file.4320.0xfffffa800e193340.javaw.exe.dat
file.4320.0xfffffa800e194630.javaw.exe.img

Thanks in advance )

 
Posted : 28/05/2018 12:14 pm
watcher
(@watcher)
Posts: 125
Estimable Member
 

Your number one tool when encountering the unexpected is a hex-editor. Open the file with a hex-editor and look at it, particularly the header, in order to identify the file type.

 
Posted : 30/05/2018 6:20 pm
Bunnysniper
(@bunnysniper)
Posts: 257
Reputable Member
 

… the original file is a jar …

A jar file is a java executable file https://en.wikipedia.org/wiki/JAR_(file_format)

But you dumped the interpreter file java.exe which runs the jar file. Start over again and search for the jar file. Isn't a copy left in the original location, or did it really run only in memory? Search the file image (if you have one) again for the jar file, especially in all %temp% locations.

good hunting!
Robin

 
Posted : 31/05/2018 10:58 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

To be picky, there is no jar file at all, there is (was) a file with extension .txt that the Registry entry posted attempts to run as a jar file, a jar file being nothing but a ZIP archive.

If you prefer, if you can find the .txt file, good, if you are going to do some carving, you'd better carve for ZIP files, i.e. header 504B0304.

jaclaz

 
Posted : 31/05/2018 2:01 pm
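The two points above (check the header bytes in a hex editor to learn what you really dumped, and carve for the ZIP signature 50 4B 03 04 if the jar itself has to be recovered) can be automated in a few lines. The following is an added example, not code from any of the posters or from Volatility: it identifies a dumped file by its leading bytes, scans an arbitrary byte blob for ZIP local file headers and lists the entry names found at each, then opens the carved archive. The sample blob, entry names and surrounding junk are constructed here for the demonstration.

```python
import io
import struct
import zipfile

# Leading-byte signatures an analyst checks first when a dumped file's
# extension tells nothing (.dat / .img from dumpfiles are like that).
MAGIC = [
    (b"PK\x03\x04", "zip archive (jar, docx, apk ...)"),
    (b"MZ", "DOS/Windows executable (PE)"),
    (b"\xca\xfe\xba\xbe", "Java class file"),
    (b"\x7fELF", "ELF executable"),
    (b"%PDF", "PDF document"),
]

# ZIP local file header: sig, version, flags, method, time, date, crc32,
# compressed size, uncompressed size, name length, extra length (30 bytes).
ZIP_LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")


def identify(data: bytes) -> str:
    """Return a description of the file type based on its first bytes."""
    for sig, desc in MAGIC:
        if data.startswith(sig):
            return desc
    return "unknown"


def carve_zip_entries(blob: bytes) -> list:
    """Find every ZIP local file header in `blob`.

    Returns (offset, entry_name) pairs. Only the local header signature
    PK\\x03\\x04 is matched, so central-directory records (PK\\x01\\x02)
    do not produce duplicate hits.
    """
    results = []
    pos = blob.find(b"PK\x03\x04")
    while pos != -1:
        if pos + ZIP_LOCAL_HDR.size <= len(blob):
            fields = ZIP_LOCAL_HDR.unpack_from(blob, pos)
            name_len = fields[9]
            # Plausibility filter: an entry name of 0 or > 1 KiB bytes is
            # almost certainly a random signature hit inside other data.
            if 0 < name_len < 1024:
                name = blob[pos + 30: pos + 30 + name_len]
                results.append((pos, name.decode("utf-8", "replace")))
        pos = blob.find(b"PK\x03\x04", pos + 1)
    return results


def extract_carved_zip(blob: bytes, offset: int) -> list:
    """Open the archive that starts at `offset` and return its entry names.

    zipfile locates the end-of-central-directory record itself, so junk
    bytes following the archive do not prevent it from opening.
    """
    with zipfile.ZipFile(io.BytesIO(blob[offset:])) as zf:
        return zf.namelist()


def build_sample_blob():
    """Constructed sample: a tiny jar-like archive buried between junk
    bytes, as a carved memory region might contain it. Entry names and
    contents are made up for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\nMain-Class: Loader\n")
        zf.writestr("Loader.class", b"\xca\xfe\xba\xbe" + b"\x00" * 28)
    prefix = b"\x00" * 64 + bytes(range(0x80, 0x100))
    return prefix + buf.getvalue() + b"\xff" * 32, len(prefix)


if __name__ == "__main__":
    blob, expected = build_sample_blob()
    print("blob starts as:", identify(blob))
    for off, name in carve_zip_entries(blob):
        print(f"local header at 0x{off:x}: {name}")
    first = carve_zip_entries(blob)[0][0]
    print("carved archive at 0x%x ->" % first, extract_carved_zip(blob, first))
```

Run against one of the dumped .dat or .img files, `identify()` on its first bytes answers the hex-editor question directly (an "MZ" start means the dump is the java/javaw executable image, not the jar). `carve_zip_entries()` is the programmatic form of searching a hex editor for 50 4B 03 04, and the entry names it prints usually show at once whether a hit is the jar (META-INF/MANIFEST.MF, .class files) or some unrelated archive.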
Bunnysniper
(@bunnysniper)
Posts: 257
Reputable Member
 

Usually I start with the lowest hanging fruit, and this is a search for a file called "whatsoever.jar" in this case. Pretty high chance to find the complete file name with extension somewhere in %temp%.

I could find the matching jar file, its extracted content and evidence for the execution of java.exe in several cases in the user's temp folder, after they clicked on the wrong email from Amazon 😉

And yes, have a look at the prefetch folder for java.exe.***.pf to complete the picture.

regards,
Robin

 
Posted : 31/05/2018 2:37 pm
(@d4n13l4)
Posts: 12
Active Member
Topic starter
 

Thanks for your replies.
I know the name of the file, both .jar and .txt, but this is my first dump analysis so I'm having trouble with the extraction of the file.

How can I search in temp files? All I know is that the file was in the user folder on C. Should I do a filescan to list the files, and would that give me the location?

I'm not with the computer now so I can't try, but I'm replying because my timezone is different and I didn't want to wait until tomorrow when I have it.

Thanks again

 
Posted : 31/05/2018 3:04 pm
Bunnysniper
(@bunnysniper)
Posts: 257
Reputable Member
 

Thanks for your replies.
I know the name of the file, both .jar and .txt, but this is my first dump analysis so I'm having trouble with the extraction of the file.

How can I search in temp files?

I assumed you do not only have the mem dump, but a forensic image of the file system, too. If you do not have it, there is a way to read the MFT from a memory dump with volatility.

Link 1

Link 2

And you can use another way: use strings.exe or better Eric Zimmerman's bstrings.exe to search the full dump for the file name. Or use a hex editor to do that. Might give you the right direction where to go with your search.

regards,
Robin

 
Posted : 31/05/2018 4:54 pm
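The strings-search approach suggested above has one catch worth showing: Windows keeps most paths, command lines and registry data in memory as UTF-16LE, so a plain ASCII search (what strings.exe does by default) misses half the hits. The following is an added example, not code from the posters, from strings.exe or from bstrings.exe: it searches a raw dump for a file name in both ASCII and UTF-16LE and expands each hit to the whole printable run around it, so the full path or command line comes back rather than just the name. The sample dump bytes, the file name Invoice.txt and the paths in it are constructed for the demonstration.

```python
def _printable(b: int) -> bool:
    """True for the printable ASCII range strings tools normally accept."""
    return 0x20 <= b <= 0x7E


def _expand(dump: bytes, pos: int, length: int, utf16: bool) -> str:
    """Grow a hit at `pos` outward while the neighbouring bytes are still
    printable text (one byte per char for ASCII, char + 0x00 for UTF-16LE),
    and return the whole run decoded."""
    lo, hi = pos, pos + length
    if not utf16:
        while lo > 0 and _printable(dump[lo - 1]):
            lo -= 1
        while hi < len(dump) and _printable(dump[hi]):
            hi += 1
        return dump[lo:hi].decode("ascii")
    while lo >= 2 and _printable(dump[lo - 2]) and dump[lo - 1] == 0:
        lo -= 2
    while hi + 1 < len(dump) and _printable(dump[hi]) and dump[hi + 1] == 0:
        hi += 2
    return dump[lo:hi].decode("utf-16-le")


def find_filename(dump: bytes, name: str) -> list:
    """Return (offset, encoding, surrounding_text) for every ASCII and
    UTF-16LE occurrence of `name` in `dump`."""
    hits = []
    for enc, utf16 in (("ascii", False), ("utf-16-le", True)):
        needle = name.encode(enc)
        start = 0
        while (pos := dump.find(needle, start)) != -1:
            label = "utf-16le" if utf16 else "ascii"
            hits.append((pos, label, _expand(dump, pos, len(needle), utf16)))
            start = pos + 1
    return hits


# Constructed sample dump: an ASCII path, some binary noise, then a
# UTF-16LE command line, mimicking what a memory image looks like.
SAMPLE_DUMP = (
    b"\x00" * 40
    + b"C:\\Users\\victim\\AppData\\Local\\Temp\\Invoice.txt\x00"
    + bytes(range(256)) * 2
    + "javaw.exe -jar C:\\Users\\victim\\Invoice.txt".encode("utf-16-le")
    + b"\x00\x00"
    + b"\x90" * 16
)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        # Usage: python search.py <memory.dmp> <filename>
        with open(sys.argv[1], "rb") as f:
            data, name = f.read(), sys.argv[2]
    else:
        data, name = SAMPLE_DUMP, "Invoice.txt"
    for off, enc, text in find_filename(data, name):
        print(f"0x{off:08x} {enc:8s} {text}")
```

On the sample the ASCII hit yields the full temp path and the UTF-16LE hit yields the javaw.exe command line that launched the file; on a real dump the expanded text around each hit (a path, a command line, a registry value, a URL) is what tells you which artefact to go and look at next.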
(@d4n13l4)
Posts: 12
Active Member
Topic starter
 

I was able to get the .txt file. I'm now trying to determine how it got to the computer.

Using the creation date from mftparser I couldn't find any files created around that time. I've used timeliner also.

Are there any other ways to search for this?

Thanks!

 
Posted : 01/06/2018 8:35 am
Bunnysniper
(@bunnysniper)
Posts: 257
Reputable Member
 

I was able to get the .txt file. I'm now trying to determine how it got to the computer.

In which path did you find the file? In general which evidence do you have? Only the mem dump?

 
Posted : 01/06/2018 10:04 am
(@d4n13l4)
Posts: 12
Active Member
Topic starter
 

I was able to get the .txt file. I'm now trying to determine how it got to the computer.

In which path did you find the file? In general which evidence do you have? Only the mem dump?

I have the dump and access to proxy logs

The file was in the user folder

 
Posted : 01/06/2018 10:51 am