Hello
I've been doing a memory dump analysis with volatility on an infected machine.
I ran dumpfiles on a registry key that I found was running on startup, but the files are downloaded with .dat and .img extensions. The original file is a jar. I read on another forum that you can change the extension of the file and get the original file; I tried that but it didn't work.
I would like to analyze the file in my cuckoo sandbox. Is it possible to do this?
This is the
When I do the dump I get these files:
file.4320.0xfffffa800e193340.javaw.exe.dat
file.4320.0xfffffa800e194630.javaw.exe.img
Thanks in advance.
Your number one tool when encountering the unexpected is a hex-editor. Open the file with a hex-editor and look at it, particularly the header, in order to identify the file type.
… the original file is a jar …
A jar file is a java executable file
But you dumped the interpreter file java.exe which runs the jar file. Start over again and search for the jar file. Isn't a copy left in the original location, or did it really run only in memory? Search the file image (if you have one) again for the jar file, especially in all %temp% locations.
good hunting!
Robin
To be picky, there is no jar file at all, there is (was) a file with extension .txt that the Registry entry posted attempts to run as a jar file, a jar file being nothing but a ZIP archive.
If you prefer, if you can find the .txt file, good, if you are going to do some carving, you'd better carve for ZIP files, i.e. header 504B0304.
jaclaz
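Checking a dumped file's header and carving jar (ZIP) data out of it by the 504B0304 signature, as an added example that is not part of this thread: it uses only the Python standard library, and the buffer it scans is constructed inline (a stray signature in front of a tiny jar, as carving often meets).

```python
import io
import zipfile
ZIP_LFH = b"PK\x03\x04"   # local file header: the 504B0304 signature to carve for
ZIP_EOCD = b"PK\x05\x06"  # end-of-central-directory record that closes an archive
MAGIC = {  # leading bytes a hex editor shows at offset 0 for the file types in question
    b"MZ": "PE executable (e.g. the dumped javaw.exe image, not the jar)",
    ZIP_LFH: "ZIP archive (a jar is a ZIP archive)",
}

def identify(data: bytes) -> str:
    """Describe the file type from its header bytes."""
    for magic, desc in MAGIC.items():
        if data.startswith(magic):
            return desc
    return "unknown: inspect the header in a hex editor"

def carve_zips(data: bytes) -> list:
    """Carve every complete ZIP archive in data: (offset, member names) for each
    candidate that runs from a local file header to an EOCD and passes CRC checks."""
    found = []
    start = data.find(ZIP_LFH)
    while start != -1:
        eocd = data.find(ZIP_EOCD, start)
        if eocd == -1:
            break
        # The EOCD record is 22 bytes plus a comment whose length sits at offset 20.
        comment_len = int.from_bytes(data[eocd + 20:eocd + 22], "little")
        end = eocd + 22 + comment_len
        ok = False
        try:
            with zipfile.ZipFile(io.BytesIO(data[start:end])) as zf:
                infos = zf.infolist()
                # zipfile tolerates leading junk, so a stray signature before a real
                # archive would parse too: insist that a member really starts at 0.
                ok = bool(infos) and min(i.header_offset for i in infos) == 0 and zf.testzip() is None
                if ok:
                    found.append((start, zf.namelist()))
        except (zipfile.BadZipFile, ValueError, OSError):
            pass
        start = data.find(ZIP_LFH, end if ok else start + 1)
    return found

def build_sample() -> bytes:
    """Constructed buffer: a tiny jar between junk, preceded by a stray signature."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Loader\n")
        jar.writestr("Loader.class", b"\xca\xfe\xba\xbe" + b"\x00" * 8)
    stray = ZIP_LFH + b"\x00" * 28  # 32 bytes that start with the signature, no archive
    return b"\x00" * 8 + stray + buf.getvalue() + b"\xff" * 16
```

Run `carve_zips` over a dumpfiles output or a raw memory image read into memory to list every archive it contains with its offset; `identify(data[offset:])` then confirms the header at that offset.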
Usually I start with the lowest hanging fruit, and this is a search for a file called "whatsoever.jar" in this case. Pretty high chance to find the complete file name with extension somewhere in %temp%.
I could find the matching jar file, their extracted content and evidence for the execution of java.exe in several cases in the user's temp folder, after they clicked on the wrong email from Amazon 😉
And yes, have a look at the prefetch folder for java.exe.***.pf to complete the picture.
regards,
Robin
Thanks for your replies.
I know the name of the file, both .jar and .txt, but this is my first dump analysis so I'm having trouble with the extraction of the file.
How can I search in temp files? All I know is that the file was in the user folder in c, should I do a filescan to list the files and that would give me the location?
I'm not with the computer now so I can't try, but I reply because my timezone is different and I didn't want to wait until tomorrow when I have it.
Thanks again
Thanks for your replies.
I know the name of the file, both .jar and .txt, but this is my first dump analysis so I'm having trouble with the extraction of the file. How can I search in temp files?
I assumed you do not only have the mem dump, but a forensic image of the file system, too. If you do not have it, there is a way to read the MFT from a memory dump with volatility.
And you can use another way: use strings.exe, or better Eric Zimmerman's bstrings.exe, to search the full dump for the file name. Or use a hex editor to do that. Might give you the right direction where to go with your search.
regards,
Robin
I was able to get the .txt file. I'm now trying to determine how it got to the computer.
Using the creation date from mftparser I couldn't find any created files around that time. I've used timeliner also.
Are there any other ways to search for this?
Thanks!
I was able to get the .txt file. I'm now trying to determine how it got to the computer.
In which path did you find the file? In general which evidence do you have? Only the mem dump?
I was able to get the .txt file. I'm now trying to determine how it got to the computer.
In which path did you find the file? In general which evidence do you have? Only the mem dump?
I have the dump and access to proxy logs.
The file was in the user folder.