Silly_P2P.H - whatislove.zip  

UnallocatedClusters
(@unallocatedclusters)
Senior Member

Hello colleagues,

I am running Windows 10 Professional Edition build 18363 (64-bit) using Boot Camp on a MacBook Pro ("Laptop").

After wiping the Windows partition and installing Windows 10 Pro, I installed Immunet's CLAM AV software.

I then used Magnet Forensics' RAM capture tool to dump the 16GB of RAM on my Laptop as a .RAW file.

I used OSForensics to extract all strings from the .RAW file and came across the below string:

TO DECRYPT FILES\r\nNobody can help you - even don't try\r\nWe can help to solve this task for $120 via wire transfer\r\nBancos.XQ.\r\nSilly_P2P.H\r\nAAnderson\r\nchatwnd.sendfile\r\nmsgplus.scriptfilespath\r\nwhatislove.zip

QUESTION:

Is the aforementioned string referencing "Silly_P2P.H" and the ransomware language the direct result of Microsoft Defender and/or the Immunet CLAM AV antivirus software, or is my MacBook Pro potentially infected by malware? I have been informed that "whatislove.zip" is a common keylogger delivery file name.

Neither Microsoft Defender nor the Immunet antivirus software are generating any warnings on my MacBook.

Before wiping my MacBook's Windows partition and reinstalling Windows, I had definitely used the same MacBook to perform forensic analysis of an E01 forensic image of a different laptop in which not only the aforementioned Silly_P2P reference appears in the pagefile.sys but also many other references to malware.

So basically I am trying to determine if my MacBook has been infected as a direct result of analyzing another computer infected by the Silly_P2P/Stuxnet worm malware, or, if Microsoft Defender and/or Immunet CLAM AV generates references to Silly_P2P in a given computer's RAM.

Ketchup or Blood?

Thoughts and advice please.

Posted : 21/05/2020 11:54 pm
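One way to work the "ketchup or blood" question is to look not just at whether a string exists in the RAM dump but at what sits around it: a detection name packed among many other detection names is what a loaded antivirus signature list looks like, while the same string next to a user path, a process name or a command line deserves a closer look. The triage script below is an added example (not the poster's procedure or any vendor's tool); it searches a raw image for ASCII and UTF-16LE copies of each indicator and reports the printable strings in a window around every hit. The memory region it scans is constructed inline for the demonstration; on a real case you would read the .RAW file instead.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample "memory" (not a real dump). The first copy of the
# indicator sits in a run of detection-style names (the Example.* names
# are made up; Bancos.XQ is the neighbour quoted in the post); the second
# indicator sits next to a file path, once as ASCII and once as UTF-16LE.
SAMPLE_IMAGE = (
    b"\x00\x00"
    + b"\x00".join([b"Example.Worm.A", b"Silly_P2P.H",
                    b"Example.Trojan.B", b"Bancos.XQ"]) + b"\x00"
    + b"\x00" * 40
    + b"C:\\Users\\analyst\\Downloads\\whatislove.zip\x00"
    + "whatislove.zip".encode("utf-16-le") + b"\x00\x00"
)

# Runs of four or more printable ASCII bytes, like a strings(1) pass.
PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")


def find_indicator(image: bytes, indicator: str) -> List[Tuple[int, str]]:
    """Return (offset, encoding) for every ASCII and UTF-16LE occurrence."""
    hits = []
    for enc in ("ascii", "utf-16-le"):
        needle = indicator.encode(enc)
        pos = image.find(needle)
        while pos != -1:
            hits.append((pos, enc))
            pos = image.find(needle, pos + 1)
    return sorted(hits)


def neighbours(image: bytes, offset: int, window: int = 64) -> List[str]:
    """Printable strings within +/- window bytes of a hit, for context."""
    lo, hi = max(0, offset - window), offset + window
    return [m.group().decode("ascii") for m in PRINTABLE.finditer(image, lo, hi)]


def triage(image: bytes, indicators: List[str]) -> Dict[str, List[dict]]:
    """For each indicator: where it occurs, in which encoding, and what is near it."""
    return {
        ind: [{"offset": off, "encoding": enc, "context": neighbours(image, off)}
              for off, enc in find_indicator(image, ind)]
        for ind in indicators
    }


if __name__ == "__main__":
    for ind, hits in triage(SAMPLE_IMAGE, ["Silly_P2P.H", "whatislove.zip"]).items():
        for h in hits:
            print(f"{ind} @0x{h['offset']:x} ({h['encoding']}): {h['context']}")
```

Run against a real capture by replacing SAMPLE_IMAGE with the file's bytes (or a memory-mapped view for a 16GB image); hits whose context is a list of other detection names point at a signature database, hits whose context is a path or process artefact are the ones worth pivoting on.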