Incident Overview
Company X has contacted you to perform forensics work on a recent incident that occurred. One of their employees had received an email from a fellow co-worker that pointed to a PDF file. Upon opening it, the employee did not seem to notice anything; however, they have recently had unusual activity in their bank account. Company X was able to obtain a memory image of the employee’s virtual machine upon suspected infection. Company X wishes you to analyze the virtual memory and report on any suspected activities found. The questions below are provided to help structure the formal report for the investigation.
1. List the processes that were running on the victim’s machine. Which process was most likely responsible for the initial exploit? (2pts)
2. List the sockets that were open on the victim’s machine during infection. Are there any suspicious processes that have sockets open? (4pts)
3. List any suspicious URLs that may be in the suspected process’s memory. (2pts)
4. Are there any other processes that contain URLs that may point to banking troubles? If so, what are these processes and what are the URLs? (4pts)
5. Were there any files that were able to be extracted from the initial process? How were these files extracted? (6pts)
6. If there was a file extracted from the initial process, what techniques did it use to perform the exploit? (8pts)
7. List suspicious files that were loaded by any processes on the victim’s machine. From this information, what could the payload of the initial exploit be that would affect the victim’s bank account? (2pts)
8. If any suspicious files can be extracted from an injected process, do any anti-virus products pick up the suspicious executable? What is the general result from anti-virus products? (6pts)
9. Are there any related registry entries associated with the payload? (4pts)
10. What technique was used in the initial exploit to inject code into the other processes? (6pts)
Source : Case
5W1H ANALYSIS
Who : Someone from hxxp://search-network-plus.com; they are a malware author.
What : The victim's computer was infected with Zeus from a PDF file received by e-mail. The victim's computer attempts to download an exploit from the address hxxp://search-network-plus.com. If it is downloaded, it has the potential to open the computer's defences from the inside and send bank files out. This malware injects into Windows files, so that all of the computer's processes are disrupted and infected.
When : The time of the incident was Fri Feb 26 03:34:02 201
Where : On the computer of a Bank of America employee.
Why : Money as the motive.
How : A Bank of America employee received an e-mail from a co-worker containing a PDF file; it turned out that this file had the Zeus malware injected into it. This malware infects Windows files and tries to open the computer's security access and send out bank files.
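Questions 3 and 4 ask for suspicious URLs held in process memory, and the "What" point above names one domain. The following is an added example, not part of the original case write-up or the challenge: a small carver that pulls URL-like strings from a raw process memory dump in both ASCII and UTF-16LE (Windows wide strings, which a plain strings pass misses) and defangs them with the hxxp:// convention used above. The memory buffer is constructed here for illustration; the second host is made up.

```python
import re

# Constructed sample of a carved process-memory region: ASCII and UTF-16LE
# strings mixed with binary padding. Not data from the case image; the first
# domain is the one named in the analysis, the second is a made-up host.
SAMPLE_MEMORY = (
    b"\x00\x00MZ\x90\x00filler\x00"
    + b"http://search-network-plus.com/"
    + b"\x00\x00\x01\x02"
    + "https://www.example-bank.test/login".encode("utf-16-le")
    + b"\x00\x00\x00filler\x00"
)

# Host characters are restricted; the path may hold any printable ASCII.
# The wide pattern is the same shape with a NUL after every character.
_ASCII_URL = re.compile(rb"https?://[A-Za-z0-9.\-]+(?:/[\x21-\x7e]*)?")
_WIDE_URL = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00"
    rb"(?:[A-Za-z0-9.\-]\x00)+(?:/\x00(?:[\x21-\x7e]\x00)*)?"
)


def carve_urls(buf: bytes) -> list[tuple[int, str, str]]:
    """Return (offset, encoding, url) for every URL-like string in buf, by offset."""
    hits = [(m.start(), "ascii", m.group().decode("ascii"))
            for m in _ASCII_URL.finditer(buf)]
    hits += [(m.start(), "utf-16-le", m.group().decode("utf-16-le"))
             for m in _WIDE_URL.finditer(buf)]
    return sorted(hits)


def defang(url: str) -> str:
    """Neutralise a URL for the report (hxxp:// convention, as in the analysis)."""
    return url.replace("http", "hxxp", 1)


def report(buf: bytes) -> list[str]:
    """One defanged line per hit, ready for the findings section of the report."""
    return [f"0x{off:08x} {enc:9s} {defang(url)}" for off, enc, url in carve_urls(buf)]


if __name__ == "__main__":
    # In practice, read a per-process dump carved from the memory image here.
    for line in report(SAMPLE_MEMORY):
        print(line)
```

Run it over each suspect process dump and compare the hosts against the sockets listed for question 2; a banking host appearing in a process that should never talk to a bank is the finding question 4 is after.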