Volatility3 Exercise 3
Last updated
You are given a memory dump of a machine that was infected by malware. All you know is the IP address of the C&C (command and control) server the malware connects to.
Requirements:
the memory dump (see resources)
Volatility
the IP of the C&C server: 80.74.140.117
Resources:
In the list of network connections we see the suspicious IP address together with the port the malware connects to, 80.74.140.117:5555. On the same line we also see that the owning process, PID 1892, is listed.
The process ID is 1892 and the remote port is 5555.
1892;5555
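The lookup described above, turned into a small script, as an added example that is not part of the original exercise: it parses the tab-separated table that the Volatility 3 network-connection listing prints (the column names Offset, Proto, LocalAddr, LocalPort, ForeignAddr, ForeignPort, State, PID, Owner, Created are assumed from that plugin's output) and returns the PID and remote port of every connection to the C&C address in the exercise's "pid;port" format. The sample output below is constructed to mimic that layout; it is not the real output from the exercise dump, and the process names in it are made up.

```python
"""Find the process talking to a known C&C IP in Volatility 3 netscan-style output.

Added example. Column names and the tab-separated layout are assumptions about
how the Volatility 3 network plugin renders its table; the sample text is
constructed and does not come from the exercise's memory dump.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample of a network-connection table (not real output; owner names are invented).
SAMPLE_NETSCAN = (
    "Volatility 3 Framework 2.x\n"
    "Offset\tProto\tLocalAddr\tLocalPort\tForeignAddr\tForeignPort\tState\tPID\tOwner\tCreated\n"
    "\n"
    "0x8a3f1c08\tTCPv4\t192.168.1.20\t49201\t80.74.140.117\t5555\tESTABLISHED\t1892\tagent.exe\t2022-03-01 10:15:02.000000\n"
    "0x8a3f2a10\tTCPv4\t192.168.1.20\t49170\t40.77.226.250\t443\tCLOSE_WAIT\t2460\tMsMpEng.exe\t2022-03-01 10:14:55.000000\n"
    "0x8a3f33c0\tTCPv4\t0.0.0.0\t135\t0.0.0.0\t0\tLISTENING\t704\tsvchost.exe\t2022-03-01 10:10:01.000000\n"
    "0x8a3f44d8\tUDPv4\t0.0.0.0\t5355\t*\t0\t\t1092\tsvchost.exe\t2022-03-01 10:10:03.000000\n"
)


@dataclass(frozen=True)
class Connection:
    proto: str
    local_addr: str
    local_port: int
    foreign_addr: str
    foreign_port: int
    state: str
    pid: int
    owner: str


def _to_int(value: str) -> int:
    """Ports/PIDs are printed as plain integers; anything else (e.g. '-') becomes -1."""
    value = value.strip()
    return int(value) if value.isdigit() else -1


def parse_netscan(text: str) -> List[Connection]:
    """Turn the tab-separated table into Connection records, skipping banner and blank lines."""
    columns: Dict[str, int] = {}
    rows: List[Connection] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if fields[0] == "Offset":  # header row: learn the column positions
            columns = {name: i for i, name in enumerate(fields)}
            continue
        if not columns or len(fields) < len(columns):
            continue  # framework banner or a truncated row
        rows.append(Connection(
            proto=fields[columns["Proto"]],
            local_addr=fields[columns["LocalAddr"]],
            local_port=_to_int(fields[columns["LocalPort"]]),
            foreign_addr=fields[columns["ForeignAddr"]],
            foreign_port=_to_int(fields[columns["ForeignPort"]]),
            state=fields[columns["State"]],
            pid=_to_int(fields[columns["PID"]]),
            owner=fields[columns["Owner"]],
        ))
    return rows


def find_c2_connections(text: str, c2_ip: str) -> List[Connection]:
    """Return every connection whose remote address is the known C&C IP."""
    return [c for c in parse_netscan(text) if c.foreign_addr == c2_ip]


def exercise_answer(text: str, c2_ip: str) -> str:
    """Format the result as 'pid;remoteport', one line per distinct match."""
    matches = find_c2_connections(text, c2_ip)
    if not matches:
        raise ValueError(f"no connection to {c2_ip} found in the listing")
    return "\n".join(sorted({f"{c.pid};{c.foreign_port}" for c in matches}))


if __name__ == "__main__":
    for conn in find_c2_connections(SAMPLE_NETSCAN, "80.74.140.117"):
        print(f"{conn.proto} {conn.local_addr}:{conn.local_port} -> "
              f"{conn.foreign_addr}:{conn.foreign_port} {conn.state} pid={conn.pid} owner={conn.owner}")
    print(exercise_answer(SAMPLE_NETSCAN, "80.74.140.117"))
```

On the real dump you would feed the saved output of the network plugin to `exercise_answer` instead of the constructed sample; matching on the remote address rather than grepping the whole line avoids false hits where the C&C IP string happens to appear in another column.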