# Volatility2 Exercise 1

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FpMCHlClmx9CuywC28n1y%2Fvola_logo.jpeg?alt=media&#x26;token=88890c4c-34dd-4173-bb09-eac8521c6585" alt=""></div>

### 1. Introduction

> At the company of concern, internal data was found in data leaks. The computer is currently running and you have been able to create a RAM image. The identified computer is an older computer of an industrial control system.

You have to analyse the RAM image with Volatility.

Resources:

{% embed url="<https://www.dropbox.com/s/lqs5wlyz0mk4e5c/0zapftis.zip?dl=0>" %}
Memory Image
{% endembed %}

{% embed url="<https://blog.onfvp.com/post/volatility-cheatsheet/>" %}
Volatility Cheatsheet
{% endembed %}

The basic use of Volatility2 works as follows:

`volatility <plugin> [plugin options] [plugin parameters] -f </path/to/image> --profile=<profile>`

With the following command you get the suggested Volatility profiles for an image:

`volatility_2.6 -f <IMAGEPATH> imageinfo`

`imageinfo` usually lists several candidate profiles (typically the same Windows version with different service packs); the first one is the best guess. Confirm it by running `pslist` with that profile: a wrong profile yields an empty or garbled process list.

Please answer the following questions:

1. Which volatility profile should be used for the image?
2. How many processes were active at the time of the memory capture?
3. Are there any hidden processes?
4. What network connections exist or existed? Is anything noticeable?
5. Which processes started the connections?
6. Examine the input in the command line. Which commands were executed? Do you notice anything suspicious?
7. Which suspicious services are currently active?

### 2. Analysis and Answers

1. Profile detection:

   `volatility.exe -f doomed.vmem imageinfo`

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FpjlGBJdcHaR2T98udWYy%2Fvol01.png?alt=media\&token=3480c7ef-731e-4595-908e-ab1a5c09f537)

2\. Detect active processes (22 in total). `pslist` walks the kernel's linked list of `_EPROCESS` structures:

`volatility.exe -f doomed.vmem --profile=WinXPSP2x86 pslist`

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2F4njwdy2WvAcbwISBgfC3%2Fvol02.png?alt=media\&token=1cf10e7a-ae13-4bdf-aca3-01b08be0f536)

Process tree view (parent-child relationships): `volatility.exe -f doomed.vmem --profile=WinXPSP2x86 pstree`

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2F62KzvZto4x68xBHNE92f%2Fvol04.png?alt=media\&token=0b34958b-ef10-49f9-9368-f7600947e0ec)

3\. Scan for hidden and terminated processes. `psscan` carves `_EPROCESS` structures out of physical memory instead of walking the kernel's process list, so it also finds processes that have exited or have been unlinked from that list:

`volatility.exe -f doomed.vmem --profile=WinXPSP2x86 psscan`

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2F2H5QyNZzURQGXasrTtlE%2Fvol03.png?alt=media\&token=dba100c6-482b-40ec-8bd9-a1dfd0b02b2e)

`psxview` cross-references several enumeration methods (pslist, psscan, thread scan, PspCid table, csrss handles, session and desktop threads); a process that is `False` in the pslist column but `True` elsewhere has been hidden from the live process list:

`volatility.exe -f doomed.vmem --profile=WinXPSP2x86 psxview`

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FjI3o1h0kXLZ2fRq9LXap%2Fvol05.png?alt=media\&token=4acc270d-cdf9-48e0-989e-995d776bf655)

Nothing suspicious detected so far: no hidden processes.

4\. Check network connections. On Windows XP, `connections` lists the TCP connections that were active at capture time, `connscan` carves connection objects from memory and therefore also recovers connections that were already closed, and `sockscan` finds open sockets, including listening ports:

`volatility.exe -f doomed.vmem --profile=WinXPSP2x86 connscan`\
`volatility.exe -f doomed.vmem --profile=WinXPSP2x86 connections`\
`volatility.exe -f doomed.vmem --profile=WinXPSP2x86 sockscan`

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2Fn5FOqmX26LF6YJp0vqNT%2Fvol06.png?alt=media\&token=6fbbd347-b125-49d9-974b-e6e00c60a7ab)

5\. The process ID 1956 belongs to `explorer.exe`, which initiated a remote connection to `172.16.98.1:6666`. This is the noticeable item from question 4: Explorer normally does not open outbound connections, and TCP 6666 is not a standard service port, so PID 1956 deserves a closer look (for example with `malfind` or `dlllist` on that PID).
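As an added example (not part of this exercise and not Volatility's own code), the following Python script reproduces, on the plain-text output of the plugins, the pslist/psscan cross-check behind question 3 and the connection-to-process attribution behind questions 4 and 5. It assumes the Volatility 2.6 column layout (Offset, Name and PID as the first three columns; the exit time as the second timestamp on a row) and image names without spaces. The `pslist`, `psscan` and `connscan` output embedded in it is constructed for illustration; only the `explorer.exe` / `172.16.98.1:6666` row mirrors the finding on this page. The port allowlist and the set of processes not expected to initiate outbound connections are triage assumptions to adapt per environment.

```python
"""Cross-view process check and connection attribution over Volatility 2 text
output. Added example (not from the exercise); all sample output is constructed."""
import re
from collections import namedtuple

# Constructed pslist output in the Volatility 2.6 column layout (not from doomed.vmem).
PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c8830 System                    4      0     55      245 ------      0
0x81ee2da0 svchost.exe            1064    672     18      296      0      0 2011-10-10 17:04:02 UTC+0000
0x81f2e020 explorer.exe           1956   1928     15      461      0      0 2011-10-10 17:04:10 UTC+0000
"""
# Constructed psscan output: the same processes, one that has exited, and one that
# is alive but missing from the linked list (unlinked, i.e. hidden).
PSSCAN = """\
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x0000000001c1a830 System                4      0 0x00319000
0x0000000001f1ada0 svchost.exe        1064    672 0x0a940000 2011-10-10 17:04:02 UTC+0000
0x0000000001d0e020 explorer.exe       1956   1928 0x0a7c0000 2011-10-10 17:04:10 UTC+0000
0x0000000001e2c4a0 cmd.exe            1344   1956 0x0aa00000 2011-10-10 17:05:01 UTC+0000 2011-10-10 17:06:30 UTC+0000
0x0000000001b77020 svchost.exe        1080    672 0x0ab20000 2011-10-10 17:04:40 UTC+0000
"""
# Constructed connscan output (Windows XP layout); only the first row mirrors the page.
CONNSCAN = """\
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x01f2d9e0 172.16.98.132:1037        172.16.98.1:6666          1956
0x01f4a008 172.16.98.132:1040        172.16.98.1:445           4
0x01f6b1c0 172.16.98.132:1045        10.0.0.5:443              1080
"""

TIMESTAMP = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC[+-]\d{4}")
# Triage heuristics: assumptions to tune per environment, not Volatility rules.
EXPECTED_REMOTE_PORTS = {25, 53, 80, 110, 139, 143, 443, 445, 993, 995}
NO_OUTBOUND_EXPECTED = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                        "lsass.exe", "explorer.exe"}

Proc = namedtuple("Proc", "offset name pid exited")
Conn = namedtuple("Conn", "local remote pid owner notes")

def rows(table):
    """Yield whitespace-split data rows of a Volatility 2 text table; the header
    and the dashed separator never begin with an 0x offset, so they are skipped."""
    for line in table.splitlines():
        parts = line.split()
        if parts and parts[0].startswith("0x"):
            yield parts

def parse_processes(table):
    """pslist or psscan output -> list of Proc. Columns 0..2 are Offset, Name, PID in
    both plugins; a second timestamp on the row is the exit time (Exit / Time exited).
    Assumes image names contain no spaces."""
    return [Proc(p[0], p[1], int(p[2]), len(TIMESTAMP.findall(" ".join(p))) >= 2)
            for p in rows(table)]

def cross_view(pslist_out, psscan_out):
    """Return (terminated, hidden): processes psscan found but pslist did not, split by
    whether they carry an exit time. Matches on (name, pid) because pslist prints
    virtual and psscan physical offsets; the real psxview compares physical offsets,
    which also copes with PID reuse."""
    listed = {(p.name, p.pid) for p in parse_processes(pslist_out)}
    terminated, hidden = [], []
    for proc in parse_processes(psscan_out):
        if (proc.name, proc.pid) not in listed:
            (terminated if proc.exited else hidden).append(proc)
    return terminated, hidden

def attribute_connections(connscan_out, pslist_out, psscan_out):
    """Join each connscan row to its owning process and attach triage notes."""
    live = {p.pid: p for p in parse_processes(pslist_out)}
    known = {p.pid: p for p in parse_processes(psscan_out)}
    known.update(live)  # prefer the live view when both know the PID
    conns = []
    for parts in rows(connscan_out):
        local, remote, pid = parts[1], parts[2], int(parts[3])
        port = int(remote.rsplit(":", 1)[1])
        owner = known[pid].name if pid in known else "<unknown>"
        notes = []
        if port not in EXPECTED_REMOTE_PORTS:
            notes.append(f"unusual remote port {port}")
        if owner in NO_OUTBOUND_EXPECTED:
            notes.append(f"{owner} normally initiates no outbound connections")
        if pid not in live:
            notes.append("owner absent from pslist (terminated, hidden or unknown)")
        conns.append(Conn(local, remote, pid, owner, notes))
    return conns

if __name__ == "__main__":
    terminated, hidden = cross_view(PSLIST, PSSCAN)
    print("terminated:", [(p.name, p.pid) for p in terminated], "hidden:", [(p.name, p.pid) for p in hidden])
    for c in attribute_connections(CONNSCAN, PSLIST, PSSCAN):
        print(f"{c.local} -> {c.remote} pid {c.pid} ({c.owner}) {'; '.join(c.notes)}")
```

To use it on real output, redirect each plugin's output to a file (`volatility ... psscan > psscan.txt`) and pass the file contents in place of the constructed strings. The script deliberately treats "found by psscan, no exit time, absent from pslist" as the hidden case; a process with an exit time in the same position is the benign leftover of a terminated process, which is why psscan alone, without this distinction, over-reports.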

6\. Get the command line history. `cmdscan` recovers the command history buffers of `csrss.exe`/`conhost.exe`, while `consoles` additionally reconstructs the screen buffer, i.e. the output the operator saw:

`volatility.exe -f doomed.vmem --profile=WinXPSP2x86 cmdscan`\
`volatility.exe -f doomed.vmem --profile=WinXPSP2x86 consoles`

The console history shows that a service check was executed: `sc query malware`. Someone queried the status of a service literally named `malware`, which is the lead for question 7.

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2Ft9AuT1ljIW7o78t98ljM%2Fvol07.png?alt=media\&token=7d9136b8-8b7a-4aca-be05-d57134313118)

7\. Check active services: `volatility.exe -f doomed.vmem --profile=WinXPSP2x86 svcscan`

There are a lot of services on that machine. Searching the output for `malware` shows that this service is still running:

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FKjVjXbkyLWopFFiymZ8e%2Fvol08.png?alt=media&#x26;token=5eb0e003-99e0-444d-b095-3b4b44c8ac14" alt=""></div>

The binary path is `\Driver\Malware`, i.e. the service is a kernel driver rather than a user-mode executable. As a follow-up, the driver object can be located with `driverscan` and the loaded module with `modscan` before extracting it for analysis.
