Detailed Malware Investigation Report: Analysis of Lab 6 Scenario

Added on  2022/09/28

LAB 6 REPORT
OVERVIEW:
Mr ImaVictim, one of my clients, contacted me about a possible malware attack. When I arrived at Mr
ImaVictim's house, I found Wireshark capturing data on his PC. After speaking with Mr ImaVictim
in more depth, I understand that while he was browsing the internet he came across an
application named "server.exe." Mr ImaVictim saved and executed "server.exe," and a message was
displayed on his screen right away, but nothing else seemed to change after that strange message.
While we were talking, around five minutes passed before an internet browser window opened without
anybody touching the device. Mr ImaVictim states that he is worried that a sensitive business
proposal he was working on at the time is now in the hands of a third party, and he wants me to look
for any evidence that might point to a malicious third party at work so he can report it to the police.
INVESTIGATION:
On Wednesday, May 18th, at around 1:30 p.m., I arrived at Mr ImaVictim's residence. When we first
met, we discussed the specific nature of the problem he was having, his concerns, and what he had
done before and after the suspicious behaviour occurred. According to the information available to
me, Mr ImaVictim had been using Wireshark to monitor and capture data on his network.
At 1:44 p.m., I used a forensic tool at the command prompt to record important information about
the client's PC. Because this is a live examination, I gathered as much information about the
operating system as possible to support the rest of the investigation. I recorded the time, the
operating system, the user account, and the IP address, as shown below.
TIME DETAILS:
System Date: Wed 18/05/2022
System Time: 01:44pm
System Time zone: GMT+10:00 Canberra, Melbourne
Current Date: Wed 18/05/2021
Current Time: 01:44pm
Time Variation (+/-): GMT+10:00
OS DETAILS:
OS Name: Microsoft Windows XP Professional
OS Version: 5.1.2600 Service Pack 3, build 2600
System Uptime: 2 hours, 36 minutes, 44 seconds
USER ACCOUNT DETAILS:
Logon time: 18/05/2022 12:23:02 PM
Logged on user: LAB6-VICTIM\ImaVictim
IP ADDRESS DETAILS:
IP Address: 192.168.6.2
Subnet Mask: 255.255.255.0
MAC Address: 08-00-27-57-D9-9A
Around 1:55 p.m., I opened Task Manager to check for suspicious processes on Mr ImaVictim's
computer and found a suspicious process called server.exe. I noted the PID of this process right
away: server.exe has a PID of 1208.
Around 2:00 p.m., I used a forensic tool to list the open connections on the client's PC, to confirm
that this suspicious process is malware. On the client's machine, I found a foreign address entry
with the same PID, 1208, as the suspicious process server.exe; the specifics are as follows:
Foreign Address: 192.168.6.1
State: Established
PID: 1208
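The step above (matching a process PID against an open connection) is the kind of correlation that a Task Manager screenshot and a connection listing give you by hand. As an added example, not part of the lab report, the script below parses the text output of the Windows commands `tasklist` and `netstat -ano` and returns the foreign endpoints owned by a named process. The two command outputs embedded in it are constructed samples, not captures from the client's PC; their values mirror the report's findings (server.exe, PID 1208, peer 192.168.6.1).

```python
"""Correlate a suspicious process with its open network connections.

Added example, not part of the lab report. Parses `tasklist` and
`netstat -ano` text output and returns the connections that belong to a
named image. Both sample outputs below are constructed, not captured
from the real machine.
"""
import re

# Constructed sample of `tasklist` output.
TASKLIST_OUTPUT = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         28 K
explorer.exe                  1520 Console                    0     19,244 K
wireshark.exe                 1788 Console                    0     61,120 K
server.exe                    1208 Console                    0      3,944 K
"""

# Constructed sample of `netstat -ano` output.
NETSTAT_OUTPUT = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.6.2:1042       192.168.6.1:80         ESTABLISHED     1208
  TCP    192.168.6.2:1051       192.168.6.1:80         TIME_WAIT       0
  UDP    0.0.0.0:445            *:*                                    4
"""

# Image name (may contain spaces), PID, session name, session number, memory.
TASKLIST_ROW = re.compile(r"^(\S.*?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K$")


def parse_tasklist(text):
    """Map PID -> image name from `tasklist` output; header rows are skipped."""
    procs = {}
    for line in text.splitlines():
        m = TASKLIST_ROW.match(line)
        if m:
            procs[int(m.group(2))] = m.group(1).strip()
    return procs


def parse_netstat(text):
    """Return one dict per connection row from `netstat -ano` output."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            proto, local, foreign, state, pid = parts
        elif len(parts) == 4 and parts[0] == "UDP":  # UDP rows have no State column
            proto, local, foreign, pid = parts
            state = ""
        else:
            continue  # banner, header and blank lines
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "state": state, "pid": int(pid)})
    return rows


def connections_for_process(image_name, tasklist_text, netstat_text):
    """All connection rows owned by processes whose image name matches."""
    procs = parse_tasklist(tasklist_text)
    pids = {pid for pid, name in procs.items() if name.lower() == image_name.lower()}
    return [row for row in parse_netstat(netstat_text) if row["pid"] in pids]


def established_peers(image_name, tasklist_text, netstat_text):
    """Foreign IPs the process currently holds ESTABLISHED TCP sessions with."""
    peers = {row["foreign"].rsplit(":", 1)[0]
             for row in connections_for_process(image_name, tasklist_text, netstat_text)
             if row["state"] == "ESTABLISHED"}
    return sorted(peers)


if __name__ == "__main__":
    for row in connections_for_process("server.exe", TASKLIST_OUTPUT, NETSTAT_OUTPUT):
        print(f"PID {row['pid']}: {row['proto']} {row['local']} -> {row['foreign']} {row['state']}")
    print("established peers:", established_peers("server.exe", TASKLIST_OUTPUT, NETSTAT_OUTPUT))
```

On a live system the two text inputs would come from saving each command's output to a file first; parsing saved output rather than re-running the commands keeps the evidence identical to what was collected at the time.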
Around 2:10 p.m., using the information gathered above, I was able to locate the malware on Mr
ImaVictim's machine and recorded the following information:
File Name: server.exe
Path: C:\Documents and Settings\Desktop\server.exe
Size: 57.8KB
Created: Today, 18th May 2022, 1:26:29pm
Modified: Today, 18th May 2022, 1:26:29pm
Accessed: Today, 18th May 2022, 1:26:29pm
TIMELINE OF INFECTION:
Around 2:30 p.m., because Mr ImaVictim had Wireshark running in the background, I used its capture
to track down the precise moment the infection started. Analysing the internet traffic on Mr
ImaVictim's computer in Wireshark, I found the original HTTP request that initiated the malware
download. Finding the original request packet let me track down the reply that carried the malware.
A copy of the malware has been saved so that any suspect's computer can be examined for the same
file. The results are as follows:
Time of download: May 18, 2022 13:26:01
Full request URI for malware: http://192.168.6.1/server.exe
Server.exe File Size: 57.8KB
About 2:40 p.m., by continuing to analyse the captured packets, I found the HTTP request created
when the suspected attacker remotely accessed Mr ImaVictim's computer. We were able to identify
when the webpage was opened as well as the full request URI, which is detailed below:
Time webpage opened: May 18, 2022 13:32:05
Full request URI for Webpage: http://192.168.6.1/index.html
At around 2:50 p.m., after determining that the suspected attacker was on the local network, I used
a forensic tool to determine the suspected attacker's MAC address. This will help us determine where
the attacker's device is physically located. The findings are as follows:
MAC address of attacker: 08:00:27:7b:ba:a9
At around 3:00 p.m., I found a packet containing sensitive information from Mr ImaVictim's business
proposal that had been captured by the suspected attacker via keylogging. Wireshark was used to
filter and monitor the traffic for this, and we were able to pinpoint the precise time the attacker
recorded the data. The findings are as follows:
Keylogging time: May 18, 2022 13:35:20
At 3:05 p.m., I saved all of the packet evidence from Mr ImaVictim's computer in CSV format to a file
named "packets.csv." I then transferred this file to my computer, from which it will be submitted to
the authorities. The following is a list of the contents of this file:
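The report's packets.csv is not reproduced on this page. As an added example, not the report's file and not its author's code, the script below shows how the timeline steps above (first request for the malware, the later webpage request, the data packet to the attacker, and the attacker's MAC address) can be recovered from a Wireshark CSV export. The rows embedded in it are constructed, with values that mirror the report's findings. The columns follow Wireshark's default CSV export (No., Time, Source, Destination, Protocol, Length, Info) plus an extra "Source MAC" column; that extra column is an assumption, since it is not in the default export and would have to be added (Wireshark allows eth.src as a custom column) before exporting.

```python
"""Rebuild an infection timeline from a Wireshark CSV export.

Added example, not the lab report's packets.csv. The CSV below is
constructed; the "Source MAC" column is an assumed custom column.
"""
import csv
import io
from datetime import datetime

# Constructed sample export; values mirror the report's findings.
PACKETS_CSV = """\
"No.","Time","Source","Destination","Protocol","Length","Source MAC","Info"
"11","2022-05-18 13:26:01.002","192.168.6.2","192.168.6.1","HTTP","302","08:00:27:57:d9:9a","GET /server.exe HTTP/1.1"
"14","2022-05-18 13:26:01.347","192.168.6.1","192.168.6.2","HTTP","1514","08:00:27:7b:ba:a9","HTTP/1.1 200 OK  (application/x-msdownload)"
"42","2022-05-18 13:32:05.118","192.168.6.2","192.168.6.1","HTTP","288","08:00:27:57:d9:9a","GET /index.html HTTP/1.1"
"43","2022-05-18 13:32:05.301","192.168.6.1","192.168.6.2","HTTP","621","08:00:27:7b:ba:a9","HTTP/1.1 200 OK  (text/html)"
"77","2022-05-18 13:35:20.504","192.168.6.2","192.168.6.1","TCP","118","08:00:27:57:d9:9a","1042 > 80 [PSH, ACK] Seq=1 Ack=1 Len=64"
"""


def load_packets(text):
    """Parse the CSV text and attach a datetime ("ts") to every row."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["ts"] = datetime.strptime(row["Time"], "%Y-%m-%d %H:%M:%S.%f")
    return rows


def http_requests(rows):
    """(timestamp, client, server, method, path) for each HTTP request row."""
    out = []
    for row in rows:
        if row["Protocol"] != "HTTP":
            continue
        parts = row["Info"].split()
        # Requests look like "GET /path HTTP/1.1"; responses start with "HTTP/1.1".
        if len(parts) >= 3 and parts[0] in ("GET", "POST") and parts[2].startswith("HTTP/"):
            out.append((row["ts"], row["Source"], row["Destination"], parts[0], parts[1]))
    return out


def find_download(rows, filename):
    """Time and full URI of the first request for `filename`, or None."""
    for ts, client, server, method, path in http_requests(rows):
        if path.rsplit("/", 1)[-1] == filename:
            return ts, f"http://{server}{path}"
    return None


def macs_for_ip(rows, ip):
    """Every source MAC seen for an IP; more than one means the IP moved hosts."""
    return sorted({row["Source MAC"] for row in rows if row["Source"] == ip})


def build_timeline(rows, malware_name):
    """Ordered (kind, timestamp, detail) events from the malware download onward.

    The host that served the malware is treated as the attacker; later HTTP
    requests to it and later non-HTTP packets sent to it are listed.
    """
    download = find_download(rows, malware_name)
    if download is None:
        return []
    dl_ts, dl_uri = download
    attacker = dl_uri.split("/")[2]
    events = [("download", dl_ts, dl_uri)]
    for ts, client, server, method, path in http_requests(rows):
        if server == attacker and ts > dl_ts:
            events.append(("http_request", ts, f"http://{server}{path}"))
    for row in rows:
        if row["Protocol"] != "HTTP" and row["Destination"] == attacker and row["ts"] > dl_ts:
            events.append(("data_to_attacker", row["ts"], f"{row['Length']} bytes"))
    events.sort(key=lambda event: event[1])
    return events


if __name__ == "__main__":
    packets = load_packets(PACKETS_CSV)
    for kind, ts, detail in build_timeline(packets, "server.exe"):
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {kind:17s} {detail}")
    print("attacker MACs:", macs_for_ip(packets, "192.168.6.1"))
```

The Time column must be exported in absolute date-and-time format (View > Time Display Format in Wireshark) for the timestamps to parse; the default "seconds since beginning of capture" would need the capture start time to be converted back to wall-clock time.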
CONCLUSION:
At around 3:20 p.m. on Wednesday, May 18th, 2022, I completed my investigation into the claimed
attack on Mr ImaVictim. According to the information I gathered throughout my investigation, Mr
ImaVictim was infected with a malicious application labelled "server.exe." Mr ImaVictim
downloaded and ran this software, which allowed the attacker to monitor his activities, including the
aforementioned sensitive business proposal. We were able to locate and stop the malicious
application, as well as establish the attacker's location. This report will be sent to the authorities as
evidence in the case.