Forensic
Command & Control - level 4
Well, it looks like I have found the connections that had been established, but none of the IPs seem correct.
Can someone help me? I am looking for connections made by the malware, no? Also, there are only about 3 programs that generated any traffic whatsoever, right?
Command & Control - level 4
I’m in the same boat as you. From the last one, C&C3, I know the PID of the malicious software (starts and ends with "2" if I’m right), so I use the netscan tool in Volatility and look for that PID. I find it, but it's wrong apparently. =C The IP should be an internal one since this is an "internal server", but no luck yet!
Command & Control - level 4
I’ve reverse-engineered the malware and I know exactly what it does (one of 4 destinations exists), but the IP:PORT doesn’t validate. The "internal server" thing is a bit confusing. All I can see is an internal gateway (avast) on port 12080.
Edit: nvm. I finally found it.
Command & Control - level 4
Dump the malicious process and use strings to search for the IP.
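The approach in the last reply, written out as an added example (not code from the thread or the challenge): it assumes you already dumped the suspicious process with Volatility (memdump/procdump) to a file, pulls every IPv4 or IPv4:port token out of it with `grep -a` (equivalent to piping `strings` into grep), and then keeps only RFC 1918 private addresses, since the target is described as an internal server. The sample dump is constructed inline and deliberately contains a version string that looks like an IP, to show why filtering matters.

```shell
#!/bin/sh
# Candidate IPv4[:port] extraction from a process memory dump.
# Assumption: "$1" is a dump file such as the output of Volatility's
# memdump/procdump for the malicious PID (not included here).

extract_ip_ports() {
  # All unique IPv4 or IPv4:port tokens found in the raw bytes of the dump.
  # -a treats the binary file as text, -o prints only the matching token.
  grep -aoE '([0-9]{1,3}\.){3}[0-9]{1,3}(:[0-9]{1,5})?' "$1" | sort -u
}

is_private_ipv4() {
  # $1 is "a.b.c.d" or "a.b.c.d:port"; succeeds for 10/8, 172.16/12, 192.168/16.
  ip=${1%%:*}
  case "$ip" in
    10.*) return 0 ;;
    192.168.*) return 0 ;;
    172.*)
      second=$(printf '%s' "$ip" | cut -d. -f2)
      if [ "$second" -ge 16 ] && [ "$second" -le 31 ]; then
        return 0
      fi
      ;;
  esac
  return 1
}

internal_candidates() {
  # Only the private (internal) addresses: the ones worth checking against
  # the netscan output for the suspicious PID.
  extract_ip_ports "$1" | while IFS= read -r tok; do
    if is_private_ipv4 "$tok"; then
      printf '%s\n' "$tok"
    fi
  done
}

make_sample_dump() {
  # Constructed sample bytes standing in for a real dump: a public DNS
  # address, two private endpoints, a fake proxy on 12080 and a version
  # string ("ver=1.2.3.4") that matches the IP regex but is noise.
  printf 'GET / HTTP/1.1\0\0connect 8.8.8.8:53\0\0\220\220beacon=192.168.1.22:4444\0\0proxy=172.17.0.5:12080\0\0\0ver=1.2.3.4\0' > "$1"
}
```

Run `internal_candidates /path/to/dump` on a real dump; the public address and the version string are dropped and only the two private endpoints remain.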