www.SecurityXploded.com
Advanced Malware Analysis Training Series: Session 7 - Malware Memory Forensics
Disclaimer
The content, demonstrations, source code and programs presented here are provided "AS IS" without
any warranty or conditions of any kind. The views, ideas and knowledge expressed here are solely
the trainer's and have nothing to do with the company or organization in which the trainer is
currently working.
Under no circumstances is the trainer or SecurityXploded responsible for any damage or loss
caused by use or misuse of the information presented here.
Acknowledgement
 Special thanks to Null community for their extended support and co-operation.
 Special thanks to ThoughtWorks for the beautiful venue.
 Thanks to all the trainers who have devoted their precious time and countless hours to make it happen.
Advanced Malware Analysis Training
This presentation is part of our Advanced Malware Analysis Training program. Currently it
is delivered free of cost, and only at our local meets.
For complete details of this course, visit our Security Training page.
Who am I
Monnappa (m0nna)
 Member of SecurityXploded
 Info Security Investigator @ Cisco
 Reverse Engineering, Malware Analysis, Memory Forensics
 GREM, CEH
 Email: monnappa22@gmail.com
 Twitter: @monnappa22
 LinkedIn: http://www.linkedin.com/pub/monnappa-ka-grem-ceh/42/45a/1b8
Contents
 Why Memory Forensics?
 Steps in Memory Forensics
 Volatility Quick Overview
 Volatility help and plugins
 Demo 1
 Demo 2
Why Memory Forensics?
 Finding and extracting forensic artefacts
 Helps in malware analysis
 Determining process, network, registry activities
 Reconstructing original state of the system
 Assists with unpacking, rootkit detection and reverse engineering
Steps in Memory Forensics
 Memory acquisition - dumping the physical memory of the target machine
- tools: Win32dd/Win64dd, Memoryze, DumpIt, FastDump
- in a virtual machine: suspend the VM and use the .vmem file (the guest's RAM as saved by the hypervisor)
- write the image to removable or network storage rather than the suspect machine's own disk, and hash it as soon as it is acquired so later analysis can be shown to have run on an unmodified image
 Memory analysis - analysing the memory dump for forensic artefacts
- tools: Volatility, Memoryze
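The hashing step above, as an added example (not from the original slides): a manifest line is recorded right after acquisition and checked again before analysis. The manifest format is this example's own convention; it assumes sha256sum (or shasum) is on the PATH and that the image is an ordinary file such as infected.dmp or a suspended VM's .vmem.

```shell
#!/bin/sh
# Added example: record and later verify the integrity of an acquired memory image.
# Manifest line format (this example's convention):
#   <sha256>  <size-bytes>  <utc-timestamp>  <image-path>

# Print the SHA-256 of a file; assumes sha256sum (coreutils) or shasum (macOS/BSD).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# record_image IMAGE MANIFEST: append the image's hash, size and acquisition time.
record_image() {
    img=$1; manifest=$2
    [ -f "$img" ] || { echo "no such image: $img" >&2; return 2; }
    size=$(wc -c < "$img" | tr -d ' ')
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    printf '%s  %s  %s  %s\n' "$(sha256_of "$img")" "$size" "$stamp" "$img" >> "$manifest"
}

# verify_image IMAGE MANIFEST: exit 0 only if the current hash matches the last
# recorded hash for that path; 1 on mismatch, 2 if the image was never recorded.
verify_image() {
    img=$1; manifest=$2
    recorded=$(awk -v f="$img" '$4 == f {h = $1} END {print h}' "$manifest")
    [ -n "$recorded" ] || { echo "not in manifest: $img" >&2; return 2; }
    current=$(sha256_of "$img")
    [ "$current" = "$recorded" ] || { echo "HASH MISMATCH for $img" >&2; return 1; }
}
```

Typical use is `record_image infected.dmp manifest.txt` on the acquisition machine and `verify_image infected.dmp manifest.txt` on the analysis box before the first Volatility run; keep the manifest with the case notes rather than next to the image.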
Volatility Quick Overview
 Advanced memory forensics framework written in Python
 Installation details:
- http://code.google.com/p/volatility/wiki/FullInstallation
 Use the -h or --help option to list the command-line switches
- example: python vol.py -h
 Use -f <filename> to name the memory dump and --profile to tell Volatility which OS, service pack and architecture the dump came from. With the wrong profile the plugins return empty or nonsensical output rather than an error, so get this right first.
- example: python vol.py -f mem.dmp --profile=WinXPSP3x86 psscan
 To find out which --profile to use, run imageinfo; it lists suggested profiles, and kdbgscan can confirm the choice when more than one is suggested:
- example: python vol.py -f mem.dmp imageinfo
Volatility help and plugins
The -h or --help option displays the help text and the list of available plugin commands in Volatility; python vol.py <plugin> -h shows the options of one plugin.
Demo-Scenario 1
Your security device alerts on a malicious IRC connection to IP address 192.168.1.2 on port 1865 from
source IP 192.168.1.100. You are asked to investigate and perform memory forensics on the
machine 192.168.1.100.
- To start with, acquire the memory image "infected.dmp" from 192.168.1.100 using a memory acquisition
tool (such as DumpIt or win32dd)
- Analyze the memory dump "infected.dmp"
Step 1 – Start With what you know
Volatility's connscan module shows that the connection to the malicious IP on port 1865 is owned
by PID 1984. connscan carves _TCPT_OBJECT structures out of physical memory, so it also reports connections that have already closed; that is useful here, since the IRC session may be over by the time memory is acquired. (connscan applies to XP/2003 profiles; for Vista and later the equivalent is netscan.)
Step 2 – Who is Pid 1984?
psscan shows that PID 1984 belongs to explorer.exe. The Windows shell has no reason to open an outbound IRC session, which already points at code injected into the process.
Step 3 – apihooks in explorer.exe
The apihooks module shows inline API hooks in explorer.exe (PID 1984) whose jump targets lie in an unknown location, i.e. memory not backed by any loaded module.
Step 4 – Embedded exe in explorer.exe
Printing the bytes at that location shows an MZ/PE header, i.e. an executable embedded in the address space of explorer.exe.
Step 5 – dumping the embedded exe
vaddump dumps the memory region (VAD) that holds the embedded executable from explorer.exe.
Step 6 – embedded exe by malfind plugin
The malfind plugin can also be used to detect the embedded executable, since it flags private, executable memory regions that are not backed by a file on disk, and to dump it (its -D option writes the flagged regions to a directory).
Step 7 – VirusTotal submission
Submitting the dumped executable to VirusTotal confirms that it is malicious. Note that a PE extracted from memory differs from the file that was dropped on disk (relocations applied, import table resolved), so its hash will usually not match an existing VirusTotal entry; the file itself has to be submitted.
Step 8 – getting more information
Strings extracted from the dumped executable reference interesting artifacts (domains and a registry key).
Step 9 – explorer.exe handles
The handles of explorer.exe (PID 1984) include the Run registry key.
Step 10 – Printing the registry key
Printing the key (printkey plugin) shows that the malware adds a value under the Run key to survive a reboot.
Step 11 – examining the infected system
On the live infected system the registry value and the malicious file are hidden from the user: regedit and Explorer do not show them. The memory image is read without going through the rootkit's hooks, which is why the same artifacts were visible in Volatility.
Step 12 – Finding the malware on infected system
A rootkit detection tool run on the infected system detects the hidden file and the hidden registry entry.
Step 13 – VirusTotal submission
Submitting the malicious file recovered from the infected system to VirusTotal confirms that it is malicious.
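The pivot that Steps 1, 2 and 9 above perform by reading screenshots (alerted connection, to PID, to process name, to autostart-key handle) written as code, as an added example that is not part of the original training material. It parses the plain-text tables that Volatility 2.x's connscan, psscan and handles plugins print. The three sample outputs are constructed to resemble those tables for a Windows XP image; the offsets, timestamps and handle values are made up, and the list of autostart keys is a deliberately short assumption.

```python
"""Alert-to-process triage over Volatility 2 text output (added example, Demo 1).

Parses the tables printed by connscan, psscan and handles and answers: which PID
owns the alerted connection, which process that PID is, and whether the process
holds a handle to an autostart registry key. Sample output below is constructed
(offsets, times and handle values are invented).
"""

CONNSCAN_OUTPUT = r"""
Volatility Foundation Volatility Framework 2.6
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x02035388 192.168.1.100:1035        192.168.1.2:1865          1984
0x02a1c9e8 192.168.1.100:1040        192.168.1.50:445          4
"""

PSSCAN_OUTPUT = r"""
Volatility Foundation Volatility Framework 2.6
Offset(P)  Name                PID   PPID PDB        Time created                   Time exited
---------- ------------------- ----- ---- ---------- ------------------------------ ------------------------------
0x01e2b020 explorer.exe         1984 1964 0x0a1c0200 2012-10-07 08:10:36 UTC+0000
0x01f0e558 svchost.exe           888  652 0x0a1c0100 2012-10-07 08:09:12 UTC+0000
0x0209d7a0 System                  4    0 0x00319000 2012-10-07 08:08:55 UTC+0000
"""

HANDLES_OUTPUT = r"""
Volatility Foundation Volatility Framework 2.6
Offset(V)  Pid   Handle  Access   Type   Details
---------- ----- ------- -------- ------ -------
0x8a0f5a58  1984   0x1c8 0x20019  Key    MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
0x8a1133d0  1984   0x1d0 0x100020 File   \Device\HarddiskVolume1\WINDOWS\explorer.exe
0x8a0e1a10   888   0x0a4 0x20019  Key    MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
"""

# Autostart keys worth flagging. Assumption: a short list; extend it for your environment.
PERSISTENCE_KEYS = (
    r"MICROSOFT\WINDOWS\CURRENTVERSION\RUN",          # also matches RUNONCE
    r"MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON",
)


def _rows(output):
    """Yield the whitespace-split data rows of a Volatility 2 text table.

    Data rows start with an offset (0x...); the banner, header and separator
    lines do not, so they are skipped.
    """
    for line in output.splitlines():
        if line.startswith("0x"):
            yield line.split()


def pids_for_remote(connscan_out, ip, port):
    """PIDs that connscan attributes to connections whose remote end is ip:port."""
    want = f"{ip}:{port}"
    return sorted({int(row[3]) for row in _rows(connscan_out) if row[2] == want})


def process_by_pid(psscan_out):
    """Map PID -> image name from psscan output (columns: offset, name, pid, ...)."""
    return {int(row[2]): row[1] for row in _rows(psscan_out)}


def persistence_key_handles(handles_out, pid):
    """Registry key handles held by pid that point at a known autostart key."""
    hits = []
    for row in _rows(handles_out):
        if int(row[1]) != pid or row[4] != "Key":
            continue
        details = " ".join(row[5:]).upper()   # key paths may contain spaces
        if any(key in details for key in PERSISTENCE_KEYS):
            hits.append(details)
    return hits


def triage(connscan_out, psscan_out, handles_out, ip, port):
    """Walk the demo: alert (ip:port) -> PID -> process name -> autostart handles.

    A PID that connscan reports but psscan does not is still returned: connscan
    carves _TCPT_OBJECT structures from physical memory, so it can report a
    connection whose owning process has already exited.
    """
    names = process_by_pid(psscan_out)
    return [
        {
            "pid": pid,
            "process": names.get(pid, "<not in psscan>"),
            "persistence_keys": persistence_key_handles(handles_out, pid),
        }
        for pid in pids_for_remote(connscan_out, ip, port)
    ]


if __name__ == "__main__":
    for hit in triage(CONNSCAN_OUTPUT, PSSCAN_OUTPUT, HANDLES_OUTPUT, "192.168.1.2", 1865):
        print(hit)
```

The Run-key handle is the weakest of the three signals on its own: explorer.exe legitimately opens that key at logon, which is why the demo only treats it as evidence after the strings from the dumped executable (Step 8) and the printed key contents (Step 10) point at the same key.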
Demo-Scenario 2
Your security device alerts on a malicious HTTP connection to the domain "web3inst.com", which resolves to
192.168.1.2; the communication is detected from source IP 192.168.1.100. You are asked to
investigate and perform memory forensics on the machine 192.168.1.100.
- To start with, acquire the memory image "infected.dmp" from 192.168.1.100 using a memory acquisition
tool (such as DumpIt or win32dd)
- Analyze the memory dump "infected.dmp"
Step 1 – Network connections
Volatility's connscan module shows that the connection to the malicious HTTP destination is owned
by PID 888.
Step 2 – process determination and YARA scan
Volatility's psscan shows that PID 888 is svchost.exe, and a YARA scan (yarascan plugin, e.g. yarascan -p 888 -Y "web3inst.com") finds the malicious domain in the address space of PID 888 (svchost.exe). svchost.exe is a favourite host for injected code precisely because several legitimate instances are always running.
Step 3 – Suspicious mutex in svchost.exe
Volatility's mutantscan shows a suspicious mutex (its -s/--silent option suppresses the unnamed mutants that make up most of the output).
Step 4 – malicious mutex
A Google search shows that this mutex name is associated with the TDSS rootkit.
Step 5 – File handles
Examining the file handles of svchost.exe (PID 888) shows handles to suspicious files whose names start with TDSS.
Step 6 – Hidden DLL
Volatility's dlllist module cannot find the DLL starting with "TDSS", whereas the ldrmodules plugin does. dlllist walks the
PEB's InLoadOrderModuleList, while ldrmodules cross-references all three PEB lists (InLoad, InInit, InMem) against the process's VADs, so a mapped image that is in none of the lists shows up with all three columns False. This confirms that the DLL (TDSSoiqh.dll) was hidden: the malware unlinks it from the three PEB lists.
Step 7– Dumping the hidden DLL
Volatility's dlldump module dumps the hidden DLL; since it has no loader entry to match by name, it is selected by base address with -b.
Step 8– VirusTotal submission of DLL
Submitting the dumped DLL to VirusTotal confirms that it is malicious.
Step 9 – Suspicious DLL loaded by msiexec
dlllist shows a suspicious DLL loaded by msiexec.exe.
Step 10– Dumping DLL and VT submission
Dumping the suspicious DLL (dll.dll) and submitting it to VirusTotal confirms that it is associated with
the TDSS rootkit.
Step 11– Hidden Kernel driver
Volatility's modules plugin cannot find a driver starting with "TDSS", whereas the driverscan plugin does. modules walks the
kernel's PsLoadedModuleList; driverscan carves _DRIVER_OBJECT structures out of physical memory by pool tag, so it still finds a driver that has been unlinked from the list. This confirms that the kernel driver (TDSSserv.sys) was hidden.
Step 12– Kernel Callbacks
The callbacks plugin shows callbacks registered by an unknown driver (the owner is reported as unknown because the address cannot be matched to any module in the loaded-module list). The screenshot shows that the callback addresses fall
within the address range (base to base+size) of TDSSserv.sys.
Step 13– Kernel API hooks
The malware hooks kernel APIs, and the hook addresses also fall within the address range of TDSSserv.sys, so both the callbacks and the hooks are attributed to the hidden driver.
Step 14– Dumping the kernel driver
Dumping the kernel driver (moddump, selected by base address) and submitting it to VirusTotal confirms that it is the TDSS (Alureon) rootkit.
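The two techniques Steps 6, 11, 12 and 13 above rely on, cross-view detection (a scanner finds what the list walker does not) and attributing an "unknown" callback or hook address to the driver whose range contains it, written as code over Volatility 2.x text output. This is an added example and not part of the original training material. The dlllist, ldrmodules, modules, driverscan and callbacks samples are constructed to resemble the plugins' tables for an XP image; the offsets, bases, sizes and the callback address are made up, and the parsers assume the column layouts shown in the samples.

```python
"""Cross-view detection and address attribution (added example, Demo 2).

1. Cross-view: modules ldrmodules/driverscan report that dlllist/modules do not
   are candidates for having been unlinked from the OS's own lists.
2. Attribution: a callback with owner UNKNOWN is attributed to whichever driver's
   [start, start+size) range contains it, using driverscan so hidden drivers count.
All sample output below is constructed; addresses, sizes and offsets are invented.
"""
import re

HEX = r"0x[0-9a-fA-F]+"

DLLLIST_888 = r"""
svchost.exe pid:    888
Command line : C:\WINDOWS\system32\svchost -k netsvcs

Base       Size       LoadCount Path
---------- ---------- ---------- ----
0x01000000 0x00006000 0xffff     C:\WINDOWS\system32\svchost.exe
0x7c900000 0x000af000 0xffff     C:\WINDOWS\system32\ntdll.dll
"""
LDRMODULES_888 = r"""
Pid      Process              Base       InLoad InInit InMem MappedPath
-------- -------------------- ---------- ------ ------ ----- ----------
     888 svchost.exe          0x01000000 True   False  True  \WINDOWS\system32\svchost.exe
     888 svchost.exe          0x7c900000 True   True   True  \WINDOWS\system32\ntdll.dll
     888 svchost.exe          0x10000000 False  False  False \WINDOWS\system32\TDSSoiqh.dll
"""
MODULES = r"""
Offset(V)  Name                 Base       Size     File
---------- -------------------- ---------- -------- ----
0x823fc3a0 ntoskrnl.exe         0x804d7000 0x214600 \WINDOWS\system32\ntoskrnl.exe
0x823f0e40 tcpip.sys            0xf7b80000 0x057000 \SystemRoot\system32\DRIVERS\tcpip.sys
"""
DRIVERSCAN = r"""
Offset(P)  #Ptr #Hnd Start      Size     Service Key  Name     Driver Name
---------- ---- ---- ---------- -------- ------------ -------- -----------
0x01e5c030    3    0 0xf7b80000 0x057000 Tcpip        Tcpip    \Driver\Tcpip
0x01e6a1f8    3    0 0xf8a12000 0x008000 TDSSserv     TDSSserv \Driver\TDSSserv
"""
CALLBACKS = r"""
Type                                 Callback   Module               Details
------------------------------------ ---------- -------------------- -------
PsSetCreateProcessNotifyRoutine      0xf8a14c2e UNKNOWN              -
PsSetLoadImageNotifyRoutine          0x80561a2c ntoskrnl.exe         -
"""


def dlllist_bases(text):
    """Module bases dlllist found by walking the PEB InLoadOrderModuleList."""
    rx = re.compile(rf"^({HEX})\s+{HEX}\s+{HEX}\s+\S", re.M)
    return {int(m.group(1), 16) for m in rx.finditer(text)}


def ldrmodules_entries(text):
    """(base, in_load, in_init, in_mem, mapped_path) for every ldrmodules row."""
    rx = re.compile(rf"^\s*\d+\s+\S+\s+({HEX})\s+(True|False)\s+(True|False)\s+(True|False)\s+(\S.*?)\s*$", re.M)
    return [(int(m.group(1), 16), m.group(2) == "True", m.group(3) == "True",
             m.group(4) == "True", m.group(5)) for m in rx.finditer(text)]


def hidden_dlls(dlllist_text, ldrmodules_text):
    """Mapped images absent from dlllist, or present in none of the three PEB lists.

    The process image itself is legitimately absent from InInit, so one False
    column is normal; all three False is the unlinking signature.
    """
    listed = dlllist_bases(dlllist_text)
    return [path for base, in_load, in_init, in_mem, path in ldrmodules_entries(ldrmodules_text)
            if base not in listed or not (in_load or in_init or in_mem)]


def modules_ranges(text):
    """name -> (base, size) from the PsLoadedModuleList walk (modules plugin)."""
    rx = re.compile(rf"^{HEX}\s+(\S+)\s+({HEX})\s+({HEX})", re.M)
    return {m.group(1): (int(m.group(2), 16), int(m.group(3), 16)) for m in rx.finditer(text)}


def driverscan_ranges(text):
    """service key -> (start, size) from _DRIVER_OBJECT pool scanning (driverscan)."""
    rx = re.compile(rf"^{HEX}\s+\d+\s+\d+\s+({HEX})\s+({HEX})\s+(\S+)", re.M)
    return {m.group(3): (int(m.group(1), 16), int(m.group(2), 16)) for m in rx.finditer(text)}


def hidden_drivers(modules_text, driverscan_text):
    """Drivers driverscan found whose start address the modules list does not contain."""
    listed = {base for base, _size in modules_ranges(modules_text).values()}
    return sorted(name for name, (start, _size) in driverscan_ranges(driverscan_text).items()
                  if start not in listed)


def owner_of(addr, ranges):
    """Name of the range [start, start+size) containing addr, or None."""
    for name, (start, size) in ranges.items():
        if start <= addr < start + size:
            return name
    return None


def unknown_callbacks(text):
    """(callback type, address) for callbacks whose owning module is UNKNOWN."""
    rx = re.compile(rf"^(\S+)\s+({HEX})\s+UNKNOWN\b", re.M)
    return [(m.group(1), int(m.group(2), 16)) for m in rx.finditer(text)]


def attribute_unknown_callbacks(callbacks_text, driverscan_text):
    """Resolve UNKNOWN callback owners against driverscan ranges (hidden drivers included)."""
    ranges = driverscan_ranges(driverscan_text)
    return {f"{ctype}@{addr:#x}": owner_of(addr, ranges)
            for ctype, addr in unknown_callbacks(callbacks_text)}


if __name__ == "__main__":
    print("hidden DLLs:", hidden_dlls(DLLLIST_888, LDRMODULES_888))
    print("hidden drivers:", hidden_drivers(MODULES, DRIVERSCAN))
    print("callback owners:", attribute_unknown_callbacks(CALLBACKS, DRIVERSCAN))
```

Treat a hit as a candidate rather than a verdict: a row with three False columns can also be an image mapped without going through the loader (for example a resource-only DLL opened as a data file), and a pool scanner can return a stale _DRIVER_OBJECT from an unloaded driver. The demo's own next step, dumping the object and submitting it, is the right confirmation. The same owner_of() range check is what the kernel API hook step applies to hook addresses.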
Reference
Complete Reference Guide for Advanced Malware Analysis Training
[Include links for all the Demos & Tools]
Thank You !