SlideShare a Scribd company logo

Reversing & malware analysis training part 8 malware memory forensics

Abdulrahman Bassam
Abdulrahman Bassam
Technology
1 of 27
Download to read offline
www.SecurityXploded.com
Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions of any kind. Also the views/ideas/knowledge expressed here are solely of the trainer’s only and nothing to do with the company or the organization in which the trainer is currently working. However in no circumstances neither the trainer nor SecurityXploded is responsible for any damage or loss caused due to use or misuse of the information presented here. www.SecurityXploded.com
Acknowledgement  Special thanks to null & Garage4Hackers community for their extended support and cooperation.  Thanks to all the trainers who have devoted their precious time and countless hours to make it happen. www.SecurityXploded.com
Reversing & Malware Analysis Training This presentation is part of our Reverse Engineering & MalwareAnalysis Training program.Currently it is delivered only during our local meet for FREE of cost. For complete details of this course, visit our Security Training page. www.SecurityXploded.com
Who am I Monnappa  m0nna  Member of SecurityXploded  Info Security Investigator @ Cisco  Reverse Engineering, MalwareAnalysis, Memory Forensics  GREM, CEH  Email: monnappa22@gmail.com www.SecurityXploded.com
Course Q&A  Keep yourself up to date with latest security news  http://www.securityphresh.com  For Q&A, join our mailing list.  http://groups.google.com/group/securityxploded www.SecurityXploded.com
Contents  Why Memory Forensics?  Steps in Memory Forensics  Volatility Quick Overview  Volatility help and plugins  Demo www.SecurityXploded.com
Why Memory Forensics?  Finding and extracting forensic artefacts  Helps in malware analysis  Determining process, network,registry activities  Reconstructing original state of the system  Assists with unpacking, rootkit detectionand reverse engineering www.SecurityXploded.com
Steps in Memory Forensics  Memory acquisition - Dumping the memory of a target machine - tools: Win32dd/Win64dd,Memoryze, DumpIt, FastDump - In Virtual machine: Suspend the VM and use .vmem file  Memory analysis - Analyzing the memory dump for forensic artifacts - tools: Volatility, Memoryze www.SecurityXploded.com
Volatility Quick Overview  Advanced memory Forensics Framework written in python  Installation details: - http://code.google.com/p/volatility/wiki/FullInstallation  Use -h or --help option to get list of command-line switches - example:python vol.py –h  Use -f <filename> and --profile to indicate the memory dump you are analyzing example: python vol.py -f mem.dmp --profile=WinXPSP3x86  To know the --profile info use below command: example:python vol.py -f mem.dmp imageinfo www.SecurityXploded.com
Volatility help and plugins www.SecurityXploded.com -h or –help option displays help and available plug-in commands in volatility.
http://youtu.be/YcVusDjnBxw
Demo-Scenario Your security device alerts, show malicious http connection to ip address 208.91.197.54 from a source ip 192.168.1.100 on 8th june 2012 at around 13:30hrs...you are asked to investigate and do memory forensics on that machine 192.168.1.100 - To start with, acquire the memory image “infected.dmp” from 192.168.1.100, using memory acquistion tools (win32dd) command: win32dd.exe /f infected.dmp - Analyze the memory dump “infected.dmp” www.SecurityXploded.com
Step 1 – Start With what you know www.SecurityXploded.com Volatility’s connectionsmodule shows connection to the malicious ip by pid 1748
Step 2 – Info about 208.91.197.54 www.SecurityXploded.com Google search shows 208.91.197.54 associated with malware, probably “spyeye”, we need to confirm that yet.
Step 3 – Who is Pid 1748? www.SecurityXploded.com “psscan” shows pid 1748 belongs to explorer.exe, also two process created during same time reported by security device (i.e june 8th 2012)
Step 4 – Process handles of explorer.exe www.SecurityXploded.com Explorer.exeopensa handleto theB6232F3A9F9.exe, indicatingexplorer.execreated thatprocess, which might bemalicious…focusingon explorer.exefor now.
Step 5 – apihooks in explorer.exe www.SecurityXploded.com apihooks module show, inline api hooks in explorer.exe and jump to an unknown location
Step 6 – exploring the hooks www.SecurityXploded.com Disassembled hookedfunction(TranslateMessage), showsa shortjump and thena longjump to malwarelocation
Step 7 – Embedded exe in explorer.exe www.SecurityXploded.com Printingthe bytes show the presence of embedded executable in explorer.exe
Step 8 – dumping the embedded exe www.SecurityXploded.com vaddumpdumpstheembedded exefrom explorer.exe
Step 9 – virustotal submission www.SecurityXploded.com Submissionto virustotal, confirmsthedumpedexecutableas componentof“spyeye”
Step 10 – Can we get more info? www.SecurityXploded.com Strings extracted from thedumped executable, show referenceto interestingartifacts(executableand theregistry key)
Step 11 – Printing the registry key www.SecurityXploded.com Malwarecreates registry key to survivethereboot
Step 12 – Finding the malicious exe on infected machine www.SecurityXploded.com Findingmalicious samplefrom infected host and virustotal submissionconfirms spyeyeinfection
Reference  Complete Reference Guide for Reversing & Malware Analysis Training www.SecurityXploded.com
Thank You ! www.SecurityXploded.com

Recommended

Advanced malware analysis training session1 detection and removal of malwares
Advanced malware analysis training session1 detection and removal of malwaresAdvanced malware analysis training session1 detection and removal of malwares
Advanced malware analysis training session1 detection and removal of malwares
Cysinfo Cyber Security Community
 
Reversing & malware analysis training part 9 advanced malware analysis
Reversing & malware analysis training part 9 advanced malware analysisReversing & malware analysis training part 9 advanced malware analysis
Reversing & malware analysis training part 9 advanced malware analysis
Abdulrahman Bassam
 
Watering hole attacks case study analysis
Watering hole attacks case study analysisWatering hole attacks case study analysis
Watering hole attacks case study analysis
Cysinfo Cyber Security Community
 
Defeating public exploit protections (EMET v5.2 and more)
Defeating public exploit protections (EMET v5.2 and more)Defeating public exploit protections (EMET v5.2 and more)
Defeating public exploit protections (EMET v5.2 and more)
securityxploded
 
Advanced malware analysis training session10 part1
Advanced malware analysis training session10 part1Advanced malware analysis training session10 part1
Advanced malware analysis training session10 part1
Cysinfo Cyber Security Community
 
Seminar1
Seminar1Seminar1
Seminar1
Satish Padnani
 
Dissecting BetaBot
Dissecting BetaBotDissecting BetaBot
Dissecting BetaBot
securityxploded
 
Personal Internet Security System
Personal Internet Security SystemPersonal Internet Security System
Personal Internet Security System
Matthew Bricker
 

Recommended

Advanced malware analysis training session1 detection and removal of malwares
Advanced malware analysis training session1 detection and removal of malwaresAdvanced malware analysis training session1 detection and removal of malwares
Advanced malware analysis training session1 detection and removal of malwares
Cysinfo Cyber Security Community
 
Reversing & malware analysis training part 9 advanced malware analysis
Reversing & malware analysis training part 9 advanced malware analysisReversing & malware analysis training part 9 advanced malware analysis
Reversing & malware analysis training part 9 advanced malware analysis
Abdulrahman Bassam
 
Watering hole attacks case study analysis
Watering hole attacks case study analysisWatering hole attacks case study analysis
Watering hole attacks case study analysis
Cysinfo Cyber Security Community
 
Defeating public exploit protections (EMET v5.2 and more)
Defeating public exploit protections (EMET v5.2 and more)Defeating public exploit protections (EMET v5.2 and more)
Defeating public exploit protections (EMET v5.2 and more)
securityxploded
 
Advanced malware analysis training session10 part1
Advanced malware analysis training session10 part1Advanced malware analysis training session10 part1
Advanced malware analysis training session10 part1
Cysinfo Cyber Security Community
 
Seminar1
Seminar1Seminar1
Seminar1
Satish Padnani
 
Dissecting BetaBot
Dissecting BetaBotDissecting BetaBot
Dissecting BetaBot
securityxploded
 
Personal Internet Security System
Personal Internet Security SystemPersonal Internet Security System
Personal Internet Security System
Matthew Bricker
 
Reversing malware analysis training part10 exploit development basics
Reversing malware analysis training part10 exploit development basicsReversing malware analysis training part10 exploit development basics
Reversing malware analysis training part10 exploit development basics
Cysinfo Cyber Security Community
 
Hunting Ghost RAT Using Memory Forensics
Hunting Ghost RAT Using Memory ForensicsHunting Ghost RAT Using Memory Forensics
Hunting Ghost RAT Using Memory Forensics
securityxploded
 
Understanding CryptoLocker (Ransomware) with a Case Study
Understanding CryptoLocker (Ransomware) with a Case StudyUnderstanding CryptoLocker (Ransomware) with a Case Study
Understanding CryptoLocker (Ransomware) with a Case Study
securityxploded
 
Investigating Malware using Memory Forensics
Investigating Malware using Memory ForensicsInvestigating Malware using Memory Forensics
Investigating Malware using Memory Forensics
Cysinfo Cyber Security Community
 
Security awareness for information security team
Security awareness for information security teamSecurity awareness for information security team
Security awareness for information security team
Kirill Ermakov
 
Reverse Engineering Malware
Reverse Engineering MalwareReverse Engineering Malware
Reverse Engineering Malware
securityxploded
 
Basic malware analysis
Basic malware analysis Basic malware analysis
Basic malware analysis
Cysinfo Cyber Security Community
 
Continuous Security - TCCC
Continuous Security - TCCCContinuous Security - TCCC
Continuous Security - TCCC
Wendy Istvanick
 
Advanced malware analysis training session11 part2 dissecting the heart beat ...
Advanced malware analysis training session11 part2 dissecting the heart beat ...Advanced malware analysis training session11 part2 dissecting the heart beat ...
Advanced malware analysis training session11 part2 dissecting the heart beat ...
Cysinfo Cyber Security Community
 
Reverse engineering malware
Reverse engineering malwareReverse engineering malware
Reverse engineering malware
Cysinfo Cyber Security Community
 
Anatomy of Exploit Kits
Anatomy of Exploit KitsAnatomy of Exploit Kits
Anatomy of Exploit Kits
securityxploded
 
Why vulners? Short story about reinventing a wheel
Why vulners? Short story about reinventing a wheelWhy vulners? Short story about reinventing a wheel
Why vulners? Short story about reinventing a wheel
Kirill Ermakov
 
Web Servers
Web ServersWeb Servers
Web Servers
webhostingguy
 
Reversing and decrypting communications of apt malware
Reversing and decrypting communications of apt malwareReversing and decrypting communications of apt malware
Reversing and decrypting communications of apt malware
Cysinfo Cyber Security Community
 
Unmasking or De-Anonymizing You
Unmasking or De-Anonymizing YouUnmasking or De-Anonymizing You
Unmasking or De-Anonymizing You
E Hacking
 
Hunting gh0st rat using memory forensics
Hunting gh0st rat using memory forensics Hunting gh0st rat using memory forensics
Hunting gh0st rat using memory forensics
Cysinfo Cyber Security Community
 
Watering Hole Attacks Case Study and Analysis_SecurityXploded_Meet_june14
Watering Hole Attacks Case Study and Analysis_SecurityXploded_Meet_june14Watering Hole Attacks Case Study and Analysis_SecurityXploded_Meet_june14
Watering Hole Attacks Case Study and Analysis_SecurityXploded_Meet_june14
securityxploded
 
Malware Evasion Techniques
Malware Evasion TechniquesMalware Evasion Techniques
Malware Evasion Techniques
Thomas Roccia
 
What is pcaui.exe?
What is pcaui.exe?What is pcaui.exe?
What is pcaui.exe?
FileInspect
 
Automating malware analysis
Automating malware analysis Automating malware analysis
Automating malware analysis
Cysinfo Cyber Security Community
 
Failure Of DEP And ASLR
Failure Of DEP And ASLRFailure Of DEP And ASLR
Failure Of DEP And ASLR
n|u - The Open Security Community
 
Reversing & malware analysis training part 11 exploit development advanced
Reversing & malware analysis training part 11 exploit development advancedReversing & malware analysis training part 11 exploit development advanced
Reversing & malware analysis training part 11 exploit development advanced
Abdulrahman Bassam
 

More Related Content

What's hot

What's hot (20)

Reversing malware analysis training part10 exploit development basics
Reversing malware analysis training part10 exploit development basicsReversing malware analysis training part10 exploit development basics
Reversing malware analysis training part10 exploit development basics
 
Hunting Ghost RAT Using Memory Forensics
Hunting Ghost RAT Using Memory ForensicsHunting Ghost RAT Using Memory Forensics
Hunting Ghost RAT Using Memory Forensics
 
Understanding CryptoLocker (Ransomware) with a Case Study
Understanding CryptoLocker (Ransomware) with a Case StudyUnderstanding CryptoLocker (Ransomware) with a Case Study
Understanding CryptoLocker (Ransomware) with a Case Study
 
Investigating Malware using Memory Forensics
Investigating Malware using Memory ForensicsInvestigating Malware using Memory Forensics
Investigating Malware using Memory Forensics
 
Security awareness for information security team
Security awareness for information security teamSecurity awareness for information security team
Security awareness for information security team
 
Reverse Engineering Malware
Reverse Engineering MalwareReverse Engineering Malware
Reverse Engineering Malware
 
Basic malware analysis
Basic malware analysis Basic malware analysis
Basic malware analysis
 
Continuous Security - TCCC
Continuous Security - TCCCContinuous Security - TCCC
Continuous Security - TCCC
 
Advanced malware analysis training session11 part2 dissecting the heart beat ...
Advanced malware analysis training session11 part2 dissecting the heart beat ...Advanced malware analysis training session11 part2 dissecting the heart beat ...
Advanced malware analysis training session11 part2 dissecting the heart beat ...
 
Reverse engineering malware
Reverse engineering malwareReverse engineering malware
Reverse engineering malware
 
Anatomy of Exploit Kits
Anatomy of Exploit KitsAnatomy of Exploit Kits
Anatomy of Exploit Kits
 
Why vulners? Short story about reinventing a wheel
Why vulners? Short story about reinventing a wheelWhy vulners? Short story about reinventing a wheel
Why vulners? Short story about reinventing a wheel
 
Web Servers
Web ServersWeb Servers
Web Servers
 
Reversing and decrypting communications of apt malware
Reversing and decrypting communications of apt malwareReversing and decrypting communications of apt malware
Reversing and decrypting communications of apt malware
 
Unmasking or De-Anonymizing You
Unmasking or De-Anonymizing YouUnmasking or De-Anonymizing You
Unmasking or De-Anonymizing You
 
Hunting gh0st rat using memory forensics
Hunting gh0st rat using memory forensics Hunting gh0st rat using memory forensics
Hunting gh0st rat using memory forensics
 
Watering Hole Attacks Case Study and Analysis_SecurityXploded_Meet_june14
Watering Hole Attacks Case Study and Analysis_SecurityXploded_Meet_june14Watering Hole Attacks Case Study and Analysis_SecurityXploded_Meet_june14
Watering Hole Attacks Case Study and Analysis_SecurityXploded_Meet_june14
 
Malware Evasion Techniques
Malware Evasion TechniquesMalware Evasion Techniques
Malware Evasion Techniques
 
What is pcaui.exe?
What is pcaui.exe?What is pcaui.exe?
What is pcaui.exe?
 
Automating malware analysis
Automating malware analysis Automating malware analysis
Automating malware analysis
 

Viewers also liked

Reversing & malware analysis training part 11 exploit development advanced
Reversing & malware analysis training part 11 exploit development advancedReversing & malware analysis training part 11 exploit development advanced
Reversing & malware analysis training part 11 exploit development advanced
Abdulrahman Bassam
 
Reversing & malware analysis training part 5 reverse engineering tools basics
Reversing & malware analysis training part 5 reverse engineering tools basics Reversing & malware analysis training part 5 reverse engineering tools basics
Reversing & malware analysis training part 5 reverse engineering tools basics
Abdulrahman Bassam
 
Reversing & malware analysis training part 7 unpacking upx
Reversing & malware analysis training part 7 unpacking upxReversing & malware analysis training part 7 unpacking upx
Reversing & malware analysis training part 7 unpacking upx
Abdulrahman Bassam
 
Reversing & malware analysis training part 6 practical reversing (i)
Reversing & malware analysis training part 6 practical reversing (i)Reversing & malware analysis training part 6 practical reversing (i)
Reversing & malware analysis training part 6 practical reversing (i)
Abdulrahman Bassam
 
SEH overwrite and its exploitability
SEH overwrite and its exploitabilitySEH overwrite and its exploitability
SEH overwrite and its exploitability
FFRI, Inc.
 

Viewers also liked (7)

Failure Of DEP And ASLR
Failure Of DEP And ASLRFailure Of DEP And ASLR
Failure Of DEP And ASLR
 
Reversing & malware analysis training part 11 exploit development advanced
Reversing & malware analysis training part 11 exploit development advancedReversing & malware analysis training part 11 exploit development advanced
Reversing & malware analysis training part 11 exploit development advanced
 
Reversing & malware analysis training part 5 reverse engineering tools basics
Reversing & malware analysis training part 5 reverse engineering tools basics Reversing & malware analysis training part 5 reverse engineering tools basics
Reversing & malware analysis training part 5 reverse engineering tools basics
 
Reversing & malware analysis training part 7 unpacking upx
Reversing & malware analysis training part 7 unpacking upxReversing & malware analysis training part 7 unpacking upx
Reversing & malware analysis training part 7 unpacking upx
 
Reversing & malware analysis training part 6 practical reversing (i)
Reversing & malware analysis training part 6 practical reversing (i)Reversing & malware analysis training part 6 practical reversing (i)
Reversing & malware analysis training part 6 practical reversing (i)
 
SEH overwrite and its exploitability
SEH overwrite and its exploitabilitySEH overwrite and its exploitability
SEH overwrite and its exploitability
 
YEAR 5 TEACHER'S RESOURCE BOOK
YEAR 5 TEACHER'S RESOURCE BOOKYEAR 5 TEACHER'S RESOURCE BOOK
YEAR 5 TEACHER'S RESOURCE BOOK
 

Similar to Reversing & malware analysis training part 8 malware memory forensics

Reversing & malware analysis training part 12 rootkit analysis
Reversing & malware analysis training part 12 rootkit analysisReversing & malware analysis training part 12 rootkit analysis
Reversing & malware analysis training part 12 rootkit analysis
Abdulrahman Bassam
 
Reversing & malware analysis training part 10 exploit development basics
Reversing & malware analysis training part 10 exploit development basicsReversing & malware analysis training part 10 exploit development basics
Reversing & malware analysis training part 10 exploit development basics
Abdulrahman Bassam
 
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsInvestigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Aaron ND Sawmadal
 
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsInvestigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Aaron ND Sawmadal
 
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wnedLayer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
fangjiafu
 
Reversing & malware analysis training part 1 lab setup guide
Reversing & malware analysis training part 1 lab setup guideReversing & malware analysis training part 1 lab setup guide
Reversing & malware analysis training part 1 lab setup guide
Abdulrahman Bassam
 
ethical-hacking-18092013112412-ethical-hacking.ppt
ethical-hacking-18092013112412-ethical-hacking.pptethical-hacking-18092013112412-ethical-hacking.ppt
ethical-hacking-18092013112412-ethical-hacking.ppt
ricagip499
 

Similar to Reversing & malware analysis training part 8 malware memory forensics (20)

Advanced Malware Analysis Training Session 7 - Malware Memory Forensics
Advanced Malware Analysis Training Session 7 - Malware Memory ForensicsAdvanced Malware Analysis Training Session 7 - Malware Memory Forensics
Advanced Malware Analysis Training Session 7 - Malware Memory Forensics
 
Advanced malware analysis training session 7 malware memory forensics
Advanced malware analysis training session 7 malware memory forensicsAdvanced malware analysis training session 7 malware memory forensics
Advanced malware analysis training session 7 malware memory forensics
 
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 - Advanced Malware AnalysisReversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
 
Advanced Malware Analysis Training Session 6 - Malware Sandbox Analysis
Advanced Malware Analysis Training Session 6 - Malware Sandbox AnalysisAdvanced Malware Analysis Training Session 6 - Malware Sandbox Analysis
Advanced Malware Analysis Training Session 6 - Malware Sandbox Analysis
 
Reversing & malware analysis training part 12 rootkit analysis
Reversing & malware analysis training part 12 rootkit analysisReversing & malware analysis training part 12 rootkit analysis
Reversing & malware analysis training part 12 rootkit analysis
 
Advanced Malware Analysis Training - Detection and Removal of Malwares
Advanced Malware Analysis Training - Detection and Removal of MalwaresAdvanced Malware Analysis Training - Detection and Removal of Malwares
Advanced Malware Analysis Training - Detection and Removal of Malwares
 
Reversing & malware analysis training part 1 lab setup guide
Reversing & malware analysis training part 1 lab setup guideReversing & malware analysis training part 1 lab setup guide
Reversing & malware analysis training part 1 lab setup guide
 
Reversing & malware analysis training part 10 exploit development basics
Reversing & malware analysis training part 10 exploit development basicsReversing & malware analysis training part 10 exploit development basics
Reversing & malware analysis training part 10 exploit development basics
 
Advanced Malware Analysis Training Session 1 - Detection and Removal of Malwares
Advanced Malware Analysis Training Session 1 - Detection and Removal of MalwaresAdvanced Malware Analysis Training Session 1 - Detection and Removal of Malwares
Advanced Malware Analysis Training Session 1 - Detection and Removal of Malwares
 
Reversing malware analysis trainingpart9 advanced malware analysis
Reversing malware analysis trainingpart9 advanced malware analysisReversing malware analysis trainingpart9 advanced malware analysis
Reversing malware analysis trainingpart9 advanced malware analysis
 
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsInvestigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
 
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsInvestigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
 
Basic malware analysis
Basic malware analysisBasic malware analysis
Basic malware analysis
 
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wnedLayer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
 
Reversing & malware analysis training part 1 lab setup guide
Reversing & malware analysis training part 1 lab setup guideReversing & malware analysis training part 1 lab setup guide
Reversing & malware analysis training part 1 lab setup guide
 
Dissecting the heart beat apt rat functionalities - Part 2
Dissecting the heart beat apt rat functionalities - Part 2Dissecting the heart beat apt rat functionalities - Part 2
Dissecting the heart beat apt rat functionalities - Part 2
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDF
 
ethical-hacking-18092013112412-ethical-hacking.ppt
ethical-hacking-18092013112412-ethical-hacking.pptethical-hacking-18092013112412-ethical-hacking.ppt
ethical-hacking-18092013112412-ethical-hacking.ppt
 
Advanced malware analysis training session6 malware sandbox analysis
Advanced malware analysis training session6 malware sandbox analysisAdvanced malware analysis training session6 malware sandbox analysis
Advanced malware analysis training session6 malware sandbox analysis
 
Computer_Hacking_for_Beginners_Kevin_James_complex.pdf
Computer_Hacking_for_Beginners_Kevin_James_complex.pdfComputer_Hacking_for_Beginners_Kevin_James_complex.pdf
Computer_Hacking_for_Beginners_Kevin_James_complex.pdf
 

Recently uploaded

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Delhi Call girls
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
Delhi Call girls
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Delhi Call girls
 

Recently uploaded (20)

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 

Reversing & malware analysis training part 8 malware memory forensics

  • 2. Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions of any kind. Also the views/ideas/knowledge expressed here are solely of the trainer’s only and nothing to do with the company or the organization in which the trainer is currently working. However in no circumstances neither the trainer nor SecurityXploded is responsible for any damage or loss caused due to use or misuse of the information presented here. www.SecurityXploded.com
  • 3. Acknowledgement  Special thanks to null & Garage4Hackers community for their extended support and cooperation.  Thanks to all the trainers who have devoted their precious time and countless hours to make it happen. www.SecurityXploded.com
  • 4. Reversing & Malware Analysis Training This presentation is part of our Reverse Engineering & MalwareAnalysis Training program.Currently it is delivered only during our local meet for FREE of cost. For complete details of this course, visit our Security Training page. www.SecurityXploded.com
  • 5. Who am I Monnappa  m0nna  Member of SecurityXploded  Info Security Investigator @ Cisco  Reverse Engineering, MalwareAnalysis, Memory Forensics  GREM, CEH  Email: monnappa22@gmail.com www.SecurityXploded.com
  • 6. Course Q&A  Keep yourself up to date with latest security news  http://www.securityphresh.com  For Q&A, join our mailing list.  http://groups.google.com/group/securityxploded www.SecurityXploded.com
  • 7. Contents  Why Memory Forensics?  Steps in Memory Forensics  Volatility Quick Overview  Volatility help and plugins  Demo www.SecurityXploded.com
  • 8. Why Memory Forensics?  Finding and extracting forensic artefacts  Helps in malware analysis  Determining process, network,registry activities  Reconstructing original state of the system  Assists with unpacking, rootkit detectionand reverse engineering www.SecurityXploded.com
  • 9. Steps in Memory Forensics  Memory acquisition - Dumping the memory of a target machine - tools: Win32dd/Win64dd,Memoryze, DumpIt, FastDump - In Virtual machine: Suspend the VM and use .vmem file  Memory analysis - Analyzing the memory dump for forensic artifacts - tools: Volatility, Memoryze www.SecurityXploded.com
  • 10. Volatility Quick Overview  Advanced memory Forensics Framework written in python  Installation details: - http://code.google.com/p/volatility/wiki/FullInstallation  Use -h or --help option to get list of command-line switches - example:python vol.py –h  Use -f <filename> and --profile to indicate the memory dump you are analyzing example: python vol.py -f mem.dmp --profile=WinXPSP3x86  To know the --profile info use below command: example:python vol.py -f mem.dmp imageinfo www.SecurityXploded.com
  • 11. Volatility help and plugins www.SecurityXploded.com -h or –help option displays help and available plug-in commands in volatility.
  • 13. Demo-Scenario Your security device alerts, show malicious http connection to ip address 208.91.197.54 from a source ip 192.168.1.100 on 8th june 2012 at around 13:30hrs...you are asked to investigate and do memory forensics on that machine 192.168.1.100 - To start with, acquire the memory image “infected.dmp” from 192.168.1.100, using memory acquistion tools (win32dd) command: win32dd.exe /f infected.dmp - Analyze the memory dump “infected.dmp” www.SecurityXploded.com
  • 14. Step 1 – Start With what you know www.SecurityXploded.com Volatility’s connectionsmodule shows connection to the malicious ip by pid 1748
  • 15. Step 2 – Info about 208.91.197.54 www.SecurityXploded.com Google search shows 208.91.197.54 associated with malware, probably “spyeye”, we need to confirm that yet.
  • 16. Step 3 – Who is Pid 1748? www.SecurityXploded.com “psscan” shows pid 1748 belongs to explorer.exe, also two process created during same time reported by security device (i.e june 8th 2012)
  • 17. Step 4 – Process handles of explorer.exe www.SecurityXploded.com Explorer.exeopensa handleto theB6232F3A9F9.exe, indicatingexplorer.execreated thatprocess, which might bemalicious…focusingon explorer.exefor now.
  • 18. Step 5 – apihooks in explorer.exe www.SecurityXploded.com apihooks module show, inline api hooks in explorer.exe and jump to an unknown location
  • 19. Step 6 – exploring the hooks www.SecurityXploded.com Disassembled hookedfunction(TranslateMessage), showsa shortjump and thena longjump to malwarelocation
  • 20. Step 7 – Embedded exe in explorer.exe www.SecurityXploded.com Printingthe bytes show the presence of embedded executable in explorer.exe
  • 21. Step 8 – dumping the embedded exe www.SecurityXploded.com vaddumpdumpstheembedded exefrom explorer.exe
  • 22. Step 9 – virustotal submission www.SecurityXploded.com Submissionto virustotal, confirmsthedumpedexecutableas componentof“spyeye”
  • 23. Step 10 – Can we get more info? www.SecurityXploded.com Strings extracted from thedumped executable, show referenceto interestingartifacts(executableand theregistry key)
  • 24. Step 11 – Printing the registry key www.SecurityXploded.com Malwarecreates registry key to survivethereboot
  • 25. Step 12 – Finding the malicious exe on infected machine www.SecurityXploded.com Findingmalicious samplefrom infected host and virustotal submissionconfirms spyeyeinfection
  • 26. Reference  Complete Reference Guide for Reversing & Malware Analysis Training www.SecurityXploded.com