
The memory remains


Fileless malware makes cyber attacks even more difficult to detect nowadays. Simple signatures are too easy for an intruder to circumvent. Cyber criminals can also program fileless malware to gain persistence after it is written directly to RAM. Fileless malware is not a revolutionary approach; however, 2016 certainly saw a dramatic rise in this type of attack as the criminals worked to perfect it. This talk is about triaging a system potentially impacted by fileless malware through memory analysis.

Published in: Technology


  1. How do I know I’m secure?
  2. Are my devices infected?
  3. What if!
  4. Incident Response
  5. What if!?!
  6. Or…
  7. We need to analyze malware
  8. Malware becomes smarter:
     • Encrypted network communications (C&C)
     • Persistence (auto start)
     • Privilege escalation (run as admin)
     • Data exfiltration
     • Evades modern antivirus
  9. Fileless Malware
  10. Case Study
  11. We need a sample:
     • Contagio Malware Dump: Free; password required
     • Das Malwerk: Free
     • FreeTrojanBotnet: Free; registration required
     • MalShare: Free; registration required
     • AVCaesar: Free; registration required
     • MalwareBlacklist: Free; registration required
     • Malware DB: Free
     • Malwr: Free; registration required
     • Open Malware: Free
     • theZoo aka Malware DB: Free
     • Virusign: Free
     • VirusShare: Free
  12. Let's get infected
  13. Win7 x86/x64
  14. Before infection: 1. Regshot, 2. Memory dump
  15. After infection: compare Regshot
  16. But....
  17. The memory remains.
  18. Memory dump sources by hypervisor:
     • VMware (Fusion/Workstation/Server/Player): .vmem = raw memory (.vmss and .vmsn contain a memory image; each snapshot has its own .vmem file)
     • Microsoft Hyper-V: .bin = raw memory image
     • Parallels: .mem = raw memory image
     • VirtualBox: .sav = partial memory image (the memory file only holds memory actively in use, not the entire amount of memory assigned to the virtual machine)
  19. Volatility
  20. Shellcode loading…
  21. But....
  22. The memory remains.
  23. Volatility commands used in the case study (the slide lists only the arguments; the vol.py prefix and the backslashes in the registry path, which the extraction dropped, are restored here; the -o offset for hivedump is taken from the hivelist output):
      vol.py -f afterinfected.raw --profile=Win7SP1x86 printkey --key="Software\Microsoft\Windows\CurrentVersion\Run"
      vol.py -f afterinfected.raw --profile=Win7SP1x86 pslist
      vol.py -f afterinfected.raw --profile=Win7SP1x86 malfind -p 3312
      vol.py -f infected.raw --profile=Win7SP1x86 envars -p 3276
      vol.py -f infected.raw --profile=Win7SP1x86 hivedump -o 0x8ced15c0
      vol.py -f infected.raw --profile=Win7SP1x86 hivelist
  24. Yara
  25. Dump the memory.
  26. Nahidul Kibria, Co-Founder, Beetles. @nahidupa. Writing code for fun and food. Security enthusiast.
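The before/after workflow from slides 14, 15 and 23 (dump memory before infection, dump again afterwards, run Volatility plugins, compare), as an added worked example that is not from the talk or its author: it builds the vol.py command lines the slides use and diffs pslist and Run-key printkey output between the two images. The plugin output embedded below is constructed in Volatility 2 layout, and the process and Run value it surfaces (upd.exe, Updater) are made-up placeholders.

```python
import re

def vol_cmd(image, profile, plugin, *args):
    """Build the Volatility 2 argv used on the slides (vol.py -f IMAGE --profile=P PLUGIN ...)."""
    return ["vol.py", "-f", image, "--profile=" + profile, plugin, *args]

def parse_pslist(text):
    """Map PID -> process name from 'pslist' output; data rows start with a hex offset."""
    procs = {}
    for cols in (line.split() for line in text.splitlines()):
        if len(cols) > 2 and cols[0].startswith("0x") and cols[2].isdigit():
            procs[int(cols[2])] = cols[1]
    return procs

RUN_VALUE = re.compile(r"^(REG_\w+)\s+(.+?)\s+:\s+\((S|V)\)\s+(.*)$")

def parse_run_values(text):
    """Map value name -> data from 'printkey' output of a Run key (stable or volatile)."""
    return {m.group(2): m.group(4).strip()
            for m in map(RUN_VALUE.match, map(str.strip, text.splitlines())) if m}

def triage_diff(before_ps, after_ps, before_run, after_run):
    """Processes and Run-key entries present after infection but not before (or changed)."""
    new_procs = {pid: n for pid, n in after_ps.items() if pid not in before_ps}
    new_run = {k: v for k, v in after_run.items() if before_run.get(k) != v}
    return new_procs, new_run

# Constructed sample plugin output (not real captures) in Volatility 2 layout.
PSLIST_BEFORE = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x84159020 System                    4      0     88      534 ------      0 2016-03-25 09:57:01 UTC+0000
0x858fb030 explorer.exe           1852   1812     31      903      1      0 2016-03-25 09:58:40 UTC+0000
"""
PSLIST_AFTER = PSLIST_BEFORE + \
    "0x85a0d8e8 upd.exe                3312   1852     12      310      1      0 2016-03-25 10:02:05 UTC+0000\n"

PRINTKEY_BEFORE = r"""
Registry: \??\C:\Users\user\ntuser.dat
Key name: Run (S)
Values:
REG_SZ        OneDrive        : (S) "C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
"""
PRINTKEY_AFTER = PRINTKEY_BEFORE + r"REG_SZ        Updater         : (S) C:\Users\user\AppData\Roaming\upd.exe" + "\n"

def run_triage():
    """Compare the constructed before/after outputs; real use feeds vol_cmd() output here."""
    return triage_diff(parse_pslist(PSLIST_BEFORE), parse_pslist(PSLIST_AFTER),
                       parse_run_values(PRINTKEY_BEFORE), parse_run_values(PRINTKEY_AFTER))
```

In practice the strings are replaced by the stdout of `subprocess.run(vol_cmd(...), capture_output=True, text=True)` for each image, and the new PIDs feed the malfind -p and envars -p steps from slide 23.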