Www.SecurityXploded.com. Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.

Slides:



Advertisements
Similar presentations
Intel® RPIER 3.1 User Training Joe Schwendt Steve Mancini 7/31/2006.
Advertisements

Malware Artifacts.
Monnappa KA  Info Security Cisco  Core Member of SecurityXploded  Focus on Threat Intelligence  Reverse Engineering, Malware Analysis,
Operating System Security : David Phillips A Study of Windows Rootkits.
Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
Memory Forensics Key component in DFIR Consider a second hobby (knitting) Get a rocking chair You still want to do this? Fine.....
Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
Memory Forensics During Incident Response
V0.01 © 2009 Research In Motion Limited Introduction to Java Application Development for the BlackBerry Smartphone Trainer name Date.
Information Networking Security and Assurance Lab National Chung Cheng University F.I.R.E. Forensics & Incident Response Environment.
Automated Malware Analysis
Client-Server collaborative scanning Dumitru Codreanu R&D, BitDefender.
Defeating public exploit protections (EMET v5.2 and more)
Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
Debugging Print And Imaging Drivers. Print driver team philosophy on driver quality There are tools to detect violations Wrongful development assumptions.
Introduction to Android Swapnil Pathak Advanced Malware Analysis Training Series.
Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
APT29 HAMMERTOSS Jayakrishnan M.
Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
1 All Your iFRAMEs Point to Us Mike Burry. 2 Drive-by downloads Malicious code (typically Javascript) Downloaded without user interaction (automatic),
Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
Ether: Malware Analysis via Hardware Virtualization Extensions Author: Artem Dinaburg, Paul Royal, Monirul Sharif, Wenke Lee Presenter: Yi Yang Presenter:
Monnappa KA  Info Security Cisco  Member of SecurityXploded  Reverse Engineering, Malware Analysis, Memory Forensics 
Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
Malware Analysis Jaimin Shah & Krunal Patel Vishal Patel & Shreyas Patel Georgia Institute of Technology School of Electrical and Computer Engineering.
AccessMiner Using System- Centric Models for Malware Protection Andrea Lanzi, Davide Balzarotti, Christopher Kruegel, Mihai Christodorescu and Engin Kirda.
1 Outspect: Unified Memory Forensic Toolset for Virtual Machines AVTokyo, 31-10/2009 Nguyen Anh Quynh, Kuniyasu Suzaki, Ruo Ando.
Deeper research never hurts! Check out the following links: Our tools:  Tools - Benjamin Delpy
Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
Amit Malik SecurityXploded Research Group FireEye Labs.
Nexthink V5 Demo Security – Malicious Anomaly. Situation › Avoid damage resulting from the incident itself and the cost of the unplanned response › Protection.
Mastering Windows Network Forensics and Investigation Chapter 10: Introduction to Malware.
Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
Homework tar file Download your course tarball from web page – Named using your PSU ID – Chapter labeled for each binary.
CNIT 124: Advanced Ethical Hacking Ch 10: Client-Side Exploitation.
Advanced Website Training: June, 2010 Insert Images as Your Background Using Google Docs for Document Hosting Custom Contact Forms on Your Website.
Chapter 6 Discovering the Scope of the Incident Spring Incident Response & Computer Forensics.
Role Of Network IDS in Network Perimeter Defense.
: Information Retrieval อาจารย์ ธีภากรณ์ นฤมาณนลิณี
Mastering Windows Network Forensics and Investigation Chapter 6: Live Analysis Techniques.
By Adam Reimel. Outline Introduction Platform Architecture Future Conclusion.
February 2016 Meeting. Web Defacement and Spear Phishing.
Windows Vista Configuration MCTS : Internet Explorer 7.0.
© 2013 IBM Corporation IBM UrbanCode Deploy v6.0 Support Enablement Training Jenkins plug-in 1 November 2013.
Internet Vulnerabilities & Criminal Activity Internet Forensics 12.1 April 26, 2010 Internet Forensics 12.1 April 26, 2010.
Responder Field Edition & Pro
Malware Reverse Engineering Process
Rootkit Detection and Mitigation
Defeat Tomorrow’s Threats Today
Malware Reverse Engineering Process
Responder Field Edition & Pro
Microsoft /6/ :30 PM BRK3293 Explore adventures in the underland: Forensic techniques against hackers evading the hook Paula Januszkiewicz.
Steps to Troubleshoot Norton 360 Error Norton 360 security software is all in one solution that combined online protection and performance tuning.
Malware Analysis with Volatility
Part 1: Basic Analysis Chapter 1: Basic Static Techniques
1Y0-203 Dumps PDF Are You Worried About Citrix XenApp and XenDesktop 7.15 Administration 1y0-203 dumps1y0-203 braindumps1y0-203 study material1y0-203 dumps.
GCED Exam Braindumps
CMSC 491/691 Malware Analysis
Basic Dynamic Analysis VMs and Sandboxes
Setup a VM to use for analyzing malware
Talking Malware Analysis with MITRE
Memory Forensics Josh Mpere.
Presentation transcript:

Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions of any kind. Also the views/ideas/knowledge expressed here are solely of the trainer’s only and nothing to do with the company or the organization in which the trainer is currently working. However in no circumstances neither the trainer nor SecurityXploded is responsible for any damage or loss caused due to use or misuse of the information presented here.

Acknowledgement  Special thanks to null & Garage4Hackers community for their extended support and cooperation.  Thanks to all the trainers who have devoted their precious time and countless hours to make it happen.

Reversing & Malware Analysis Training This presentation is part of our Reverse Engineering & Malware Analysis Training program. Currently it is delivered only during our local meet for FREE of cost. For complete details of this course, visit our Security Training page.Security Training page

Who am I Monnappa  m0nna  Member of SecurityXploded  Info Security Cisco  Reverse Engineering, Malware Analysis, Memory Forensics  GREM, CEH 

Contents  Why Memory Forensics?  Steps in Memory Forensics  Volatility Quick Overview  Volatility help and plugins  Demo

Why Memory Forensics?  Finding and extracting forensic artefacts  Helps in malware analysis  Determining process, network, registry activities  Reconstructing original state of the system  Assists with unpacking, rootkit detection and reverse engineering

Steps in Memory Forensics  Memory acquisition - Dumping the memory of a target machine - tools: Win32dd/Win64dd, Memoryze, DumpIt, FastDump - In Virtual machine: Suspend the VM and use.vmem file  Memory analysis - Analyzing the memory dump for forensic artifacts - tools: Volatility, Memoryze

Volatility Quick Overview  Advanced memory Forensics Framework written in python  Installation details:  Use -h or --help option to get list of command-line switches - example: python vol.py –h  Use -f and --profile to indicate the memory dump you are analyzing example: python vol.py -f mem.dmp --profile=WinXPSP3x86  To know the --profile info use below command: example: python vol.py -f mem.dmp imageinfo

Volatility help and plugins -h or –help option displays help and available plug-in commands in volatility.

Demo-Scenario Your security device alerts, show malicious http connection to ip address from a source ip on 8th june 2012 at around 13:30hrs...you are asked to investigate and do memory forensics on that machine To start with, acquire the memory image “infected.dmp” from , using memory acquistion tools (win32dd) command: win32dd.exe /f infected.dmp - Analyze the memory dump “infected.dmp”

Step 1 – Start With what you know Volatility’s connections module shows connection to the malicious ip by pid 1748

Step 2 – Info about Google search shows associated with malware, probably “spyeye”, we need to confirm that yet.

Step 3 – Who is Pid 1748? “psscan” shows pid 1748 belongs to explorer.exe, also two process created during same time reported by security device (i.e june 8 th 2012)

Step 4 – Process handles of explorer.exe Explorer.exe opens a handle to the B6232F3A9F9.exe, indicating explorer.exe created that process, which might be malicious…focusing on explorer.exe for now.

Step 5 – apihooks in explorer.exe apihooks module show, inline api hooks in explorer.exe and jump to an unknown location

Step 6 – exploring the hooks Disassembled hooked function (TranslateMessage), shows a short jump and then a long jump to malware location

Step 7 – Embedded exe in explorer.exe Printing the bytes show the presence of embedded executable in explorer.exe

Step 8 – dumping the embedded exe vaddump dumps the embedded exe from explorer.exe

Step 9 – virustotal submission Submission to virustotal, confirms the dumped executable as component of “spyeye”

Step 10 – Can we get more info? Strings extracted from the dumped executable, show reference to interesting artifacts (executable and the registry key)

Step 11 – Printing the registry key Malware creates registry key to survive the reboot

Step 12 – Finding the malicious exe on infected machine Finding malicious sample from infected host and virustotal submission confirms spyeye infection

Reference  Complete Reference Guide for Reversing & Malware Analysis Training Complete Reference Guide for Reversing & Malware Analysis Training

Thank You !