1
Malware Artifacts
2
Agenda
- Quick introduction
- Quick overview of artifacts
- Walk-through lab
3
Introduction
Edgar Sevilla, CIO, Kyrus Technology: 15 years of software development, reverse engineering, computer forensics, and information security.
Ken Warren, Director of Training, AccessData: 15 years of experience in law enforcement and computer forensic examinations.
4
Today's Goal
- Gain a high-level understanding of the artifacts that can be found in memory, on a dead disk, and on live systems when malware executes
- Walk through a memory image, a disk image, and a live system to find those artifacts
- This lab will NOT go into reverse engineering, no matter how much I want to!
5
Where can we find artifacts?
Memory:
- Process enumeration
- Driver enumeration
- Module enumeration
- Open registry keys
- Open file handles
- Synchronization events
- Communications
- Content
6
Where can we find artifacts?
Disk:
- Files
- Prefetch files
- Registry files
- File attributes
- File times
- Restore points
- Pagefile
7
Where can we find artifacts?
Live systems:
- Hidden files
- Hidden processes
- Repetitive actions
- Registry activity
- Communications
- Processes
- Hidden registry entries
8
Processes/Drivers
- Process enumeration
- Driver enumeration
9
Files
- Prefetch file
- File times
- File attributes
- Hidden files
- Open handles
- Loaded modules
10
Registry
- Autoruns entries (check the autoruns entries in the registry)
- Windows Firewall modifications
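As an added example (not code from the deck or its authors), the two registry checks on this slide written out in Python. The key paths and value names (Winlogon\Userinit, FirewallPolicy\...\EnableFirewall) are the real Windows ones; the sample registry values are constructed, with the appended sdra64.exe path taken from the lab slide; the live read uses the standard-library winreg module and only runs on Windows.

```python
r"""Registry autoruns and firewall checks (added example, not from the deck).

Userinit (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon) is a
comma-separated list of programs winlogon runs at logon. Its default value is
"C:\WINDOWS\system32\userinit.exe," (note the trailing comma). Malware such as
Zeus appends its own executable so it is started at every logon.
"""
import sys

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
FIREWALL_PROFILES = {
    "StandardProfile": r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile",
    "DomainProfile": r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile",
}
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"


def parse_userinit(value):
    """Split the Userinit REG_SZ into its program list, dropping the empty
    element produced by the legitimate trailing comma."""
    return [p.strip() for p in value.split(",") if p.strip()]


def unexpected_userinit_entries(value, expected=EXPECTED_USERINIT):
    """Return every Userinit entry that is not the expected userinit.exe path
    (case-insensitive; quotes around the path are tolerated)."""
    out = []
    for entry in parse_userinit(value):
        if entry.strip('"').lower() != expected.lower():
            out.append(entry)
    return out


def firewall_disabled_profiles(values):
    """values maps profile name -> EnableFirewall DWORD read from that profile
    key (None if absent). 0 means the profile's firewall was switched off;
    an absent value leaves the default (enabled) in effect."""
    return sorted(p for p, v in values.items() if v == 0)


# Constructed sample data modeled on a Zeus infection of this era.
SAMPLE_USERINIT_CLEAN = r"C:\WINDOWS\system32\userinit.exe,"
SAMPLE_USERINIT_INFECTED = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,"
SAMPLE_FIREWALL = {"StandardProfile": 0, "DomainProfile": 1}


def read_live_values():
    """Read the same values from the local registry (Windows only).
    Returns (userinit_value, {profile: EnableFirewall or None})."""
    import winreg  # imported here so the module loads on non-Windows hosts
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        userinit, _ = winreg.QueryValueEx(key, "Userinit")
    firewall = {}
    for name, path in FIREWALL_PROFILES.items():
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
                firewall[name], _ = winreg.QueryValueEx(key, "EnableFirewall")
        except OSError:
            firewall[name] = None
    return userinit, firewall


if __name__ == "__main__":
    if sys.platform == "win32":
        userinit, firewall = read_live_values()
    else:
        userinit, firewall = SAMPLE_USERINIT_INFECTED, SAMPLE_FIREWALL
    print("Userinit entries:", parse_userinit(userinit))
    print("Unexpected Userinit entries:", unexpected_userinit_entries(userinit))
    print("Firewall disabled for profiles:", firewall_disabled_profiles(firewall))
```

Run on the constructed infected value it reports sdra64.exe as the extra Userinit entry and StandardProfile as the disabled firewall profile; on a live Windows host it reads the real values instead. Matching the expected userinit.exe path case-insensitively matters because the value is written with varying case across installs.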
11
Synchronization Methods
- Mutants/mutexes
- Semaphores
- Events
12
Communications
- Sockets: listening sockets, connected sockets
- Named pipes: inter-process communication
- Communication content: URLs, headers
13
Getting Started
Finding the first artifact is sometimes the toughest part. Possible starting points:
- Process listing
- Anomalous files
- System autoruns
- Prefetch artifacts
The good news: there are a lot of artifacts. The bad news: there are a lot of artifacts.
14
List of tools that can be used
- Disk: FTK, EnCase
- Memory: Volatility, Memoryze
- Live system: FTK Enterprise, Microsoft Sysinternals tools, GEMR
15
Questions prior to the lab
?
16
Lab
(The lab slide is a mind map of the investigation, flattened by extraction. Red = possible starting points, Blue = artifacts. The node labels that survive are listed below; the edges between them are not recoverable.)
Starting points (red): Process Listing, Prefetch File, Anomalous File, Autoruns Entry.
Artifacts (blue): Bot.exe file properties (read-only attribute, Owner: Administrator, unusual create time); sdra64.exe file properties; Registry file; Autoruns tool; Open Handle; Prefetch file; Restore point; "A exe"; Rootkit Revealer; Userinit entry; Active Connections; Lowsec directory; Lowsec\local.ds; Lowsec\user.ds.ll; Active sockets / Socket listing; Winlogon.exe (PID 652); Svchost.exe (PID 876); Memory Scan; IP Address; Domain: m4ht.com; Avira_2109; GET HTTP request; URLs; POST HTTP request.
17
Summary
Initial thread:
- Found the bad process in the process listing
- Anomalous file listing
- Autoruns entries
- Prefetch file
Findings:
- Found the installer file and the dropped file
- Identified the data files
- Linked the data files to winlogon and svchost
- svchost had active sockets
- IP address linked to the domain m4ht.com
- GET HTTP request to download the configuration file
- POST HTTP request to upload data
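As an added example that is not part of the deck, the pivoting the summary describes (dropped data files -> open handles -> owning processes -> shared synchronization object -> active sockets -> remote IP -> domain) carried out in Python over constructed records shaped like the process, handle and connection listings a memory tool produces. The PIDs 652 and 876, the lowsec file names, sdra64.exe and the domain m4ht.com come from the lab slide; the IP addresses, the parent PIDs, the benign explorer.exe entries and the handle type of Avira_2109 (assumed here to be a Mutant) are constructed.

```python
"""Cross-artifact pivot (added example, not from the deck).

All tables below are constructed to resemble process, handle and connection
listings from a Zeus-infected Windows XP host.
"""
from collections import defaultdict

# Constructed process list: (pid, ppid, name).
PROCESSES = [
    (652, 404, "winlogon.exe"),
    (700, 652, "services.exe"),
    (876, 700, "svchost.exe"),
    (1204, 1156, "explorer.exe"),
]

# Constructed handle table: (pid, handle type, object name).
HANDLES = [
    (652, "File", r"\Device\HarddiskVolume1\WINDOWS\system32\lowsec\local.ds"),
    (652, "File", r"\Device\HarddiskVolume1\WINDOWS\system32\lowsec\user.ds"),
    (652, "Mutant", "Avira_2109"),  # handle type assumed for this example
    (876, "File", r"\Device\HarddiskVolume1\WINDOWS\system32\lowsec\user.ds"),
    (876, "Mutant", "Avira_2109"),
    (876, "Key", r"MACHINE\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS"),
    (1204, "File", r"\Device\HarddiskVolume1\Documents and Settings\Administrator\Desktop"),
    (1204, "Mutant", "ShellDesktopSwitchEvent"),
]

# Constructed connection table: (pid, local, remote, state). TEST-NET addresses.
CONNECTIONS = [
    (876, "192.168.1.10:1063", "203.0.113.45:80", "ESTABLISHED"),
    (876, "0.0.0.0:135", "0.0.0.0:0", "LISTENING"),
    (1204, "192.168.1.10:1070", "198.51.100.7:443", "ESTABLISHED"),
]

# Constructed DNS-cache lookups for the remote IPs seen above.
DNS_CACHE = {"203.0.113.45": "m4ht.com"}


def processes_touching(handles, fragment):
    """pid -> sorted object names for every File handle whose name contains
    `fragment` (case-insensitive). The dropped data files are the pivot point."""
    hits = defaultdict(set)
    frag = fragment.lower()
    for pid, htype, name in handles:
        if htype == "File" and frag in name.lower():
            hits[pid].add(name)
    return {pid: sorted(names) for pid, names in hits.items()}


def shared_mutants(handles, pids):
    """Mutant names held by more than one of the given pids: the object the
    injected components synchronize on ties the processes together."""
    holders = defaultdict(set)
    for pid, htype, name in handles:
        if htype == "Mutant" and pid in pids:
            holders[name].add(pid)
    return sorted(name for name, owners in holders.items() if len(owners) > 1)


def remote_endpoints(connections, pids, dns_cache):
    """(pid, remote ip, remote port, domain or None) for every non-listening
    connection owned by one of the pids."""
    out = []
    for pid, _local, remote, state in connections:
        if pid not in pids or state == "LISTENING":
            continue
        ip, port = remote.rsplit(":", 1)
        out.append((pid, ip, int(port), dns_cache.get(ip)))
    return out


def pivot_from_fragment(fragment, processes=PROCESSES, handles=HANDLES,
                        connections=CONNECTIONS, dns_cache=DNS_CACHE):
    """Run the whole chain from a file-name fragment and return a summary."""
    names = {pid: name for pid, _ppid, name in processes}
    touching = processes_touching(handles, fragment)
    pids = set(touching)
    return {
        "processes": {pid: names.get(pid, "?") for pid in pids},
        "files": touching,
        "shared_mutants": shared_mutants(handles, pids),
        "remote": remote_endpoints(connections, pids, dns_cache),
    }


if __name__ == "__main__":
    result = pivot_from_fragment("lowsec")
    for pid, name in sorted(result["processes"].items()):
        print(f"{name} (PID {pid}) holds: {result['files'][pid]}")
    print("shared mutants:", result["shared_mutants"])
    for pid, ip, port, domain in result["remote"]:
        print(f"PID {pid} -> {ip}:{port} ({domain or 'unresolved'})")
```

Starting from "lowsec" the chain lands on winlogon.exe (652) and svchost.exe (876) as the processes holding the data files, Avira_2109 as the object both hold, and the svchost connection to the IP that the cache resolves to m4ht.com; explorer.exe, which holds unrelated files, stays out of the result. The same functions work unchanged on the real listings once they are parsed into the same tuple shapes.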
18
Remediation
Remove the artifacts that have been found:
- Delete sdra64.exe. Can we delete a file that we can't access?
- Remove the entry from the Userinit registry value. While Zeus is running, this entry is checked every few seconds.
- Delete the data files from the lowsec directory. Can we delete files that are hidden and in use?
- Re-enable the Windows Firewall.