the memory remains
How do I know I’m secure?
Are my devices Infected?
What if!
Incident Response
What if!?!
Or…
We need to analyze malware
Malware becomes smarter
- Encrypted network communications (C&C)
- Persistence (auto start)
- Privilege escalation (run as admin)
- Data exfiltration
- Evades modern antivirus
Fileless Malware
Case Study
We need a sample
- Contagio Malware Dump: free; password required
- Das Malwerk: free
- FreeTrojanBotnet: free; registration required
- KernelMode.info: free; registration required
- MalShare: free; registration required
- Malware.lu's AVCaesar: free; registration required
- MalwareBlacklist: free; registration required
- Malware DB: free
- Malwr: free; registration required
- Open Malware: free
- theZoo aka Malware DB: free
- Virusign: free
- VirusShare: free
Let's get infected
Win7x86/64
Before infection
1. Regshot (first registry snapshot)
2. Memory dump (clean baseline image)
After infection
Take the second Regshot snapshot and compare it with the first; take a second memory dump.
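Regshot only sees the live registry; the same before/after comparison can be done from the two memory dumps, because the hives are still in memory. The script below is an added example (not code from the talk): it parses the text that Volatility 2's printkey prints for the Run key in each dump and reports autostart entries that were added, removed or changed. The two captures are constructed to look like printkey output and are not from a real image; hive paths and values are illustrative.

```python
import re
from typing import Dict, Tuple

# Constructed samples modelled on Volatility 2 "printkey --key=..." output.
# Not captured from a real image; hive paths and values are illustrative.
BEFORE_RUN_KEY = """\
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \\SystemRoot\\System32\\Config\\SOFTWARE
Key name: Run (S)
Last updated: 2014-03-01 10:00:00 UTC+0000

Subkeys:

Values:
REG_SZ        VMware User Process : (S) "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe" -n vmusr

----------------------------
Registry: \\??\\C:\\Users\\analyst\\ntuser.dat
Key name: Run (S)
Last updated: 2014-03-01 10:00:00 UTC+0000

Subkeys:

Values:
REG_SZ        Sidebar         : (S) C:\\Program Files\\Windows Sidebar\\sidebar.exe /autoRun
"""

AFTER_RUN_KEY = """\
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \\SystemRoot\\System32\\Config\\SOFTWARE
Key name: Run (S)
Last updated: 2014-03-01 10:00:00 UTC+0000

Subkeys:

Values:
REG_SZ        VMware User Process : (S) "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe" -n vmusr

----------------------------
Registry: \\??\\C:\\Users\\analyst\\ntuser.dat
Key name: Run (S)
Last updated: 2014-03-01 10:30:00 UTC+0000

Subkeys:

Values:
REG_SZ        Sidebar         : (S) C:\\Users\\analyst\\AppData\\Roaming\\sidebar.exe
REG_SZ        WindowsUpdate   : (S) C:\\Users\\analyst\\AppData\\Roaming\\svchost.exe
"""

# One value line: "<REG_TYPE>  <name>  : (S|V) <data>"
VALUE_RE = re.compile(r"^(REG_\w+)\s+(.+?)\s+:\s+\([SV]\)\s*(.*)$")

Entry = Tuple[str, str]            # (hive path, value name)
ValueData = Tuple[str, str]        # (registry type, data as printed)


def parse_printkey(output: str) -> Dict[Entry, ValueData]:
    """Collect every value printed under a 'Values:' block, keyed by hive and name."""
    values: Dict[Entry, ValueData] = {}
    hive = None
    in_values = False
    for line in output.splitlines():
        if line.startswith("Registry: "):
            hive = line[len("Registry: "):].strip()   # new hive section starts
            in_values = False
            continue
        if line.startswith("Values:"):
            in_values = True
            continue
        if not in_values or hive is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            reg_type, name, data = m.groups()
            values[(hive, name)] = (reg_type, data.strip())
    return values


def diff_run_keys(before: str, after: str):
    """Return (added, removed, changed) autostart entries between two printkey captures."""
    old = parse_printkey(before)
    new = parse_printkey(after)
    added = {k: new[k] for k in new.keys() - old.keys()}
    removed = {k: old[k] for k in old.keys() - new.keys()}
    changed = {k: (old[k], new[k]) for k in old.keys() & new.keys() if old[k] != new[k]}
    return added, removed, changed


if __name__ == "__main__":
    added, removed, changed = diff_run_keys(BEFORE_RUN_KEY, AFTER_RUN_KEY)
    for (hive, name), (_, data) in added.items():
        print(f"ADDED    {hive}  {name} = {data}")
    for (hive, name), (_, data) in removed.items():
        print(f"REMOVED  {hive}  {name} = {data}")
    for (hive, name), ((_, old_data), (_, new_data)) in changed.items():
        print(f"CHANGED  {hive}  {name}: {old_data} -> {new_data}")
```

In practice you would redirect the output of printkey against the clean and the infected image into two files and pass their contents to diff_run_keys; a new value or an existing value whose path now points into a user-writable directory is the autostart entry to pull apart next.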
But....
The memory remains.
Memory dump
- VMware (Fusion/Workstation/Server/Player): .vmem = raw memory (.vmss and .vmsn contain a memory image; each snapshot has its own .vmem file)
- Microsoft Hyper-V: .bin = raw memory image
- Parallels: .mem = raw memory image
- VirtualBox: .sav = partial memory image (the memory file only holds memory actively in use, not the entire amount of memory assigned to the virtual machine)
Volatility
Shellcode loading….
But....
The memory remains.
vol.py -f afterinfected.raw --profile=Win7SP1x86 printkey --key="Software\Microsoft\Windows\CurrentVersion\Run"
vol.py -f afterinfected.raw --profile=Win7SP1x86 pslist
vol.py -f afterinfected.raw --profile=Win7SP1x86 malfind -p 3312
vol.py -f infected.raw --profile=Win7SP1x86 envars -p 3276
vol.py -f infected.raw --profile=Win7SP1x86 hivedump -o 0x8ced15c0
vol.py -f infected.raw --profile=Win7SP1x86 hivelist
Yara
dump the memory.
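What malfind and a Yara scan actually look for in the dumped memory is shown by the added example below; it is not code from the talk or from Volatility. It walks a raw image page by page, flags an MZ/PE header sitting at a page boundary (the classic sign of a mapped payload with no file backing) and searches for the x86 fs:[0x30] PEB-lookup sequences and NOP sleds that position-independent shellcode uses, reporting the offset of each hit. The four-page image it scans is constructed inline for the demonstration; the signature bytes are standard x86 encodings, the page size and labels are this example's own choices.

```python
import sys
from typing import List, Tuple

PAGE_SIZE = 0x1000  # x86 page granularity; malfind reports per page/VAD

# x86 instruction sequences found at the start of position-independent shellcode:
# each reads the PEB pointer from the TEB (fs:[0x30]) to walk the loaded-module list.
SHELLCODE_SIGNATURES = {
    "mov eax, fs:[0x30]": bytes.fromhex("64a130000000"),
    "mov ebx, fs:[0x30]": bytes.fromhex("648b1d30000000"),
    "mov ecx, fs:[0x30]": bytes.fromhex("648b0d30000000"),
    "mov esi, fs:[0x30]": bytes.fromhex("648b3530000000"),
}
NOP_SLED = b"\x90" * 16  # 16 or more consecutive NOPs

Finding = Tuple[int, str]  # (offset into the image, what was matched)


def scan_memory_image(image: bytes) -> List[Finding]:
    """Return every indicator found in a raw memory image, sorted by offset."""
    findings: List[Finding] = []

    # 1. PE header at a page boundary: a DOS/PE header at the very start of a page
    #    is how an injected or manually mapped executable shows up in malfind output.
    for page_start in range(0, len(image), PAGE_SIZE):
        page = image[page_start:page_start + PAGE_SIZE]
        if page.startswith(b"MZ"):
            findings.append((page_start, "PE header at page boundary"))
        sled = page.find(NOP_SLED)
        if sled != -1:
            findings.append((page_start + sled, "NOP sled (>=16 bytes)"))

    # 2. Shellcode prologue signatures, scanned over the whole image so a match
    #    straddling two pages is not missed.
    for label, sig in SHELLCODE_SIGNATURES.items():
        idx = image.find(sig)
        while idx != -1:
            findings.append((idx, label))
            idx = image.find(sig, idx + 1)

    return sorted(findings)


def flagged_pages(findings: List[Finding]) -> List[int]:
    """Page-aligned offsets worth dumping (what you would feed to dump/extract next)."""
    return sorted({offset & ~(PAGE_SIZE - 1) for offset, _ in findings})


def build_sample_image() -> bytes:
    """Constructed four-page image: clean, unbacked PE header, text+shellcode, sled+shellcode."""
    page0 = bytes(PAGE_SIZE)                                        # clean page
    dos_stub = b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode."
    page1 = dos_stub.ljust(PAGE_SIZE, b"\x00")                      # PE header at page start
    text = b"Lorem ipsum dolor sit amet " * 20                      # 540 bytes of filler
    page2 = (text + SHELLCODE_SIGNATURES["mov eax, fs:[0x30]"]
             + b"\x8b\x40\x0c").ljust(PAGE_SIZE, b"\x00")            # mov eax,[eax+0xc] (PEB.Ldr)
    page3 = (b"\x90" * 32
             + SHELLCODE_SIGNATURES["mov esi, fs:[0x30]"]).ljust(PAGE_SIZE, b"\x00")
    return page0 + page1 + page2 + page3


if __name__ == "__main__":
    # Pass a raw dump (.vmem, .bin, .mem) as the first argument; otherwise scan the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_sample_image()
    for offset, label in scan_memory_image(data):
        print(f"0x{offset:08x}  {label}")
    print("pages to dump:", [hex(p) for p in flagged_pages(scan_memory_image(data))])
```

The same byte patterns are what a Yara rule for this talk's sample would carry, so once the hits are confirmed they translate directly into a rule for Volatility 2's yarascan (--yara-file) and for scanning the next image.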
Writing code for fun and food. Security enthusiast.
Nahidul Kibria (@nahidupa)
Co-Founder, Beetles