The memory remains
Uploaded by nahidul-kibria (category: Technology)
Transcript of The memory remains
![Page 1: The memory remains](https://reader035.fdocuments.in/reader035/viewer/2022062503/58a2cfa41a28ab692e8b4c77/html5/thumbnails/1.jpg)
How do I know I’m secure?
![Page 2: The memory remains](https://reader035.fdocuments.in/reader035/viewer/2022062503/58a2cfa41a28ab692e8b4c77/html5/thumbnails/2.jpg)
Are my devices Infected?
![Page 3: The memory remains](https://reader035.fdocuments.in/reader035/viewer/2022062503/58a2cfa41a28ab692e8b4c77/html5/thumbnails/3.jpg)
What if!
![Page 4: The memory remains](https://reader035.fdocuments.in/reader035/viewer/2022062503/58a2cfa41a28ab692e8b4c77/html5/thumbnails/4.jpg)
![Page 5: The memory remains](https://reader035.fdocuments.in/reader035/viewer/2022062503/58a2cfa41a28ab692e8b4c77/html5/thumbnails/5.jpg)
Incident Response
![Page 6: The memory remains](https://reader035.fdocuments.in/reader035/viewer/2022062503/58a2cfa41a28ab692e8b4c77/html5/thumbnails/6.jpg)
What if!?!
![Page 7: The memory remains](https://reader035.fdocuments.in/reader035/viewer/2022062503/58a2cfa41a28ab692e8b4c77/html5/thumbnails/7.jpg)
Or…
![Page 8: The memory remains](https://reader035.fdocuments.in/reader035/viewer/2022062503/58a2cfa41a28ab692e8b4c77/html5/thumbnails/8.jpg)
We need to analyze malware
![Page 9: The memory remains](https://reader035.fdocuments.in/reader035/viewer/2022062503/58a2cfa41a28ab692e8b4c77/html5/thumbnails/9.jpg)
Malware becomes smarter
- Encrypted network communications (C&C)
- Persistence (auto start)
- Privilege escalation (run as admin)
- Data exfiltration
- Evades modern antivirus
![Page 10: The memory remains](https://reader035.fdocuments.in/reader035/viewer/2022062503/58a2cfa41a28ab692e8b4c77/html5/thumbnails/10.jpg)
Fileless Malware
![Page 11: The memory remains](https://reader035.fdocuments.in/reader035/viewer/2022062503/58a2cfa41a28ab692e8b4c77/html5/thumbnails/11.jpg)
Case Study
![Page 12: The memory remains](https://reader035.fdocuments.in/reader035/viewer/2022062503/58a2cfa41a28ab692e8b4c77/html5/thumbnails/12.jpg)
![Page 13: The memory remains](https://reader035.fdocuments.in/reader035/viewer/2022062503/58a2cfa41a28ab692e8b4c77/html5/thumbnails/13.jpg)
![Page 14: The memory remains](https://reader035.fdocuments.in/reader035/viewer/2022062503/58a2cfa41a28ab692e8b4c77/html5/thumbnails/14.jpg)
We need a sample
- Contagio Malware Dump: Free; password required
- Das Malwerk: Free
- FreeTrojanBotnet: Free; registration required
- KernelMode.info: Free; registration required
- MalShare: Free; registration required
- Malware.lu's AVCaesar: Free; registration required
- MalwareBlacklist: Free; registration required
- Malware DB: Free
- Malwr: Free; registration required
- Open Malware: Free
- theZoo aka Malware DB: Free
- Virusign: Free
- VirusShare: Free
![Page 15: The memory remains](https://reader035.fdocuments.in/reader035/viewer/2022062503/58a2cfa41a28ab692e8b4c77/html5/thumbnails/15.jpg)
Let's get infected
![Page 16: The memory remains](https://reader035.fdocuments.in/reader035/viewer/2022062503/58a2cfa41a28ab692e8b4c77/html5/thumbnails/16.jpg)
Win7x86/64
![Page 17: The memory remains](https://reader035.fdocuments.in/reader035/viewer/2022062503/58a2cfa41a28ab692e8b4c77/html5/thumbnails/17.jpg)
Before infection
1. Regshot
2. Memory dump
![Page 18: The memory remains](https://reader035.fdocuments.in/reader035/viewer/2022062503/58a2cfa41a28ab692e8b4c77/html5/thumbnails/18.jpg)
After infection
Compare Regshot
![Page 19: The memory remains](https://reader035.fdocuments.in/reader035/viewer/2022062503/58a2cfa41a28ab692e8b4c77/html5/thumbnails/19.jpg)
![Page 20: The memory remains](https://reader035.fdocuments.in/reader035/viewer/2022062503/58a2cfa41a28ab692e8b4c77/html5/thumbnails/20.jpg)
![Page 21: The memory remains](https://reader035.fdocuments.in/reader035/viewer/2022062503/58a2cfa41a28ab692e8b4c77/html5/thumbnails/21.jpg)
But....
![Page 22: The memory remains](https://reader035.fdocuments.in/reader035/viewer/2022062503/58a2cfa41a28ab692e8b4c77/html5/thumbnails/22.jpg)
The memory remains.
![Page 23: The memory remains](https://reader035.fdocuments.in/reader035/viewer/2022062503/58a2cfa41a28ab692e8b4c77/html5/thumbnails/23.jpg)
Memory dump
- VMware (Fusion/Workstation/Server/Player): .vmem = raw memory (.vmss and .vmsn contain a memory image; each snapshot has its own .vmem file)
- Microsoft Hyper-V: .bin = raw memory image
- Parallels: .mem = raw memory image
- VirtualBox: .sav = partial memory image (the memory file only holds memory actively in use, not the entire amount of memory assigned to the virtual machine)
![Page 24: The memory remains](https://reader035.fdocuments.in/reader035/viewer/2022062503/58a2cfa41a28ab692e8b4c77/html5/thumbnails/24.jpg)
Volatility
![Page 25: The memory remains](https://reader035.fdocuments.in/reader035/viewer/2022062503/58a2cfa41a28ab692e8b4c77/html5/thumbnails/25.jpg)
![Page 26: The memory remains](https://reader035.fdocuments.in/reader035/viewer/2022062503/58a2cfa41a28ab692e8b4c77/html5/thumbnails/26.jpg)
![Page 27: The memory remains](https://reader035.fdocuments.in/reader035/viewer/2022062503/58a2cfa41a28ab692e8b4c77/html5/thumbnails/27.jpg)
![Page 28: The memory remains](https://reader035.fdocuments.in/reader035/viewer/2022062503/58a2cfa41a28ab692e8b4c77/html5/thumbnails/28.jpg)
![Page 29: The memory remains](https://reader035.fdocuments.in/reader035/viewer/2022062503/58a2cfa41a28ab692e8b4c77/html5/thumbnails/29.jpg)
![Page 30: The memory remains](https://reader035.fdocuments.in/reader035/viewer/2022062503/58a2cfa41a28ab692e8b4c77/html5/thumbnails/30.jpg)
![Page 31: The memory remains](https://reader035.fdocuments.in/reader035/viewer/2022062503/58a2cfa41a28ab692e8b4c77/html5/thumbnails/31.jpg)
![Page 32: The memory remains](https://reader035.fdocuments.in/reader035/viewer/2022062503/58a2cfa41a28ab692e8b4c77/html5/thumbnails/32.jpg)
Shellcode loading….
![Page 33: The memory remains](https://reader035.fdocuments.in/reader035/viewer/2022062503/58a2cfa41a28ab692e8b4c77/html5/thumbnails/33.jpg)
But....
![Page 34: The memory remains](https://reader035.fdocuments.in/reader035/viewer/2022062503/58a2cfa41a28ab692e8b4c77/html5/thumbnails/34.jpg)
The memory remains.
![Page 35: The memory remains](https://reader035.fdocuments.in/reader035/viewer/2022062503/58a2cfa41a28ab692e8b4c77/html5/thumbnails/35.jpg)
![Page 36: The memory remains](https://reader035.fdocuments.in/reader035/viewer/2022062503/58a2cfa41a28ab692e8b4c77/html5/thumbnails/36.jpg)
![Page 37: The memory remains](https://reader035.fdocuments.in/reader035/viewer/2022062503/58a2cfa41a28ab692e8b4c77/html5/thumbnails/37.jpg)
![Page 38: The memory remains](https://reader035.fdocuments.in/reader035/viewer/2022062503/58a2cfa41a28ab692e8b4c77/html5/thumbnails/38.jpg)
![Page 39: The memory remains](https://reader035.fdocuments.in/reader035/viewer/2022062503/58a2cfa41a28ab692e8b4c77/html5/thumbnails/39.jpg)
![Page 40: The memory remains](https://reader035.fdocuments.in/reader035/viewer/2022062503/58a2cfa41a28ab692e8b4c77/html5/thumbnails/40.jpg)
![Page 41: The memory remains](https://reader035.fdocuments.in/reader035/viewer/2022062503/58a2cfa41a28ab692e8b4c77/html5/thumbnails/41.jpg)
```bash
vol.py -f afterinfected.raw --profile=Win7SP1x86 printkey --key="Software\Microsoft\Windows\CurrentVersion\Run"
vol.py -f afterinfected.raw --profile=Win7SP1x86 pslist
vol.py -f afterinfected.raw --profile=Win7SP1x86 malfind -p 3312
vol.py -f infected.raw --profile=Win7SP1x86 envars -p 3276
vol.py -f infected.raw --profile=Win7SP1x86 hivedump -o 0x8ced15c0
vol.py -f infected.raw --profile=Win7SP1x86 hivelist
```
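The slides dump memory before and after infection and then compare; the script below, an added example rather than code from the deck, applies that same before/after comparison to the Run key that the `printkey` command above queries. It parses the value lines of Volatility 2 `printkey` output (the `REG_xx  name : (S) data` shape) from a pre-infection and a post-infection dump and reports autostart entries that were added, removed or changed. The sample output embedded in it is constructed for the example, not taken from the slides.

```python
import re
from typing import Dict, Tuple

# Shape of a Volatility 2 printkey value line: "<REG_TYPE>  <name> : (S|V) <data>"
VALUE_RE = re.compile(r'^(REG_[A-Z_]+)\s+(.+?)\s+:\s+\((S|V)\)\s*(.*)$')

def parse_printkey_values(output: str) -> Dict[str, str]:
    """Return {value name: data} from the 'Values:' section of printkey output."""
    values, in_values = {}, False
    for line in output.splitlines():
        if line.startswith("Values:"):
            in_values = True          # everything after this header is a value line
            continue
        if not in_values:
            continue
        m = VALUE_RE.match(line.strip())
        if m:
            _, name, _, data = m.groups()
            values[name] = data.strip()
    return values

def diff_run_keys(before: str, after: str) -> Tuple[Dict, Dict, Dict]:
    """Compare Run-key values from the pre- and post-infection dumps."""
    b, a = parse_printkey_values(before), parse_printkey_values(after)
    added = {k: a[k] for k in a if k not in b}            # new autostart entries
    removed = {k: b[k] for k in b if k not in a}
    changed = {k: (b[k], a[k]) for k in a if k in b and a[k] != b[k]}
    return added, removed, changed

# Constructed sample printkey output (not from the slides) for the two dumps.
BEFORE = """Legend: (S) = Stable   (V) = Volatile
----------------------------
Registry: \\??\\C:\\Windows\\system32\\config\\SOFTWARE
Key name: Run (S)
Last updated: 2016-01-01 10:00:00 UTC+0000

Subkeys:

Values:
REG_SZ        VMware User Process : (S) "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe" -n vmusr
"""
# Post-infection dump: same key with one extra value (hypothetical name and path).
AFTER = BEFORE + 'REG_SZ        Updater : (S) C:\\Users\\user\\AppData\\Roaming\\updater.exe\n'

if __name__ == "__main__":
    added, removed, changed = diff_run_keys(BEFORE, AFTER)
    for name, data in added.items():
        print(f"NEW autostart entry: {name} -> {data}")
    print(f"removed: {removed}, changed: {changed}")
```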
![Page 42: The memory remains](https://reader035.fdocuments.in/reader035/viewer/2022062503/58a2cfa41a28ab692e8b4c77/html5/thumbnails/42.jpg)
Yara
![Page 43: The memory remains](https://reader035.fdocuments.in/reader035/viewer/2022062503/58a2cfa41a28ab692e8b4c77/html5/thumbnails/43.jpg)
dump the memory.
![Page 44: The memory remains](https://reader035.fdocuments.in/reader035/viewer/2022062503/58a2cfa41a28ab692e8b4c77/html5/thumbnails/44.jpg)
![Page 45: The memory remains](https://reader035.fdocuments.in/reader035/viewer/2022062503/58a2cfa41a28ab692e8b4c77/html5/thumbnails/45.jpg)
Writing code for fun and food. Security enthusiastic.
@nahidupa Nahidul Kibria
Co-Founder, Beetles