the memory remains

Post on 13-Apr-2017


TRANSCRIPT

How do I know I’m secure?

Are my devices infected?

What if!

Incident Response

What if!?!

Or…

We need to analyze malware

Malware becomes smarter
Encrypted network communications (C&C)
Persistence (auto start)
Privilege escalation (run as admin)
Data exfiltration
Evades modern antivirus

Fileless Malware

Case Study

We need a sample
Contagio Malware Dump: Free; password required
Das Malwerk: Free
FreeTrojanBotnet: Free; registration required
KernelMode.info: Free; registration required
MalShare: Free; registration required
Malware.lu's AVCaesar: Free; registration required
MalwareBlacklist: Free; registration required
Malware DB: Free
Malwr: Free; registration required
Open Malware: Free
theZoo aka Malware DB: Free
Virusign: Free
VirusShare: Free

Let's get infected

Win7x86/64

Before infection
1. Regshot
2. Memory dump

After infection
Compare Regshot snapshots

But....

The memory remains.

Memory dump
VMware (Fusion/Workstation/Server/Player): .vmem = raw memory (.vmss and .vmsn contain a memory image; each snapshot has its own .vmem file)
Microsoft Hyper-V: .bin = raw memory image
Parallels: .mem = raw memory image
VirtualBox: .sav = partial memory image (the memory file only holds memory actively in use, not the entire amount of memory assigned to the virtual machine)

Volatility

Shellcode loading….

But....

The memory remains.

vol.py -f afterinfected.raw --profile=Win7SP1x86 printkey --key="Software\Microsoft\Windows\CurrentVersion\Run"
vol.py -f afterinfected.raw --profile=Win7SP1x86 pslist
vol.py -f afterinfected.raw --profile=Win7SP1x86 malfind -p 3312
vol.py -f infected.raw --profile=Win7SP1x86 envars -p 3276
vol.py -f infected.raw --profile=Win7SP1x86 hivedump -o 0x8ced15c0
vol.py -f infected.raw --profile=Win7SP1x86 hivelist
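The slides take a memory dump before and after infection and then run pslist and malfind by hand. The script below, an added example that is not part of the talk, applies the same before/after comparison to the memory side: it parses two Volatility 2 pslist outputs, reports processes that only exist in the post-infection dump (keyed on PID, name and start time so a reused PID is not mistaken for the same process), and builds the per-PID malfind command lines from the slides. The pslist text is constructed sample output, not from a real dump.

```python
"""Diff two Volatility 2 pslist outputs to find processes that appeared after infection."""

# Constructed sample output in the Volatility 2 pslist layout (not from a real image).
PSLIST_BEFORE = """\
Volatility Foundation Volatility Framework 2.6
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x84f0a020 System                    4      0     86      483 ------      0 2017-04-10 10:00:00 UTC+0000
0x8616d030 explorer.exe           1488   1460     30      911      1      0 2017-04-10 10:01:12 UTC+0000
0x85d2c8e0 svchost.exe             876    504     19      440      0      0 2017-04-10 10:00:05 UTC+0000
"""
PSLIST_AFTER = """\
Volatility Foundation Volatility Framework 2.6
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x84f0a020 System                    4      0     86      483 ------      0 2017-04-10 10:00:00 UTC+0000
0x8616d030 explorer.exe           1488   1460     31      954      1      0 2017-04-10 10:01:12 UTC+0000
0x85d2c8e0 svchost.exe             876    504     19      440      0      0 2017-04-10 10:00:05 UTC+0000
0x85e1a7c8 powershell.exe         3312   1488      8      302      1      0 2017-04-10 10:09:41 UTC+0000
"""

def parse_pslist(text):
    """Return {(pid, name, start): ppid}, skipping the banner and column header."""
    procs = {}
    started = False
    for line in text.splitlines():
        if line.startswith("----------"):
            started = True          # the dashed rule ends the header block
            continue
        if not started or not line.strip():
            continue
        f = line.split()            # pslist names never contain spaces
        start = " ".join(f[8:10]) if len(f) >= 10 else ""
        procs[(int(f[2]), f[1], start)] = int(f[3])
    return procs

def new_processes(before_text, after_text):
    """Processes in the post-infection dump that had no (pid, name, start) match before."""
    before = parse_pslist(before_text)
    return sorted(k for k in parse_pslist(after_text) if k not in before)

def malfind_commands(image, profile, before_text, after_text):
    """One malfind invocation per newly appeared process, in the slides' command form."""
    return ["vol.py -f %s --profile=%s malfind -p %d" % (image, profile, pid)
            for pid, _name, _start in new_processes(before_text, after_text)]

if __name__ == "__main__":
    for cmd in malfind_commands("afterinfected.raw", "Win7SP1x86", PSLIST_BEFORE, PSLIST_AFTER):
        print(cmd)
```

Thread and handle counts changing on explorer.exe do not flag it, because only the identity key is compared; a process with injected code but no new PID still needs malfind run against it directly.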

Yara

dump the memory.

Writing code for fun and food. Security enthusiast.

Nahidul Kibria (@nahidupa)

Co-Founder, Beetles
