complex malware forensic investigation
play

Complex malware & forensic investigation RMLL 2016 Paul - PowerPoint PPT Presentation

May 22, 2023 •11 likes •501 views

Complex malware & forensic investigation RMLL 2016 Paul Rascagnres & Sebastien Larinier Complex malware & forensics investigation | about us Me: Paul Rascagnres Twitter account: @r00tbsd Senior threat researcher at CERT

  1. Complex malware & forensic investigation RMLL 2016 – Paul Rascagnères & Sebastien Larinier

  2. Complex malware & forensics investigation | about us Me: Paul Rascagnères Twitter account: @r00tbsd Senior threat researcher at CERT SEKOIA Author of the French books "Malwares - Identification, analyse et eradication" (ISBN: 978-2746079656) "Sécurité informatique et Malwares - Analyse des menaces et mise en oeuvre des contre-mesures (2e édition) " (ISBN: 978-2409000737) Co-Organizer of Botconf (2-4 December – Paris) Located in our offices in Luxembourg & Paris SEKOIA 2

  3. Complex malware & forensics investigation | about us Me: Sebastien Larinier Twitter account: @sebdraven Digital Forensics and Incidence Response at CERT SEKOIA Member of the Honeynet Project Co-Organizer of Botconf (2-4 December – Paris) Located in Paris SEKOIA 3

  4. What is FastIR Collector? SEKOIA 4

  5. Complex malware & forensics investigation | What is FastIR Collector? FastIR Collector: - Open Source project sponsored by SEKOIA - http://github.com/SekoiaLab/FastIR_Collector - release at HES 2015 - configurable forensic collector - standalone - 32/64b - Windows XP -> 10 (Workstation & Server) SEKOIA 5

  6. Complex malware & forensics investigation | What is FastIR Collector? FastIR Collector: SEKOIA 6

  7. Complex malware & forensics investigation | What is FastIR Collector? Collected artefacts in userland: - MFT - drives - MBR - browsers history - RAM - recycle bin - HDD - startups - processes - shellbags - named pipes + FileCatcher - MRU - files collect - recent docs - hashes - … - event logs - … - prefetch SEKOIA 7

  8. Complex malware & forensics investigation | What is FastIR Collector? Filecatcher description [filecatcher] recursively =True path =c:\tmp|*,c:\temp|*,c:\recycler|*,%WINDIR%|*,%USERPROFILE%|* mime_filter =application/msword;application/octet-stream;application /xarchive;application/x-ms-pe;application/x-ms-dosexecutable;applica tion/x-lha;application/x-dosexec;application/xelc;application/x-exec utable, statically linked, stripped;application/x-gzip;application/x -object, not stripped;application/x-zip; mime_zip =application/x-ms-pe;application/x-ms-dosexecutable;applica tion/x-dosexec;application/x-executable, statically linked, stripped compare =AND size_min =6k size_max =100M ext_file =* zip_ext_file =* zip =True SEKOIA 8

  9. Complex malware & forensics investigation | What is FastIR Collector? Filecatcher description + signature filter SEKOIA 9

  10. What is the goal of this talk? SEKOIA 10

  11. Complex malware & forensics investigation | What is the goal of this talk? Use on real cases such as: - rootkit - bootkit - userland RAT - … You can check our wiki documentation on GitHub: https://github.com/SekoiaLab/FastIR_Collector/wiki/ SEKOIA 11

  12. Case studies SEKOIA 12

  13. Case 1: Uroburos/Turla/Snake SEKOIA 13

  14. Complex malware & forensics investigation | Uroburos/Turla/Snake Malware description: - rootkit publicly released in 02/2014 - probably state sponsored - it uses 2 Virtual File Systems - hides itself (driver file .sys + registry) Live forensics collect on this kind of case is always complicated: we cannot trust the system behavior SEKOIA 14

  15. Complex malware & forensics investigation | Uroburos/Turla/Snake FastIR Collector: Driver identification via the filecatcher (.zip + _Filecatcher.csv): paul@lab:~$ unzip -l HES-demo_files_.zip Archive: HES-demo_files_.zip Length Date Time Name --------- ---------- ----- ---- 210944 2015-10-08 11:07 WINDOWS/$NtuninstallQ817473$/fdisk.sys 224768 2007-11-06 19:23 WINDOWS/WinSxS/x86_Microsoft.VC90/msvcm90.dll 59904 2007-11-06 21:51 WINDOWS/WinSxS/x86_Microsoft.VC90/mfcm90.dll 59904 2007-11-06 21:51 WINDOWS/WinSxS/x86_Microsoft.VC90/mfcm90u.dll --------- ------- 555520 4 files "HES-demo","Filecatcher","2015-10-08 11:07:40.763156", "C:\WINDOWS\$NtuninstallQ817473$\fdisk.sys", "50edc955a6e8e431f5ecebb5b1d3617d3606b8296f838f0f986a929653d289ed ", "application/x-ms-dosexecutable","True","False", http://www.virustotal.com/en/file/50edc955a6e8e431[...]929653d289ed/analysis SEKOIA 15

  16. Complex malware & forensics investigation | Uroburos/Turla/Snake FastIR Collector: Persistence identification (_startup.csv): "HES-demo","registry_services","2015-10-15 10:28:32", "HKEY_LOCAL_MACHINE", "System\CurrentControlSet\Services\Ultra3","ImagePath", "VALUE","REG_SZ", "\SystemRoot\$NtuninstallQ817473$\fdisk.sys" SEKOIA 16

  17. Complex malware & forensics investigation | Uroburos/Turla/Snake FastIR Collector: Named pipe identification (_named_pipes.csv): "HES-demo","named_pipes","\\.\pipe\isapi_http2" "HES-demo","named_pipes","\\.\pipe\isapi_dg2" "HES-demo","named_pipes","\\.\pipe\isapi_http" "HES-demo","named_pipes","\\.\pipe\isapi_dg" SEKOIA 17

  18. Complex malware & forensics investigation | Uroburos/Turla/Snake FastIR Collector: VFS identification (_prefetch.csv): \DEVICE\RAWDISK1\KLOG \DEVICE\RAWDISK1\$MFT \DEVICE\RAWDISK1\QUEUE SEKOIA 18

  19. Case 2: ComRAT SEKOIA 19

  20. Complex malware & forensics investigation | ComRAT Malware description: - user land RAT - developed by the same author than Uroburos - uncommon persistence (COM Object hijack) SEKOIA 20

  21. Complex malware & forensics investigation | ComRAT FastIR Collector: Malware identification (.zip): paul@lab:~$ unzip -l HES-demo_files_.zip Length Date Time Name --------- ---------- ----- ---- 260096 2008-04-14 14:00 Documents and Settings/demo /Application Data/Microsoft/credprov.tlb 51200 2008-04-14 14:00 Documents and Settings/demo /Application Data/Microsoft/shdocvw.tlb 224768 2007-11-06 19:23 WINDOWS/WinSxS/x86_Microsoft .VC90/msvcm90.dll 59904 2007-11-06 21:51 WINDOWS/WinSxS/x86_Microsoft .VC90/mfcm90.dll 59904 2007-11-06 21:51 WINDOWS/WinSxS/x86_Microsoft .VC90/mfcm90u.dll SEKOIA 21

  22. Complex malware & forensics investigation | ComRAT FastIR Collector: Persistence identification not visible… HKCU\Software\CLSID\{42aedc87-2188-41fd-b9a30c966feabec1}\InprocServer32 SEKOIA 22

  23. Complex malware & forensics investigation | ComRAT FastIR Collector: Library injection (_processes_dll.csv): "HES-demo","processes_dll","1420","C:\WINDOWS\ Explorer.EXE“ ,"C:\Documents and Settings\demo\Application Data\Microsoft \shdocvw.tlb" "HES-demo","processes_dll","1420","C:\WINDOWS\ Explorer.EXE“ ,"C:\Documents and Settings\demo\Application Data\Microsoft \credprov.tlb" SEKOIA 23

  24. Case 3: Babar SEKOIA 24

  25. Complex malware & forensics investigation | Babar Malware description: - user land RAT - probably developed by a French intel agency SEKOIA 25

  26. Complex malware & forensics investigation | Babar FastIR Collector: Persistence identification (_startup.csv) "HES-demo","startup","2015-10-08 11:20:21", "HKEY_LOCAL_MACHINE","Software\Microsoft\Windows \CurrentVersion\Run ","MSSecurity","VALUE","REG_SZ", """regsvr32.exe"" /s /n /i ""C:\Documents and Settings \All Users\Application Data\perf_585.dll""" SEKOIA 26

  27. Complex malware & forensics investigation | Babar FastIR Collector: Process identification (_processes.csv) "HES-demo","processes","1828","regsvr32.exe", """C:\WINDOWS\system32\regsvr32.exe"" /s /n /i ""C:\Documents and Settings\All Users\Application Data \perf_585.dll""","C:\WINDOWS\system32\regsvr32.exe" SEKOIA 27

  28. Complex malware & forensics investigation | Babar FastIR Collector: Library injection (_processes_dll.csv) "HES-demo","processes_dll","1440","C:\WINDOWS\ Explorer.EXE“ ,"C:\Documents and Settings\All Users\Application Data\ perf_585.dll" "HESdemo","processes_dll","1788","C:\WINDOWS\system32\ VBoxTray.exe","C:\Documents and Settings\All Users\ Application Data\perf_585.dll" "HESdemo","processes_dll","1848","C:\WINDOWS\system32\ ctfmon.exe","C:\Documents and Settings\All Users\ Application Data\perf_585.dll" SEKOIA 28

  29. Case 4: Casper SEKOIA 29

  30. Complex malware & forensics investigation | Casper Malware description: - user land RAT - probably developed by the same team than Babar SEKOIA 30

  31. Complex malware & forensics investigation | Casper FastIR Collector: Persistence identification (_startup.csv) "HES-demo","startup","2015-10-08 11:30:07", "HKEY_LOCAL_MACHINE","Software\Microsoft\Windows \CurrentVersion\Run ","VBOX Audio Interface Device Manager","VALUE","REG_SZ","""C:\Program Files\ Fichiers communs\VBOX Audio Interface Device Manager \aiomgr.exe"" 3071006457" SEKOIA 31

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

investigation Hackito Ergo Sum 2015 Paul Rascagneres & Sebastien Larinier Complex malware

investigation Hackito Ergo Sum 2015 Paul Rascagneres & Sebastien Larinier Complex malware

Complex malware & forensic investigation Hackito Ergo Sum 2015 Paul Rascagneres & Sebastien Larinier Complex malware & forensics investigation | about us Me: Paul Rascagnres Twitter account: @r00tbsd Senior threat researcher

442 views • 43 slides
Challenges in Crime Scene Investigation Technical challenges in forensic STR profiling

Challenges in Crime Scene Investigation Technical challenges in forensic STR profiling

Epigenetics a New Perspective for Improving Forensic Science p g Hwan Young Lee, Ph.D. Department of Forensic Medicine Yonsei University College of Medicine Current Forensic DNA Typing Forensic cases -- matching suspect with evidence

247 views • 13 slides
Combating Malware in the age of APT SANS Digital Forensic and Incident Response Summit July 2010

Combating Malware in the age of APT SANS Digital Forensic and Incident Response Summit July 2010

Combating Malware in the age of APT SANS Digital Forensic and Incident Response Summit July 2010 Jason Garman CTO, Kyrus Technology New directions for malware Malicious code used in APT attacks are usually: Not sexy the

409 views • 24 slides
Toward Automated Forensic Analysis of Obfuscated Malware Ryan J. Farley George Mason University

Toward Automated Forensic Analysis of Obfuscated Malware Ryan J. Farley George Mason University

Toward Automated Forensic Analysis of Obfuscated Malware Ryan J. Farley George Mason University Department of Computer Science Committee: Xinyuan Wang, Hakan Aydin, Songqing Chen, Brian Mark Where Innovation Is Tradition April 24, 2015

611 views • 59 slides
Reasoning About a Simulated Printer Case Investigation with Forensic Lucid 1 Serguei A. Mokhov

Reasoning About a Simulated Printer Case Investigation with Forensic Lucid 1 Serguei A. Mokhov

Introduction Background Sample Case Conclusion Reasoning About a Simulated Printer Case Investigation with Forensic Lucid 1 Serguei A. Mokhov Joey Paquet Mourad Debbabi Department of Computer Science and Software Engineering Faculty of

720 views • 46 slides
Forensic investigation of Chinese smartwatches Renee Witsenburg & Kasper van Brakel 1 A

Forensic investigation of Chinese smartwatches Renee Witsenburg & Kasper van Brakel 1 A

Forensic investigation of Chinese smartwatches Renee Witsenburg & Kasper van Brakel 1 A smartwatch is a wristband with sensors. Sensor information from the wristband is send to a mobile telephone. Furthermore, notifications from the

449 views • 21 slides
Automatic Event Log Abstraction to Support Forensic Investigation Hudan Studiawan, Ferdous Sohel,

Automatic Event Log Abstraction to Support Forensic Investigation Hudan Studiawan, Ferdous Sohel,

Automatic Event Log Abstraction to Support Forensic Investigation Hudan Studiawan, Ferdous Sohel, Christian Payne College of Science, Health, Engineering and Education Murdoch University, Perth, Australia The Australasian Information Security

341 views • 22 slides
National Treasury Forensic Investigation To Verify Prasa Contracts Above R10 Million Rand Awarded

National Treasury Forensic Investigation To Verify Prasa Contracts Above R10 Million Rand Awarded

National Treasury Forensic Investigation To Verify Prasa Contracts Above R10 Million Rand Awarded From 2012 Friday, 14 October 2016 Disclaimer This presentation has been provided solely for purposes of giving a synopsis of our final draft

901 views • 43 slides
Forensic Investigation of Peer-to-Peer File Sharing Networks Marc Liberatore 1 Robert Erdely 2

Forensic Investigation of Peer-to-Peer File Sharing Networks Marc Liberatore 1 Robert Erdely 2

Motivation P2P Overview Investigations and Legal Issues Results and Tool Forensic Investigation of Peer-to-Peer File Sharing Networks Marc Liberatore 1 Robert Erdely 2 Thomas Kerle 3 Brian Neil Levine 1 Clay Shields 4 1 University of

575 views • 19 slides
Fast and Generic Malware Triage Using openioc_scan Volatility Plugin TAKAHIRO HARUYAMA

Fast and Generic Malware Triage Using openioc_scan Volatility Plugin TAKAHIRO HARUYAMA

Fast and Generic Malware Triage Using openioc_scan Volatility Plugin TAKAHIRO HARUYAMA (@CCI_FORENSICS) INTERNET INITIATIVE JAPAN INC. Digital Forensics Research Conference Europe 2015 Who am I? 2 Forensic Investigator & Malware

796 views • 27 slides
Why This Workshop? In 2009 the Research Council of the National Academy of Sciences issues a

Why This Workshop? In 2009 the Research Council of the National Academy of Sciences issues a

Specialized Topics in Ethical Forensic Practice, Part 3: Bias in Forensic Evaluations November 18, 2015 Ohio MHAS Forensic Conference Columbus, OH Terry Kukor, Ph.D., ABPP Board Certified in Forensic Psychology Director of Forensic Services Netcare

972 views • 23 slides
Objectives 1. Articulate the rationale for restructuring forensic evaluation reports 2. Identify

Objectives 1. Articulate the rationale for restructuring forensic evaluation reports 2. Identify

11/5/2015 Specialized Topics in Ethical Forensic Practice, Part 1: Restructured Forensic Reports Presented For OhioMHAS Forensic Conference November 18, 2015 Terry Kukor, Ph.D., ABPP (Forensic) Joy Stankowski, M.D. Aracelis (Liz) Rivera, Psy.D.

451 views • 17 slides
T and Science of Forensic Monitoring Forensic Monitor may be employed by one Board or a

T and Science of Forensic Monitoring Forensic Monitor may be employed by one Board or a

11/5/2015 The T and Science of Forensic Monitoring Robert N. Baker, PhD Jeannie Cool, PCC-S Lottie Gray, MSSA, LISW, CDCA Julia King, PsyD, MBA T and Science of Forensic Monitoring Has your boss just told you? You are our New Forensic

389 views • 24 slides
Smart Forensic Solutions Role of Forensics in Criminal Justice System Court Proceedings

Smart Forensic Solutions Role of Forensics in Criminal Justice System Court Proceedings

Topic Smart Forensic Solutions Role of Forensics in Criminal Justice System Court Proceedings Analysis of Police Crime Forensic Investigation Evidence EXPECTATIONS Timely Seamless & Evidences get Integrable putrefied, e.g. to

138 views • 9 slides
Forensic Challenge V2.0 UNAM-CERT RedIRIS Topics * Forensic Challenge V1.0 * Forensic

Forensic Challenge V2.0 UNAM-CERT RedIRIS Topics * Forensic Challenge V1.0 * Forensic

Forensic Challenge V2.0 UNAM-CERT RedIRIS Topics * Forensic Challenge V1.0 * Forensic Challenge V2.0 * Conclusions Introduction Why this forensic Challenge ? * To promote and impulse the Forensic Analysis in our Region -- Hispanoamerica--

558 views • 19 slides
Specialized Topics in Ethical Forensic Practice, Part 3: Bias in Forensic Evaluations November 18,

Specialized Topics in Ethical Forensic Practice, Part 3: Bias in Forensic Evaluations November 18,

Specialized Topics in Ethical Forensic Practice, Part 3: Bias in Forensic Evaluations November 18, 2015 Ohio MHAS Forensic Conference Columbus, OH Terry Kukor, Ph.D., ABPP Board Certified in Forensic Psychology Director of Forensic Services Netcare

1.29k views • 67 slides
Memory System Design Chapter 16 S. Dandamudi Outline Introduction Building larger

Memory System Design Chapter 16 S. Dandamudi Outline Introduction Building larger

Memory System Design Chapter 16 S. Dandamudi Outline Introduction Building larger memories A simple memory block Mapping memory Memory design with D flip Full mapping flops Partial mapping Problems with the

500 views • 15 slides
CBOP3203 A class library is a set of classes that supports the development of

CBOP3203 A class library is a set of classes that supports the development of

CBOP3203 A class library is a set of classes that supports the development of programs. Java contains an extensive library of pre- written classes you can use in your programs. These classes are divided into groups called packages

277 views • 13 slides
Concepts of Higher Programming Languages Chapter 1: Introduction Jonathan Thaler Department of

Concepts of Higher Programming Languages Chapter 1: Introduction Jonathan Thaler Department of

Concepts of Higher Programming Languages Chapter 1: Introduction Jonathan Thaler Department of Computer Science 1 / 39 Introduction The limits of my language are the limits of my world. Ludwig Wittgenstein Tractatus Logico-Philosophicus

986 views • 39 slides
Information hiding Receivers and behavior Messages differ from traditional function

Information hiding Receivers and behavior Messages differ from traditional function

Information hiding Receivers and behavior Messages differ from traditional function Notice how a user of a service being calls in two very important respects: provided by an object, need only know the a) A designated receiver accepts

233 views • 6 slides
Street lighting monitoring at cabinet level using open-source tools: a real scenario Adamo Ferro

Street lighting monitoring at cabinet level using open-source tools: a real scenario Adamo Ferro

IEEE Second International Smart Cities Conference (ISC2 2016) Trento, 14/09/2016 Street lighting monitoring at cabinet level using open-source tools: a real scenario Adamo Ferro adamo_ferro@comune.trento.it Outline Introduction and

344 views • 15 slides
Status of Krell Tools Built using Dyninst/MRNet Paradyn Week

Status of Krell Tools Built using Dyninst/MRNet Paradyn Week

Status of Krell Tools Built using Dyninst/MRNet Paradyn Week 2013 Madison, Wisconsin April 30, 2013 LLNL-PRES-503431 Paradyn Week 2013 04/30/2013

515 views • 28 slides
Relay : a high level differentiable IR Jared Roesch TVMConf December 12th, 2018 1 This

Relay : a high level differentiable IR Jared Roesch TVMConf December 12th, 2018 1 This

Relay : a high level differentiable IR Jared Roesch TVMConf December 12th, 2018 1 This represents months of joint work with lots of great folks: 2 TVM Stack Optimization High-Level Differentiable IR Relay AutoTVM Tensor Expression

634 views • 36 slides
Model Checking Infinite-state Systems in SAL Bruno Dutertre, SRI International Automated Formal

Model Checking Infinite-state Systems in SAL Bruno Dutertre, SRI International Automated Formal

Computer Science Laboratory, SRI International Model Checking Infinite-state Systems in SAL Bruno Dutertre, SRI International Automated Formal Methods FLoC Workshop Seattle, August 21st 2006. Computer Science Laboratory, SRI International

470 views • 10 slides

More recommend