complex malware forensic investigation
play

Complex malware & forensic investigation RMLL 2016 Paul - PowerPoint PPT Presentation

May 22, 2023 •11 likes •501 views

Complex malware & forensic investigation RMLL 2016 Paul Rascagnres & Sebastien Larinier Complex malware & forensics investigation | about us Me: Paul Rascagnres Twitter account: @r00tbsd Senior threat researcher at CERT

  1. Complex malware & forensic investigation RMLL 2016 – Paul Rascagnères & Sebastien Larinier

  2. Complex malware & forensics investigation | about us Me: Paul Rascagnères Twitter account: @r00tbsd Senior threat researcher at CERT SEKOIA Author of the French books "Malwares - Identification, analyse et eradication" (ISBN: 978-2746079656) "Sécurité informatique et Malwares - Analyse des menaces et mise en oeuvre des contre-mesures (2e édition) " (ISBN: 978-2409000737) Co-Organizer of Botconf (2-4 December – Paris) Located in our offices in Luxembourg & Paris SEKOIA 2

  3. Complex malware & forensics investigation | about us Me: Sebastien Larinier Twitter account: @sebdraven Digital Forensics and Incidence Response at CERT SEKOIA Member of the Honeynet Project Co-Organizer of Botconf (2-4 December – Paris) Located in Paris SEKOIA 3

  4. What is FastIR Collector? SEKOIA 4

  5. Complex malware & forensics investigation | What is FastIR Collector? FastIR Collector: - Open Source project sponsored by SEKOIA - http://github.com/SekoiaLab/FastIR_Collector - release at HES 2015 - configurable forensic collector - standalone - 32/64b - Windows XP -> 10 (Workstation & Server) SEKOIA 5

  6. Complex malware & forensics investigation | What is FastIR Collector? FastIR Collector: SEKOIA 6

  7. Complex malware & forensics investigation | What is FastIR Collector? Collected artefacts in userland: - MFT - drives - MBR - browsers history - RAM - recycle bin - HDD - startups - processes - shellbags - named pipes + FileCatcher - MRU - files collect - recent docs - hashes - … - event logs - … - prefetch SEKOIA 7

  8. Complex malware & forensics investigation | What is FastIR Collector? Filecatcher description [filecatcher] recursively =True path =c:\tmp|*,c:\temp|*,c:\recycler|*,%WINDIR%|*,%USERPROFILE%|* mime_filter =application/msword;application/octet-stream;application /xarchive;application/x-ms-pe;application/x-ms-dosexecutable;applica tion/x-lha;application/x-dosexec;application/xelc;application/x-exec utable, statically linked, stripped;application/x-gzip;application/x -object, not stripped;application/x-zip; mime_zip =application/x-ms-pe;application/x-ms-dosexecutable;applica tion/x-dosexec;application/x-executable, statically linked, stripped compare =AND size_min =6k size_max =100M ext_file =* zip_ext_file =* zip =True SEKOIA 8

  9. Complex malware & forensics investigation | What is FastIR Collector? Filecatcher description + signature filter SEKOIA 9

  10. What is the goal of this talk? SEKOIA 10

  11. Complex malware & forensics investigation | What is the goal of this talk? Use on real cases such as: - rootkit - bootkit - userland RAT - … You can check our wiki documentation on GitHub: https://github.com/SekoiaLab/FastIR_Collector/wiki/ SEKOIA 11

  12. Case studies SEKOIA 12

  13. Case 1: Uroburos/Turla/Snake SEKOIA 13

  14. Complex malware & forensics investigation | Uroburos/Turla/Snake Malware description: - rootkit publicly released in 02/2014 - probably state sponsored - it uses 2 Virtual File Systems - hides itself (driver file .sys + registry) Live forensics collect on this kind of case is always complicated: we cannot trust the system behavior SEKOIA 14

  15. Complex malware & forensics investigation | Uroburos/Turla/Snake FastIR Collector: Driver identification via the filecatcher (.zip + _Filecatcher.csv): paul@lab:~$ unzip -l HES-demo_files_.zip Archive: HES-demo_files_.zip Length Date Time Name --------- ---------- ----- ---- 210944 2015-10-08 11:07 WINDOWS/$NtuninstallQ817473$/fdisk.sys 224768 2007-11-06 19:23 WINDOWS/WinSxS/x86_Microsoft.VC90/msvcm90.dll 59904 2007-11-06 21:51 WINDOWS/WinSxS/x86_Microsoft.VC90/mfcm90.dll 59904 2007-11-06 21:51 WINDOWS/WinSxS/x86_Microsoft.VC90/mfcm90u.dll --------- ------- 555520 4 files "HES-demo","Filecatcher","2015-10-08 11:07:40.763156", "C:\WINDOWS\$NtuninstallQ817473$\fdisk.sys", "50edc955a6e8e431f5ecebb5b1d3617d3606b8296f838f0f986a929653d289ed ", "application/x-ms-dosexecutable","True","False", http://www.virustotal.com/en/file/50edc955a6e8e431[...]929653d289ed/analysis SEKOIA 15

  16. Complex malware & forensics investigation | Uroburos/Turla/Snake FastIR Collector: Persistence identification (_startup.csv): "HES-demo","registry_services","2015-10-15 10:28:32", "HKEY_LOCAL_MACHINE", "System\CurrentControlSet\Services\Ultra3","ImagePath", "VALUE","REG_SZ", "\SystemRoot\$NtuninstallQ817473$\fdisk.sys" SEKOIA 16

  17. Complex malware & forensics investigation | Uroburos/Turla/Snake FastIR Collector: Named pipe identification (_named_pipes.csv): "HES-demo","named_pipes","\\.\pipe\isapi_http2" "HES-demo","named_pipes","\\.\pipe\isapi_dg2" "HES-demo","named_pipes","\\.\pipe\isapi_http" "HES-demo","named_pipes","\\.\pipe\isapi_dg" SEKOIA 17

  18. Complex malware & forensics investigation | Uroburos/Turla/Snake FastIR Collector: VFS identification (_prefetch.csv): \DEVICE\RAWDISK1\KLOG \DEVICE\RAWDISK1\$MFT \DEVICE\RAWDISK1\QUEUE SEKOIA 18

  19. Case 2: ComRAT SEKOIA 19

  20. Complex malware & forensics investigation | ComRAT Malware description: - user land RAT - developed by the same author than Uroburos - uncommon persistence (COM Object hijack) SEKOIA 20

  21. Complex malware & forensics investigation | ComRAT FastIR Collector: Malware identification (.zip): paul@lab:~$ unzip -l HES-demo_files_.zip Length Date Time Name --------- ---------- ----- ---- 260096 2008-04-14 14:00 Documents and Settings/demo /Application Data/Microsoft/credprov.tlb 51200 2008-04-14 14:00 Documents and Settings/demo /Application Data/Microsoft/shdocvw.tlb 224768 2007-11-06 19:23 WINDOWS/WinSxS/x86_Microsoft .VC90/msvcm90.dll 59904 2007-11-06 21:51 WINDOWS/WinSxS/x86_Microsoft .VC90/mfcm90.dll 59904 2007-11-06 21:51 WINDOWS/WinSxS/x86_Microsoft .VC90/mfcm90u.dll SEKOIA 21

  22. Complex malware & forensics investigation | ComRAT FastIR Collector: Persistence identification not visible… HKCU\Software\CLSID\{42aedc87-2188-41fd-b9a30c966feabec1}\InprocServer32 SEKOIA 22

  23. Complex malware & forensics investigation | ComRAT FastIR Collector: Library injection (_processes_dll.csv): "HES-demo","processes_dll","1420","C:\WINDOWS\ Explorer.EXE“ ,"C:\Documents and Settings\demo\Application Data\Microsoft \shdocvw.tlb" "HES-demo","processes_dll","1420","C:\WINDOWS\ Explorer.EXE“ ,"C:\Documents and Settings\demo\Application Data\Microsoft \credprov.tlb" SEKOIA 23

  24. Case 3: Babar SEKOIA 24

  25. Complex malware & forensics investigation | Babar Malware description: - user land RAT - probably developed by a French intel agency SEKOIA 25

  26. Complex malware & forensics investigation | Babar FastIR Collector: Persistence identification (_startup.csv) "HES-demo","startup","2015-10-08 11:20:21", "HKEY_LOCAL_MACHINE","Software\Microsoft\Windows \CurrentVersion\Run ","MSSecurity","VALUE","REG_SZ", """regsvr32.exe"" /s /n /i ""C:\Documents and Settings \All Users\Application Data\perf_585.dll""" SEKOIA 26

  27. Complex malware & forensics investigation | Babar FastIR Collector: Process identification (_processes.csv) "HES-demo","processes","1828","regsvr32.exe", """C:\WINDOWS\system32\regsvr32.exe"" /s /n /i ""C:\Documents and Settings\All Users\Application Data \perf_585.dll""","C:\WINDOWS\system32\regsvr32.exe" SEKOIA 27

  28. Complex malware & forensics investigation | Babar FastIR Collector: Library injection (_processes_dll.csv) "HES-demo","processes_dll","1440","C:\WINDOWS\ Explorer.EXE“ ,"C:\Documents and Settings\All Users\Application Data\ perf_585.dll" "HESdemo","processes_dll","1788","C:\WINDOWS\system32\ VBoxTray.exe","C:\Documents and Settings\All Users\ Application Data\perf_585.dll" "HESdemo","processes_dll","1848","C:\WINDOWS\system32\ ctfmon.exe","C:\Documents and Settings\All Users\ Application Data\perf_585.dll" SEKOIA 28

  29. Case 4: Casper SEKOIA 29

  30. Complex malware & forensics investigation | Casper Malware description: - user land RAT - probably developed by the same team than Babar SEKOIA 30

  31. Complex malware & forensics investigation | Casper FastIR Collector: Persistence identification (_startup.csv) "HES-demo","startup","2015-10-08 11:30:07", "HKEY_LOCAL_MACHINE","Software\Microsoft\Windows \CurrentVersion\Run ","VBOX Audio Interface Device Manager","VALUE","REG_SZ","""C:\Program Files\ Fichiers communs\VBOX Audio Interface Device Manager \aiomgr.exe"" 3071006457" SEKOIA 31

Recommend

investigation Hackito Ergo Sum 2015 Paul Rascagneres & Sebastien Larinier Complex malware

investigation Hackito Ergo Sum 2015 Paul Rascagneres & Sebastien Larinier Complex malware

Complex malware & forensic investigation Hackito Ergo Sum 2015 Paul Rascagneres & Sebastien Larinier Complex malware & forensics investigation | about us Me: Paul Rascagnres Twitter account: @r00tbsd Senior threat researcher

442 views • 43 slides
Challenges in Crime Scene Investigation Technical challenges in forensic STR profiling

Challenges in Crime Scene Investigation Technical challenges in forensic STR profiling

Epigenetics a New Perspective for Improving Forensic Science p g Hwan Young Lee, Ph.D. Department of Forensic Medicine Yonsei University College of Medicine Current Forensic DNA Typing Forensic cases -- matching suspect with evidence

247 views • 13 slides
Combating Malware in the age of APT SANS Digital Forensic and Incident Response Summit July 2010

Combating Malware in the age of APT SANS Digital Forensic and Incident Response Summit July 2010

Combating Malware in the age of APT SANS Digital Forensic and Incident Response Summit July 2010 Jason Garman CTO, Kyrus Technology New directions for malware Malicious code used in APT attacks are usually: Not sexy the

409 views • 24 slides
Toward Automated Forensic Analysis of Obfuscated Malware Ryan J. Farley George Mason University

Toward Automated Forensic Analysis of Obfuscated Malware Ryan J. Farley George Mason University

Toward Automated Forensic Analysis of Obfuscated Malware Ryan J. Farley George Mason University Department of Computer Science Committee: Xinyuan Wang, Hakan Aydin, Songqing Chen, Brian Mark Where Innovation Is Tradition April 24, 2015

611 views • 59 slides
Reasoning About a Simulated Printer Case Investigation with Forensic Lucid 1 Serguei A. Mokhov

Reasoning About a Simulated Printer Case Investigation with Forensic Lucid 1 Serguei A. Mokhov

Introduction Background Sample Case Conclusion Reasoning About a Simulated Printer Case Investigation with Forensic Lucid 1 Serguei A. Mokhov Joey Paquet Mourad Debbabi Department of Computer Science and Software Engineering Faculty of

720 views • 46 slides
Forensic investigation of Chinese smartwatches Renee Witsenburg & Kasper van Brakel 1 A

Forensic investigation of Chinese smartwatches Renee Witsenburg & Kasper van Brakel 1 A

Forensic investigation of Chinese smartwatches Renee Witsenburg & Kasper van Brakel 1 A smartwatch is a wristband with sensors. Sensor information from the wristband is send to a mobile telephone. Furthermore, notifications from the

449 views • 21 slides
Automatic Event Log Abstraction to Support Forensic Investigation Hudan Studiawan, Ferdous Sohel,

Automatic Event Log Abstraction to Support Forensic Investigation Hudan Studiawan, Ferdous Sohel,

Automatic Event Log Abstraction to Support Forensic Investigation Hudan Studiawan, Ferdous Sohel, Christian Payne College of Science, Health, Engineering and Education Murdoch University, Perth, Australia The Australasian Information Security

341 views • 22 slides
National Treasury Forensic Investigation To Verify Prasa Contracts Above R10 Million Rand Awarded

National Treasury Forensic Investigation To Verify Prasa Contracts Above R10 Million Rand Awarded

National Treasury Forensic Investigation To Verify Prasa Contracts Above R10 Million Rand Awarded From 2012 Friday, 14 October 2016 Disclaimer This presentation has been provided solely for purposes of giving a synopsis of our final draft

901 views • 43 slides
Forensic Investigation of Peer-to-Peer File Sharing Networks Marc Liberatore 1 Robert Erdely 2

Forensic Investigation of Peer-to-Peer File Sharing Networks Marc Liberatore 1 Robert Erdely 2

Motivation P2P Overview Investigations and Legal Issues Results and Tool Forensic Investigation of Peer-to-Peer File Sharing Networks Marc Liberatore 1 Robert Erdely 2 Thomas Kerle 3 Brian Neil Levine 1 Clay Shields 4 1 University of

575 views • 19 slides
Fast and Generic Malware Triage Using openioc_scan Volatility Plugin TAKAHIRO HARUYAMA

Fast and Generic Malware Triage Using openioc_scan Volatility Plugin TAKAHIRO HARUYAMA

Fast and Generic Malware Triage Using openioc_scan Volatility Plugin TAKAHIRO HARUYAMA (@CCI_FORENSICS) INTERNET INITIATIVE JAPAN INC. Digital Forensics Research Conference Europe 2015 Who am I? 2 Forensic Investigator & Malware

796 views • 27 slides
Why This Workshop? In 2009 the Research Council of the National Academy of Sciences issues a

Why This Workshop? In 2009 the Research Council of the National Academy of Sciences issues a

Specialized Topics in Ethical Forensic Practice, Part 3: Bias in Forensic Evaluations November 18, 2015 Ohio MHAS Forensic Conference Columbus, OH Terry Kukor, Ph.D., ABPP Board Certified in Forensic Psychology Director of Forensic Services Netcare

972 views • 23 slides
Objectives 1. Articulate the rationale for restructuring forensic evaluation reports 2. Identify

Objectives 1. Articulate the rationale for restructuring forensic evaluation reports 2. Identify

11/5/2015 Specialized Topics in Ethical Forensic Practice, Part 1: Restructured Forensic Reports Presented For OhioMHAS Forensic Conference November 18, 2015 Terry Kukor, Ph.D., ABPP (Forensic) Joy Stankowski, M.D. Aracelis (Liz) Rivera, Psy.D.

451 views • 17 slides
T and Science of Forensic Monitoring Forensic Monitor may be employed by one Board or a

T and Science of Forensic Monitoring Forensic Monitor may be employed by one Board or a

11/5/2015 The T and Science of Forensic Monitoring Robert N. Baker, PhD Jeannie Cool, PCC-S Lottie Gray, MSSA, LISW, CDCA Julia King, PsyD, MBA T and Science of Forensic Monitoring Has your boss just told you? You are our New Forensic

389 views • 24 slides
Smart Forensic Solutions Role of Forensics in Criminal Justice System Court Proceedings

Smart Forensic Solutions Role of Forensics in Criminal Justice System Court Proceedings

Topic Smart Forensic Solutions Role of Forensics in Criminal Justice System Court Proceedings Analysis of Police Crime Forensic Investigation Evidence EXPECTATIONS Timely Seamless & Evidences get Integrable putrefied, e.g. to

138 views • 9 slides
Forensic Challenge V2.0 UNAM-CERT RedIRIS Topics * Forensic Challenge V1.0 * Forensic

Forensic Challenge V2.0 UNAM-CERT RedIRIS Topics * Forensic Challenge V1.0 * Forensic

Forensic Challenge V2.0 UNAM-CERT RedIRIS Topics * Forensic Challenge V1.0 * Forensic Challenge V2.0 * Conclusions Introduction Why this forensic Challenge ? * To promote and impulse the Forensic Analysis in our Region -- Hispanoamerica--

558 views • 19 slides
Specialized Topics in Ethical Forensic Practice, Part 3: Bias in Forensic Evaluations November 18,

Specialized Topics in Ethical Forensic Practice, Part 3: Bias in Forensic Evaluations November 18,

Specialized Topics in Ethical Forensic Practice, Part 3: Bias in Forensic Evaluations November 18, 2015 Ohio MHAS Forensic Conference Columbus, OH Terry Kukor, Ph.D., ABPP Board Certified in Forensic Psychology Director of Forensic Services Netcare

1.29k views • 67 slides
THE NEW FORENSIC PATIENT Learning Objectives Review the epidemiology of forensic populations

THE NEW FORENSIC PATIENT Learning Objectives Review the epidemiology of forensic populations

THE NEW FORENSIC PATIENT Learning Objectives Review the epidemiology of forensic populations Explore various clinical presentations seen in forensic settings Implement evidence-based and novel treatment strategies to the new forensic

946 views • 80 slides
Forensic Voice Comparison and Forensic Acoustics 1 Value and Interpretation of Biometric

Forensic Voice Comparison and Forensic Acoustics 1 Value and Interpretation of Biometric

Forensic Voice Comparison and Forensic Acoustics 1 Value and Interpretation of Biometric Evidence in Forensic Automatic Speaker Recognition Dr. Andrzej Drygajlo Speech Processing and Biometrics Group Swiss Federal Institute of Technology

546 views • 44 slides
Regional Forensic Trainings 2013 Pathways to Conditional Release: An Overview of the Forensic

Regional Forensic Trainings 2013 Pathways to Conditional Release: An Overview of the Forensic

Regional Forensic Trainings 2013 Pathways to Conditional Release: An Overview of the Forensic Mental Health System Robert N. Baker, PhD Assistant Chief Office of Forensic Services, ODMH Objectives Provide an overview of the forensic

581 views • 40 slides
T and Science of Forensic Monitoring Has your boss just told you? You are our New Forensic

T and Science of Forensic Monitoring Has your boss just told you? You are our New Forensic

The T and Science of Forensic Monitoring Robert N. Baker, PhD Jeannie Cool, PCC-S Lottie Gray, MSSA, LISW, CDCA Julia King, PsyD, MBA T and Science of Forensic Monitoring Has your boss just told you? You are our New Forensic Monitor.

834 views • 70 slides
A Systemic Investigation of Complex IS Framing and Specification Dr. Susan Gasson Assistant

A Systemic Investigation of Complex IS Framing and Specification Dr. Susan Gasson Assistant

A Systemic Investigation of Complex IS Framing and Specification Dr. Susan Gasson Assistant Professor College of IS & T Drexel University The Design Process Traditional model of decomposition Observed strategy of opportunism

570 views • 19 slides
Comparison of DNA Stability Using Various Sample Collection Devices for forensic DNA analysis

Comparison of DNA Stability Using Various Sample Collection Devices for forensic DNA analysis

Comparison of DNA Stability Using Various Sample Collection Devices for forensic DNA analysis Criminal Investigation Laboratory, Oita Prefectural Police, Japan Seiki Nakao Todays Presentation 1. Introduction 2. Materials and Methods 3.

609 views • 27 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

540 views • 42 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

570 views • 22 slides

More recommend