(W30M00) Pre-Course


Forensics Malware Analysis

Forensics malware analysis could be static or dynamic, in a classical view. In a real world, the difficult to perform malware dynamic analysis can be very hard and depend on the scenario. This difficult growth in ransomware analysis is because we are faced with network traffic aside from artifacts evidence.

Artifacts evidence depends on EFO (encryption file order) elements. Although encryption is a common ransomware procedure, the EFO can be different in every ransomware.

We are investigating EFO in Windows 7 and Windows 10 architecture virtual hosts. What are EFO evidences in these two architectures?

Forensics Ransomware Analysis

This course will work with a memory dump file created in VMware virtual machine infected with several ransomware files. Infected virtual machines are available and we expect that you explore them carefully.

In this course, we will adopt the live approach because we do not share the executable file. But, even in a virtual machine, we can get the real behavior of the malware and an idea of the IOC (indicators of compromise) level.

Another important element is obtained in TOR network evidence. The figure below shows the basic encryption network communication (https://www.torproject.org/about/overview.html.en).

What is the quality of tracked data from a random path? This is the question when we are focusing on a TOR network.

Ransomware belongs to a special class of malware development: the cyber offensive security class. In this class, we found artifacts whose main function is to retrieve/block data for payment purpose.

Retrieve/block uses a cypher algorithm to encryption data. When ransomware infected a host, we don't know the size of the key (32, 56, 128, 158 bits and/or 26 characters permutations).

To understand and discover the size of the key, it’s essential to break cyphers. A cypher with 26! permutations takes an average time of 6.4x106 years to break it. EFO depends on the key size.

Memory dump files

This course uses the memory dumped file captured directly from the virtual machine (Windows 7 and Windows 10).

This technical approach is very appropriate because we can open these files with Volatility or Rekall.

Memory analysis is a modern forensic investigation. Plugins can be developed to analyze a malware behavior (see Volatility Project) or, when possible, we can use an Incident Response tool in a range of machines and prompt a report (see Rekall Project).

Despite our choice, these two approach can help us to understand Malware behavior. If we searching for a modular behavior, for example, and we seek for patterns, a plugin (or various plugins) could be a optimal choice. Incident Response tools may not recognize a pattern when there is more than one attack vector involved in an infection node. But it is my hypothesis and must be tested (not in this course).

Volatility framework is a powerful tool that can be used to read memory dump. In my opinion, it’s easy to work with if you put all files in the same folder that Volatility is running.

Then, you can export profile and location of the file that we will analyze.

You must do this for every image (memory dump file). This procedure will make the file analysis easier. But, this is optional. You can:

  • Identify rogue processes
  • Analyze process DLLs and handles  
  • Review network artifacts
  • Look for evidence of code injection
  • Check for signs of rootkit
  • Dump suspicious processes and drivers


SEE ALL Add a note
Add your Comment

Certificate Validation

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023