A Practical Approach To Malware Analysis, Hunting And Memory Forensics (HKT)

TIME: 09:00 to 17:00 ICT/GMT+7

This hands-on training teaches concepts, techniques and tools to understand the behavior and characteristics of malware by combining two powerful techniques, malware analysis and memory forensics.

Malware analysis and memory forensics are powerful analysis and investigative techniques used in reverse engineering, digital forensics and incident response. Adversaries are becoming more sophisticated and carrying out advanced malware attacks on critical infrastructures, Data Centers, private and public organizations. This makes detecting, responding and investigating such intrusions increasingly critical for information security professionals. Malware analysis and memory forensics have become a must-have skill for fighting advanced malwares, targeted attacks and security breaches.

This course will introduce attendees to basics of malware analysis,reverse engineering, Windows internals and memory forensics. It will then gradually progress deeper into more advanced concepts of memory forensics.

This course uses hands-on labs using real world malware samples and infected memory images (Crimewares, APT malwares, Rootkits etc) to help attendees gain better understanding of the subject. The training also shows how these techniques can be incorporated in a sandbox to automate malware analysis. After taking this course attendees will be equipped with skill to analyze, investigate and respond to malware related incidents.

Students will be provided with:

• Course material
• Lab solution material
• Videos used in the course
• Malware samples used in the course/labs
• Memory Images used in the course/labs
• Custom Scripts
• Linux VM (to be opened with VMware Workstation/Fusion) containing necessary tools and samples

Agenda

Day 1

Introduction to Malware Analysis

• What is Malware
• What they do
• Why malware analysis
• Types of malware analysis
• Setting up an isolated lab environment

Static Analysis

• Fingerprinting the malware
• Extracting strings
• Determining File obfuscation
• Pattern matching using YARA
• Fuzzing hashing & comparison
• Understanding PE File characteristics
• Disassembly
• Hands-on lab exercise involves analyzing a real malware sample

Dynamic Analysis/Behavioural analysis

• Dynamic Analysis Steps
• Understanding Dynamic Analysis tools
• Simulating services
• Performing Dynamic Analysis
• Monitoring process, filesystem, registry, and network activity
• Determining the Indicators of compromise (host and network indicators)
• Hands-on lab exercise involves analyzing a real malware sample

 Automating Malware Analysis(sandbox)

• Custom Sandbox Overview
• Working of Sandbox
• Sandbox Features
• Demo – Analyzing malware in the custom sandbox

Malware Persistence Methods

• Run registry key
• Scheduled Tasks
• Startup Folder
• Service
• Winlogon registry entries
• Image File Execution Options (IFEO)
• Accessibility programs
• AppInit_DLLs
• DLL Search order hijacking
• COM Hijacking
• Hands-on lab exercise involves analyzing a real malware sample

Day 2

Code Analysis

• Code Analysis Overview
• Disassembler & Debuggers
• Code Analysis Tools
• Basics of IDA Pro
• Basics of Ollydbg/x64dbg
• Understanding the API calls
• Reversing Malware functionalities(Downloader, dropper, keylogger, code injection, HTTP backdoor)
•  Hands-on lab exercise involves analyzing a real malware sample

Introduction to Memory Forensics

• What is Memory Forensics
• Why Memory Forensics
• Steps in Memory Forensics
• Memory acquisition and tools
• Acquiring memory From physical machine
• Acquiring memory from the virtual machine
• The hands-on exercise involves acquiring the memory

Volatility Overview

• Introduction to Volatility Advanced Memory Forensics Framework
• Volatility Installation
• Volatility basic commands
• Determining the profile
• Volatility help options
• Running the plugin

Investigating Process

• Understanding Process Internals
• Process(EPROCESS) Structure
• Process organization
• Process Enumeration by walking the double linked list
• Process relationship (parent-child relationship)
• Understanding DKOM attacks
• Process Enumeration using pool tag scanning
• Volatility plugins to enumerate processes
• Identifying malware process
• Hands-on lab exercise(scenario-based) involves investigating malware infected memory

Investigating Process handles & Registry

• Objects and handles overview
• Enumerating process handles using Volatility
• Understanding Mutex
• Detecting malware presence using a mutex
• Understanding the Registry
• Investigating common registry keys using Volatility
• Detecting malware persistence
• Hands-on lab exercise(scenario-based) involves investigating malware infected memory

Day 3

Investigating Network Activities

• Understanding malware network activities
• Volatility Network Plugins
• Investigating Network connections
• Investigating Sockets
• Hands-on lab exercise(scenario-based) involves investigating malware infected memory

Investigation Process Memory

• Process memory Internals
• Listing DLLs using Volatility
• Identifying hidden DLLs
• Dumping malicious executable from memory
• Dumping Dll’s from memory
• Scanning the memory for patterns(yarascan)
• Hands-on lab exercise(scenario-based) involves investigating malware infected memory

Investigating User-Mode Rootkits & Fileless Malwares

• Code Injection
• Types of Code injection
• Remote DLL injection
• Remote Code injection
• Reflective DLL injection
• Hollow process injection
• Demo – Case Study
• Hands-on lab exercise(scenario-based) involves investigating malware infected memory

Memory Forensics in Sandbox technology

• Sandbox Overview
• Integrating Memory Forensics into a sandbox
• Demo – showing the use of memory forensics in a custom sandbox

Investigating Kernel-Mode Rootkits

• Understanding Rootkits
• Understanding Functional call traversal in Windows
• Level of Hooking/Modification on Windows
• Kernel Volatility plugins
• Hands-on lab exercise(scenario-based) involves investigating malware infected memory
• Demo – Rootkit Investigation

Memory Forensic Case Studies

• Demo – Hunting an APT malware from Memory