Windows Memory Forensics: Detecting (Un)Intentionally Hidden Injected Code by Examining Page Table Entries

Block, Frank E.; Dewald, Andreas

doi:10.1016/j.diin.2019.04.008

Cited by 25 publications

(4 citation statements)

References 3 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…2) GhostMiner: It is a powerful fileless cryptojacking [76], observed in 2018, with the high-level evasion techniques [77]. GhostMiner exploits WMI objects as a fileless threat routine for a persistent mechanism [78] to mine Monero cryptocurrency (XMR) continuously.…”

Section: A Common Fileless Cryptojacking Malware In the Wildmentioning

confidence: 99%

The Dangerous Combo: Fileless Malware and Cryptojacking

Varlioglu¹,

Elsayed²,

ElSayed³

et al. 2022

Preprint

View full text Add to dashboard Cite

Fileless malware and cryptojacking attacks have appeared independently as the new alarming threats in 2017. After 2020, fileless attacks have been devastating for victim organizations with low-observable characteristics. Also, the amount of unauthorized cryptocurrency mining has increased after 2019. Adversaries have started to merge these two different cyberattacks to gain more invisibility and profit under "Fileless Cryptojacking." This paper aims to provide a literature review in academic papers and industry reports for this new threat. Additionally, we present a new threat hunting-oriented DFIR approach with the best practices derived from field experience as well as the literature. Last, this paper reviews the fundamentals of the fileless threat that can also help ransomware researchers examine similar patterns.

show abstract

Section: A Common Fileless Cryptojacking Malware In the Wildmentioning

confidence: 99%

The Dangerous Combo: Fileless Malware and Cryptojacking

Varlioglu¹,

Elsayed²,

ElSayed³

et al. 2022

Preprint

View full text Add to dashboard Cite

show abstract

“…There exists no single system which has the capability to detect all major types of process injection. Current process injection detection tools are not able to cope with the existing injection techniques and fail to reliably reveal existing malware utilizing certain hiding techniques [1].…”

Section: A Motivationmentioning

confidence: 99%

An Advanced Memory Introspection Technique to Detect Process Injection and Malwares of Varied Types in a Virtualized Environment

Tank¹,

Aggarwal²,

Chaubey³

2021

Preprint

View full text Add to dashboard Cite

Today’s advanced malware can easily avoid detection by adopting several evasion strategies. Process injection is one such strategy to evade detection from security products since the execution is masked under a legitimate process. Malicious activities are often enforced by injecting malicious code into running processes, which is often undetectable by traditional antimalware techniques. Various process injection techniques are employed by malware to gain more stealth and to bypass security tools/products. Our main focus in this research work is to propose an entirely out-of-VM approach based on advanced memory introspection to detect process injection of varied types in a virtualized environment. We have implemented a plugin using the open-source Volatility tool and successfully tested it on live VMs and malware-infected memory images. Experimental results show that our model classifies injected memory regions with high accuracy and completeness and has more true positives and fewer false positives when compared to other existing systems/solutions. Our proposed detection approach assures precise and reliable results and exactly pinpoint injected memory regions. Our proposed system detects an actual malicious memory region in the virtual address space of an infected process. Our proposed system detects more malware families and dominates the other approaches in all evaluation metrics.

show abstract

“…Tahap akuisisi data pada penelitian ini dilakukan secara live forensics, Tahapan akuisisi data secara live forensics mengacu pada penelitian yang dilakukan sebelumnya oleh [12], [13]. Pada penelitian lainnya yang dilakukan oleh [14] dilakukan akuisisi terhadap random access memory windows untuk menemukan user_id dan password.…”

Section: Proses Penguncian Pada Dm-cryptunclassified

Analisis Forensik Digital Memori Volatile untuk Mendapatkan Kunci Enkripsi Aplikasi Dm-Crypt

Firdaus

Suprianto

Agustina

2021

json

View full text Add to dashboard Cite

Disk encryption technology is something very useful in securing data. On the other hand, disk encryption can be used by criminals to hide the digital evidence. The information in the disk will be very useful for the investigation, but if the disk on the computer evidence encrypted then it will hamper the investigation process. The conditions will certainly be a challenge for investigator cybercrime to be able to find the disk encryption key, especially if the perpetrator did not cooperate in the investigation process. The analysis of the image memory to get the encryption key will be helpful in the investigation. In the overall memory activity on the computer evidence will be recorded, using a live image memory dump on the computer evidence, the decryption keys can be recovered. This paper will discuss about forensic analysis to getting the disk encryption key on the dm-crypt is used to encrypt the disk on Linux operating system and prove that through forensic image memory on a live memory dump, key dm-crypt disk encryption can be found with a success percentage of 80%. On this paper the research will be focused on the Linux operating system with dm-crypt function to full disk encryption.

show abstract

Windows Memory Forensics: Detecting (Un)Intentionally Hidden Injected Code by Examining Page Table Entries

Cited by 25 publications

References 3 publications

The Dangerous Combo: Fileless Malware and Cryptojacking

The Dangerous Combo: Fileless Malware and Cryptojacking

An Advanced Memory Introspection Technique to Detect Process Injection and Malwares of Varied Types in a Virtualized Environment

Analisis Forensik Digital Memori Volatile untuk Mendapatkan Kunci Enkripsi Aplikasi Dm-Crypt

Contact Info

Product

Resources

About