Introducing Intelligence Into Your Malware Analysis - Brian Baskin
With malware becoming more prevalent, and the pool of capable reversers falling short of overall need, there is a greater need to provide quick and efficient malware analysis for network defense. While many analysts have a grasp on how to appropriately reverse malware, there is large room for improvement by extracting critical indicators, correlating on key details, and cataloging artifacts in a way that improves your corporate response for the next attack. This talk goes beyond the basics of malware analysis and focuses on the critical indicators that analysts should concentrate on for attribution and better reporting.
This document discusses different techniques for injecting code on Windows systems, including PE file infection, IAT hooking, and runtime code injection. PE file infection involves overwriting a section like .code and changing the entry point to inject malicious code. IAT hooking changes the DLL name in the import address table to point to a proxy DLL for intercepting function calls. Runtime code injection uses APIs like CreateRemoteThread and WriteProcessMemory to load a DLL or executable into another process's memory and execute it remotely.
Reversing & Malware Analysis Training Part 3: Windows PE File Format Basics - securityxploded
This presentation is part of our Reverse Engineering & Malware Analysis Training program.
For more details refer our Security Training page
http://securityxploded.com/security-training.php
The document discusses Monnappa, a security investigator at Cisco who focuses on threat intelligence and malware analysis. It provides an overview of static analysis, dynamic analysis, and memory analysis techniques for analyzing malware. It includes steps for each technique and screenshots demonstrating analysis of a Zeus bot sample using tools like PEiD, Dependency Walker, Volatility, and VirusTotal. The analysis uncovered the malware creating registry Run keys for persistence and injecting itself into the explorer.exe process.
This document describes a malware analysis sandbox that executes suspicious files in a monitored and controlled virtual environment. It monitors the file system, registry, processes, and network activity of the sample to determine its purpose and behavior. The sandbox automates analysis using open source tools and outputs comprehensive reports, packet captures, artifacts, and screenshots for further examination. It takes samples as input, runs static and dynamic analysis, executes the sample in a clean virtual machine snapshot while monitoring for changes, analyzes memory dumps, and stores the results for later review.
This document provides an overview of the Etumbot malware, including its use in cyber espionage attacks, how it works, and how to analyze and decrypt its communications. Etumbot is dropped via spearphishing emails and establishes persistence on Windows systems by adding a registry entry. It communicates with command and control servers using an initial handshake to receive an RC4 key, which it then uses to encrypt additional communications like sending stolen system information. The document demonstrates analyzing the malware's behavior and decrypting its network traffic.
This document summarizes a presentation about DLL loading vulnerabilities. It begins with an introduction to the presenter and their background. The topics to be covered are then outlined, including the history of DLL loading issues, types of vulnerabilities like hijacking and preloading, how the DLL search order works and can be affected, recommendations for secure development practices, and references. A demonstration will also be included.
This document discusses return address analysis for malware detection. It explains that return addresses provide important context about the execution flow and origin of API calls. Precisely tracking return addresses and API calls can help analyze application hijacking, detect unpacked/injected code, and identify abnormal system interactions that may indicate malware. While return address analysis provides useful insights, the document also notes limitations in fully detecting advanced exploits from external tools due to opportunities for a malware program to evade detection.
Malicious URL Detection Using Machine Learning - securityxploded
This document discusses using machine learning to detect malicious URLs. It proposes extracting various features from URLs, including querying blacklists, domain registration information, host properties, and lexical features of the URL. These features are then used to train classifiers like logistic regression to distinguish benign from malicious URLs. The approach is shown to achieve over 86.5% accuracy in detecting malicious URLs using a diverse set of over 18,000 features, performing better than blacklists alone. Future work includes scaling the approach for deployment and incorporating webpage content analysis.
The document provides an overview of exploit kits, including common exploit kit names (e.g. Fiesta, Angler), the phases of an exploit kit attack (compromised site, redirector, landing page, post-infection traffic), exploits used across browsers/plugins (e.g. IE, Java, Flash), evasion techniques (e.g. obfuscation), and includes a technical analysis of the CVE-2014-0515 Flash exploit.
This document summarizes the analysis of the Betabot malware. It describes how the malware unpacks itself in multiple stages using common unpacking techniques. It also discusses the malware's anti-analysis behaviors, injection and migration methods, and how it hooks various system calls on 32-bit and 64-bit systems to maintain persistence. The document provides technical details on the malware's behavior and interesting internal workings.
Introduction on how unique identifier systems are managed and coordinated - R... - APNIC
Sunny Chendi, Senior Regional Advisor, Membership and Policy at APNIC, presented an 'Introduction on how unique identifier systems are managed and coordinated - RIRs (APNIC for APAC), ICANN, IETF and policy development' at MyAPIGA 2025 held in Putrajaya from 16 to 18 February 2025.
Cyber Hacking and Cyber Fraud by Internet Online Money - VEENAKSHI PATHAK
Cyber fraud is a blanket term for crimes committed through cyberattacks via the internet. These crimes are committed with the intent to illegally acquire and leverage an individual's or business's sensitive information for monetary gain.
Shopify API Integration for Custom Analytics: Advanced Metrics & Reporting Gu... - CartCoders
CartCoders offers specialized Shopify integration services to enhance your eCommerce store's functionality and user experience. Connect your Shopify store seamlessly with essential software and applications. Perfect for businesses aiming to streamline operations and boost efficiency.
HITRUST Overview and AI Assessments Webinar.pptx - AmyPoblete3
This webinar provides an overview of HITRUST, a widely recognized cybersecurity framework, and its application in AI assessments for risk management and compliance. It explores different HITRUST assessment options, including AI-specific frameworks, and highlights how organizations can streamline certification processes to enhance security and regulatory adherence.
Custom Development vs Off-the-Shelf Solutions for Shopify Plus ERP Integratio... - CartCoders
Choosing between custom development and off-the-shelf solutions for Shopify Plus ERP integration? Our latest blog explores the pros and cons to help you decide the best approach for optimizing your eCommerce operations.
Elliptic Curve Cryptography Algorithm with Recurrent Neural Networks for Atta... - IJCNCJournal
The increasing use of Industrial Internet of Things (IIoT) devices has brought about new security vulnerabilities, emphasizing the need to create strong and effective security solutions. This research proposes a two-layered approach to enhance security in IIoT networks by combining lightweight encryption and RNN-based attack detection. The first layer utilizes Improved Elliptic Curve Cryptography (IECC), a novel encryption scheme tailored for IIoT devices with limited computational resources. IECC employs a Modified Windowed Method (MWM) to optimize key generation, reducing computational overhead and enabling efficient secure data transmission between IIoT sensors and gateways. The second layer employs a Recurrent Neural Network (RNN) for real-time attack detection. The RNN model is trained on a comprehensive dataset of IIoT network traffic, including instances of Distributed Denial of Service (DDoS), Man-in-the-Middle (MitM), ransomware attacks, and normal communications. The RNN effectively extracts contextual features from IIoT nodes and accurately predicts and classifies potential attacks. The effectiveness of the proposed two-layered approach is evaluated in three phases. The first phase compares the computational efficiency of IECC to established cryptographic algorithms including RSA, AES, DSA, Diffie-Hellman, SHA-256 and ECDSA. IECC outperforms all competitors in key generation speed, encryption and decryption time, throughput, memory usage, information loss, and overall processing time. The second phase evaluates the prediction accuracy of the RNN model compared to other AI-based models: DNNs, DBNs, RBFNs, and LSTM networks. The proposed RNN achieves the highest overall accuracy of 96.4%, specificity of 96.5%, precision of 95.2%, and recall of 96.8%, and the lowest false positive rate of 3.2% and false negative rate of 3.1%.