By ro0ted | May 7, 2015 - 11:51 | Posted in /b/ | 5 Comments
#ro0ted #OpNewblood What the blackhats dont want you to know: Infected Machine? Create a memory dump

So your machine's infected. What can you do? Well, you can create a memory dump and analyze it with the Volatility Framework, which runs on Linux, Windows, and OS X. You can wipe the drive afterwards, but make the dump first: whatever ran on the box, and who it talked to, is still sitting in RAM, and memory forensics is how people get caught or have their servers exposed. – https://twitter.com/ro0ted/

Step 1.) Download the free version of MoonSols DumpIt:
http://www.moonsols.com/#pricing

After you download it, extract all the files to your desktop or wherever. Better: extract it to an external USB drive with more free space than the machine has RAM, because DumpIt writes the image into the directory it is run from and you do not want to write evidence onto the infected disk.

Then open DumpIt (right-click, Run as administrator; it needs admin rights to read physical memory).

When it opens you'll see a console window that tells you where the dump will be written and asks if you want to continue. Select yes (press y) and wait; it takes a few minutes, depending on how much RAM the machine has.

The .raw file it leaves next to DumpIt.exe, named after the hostname and the time of acquisition, is your memory dump. Note its SHA-256 now, before you copy it anywhere, so you can prove later that nothing changed it.

Then transfer it to your virtual machine with REMnux.
How? Put the dump on a USB drive or create a shared folder. Either way, hash the file before and after the copy and make sure the two hashes match.
To use a shared folder, open vbox, select the REMnux VM and click Settings.
In the window that pops up, click the Shared Folders module.
Click the + sign.
In the Add Share window, press the arrow next to Folder Path and select Other.
In the file chooser that pops up, select the folder that holds your dump (the raw image). A share is a folder, not the file itself.
Press OK, tick Auto-mount, and tick Read-only as well so the VM can read the evidence but not alter it.
Now the share will show up in the list under Machine Folders.

Note: for the shared folder to work you need the VirtualBox Guest Additions installed inside the REMnux VM; they provide the vboxsf driver that mounts the share (Devices > Insert Guest Additions CD image... in the running VM). The Extension Pack is installed on the host and is what gives you USB 2.0/3.0 passthrough, so you need it for the USB-drive route, not for shared folders.
Always check your version in the About page in vbox and download the matching Extension Pack:
http://download.virtualbox.org/virtualbox/4.3.26/Oracle_VM_VirtualBox_Extension_Pack-4.3.26-98988.vbox-extpack

Start up your REMnux VM. With Auto-mount on, the share appears under /media/sf_<sharename> (your user needs to be in the vboxsf group to read it). Then follow my previous tutorial to analyze your memory dump and see what you find:
https://archive.cyberguerrilla.org/a/2015/ro0ted-opnewblood-what-the-blackhats-dont-want-you-to-know-analyzing-the-zeus-bot-part-2/
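To make the transfer step verifiable, here is an added shell script for the REMnux side of the procedure. It is not code from the original post, from MoonSols or from REMnux. It mounts the VirtualBox share, checks the copied image against the SHA-256 you recorded on the infected host right after DumpIt finished (on Windows, `certutil -hashfile <file> SHA256` will print it), splits DumpIt's host-and-timestamp file name into a log line, and runs Volatility's profile detection followed by a process list. The share name `dumps`, the mount point, the log file location and DumpIt's `HOSTNAME-YYYYMMDD-HHMMSS.raw` naming are assumptions of the example.

```shell
#!/bin/sh
# Added example for the REMnux side of the procedure above. This is not code
# from the original post, from MoonSols or from REMnux. Assumptions:
#   - the VirtualBox share is called "dumps" and is mounted at /mnt/dumps
#     (both hypothetical names)
#   - the SHA-256 was recorded on the infected host right after DumpIt
#     finished, and is passed in as the second argument
#   - the image keeps DumpIt's default name, HOSTNAME-YYYYMMDD-HHMMSS.raw
#   - vol.py (Volatility 2.x) is on PATH, as it is on REMnux

# Mount the VirtualBox shared folder read-only. Needs the Guest Additions
# (they provide the vboxsf driver) installed inside the VM.
mount_share() {
    share="$1"; mnt="$2"
    [ -d "$mnt" ] || sudo mkdir -p "$mnt"
    sudo mount -t vboxsf -o ro,uid="$(id -u)",gid="$(id -g)" "$share" "$mnt"
}

# Split HOSTNAME-YYYYMMDD-HHMMSS.raw into "hostname date time" so the
# acquisition time can go into the log next to the hash. Hostnames that
# contain dashes are handled: only the last two dash-separated fields
# are the timestamp.
dump_name_fields() {
    base=$(basename "$1" .raw)
    host=${base%-*-*}            # drop "-YYYYMMDD-HHMMSS"
    stamp=${base#"$host"-}       # "YYYYMMDD-HHMMSS"
    printf '%s %s %s\n' "$host" "${stamp%-*}" "${stamp#*-}"
}

# The copied image must hash to the value taken on the infected host.
# A mismatch means the copy failed or the evidence was altered in transit.
# Returns 0 on match, 1 on mismatch.
verify_dump() {
    dump="$1"; expected="$2"
    actual=$(sha256sum "$dump" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# A raw physical-memory image is a whole number of 4 KiB pages. An empty
# file or an odd size means DumpIt was interrupted before it finished.
dump_size_ok() {
    size=$(wc -c < "$1" | tr -d ' ')
    [ "$size" -gt 0 ] && [ $((size % 4096)) -eq 0 ]
}

# One log line per image: host, date, time, size in bytes, SHA-256.
manifest_line() {
    dump="$1"
    size=$(wc -c < "$dump" | tr -d ' ')
    hash=$(sha256sum "$dump" | cut -d' ' -f1)
    printf '%s %s %s\n' "$(dump_name_fields "$dump")" "$size" "$hash"
}

# Triage: let Volatility suggest a profile, then list processes with the
# first suggestion. imageinfo prints "Suggested Profile(s) : A, B, ...".
triage() {
    dump="$1"
    profile=$(vol.py -f "$dump" imageinfo 2>/dev/null \
        | sed -n 's/.*Suggested Profile(s) *: *\([^, ]*\).*/\1/p' | head -n 1)
    [ -n "$profile" ] || { echo "no profile suggested for $dump" >&2; return 1; }
    vol.py -f "$dump" --profile="$profile" pslist
}

# When run as a script: sh receive_dump.sh <dump.raw> <sha256-from-host>
# (nothing below runs when the file is only sourced for its functions).
if [ $# -eq 2 ]; then
    verify_dump "$1" "$2" || { echo "hash mismatch, do not trust $1" >&2; exit 2; }
    dump_size_ok "$1"     || { echo "bad size, dump may be truncated" >&2; exit 3; }
    manifest_line "$1" >> "$HOME/acquisition.log"
    triage "$1"
fi
```

Copy the script into the VM (not into the share holding the dump), mount with `mount_share dumps /mnt/dumps` if you did not tick Auto-mount, then run `sh receive_dump.sh /mnt/dumps/<host>-<date>-<time>.raw <hash>`. If the hash does not match, stop: either the copy failed or the image was altered, and nothing you find in it can be trusted. The same share can be created from the host command line instead of the GUI with `VBoxManage sharedfolder add <vmname> --name dumps --hostpath <folder> --readonly --automount`. Keep in mind that the dump holds everything that was in RAM, including passwords and keys, so it stays inside the analysis VM.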

ro0ted

(In order)

Why am I teaching Reverse Engineering to inexperienced new Anons in OpNewblood?

Whitehat Lab

ASM Programming

Introduction Part 1 Ollydbg 

Introduction Part 2 Using Ollydbg and Tracing Botnets

Analyzing Botnets

Introduction Part 3 Ollydbg: Cheating a Crackme

Introduction Part 4 Ollydbg: Your first Patch

Encryption 101

Cuckoo Sandbox: Automated Malware Analysis also known as Malwr.com

Introduction to Honeydrive: A Brief Walk Through

Installing Kippo the SSH Honeypot on a VPS Part 1: How to set it up

Resource Hacker

Dll Injection the Easy Way

Visual Basic Binaries Walk Through Part 1

Ollydbg on Steroids

Creating Patchers Part 1

Have you supported the gas mask campaign over the years?

Crack to win a gas mask gift pack

How to edit a register me crack me Pre Part 1

Unwinding Delphi Binaries Walk Through if not Preview

Cracking Delphi Part 2

Reversing Timed Trials: Ollydbg Tricks Part 3

Analyzing Adware

Preview Against Debugging

Bypassing Registering 101

Bypassing Part 2

Android/iOS Reversing

Introducing IDA Pro: Static Analyzing

Hacker’s Disassembler

Ripping Apart Adware

Never trust Warez or Cracked Programs: Reversing a Crypted IRC bot infected file

IDA PRO Book

Unpacking & Crypting there is a difference

Covert Debugging whitepaper from blackhat.com

Manually Unpacking with Ollydbg

Manually Unpacking Part 2

Manually Unpacking 101

ASM Injecting

ASM Injecting Part 2

ASM Injecting Part 3: Crypt your malicious file

Reversing Trials

Adding Your Menu

ASM Injecting Part 4

ASM Injecting Part 5

Finding Nag Screens & Removing them

REMnux: Linux Toolkit for Reverse-Engineering and Analyzing Malware

REMnux: Volatility Framework ~ Memory Forensics

Volatility Analyzing the ZeuS Bot Part

How to create a memory dump +



5 Responses to #ro0ted #OpNewblood What the blackhats dont want you to know: Infected Machine? Create a memory dump

  1. Pingback: CyberGuerrilla soApboX » #ro0ted #OpNewbl...

    […]   […]

  2. Pingback: CyberGuerrilla soApboX » #ro0ted #OpNewblood What the blackhats dont want u to know: Meet the Auto Cousin of Volatility Framework

    […] you think your PC’s infected make a memory dump here in this tutorial: https://archive.cyberguerrilla.org/a/2015/ro0ted-opnewblood-what-the-blackhats-dont-want-you-to-know-infec… Depending how large the memory…

  3. Pingback: CyberGuerrilla soApboX » #ro0ted #OpNewblood You have pictures of your face on the internet right?

    […] Volatility Framework ~ Memory Forensics Volatility Analyzing the ZeuS Bot Part 2 Infected Machine? Create a memory dump What…

  4. Pingback: CyberGuerrilla soApboX » #ro0ted #OpNewblood What the blackhats dont want you to know BE: think ur drive is really wiped?

    […] Interested what you would find on your machine? Follow my tut on how easy is it to create a…

  5. Pingback: CyberGuerrilla soApboX » #ro0ted #OpNewblood What the Blackhats don’t want you to know series

    […] Volatility Framework ~ Memory Forensics Volatility Analyzing the ZeuS Bot Part 2 Infected Machine? Create a memory dump What…