[Vol-users] RE: [Detailed analysis of Kaspersky hooks including analysis....

Jamie Levy jamie at memoryanalysis.net
Wed Oct 29 09:03:59 CDT 2014


Hi Mike,

You might want to take a look at malfinddeep by David Lassalle:
http://blog.superponible.com/2014/08/30/volatility-plugin-ssdeep-for-malfind-and-apihooks/

All the best,

-Jamie



On 10/29/14, 8:28 AM, Michael Chaves wrote:
> I've used malfind and memscan on a suspected POS infected system and I get a ton of false positive hits on AV processes.  Any way to whitelist some of these or use --silent to filter out some of these false positives?  On the other side, is it likely malware is using AV processes to do their deed?
>
> Mike
>
> Det. Michael Chaves
> Monroe Police Department
> 7 Fan Hill Road
> Monroe, CT 06468
> 203.452.2831 x1307 (desk)
> 203.261.3622  (w)
> 203.650.7997 (c)
>
> *** NOTE: If you are sending me an attachment, rename the extension to .txt or .jpg, otherwise, due to filters, I will not get it ***
>
> -----Original Message-----
> From: vol-users-bounces at volatilityfoundation.org [mailto:vol-users-bounces at volatilityfoundation.org] On Behalf Of vol-users-request at volatilityfoundation.org
> Sent: Tuesday, October 28, 2014 1:00 PM
> To: vol-users at volatilityfoundation.org
> Subject: [BULK] Vol-users Digest, Vol 76, Issue 6
>
> Today's Topics:
>
>    1. Detailed analysis of Kaspersky hooks including analysis with Volatility (Andrew Case)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 28 Oct 2014 02:16:58 -0500
> From: Andrew Case <atcuno at gmail.com>
> Subject: [Vol-users] Detailed analysis of Kaspersky hooks including analysis with Volatility
> To: "'vol-users at volatilityfoundation.org'" <vol-users at volatilityfoundation.org>
> Message-ID: <544F42EA.9020500 at gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> A really well done writeup & analysis:
>
> https://quequero.org/2014/10/kaspersky-hooking-engine-analysis/
>
> --
> Thanks,
> Andrew (@attrc)
>
>
> ------------------------------
>
> _______________________________________________
> Vol-users mailing list
> Vol-users at volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users

-- 
Jamie Levy (@gleeda)
Blog: http://volatility-labs.blogspot.com/
GPG:  http://pgp.mit.edu/pks/lookup?op=get&search=0x196B2AB527A4AC92
Fingerprint: 2E87 17A1 EC10 1E3E 11D3  64C2 196B 2AB5 27A4 AC92
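As an added example (not code from Jamie's reply, from malfinddeep or from the Volatility project) of the whitelisting Mike asks about: a post-filter over malfind's text output that drops a hit only when both the process name and a hash of the bytes malfind printed match a baseline taken from a known-clean image of the same AV build, so an AV process is never silenced by name alone. The sample output below is constructed; it uses exact SHA-256 hashing of the printed bytes, whereas malfinddeep matches with ssdeep fuzzy hashes.

```python
"""Post-filter for Volatility 2 malfind text output (added example, not a
Volatility plugin). A hit is dropped only when BOTH its process name and the
SHA-256 of the bytes malfind printed appear in a known-clean baseline."""
import hashlib
import re

# malfind header row: "Process: avp.exe Pid: 1040 Address: 0x3a0000"
HEADER_RE = re.compile(r"^Process:\s+(\S+)\s+Pid:\s+(\d+)\s+Address:\s+(0x[0-9a-f]+)", re.I)
# malfind hexdump row: "0x003a0000  4d 5a 90 00 ...   MZ.."; group 1 is the hex column
HEXDUMP_RE = re.compile(r"^0x[0-9a-f]+\s+((?:[0-9a-f]{2}\s)+)", re.I)

# Constructed sample output (not from a real image); avp.exe stands in for the AV hit.
CLEAN_SAMPLE = """\
Process: avp.exe Pid: 1040 Address: 0x3a0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x003a0000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............
0x003a0010  b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00   ........@.......
"""
SUSPECT_SAMPLE = CLEAN_SAMPLE + """
Process: explorer.exe Pid: 1624 Address: 0x1460000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE

0x01460000  55 8b ec 83 ec 10 53 56 57 e8 00 00 00 00 5b 81   U.....SVW.....[.
"""

def parse_malfind(text):
    """Return one dict per hit: process, pid, address and the bytes malfind printed."""
    hits, cur = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = {"process": m.group(1).lower(), "pid": int(m.group(2)),
                   "address": int(m.group(3), 16), "data": bytearray()}
            hits.append(cur)
        elif cur is not None and (m := HEXDUMP_RE.match(line)):
            cur["data"] += bytes.fromhex("".join(m.group(1).split()))
    return hits

def region_digest(data):
    return hashlib.sha256(bytes(data)).hexdigest()

def baseline_allowlist(clean_text):
    """(process, digest) pairs seen in the known-clean image of the same AV build."""
    return {(h["process"], region_digest(h["data"])) for h in parse_malfind(clean_text)}

def filter_hits(suspect_text, allowlist):
    """Keep every hit whose (process, digest) pair is not in the baseline."""
    return [h for h in parse_malfind(suspect_text)
            if (h["process"], region_digest(h["data"])) not in allowlist]
```

Running `filter_hits(SUSPECT_SAMPLE, baseline_allowlist(CLEAN_SAMPLE))` keeps only the explorer.exe hit; an avp.exe region whose bytes differ from the baseline would still be reported.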
