Duck Hunt! Hunting Qakbot Malware with AXIOM

This presentation will walk you through the analysis of an actual Qakbot investigation. It will start with the collection of physical memory and filesystem acquisition, pivot through the analysis process, and end with identification and attribution. Aaron will illustrate how MAGNET AXIOM can be used to leverage malware investigations by utilizing the embedded Volatility framework, connections, artifact analysis, and timeline features. By using these embedded features within the AXIOM analysis platform, we will be able to illuminate the breach from beginning to end. Aaron will share lessons learned and highlight both the things that worked and the things that could have been done better in the investigation. From this presentation, you will gain a complete understanding of how Qakbot infects the network, as well as how to hunt, identify, isolate and remediate the malware infection.