{
	"id": "530cb2b6-abba-4ec0-b546-99be88f8f062",
	"created_at": "2026-04-10T03:20:30.42841Z",
	"updated_at": "2026-04-10T13:11:56.976966Z",
	"deleted_at": null,
	"sha1_hash": "72d77735774149a783d6e808ee49cf8e9084e066",
	"title": "Memory forensics of Qakbot",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49632,
	"plain_text": "Memory forensics of Qakbot\r\nBy Borg, Steve (2020)\r\nArchived: 2026-04-10 02:42:57 UTC\r\nPlease use this identifier to cite or link to this item:\r\nhttps://www.um.edu.mt/library/oar/handle/123456789/76802\r\nTitle: Memory forensics of Qakbot\r\nAuthors: \r\nKeywords:\r\nMalware (Computer software)\r\nComputer security\r\nDigital forensic science\r\nIssue Date: 2020\r\nCitation: Borg, S. (2020). Memory forensics of Qakbot (Bachelor's dissertation).\r\nAbstract: As malware is continuously evolving, a common technique used by malware authors is process injection, whereby malicious code is injected into benign processes with escalated privileges. In the past, signature-based detection may have been considered a sufficient approach to malware detection. However, with polymorphism becoming one of the most prevalent detection evasion techniques, antivirus signatures are no longer effective due to malware’s ability to change its appearance at will. Qakbot malware is a prime example: despite several signatures having been written throughout the years, it has still managed to evolve and evade detection. Therefore, one would most likely detect a Qakbot sample late, making the use of digital investigation tools central for Incident Response. This malware has evolved and managed to blend into regular Windows processes, emphasising the importance of Memory Forensics to identify the exact workings of Qakbot and to reconstruct the timeline of events that occurred since the malware infection. A prominent obstacle to the analysis of the Qakbot malware is that it includes a packing layer, where parts of the malware are compressed to avoid detection and hinder analysis. In this dissertation, Reverse Software Engineering (RSE) and Dynamic Binary Instrumentation (DBI) techniques were used to produce forensic tools that will aid Incident Responders to identify exactly which processes are being created and potentially injected. The first two tools that were developed are based on state-of-the-art system logs and memory forensics. The third and final tool that was developed is a custom tool based on DBI which, through partial but timely memory dumps, manages to get to that elusive infection evidence. The complete mobsync.exe misuse picture comes at the expense of computer memory and storage overheads.\r\nDescription: B.Sc. IT (Hons)(Melit.)\r\nURI: https://www.um.edu.mt/library/oar/handle/123456789/76802\r\nAppears in Collections:\r\nDissertations - FacICT - 2020\r\nDissertations - FacICTCIS - 2020\r\nFiles in This Item:\r\n20BITSD002.pdf (Restricted Access), 2.02 MB, Adobe PDF",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.um.edu.mt/library/oar/handle/123456789/76802"
	],
	"report_names": [
		"76802"
	],
	"threat_actors": [],
	"ts_created_at": 1775791230,
	"ts_updated_at": 1775826716,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/72d77735774149a783d6e808ee49cf8e9084e066.pdf",
		"text": "https://archive.orkl.eu/72d77735774149a783d6e808ee49cf8e9084e066.txt",
		"img": "https://archive.orkl.eu/72d77735774149a783d6e808ee49cf8e9084e066.jpg"
	}
}