Memory snapshot dataset of a compromised host with malware using obfuscation evasion techniques

Ibrahim Sadek; Penny Chong; Shafiq Ul Rehman; Yuval Elovici; Alexander Binder

doi:10.1016/j.dib.2019.104437

Memory snapshot dataset of a compromised host with malware using obfuscation evasion techniques

Ibrahim Sadek, Penny Chong, Shafiq Ul Rehman, Yuval Elovici, Alexander Binder

Research output: Contribution to journal › Article › peer-review

4 Scopus citations

Abstract

This article presents a dataset for studying the detection of obfuscated malware in volatile computer memory. Several obfuscated reverse remote shells were generated using Metasploit-Framework, Hyperion, and PEScrambler tools. After compromising the host, Memory snapshots of a Windows 10 virtual machine were acquired using the open-source Rekall's WinPmem acquisition tool. The dataset is complemented by memory snapshots of uncompromised virtual machines. The data includes a reference for all running processes as well as a mapping for the designated malware running inside the memory. The datasets are available in the article, for advancing research towards the detection of obfuscated malware from volatile computer memory during a forensic analysis.

Original language	English
Article number	104437
Journal	Data in Brief
Volume	26
DOIs	https://doi.org/10.1016/j.dib.2019.104437
State	Published - 1 Oct 2019
Externally published	Yes

Keywords

Forensic analysis
Malware detection
Memory snapshots
Obfuscated malware
System security

ASJC Scopus subject areas

General

Access to Document

10.1016/j.dib.2019.104437

Cite this

@article{160c37bf8ef849f788b2e367f9421fd5,

title = "Memory snapshot dataset of a compromised host with malware using obfuscation evasion techniques",

abstract = "This article presents a dataset for studying the detection of obfuscated malware in volatile computer memory. Several obfuscated reverse remote shells were generated using Metasploit-Framework, Hyperion, and PEScrambler tools. After compromising the host, Memory snapshots of a Windows 10 virtual machine were acquired using the open-source Rekall's WinPmem acquisition tool. The dataset is complemented by memory snapshots of uncompromised virtual machines. The data includes a reference for all running processes as well as a mapping for the designated malware running inside the memory. The datasets are available in the article, for advancing research towards the detection of obfuscated malware from volatile computer memory during a forensic analysis.",

keywords = "Forensic analysis, Malware detection, Memory snapshots, Obfuscated malware, System security",

author = "Ibrahim Sadek and Penny Chong and Rehman, {Shafiq Ul} and Yuval Elovici and Alexander Binder",

note = "Funding Information: This work was supported by both ST Electronics and the National Research Foundation ( NRF ), Prime Minister's Office, Singapore under Corporate Laboratory @ University Scheme (Programme Title: STEE Infosec - SUTD Corporate Laboratory). Publisher Copyright: {\textcopyright} 2019 The Author(s)",

year = "2019",

month = oct,

day = "1",

doi = "10.1016/j.dib.2019.104437",

language = "English",

volume = "26",

journal = "Data in Brief",

issn = "2352-3409",

publisher = "Elsevier BV",

}

TY - JOUR

T1 - Memory snapshot dataset of a compromised host with malware using obfuscation evasion techniques

AU - Sadek, Ibrahim

AU - Chong, Penny

AU - Rehman, Shafiq Ul

AU - Elovici, Yuval

AU - Binder, Alexander

N1 - Funding Information: This work was supported by both ST Electronics and the National Research Foundation ( NRF ), Prime Minister's Office, Singapore under Corporate Laboratory @ University Scheme (Programme Title: STEE Infosec - SUTD Corporate Laboratory). Publisher Copyright: © 2019 The Author(s)

PY - 2019/10/1

Y1 - 2019/10/1

N2 - This article presents a dataset for studying the detection of obfuscated malware in volatile computer memory. Several obfuscated reverse remote shells were generated using Metasploit-Framework, Hyperion, and PEScrambler tools. After compromising the host, Memory snapshots of a Windows 10 virtual machine were acquired using the open-source Rekall's WinPmem acquisition tool. The dataset is complemented by memory snapshots of uncompromised virtual machines. The data includes a reference for all running processes as well as a mapping for the designated malware running inside the memory. The datasets are available in the article, for advancing research towards the detection of obfuscated malware from volatile computer memory during a forensic analysis.

AB - This article presents a dataset for studying the detection of obfuscated malware in volatile computer memory. Several obfuscated reverse remote shells were generated using Metasploit-Framework, Hyperion, and PEScrambler tools. After compromising the host, Memory snapshots of a Windows 10 virtual machine were acquired using the open-source Rekall's WinPmem acquisition tool. The dataset is complemented by memory snapshots of uncompromised virtual machines. The data includes a reference for all running processes as well as a mapping for the designated malware running inside the memory. The datasets are available in the article, for advancing research towards the detection of obfuscated malware from volatile computer memory during a forensic analysis.

KW - Forensic analysis

KW - Malware detection

KW - Memory snapshots

KW - Obfuscated malware

KW - System security

UR - http://www.scopus.com/inward/record.url?scp=85071912174&partnerID=8YFLogxK

U2 - 10.1016/j.dib.2019.104437

DO - 10.1016/j.dib.2019.104437

M3 - Article

AN - SCOPUS:85071912174

SN - 2352-3409

VL - 26

JO - Data in Brief

JF - Data in Brief

M1 - 104437

ER -

Memory snapshot dataset of a compromised host with malware using obfuscation evasion techniques

Abstract

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this