Malware Analysis Reverse Engineering Workshop (44Con 2013)
SIAVOSH ZARRASVAND & INAKI RODRIGUEZ (44CON)
Grab a copy of the files
• Thumb drives being passed around
– Disclaimer about new malware of your own
• Wifi
– SSID hbn
– PSK ILoveTheSmellOfHackInTheMorning
– www http://192.168.252.5/
Agenda
1. Basic Concepts
2. Behavior Analysis
3. Memory Analysis
4. Static Analysis
What is Malware
• Any piece of software that performs malicious activities.
– Executable
– Documents
– Flash
– Java
– …
Types of Malware
• Some examples of categories
– Worm
– Trojan
– Spyware
– Adware
– Ransomware
– Rootkit
– Keyloggers
– Stealers
– Virus
– Backdoor
Windows Executable
• An executable under the hood
• Structure:
– Imported Functions
– Exported Functions
– Sections
– Code
– Data
– Relocation information
– Certificate
(Diagram: PE File)
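The header fields listed above are what a tool such as PE Explorer walks for you. As an added example (not code from the workshop or its authors), the Python below parses the DOS header, PE signature, COFF header, optional header and section table of a PE image and applies a few header-level triage checks of the kind Lab 1 asks for when comparing two binaries: an entry point outside the usual code section, sections that are both writable and executable, and sections that occupy memory but carry no data on disk. The two images it runs on are constructed inside the script (header-only, not real programs); the UPX0/UPX1 layout is a generic packer pattern and makes no claim about installer.exe or pafish.exe.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE               = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA   = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE            = 0x20000000
IMAGE_SCN_MEM_READ               = 0x40000000
IMAGE_SCN_MEM_WRITE              = 0x80000000


@dataclass
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_size: int
    raw_pointer: int
    characteristics: int

    def contains_rva(self, rva: int) -> bool:
        # A section occupies max(VirtualSize, SizeOfRawData) bytes once mapped.
        span = max(self.virtual_size, self.raw_size)
        return self.virtual_address <= rva < self.virtual_address + span


def parse_pe(data: bytes) -> Dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table.
    Imports and exports are not parsed here; this is the header-level view only."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, file_chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    entry = struct.unpack_from("<I", data, opt + 16)[0]      # AddressOfEntryPoint (RVA)
    if magic == 0x10B:                                        # PE32: ImageBase is a DWORD at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                                      # PE32+: ImageBase is a QWORD at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    sections, off = [], opt + opt_size
    for _ in range(nsections):
        name, vsize, va, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, rawsize, rawptr, flags))
        off += 40
    return {"machine": machine, "pe32plus": magic == 0x20B, "file_characteristics": file_chars,
            "entry_point": entry, "image_base": image_base, "sections": sections}


def triage(pe: Dict) -> List[str]:
    """Header-level red flags that separate an ordinary compiler build from a packed one."""
    findings = []
    ep = pe["entry_point"]
    ep_sec = next((s for s in pe["sections"] if s.contains_rva(ep)), None)
    if ep_sec is None:
        findings.append(f"entry point 0x{ep:x} is outside every section")
    elif not ep_sec.characteristics & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry point in non-executable section {ep_sec.name}")
    elif ep_sec.name not in (".text", "CODE"):
        findings.append(f"entry point in unusual section {ep_sec.name}")
    for s in pe["sections"]:
        if s.characteristics & IMAGE_SCN_MEM_WRITE and s.characteristics & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"section {s.name} is writable and executable")
        if s.raw_size == 0 and s.virtual_size > 0:
            findings.append(f"section {s.name} has no data on disk but 0x{s.virtual_size:x} bytes in memory")
    return findings


def build_sample_pe(sections, entry_point: int) -> bytes:
    """Constructed header-only PE32 image for this example (not a real binary).
    sections: iterable of (name, virtual_address, virtual_size, raw_size, characteristics)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                        # e_lfanew: PE header right after DOS header
    opt_size = 224                                               # size of a PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<HBBIIIIIII", opt, 0, 0x10B, 14, 0, 0, 0, 0,
                     entry_point, 0x1000, 0x2000, 0x400000)       # ..., EntryPoint, BaseOfCode, BaseOfData, ImageBase
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", n.encode().ljust(8, b"\0"), vs, va, rs, 0, 0, 0, 0, 0, fl)
        for n, va, vs, rs, fl in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


R, W, X = IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_EXECUTE
# Constructed: a plain compiler layout with code, read-only data and writable data.
CLEAN_SAMPLE = build_sample_pe([
    (".text",  0x1000, 0x3000, 0x3000, IMAGE_SCN_CNT_CODE | X | R),
    (".rdata", 0x4000, 0x1000, 0x1000, IMAGE_SCN_CNT_INITIALIZED_DATA | R),
    (".data",  0x5000, 0x1000, 0x400,  IMAGE_SCN_CNT_INITIALIZED_DATA | R | W),
], entry_point=0x1200)
# Constructed: a generic packer layout: empty RWX section to unpack into, RWX stub holding the entry point.
PACKED_SAMPLE = build_sample_pe([
    ("UPX0",  0x1000,  0x20000, 0,      IMAGE_SCN_CNT_UNINITIALIZED_DATA | R | W | X),
    ("UPX1",  0x21000, 0x8000,  0x8000, IMAGE_SCN_CNT_CODE | R | W | X),
    (".rsrc", 0x29000, 0x1000,  0x1000, IMAGE_SCN_CNT_INITIALIZED_DATA | R),
], entry_point=0x28000)

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_SAMPLE), ("packed", PACKED_SAMPLE)):
        pe = parse_pe(blob)
        print(label, [s.name for s in pe["sections"]], triage(pe) or "no findings")
```

Run against a real file with `parse_pe(open(path, "rb").read())`; the section names and flags are exactly the columns PE Explorer shows in its Sections view, so the findings can be cross-checked against the tool.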
Binary Content
Interpreted Content
The BIG picture
PE Explorer
• Examining the content of a Windows executable (exe, cpl, ocx, dll, …)
• Editor, disassembler, resource editor.
(Screenshot tabs: Imports, Dependencies, Sections, Resource, Data Directories, General Info, Editor)
LAB – 1
• Use PE Explorer over installer.exe and pafish.exe
• Questions
– Could you enumerate some notable differences?
– Could you find something interesting in installer.exe?
LAB – 1 (screenshots)
From File to Process
• Loader
1. Read Header
2. Place Executable in Memory
3. Create Process Object
Monitoring Behavior
(Diagram: a Process loading several DLLs, each exporting Fun1, Fun2, Fun3)
• Interaction with the Operating System
• File Activity
• Network flows
• Registry monitor
• Api Calls
Behavior Analysis 
• Execution in a controlled environment. 
• Not as time consuming as static analysis. 
• Focused on results. 
• VM and Snapshots. 
• MSDN – Api calls 
What are we looking for 
• New processes 
• Code injection 
• Downloads 
• File activity 
• Persistence mechanism 
• Registry changes 
• C&C Communication 
• Network activity (LAN) 
Process Monitor
• Included in the Sysinternals Suite with many other interesting tools.
(Screenshot: Filter, Search, Event, Filter by Event)
Lab – 2 (File Activities)
• Open Process Explorer
• Execute installer.exe
• Filter the results
• Questions
– Which file was created?
– Where?
– Why has the installer.exe vanished?
LAB – 2 (Answers)
Lab – 3 (Process Activities)
• Use the previous capture
• Questions
– How many processes were spawned?
– Could you identify who deleted the original installer.exe file?
Lab – 3 (Answers)
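Labs 2 and 3 both come down to filtering a Process Monitor capture by operation. As an added example (not the workshop's own material), this Python reads a Process Monitor CSV export and answers the lab questions directly: which files were created (CreateFile whose Detail reports `OpenResult: Created`), how many processes were spawned (Process Create events, with the child PID taken from the Detail column), and which process requested deletion of a given path (SetDispositionInformationFile with `Delete: True`, which is how a delete request appears in Process Monitor). The capture lines are constructed for the example; process names, PIDs and paths are placeholders rather than values observed from the workshop sample.

```python
import csv
import io
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed Process Monitor CSV export (File > Save, CSV format) for this example.
# Process names, PIDs and paths are placeholders, not values from the workshop sample.
PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","explorer.exe","1100","Process Create","C:\Lab\installer.exe","SUCCESS","PID: 2000, Command line: ""C:\Lab\installer.exe"""
"10:01:02.2","installer.exe","2000","Process Start","","SUCCESS","Parent PID: 1100"
"10:01:02.5","installer.exe","2000","CreateFile","C:\Users\lab\AppData\Roaming\dropped-sample.exe","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf, OpenResult: Created"
"10:01:02.6","installer.exe","2000","WriteFile","C:\Users\lab\AppData\Roaming\dropped-sample.exe","SUCCESS","Offset: 0, Length: 65,536"
"10:01:02.7","installer.exe","2000","CreateFile","C:\Windows\System32\kernel32.dll","SUCCESS","Desired Access: Read Data/List Directory, Disposition: Open, OpenResult: Opened"
"10:01:03.0","installer.exe","2000","Process Create","C:\Users\lab\AppData\Roaming\dropped-sample.exe","SUCCESS","PID: 2100, Command line: ""C:\Users\lab\AppData\Roaming\dropped-sample.exe"""
"10:01:03.1","installer.exe","2000","Process Create","C:\Windows\System32\cmd.exe","SUCCESS","PID: 2200, Command line: cmd.exe"
"10:01:03.4","cmd.exe","2200","CreateFile","C:\Lab\installer.exe","SUCCESS","Desired Access: Delete, Disposition: Open, OpenResult: Opened"
"10:01:03.5","cmd.exe","2200","SetDispositionInformationFile","C:\Lab\installer.exe","SUCCESS","Delete: True"
'''


def load_events(text: str) -> List[Dict[str, str]]:
    """One dict per row, keyed by the CSV header names Process Monitor writes."""
    return list(csv.DictReader(io.StringIO(text)))


def process_tree(events) -> Dict[Tuple[str, str], List[Tuple[str, str]]]:
    """(parent name, parent pid) -> [(child image path, child pid)] from Process Create events.
    The child PID is only available in the Detail column, hence the regex."""
    tree = defaultdict(list)
    for e in events:
        if e["Operation"] == "Process Create":
            m = re.search(r"PID: (\d+)", e["Detail"])
            if m:
                tree[(e["Process Name"], e["PID"])].append((e["Path"], m.group(1)))
    return dict(tree)


def spawned_processes(events) -> List[Tuple[str, str]]:
    """Every process created during the capture, as (image path, pid)."""
    return [child for children in process_tree(events).values() for child in children]


def files_created(events) -> List[Tuple[str, str, str]]:
    """(process, pid, path) for successful CreateFile calls that produced a new file,
    as opposed to opening an existing one (OpenResult: Opened)."""
    return [(e["Process Name"], e["PID"], e["Path"]) for e in events
            if e["Operation"] == "CreateFile" and e["Result"] == "SUCCESS"
            and "OpenResult: Created" in e["Detail"]]


def file_deletions(events) -> List[Tuple[str, str, str]]:
    """(process, pid, path) for delete-on-close requests. Both the classic
    SetDispositionInformationFile and the newer ...Ex variant are matched."""
    return [(e["Process Name"], e["PID"], e["Path"]) for e in events
            if e["Operation"].startswith("SetDispositionInformation")
            and "Delete: True" in e["Detail"]]


def who_deleted(events, path: str) -> Optional[Tuple[str, str]]:
    """(process, pid) that asked for `path` to be deleted, or None."""
    hits = [d for d in file_deletions(events) if d[2].lower() == path.lower()]
    return hits[0][:2] if hits else None


EVENTS = load_events(PROCMON_CSV)

if __name__ == "__main__":
    print("spawned:", spawned_processes(EVENTS))
    print("created:", files_created(EVENTS))
    print("deleted installer.exe:", who_deleted(EVENTS, r"C:\Lab\installer.exe"))
```

On a real capture, export with the default columns and pass the file contents to `load_events`; the same three queries give the created file and its location (Lab 2), the process count and the deleting process (Lab 3) without scrolling through the noise.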
Regshot
• Takes Registry Snapshots
• Compare Snapshots
Regshot Report
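Regshot's compare step is a set difference over two registry snapshots. As an added example (not Regshot's code and not from the workshop), the Python below implements that diff, renders it in the shape of a Regshot comparison report, and then does the step Lab 4 asks you to do by eye: pick out added or modified values that sit under common autostart locations (Run keys, Services, Winlogon). The snapshots are constructed dictionaries with placeholder names, and the autostart list is a deliberately short selection rather than a complete catalogue of persistence points.

```python
from typing import Dict, List, Tuple

# A snapshot maps a key path to {value name: data}; a key with no values maps to {}.
Snapshot = Dict[str, Dict[str, str]]

# A short, deliberately incomplete list of autostart locations, matched case-insensitively
# as key-path prefixes (so "...\Run" also covers "...\RunOnce" beneath the same parent).
AUTOSTART_PREFIXES = (
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SYSTEM\CurrentControlSet\Services",
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
)


def is_autostart(key: str) -> bool:
    k = key.lower()
    return any(k.startswith(p.lower()) for p in AUTOSTART_PREFIXES)


def diff_snapshots(before: Snapshot, after: Snapshot) -> Dict[str, List]:
    """Keys and values added, deleted and modified between two snapshots."""
    keys_added = sorted(set(after) - set(before))
    keys_deleted = sorted(set(before) - set(after))
    values_added, values_deleted, values_modified = [], [], []
    for key in sorted(set(before) & set(after)):
        b, a = before[key], after[key]
        values_added += [(key, n, a[n]) for n in sorted(set(a) - set(b))]
        values_deleted += [(key, n, b[n]) for n in sorted(set(b) - set(a))]
        values_modified += [(key, n, b[n], a[n]) for n in sorted(set(a) & set(b)) if a[n] != b[n]]
    # Values under a brand-new key are listed as added values as well, as Regshot does.
    for key in keys_added:
        values_added += [(key, n, d) for n, d in sorted(after[key].items())]
    return {"keys_added": keys_added, "keys_deleted": keys_deleted, "values_added": values_added,
            "values_deleted": values_deleted, "values_modified": values_modified}


def persistence_candidates(diff: Dict[str, List]) -> List[Tuple[str, str, str]]:
    """Added or modified values that live under an autostart location: (key, name, new data)."""
    out = [(k, n, d) for k, n, d in diff["values_added"] if is_autostart(k)]
    out += [(k, n, new) for k, n, _old, new in diff["values_modified"] if is_autostart(k)]
    return out


def render_report(diff: Dict[str, List]) -> str:
    """Plain-text report in the shape Regshot produces."""
    lines = [f"Keys added: {len(diff['keys_added'])}", *diff["keys_added"],
             f"Keys deleted: {len(diff['keys_deleted'])}", *diff["keys_deleted"],
             f"Values added: {len(diff['values_added'])}"]
    lines += [f'{k}\\{n}: "{d}"' for k, n, d in diff["values_added"]]
    lines.append(f"Values deleted: {len(diff['values_deleted'])}")
    lines += [f'{k}\\{n}: "{d}"' for k, n, d in diff["values_deleted"]]
    lines.append(f"Values modified: {len(diff['values_modified'])}")
    lines += [f'{k}\\{n}: "{old}" -> "{new}"' for k, n, old, new in diff["values_modified"]]
    return "\n".join(lines)


# Constructed snapshots: placeholder vendor, MRU noise, and one dropped executable.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
MRU_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
SVC_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\LabSvcPlaceholder"
DROPPED = r"C:\Users\lab\AppData\Roaming\dropped-sample.exe"

BEFORE: Snapshot = {
    RUN_KEY: {"VendorUpdater": r"C:\Program Files\Vendor\updater.exe"},
    MRU_KEY: {"a": r"notepad\1", "MRUList": "a"},
    r"HKLM\SYSTEM\CurrentControlSet\Services\Spooler": {"ImagePath": r"C:\Windows\System32\spoolsv.exe", "Start": "2"},
}
AFTER: Snapshot = {
    RUN_KEY: {"VendorUpdater": r"C:\Program Files\Vendor\updater.exe", "SysHelper": DROPPED},
    MRU_KEY: {"a": r"notepad\1", "b": r"cmd\1", "MRUList": "ba"},
    r"HKLM\SYSTEM\CurrentControlSet\Services\Spooler": {"ImagePath": r"C:\Windows\System32\spoolsv.exe", "Start": "2"},
    SVC_KEY: {"ImagePath": DROPPED, "Start": "2"},
}

if __name__ == "__main__":
    d = diff_snapshots(BEFORE, AFTER)
    print(render_report(d))
    print("persistence candidates:", persistence_candidates(d))
```

The MRU change is reported in the diff but not flagged, which is the point of the second pass: a one-minute run of any installer produces dozens of registry changes, and only a handful sit where Windows will execute them again at boot or logon.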
Lab – 4 (Registry)
• Restore the Snapshot
• Execute Regshot and take a first snapshot.
• Execute Process Explorer.
• Execute installer.exe.
• Sleep 1m
• Take a second snapshot and compare.
• Questions
– Could you identify the persistence mechanism using RegShot?
– And with Process Monitor?
– Could you find any new service added by the malware?
Lab – 4 (Answer)
Network Activity
• Wireshark is a well known network sniffer.
• Many protocol decoders
• Drawback: Secure connections
(Screenshot toolbar: Restart, Stop, Start, Capture Options)
Lab – 5
• Network Activity – Wireshark
• Questions
– Did the malware contact with a C&C?
– Was it successful?
– What was the IP/domain name?
– Could you find information about the C&C?
• DNS redirection (*)
Lab – 5 (Answers)
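Whether the sample reached its C&C is usually answered first from the DNS traffic in the capture: did the name resolve, to which address, or did the lab's DNS redirection send it somewhere under your control. As an added example (not from the workshop), this Python decodes DNS query and response messages the way Wireshark's decoder does (header, question section, A and CNAME answers, RFC 1035 name compression) and pairs them by transaction id to state the outcome per queried name. The messages are built inside the script; the domain names and the 192.0.2.10 sinkhole address are constructed placeholders.

```python
import socket
import struct
from typing import Dict, List, Tuple

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def _read_name(data: bytes, off: int) -> Tuple[str, int]:
    """Decode a domain name at `off`, following RFC 1035 compression pointers.
    Returns (name, offset just past the name as it appears in the message)."""
    labels, end = [], None
    for _ in range(128):                      # bound the walk so a pointer loop cannot hang us
        length = data[off]
        if length & 0xC0 == 0xC0:             # 11xxxxxx: 14-bit pointer to an earlier name
            if end is None:
                end = off + 2
            off = struct.unpack_from("!H", data, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii", "replace"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_dns(data: bytes) -> Dict:
    """Header, question section and answer section (A and CNAME decoded, other types kept raw)."""
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!6H", data, 0)
    off = 12
    questions, answers = [], []
    for _ in range(qdcount):
        name, off = _read_name(data, off)
        qtype, _qclass = struct.unpack_from("!HH", data, off)
        off += 4
        questions.append((name, qtype))
    for _ in range(ancount):
        name, off = _read_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", data, off)
        off += 10
        if rtype == 1 and rdlen == 4:
            answers.append((name, "A", socket.inet_ntoa(data[off:off + 4])))
        elif rtype == 5:
            answers.append((name, "CNAME", _read_name(data, off)[0]))
        else:
            answers.append((name, f"TYPE{rtype}", data[off:off + rdlen].hex()))
        off += rdlen
    return {"id": txid, "is_response": bool(flags & 0x8000), "rcode": flags & 0x000F,
            "questions": questions, "answers": answers}


def resolution_summary(messages: List[bytes]) -> Dict[str, str]:
    """Pair queries with responses by transaction id and state the outcome per queried name."""
    queries, responses = {}, {}
    for raw in messages:
        msg = parse_dns(raw)
        (responses if msg["is_response"] else queries)[msg["id"]] = msg
    summary = {}
    for txid, q in queries.items():
        name = q["questions"][0][0]
        r = responses.get(txid)
        if r is None:
            summary[name] = "no response"
        elif r["rcode"] != 0:
            summary[name] = RCODE_NAMES.get(r["rcode"], f"rcode {r['rcode']}")
        else:
            addrs = [rdata for _, rrtype, rdata in r["answers"] if rrtype == "A"]
            summary[name] = "resolved to " + ", ".join(addrs) if addrs else "NOERROR without A records"
    return summary


# Constructed messages for the example: placeholder names, TEST-NET sinkhole address.
def _encode_name(name: str) -> bytes:
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split(".")) + b"\0"

def build_query(txid: int, name: str) -> bytes:
    # flags 0x0100: standard query, recursion desired; one question of type A, class IN
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + _encode_name(name) + struct.pack("!HH", 1, 1)

def build_response(txid: int, name: str, rcode: int = 0, addrs: Tuple[str, ...] = ()) -> bytes:
    # flags 0x8180: response, recursion desired and available; rcode in the low nibble
    header = struct.pack("!6H", txid, 0x8180 | rcode, 1, len(addrs), 0, 0)
    question = _encode_name(name) + struct.pack("!HH", 1, 1)
    # each answer names its owner with a compression pointer (0xC00C) to the question at offset 12
    rrs = b"".join(struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + socket.inet_aton(a) for a in addrs)
    return header + question + rrs

MESSAGES = [
    build_query(0x1001, "cnc-placeholder.example"),
    build_response(0x1001, "cnc-placeholder.example", rcode=3),                   # NXDOMAIN: never resolved
    build_query(0x1002, "update-placeholder.example"),
    build_response(0x1002, "update-placeholder.example", addrs=("192.0.2.10",)),  # redirected to a lab sinkhole
    build_query(0x1003, "ntp-placeholder.example"),                               # no answer in the capture
]

if __name__ == "__main__":
    for name, outcome in resolution_summary(MESSAGES).items():
        print(f"{name:30} {outcome}")
```

With a real capture, feed the UDP payloads of port-53 packets to `resolution_summary`; a name that resolves only after you enable DNS redirection, and the address it then resolves to, is exactly the pair the Lab 5 questions ask for.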
Sysanalyzer
• Logs some interesting APIs
• Sniffer
• Less noisy
• Less information
Lab – 7
• Run installer.exe and compare the results from previous tools.
API Monitor
• Logs a set of Windows APIs from a large set of them
• Low-level information
• Don’t try to log all
(Screenshot: Start new process, Filters)
WinApiOverride32
Lab – 8
• Log the network and file activity
• Monitor newly created processes on demand.
• Questions
– Could you find the C&C?
– Could you find when the file is deleted?
LAB – 8 (Answers)
• Were you able to find the C&C?
• Why?
Sandbox
• Why not automation?
• Cuckoo Sandbox executes the malware inside a VM for us.
• Analyzer and reporting system all in one solution.
• Extensible
• Must be installed on Linux
Submit Samples 
• Web interface 
• Command Line 
Cuckoo Architecture
• Host: Cuckoo.py, Processors, Signatures, Reports
• Virtual Machine: Agent.py, Analyzer.py, Cuckoomon.dll, malware
Lab – 9
• Upload a sample to the Sandbox
• Meanwhile, check the report for sample a6ff0e175acc7aaa3c2a855e44b11e3b.
• Questions
– Could you identify the same indicators of compromise extracted with the previous tools?
– Could you find the C&C?
– And the function call?
Lab – 9 (Answers)
Post Mortem Analysis
• Volatility can extract information from a memory dump.
• Hidden process, handles, connections, …
• Malfind
• Dump memory from Cuckoo, Winpmem, …
Dumping Memory
(Screenshots: Cuckoo, VirtualBox)
Volatility
• Offline Memory analysis tool
• Search for
– Open handles
– Hooked Apis
– New Dlls
– Hidden processes
– Registry values
• No diff tool  (Anyone?)
LAB – 10
• Dump memory from a clean system
• List the processes
• Find explorer.exe and list its dlls
• Store this information in a file and repeat the whole process with the malware running
• Question
– Could you find anything suspicious?
LAB – 10 (Answers)
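Volatility ships no diff tool (the slide's "Anyone?"), so Lab 10 compares the two runs by hand. As an added example (neither Volatility's code nor the workshop's), this Python parses the text output of Volatility 2's `pslist` and `dlllist` commands from a clean dump and an infected dump, lists processes that exist only in the second, and lists DLLs loaded into explorer.exe that the clean baseline does not have, separating those that live outside C:\Windows and C:\Program Files. The output samples are constructed inside the script; process and DLL names are placeholders, and the timestamps are invented.

```python
import re
from typing import Dict, List, Tuple

# Constructed `vol.py pslist` output for a clean dump (not from the workshop's screenshots).
CLEAN_PSLIST = r"""Volatility Foundation Volatility Framework 2.3
 Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0x823c8830 System                    4      0     58      368 ------      0
0x82161da0 smss.exe                544      4      3       19 ------      0 2013-09-10 08:00:01 UTC+0000
0x8212b020 explorer.exe           1472   1440     17      589      0      0 2013-09-10 08:00:12 UTC+0000
"""
# Constructed pslist output from the same VM with the sample running: one extra child of explorer.exe.
INFECTED_PSLIST = CLEAN_PSLIST + \
    "0x8210f4a8 dropped-sample.exe     2100   1472      5       93      0      0 2013-09-10 08:05:40 UTC+0000\n"

# Constructed `vol.py dlllist -p 1472` output for the clean dump.
CLEAN_DLLLIST = r"""Volatility Foundation Volatility Framework 2.3
************************************************************************
explorer.exe pid:   1472
Command line : C:\WINDOWS\Explorer.EXE
Service Pack 3

Base             Size  LoadCount Path
---------- ---------- ---------- ----
0x01000000   0x0ff000     0xffff C:\WINDOWS\Explorer.EXE
0x7c900000   0x0af000     0xffff C:\WINDOWS\system32\ntdll.dll
0x7c800000   0x0f6000     0xffff C:\WINDOWS\system32\kernel32.dll
"""
# Infected dump: one legitimate system DLL loaded later, one module from a user-writable path.
INFECTED_DLLLIST = CLEAN_DLLLIST + r"""0x771b0000   0x0aa000     0x0001 C:\WINDOWS\system32\wininet.dll
0x10000000   0x006000     0x0001 C:\Documents and Settings\lab\Application Data\inject-placeholder.dll
"""


def parse_pslist(text: str) -> Dict[int, Tuple[str, int]]:
    """pid -> (name, ppid). Data rows are the lines that start with an object offset."""
    procs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0].startswith("0x"):
            procs[int(parts[2])] = (parts[1], int(parts[3]))
    return procs


def parse_dlllist(text: str) -> Dict[int, List[str]]:
    """pid -> [module paths]. Each process block opens with '<name> pid: <n>'; module rows
    start with a base address, and the path (which may contain spaces) is the 4th column."""
    dlls, pid = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\S+) pid:\s+(\d+)", line)
        if m:
            pid = int(m.group(2))
            dlls[pid] = []
            continue
        if pid is not None and line.startswith("0x"):
            parts = line.split(None, 3)
            if len(parts) == 4:
                dlls[pid].append(parts[3].strip())
    return dlls


def new_processes(clean: Dict[int, Tuple[str, int]], infected: Dict[int, Tuple[str, int]]) -> List[Tuple[str, int, int]]:
    """(name, pid, ppid) for processes present only in the infected dump."""
    return sorted((name, pid, ppid) for pid, (name, ppid) in infected.items() if pid not in clean)


def pid_of(procs: Dict[int, Tuple[str, int]], name: str) -> int:
    matches = [pid for pid, (n, _) in procs.items() if n.lower() == name.lower()]
    if len(matches) != 1:
        raise ValueError(f"expected exactly one {name}, found {len(matches)}")
    return matches[0]


def new_dlls(clean_dlls, clean_procs, infected_dlls, infected_procs, process: str = "explorer.exe") -> List[str]:
    """Modules loaded into `process` in the infected dump but absent from the clean one.
    The process is located by name, since PIDs need not survive a reboot between dumps."""
    baseline = {p.lower() for p in clean_dlls[pid_of(clean_procs, process)]}
    return [p for p in infected_dlls[pid_of(infected_procs, process)] if p.lower() not in baseline]


def outside_system_dirs(paths: List[str]) -> List[str]:
    """Modules whose path is not under the usual system or program directories."""
    return [p for p in paths if not p.lower().startswith(("c:\\windows\\", "c:\\program files\\"))]


if __name__ == "__main__":
    cp, ip = parse_pslist(CLEAN_PSLIST), parse_pslist(INFECTED_PSLIST)
    cd, idl = parse_dlllist(CLEAN_DLLLIST), parse_dlllist(INFECTED_DLLLIST)
    print("new processes:", new_processes(cp, ip))
    added = new_dlls(cd, cp, idl, ip)
    print("new DLLs in explorer.exe:", added)
    print("outside system dirs:", outside_system_dirs(added))
```

The second filter matters because a baseline diff alone is noisy: explorer.exe legitimately loads more system DLLs the longer the VM runs, whereas a module loaded from a user profile directory is the kind of "anything suspicious" the lab question is after and a natural input for malfind.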
CONTACT ME
• Iñaki Rodriguez
– @virtualminds_es
– irodriguez@virtualminds.es

Más contenido relacionado

Destacado

One Flaw over the Cuckoo's Nest
One Flaw over the Cuckoo's NestOne Flaw over the Cuckoo's Nest
One Flaw over the Cuckoo's NestIñaki Rodríguez
 
Treat Detection using Hadoop
Treat Detection using HadoopTreat Detection using Hadoop
Treat Detection using HadoopDataWorks Summit
 
.Net Hijacking to Defend PowerShell BSidesSF2017
.Net Hijacking to Defend PowerShell BSidesSF2017 .Net Hijacking to Defend PowerShell BSidesSF2017
.Net Hijacking to Defend PowerShell BSidesSF2017 Amanda Rousseau
 
XPDS16: Hypervisor Enforced Data Loss Prevention - Neil Sikka, A1LOGIC
XPDS16: Hypervisor Enforced Data Loss Prevention - Neil Sikka, A1LOGICXPDS16: Hypervisor Enforced Data Loss Prevention - Neil Sikka, A1LOGIC
XPDS16: Hypervisor Enforced Data Loss Prevention - Neil Sikka, A1LOGICThe Linux Foundation
 
Rf atp nibong tebal p00128 rev 1 30 nov2016
Rf atp nibong tebal p00128 rev 1 30 nov2016Rf atp nibong tebal p00128 rev 1 30 nov2016
Rf atp nibong tebal p00128 rev 1 30 nov2016ewin aulia
 

Destacado (7)

One Flaw over the Cuckoo's Nest
One Flaw over the Cuckoo's NestOne Flaw over the Cuckoo's Nest
One Flaw over the Cuckoo's Nest
 
Treat Detection using Hadoop
Treat Detection using HadoopTreat Detection using Hadoop
Treat Detection using Hadoop
 
.Net Hijacking to Defend PowerShell BSidesSF2017
.Net Hijacking to Defend PowerShell BSidesSF2017 .Net Hijacking to Defend PowerShell BSidesSF2017
.Net Hijacking to Defend PowerShell BSidesSF2017
 
Phonosurgery
PhonosurgeryPhonosurgery
Phonosurgery
 
XPDS16: Hypervisor Enforced Data Loss Prevention - Neil Sikka, A1LOGIC
XPDS16: Hypervisor Enforced Data Loss Prevention - Neil Sikka, A1LOGICXPDS16: Hypervisor Enforced Data Loss Prevention - Neil Sikka, A1LOGIC
XPDS16: Hypervisor Enforced Data Loss Prevention - Neil Sikka, A1LOGIC
 
TYPES OF JOINTS
TYPES OF JOINTSTYPES OF JOINTS
TYPES OF JOINTS
 
Rf atp nibong tebal p00128 rev 1 30 nov2016
Rf atp nibong tebal p00128 rev 1 30 nov2016Rf atp nibong tebal p00128 rev 1 30 nov2016
Rf atp nibong tebal p00128 rev 1 30 nov2016
 

Similar a Malware Analysis Reverse Engineering Workshop Tools

Chris Gates - Attacking Oracle Web Applications With Metasploit (and wXf)
Chris Gates - Attacking Oracle Web Applications With Metasploit (and wXf)Chris Gates - Attacking Oracle Web Applications With Metasploit (and wXf)
Chris Gates - Attacking Oracle Web Applications With Metasploit (and wXf)Source Conference
 
SOURCE Boston --Attacking Oracle Web Applications with Metasploit & wXf
SOURCE Boston --Attacking Oracle Web Applications with Metasploit & wXfSOURCE Boston --Attacking Oracle Web Applications with Metasploit & wXf
SOURCE Boston --Attacking Oracle Web Applications with Metasploit & wXfChris Gates
 
Splunk Enterprise for InfoSec Hands-On Breakout Session
Splunk Enterprise for InfoSec Hands-On Breakout SessionSplunk Enterprise for InfoSec Hands-On Breakout Session
Splunk Enterprise for InfoSec Hands-On Breakout SessionSplunk
 
Automating OWASP ZAP - DevCSecCon talk
Automating OWASP ZAP - DevCSecCon talk Automating OWASP ZAP - DevCSecCon talk
Automating OWASP ZAP - DevCSecCon talk Simon Bennetts
 
Simon Bennetts - Automating ZAP
Simon Bennetts - Automating ZAP Simon Bennetts - Automating ZAP
Simon Bennetts - Automating ZAP DevSecCon
 
Building Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSABuilding Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSADenim Group
 
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay BhargavOWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay BhargavAbhay Bhargav
 
OWASP 2012 AppSec Dublin ZAP Intro
OWASP 2012 AppSec Dublin ZAP IntroOWASP 2012 AppSec Dublin ZAP Intro
OWASP 2012 AppSec Dublin ZAP IntroSimon Bennetts
 
Blue Teaming on a Budget of Zero
Blue Teaming on a Budget of ZeroBlue Teaming on a Budget of Zero
Blue Teaming on a Budget of ZeroKyle Bubp
 
2017 Codemotion OWASP ZAP in CI/CD
2017 Codemotion OWASP ZAP in CI/CD2017 Codemotion OWASP ZAP in CI/CD
2017 Codemotion OWASP ZAP in CI/CDSimon Bennetts
 
Bz backtrack.usage
Bz backtrack.usageBz backtrack.usage
Bz backtrack.usagedjenoalbania
 
AllDayDevOps ZAP automation in CI
AllDayDevOps ZAP automation in CIAllDayDevOps ZAP automation in CI
AllDayDevOps ZAP automation in CISimon Bennetts
 
OWASP 2015 AppSec EU ZAP 2.4.0 and beyond..
OWASP 2015 AppSec EU ZAP 2.4.0 and beyond..OWASP 2015 AppSec EU ZAP 2.4.0 and beyond..
OWASP 2015 AppSec EU ZAP 2.4.0 and beyond..Simon Bennetts
 
AppSec DC 2019 ASVS 4.0 Final.pptx
AppSec DC 2019 ASVS 4.0 Final.pptxAppSec DC 2019 ASVS 4.0 Final.pptx
AppSec DC 2019 ASVS 4.0 Final.pptxJosh Grossman
 
AppSec DC 2019 ASVS 4.0 Final.pptx
AppSec DC 2019 ASVS 4.0 Final.pptxAppSec DC 2019 ASVS 4.0 Final.pptx
AppSec DC 2019 ASVS 4.0 Final.pptxTuynNguyn819213
 
Introduction to Galaxy and RNA-Seq
Introduction to Galaxy and RNA-SeqIntroduction to Galaxy and RNA-Seq
Introduction to Galaxy and RNA-SeqEnis Afgan
 
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)FFRI, Inc.
 
OWASP DefectDojo - Open Source Security Sanity
OWASP DefectDojo - Open Source Security SanityOWASP DefectDojo - Open Source Security Sanity
OWASP DefectDojo - Open Source Security SanityMatt Tesauro
 
Standard Provenance Reporting and Scientific Software Management in Virtual L...
Standard Provenance Reporting and Scientific Software Management in Virtual L...Standard Provenance Reporting and Scientific Software Management in Virtual L...
Standard Provenance Reporting and Scientific Software Management in Virtual L...njcar
 

Similar a Malware Analysis Reverse Engineering Workshop Tools (20)

Chris Gates - Attacking Oracle Web Applications With Metasploit (and wXf)
Chris Gates - Attacking Oracle Web Applications With Metasploit (and wXf)Chris Gates - Attacking Oracle Web Applications With Metasploit (and wXf)
Chris Gates - Attacking Oracle Web Applications With Metasploit (and wXf)
 
SOURCE Boston --Attacking Oracle Web Applications with Metasploit & wXf
SOURCE Boston --Attacking Oracle Web Applications with Metasploit & wXfSOURCE Boston --Attacking Oracle Web Applications with Metasploit & wXf
SOURCE Boston --Attacking Oracle Web Applications with Metasploit & wXf
 
Splunk Enterprise for InfoSec Hands-On Breakout Session
Splunk Enterprise for InfoSec Hands-On Breakout SessionSplunk Enterprise for InfoSec Hands-On Breakout Session
Splunk Enterprise for InfoSec Hands-On Breakout Session
 
Automating OWASP ZAP - DevCSecCon talk
Automating OWASP ZAP - DevCSecCon talk Automating OWASP ZAP - DevCSecCon talk
Automating OWASP ZAP - DevCSecCon talk
 
Simon Bennetts - Automating ZAP
Simon Bennetts - Automating ZAP Simon Bennetts - Automating ZAP
Simon Bennetts - Automating ZAP
 
Building Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSABuilding Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSA
 
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay BhargavOWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
 
OWASP 2012 AppSec Dublin ZAP Intro
OWASP 2012 AppSec Dublin ZAP IntroOWASP 2012 AppSec Dublin ZAP Intro
OWASP 2012 AppSec Dublin ZAP Intro
 
Blue Teaming on a Budget of Zero
Blue Teaming on a Budget of ZeroBlue Teaming on a Budget of Zero
Blue Teaming on a Budget of Zero
 
2017 Codemotion OWASP ZAP in CI/CD
2017 Codemotion OWASP ZAP in CI/CD2017 Codemotion OWASP ZAP in CI/CD
2017 Codemotion OWASP ZAP in CI/CD
 
Bz backtrack.usage
Bz backtrack.usageBz backtrack.usage
Bz backtrack.usage
 
AllDayDevOps ZAP automation in CI
AllDayDevOps ZAP automation in CIAllDayDevOps ZAP automation in CI
AllDayDevOps ZAP automation in CI
 
Publishing Linked Data from RDB
Publishing Linked Data from RDBPublishing Linked Data from RDB
Publishing Linked Data from RDB
 
OWASP 2015 AppSec EU ZAP 2.4.0 and beyond..
OWASP 2015 AppSec EU ZAP 2.4.0 and beyond..OWASP 2015 AppSec EU ZAP 2.4.0 and beyond..
OWASP 2015 AppSec EU ZAP 2.4.0 and beyond..
 
AppSec DC 2019 ASVS 4.0 Final.pptx
AppSec DC 2019 ASVS 4.0 Final.pptxAppSec DC 2019 ASVS 4.0 Final.pptx
AppSec DC 2019 ASVS 4.0 Final.pptx
 
AppSec DC 2019 ASVS 4.0 Final.pptx
AppSec DC 2019 ASVS 4.0 Final.pptxAppSec DC 2019 ASVS 4.0 Final.pptx
AppSec DC 2019 ASVS 4.0 Final.pptx
 
Introduction to Galaxy and RNA-Seq
Introduction to Galaxy and RNA-SeqIntroduction to Galaxy and RNA-Seq
Introduction to Galaxy and RNA-Seq
 
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)
 
OWASP DefectDojo - Open Source Security Sanity
OWASP DefectDojo - Open Source Security SanityOWASP DefectDojo - Open Source Security Sanity
OWASP DefectDojo - Open Source Security Sanity
 
Standard Provenance Reporting and Scientific Software Management in Virtual L...
Standard Provenance Reporting and Scientific Software Management in Virtual L...Standard Provenance Reporting and Scientific Software Management in Virtual L...
Standard Provenance Reporting and Scientific Software Management in Virtual L...
 

Más de Iñaki Rodríguez

Seguridad en Internet para 6 Primaria Nuevo
Seguridad en Internet para 6 Primaria NuevoSeguridad en Internet para 6 Primaria Nuevo
Seguridad en Internet para 6 Primaria NuevoIñaki Rodríguez
 
Seguridad internet para niños
Seguridad internet para niñosSeguridad internet para niños
Seguridad internet para niñosIñaki Rodríguez
 
Seguridad internet para padres y madres (AMPAs)
Seguridad internet para padres y madres (AMPAs)Seguridad internet para padres y madres (AMPAs)
Seguridad internet para padres y madres (AMPAs)Iñaki Rodríguez
 

Más de Iñaki Rodríguez (7)

Seguridad en Internet para 6 Primaria Nuevo
Seguridad en Internet para 6 Primaria NuevoSeguridad en Internet para 6 Primaria Nuevo
Seguridad en Internet para 6 Primaria Nuevo
 
Seguridad en Internet v2
Seguridad en Internet v2Seguridad en Internet v2
Seguridad en Internet v2
 
Seguridad internet para niños
Seguridad internet para niñosSeguridad internet para niños
Seguridad internet para niños
 
Seguridad internet para padres y madres (AMPAs)
Seguridad internet para padres y madres (AMPAs)Seguridad internet para padres y madres (AMPAs)
Seguridad internet para padres y madres (AMPAs)
 
APT - A Pretty Trojan
APT - A Pretty TrojanAPT - A Pretty Trojan
APT - A Pretty Trojan
 
Show me your kung fuzz
Show me your kung fuzzShow me your kung fuzz
Show me your kung fuzz
 
Mysql Motores
Mysql MotoresMysql Motores
Mysql Motores
 

Último

Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 

Último (20)

Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 

Malware Analysis Reverse Engineering Workshop Tools

  • 1. Malware Analysis Reverse Engineering Workshop (44Con 2013) SIAVOSH ZARRASVAND & INAKI RODRIGUEZ (44CON)
  • 2. Grab a copy of the files • Thumb drives being passed around – Disclaimer about new malware of your own  SIAVOSH ZARRASVAND & INAKI RODRIGUEZ (44CON) 2 • Wifi – SSID hbn – PSK ILoveTheSmellOfHackInTheMorning – www http://192.168.252.5/
  • 3. Agenda 1. Basic Concepts 2. Behaviors Analysis 3. Memory Analysis 4. Static Analysis SIAVOSH ZARRASVAND & INAKI RODRIGUEZ (44CON) 3
  • 4. What is Malware • Any piece of software that performs malicious activities. – Executable – Documents – Flash – Java – … SIAVOSH ZARRASVAND & INAKI RODRIGUEZ (44CON) 4
  • 5. Types of Malware • Some examples of categories Worm Trojan Spyware Adware Ransomware Rootkit Keyloggers Stealers Virus Backdoor SIAVOSH ZARRASVAND & INAKI RODRIGUEZ (44CON) 5
  • 6. Windows Executable • An executable under the hood • Structure: • Imported Functions • Exported Functions • Sections • Code • Data • Relocation information • Certificate SIAVOSH ZARRASVAND & INAKI RODRIGUEZ (44CON) 6 • PE File
  • 7. Binary Content SIAVOSH ZARRASVAND & INAKI RODRIGUEZ (44CON) 7
  • 8. Interpreted Content SIAVOSH ZARRASVAND & INAKI RODRIGUEZ (44CON) 8
  • 9. The BIG picture SIAVOSH ZARRASVAND & INAKI RODRIGUEZ (44CON) 9
  • 10. PE Explorer • Examining the content of a Windows executable (exe, cpl, ocx, dll, …) • Editor, disassembler, resource editor. Imports Dependencies Sections Resource Data Directories SIAVOSH ZARRASVAND & INAKI RODRIGUEZ (44CON) 10 General Info Editor
  • 11. LAB – 1 • Use PE Explorer over installer.exe and pafish.exe • Questions – Could you enumerate some notable differences? – Could you find something interesting in installer.exe? SIAVOSH ZARRASVAND & INAKI RODRIGUEZ (44CON) 11
  • 12. LAB – 1 SIAVOSH ZARRASVAND & INAKI RODRIGUEZ (44CON) 12
  • 13. LAB – 1 SIAVOSH ZARRASVAND & INAKI RODRIGUEZ (44CON) 13
  • 14. LAB – 1 SIAVOSH ZARRASVAND & INAKI RODRIGUEZ (44CON) 14
  • 15. From File to Process • From File to Process SIAVOSH ZARRASVAND & INAKI RODRIGUEZ (44CON) 15 Loader Read Header Place Executable in Memory Create Process Object
  • 16. Monitoring Behavior
    • Interaction with the Operating System
    • File activity
    • Network flows
    • Registry monitor
    • API calls
    (Figure: a process and its loaded DLLs, each DLL exporting Fun1, Fun2, Fun3)
  • 17. Behavior Analysis
    • Execution in a controlled environment.
    • Not as time consuming as static analysis.
    • Focused on results.
    • VMs and snapshots.
    • MSDN for API call reference.
  • 18. What are we looking for
    • New processes
    • Code injection
    • Downloads
    • File activity
    • Persistence mechanism
    • Registry changes
    • C&C communication
    • Network activity (LAN)
  • 19. Process Monitor
    • Included in the Sysinternals Suite with many other interesting tools.
    (Figure labels: Filter, Search, Event, Filter by Event)
  • 20. Process Monitor
  • 21. Lab – 2 (File Activities)
    • Open Process Explorer
    • Execute installer.exe
    • Filter the results
    • Questions
      – Which file was created?
      – Where?
      – Why has installer.exe vanished?
  • 22. LAB – 2 (Answers)
  • 23. LAB – 2 (Answers)
  • 24. Lab – 3 (Process Activities)
    • Use the previous capture
    • Questions
      – How many processes were spawned?
      – Could you identify who deleted the original installer.exe file?
  • 25. Lab – 3 (Answers)
  • 26. Lab – 3 (Answers)
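Labs 2 and 3 are answered by filtering a Process Monitor capture; as an added example (not the workshop's own material), the Python below runs the same three filters over a Procmon CSV export: files the sample created, processes it spawned, and which process set the delete disposition on installer.exe. The capture is constructed for this example, so the dropped file name, directory and PIDs are placeholders, not values from the real sample.

```python
import csv
import io

# Constructed Process Monitor CSV export (not a real capture). Column layout follows
# Procmon's "Save as CSV"; the dropped file, directory and PIDs are placeholders.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.0000","explorer.exe","1200","Process Create","C:\Users\lab\installer.exe","SUCCESS","PID: 3000, Command line: C:\Users\lab\installer.exe"
"10:00:01.0100","installer.exe","3000","CreateFile","C:\Users\lab\AppData\Roaming\svc\dropped.exe","SUCCESS","Desired Access: Generic Write, Disposition: Create"
"10:00:01.0200","installer.exe","3000","WriteFile","C:\Users\lab\AppData\Roaming\svc\dropped.exe","SUCCESS","Offset: 0, Length: 40,960"
"10:00:01.0300","installer.exe","3000","CreateFile","C:\Users\lab\AppData\Roaming\svc","SUCCESS","Desired Access: Read Attributes, Disposition: Open"
"10:00:01.0400","installer.exe","3000","Process Create","C:\Windows\System32\cmd.exe","SUCCESS","PID: 3100, Command line: cmd.exe /c ..."
"10:00:01.0500","installer.exe","3000","Process Create","C:\Users\lab\AppData\Roaming\svc\dropped.exe","SUCCESS","PID: 3200, Command line: C:\Users\lab\AppData\Roaming\svc\dropped.exe"
"10:00:02.0000","cmd.exe","3100","SetDispositionInformationFile","C:\Users\lab\installer.exe","SUCCESS","Delete: True"
'''


def parse_procmon(text: str) -> list:
    """Procmon CSV export -> list of event dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def files_created(events, by: str) -> list:
    """Paths that process `by` created (CreateFile with a Create disposition)."""
    return sorted({e["Path"] for e in events if e["Process Name"] == by
                   and e["Operation"] == "CreateFile" and "Disposition: Create" in e["Detail"]})


def children_of(events, parent: str) -> list:
    """(child PID, image path) for each process `parent` spawned; the PID sits in Detail."""
    return [(e["Detail"].split(",")[0].split(":")[1].strip(), e["Path"])
            for e in events if e["Process Name"] == parent and e["Operation"] == "Process Create"]


def who_deleted(events, filename: str) -> list:
    """(process, PID) that marked `filename` for deletion: the vanishing installer of Lab 3."""
    return [(e["Process Name"], e["PID"]) for e in events
            if e["Operation"] == "SetDispositionInformationFile" and "Delete: True" in e["Detail"]
            and e["Path"].lower().endswith("\\" + filename.lower())]


if __name__ == "__main__":
    ev = parse_procmon(SAMPLE_CSV)
    print("created:", files_created(ev, "installer.exe"))
    print("spawned:", children_of(ev, "installer.exe"))
    print("deleted installer.exe:", who_deleted(ev, "installer.exe"))
```

The same functions run unchanged over a real export saved from Process Monitor with File > Save... > CSV.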
  • 27. Regshot
    • Takes registry snapshots
    • Compares snapshots
  • 28. Regshot Report
  • 29. Lab – 4 (Registry)
    • Restore the snapshot
    • Execute Regshot and take a first snapshot.
    • Execute Process Explorer.
    • Execute installer.exe.
    • Sleep 1m
    • Take a second snapshot and compare.
  • 30. Lab – 4 (Registry)
    • Questions
      – Could you identify the persistence mechanism using Regshot?
      – And with Process Monitor?
      – Could you find any new service added by the malware?
  • 31. Lab – 4 (Answer)
  • 32. Lab – 4 (Answer)
  • 33. Network Activity
    • Wireshark is a well known network sniffer.
    • Many protocol decoders
    • Drawback: secure (encrypted) connections
    (Figure labels: Start, Stop, Restart, Capture Options)
  • 34. Lab – 5
    • Network Activity – Wireshark
    • Questions
      – Did the malware contact a C&C?
      – Was it successful?
      – What was the IP/domain name?
      – Could you find information about the C&C?
    • DNS redirection (*)
  • 35. Lab – 5 (Answers)
  • 36. Lab – 5 (Answers)
  • 37. Lab – 5 (Answers)
  • 38. Sysanalyzer
    • Logs some interesting APIs
    • Sniffer
    • Less noisy
    • Less information
  • 39. Lab – 7
    • Run installer.exe and compare the results with those from the previous tools.
  • 40. API Monitor
    • Logs a chosen subset of a large set of Windows APIs
    • Low-level information
    • Don't try to log them all
  • 41. API Monitor
    (Figure labels: Start new process, Filters)
  • 42. WinApiOverride32
  • 43. Lab – 8
    • Log the network and file activity
    • Monitor newly created processes on demand.
    • Questions
      – Could you find the C&C?
      – Could you find when the file is deleted?
  • 44. LAB – 8 (Answers)
  • 45. LAB – 8 (Answers)
    • Were you able to find the C&C?
    • Why?
  • 46. Sandbox
    • Why not automate?
    • Cuckoo Sandbox executes the malware inside a VM for us.
    • Analyzer and reporting system in one solution.
    • Extensible
    • Must be installed on Linux
  • 47. Submit Samples
    • Web interface
    • Command line
  • 48. Cuckoo Architecture
    (Figure: the Host runs Cuckoo.py, Processors, Signatures and Reports; the Virtual Machine runs Agent.py, Analyzer.py, Cuckoomon.dll and the malware)
  • 49. Lab – 9
    • Upload a sample to the Sandbox
    • Meanwhile, check the report for sample a6ff0e175acc7aaa3c2a855e44b11e3b.
    • Questions
      – Could you identify the same indicators of compromise extracted with the previous tools?
      – Could you find the C&C?
      – And the function call?
  • 50. Lab – 9 (Answers)
  • 51. Lab – 9 (Answers)
  • 52. Post Mortem Analysis
    • Volatility can extract information from a memory dump.
    • Hidden processes, handles, connections, …
    • Malfind
    • Dump memory from Cuckoo, Winpmem, …
  • 53. Dumping Memory
  • 54. Dumping Memory
  • 55. Dumping Memory
    (Figure labels: Cuckoo, VirtualBox)
  • 56. Volatility
    • Offline memory analysis tool
    • Search for
      – Open handles
      – Hooked APIs
      – New DLLs
      – Hidden processes
      – Registry values
    • No diff tool (Anyone?)
  • 57. LAB – 10
    • Dump memory from a clean system
    • List the processes
    • Find explorer.exe and list its DLLs
    • Store this information in a file and repeat the whole process with the malware running
  • 58. LAB – 10
    • Question
      – Could you find anything suspicious?
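Slide 56 notes that Volatility has no diff tool, and Lab 10 asks for exactly that comparison by hand; as an added example (not part of the workshop or of Volatility), the Python below parses pslist and dlllist text output from a clean dump and an infected dump and reports the processes and DLLs that appear only in the second. The output fragments are constructed in the Volatility 2 layout, so svc_upd.exe, hook.dll, the PIDs and the addresses are placeholders.

```python
# Constructed Volatility 2 output for Lab 10 (not from real dumps): pslist and
# dlllist for explorer.exe from a clean snapshot and from one taken with the
# sample running. svc_upd.exe, hook.dll, PIDs and addresses are placeholders.
CLEAN_PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0x823c89c8 System                    4      0     53      240 ------      0
0x8235b8f8 explorer.exe           1464   1444     15      545      0      0 2013-09-01 10:00:00 UTC+0000
"""
INFECTED_PSLIST = CLEAN_PSLIST + """\
0x81f2a020 svc_upd.exe            1880   1464      3       61      0      0 2013-09-01 10:05:12 UTC+0000
"""
CLEAN_DLLLIST = """\
explorer.exe pid:   1464
Base             Size  LoadCount Path
---------- ---------- ---------- ----
0x01000000   0x105000     0xffff C:\\WINDOWS\\Explorer.EXE
0x7c900000    0xb2000     0xffff C:\\WINDOWS\\system32\\ntdll.dll
"""
INFECTED_DLLLIST = CLEAN_DLLLIST + """\
0x10000000    0x2a000        0x1 C:\\Documents and Settings\\lab\\Application Data\\svc\\hook.dll
"""


def parse_pslist(text: str) -> dict:
    """{pid: (name, ppid)}; pslist data rows start with the 0x kernel offset."""
    out = {}
    for t in (line.split() for line in text.splitlines()):
        if t and t[0].startswith("0x"):
            out[int(t[2])] = (t[1], int(t[3]))
    return out


def parse_dlllist(text: str) -> dict:
    """{path: base}; module rows are 'base size loadcount path', path may contain spaces."""
    out = {}
    for t in (line.split(None, 3) for line in text.splitlines()):
        if len(t) == 4 and t[0].startswith("0x") and t[1].startswith("0x"):
            out[t[3].strip()] = int(t[0], 16)
    return out


def diff_dumps(clean_ps, bad_ps, clean_dll, bad_dll) -> dict:
    """The diff Volatility lacks: processes and DLLs present only in the second dump."""
    cp, bp = parse_pslist(clean_ps), parse_pslist(bad_ps)
    cd, bd = parse_dlllist(clean_dll), parse_dlllist(bad_dll)
    return {"new_processes": {p: bp[p] for p in bp.keys() - cp.keys()},
            "gone_processes": {p: cp[p] for p in cp.keys() - bp.keys()},
            "new_dlls": sorted(bd.keys() - cd.keys()),
            # modules loaded from outside C:\WINDOWS deserve a second look
            "nonsystem_dlls": sorted(p for p in bd if not p.lower().startswith("c:\\windows\\"))}
```

Feed it the two files saved in Lab 10 (vol.py pslist and vol.py dlllist -p <explorer PID> output) instead of the constructed strings.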
  • 59. LAB – 10 (Answers)
  • 60. LAB – 10 (Answers)
  • 61. LAB – 10 (Answers)
  • 62. CONTACT ME
    • Iñaki Rodriguez
      – @virtualminds_es
      – irodriguez@virtualminds.es