2. Grab a copy of the files
• Thumb drives being passed around
– Disclaimer about new malware of your own
SIAVOSH ZARRASVAND & INAKI RODRIGUEZ (44CON) 2
• Wifi
– SSID hbn
– PSK ILoveTheSmellOfHackInTheMorning
– www http://192.168.252.5/
9. The BIG picture
10. PE Explorer
• Examining the content of a Windows executable (exe, cpl, ocx, dll, …)
• Editor, disassembler, resource editor.
[Screenshot: PE Explorer panels – General Info, Editor, Imports, Dependencies, Sections, Resource, Data Directories]
11. LAB – 1
• Use PE Explorer over installer.exe and pafish.exe
• Questions
– Could you enumerate some notable differences?
– Could you find something interesting in installer.exe?
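A small PE header and import-table parser, added here as an example (it is not part of the workshop material, nor PE Explorer's own code): it recovers the facts that PE Explorer's General Info, Sections and Imports panels display, so the differences asked for in Lab 1 can be pulled from installer.exe and pafish.exe with a script. `build_sample_pe()` constructs a minimal 32-bit PE in memory as test input; pass a file path to parse a real executable.

```python
"""Parse a PE file's headers, sections and import table (the data PE Explorer shows).

Added example; the PE returned by build_sample_pe() is constructed test data,
not a binary from the workshop.
"""
import struct
import sys

MACHINES = {0x14C: "i386", 0x8664: "x86-64", 0x1C0: "ARM", 0xAA64: "ARM64"}
SECTION_FLAGS = {0x00000020: "CODE", 0x20000000: "EXEC", 0x40000000: "READ", 0x80000000: "WRITE"}


def _cstring(data, offset):
    """Read a NUL-terminated ASCII string at a file offset."""
    return data[offset:data.index(b"\0", offset)].decode("ascii", "replace")


def parse_pe(data):
    """Return machine type, entry point, section table and imported DLL/function names."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ magic")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]        # DOS header -> NT headers
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF file header (20 bytes) follows the signature
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                                       # optional header
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = (struct.unpack_from("<Q", data, opt + 24)[0] if pe32plus
                  else struct.unpack_from("<I", data, opt + 28)[0])
    # data directory #1 (import table) starts 8 bytes into the directory array
    import_rva = struct.unpack_from("<I", data, opt + (112 if pe32plus else 96) + 8)[0]

    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw": rawptr, "rawsize": rawsize,
                         "flags": [f for bit, f in SECTION_FLAGS.items() if flags & bit]})

    def rva_to_off(rva):
        """Map a relative virtual address to a file offset via the section table."""
        for s in sections:
            if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
                return rva - s["va"] + s["raw"]
        raise ValueError("RVA 0x%x is not backed by any section" % rva)

    imports = {}
    if import_rva:
        desc = rva_to_off(import_rva)
        thunk_fmt, thunk_len, ord_bit = ("<Q", 8, 1 << 63) if pe32plus else ("<I", 4, 1 << 31)
        while True:  # IMAGE_IMPORT_DESCRIPTOR array, terminated by an all-zero entry
            oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
            if name_rva == 0:
                break
            funcs, thunk = [], rva_to_off(oft or ft)
            while True:  # thunk array, terminated by 0; high bit set means import by ordinal
                t = struct.unpack_from(thunk_fmt, data, thunk)[0]
                if t == 0:
                    break
                funcs.append("#%d" % (t & 0xFFFF) if t & ord_bit
                             else _cstring(data, rva_to_off(t & 0x7FFFFFFF) + 2))  # skip hint
                thunk += thunk_len
            imports[_cstring(data, rva_to_off(name_rva))] = funcs
            desc += 20
    return {"machine": MACHINES.get(machine, hex(machine)), "image_base": image_base,
            "entry_point": image_base + entry_rva, "sections": sections, "imports": imports}


def build_sample_pe():
    """Constructed minimal 32-bit PE: one .text section holding an import table for kernel32.dll."""
    sec, rva = bytearray(0x200), 0x1000
    struct.pack_into("<IIIII", sec, 0x00, rva + 0x28, 0, 0, rva + 0x50, rva + 0x40)  # descriptor
    names = [rva + 0x60, rva + 0x70, rva + 0x80, 0]
    struct.pack_into("<4I", sec, 0x28, *names)                 # OriginalFirstThunk
    struct.pack_into("<4I", sec, 0x40, *names)                 # FirstThunk (IAT)
    sec[0x50:0x5D] = b"kernel32.dll\0"
    for off, func in ((0x60, b"CreateFileW"), (0x70, b"WriteFile"), (0x80, b"VirtualAlloc")):
        sec[off:off + 3 + len(func)] = b"\0\0" + func + b"\0"  # hint + name
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1100)                    # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200) # ImageBase, SectionAlign, FileAlign
    struct.pack_into("<II", opt, 56, 0x2000, 0x200)            # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                        # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 104, rva, 0x28)               # import directory RVA/size
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x200, rva, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect
    return headers + bytes(0x200 - len(headers)) + bytes(sec)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    info = parse_pe(blob)
    print(info["machine"], "entry 0x%x" % info["entry_point"])
    for s in info["sections"]:
        print("%-8s va=0x%05x rawsize=0x%x %s" % (s["name"], s["va"], s["rawsize"], s["flags"]))
    for dll, funcs in info["imports"].items():
        print(dll, funcs)
```

Run it over the two lab binaries and compare the import lists and section flags side by side; a packed or dropper-style executable typically shows very few imports and a writable, executable section, which is exactly the kind of difference Lab 1 asks about.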
15. From File to Process
[Diagram: From File to Process – Loader: Read Header → Place Executable in Memory → Create Process Object]
16. Monitoring Behavior
[Diagram: a Process loading several DLLs, each exporting functions Fun1, Fun2, Fun3]
• Interaction with the Operating System
• File Activity
• Network flows
• Registry monitor
• Api Calls
17. Behavior Analysis
• Execution in a controlled environment.
• Not as time consuming as static analysis.
• Focused on results.
• VM and Snapshots.
• MSDN – Api calls
18. What are we looking for
• New processes
• Code injection
• Downloads
• File activity
• Persistence mechanism
• Registry changes
• C&C Communication
• Network activity (LAN)
19. Process Monitor
• Included in the Sysinternals Suite with many other interesting tools.
[Screenshot: Process Monitor toolbar – Filter, Search, Event, Filter by Event]
21. Lab – 2 (File Activities)
• Open Process Explorer
• Execute installer.exe
• Filter the results
• Questions
– Which file was created?
– Where?
– Why has the installer.exe vanished?
24. Lab – 3 (Process Activities)
• Use the previous capture
• Questions
– How many processes were spawned?
– Could you identify who deleted the original installer.exe file?
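Labs 2 and 3 work from the same Process Monitor capture, so here is one added example (not workshop code) that answers both sets of questions from a CSV export of that capture: which file was created and where, how many processes were spawned, and which process deleted installer.exe. `SAMPLE_CSV` is a constructed capture in Procmon's export column layout, not a real trace of the lab sample; run the script with a path to use a real export.

```python
"""Answer the Lab 2/3 questions from a Process Monitor CSV export (File > Save..., CSV).

Added example, not workshop code. SAMPLE_CSV is a constructed capture in Procmon's
export layout; run with a path to use a real export.
"""
import csv
import io
import sys

SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","installer.exe","1234","Process Start","","SUCCESS","Parent PID: 900, Command line: C:\\Users\\lab\\Desktop\\installer.exe"
"10:01:02.3","installer.exe","1234","CreateFile","C:\\Users\\lab\\AppData\\Roaming\\svchost.exe","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf, OpenResult: Created"
"10:01:02.4","installer.exe","1234","WriteFile","C:\\Users\\lab\\AppData\\Roaming\\svchost.exe","SUCCESS","Offset: 0, Length: 65,536"
"10:01:02.5","installer.exe","1234","Process Create","C:\\Users\\lab\\AppData\\Roaming\\svchost.exe","SUCCESS","PID: 2048, Command line: ""C:\\Users\\lab\\AppData\\Roaming\\svchost.exe"" -install"
"10:01:02.6","installer.exe","1234","CreateFile","C:\\Users\\lab\\Desktop\\installer.exe","SUCCESS","Desired Access: Read Attributes, Disposition: Open, OpenResult: Opened"
"10:01:03.0","installer.exe","1234","Process Exit","","SUCCESS","Exit Status: 0"
"10:01:03.4","svchost.exe","2048","SetDispositionInformationFile","C:\\Users\\lab\\Desktop\\installer.exe","SUCCESS","Delete: True"
"""


def load_events(text):
    """Rows of a Procmon CSV export as dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def filter_process(events, name):
    """Same effect as the Procmon filter 'Process Name is <name>'."""
    return [e for e in events if e["Process Name"].lower() == name.lower()]


def created_files(events):
    """Files that were newly created: CreateFile whose Detail reports OpenResult: Created."""
    return [(e["Process Name"], e["Path"]) for e in events
            if e["Operation"] == "CreateFile" and "OpenResult: Created" in e["Detail"]]


def spawned_processes(events):
    """(parent image, parent PID, child PID, child image) for every Process Create event."""
    spawned = []
    for e in events:
        if e["Operation"] == "Process Create":
            child_pid = int(e["Detail"].split("PID: ", 1)[1].split(",", 1)[0])
            spawned.append((e["Process Name"], int(e["PID"]), child_pid, e["Path"]))
    return spawned


def who_deleted(events, path):
    """Process that marked `path` for deletion (SetDispositionInformationFile, Delete: True)."""
    for e in events:
        if (e["Operation"] == "SetDispositionInformationFile" and "Delete: True" in e["Detail"]
                and e["Path"].lower() == path.lower()):
            return e["Process Name"], int(e["PID"])
    return None


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8-sig").read() if len(sys.argv) > 1 else SAMPLE_CSV
    events = load_events(text)
    print("events from installer.exe:", len(filter_process(events, "installer.exe")))
    for proc, path in created_files(events):
        print("created:", proc, "->", path)
    for parent, ppid, pid, image in spawned_processes(events):
        print("spawned: %s[%d] -> %s[%d]" % (parent, ppid, image, pid))
    print("deleted installer.exe:", who_deleted(events, r"C:\Users\lab\Desktop\installer.exe"))
```

The deletion is visible only as a SetDispositionInformationFile event with `Delete: True`, not as a separate "delete" operation, which is why it is easy to miss when scrolling the Procmon window; filtering on that operation answers the "who" question directly, and the PID links it back to the Process Create event of the dropped copy.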
29. Lab – 4 (Registry)
• Restore the Snapshot
• Execute Regshot and take a first snapshot.
• Execute Process Explorer.
• Execute installer.exe.
• Sleep 1m
• Take a second snapshot and compare.
30. Lab – 4 (Registry)
• Questions
– Could you identify the persistence mechanism using RegShot?
– And with Process Monitor?
– Could you find any new service added by the malware?
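What Regshot's compare does, and the follow-up step the Lab 4 questions ask for, as an added example (not workshop code and not part of Regshot): diff two registry snapshots and then pick out the changes that land in autostart locations (Run/RunOnce, new service keys, Winlogon). The snapshots here are constructed dicts of `{key path: {value name: data}}`; on the lab VM they would be collected with Python's `winreg` module before and after running the sample, which is assumed and not shown.

```python
"""Regshot-style diff of two registry snapshots, then flag persistence locations.

Added example, not workshop code. BEFORE/AFTER are constructed snapshots
{key path: {value name: data}}; on Windows they would be taken with winreg.
"""
import copy
import re

# (regex on the key path, what a hit means): the places Lab 4 asks you to look at
PERSISTENCE_KEYS = [
    (r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", "autorun entry (Run/RunOnce)"),
    (r"\\CurrentControlSet\\Services\\[^\\]+$", "service registration"),
    (r"\\Windows NT\\CurrentVersion\\Winlogon$", "Winlogon Shell/Userinit"),
]

BEFORE = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
        "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe"},
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU": {"a": "notepad\\1"},
    r"HKLM\SYSTEM\CurrentControlSet\Services\Dhcp": {
        "ImagePath": r"%SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted", "Start": 2},
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon": {"Shell": "explorer.exe"},
}

# Second snapshot: ordinary noise (an MRU update) plus two changes attributed to the sample
AFTER = copy.deepcopy(BEFORE)
AFTER[r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"]["b"] = "calc\\1"
AFTER[r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"] = {
    "Updater": r"C:\Users\lab\AppData\Roaming\svchost.exe"}
AFTER[r"HKLM\SYSTEM\CurrentControlSet\Services\WinUpdSvc"] = {
    "ImagePath": r"C:\Users\lab\AppData\Roaming\svchost.exe -svc", "Start": 2}


def diff_snapshots(before, after):
    """Keys and values added, deleted or modified between the snapshots (Regshot's compare list)."""
    result = {"keys_added": sorted(set(after) - set(before)),
              "keys_deleted": sorted(set(before) - set(after)),
              "values_added": [], "values_modified": [], "values_deleted": []}
    for key in sorted(set(before) | set(after)):
        old, new = before.get(key, {}), after.get(key, {})
        for name in sorted(set(old) | set(new)):
            if name not in old:
                result["values_added"].append((key, name, new[name]))
            elif name not in new:
                result["values_deleted"].append((key, name, old[name]))
            elif old[name] != new[name]:
                result["values_modified"].append((key, name, old[name], new[name]))
    return result


def flag_persistence(diff):
    """Pick out added/modified values that sit under known autostart locations."""
    findings = []
    for change in diff["values_added"] + diff["values_modified"]:
        key, name, data = change[0], change[1], change[-1]
        for pattern, meaning in PERSISTENCE_KEYS:
            if re.search(pattern, key, re.IGNORECASE):
                findings.append((meaning, key, name, data))
    return findings


if __name__ == "__main__":
    d = diff_snapshots(BEFORE, AFTER)
    print("keys added:", len(d["keys_added"]), "values added:", len(d["values_added"]),
          "values modified:", len(d["values_modified"]))
    for meaning, key, name, data in flag_persistence(d):
        print("[%s] %s -> %s = %r" % (meaning, key, name, data))
```

The raw diff is noisy even on an idle VM (MRU lists, timestamps, Explorer state), which is why the lab has you sleep a minute and then compare: the second function reduces the list to the handful of changes that matter, and the `ImagePath` of any new service is the first thing to read.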
33. Network Activity
• Wireshark is a well known network sniffer.
• Many protocol decoders
• Drawback: Secure connections
[Screenshot: Wireshark toolbar – Capture Options, Start, Stop, Restart]
34. Lab – 5
• Network Activity – Wireshark
• Questions
– Did the malware contact a C&C?
– Was it successful?
– What was the IP/domain name?
– Could you find information about the C&C?
• DNS redirection (*)
38. Sysanalyzer
• Logs some interesting APIs
• Sniffer
• Less noisy
• Less information
39. Lab – 7
• Run installer.exe and compare the results from previous tools.
40. API Monitor
• Logs a chosen subset of the large set of Windows APIs it knows about
• Low-level information
• Don’t try to log all of them
41. API Monitor
[Screenshot: API Monitor – Start new process, Filters]
43. Lab – 8
• Log the network and file activity
• Monitor newly created processes on demand.
• Questions
– Could you find the C&C?
– Could you find when the file is deleted?
45. LAB – 8 (Answers)
• Were you able to find the C&C?
• Why?
46. Sandbox
• Why not automation?
• Cuckoo Sandbox executes the malware inside a VM for us.
• Analyzer and reporting system all in one solution.
• Extensible
• Must be installed on Linux
47. Submit Samples
• Web interface
• Command Line
49. Lab – 9
• Upload a sample to the Sandbox
• Meanwhile, check the report for sample a6ff0e175acc7aaa3c2a855e44b11e3b.
• Question
– Could you identify the same indicators of compromise extracted with the previous tools?
– Could you find the C&C?
– And the function call?
52. Post Mortem Analysis
• Volatility can extract information from a memory dump.
• Hidden process, handles, connections, …
• Malfind
• Dump memory from Cuckoo, Winpmem,
56. Volatility
• Offline Memory analysis tool
• Search for
– Open handles
– Hooked Apis
– New Dlls
– Hidden processes
– Registry values
• No diff tool (Anyone?)
57. LAB – 10
• Dump memory from a clean system
• List process list
• Find explorer.exe and list its dlls
• Store this information in a file and repeat the whole process with the malware running
58. LAB – 10
• Question
– Could you find anything suspicious?
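The "no diff tool" gap from the Volatility slide and the Lab 10 procedure (process list and explorer.exe module list from a clean dump, then again with the malware running) are served by one added example below; it is not workshop code and not part of Volatility. It parses the two plugin outputs, reports processes that exist only in the infected dump, and lists modules newly loaded into explorer.exe, marking any that live outside the system directories. The four text blocks are constructed in the layout of Volatility 2's `pslist` and `dlllist` text output; with real dumps, save each plugin's output to a file and pass the four paths on the command line.

```python
"""The missing diff tool for Lab 10: compare Volatility pslist/dlllist output from a
clean dump with the same output taken while the malware runs.

Added example, not workshop code or part of Volatility. The text blocks below are
constructed in the layout of Volatility 2's pslist and dlllist plugins.
"""
import sys

CLEAN_PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0x823c89c8 System                    4      0     53      240 ------      0
0x822f1020 smss.exe                368      4      3       19 ------      0 2014-09-10 08:00:01 UTC+0000
0x822a0da0 csrss.exe               584    368     11      369      0      0 2014-09-10 08:00:03 UTC+0000
0x82298700 winlogon.exe            608    368     19      570      0      0 2014-09-10 08:00:04 UTC+0000
0x821dea70 svchost.exe             900    608     21      200      0      0 2014-09-10 08:00:06 UTC+0000
0x820df020 explorer.exe           1516    608     16      460      0      0 2014-09-10 08:00:09 UTC+0000
"""

# Same machine after running the sample: one extra process, parented by explorer.exe
INFECTED_PSLIST = CLEAN_PSLIST + """\
0x81fa3da0 svchost.exe            2048   1516      4       70      0      0 2014-09-10 08:12:31 UTC+0000
"""

CLEAN_DLLLIST = """\
************************************************************************
explorer.exe pid:   1516
Command line : C:\\WINDOWS\\Explorer.EXE

Base             Size  LoadCount Path
---------- ---------- ---------- ----
0x01000000   0x102000     0xffff C:\\WINDOWS\\Explorer.EXE
0x7c900000    0xaf000     0xffff C:\\WINDOWS\\system32\\ntdll.dll
0x7c800000    0xf6000     0xffff C:\\WINDOWS\\system32\\kernel32.dll
"""

INFECTED_DLLLIST = CLEAN_DLLLIST + """\
0x10000000    0x1a000        0x1 C:\\Users\\lab\\AppData\\Roaming\\upd.dll
"""


def parse_pslist(text):
    """{(name, pid): ppid} from pslist output; data rows start with the kernel object offset."""
    procs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0].startswith("0x"):
            procs[(parts[1], int(parts[2]))] = int(parts[3])
    return procs


def parse_dlllist(text):
    """{(name, pid): [module paths]} from dlllist output."""
    modules, current = {}, None
    for line in text.splitlines():
        if " pid:" in line:                        # 'explorer.exe pid:   1516' header
            name, _, pid = line.partition(" pid:")
            current = (name.strip(), int(pid))
            modules[current] = []
        elif current and line.startswith("0x"):    # 'base size loadcount path' row
            modules[current].append(line.split(None, 3)[3])
    return modules


def new_processes(clean, infected):
    """(name, pid, ppid) of processes present only in the infected dump.
    Comparing on (name, pid) works because the lab restores the same snapshot,
    so pre-existing processes keep their PIDs."""
    return sorted((name, pid, ppid) for (name, pid), ppid in infected.items()
                  if (name, pid) not in clean)


def new_modules(clean, infected, process="explorer.exe"):
    """(path, outside_system_dirs) for modules loaded into `process` only in the infected dump."""
    before = {p.lower() for (n, _), mods in clean.items() if n == process for p in mods}
    found = []
    for (n, _), mods in infected.items():
        if n == process:
            for path in mods:
                if path.lower() not in before:
                    odd = not path.lower().startswith(("c:\\windows\\", "c:\\program files"))
                    found.append((path, odd))
    return found


if __name__ == "__main__":
    if len(sys.argv) == 5:  # clean_pslist clean_dlllist infected_pslist infected_dlllist
        cp, cd, ip, idl = (open(p).read() for p in sys.argv[1:5])
    else:
        cp, cd, ip, idl = CLEAN_PSLIST, CLEAN_DLLLIST, INFECTED_PSLIST, INFECTED_DLLLIST
    for name, pid, ppid in new_processes(parse_pslist(cp), parse_pslist(ip)):
        print("new process: %s pid=%d ppid=%d" % (name, pid, ppid))
    for path, odd in new_modules(parse_dlllist(cd), parse_dlllist(idl)):
        print("new module in explorer.exe: %s%s" % (path, "  <- outside system dirs" if odd else ""))
```

Two things stand out in the constructed output and are what "anything suspicious" means in practice: a second svchost.exe whose parent is explorer.exe rather than services.exe, and a module loaded into explorer.exe from a user-profile directory. The same two-dump comparison extends naturally to handles, connections and hooked APIs, which are the other lists the Volatility slide names.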