NINJA CORRELATION OF APT BINARIES
EVALUATING THE EFFECTIVENESS OF FUZZY HASHING TECHNIQUES IN IDENTIFYING PROVENANCE OF APT BINARIES
Bhavna Soman
Cyber Analyst/Developer, Intel Corp.
@bsoman3, #codeblue_jp
Copyright © Intel Corporation 2015. All rights reserved.
- GEORGE P. BURDELL
Opinions expressed are those of the author and do
not reflect the opinions of his/her employer.
- LEGAL
Intel technologies’ features and benefits depend on system configuration
and may require enabled hardware, software or service activation.
Performance varies depending on system configuration. No computer
system can be absolutely secure. Check with your system manufacturer or
retailer or learn more at intel.com.
DISCLAIMERS
WHAT ADVANTAGE CAN KNOWING THE ORIGINS OF A MALICIOUS BINARY GIVE YOU??
• We can apply past analyses of motivations and capabilities of adversary
• Connect disparate events into one whole picture
• So what’s the best way to connect the dots?
AGENDA
• Methods to connect binaries
• Getting a test dataset and ground truth
• Results
• Sample clusters found
• Takeaways and Future direction
WHAT IS THE BEST WAY TO CONNECT SIMILAR BINARIES??
• Imphash— md5 hash of the import table
• ssdeep— Context triggered piecewise hashing
• SDhash— Bloom filters
How to:
1. Get non-trivial dataset of binaries related to targeted campaigns
2. Establish ground truth without static/dynamic analyses of hundreds of binaries?
GATHERING DATA
APT Whitepapers
• Published Jan-March 2015
• e.g. “Project Cobra Analysis”, “The Desert Falcon Targeted Attacks”
EXTRACT
MD5s
• Extract MD5s
• >10% Malicious on Virus Total
CALCULATE
Similarity Metrics
• Calculate for each binary: Import hash, ssdeep, SDhash
ASSESSING CORRELATIONS
Are these malware related?
APT1: {Actor Names, Campaign Name, Malware Families, Aliases}
APT2: {Actor Names, Campaign Name, Malware Families, Aliases}
ASSESSING CORRELATIONS
• No one method found all the correlations
• Imphash had the most false positives
• SDhash had maximum recall
• Both ssdeep and SDhash had near perfect precision
SUMMARY RESULTS
[Chart: Recall, Precision]
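An added example (not from the talk or its tooling): the scoring loop the slides describe, run on a constructed five-sample dataset. It assumes two binaries count as related when the attribute sets of their source reports share an element, uses the pefile convention for imphash, and treats the sample names, import lists, tags and fuzzy scores as constructed stand-ins.

```python
import hashlib
from itertools import combinations


def imphash(imports):
    """MD5 over the ordered import list (pefile convention): lowercase
    'library.function', library extension dropped, entries comma-joined."""
    parts = []
    for lib, func in imports:
        lib = lib.lower()
        stem, _, ext = lib.rpartition(".")
        if stem and ext in ("dll", "ocx", "sys"):
            lib = stem
        parts.append(f"{lib}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()


# Constructed import tables: a generic loader stub and two builds of one RAT.
STUB = [("KERNEL32.dll", "LoadLibraryA"), ("KERNEL32.dll", "GetProcAddress"),
        ("KERNEL32.dll", "VirtualAlloc")]
RAT_V1 = [("WININET.dll", "InternetOpenA"), ("WININET.dll", "HttpSendRequestA"),
          ("ADVAPI32.dll", "RegSetValueExA")]
RAT_V2 = RAT_V1 + [("WS2_32.dll", "connect")]  # newer build, one extra import

# Constructed samples; "tags" stands for the {actor, campaign, family, alias}
# set taken from the report each hash was extracted from.
SAMPLES = {
    "a1": {"imports": RAT_V1, "tags": {"actor-a", "rat-x"}},
    "a2": {"imports": RAT_V1, "tags": {"actor-a", "campaign-1"}},
    "a3": {"imports": RAT_V2, "tags": {"actor-a", "rat-x"}},
    "b1": {"imports": STUB, "tags": {"actor-b", "dropper-y"}},
    "c1": {"imports": STUB, "tags": {"actor-c", "stealer-z"}},
}

# Constructed pairwise scores standing in for ssdeep/SDhash output (0-100).
FUZZY_SCORES = {("a1", "a2"): 88, ("a1", "a3"): 41, ("a2", "a3"): 38,
                ("b1", "c1"): 4, ("a1", "b1"): 0}


def related(a, b, samples):
    """Ground truth (assumption): related if the report tag sets intersect."""
    return bool(samples[a]["tags"] & samples[b]["tags"])


def imphash_links(samples):
    """Link every pair of samples whose import hashes are identical."""
    digests = {name: imphash(s["imports"]) for name, s in samples.items()}
    return {(a, b) for a, b in combinations(sorted(samples), 2)
            if digests[a] == digests[b]}


def threshold_links(scores, threshold):
    """Link pairs whose similarity score is at or above the threshold."""
    return {tuple(sorted(pair)) for pair, s in scores.items() if s >= threshold}


def evaluate(links, samples):
    """Count true/false correlations and compute precision and recall.
    Recall here is measured against every related pair in the dataset."""
    truth = {(a, b) for a, b in combinations(sorted(samples), 2)
             if related(a, b, samples)}
    tp, fp = len(links & truth), len(links - truth)
    return {"tp": tp, "fp": fp,
            "precision": tp / len(links) if links else 0.0,
            "recall": tp / len(truth) if truth else 0.0}


if __name__ == "__main__":
    # Imphash links a1-a2 (true) and b1-c1 (shared stub, unrelated reports),
    # and misses a3 because one added import changes the whole digest.
    print("imphash:", evaluate(imphash_links(SAMPLES), SAMPLES))
    print("fuzzy>=10:", evaluate(threshold_links(FUZZY_SCORES, 10), SAMPLES))
```

The same `evaluate` function accepts links from any method, so real ssdeep or SDhash pair scores can be passed through `threshold_links` in place of the constructed ones.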
IMPHASHES
• 408 TRUE CORRELATIONS
• 172 FALSE POSITIVES
• HIGH FIDELITY TRUE POSITIVES
• 2 CORRELATIONS ACROSS CAMPAIGNS BY THE SAME ACTOR
• NO CORRELATIONS BETWEEN DIFFERENT VERSIONS OF THE SAME MALWARE
• NO CORRELATIONS ACROSS PARTS OF THE KILL CHAIN WITHIN CAMPAIGN
[Chart: IMPHASH, axes SCORE and FREQUENCY]
IMPHASH
• SAV samples circa 2011
• Used by the Waterbug Attack group
• AKA Turla/Uruboros
• Version 1.5 of ComRAT (Turla Attackers)
• Compiled on March 25, 2008
• Other versions of the RAT in the dataset were not connected
• Wipbot 2013 Samples
• Used by the Waterbug attack Group
• Compiled on 15-10-2013
• Also referred to as Tavdig/WorldCupSec/TadjMakhal
IMPHASH
• Both samples of ComRAT
• Associated with Waterbug Group and Turla Attackers respectively
• Samples of the Carbon Malware
• Related to Project Cobra and The Waterbug Attack Group
IMPHASH
• Credential stealer and dropper from OP Arid Viper
• Vs. Droppers used by Attacks on the Syrian Opposition Forces
• No common attribution or KNOWN link
• Binaries from SIX different campaigns
• No common Actor or Malware Family
• Different parts of the Kill chain
SSDEEP
• 856 TRUE CORRELATIONS
• 0 FALSE POSITIVES
• 1 CORRELATIONS FOUND CONNECTING CAMPAIGNS BY THE SAME ACTOR
• SEVERAL CORRELATIONS BETWEEN MINOR VERSIONS OF SAME MALWARE
• NO CORRELATIONS ACROSS PARTS OF THE KILL CHAIN WITHIN CAMPAIGN
[Chart: SSDEEP, axes SCORE and FREQUENCY]
SSDEEP
• Wipbot 2013
• Used by the Waterbug attack group
• Correlation across minor versions of ComRAT
• Compile dates span over 3 years
• SAV/Uruboros samples
• Used by the Waterbug Attack group
• Timestamped 2013
SSDEEP
• Backdoors used in OP Desert Falcon (Kaspersky)
• 630 Correlations. Average similarity score was 35.13
• Different Versions of Carbon Malware compiled in 2009
• From Project Cobra and Waterbug Campaigns.
SSDEEP
NO FALSE POSITIVES
SDHASH
• THRESHOLD = 10
• 1412 TRUE CORRELATIONS
• 3 FALSE POSITIVES
• 1 CORRELATIONS FOUND CONNECTING CAMPAIGNS BY THE SAME ACTOR
• SEVERAL CORRELATIONS BETWEEN MINOR VERSIONS OF SAME MALWARE
• 1 CORRELATIONS ACROSS PARTS OF THE KILL CHAIN WITHIN CAMPAIGN
[Chart: SDHASH, axes SCORE and FREQUENCY]
SDHASH
• Correlation between Dropper, Stage 1, Stage 2 and Injected Library of Cobra Campaign
• High similarity with Carbon Tool used by the Waterbug group
• Widely varying AV labels even controlling for vendor
• Correlations made by sdhash only
• SAV/Uruboros samples
• 30 different Binaries compiled over 3 months in 2013
SDHASH
• Backdoor used by OP Desert Falcon
• Vs. Scanbox sample (known to be related to Anthem attacks and Deep Panda)
• No known relationship between those actors/campaigns/malware families
• “HttpBrowser” malware used in Anthem attack
• “Ammy Admin” tool used by the Carbanak group
WHERE WE STAND
• Imphash, ssdeep or SDhash??
• Path finding-ish. Engineer systems to make connections
• APT binaries may reuse code —use it against them
• It pays to know your adversary.
ACKS / Q&A / THANKS!
@bsoman3, bhavna.soman@ {intel.com, gmail.com}
• Chris Kitto and Jeff Boerio for helping me make better slides.
• Wonderful folks that write Security white papers
• @kbandla for creating and maintaining APTNotes
• Virus Total for the great data they provide

 
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...Delhi Call girls
 
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...SUHANI PANDEY
 
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...SUHANI PANDEY
 
Katraj ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...
Katraj ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready For S...Katraj ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready For S...
Katraj ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...tanu pandey
 
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdfMatthew Sinclair
 

Último (20)

Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service AvailableCall Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
 
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
 
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
 
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
Russian Call Girls Pune  (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...Russian Call Girls Pune  (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
 
20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf
 
Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...
Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...
Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...
 
( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...
( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...
( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...
 
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrStory Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
 
Wadgaon Sheri $ Call Girls Pune 10k @ I'm VIP Independent Escorts Girls 80057...
Wadgaon Sheri $ Call Girls Pune 10k @ I'm VIP Independent Escorts Girls 80057...Wadgaon Sheri $ Call Girls Pune 10k @ I'm VIP Independent Escorts Girls 80057...
Wadgaon Sheri $ Call Girls Pune 10k @ I'm VIP Independent Escorts Girls 80057...
 
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
 
Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...
Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...
Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...
 
Microsoft Azure Arc Customer Deck Microsoft
Microsoft Azure Arc Customer Deck MicrosoftMicrosoft Azure Arc Customer Deck Microsoft
Microsoft Azure Arc Customer Deck Microsoft
 
Dubai=Desi Dubai Call Girls O525547819 Outdoor Call Girls Dubai
Dubai=Desi Dubai Call Girls O525547819 Outdoor Call Girls DubaiDubai=Desi Dubai Call Girls O525547819 Outdoor Call Girls Dubai
Dubai=Desi Dubai Call Girls O525547819 Outdoor Call Girls Dubai
 
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
 
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...
 
6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...
6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...
6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...
 
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
 
📱Dehradun Call Girls Service 📱☎️ +91'905,3900,678 ☎️📱 Call Girls In Dehradun 📱
📱Dehradun Call Girls Service 📱☎️ +91'905,3900,678 ☎️📱 Call Girls In Dehradun 📱📱Dehradun Call Girls Service 📱☎️ +91'905,3900,678 ☎️📱 Call Girls In Dehradun 📱
📱Dehradun Call Girls Service 📱☎️ +91'905,3900,678 ☎️📱 Call Girls In Dehradun 📱
 
Katraj ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...
Katraj ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready For S...Katraj ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready For S...
Katraj ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...
 
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
 

Ninja Correlation of APT Binaries

  • 1. NINJA CORRELATION OF APT BINARIES: EVALUATING THE EFFECTIVENESS OF FUZZY HASHING TECHNIQUES IN IDENTIFYING PROVENANCE OF APT BINARIES. Bhavna Soman, Cyber Analyst/Developer, Intel Corp. @bsoman3, #codeblue_jp. Copyright © Intel Corporation 2015. All rights reserved.
  • 2. - GEORGE P. BURDELL: Opinions expressed are those of the author and do not reflect the opinions of his/her employer. - LEGAL: Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No computer system can be absolutely secure. Check with your system manufacturer or retailer or learn more at intel.com. DISCLAIMERS
  • 3. WHAT ADVANTAGE CAN KNOWING THE ORIGINS OF A MALICIOUS BINARY GIVE YOU?? • We can apply past analyses of motivations and capabilities of adversary • Connect disparate events into one whole picture • So what’s the best way to connect the dots?
  • 4. AGENDA • Methods to connect binaries • Getting a test dataset and ground truth • Results • Sample clusters found • Takeaways and Future direction
  • 5. WHAT IS THE BEST WAY TO CONNECT SIMILAR BINARIES?? • Imphash— md5 hash of the import table • ssdeep— Context triggered piecewise hashing • SDhash— Bloom filters How to: 1. Get non-trivial dataset of binaries related to targeted campaigns 2. Establish ground truth without static/dynamic analyses of hundreds of binaries?
  • 6. GATHERING DATA • APT Whitepapers • Published Jan-March 2015 • e.g. “Project Cobra Analysis”, “The Desert Falcon Targeted Attacks” • EXTRACT: MD5s • Extract MD5s • >10% Malicious on Virus Total • CALCULATE: Similarity Metrics • Calculate for each binary • Import hash • ssdeep • SDhash
  • 7. ASSESSING CORRELATIONS Are these malware related?
  • 8. ASSESSING CORRELATIONS APT1: {Actor Names, Campaign Name, Malware Families, Aliases} APT2: {Actor Names, Campaign Name, Malware Families, Aliases}
  • 9. SUMMARY RESULTS • No one method found all the correlations • Imphash had the most false positives • Sdhash had maximum recall • Both ssdeep and SDhash had near perfect precision (Chart: Recall, Precision)
  • 10. IMPHASHES
  • 11. • 408 TRUE CORRELATIONS • 172 FALSE POSITIVES • HIGH FIDELITY TRUE POSITIVES • 2 CORRELATIONS ACROSS CAMPAIGNS BY THE SAME ACTOR • NO CORRELATIONS BETWEEN DIFFERENT VERSIONS OF THE SAME MALWARE • NO CORRELATIONS ACROSS PARTS OF THE KILL CHAIN WITHIN CAMPAIGN (Chart axes: IMPHASH SCORE, FREQUENCY)
  • 12. IMPHASH
  • 13. IMPHASH • SAV samples circa 2011 • Used by the Waterbug Attack group • AKA Turla/Uroburos • Version 1.5 of ComRAT (Turla Attackers) • Compiled on March 25, 2008 • Other versions of the RAT in the dataset were not connected • Wipbot 2013 Samples • Used by the Waterbug attack Group • Compiled on 15-10-2013 • Also referred to as Tavdig/WorldCupSec/TadjMakhal
  • 14. IMPHASH
  • 15. IMPHASH • Both samples of ComRAT • Associated with Waterbug Group and Turla Attackers respectively • Samples of the Carbon Malware • Related to Project Cobra and The Waterbug Attack Group
  • 16. IMPHASH
  • 17. IMPHASH • Credential stealer and dropper from OP Arid Viper • Vs. Droppers used by Attacks on the Syrian Opposition Forces • No common attribution or KNOWN link • Binaries from SIX different campaigns • No common Actor or Malware Family • Different parts of the Killchain
  • 18. IMPHASH
  • 19. SSDEEP
  • 20. • 856 TRUE CORRELATIONS • 0 FALSE POSITIVES • 1 CORRELATION FOUND CONNECTING CAMPAIGNS BY THE SAME ACTOR • SEVERAL CORRELATIONS BETWEEN MINOR VERSIONS OF SAME MALWARE • NO CORRELATIONS ACROSS PARTS OF THE KILL CHAIN WITHIN CAMPAIGN (Chart axes: SSDEEP SCORE, FREQUENCY)
  • 21. SSDEEP
  • 22. SSDEEP • Wipbot 2013 • Used by the Waterbug attack group • Correlation across minor versions of ComRAT • Compile dates span over 3 years • SAV/Uroburos samples • Used by the Waterbug Attack group • Timestamped 2013
  • 23. SSDEEP
  • 24. SSDEEP • Backdoors used in OP Desert Falcon (Kaspersky) • 630 Correlations. Average similarity score was 35.13 • Different Versions of Carbon Malware compiled in 2009 • From Project Cobra and Waterbug Campaigns.
  • 25. SSDEEP
  • 26. SSDEEP NO FALSE POSITIVES
  • 27. SDHASH
  • 28. • THRESHOLD = 10 • 1412 TRUE CORRELATIONS • 3 FALSE POSITIVES • 1 CORRELATION FOUND CONNECTING CAMPAIGNS BY THE SAME ACTOR • SEVERAL CORRELATIONS BETWEEN MINOR VERSIONS OF SAME MALWARE • 1 CORRELATION ACROSS PARTS OF THE KILL CHAIN WITHIN CAMPAIGN (Chart axes: SDHASH SCORE, FREQUENCY)
  • 29. SDHASH
  • 30. SDHASH • Correlation between Dropper, Stage 1, Stage 2 and Injected Library of Cobra Campaign • High similarity with Carbon Tool used by the Waterbug group • Widely varying AV labels even controlling for vendor • Correlations made by sdhash only • SAV/Uroburos samples • 30 different Binaries compiled over 3 months in 2013
  • 31. SDHASH
  • 32. SDHASH • Backdoor used by OP Desert Falcon • Vs. Scanbox sample (known to be related to Anthem attacks and Deep Panda) • No known relationship between those actors/campaigns/malware families • “HttpBrowser” malware used in Anthem attack • “AmmyAdmin” tool used by the Carbanak group
  • 33. SDHASH
  • 34. WHERE WE STAND • Imphash, ssdeep or SDhash?? • Path finding-ish. Engineer systems to make connections • APT binaries may reuse code —use it against them • It pays to know your adversary.
  • 35. ACKS / Q&A / THANKS! @bsoman3, bhavna.soman@ {intel.com, gmail.com} • Chris Kitto and Jeff Boerio for helping me make better slides. • Wonderful folks that write Security white papers • @kbandla for creating and maintaining APTNotes • Virus Total for the great data they provide
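
The scoring described in slides 7 to 9, as an added Python example that is not code from the talk: a pair flagged by a similarity method counts as a true correlation when the samples' {actor, campaign, malware family, alias} label sets overlap. The sample records and fuzzy scores are constructed, and both the label-overlap test and measuring recall against the union of true correlations found by any method are assumptions; only the `REPORTED` counts come from the slides.

```python
from itertools import combinations

# Constructed records. "labels" stands in for the {actor names, campaign name,
# malware families, aliases} set of the whitepaper a sample was extracted from.
SAMPLES = {
    "s1": {"imphash": "aaa", "labels": {"Waterbug", "Turla", "ComRAT"}},
    "s2": {"imphash": "aaa", "labels": {"turla", "ComRAT"}},
    "s3": {"imphash": "bbb", "labels": {"Project Cobra", "Carbon"}},
    "s4": {"imphash": "bbb", "labels": {"Waterbug", "Carbon"}},
    "s5": {"imphash": "ccc", "labels": {"Arid Viper"}},
    "s6": {"imphash": "ccc", "labels": {"Syrian Opposition attacks"}},
}
# Constructed pairwise scores (0-100), the kind of value ssdeep or sdhash reports.
FUZZY_SCORES = {("s1", "s2"): 72, ("s3", "s4"): 35, ("s4", "s1"): 12, ("s5", "s6"): 4}
# (true correlations, false positives) as reported on the slides.
REPORTED = {"imphash": (408, 172), "ssdeep": (856, 0), "sdhash": (1412, 3)}


def related(a, b, samples=SAMPLES):
    """Ground truth (assumed rule): label sets overlap, ignoring case."""
    norm = lambda s: {x.lower() for x in samples[s]["labels"]}
    return bool(norm(a) & norm(b))


def imphash_pairs(samples=SAMPLES):
    """Pairs whose import hashes match exactly."""
    return {tuple(sorted(p)) for p in combinations(samples, 2)
            if samples[p[0]]["imphash"] == samples[p[1]]["imphash"]}


def fuzzy_pairs(scores=FUZZY_SCORES, threshold=10):
    """Pairs at or above the score threshold (the sdhash slide uses 10)."""
    return {tuple(sorted(p)) for p, score in scores.items() if score >= threshold}


def precision(tp, fp):
    return tp / (tp + fp) if tp + fp else 0.0


def evaluate(methods):
    """methods: name -> set of pairs. Returns name -> tp, fp, precision, recall."""
    true_by = {n: {p for p in pairs if related(*p)} for n, pairs in methods.items()}
    all_true = set().union(*true_by.values())  # assumed recall denominator
    results = {}
    for name, pairs in methods.items():
        tp = len(true_by[name])
        fp = len(pairs) - tp
        results[name] = {"tp": tp, "fp": fp, "precision": precision(tp, fp),
                         "recall": tp / len(all_true) if all_true else 0.0}
    return results


if __name__ == "__main__":
    for name, r in evaluate({"imphash": imphash_pairs(),
                             "fuzzy": fuzzy_pairs()}).items():
        print(name, r)
    for name, (tp, fp) in REPORTED.items():
        print(name, "precision from slide counts:", round(precision(tp, fp), 3))
```

Recall cannot be recomputed from the slide counts alone, because the slides do not give the total number of true correlations in the dataset.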