SlideShare una empresa de Scribd logo

Flowchart - Building next gen malware behavioural analysis environment

I
isc2-hellenic

ISC2 Hellenic Chapter 25/10/2016

Tecnología
1 de 2
Descargar para leer sin conexión
Extract Archive Unpack file with UPX Load TempKey in memory “c9e0b830ff18645849b8dbab57e47 7b5” CPU Check if (cores < 3) { Exit; } Check resources If (!filexists(base*.dat)) {exit;} Check Windows Version If (!WinVistaOrGreater) {exit;} Final Key Key = TempKey XOR 0x03 Decoy Base8.tmp = Base8.dat XOR Key XOR0x08 Real sample Base16.tmp = Base16.dat XOR key Decoy Base32.tmp = Base32.dat XOR Key XOR0x32 Decoy Base64.tmp = Base64.dat XOR Key XOR0x64 Clean-up: remove (base*.tmp) Run sample cmd /c base16.tmp Identify .NET binary Decompile binary RansomKiller: MainApp Write Registry Key RAND 15 char = HKLMSoftware SergSecKey CPU Check if (cores < 5) { Exit; } Checks for MAC ofNetcard Checks for debugger Checks for malware analysis software Detect HyperV MainApp Scan Buy product Update signatures Settings goes through files, doesn’t do anything Open Register Form Open Register Form Checks for internet by connecting to https://cyber-europe.net Checks thekey by sending a GET request to https://cyber-europe.net/ evl/ransomkill/reg.php If (reply == “260CA9DD8A4577FC00B7BD5810298 076") { RegisterProduct; } Enables all buttons of MainApp Easter Egg: checks ifpublic key of SergSec is installed in the CA Store Downloads https://cyber-europe.net// evl/ransomkill/update.rk Check ifit’s a Thursday Decrypt using AES-128 update.rk to updt.exe Gets AES Key = serial number of SergSec public certificate Executes updt.exe Creates Task: binary to be ran on 12th Oct 2016 Autoupdate: creates a Registry Key in HKLMSoftwareSergSecAutoUpdate = 1 Autostart: creates a Registry Key in HKLMSoftwareMicrosoftWindows CurrentVersionRun RansomKillerAppbase16.tmp Auto schedule: creates a weekly Task in theWindows Task Scheduler named RK_Weekly Sign in Easter Egg: if (user == “demo”)&(password==”demo”) { AccessWebPanel; }
updt.exe MainApp Hides Window Stalls Execution via Search Stalls Execution via Math Calculation Checks for debugger (Necromancy Check) Deletes Old Logs Anti-Forensics Checks Username Computer Name Processes Running CheckChecks for debugger (Running Proccess) Stalls Execution via Search2 Keylogger ScreenGrabber Sends data to: 10.210.1.12 Exfiltrator Stores key strikes in: rNdfgl34f.txt Grabs Printscreen test.jpg 500 Strikes Persistance Deletes Logs

Recomendados

App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...Cyber Security Alliance
 
Killing any security product … using a Mimikatz undocumented feature
Killing any security product … using a Mimikatz undocumented featureKilling any security product … using a Mimikatz undocumented feature
Killing any security product … using a Mimikatz undocumented featureCyber Security Alliance
 
Debugging TV Frame 0x09
Debugging TV Frame 0x09Debugging TV Frame 0x09
Debugging TV Frame 0x09Dmitry Vostokov
 
Vm ware fuzzing - defcon russia 20
Vm ware fuzzing - defcon russia 20Vm ware fuzzing - defcon russia 20
Vm ware fuzzing - defcon russia 20DefconRussia
 
Pf: the OpenBSD packet filter
Pf: the OpenBSD packet filterPf: the OpenBSD packet filter
Pf: the OpenBSD packet filterGiovanni Bechis
 
Rop and it's friends
Rop and it's friendsRop and it's friends
Rop and it's friendsnuc13us
 
Ceph OSD Op trace
Ceph OSD Op traceCeph OSD Op trace
Ceph OSD Op trace畅 刘
 
主機自保指南
主機自保指南主機自保指南
主機自保指南維泰 蔡
 

Recomendados

App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...Cyber Security Alliance
 
Killing any security product … using a Mimikatz undocumented feature
Killing any security product … using a Mimikatz undocumented featureKilling any security product … using a Mimikatz undocumented feature
Killing any security product … using a Mimikatz undocumented featureCyber Security Alliance
 
Debugging TV Frame 0x09
Debugging TV Frame 0x09Debugging TV Frame 0x09
Debugging TV Frame 0x09Dmitry Vostokov
 
Vm ware fuzzing - defcon russia 20
Vm ware fuzzing - defcon russia 20Vm ware fuzzing - defcon russia 20
Vm ware fuzzing - defcon russia 20DefconRussia
 
Pf: the OpenBSD packet filter
Pf: the OpenBSD packet filterPf: the OpenBSD packet filter
Pf: the OpenBSD packet filterGiovanni Bechis
 
Rop and it's friends
Rop and it's friendsRop and it's friends
Rop and it's friendsnuc13us
 
Ceph OSD Op trace
Ceph OSD Op traceCeph OSD Op trace
Ceph OSD Op trace畅 刘
 
主機自保指南
主機自保指南主機自保指南
主機自保指南維泰 蔡
 
Oop lecture9 12
Oop lecture9 12Oop lecture9 12
Oop lecture9 12Shahriar Robbani
 
Rcpp11
Rcpp11Rcpp11
Rcpp11Romain Francois
 
A CTF Hackers Toolbox
A CTF Hackers ToolboxA CTF Hackers Toolbox
A CTF Hackers ToolboxStefan
 
Zn task - defcon russia 20
Zn task - defcon russia 20Zn task - defcon russia 20
Zn task - defcon russia 20DefconRussia
 
Relayd: a load balancer for OpenBSD
Relayd: a load balancer for OpenBSD Relayd: a load balancer for OpenBSD
Relayd: a load balancer for OpenBSD Giovanni Bechis
 
Advanced Replication Internals
Advanced Replication InternalsAdvanced Replication Internals
Advanced Replication InternalsScott Hernandez
 
NYU hacknight, april 6, 2016
NYU hacknight, april 6, 2016NYU hacknight, april 6, 2016
NYU hacknight, april 6, 2016Mikhail Sosonkin
 
บทท 7
บทท 7บทท 7
บทท 7J-Kitipat Vatinivijet
 
Monitoring with Syslog and EventMachine
Monitoring with Syslog and EventMachineMonitoring with Syslog and EventMachine
Monitoring with Syslog and EventMachineWooga
 
Nmap Scripting Engine and http-enumeration
Nmap Scripting Engine and http-enumerationNmap Scripting Engine and http-enumeration
Nmap Scripting Engine and http-enumerationRobert Rowley
 
Nmap5.cheatsheet.eng.v1
Nmap5.cheatsheet.eng.v1Nmap5.cheatsheet.eng.v1
Nmap5.cheatsheet.eng.v1Arduino Aficionado
 
Nessus scan report using microsoft patchs scan policy - Tareq Hanaysha
Nessus scan report using microsoft patchs scan policy - Tareq HanayshaNessus scan report using microsoft patchs scan policy - Tareq Hanaysha
Nessus scan report using microsoft patchs scan policy - Tareq HanayshaHanaysha
 
Using the Power to Prove
Using the Power to ProveUsing the Power to Prove
Using the Power to ProveKazuho Oku
 
Specializing the Data Path - Hooking into the Linux Network Stack
Specializing the Data Path - Hooking into the Linux Network StackSpecializing the Data Path - Hooking into the Linux Network Stack
Specializing the Data Path - Hooking into the Linux Network StackKernel TLV
 
Redis & ZeroMQ: How to scale your application
Redis & ZeroMQ: How to scale your applicationRedis & ZeroMQ: How to scale your application
Redis & ZeroMQ: How to scale your applicationrjsmelo
 
Sniffing Mach Messages
Sniffing Mach MessagesSniffing Mach Messages
Sniffing Mach MessagesMikhail Sosonkin
 
ZeroNights: Automating iOS blackbox security scanning
ZeroNights: Automating iOS blackbox security scanningZeroNights: Automating iOS blackbox security scanning
ZeroNights: Automating iOS blackbox security scanningMikhail Sosonkin
 
OWASP Proxy
OWASP ProxyOWASP Proxy
OWASP ProxySecurity B-Sides
 
MongoDB 2.8 Replication Internals: Fitting it all together
MongoDB 2.8 Replication Internals: Fitting it all togetherMongoDB 2.8 Replication Internals: Fitting it all together
MongoDB 2.8 Replication Internals: Fitting it all togetherScott Hernandez
 
A little systemtap
A little systemtapA little systemtap
A little systemtapyang bingwu
 
Building next gen malware behavioural analysis environment
Building next gen malware behavioural analysis environment Building next gen malware behavioural analysis environment
Building next gen malware behavioural analysis environment isc2-hellenic
 
GDPR Cyber Insurance 11/1/2017
GDPR Cyber Insurance 11/1/2017GDPR Cyber Insurance 11/1/2017
GDPR Cyber Insurance 11/1/2017isc2-hellenic
 

Más contenido relacionado

La actualidad más candente

A CTF Hackers Toolbox
A CTF Hackers ToolboxA CTF Hackers Toolbox
A CTF Hackers ToolboxStefan
 
Zn task - defcon russia 20
Zn task - defcon russia 20Zn task - defcon russia 20
Zn task - defcon russia 20DefconRussia
 
Relayd: a load balancer for OpenBSD
Relayd: a load balancer for OpenBSD Relayd: a load balancer for OpenBSD
Relayd: a load balancer for OpenBSD Giovanni Bechis
 
Advanced Replication Internals
Advanced Replication InternalsAdvanced Replication Internals
Advanced Replication InternalsScott Hernandez
 
NYU hacknight, april 6, 2016
NYU hacknight, april 6, 2016NYU hacknight, april 6, 2016
NYU hacknight, april 6, 2016Mikhail Sosonkin
 
Monitoring with Syslog and EventMachine
Monitoring with Syslog and EventMachineMonitoring with Syslog and EventMachine
Monitoring with Syslog and EventMachineWooga
 
Nmap Scripting Engine and http-enumeration
Nmap Scripting Engine and http-enumerationNmap Scripting Engine and http-enumeration
Nmap Scripting Engine and http-enumerationRobert Rowley
 
Nessus scan report using microsoft patchs scan policy - Tareq Hanaysha
Nessus scan report using microsoft patchs scan policy - Tareq HanayshaNessus scan report using microsoft patchs scan policy - Tareq Hanaysha
Nessus scan report using microsoft patchs scan policy - Tareq HanayshaHanaysha
 
Using the Power to Prove
Using the Power to ProveUsing the Power to Prove
Using the Power to ProveKazuho Oku
 
Specializing the Data Path - Hooking into the Linux Network Stack
Specializing the Data Path - Hooking into the Linux Network StackSpecializing the Data Path - Hooking into the Linux Network Stack
Specializing the Data Path - Hooking into the Linux Network StackKernel TLV
 
Redis & ZeroMQ: How to scale your application
Redis & ZeroMQ: How to scale your applicationRedis & ZeroMQ: How to scale your application
Redis & ZeroMQ: How to scale your applicationrjsmelo
 
ZeroNights: Automating iOS blackbox security scanning
ZeroNights: Automating iOS blackbox security scanningZeroNights: Automating iOS blackbox security scanning
ZeroNights: Automating iOS blackbox security scanningMikhail Sosonkin
 
MongoDB 2.8 Replication Internals: Fitting it all together
MongoDB 2.8 Replication Internals: Fitting it all togetherMongoDB 2.8 Replication Internals: Fitting it all together
MongoDB 2.8 Replication Internals: Fitting it all togetherScott Hernandez
 
A little systemtap
A little systemtapA little systemtap
A little systemtapyang bingwu
 

La actualidad más candente (20)

Oop lecture9 12
Oop lecture9 12Oop lecture9 12
Oop lecture9 12
 
Rcpp11
Rcpp11Rcpp11
Rcpp11
 
A CTF Hackers Toolbox
A CTF Hackers ToolboxA CTF Hackers Toolbox
A CTF Hackers Toolbox
 
Zn task - defcon russia 20
Zn task - defcon russia 20Zn task - defcon russia 20
Zn task - defcon russia 20
 
Relayd: a load balancer for OpenBSD
Relayd: a load balancer for OpenBSD Relayd: a load balancer for OpenBSD
Relayd: a load balancer for OpenBSD
 
Advanced Replication Internals
Advanced Replication InternalsAdvanced Replication Internals
Advanced Replication Internals
 
NYU hacknight, april 6, 2016
NYU hacknight, april 6, 2016NYU hacknight, april 6, 2016
NYU hacknight, april 6, 2016
 
บทท 7
บทท 7บทท 7
บทท 7
 
Monitoring with Syslog and EventMachine
Monitoring with Syslog and EventMachineMonitoring with Syslog and EventMachine
Monitoring with Syslog and EventMachine
 
Nmap Scripting Engine and http-enumeration
Nmap Scripting Engine and http-enumerationNmap Scripting Engine and http-enumeration
Nmap Scripting Engine and http-enumeration
 
Nmap5.cheatsheet.eng.v1
Nmap5.cheatsheet.eng.v1Nmap5.cheatsheet.eng.v1
Nmap5.cheatsheet.eng.v1
 
Nessus scan report using microsoft patchs scan policy - Tareq Hanaysha
Nessus scan report using microsoft patchs scan policy - Tareq HanayshaNessus scan report using microsoft patchs scan policy - Tareq Hanaysha
Nessus scan report using microsoft patchs scan policy - Tareq Hanaysha
 
Using the Power to Prove
Using the Power to ProveUsing the Power to Prove
Using the Power to Prove
 
Specializing the Data Path - Hooking into the Linux Network Stack
Specializing the Data Path - Hooking into the Linux Network StackSpecializing the Data Path - Hooking into the Linux Network Stack
Specializing the Data Path - Hooking into the Linux Network Stack
 
Redis & ZeroMQ: How to scale your application
Redis & ZeroMQ: How to scale your applicationRedis & ZeroMQ: How to scale your application
Redis & ZeroMQ: How to scale your application
 
Sniffing Mach Messages
Sniffing Mach MessagesSniffing Mach Messages
Sniffing Mach Messages
 
ZeroNights: Automating iOS blackbox security scanning
ZeroNights: Automating iOS blackbox security scanningZeroNights: Automating iOS blackbox security scanning
ZeroNights: Automating iOS blackbox security scanning
 
OWASP Proxy
OWASP ProxyOWASP Proxy
OWASP Proxy
 
MongoDB 2.8 Replication Internals: Fitting it all together
MongoDB 2.8 Replication Internals: Fitting it all togetherMongoDB 2.8 Replication Internals: Fitting it all together
MongoDB 2.8 Replication Internals: Fitting it all together
 
A little systemtap
A little systemtapA little systemtap
A little systemtap
 

Destacado

Building next gen malware behavioural analysis environment
Building next gen malware behavioural analysis environment Building next gen malware behavioural analysis environment
Building next gen malware behavioural analysis environment isc2-hellenic
 
GDPR Cyber Insurance 11/1/2017
GDPR Cyber Insurance 11/1/2017GDPR Cyber Insurance 11/1/2017
GDPR Cyber Insurance 11/1/2017isc2-hellenic
 
The evolving threats and the challenges of the modern CISO
The evolving threats and the challenges of the modern CISOThe evolving threats and the challenges of the modern CISO
The evolving threats and the challenges of the modern CISOisc2-hellenic
 
Pci standards, from participation to implementation and review
Pci standards, from participation to implementation and reviewPci standards, from participation to implementation and review
Pci standards, from participation to implementation and reviewisc2-hellenic
 
Operation Grand Mars
Operation Grand MarsOperation Grand Mars
Operation Grand Marsisc2-hellenic
 
Cyber Security Expect the Unexpected
Cyber Security Expect the UnexpectedCyber Security Expect the Unexpected
Cyber Security Expect the Unexpectedisc2-hellenic
 
European Cyber Security Challenge - Greel National Cyber Security Team
European Cyber Security Challenge - Greel National Cyber Security TeamEuropean Cyber Security Challenge - Greel National Cyber Security Team
European Cyber Security Challenge - Greel National Cyber Security Teamisc2-hellenic
 
Super CISO 2020: How to Keep Your Job
Super CISO 2020: How to Keep Your JobSuper CISO 2020: How to Keep Your Job
Super CISO 2020: How to Keep Your JobPriyanka Aash
 

Destacado (12)

Building next gen malware behavioural analysis environment
Building next gen malware behavioural analysis environment Building next gen malware behavioural analysis environment
Building next gen malware behavioural analysis environment
 
GDPR Cyber Insurance 11/1/2017
GDPR Cyber Insurance 11/1/2017GDPR Cyber Insurance 11/1/2017
GDPR Cyber Insurance 11/1/2017
 
The evolving threats and the challenges of the modern CISO
The evolving threats and the challenges of the modern CISOThe evolving threats and the challenges of the modern CISO
The evolving threats and the challenges of the modern CISO
 
Panoptis 2016
Panoptis 2016Panoptis 2016
Panoptis 2016
 
Pci standards, from participation to implementation and review
Pci standards, from participation to implementation and reviewPci standards, from participation to implementation and review
Pci standards, from participation to implementation and review
 
Operation Grand Mars
Operation Grand MarsOperation Grand Mars
Operation Grand Mars
 
Mandelaris_SecureWorld_2016_FINAL
Mandelaris_SecureWorld_2016_FINALMandelaris_SecureWorld_2016_FINAL
Mandelaris_SecureWorld_2016_FINAL
 
Cyber Security Expect the Unexpected
Cyber Security Expect the UnexpectedCyber Security Expect the Unexpected
Cyber Security Expect the Unexpected
 
GDPR 11/1/2017
GDPR 11/1/2017GDPR 11/1/2017
GDPR 11/1/2017
 
European Cyber Security Challenge - Greel National Cyber Security Team
European Cyber Security Challenge - Greel National Cyber Security TeamEuropean Cyber Security Challenge - Greel National Cyber Security Team
European Cyber Security Challenge - Greel National Cyber Security Team
 
Super CISO 2020: How to Keep Your Job
Super CISO 2020: How to Keep Your JobSuper CISO 2020: How to Keep Your Job
Super CISO 2020: How to Keep Your Job
 
Itil 2011 Mind Maps
Itil 2011 Mind MapsItil 2011 Mind Maps
Itil 2011 Mind Maps
 

Similar a Flowchart - Building next gen malware behavioural analysis environment

Java IO Streams V4
Java IO Streams V4Java IO Streams V4
Java IO Streams V4Sunil OS
 
Hibernate Import.Sql I18n
Hibernate Import.Sql I18nHibernate Import.Sql I18n
Hibernate Import.Sql I18nyifi2009
 
Devirtualizing FinSpy
Devirtualizing FinSpyDevirtualizing FinSpy
Devirtualizing FinSpyjduart
 
finalprojtemplatev5finalprojtemplate.gitignore# Ignore the b
finalprojtemplatev5finalprojtemplate.gitignore# Ignore the bfinalprojtemplatev5finalprojtemplate.gitignore# Ignore the b
finalprojtemplatev5finalprojtemplate.gitignore# Ignore the bChereCheek752
 
Shellcoding in linux
Shellcoding in linuxShellcoding in linux
Shellcoding in linuxAjin Abraham
 
What Have Syscalls Done for you Lately?
What Have Syscalls Done for you Lately?What Have Syscalls Done for you Lately?
What Have Syscalls Done for you Lately?Docker, Inc.
 
Strategies to design FUD malware
Strategies to design FUD malwareStrategies to design FUD malware
Strategies to design FUD malwarePedro Tavares
 
Midiendo la calidad de código en WTF/Min (Revisado EUI Abril 2014)
Midiendo la calidad de código en WTF/Min (Revisado EUI Abril 2014)Midiendo la calidad de código en WTF/Min (Revisado EUI Abril 2014)
Midiendo la calidad de código en WTF/Min (Revisado EUI Abril 2014)David Gómez García
 
Java Input Output and File Handling
Java Input Output and File HandlingJava Input Output and File Handling
Java Input Output and File HandlingSunil OS
 
Shell to be modified#include stdlib.h #include unistd.h .pdf
Shell to be modified#include stdlib.h #include unistd.h .pdfShell to be modified#include stdlib.h #include unistd.h .pdf
Shell to be modified#include stdlib.h #include unistd.h .pdfclarityvision
 
The Ring programming language version 1.6 book - Part 28 of 189
The Ring programming language version 1.6 book - Part 28 of 189The Ring programming language version 1.6 book - Part 28 of 189
The Ring programming language version 1.6 book - Part 28 of 189Mahmoud Samir Fayed
 
200 Open Source Projects Later: Source Code Static Analysis Experience
200 Open Source Projects Later: Source Code Static Analysis Experience200 Open Source Projects Later: Source Code Static Analysis Experience
200 Open Source Projects Later: Source Code Static Analysis ExperienceAndrey Karpov
 
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ..."Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...PROIDEA
 
“Linux Kernel CPU Hotplug in the Multicore System”
“Linux Kernel CPU Hotplug in the Multicore System”“Linux Kernel CPU Hotplug in the Multicore System”
“Linux Kernel CPU Hotplug in the Multicore System”GlobalLogic Ukraine
 

Similar a Flowchart - Building next gen malware behavioural analysis environment (20)

Lab4
Lab4Lab4
Lab4
 
Java IO Streams V4
Java IO Streams V4Java IO Streams V4
Java IO Streams V4
 
ExtraFileIO.pptx
ExtraFileIO.pptxExtraFileIO.pptx
ExtraFileIO.pptx
 
Hibernate Import.Sql I18n
Hibernate Import.Sql I18nHibernate Import.Sql I18n
Hibernate Import.Sql I18n
 
srgoc
srgocsrgoc
srgoc
 
Devirtualizing FinSpy
Devirtualizing FinSpyDevirtualizing FinSpy
Devirtualizing FinSpy
 
finalprojtemplatev5finalprojtemplate.gitignore# Ignore the b
finalprojtemplatev5finalprojtemplate.gitignore# Ignore the bfinalprojtemplatev5finalprojtemplate.gitignore# Ignore the b
finalprojtemplatev5finalprojtemplate.gitignore# Ignore the b
 
Shellcoding in linux
Shellcoding in linuxShellcoding in linux
Shellcoding in linux
 
What Have Syscalls Done for you Lately?
What Have Syscalls Done for you Lately?What Have Syscalls Done for you Lately?
What Have Syscalls Done for you Lately?
 
Strategies to design FUD malware
Strategies to design FUD malwareStrategies to design FUD malware
Strategies to design FUD malware
 
Midiendo la calidad de código en WTF/Min (Revisado EUI Abril 2014)
Midiendo la calidad de código en WTF/Min (Revisado EUI Abril 2014)Midiendo la calidad de código en WTF/Min (Revisado EUI Abril 2014)
Midiendo la calidad de código en WTF/Min (Revisado EUI Abril 2014)
 
Java Input Output and File Handling
Java Input Output and File HandlingJava Input Output and File Handling
Java Input Output and File Handling
 
Shell to be modified#include stdlib.h #include unistd.h .pdf
Shell to be modified#include stdlib.h #include unistd.h .pdfShell to be modified#include stdlib.h #include unistd.h .pdf
Shell to be modified#include stdlib.h #include unistd.h .pdf
 
Java practical
Java practicalJava practical
Java practical
 
The Ring programming language version 1.6 book - Part 28 of 189
The Ring programming language version 1.6 book - Part 28 of 189The Ring programming language version 1.6 book - Part 28 of 189
The Ring programming language version 1.6 book - Part 28 of 189
 
Java 7 LavaJUG
Java 7 LavaJUGJava 7 LavaJUG
Java 7 LavaJUG
 
200 Open Source Projects Later: Source Code Static Analysis Experience
200 Open Source Projects Later: Source Code Static Analysis Experience200 Open Source Projects Later: Source Code Static Analysis Experience
200 Open Source Projects Later: Source Code Static Analysis Experience
 
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ..."Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...
 
“Linux Kernel CPU Hotplug in the Multicore System”
“Linux Kernel CPU Hotplug in the Multicore System”“Linux Kernel CPU Hotplug in the Multicore System”
“Linux Kernel CPU Hotplug in the Multicore System”
 
Inheritance
InheritanceInheritance
Inheritance
 

Más de isc2-hellenic

General assembly 2016 02 24 1.0
General assembly 2016 02 24 1.0General assembly 2016 02 24 1.0
General assembly 2016 02 24 1.0isc2-hellenic
 
2016 02-14 - tlp-white ce2016 presentation
2016 02-14 - tlp-white ce2016 presentation2016 02-14 - tlp-white ce2016 presentation
2016 02-14 - tlp-white ce2016 presentationisc2-hellenic
 
2016 02-14-nis directive-overview isc2 chapter
2016 02-14-nis directive-overview isc2 chapter2016 02-14-nis directive-overview isc2 chapter
2016 02-14-nis directive-overview isc2 chapterisc2-hellenic
 
Event 16 12-15 kostas papadatos
Event 16 12-15 kostas papadatosEvent 16 12-15 kostas papadatos
Event 16 12-15 kostas papadatosisc2-hellenic
 
Event 16 12-15 panel1
Event 16 12-15 panel1Event 16 12-15 panel1
Event 16 12-15 panel1isc2-hellenic
 
Event 16 12-15 panel2
Event 16 12-15 panel2Event 16 12-15 panel2
Event 16 12-15 panel2isc2-hellenic
 
Event 16 12-15 global information security workforce study 1.0
Event 16 12-15 global information security workforce study 1.0Event 16 12-15 global information security workforce study 1.0
Event 16 12-15 global information security workforce study 1.0isc2-hellenic
 
5. Experience from recent national & international cyber exercises
5. Experience from recent national & international cyber exercises5. Experience from recent national & international cyber exercises
5. Experience from recent national & international cyber exercisesisc2-hellenic
 
4. Mitigating a Cyber Attack
4. Mitigating a Cyber Attack4. Mitigating a Cyber Attack
4. Mitigating a Cyber Attackisc2-hellenic
 
3. APTs Presentation
3. APTs Presentation3. APTs Presentation
3. APTs Presentationisc2-hellenic
 
2. Chapter introduction & update
2. Chapter introduction & update2. Chapter introduction & update
2. Chapter introduction & updateisc2-hellenic
 

Más de isc2-hellenic (12)

General assembly 2016 02 24 1.0
General assembly 2016 02 24 1.0General assembly 2016 02 24 1.0
General assembly 2016 02 24 1.0
 
2016 02-14 - tlp-white ce2016 presentation
2016 02-14 - tlp-white ce2016 presentation2016 02-14 - tlp-white ce2016 presentation
2016 02-14 - tlp-white ce2016 presentation
 
2016 02-14-nis directive-overview isc2 chapter
2016 02-14-nis directive-overview isc2 chapter2016 02-14-nis directive-overview isc2 chapter
2016 02-14-nis directive-overview isc2 chapter
 
Event 16 12-15 kostas papadatos
Event 16 12-15 kostas papadatosEvent 16 12-15 kostas papadatos
Event 16 12-15 kostas papadatos
 
Event 16 12-15 panel1
Event 16 12-15 panel1Event 16 12-15 panel1
Event 16 12-15 panel1
 
Event 16 12-15 panel2
Event 16 12-15 panel2Event 16 12-15 panel2
Event 16 12-15 panel2
 
Event 16 12-15 global information security workforce study 1.0
Event 16 12-15 global information security workforce study 1.0Event 16 12-15 global information security workforce study 1.0
Event 16 12-15 global information security workforce study 1.0
 
5. Experience from recent national & international cyber exercises
5. Experience from recent national & international cyber exercises5. Experience from recent national & international cyber exercises
5. Experience from recent national & international cyber exercises
 
4. Mitigating a Cyber Attack
4. Mitigating a Cyber Attack4. Mitigating a Cyber Attack
4. Mitigating a Cyber Attack
 
3. APTs Presentation
3. APTs Presentation3. APTs Presentation
3. APTs Presentation
 
2. Chapter introduction & update
2. Chapter introduction & update2. Chapter introduction & update
2. Chapter introduction & update
 
1. Welcome Note
1. Welcome Note1. Welcome Note
1. Welcome Note
 

Último

A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...panagenda
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 

Último (20)

A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 

Flowchart - Building next gen malware behavioural analysis environment

  • 1. Extract Archive Unpack file with UPX Load TempKey in memory “c9e0b830ff18645849b8dbab57e47 7b5” CPU Check if (cores < 3) { Exit; } Check resources If (!filexists(base*.dat)) {exit;} Check Windows Version If (!WinVistaOrGreater) {exit;} Final Key Key = TempKey XOR 0x03 Decoy Base8.tmp = Base8.dat XOR Key XOR0x08 Real sample Base16.tmp = Base16.dat XOR key Decoy Base32.tmp = Base32.dat XOR Key XOR0x32 Decoy Base64.tmp = Base64.dat XOR Key XOR0x64 Clean-up: remove (base*.tmp) Run sample cmd /c base16.tmp Identify .NET binary Decompile binary RansomKiller: MainApp Write Registry Key RAND 15 char = HKLMSoftware SergSecKey CPU Check if (cores < 5) { Exit; } Checks for MAC ofNetcard Checks for debugger Checks for malware analysis software Detect HyperV MainApp Scan Buy product Update signatures Settings goes through files, doesn’t do anything Open Register Form Open Register Form Checks for internet by connecting to https://cyber-europe.net Checks thekey by sending a GET request to https://cyber-europe.net/ evl/ransomkill/reg.php If (reply == “260CA9DD8A4577FC00B7BD5810298 076") { RegisterProduct; } Enables all buttons of MainApp Easter Egg: checks ifpublic key of SergSec is installed in the CA Store Downloads https://cyber-europe.net// evl/ransomkill/update.rk Check ifit’s a Thursday Decrypt using AES-128 update.rk to updt.exe Gets AES Key = serial number of SergSec public certificate Executes updt.exe Creates Task: binary to be ran on 12th Oct 2016 Autoupdate: creates a Registry Key in HKLMSoftwareSergSecAutoUpdate = 1 Autostart: creates a Registry Key in HKLMSoftwareMicrosoftWindows CurrentVersionRun RansomKillerAppbase16.tmp Auto schedule: creates a weekly Task in theWindows Task Scheduler named RK_Weekly Sign in Easter Egg: if (user == “demo”)&(password==”demo”) { AccessWebPanel; }
  • 2. updt.exe MainApp Hides Window Stalls Execution via Search Stalls Execution via Math Calculation Checks for debugger (Necromancy Check) Deletes Old Logs Anti-Forensics Checks Username Computer Name Processes Running CheckChecks for debugger (Running Proccess) Stalls Execution via Search2 Keylogger ScreenGrabber Sends data to: 10.210.1.12 Exfiltrator Stores key strikes in: rNdfgl34f.txt Grabs Printscreen test.jpg 500 Strikes Persistance Deletes Logs