SlideShare a Scribd company logo

Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis

Download as PPTX, PDF
securityxploded
securityxploded

This presentation is part of our Reverse Engineering & Malware Analysis Training program. For more details refer our Security Training page http://securityxploded.com/security-training.php

Technology
1 of 44
www.SecurityXploded.com
Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions of any kind. Also the views/ideas/knowledge expressed here are solely of the trainer’s only and nothing to do with the company or the organization in which the trainer is currently working. However in no circumstances neither the trainer nor SecurityXploded is responsible for any damage or loss caused due to use or misuse of the information presented here. www.SecurityXploded.com
Acknowledgement  Special thanks to null & Garage4Hackers community for their extended support and cooperation.  Thanks to all the trainers who have devoted their precious time and countless hours to make it happen. www.SecurityXploded.com
Reversing & Malware Analysis Training This presentation is part of our Reverse Engineering & Malware Analysis Training program. Currently it is delivered only during our local meet for FREE of cost. For complete details of this course, visit our Security Training page. www.SecurityXploded.com
Who am I Monnappa  m0nna  Member of SecurityXploded (SX)  Info Security Investigator @ Cisco  Reverse Engineering, Malware Analysis, Memory Forensics  Email: monnappa22@gmail.com, twitter@monnappa22 www.SecurityXploded.com
Contents  Why Malware Analysis?  Types of Malware Analysis  Static Analysis  Dynamic Analysis  Memory Analysis  Demo www.SecurityXploded.com
Why Malware Analysis? To determine:  the nature and purpose of the malware  Interaction with the file system  Interaction with the registry  Interaction with the network  Identifiable patterns www.SecurityXploded.com
Types of Malware Analysis?  Static Analysis - Analyzing without executing the malware  Dynamic Analysis - Analyzing by executing the malware  Memory Analysis - Analyzing the RAM for artifacts www.SecurityXploded.com
Static Analysis Steps:  Determine the file type tools: file utility on unix and windows (need to install)  Determine the cryptographic hash tools: md5sum utility on unix and windows (part of unix utils for windows)  Strings search tools: strings utility on unix and windows , Bintext  File obfuscation (packers, cryptors and binders) detection tools: PEiD, RDG packer detector  Submission to online antivirus scanners (virustotal, jotti, cymru) tools: browser and public api of Virustotal  Determine the Imports tools: PEview, Dependency Walker  Disassembly tools: IDA Pro, Ollydbg www.SecurityXploded.com
Dynamic Analysis Involves executing the malware in a controlled environment to determine its behavior Steps:  Determine the File system activity tools: process monitor, capturebat  Determine the Process activity tools: process explorer, process monitor, capturebat  Determine the Network activity tools: wireshark  Detemine the Registry activity tools: regmon, process monitor, capturebat www.SecurityXploded.com
Memory Analysis Finding and extracting artifacts from computer’s RAM  Determine the process activity  Determine the network connections  Determine hidden artifacts  Detemine the Registry activity Tools: Volatility (Advanced Memory Forensic Framework) Advantages:  helps in rootkit detection  helps in unpacking www.SecurityXploded.com
http://youtu.be/592uIELKUX8
Step 1 – Taking the cryptographic hash The below screenshot shows the md5sum of the sample www.SecurityXploded.com
Step 2 – Determine the packer PEiD was unable determine the packer www.SecurityXploded.com
Step 3 – Determine the Imports Dependency Walker shows the DLLs and API used by malicious executable www.SecurityXploded.com
Step 4 – VirusTotal Submission VirusTotal results show that this sample is a zeus bot (zbot) www.SecurityXploded.com
Step 1 – Running the monitoring tools Before executing the malware, montioring tools are run to capture the activities of the malware www.SecurityXploded.com
Step 2 – Simulate Internet Services Internet services are simulated to give fake response to malware and also to prevent malware from talking out on the internet www.SecurityXploded.com
Step 3 – Executing the malware (edd94.exe) www.SecurityXploded.com
Step 4 – process, registry and filesystem activity The below results show the process, registry and fileystem activity after executing the malware (edd94.exe), also explorer.exe performs lot of activity indicating code injection into explorer.exe www.SecurityXploded.com
Step 5 – Malware drops a file (raruo.exe) The below results show the malware dropping a file raruo.exe and creating a process. www.SecurityXploded.com
Step 6 – Explorer.exe setting value in registry The below output shows explorer.exe setting a value under run registry subkey as a persistence mechanism to survive the reboot. www.SecurityXploded.com
Step 7 – DNS query to malicious domain Packet capture shows dns query to users9.nofeehost.com and also response shows that the “A” record for the domain is pointed to the machine 192.168.1.2, which is simulating internet services. www.SecurityXploded.com
Step 8 – http connection to malicious domain The below output shows zeus bot trying to download configuration file from C&C and also the fake response given by the inetsim server. www.SecurityXploded.com
Step 9– ZeuS Tracker result ZueS Tracker shows that the domain was a ZeuS C&C server www.SecurityXploded.com
Step 1 – Taking the memory image Suspending the VM creates a memory image of the infected machine, the below screenshot show the memory image (infected.vmem) of the infected machine www.SecurityXploded.com
Step 2 – Process listing from memory image Volatility’s pslist module shows the two process edd94.exe and raruo.exe www.SecurityXploded.com
Step 3 – Network connections from memory image Volatility’s connscan module shows pid 1748 making http connection, this pid 1748 is associated with explorer.exe www.SecurityXploded.com
Step 4 – Embedded exe and api hooks in explorer.exe The below output shows the inline api hooks and embedded executable in explorer.exe, and also the embedded executable is dumped into a directory (dump) by malfind plugin www.SecurityXploded.com
Step 5 – Virustotal submission of dumped exe The virustotal submission confirms the dumped exe to be component of ZeuS bot www.SecurityXploded.com
Step 6 – Printing the registry key Malware creates registry key to survive the reboot www.SecurityXploded.com
Step 12 – Finding the malicious exe on infected machine Finding malicious sample (raruo.exe) from infected host and virustotal submission confirms ZeuS(zbot) infection www.SecurityXploded.com
http://youtu.be/3bxzvrGf5w8
Disassembly Example The below screenshot shows the disassembly of http bot, making connection to the C&C www.SecurityXploded.com
Disassembly Example (contd) The bot send the http request to the C&C www.SecurityXploded.com
Disassembly Example (contd) The bot retireves data from C&C www.SecurityXploded.com
Disassembly Example (contd) The below sceenshot shows some of the supported commands of this http bot www.SecurityXploded.com
Disassembly Example (contd) Bot runs the below code if the received command is “Execute”, it creates a process and sends the process id to the C&C server www.SecurityXploded.com
Reference  Complete Reference Guide for Reversing & Malware Analysis Training www.SecurityXploded.com
Thank You ! www.SecurityXploded.com

Recommended

Advanced Malware Analysis Training Session 7 - Malware Memory Forensics
Advanced Malware Analysis Training Session 7 - Malware Memory ForensicsAdvanced Malware Analysis Training Session 7 - Malware Memory Forensics
Advanced Malware Analysis Training Session 7 - Malware Memory Forensics
securityxploded
 
Advanced Malware Analysis Training Session 6 - Malware Sandbox Analysis
Advanced Malware Analysis Training Session 6 - Malware Sandbox AnalysisAdvanced Malware Analysis Training Session 6 - Malware Sandbox Analysis
Advanced Malware Analysis Training Session 6 - Malware Sandbox Analysis
securityxploded
 
Advanced Malware Analysis Training Session 1 - Detection and Removal of Malwares
Advanced Malware Analysis Training Session 1 - Detection and Removal of MalwaresAdvanced Malware Analysis Training Session 1 - Detection and Removal of Malwares
Advanced Malware Analysis Training Session 1 - Detection and Removal of Malwares
securityxploded
 
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2
securityxploded
 
Reversing & malware analysis training part 1 lab setup guide
Reversing & malware analysis training part 1 lab setup guideReversing & malware analysis training part 1 lab setup guide
Reversing & malware analysis training part 1 lab setup guide
securityxploded
 
Advanced Malware Analysis Training Session 4 - Anti-Analysis Techniques
Advanced Malware Analysis Training Session 4 - Anti-Analysis TechniquesAdvanced Malware Analysis Training Session 4 - Anti-Analysis Techniques
Advanced Malware Analysis Training Session 4 - Anti-Analysis Techniques
securityxploded
 
Advanced Malware Analysis Training Session 8 - Introduction to Android
Advanced Malware Analysis Training Session 8 - Introduction to AndroidAdvanced Malware Analysis Training Session 8 - Introduction to Android
Advanced Malware Analysis Training Session 8 - Introduction to Android
securityxploded
 
Reversing & Malware Analysis Training Part 13 - Future Roadmap
Reversing & Malware Analysis Training Part 13 - Future RoadmapReversing & Malware Analysis Training Part 13 - Future Roadmap
Reversing & Malware Analysis Training Part 13 - Future Roadmap
securityxploded
 

Recommended

Advanced Malware Analysis Training Session 7 - Malware Memory Forensics
Advanced Malware Analysis Training Session 7 - Malware Memory ForensicsAdvanced Malware Analysis Training Session 7 - Malware Memory Forensics
Advanced Malware Analysis Training Session 7 - Malware Memory Forensics
securityxploded
 
Advanced Malware Analysis Training Session 6 - Malware Sandbox Analysis
Advanced Malware Analysis Training Session 6 - Malware Sandbox AnalysisAdvanced Malware Analysis Training Session 6 - Malware Sandbox Analysis
Advanced Malware Analysis Training Session 6 - Malware Sandbox Analysis
securityxploded
 
Advanced Malware Analysis Training Session 1 - Detection and Removal of Malwares
Advanced Malware Analysis Training Session 1 - Detection and Removal of MalwaresAdvanced Malware Analysis Training Session 1 - Detection and Removal of Malwares
Advanced Malware Analysis Training Session 1 - Detection and Removal of Malwares
securityxploded
 
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2
securityxploded
 
Reversing & malware analysis training part 1 lab setup guide
Reversing & malware analysis training part 1 lab setup guideReversing & malware analysis training part 1 lab setup guide
Reversing & malware analysis training part 1 lab setup guide
securityxploded
 
Advanced Malware Analysis Training Session 4 - Anti-Analysis Techniques
Advanced Malware Analysis Training Session 4 - Anti-Analysis TechniquesAdvanced Malware Analysis Training Session 4 - Anti-Analysis Techniques
Advanced Malware Analysis Training Session 4 - Anti-Analysis Techniques
securityxploded
 
Advanced Malware Analysis Training Session 8 - Introduction to Android
Advanced Malware Analysis Training Session 8 - Introduction to AndroidAdvanced Malware Analysis Training Session 8 - Introduction to Android
Advanced Malware Analysis Training Session 8 - Introduction to Android
securityxploded
 
Reversing & Malware Analysis Training Part 13 - Future Roadmap
Reversing & Malware Analysis Training Part 13 - Future RoadmapReversing & Malware Analysis Training Part 13 - Future Roadmap
Reversing & Malware Analysis Training Part 13 - Future Roadmap
securityxploded
 
Reversing & Malware Analysis Training Part 11 - Exploit Development [Advanced]
Reversing & Malware Analysis Training Part 11 - Exploit Development [Advanced]Reversing & Malware Analysis Training Part 11 - Exploit Development [Advanced]
Reversing & Malware Analysis Training Part 11 - Exploit Development [Advanced]
securityxploded
 
Advanced Malware Analysis Training Session 5 - Reversing Automation
Advanced Malware Analysis Training Session 5 - Reversing AutomationAdvanced Malware Analysis Training Session 5 - Reversing Automation
Advanced Malware Analysis Training Session 5 - Reversing Automation
securityxploded
 
Reversing & malware analysis training part 2 introduction to windows internals
Reversing & malware analysis training part 2 introduction to windows internalsReversing & malware analysis training part 2 introduction to windows internals
Reversing & malware analysis training part 2 introduction to windows internals
securityxploded
 
Anti-Virus Evasion Techniques and Countermeasures
Anti-Virus Evasion Techniques and CountermeasuresAnti-Virus Evasion Techniques and Countermeasures
Anti-Virus Evasion Techniques and Countermeasures
n|u - The Open Security Community
 
Primer on password security
Primer on password securityPrimer on password security
Primer on password security
securityxploded
 
Application Virtualization
Application VirtualizationApplication Virtualization
Application Virtualization
securityxploded
 
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1 Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
securityxploded
 
Advanced Malware Analysis Training Session 11 - (Part 2) Dissecting the Heart...
Advanced Malware Analysis Training Session 11 - (Part 2) Dissecting the Heart...Advanced Malware Analysis Training Session 11 - (Part 2) Dissecting the Heart...
Advanced Malware Analysis Training Session 11 - (Part 2) Dissecting the Heart...
securityxploded
 
Reversing & malware analysis training part 3 windows pe file format basics
Reversing & malware analysis training part 3 windows pe file format basicsReversing & malware analysis training part 3 windows pe file format basics
Reversing & malware analysis training part 3 windows pe file format basics
securityxploded
 
Anatomy of Exploit Kits
Anatomy of Exploit KitsAnatomy of Exploit Kits
Anatomy of Exploit Kits
securityxploded
 
Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1
Cysinfo Cyber Security Community
 
Advanced malware analysis training session 7 malware memory forensics
Advanced malware analysis training session 7 malware memory forensicsAdvanced malware analysis training session 7 malware memory forensics
Advanced malware analysis training session 7 malware memory forensics
Cysinfo Cyber Security Community
 
Advanced malware analysis training session8 introduction to android
Advanced malware analysis training session8 introduction to androidAdvanced malware analysis training session8 introduction to android
Advanced malware analysis training session8 introduction to android
Cysinfo Cyber Security Community
 
Hunting Rootkit From the Dark Corners Of Memory
Hunting Rootkit From the Dark Corners Of MemoryHunting Rootkit From the Dark Corners Of Memory
Hunting Rootkit From the Dark Corners Of Memory
securityxploded
 
Reversing malware analysis trainingpart9 advanced malware analysis
Reversing malware analysis trainingpart9 advanced malware analysisReversing malware analysis trainingpart9 advanced malware analysis
Reversing malware analysis trainingpart9 advanced malware analysis
Cysinfo Cyber Security Community
 
Automating Malware Analysis
Automating Malware AnalysisAutomating Malware Analysis
Automating Malware Analysis
securityxploded
 
Reversing malware analysis training part11 exploit development advanced
Reversing malware analysis training part11 exploit development advancedReversing malware analysis training part11 exploit development advanced
Reversing malware analysis training part11 exploit development advanced
Cysinfo Cyber Security Community
 
Reversing malware analysis training part1 lab setup guide
Reversing malware analysis training part1 lab setup guideReversing malware analysis training part1 lab setup guide
Reversing malware analysis training part1 lab setup guide
Cysinfo Cyber Security Community
 
Reversing malware analysis training part6 practical reversing
Reversing malware analysis training part6 practical reversingReversing malware analysis training part6 practical reversing
Reversing malware analysis training part6 practical reversing
Cysinfo Cyber Security Community
 
Advanced malware analysis training session5 reversing automation
Advanced malware analysis training session5 reversing automationAdvanced malware analysis training session5 reversing automation
Advanced malware analysis training session5 reversing automation
Cysinfo Cyber Security Community
 
Basic malware analysis
Basic malware analysis Basic malware analysis
Basic malware analysis
Cysinfo Cyber Security Community
 
Reversing & malware analysis training part 9 advanced malware analysis
Reversing & malware analysis training part 9 advanced malware analysisReversing & malware analysis training part 9 advanced malware analysis
Reversing & malware analysis training part 9 advanced malware analysis
Abdulrahman Bassam
 

More Related Content

What's hot

What's hot (20)

Reversing & Malware Analysis Training Part 11 - Exploit Development [Advanced]
Reversing & Malware Analysis Training Part 11 - Exploit Development [Advanced]Reversing & Malware Analysis Training Part 11 - Exploit Development [Advanced]
Reversing & Malware Analysis Training Part 11 - Exploit Development [Advanced]
 
Advanced Malware Analysis Training Session 5 - Reversing Automation
Advanced Malware Analysis Training Session 5 - Reversing AutomationAdvanced Malware Analysis Training Session 5 - Reversing Automation
Advanced Malware Analysis Training Session 5 - Reversing Automation
 
Reversing & malware analysis training part 2 introduction to windows internals
Reversing & malware analysis training part 2 introduction to windows internalsReversing & malware analysis training part 2 introduction to windows internals
Reversing & malware analysis training part 2 introduction to windows internals
 
Anti-Virus Evasion Techniques and Countermeasures
Anti-Virus Evasion Techniques and CountermeasuresAnti-Virus Evasion Techniques and Countermeasures
Anti-Virus Evasion Techniques and Countermeasures
 
Primer on password security
Primer on password securityPrimer on password security
Primer on password security
 
Application Virtualization
Application VirtualizationApplication Virtualization
Application Virtualization
 
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1 Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
 
Advanced Malware Analysis Training Session 11 - (Part 2) Dissecting the Heart...
Advanced Malware Analysis Training Session 11 - (Part 2) Dissecting the Heart...Advanced Malware Analysis Training Session 11 - (Part 2) Dissecting the Heart...
Advanced Malware Analysis Training Session 11 - (Part 2) Dissecting the Heart...
 
Reversing & malware analysis training part 3 windows pe file format basics
Reversing & malware analysis training part 3 windows pe file format basicsReversing & malware analysis training part 3 windows pe file format basics
Reversing & malware analysis training part 3 windows pe file format basics
 
Anatomy of Exploit Kits
Anatomy of Exploit KitsAnatomy of Exploit Kits
Anatomy of Exploit Kits
 
Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1
 
Advanced malware analysis training session 7 malware memory forensics
Advanced malware analysis training session 7 malware memory forensicsAdvanced malware analysis training session 7 malware memory forensics
Advanced malware analysis training session 7 malware memory forensics
 
Advanced malware analysis training session8 introduction to android
Advanced malware analysis training session8 introduction to androidAdvanced malware analysis training session8 introduction to android
Advanced malware analysis training session8 introduction to android
 
Hunting Rootkit From the Dark Corners Of Memory
Hunting Rootkit From the Dark Corners Of MemoryHunting Rootkit From the Dark Corners Of Memory
Hunting Rootkit From the Dark Corners Of Memory
 
Reversing malware analysis trainingpart9 advanced malware analysis
Reversing malware analysis trainingpart9 advanced malware analysisReversing malware analysis trainingpart9 advanced malware analysis
Reversing malware analysis trainingpart9 advanced malware analysis
 
Automating Malware Analysis
Automating Malware AnalysisAutomating Malware Analysis
Automating Malware Analysis
 
Reversing malware analysis training part11 exploit development advanced
Reversing malware analysis training part11 exploit development advancedReversing malware analysis training part11 exploit development advanced
Reversing malware analysis training part11 exploit development advanced
 
Reversing malware analysis training part1 lab setup guide
Reversing malware analysis training part1 lab setup guideReversing malware analysis training part1 lab setup guide
Reversing malware analysis training part1 lab setup guide
 
Reversing malware analysis training part6 practical reversing
Reversing malware analysis training part6 practical reversingReversing malware analysis training part6 practical reversing
Reversing malware analysis training part6 practical reversing
 
Advanced malware analysis training session5 reversing automation
Advanced malware analysis training session5 reversing automationAdvanced malware analysis training session5 reversing automation
Advanced malware analysis training session5 reversing automation
 

Similar to Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis

Reversing & malware analysis training part 9 advanced malware analysis
Reversing & malware analysis training part 9 advanced malware analysisReversing & malware analysis training part 9 advanced malware analysis
Reversing & malware analysis training part 9 advanced malware analysis
Abdulrahman Bassam
 
Reversing & malware analysis training part 12 rootkit analysis
Reversing & malware analysis training part 12 rootkit analysisReversing & malware analysis training part 12 rootkit analysis
Reversing & malware analysis training part 12 rootkit analysis
Abdulrahman Bassam
 
Reversing & malware analysis training part 8 malware memory forensics
Reversing & malware analysis training part 8 malware memory forensicsReversing & malware analysis training part 8 malware memory forensics
Reversing & malware analysis training part 8 malware memory forensics
Abdulrahman Bassam
 
Malware analysis
Malware analysisMalware analysis
Malware analysis
Den Iir
 
Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008
ClubHack
 

Similar to Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis (20)

Basic malware analysis
Basic malware analysis Basic malware analysis
Basic malware analysis
 
Reversing & malware analysis training part 9 advanced malware analysis
Reversing & malware analysis training part 9 advanced malware analysisReversing & malware analysis training part 9 advanced malware analysis
Reversing & malware analysis training part 9 advanced malware analysis
 
Basic malware analysis
Basic malware analysisBasic malware analysis
Basic malware analysis
 
Reversing & malware analysis training part 12 rootkit analysis
Reversing & malware analysis training part 12 rootkit analysisReversing & malware analysis training part 12 rootkit analysis
Reversing & malware analysis training part 12 rootkit analysis
 
Reversing & malware analysis training part 8 malware memory forensics
Reversing & malware analysis training part 8 malware memory forensicsReversing & malware analysis training part 8 malware memory forensics
Reversing & malware analysis training part 8 malware memory forensics
 
Advanced Malware Analysis Training - Detection and Removal of Malwares
Advanced Malware Analysis Training - Detection and Removal of MalwaresAdvanced Malware Analysis Training - Detection and Removal of Malwares
Advanced Malware Analysis Training - Detection and Removal of Malwares
 
Advanced malware analysis training session6 malware sandbox analysis
Advanced malware analysis training session6 malware sandbox analysisAdvanced malware analysis training session6 malware sandbox analysis
Advanced malware analysis training session6 malware sandbox analysis
 
Black Energy18 - Russian botnet package analysis
Black Energy18 - Russian botnet package analysisBlack Energy18 - Russian botnet package analysis
Black Energy18 - Russian botnet package analysis
 
CHAPTER 3 BASIC DYNAMIC ANALYSIS.ppt
CHAPTER 3 BASIC DYNAMIC ANALYSIS.pptCHAPTER 3 BASIC DYNAMIC ANALYSIS.ppt
CHAPTER 3 BASIC DYNAMIC ANALYSIS.ppt
 
Intro2 malwareanalysisshort
Intro2 malwareanalysisshortIntro2 malwareanalysisshort
Intro2 malwareanalysisshort
 
Denis Zhuchinski Ways of enhancing application security
Denis Zhuchinski Ways of enhancing application securityDenis Zhuchinski Ways of enhancing application security
Denis Zhuchinski Ways of enhancing application security
 
SE2016 Android Denis Zhuchinski "Ways of enhancing application security"
SE2016 Android Denis Zhuchinski "Ways of enhancing application security"SE2016 Android Denis Zhuchinski "Ways of enhancing application security"
SE2016 Android Denis Zhuchinski "Ways of enhancing application security"
 
Ilomo Clampi Botnet Aug2009
Ilomo Clampi Botnet Aug2009Ilomo Clampi Botnet Aug2009
Ilomo Clampi Botnet Aug2009
 
Super1
Super1Super1
Super1
 
Automating malware analysis
Automating malware analysis Automating malware analysis
Automating malware analysis
 
Two-For-One Talk: Malware Analysis for Everyone
Two-For-One Talk: Malware Analysis for EveryoneTwo-For-One Talk: Malware Analysis for Everyone
Two-For-One Talk: Malware Analysis for Everyone
 
SANS Digital Forensics and Incident Response Poster 2012
SANS Digital Forensics and Incident Response Poster 2012SANS Digital Forensics and Incident Response Poster 2012
SANS Digital Forensics and Incident Response Poster 2012
 
Malware analysis
Malware analysisMalware analysis
Malware analysis
 
Cyber Defense Forensic Analyst - Real World Hands-on Examples
Cyber Defense Forensic Analyst - Real World Hands-on ExamplesCyber Defense Forensic Analyst - Real World Hands-on Examples
Cyber Defense Forensic Analyst - Real World Hands-on Examples
 
Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008
 

More from securityxploded

More from securityxploded (20)

Fingerprinting healthcare institutions
Fingerprinting healthcare institutionsFingerprinting healthcare institutions
Fingerprinting healthcare institutions
 
Hollow Process Injection - Reversing and Investigating Malware Evasive Tactics
Hollow Process Injection - Reversing and Investigating Malware Evasive TacticsHollow Process Injection - Reversing and Investigating Malware Evasive Tactics
Hollow Process Injection - Reversing and Investigating Malware Evasive Tactics
 
Buffer Overflow Attacks
Buffer Overflow AttacksBuffer Overflow Attacks
Buffer Overflow Attacks
 
Malicious Client Detection Using Machine Learning
Malicious Client Detection Using Machine LearningMalicious Client Detection Using Machine Learning
Malicious Client Detection Using Machine Learning
 
Understanding CryptoLocker (Ransomware) with a Case Study
Understanding CryptoLocker (Ransomware) with a Case StudyUnderstanding CryptoLocker (Ransomware) with a Case Study
Understanding CryptoLocker (Ransomware) with a Case Study
 
Linux Malware Analysis using Limon Sandbox
Linux Malware Analysis using Limon SandboxLinux Malware Analysis using Limon Sandbox
Linux Malware Analysis using Limon Sandbox
 
Introduction to SMPC
Introduction to SMPCIntroduction to SMPC
Introduction to SMPC
 
Breaking into hospitals
Breaking into hospitalsBreaking into hospitals
Breaking into hospitals
 
Bluetooth [in]security
Bluetooth [in]securityBluetooth [in]security
Bluetooth [in]security
 
Reverse Engineering Malware
Reverse Engineering MalwareReverse Engineering Malware
Reverse Engineering Malware
 
DLL Preloading Attack
DLL Preloading AttackDLL Preloading Attack
DLL Preloading Attack
 
Partial Homomorphic Encryption
Partial Homomorphic EncryptionPartial Homomorphic Encryption
Partial Homomorphic Encryption
 
Return Address – The Silver Bullet
Return Address – The Silver BulletReturn Address – The Silver Bullet
Return Address – The Silver Bullet
 
Defeating public exploit protections (EMET v5.2 and more)
Defeating public exploit protections (EMET v5.2 and more)Defeating public exploit protections (EMET v5.2 and more)
Defeating public exploit protections (EMET v5.2 and more)
 
Hunting Ghost RAT Using Memory Forensics
Hunting Ghost RAT Using Memory ForensicsHunting Ghost RAT Using Memory Forensics
Hunting Ghost RAT Using Memory Forensics
 
Malicious Url Detection Using Machine Learning
Malicious Url Detection Using Machine LearningMalicious Url Detection Using Machine Learning
Malicious Url Detection Using Machine Learning
 
MalwareNet Project
MalwareNet ProjectMalwareNet Project
MalwareNet Project
 
Reversing and Decrypting the Communications of APT Malware (Etumbot)
Reversing and Decrypting the Communications of APT Malware (Etumbot)Reversing and Decrypting the Communications of APT Malware (Etumbot)
Reversing and Decrypting the Communications of APT Malware (Etumbot)
 
Dissecting BetaBot
Dissecting BetaBotDissecting BetaBot
Dissecting BetaBot
 
Watering Hole Attacks Case Study and Analysis_SecurityXploded_Meet_june14
Watering Hole Attacks Case Study and Analysis_SecurityXploded_Meet_june14Watering Hole Attacks Case Study and Analysis_SecurityXploded_Meet_june14
Watering Hole Attacks Case Study and Analysis_SecurityXploded_Meet_june14
 

Recently uploaded

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 

Recently uploaded (20)

MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 

Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis

  • 2. Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions of any kind. Also the views/ideas/knowledge expressed here are solely of the trainer’s only and nothing to do with the company or the organization in which the trainer is currently working. However in no circumstances neither the trainer nor SecurityXploded is responsible for any damage or loss caused due to use or misuse of the information presented here. www.SecurityXploded.com
  • 3. Acknowledgement  Special thanks to null & Garage4Hackers community for their extended support and cooperation.  Thanks to all the trainers who have devoted their precious time and countless hours to make it happen. www.SecurityXploded.com
  • 4. Reversing & Malware Analysis Training This presentation is part of our Reverse Engineering & Malware Analysis Training program. Currently it is delivered only during our local meet for FREE of cost. For complete details of this course, visit our Security Training page. www.SecurityXploded.com
  • 5. Who am I Monnappa  m0nna  Member of SecurityXploded (SX)  Info Security Investigator @ Cisco  Reverse Engineering, Malware Analysis, Memory Forensics  Email: monnappa22@gmail.com, twitter@monnappa22 www.SecurityXploded.com
  • 6. Contents  Why Malware Analysis?  Types of Malware Analysis  Static Analysis  Dynamic Analysis  Memory Analysis  Demo www.SecurityXploded.com
  • 7. Why Malware Analysis? To determine:  the nature and purpose of the malware  Interaction with the file system  Interaction with the registry  Interaction with the network  Identifiable patterns www.SecurityXploded.com
  • 8. Types of Malware Analysis?  Static Analysis - Analyzing without executing the malware  Dynamic Analysis - Analyzing by executing the malware  Memory Analysis - Analyzing the RAM for artifacts www.SecurityXploded.com
  • 9. Static Analysis Steps:  Determine the file type tools: file utility on unix and windows (need to install)  Determine the cryptographic hash tools: md5sum utility on unix and windows (part of unix utils for windows)  Strings search tools: strings utility on unix and windows , Bintext  File obfuscation (packers, cryptors and binders) detection tools: PEiD, RDG packer detector  Submission to online antivirus scanners (virustotal, jotti, cymru) tools: browser and public api of Virustotal  Determine the Imports tools: PEview, Dependency Walker  Disassembly tools: IDA Pro, Ollydbg www.SecurityXploded.com
  • 10. Dynamic Analysis Involves executing the malware in a controlled environment to determine its behavior Steps:  Determine the File system activity tools: process monitor, capturebat  Determine the Process activity tools: process explorer, process monitor, capturebat  Determine the Network activity tools: wireshark  Detemine the Registry activity tools: regmon, process monitor, capturebat www.SecurityXploded.com
  • 11. Memory Analysis Finding and extracting artifacts from computer’s RAM  Determine the process activity  Determine the network connections  Determine hidden artifacts  Detemine the Registry activity Tools: Volatility (Advanced Memory Forensic Framework) Advantages:  helps in rootkit detection  helps in unpacking www.SecurityXploded.com
  • 13.
  • 14. Step 1 – Taking the cryptographic hash The below screenshot shows the md5sum of the sample www.SecurityXploded.com
  • 15. Step 2 – Determine the packer PEiD was unable determine the packer www.SecurityXploded.com
  • 16. Step 3 – Determine the Imports Dependency Walker shows the DLLs and API used by malicious executable www.SecurityXploded.com
  • 17. Step 4 – VirusTotal Submission VirusTotal results show that this sample is a zeus bot (zbot) www.SecurityXploded.com
  • 18.
  • 19. Step 1 – Running the monitoring tools Before executing the malware, montioring tools are run to capture the activities of the malware www.SecurityXploded.com
  • 20. Step 2 – Simulate Internet Services Internet services are simulated to give fake response to malware and also to prevent malware from talking out on the internet www.SecurityXploded.com
  • 21. Step 3 – Executing the malware (edd94.exe) www.SecurityXploded.com
  • 22. Step 4 – process, registry and filesystem activity The below results show the process, registry and fileystem activity after executing the malware (edd94.exe), also explorer.exe performs lot of activity indicating code injection into explorer.exe www.SecurityXploded.com
  • 23. Step 5 – Malware drops a file (raruo.exe) The below results show the malware dropping a file raruo.exe and creating a process. www.SecurityXploded.com
  • 24. Step 6 – Explorer.exe setting value in registry The below output shows explorer.exe setting a value under run registry subkey as a persistence mechanism to survive the reboot. www.SecurityXploded.com
  • 25. Step 7 – DNS query to malicious domain Packet capture shows dns query to users9.nofeehost.com and also response shows that the “A” record for the domain is pointed to the machine 192.168.1.2, which is simulating internet services. www.SecurityXploded.com
  • 26. Step 8 – http connection to malicious domain The below output shows zeus bot trying to download configuration file from C&C and also the fake response given by the inetsim server. www.SecurityXploded.com
  • 27. Step 9– ZeuS Tracker result ZueS Tracker shows that the domain was a ZeuS C&C server www.SecurityXploded.com
  • 28.
  • 29. Step 1 – Taking the memory image Suspending the VM creates a memory image of the infected machine, the below screenshot show the memory image (infected.vmem) of the infected machine www.SecurityXploded.com
  • 30. Step 2 – Process listing from memory image Volatility’s pslist module shows the two process edd94.exe and raruo.exe www.SecurityXploded.com
  • 31. Step 3 – Network connections from memory image Volatility’s connscan module shows pid 1748 making http connection, this pid 1748 is associated with explorer.exe www.SecurityXploded.com
  • 32. Step 4 – Embedded exe and api hooks in explorer.exe The below output shows the inline api hooks and embedded executable in explorer.exe, and also the embedded executable is dumped into a directory (dump) by malfind plugin www.SecurityXploded.com
  • 33. Step 5 – Virustotal submission of dumped exe The virustotal submission confirms the dumped exe to be component of ZeuS bot www.SecurityXploded.com
  • 34. Step 6 – Printing the registry key Malware creates registry key to survive the reboot www.SecurityXploded.com
  • 35. Step 12 – Finding the malicious exe on infected machine Finding malicious sample (raruo.exe) from infected host and virustotal submission confirms ZeuS(zbot) infection www.SecurityXploded.com
  • 36.
  • 38. Disassembly Example The below screenshot shows the disassembly of http bot, making connection to the C&C www.SecurityXploded.com
  • 39. Disassembly Example (contd) The bot send the http request to the C&C www.SecurityXploded.com
  • 40. Disassembly Example (contd) The bot retireves data from C&C www.SecurityXploded.com
  • 41. Disassembly Example (contd) The below sceenshot shows some of the supported commands of this http bot www.SecurityXploded.com
  • 42. Disassembly Example (contd) Bot runs the below code if the received command is “Execute”, it creates a process and sends the process id to the C&C server www.SecurityXploded.com
  • 43. Reference  Complete Reference Guide for Reversing & Malware Analysis Training www.SecurityXploded.com