44Con Malware Workshop
Transcript of 44Con Malware Workshop
SIAVOSH ZARRASVAND & INAKI RODRIGUEZ (44CON)
Malware Analysis / Reverse Engineering Workshop (44Con 2013)
Grab a copy of the files
• Thumb drives being passed around
  – Disclaimer about new malware of your own
• Wifi
  – SSID: hbn
  – PSK: ILoveTheSmellOfHackInTheMorning
  – www: http://192.168.252.5/
Agenda
1. Basic Concepts
2. Behavior Analysis
3. Memory Analysis
4. Static Analysis
What is Malware
• Any piece of software that performs malicious activities:
  – Executable
  – Documents
  – Flash
  – Java
  – …
Types of Malware
• Some examples of categories:
  – Worm
  – Trojan
  – Spyware
  – Adware
  – Ransomware
  – Rootkit
  – Keyloggers
  – Stealers
  – Virus
  – Backdoor
Windows Executable
• A PE file: an executable under the hood
• Structure:
  – Imported functions
  – Exported functions
  – Sections
  – Code
  – Data
  – Relocation information
  – Certificate
Binary Content
Interpreted Content
The BIG picture
PE Explorer
• Examines the content of a Windows executable (exe, cpl, ocx, dll, …)
• Editor, disassembler, resource editor
• Main views: General Info, Data Directories, Sections, Resource Editor, Imports, Dependencies
LAB – 1
• Use PE Explorer on installer.exe and pafish.exe
• Questions
  – Could you enumerate some notable differences?
  – Could you find something interesting in installer.exe?
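The headers PE Explorer displays (COFF header, optional header, data directories, section table) can be walked with nothing but `struct`. The script below is an added example, not code from the workshop: it parses a PE image and applies a few static tells that point at packing, which is the sort of "something interesting" Lab 1 asks about. The image it parses is constructed in memory with a UPX-style layout (an RWX `UPX0` section with no bytes on disk, entry point inside `UPX1`); it is not installer.exe or pafish.exe, and the section names and addresses are illustrative.

```python
"""Minimal PE header walker for the fields PE Explorer shows in Lab 1
(headers, data directories, sections), plus a few packer heuristics.
Standard library only. The sample image is constructed in memory and is
not installer.exe or pafish.exe from the workshop."""
import struct

DATA_DIRS = ["export", "import", "resource", "exception", "security",
             "basereloc", "debug", "architecture", "globalptr", "tls",
             "load_config", "bound_import", "iat", "delay_import",
             "com_descriptor", "reserved"]
SCN_MEM_EXECUTE, SCN_MEM_READ, SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000


def parse_pe(data):
    """Walk DOS header -> PE signature -> COFF header -> optional header -> sections."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsec, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    entry = struct.unpack_from("<I", data, opt + 16)[0]          # AddressOfEntryPoint (RVA)
    if magic == 0x10B:                                           # PE32
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
        dirs_off = opt + 92                                      # NumberOfRvaAndSizes
    elif magic == 0x20B:                                         # PE32+
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
        dirs_off = opt + 108
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    ndirs = struct.unpack_from("<I", data, dirs_off)[0]
    dirs = {}
    for i in range(min(ndirs, 16)):
        rva, size = struct.unpack_from("<II", data, dirs_off + 4 + 8 * i)
        if rva or size:
            dirs[DATA_DIRS[i]] = (rva, size)
    sections = []
    for i in range(nsec):                                        # 40-byte section headers follow the optional header
        fields = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        name, vsize, va, raw_size, raw_ptr = fields[:5]
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "vsize": vsize,
                         "va": va, "raw_size": raw_size, "raw_ptr": raw_ptr,
                         "chars": fields[9]})
    return {"machine": machine, "timestamp": timestamp, "entry": entry,
            "image_base": image_base, "dirs": dirs, "sections": sections}


def suspicious(pe):
    """Cheap static tells: packed or self-modifying layouts and missing imports."""
    findings = []
    for s in pe["sections"]:
        if s["chars"] & SCN_MEM_WRITE and s["chars"] & SCN_MEM_EXECUTE:
            findings.append("section %s is writable and executable" % s["name"])
        if s["raw_size"] == 0 and s["vsize"] and s["chars"] & SCN_MEM_EXECUTE:
            findings.append("section %s has no bytes on disk but executes (unpacked at runtime)" % s["name"])
        if s["va"] <= pe["entry"] < s["va"] + max(s["vsize"], s["raw_size"]) and s["name"] not in (".text", "CODE"):
            findings.append("entry point %#x lies in non-code section %s" % (pe["entry"], s["name"]))
    if "import" not in pe["dirs"]:
        findings.append("no import table (imports resolved by hand at runtime?)")
    return findings


def build_sample_pe():
    """Constructed PE32 with a UPX-like layout: an empty RWX UPX0 and the
    entry point inside UPX1. Illustrative only, not a real binary."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                        # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x5228F000, 0, 0, 224, 0x010F)
    opt = bytearray(224)                                         # PE32 optional header with 16 dirs
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, 0x11500)                     # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                    # ImageBase
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * 1, 0x15000, 0x100)     # import directory entry
    rwx = SCN_MEM_EXECUTE | SCN_MEM_READ | SCN_MEM_WRITE
    secs = struct.pack("<8sIIIIIIHHI", b"UPX0", 0x10000, 0x1000, 0, 0, 0, 0, 0, 0, rwx)
    secs += struct.pack("<8sIIIIIIHHI", b"UPX1", 0x5000, 0x11000, 0x4000, 0x400, 0, 0, 0, 0, rwx)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs


if __name__ == "__main__":
    pe = parse_pe(build_sample_pe())
    for s in pe["sections"]:
        print("%-8s va=%#07x vsize=%#07x raw=%#06x chars=%#010x"
              % (s["name"], s["va"], s["vsize"], s["raw_size"], s["chars"]))
    print("\n".join(suspicious(pe)))
```

Run it against a real file by replacing `build_sample_pe()` with `open(path, "rb").read()`. Compare the section list and the import directory between installer.exe and pafish.exe: a packed sample typically shows a large virtual section with zero raw size, an entry point outside `.text`, and a tiny import table, while an unpacked tool shows the opposite.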
From File to Process
• Loader
  – Read header
  – Place executable in memory
  – Create process object
Monitoring Behavior
• Diagram: a process loads DLLs and calls their exported functions (Fun1, Fun2, Fun3)
• Interaction with the operating system:
  – File activity
  – Network flows
  – Registry monitor
  – API calls
Behavior Analysis
• Execution in a controlled environment
• Not as time consuming as static analysis
• Focused on results
• VM and snapshots
• MSDN for the API call documentation
What are we looking for
• New processes
• Code injection
• Downloads
• File activity
• Persistence mechanism
• Registry changes
• C&C communication
• Network activity (LAN)
Process Monitor
• Included in the Sysinternals Suite with many other interesting tools
• Screenshot callouts: Filter, Search, Event; filter by event
Lab – 2 (File Activities)
• Open Process Monitor
• Execute installer.exe
• Filter the results
• Questions
  – Which file was created?
  – Where?
  – Why has installer.exe vanished?
LAB – 2 (Answers)
Lab – 3 (Process Activities)
• Use the previous capture
• Questions
  – How many processes were spawned?
  – Could you identify who deleted the original installer.exe file?
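Once a Procmon capture is saved as CSV (File > Save, CSV format), the Lab 2 and Lab 3 questions reduce to three filters: `CreateFile` events whose `Detail` ends in `OpenResult: Created`, `Process Create` events (the child PID is in `Detail`, the child image in `Path`), and `SetDispositionInformationFile` events with `Delete: True`, which is how Procmon records a deletion. The script below is an added example, not part of the workshop material; the events in `SAMPLE_CSV` are constructed in Procmon's export layout to show a typical drop-and-self-delete chain and are not the workshop's real capture, so the paths and process names are illustrative, not the lab answers.

```python
"""Triage helpers for a Process Monitor CSV export that answer the Lab 2 and
Lab 3 questions: which file was created and where, how many processes were
spawned, and which process deleted installer.exe.
The events below are constructed in Procmon's export column layout
(Time of Day, Process Name, PID, Operation, Path, Result, Detail); they
are not the workshop's real capture."""
import csv
import io

SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:02:11.0010000","explorer.exe","1516","Process Create","C:\Users\lab\Desktop\installer.exe","SUCCESS","PID: 2044, Command line: ""C:\Users\lab\Desktop\installer.exe"""
"10:02:11.2050000","installer.exe","2044","CreateFile","C:\Users\lab\AppData\Roaming\svchost32.exe","SUCCESS","Desired Access: Generic Write, Disposition: Create, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: None, AllocationSize: 0, OpenResult: Created"
"10:02:11.2100000","installer.exe","2044","WriteFile","C:\Users\lab\AppData\Roaming\svchost32.exe","SUCCESS","Offset: 0, Length: 65,536"
"10:02:11.2200000","installer.exe","2044","CreateFile","C:\Windows\System32\kernel32.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:02:11.4000000","installer.exe","2044","Process Create","C:\Users\lab\AppData\Roaming\svchost32.exe","SUCCESS","PID: 2112, Command line: ""C:\Users\lab\AppData\Roaming\svchost32.exe"""
"10:02:12.0000000","svchost32.exe","2112","Process Create","C:\Windows\System32\cmd.exe","SUCCESS","PID: 2140, Command line: cmd.exe /c del ""C:\Users\lab\Desktop\installer.exe"""
"10:02:12.0500000","cmd.exe","2140","SetDispositionInformationFile","C:\Users\lab\Desktop\installer.exe","SUCCESS","Delete: True"
'''


def load_events(text):
    """Parse a Procmon CSV export into dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def files_created(events):
    """CreateFile calls that really created a file (OpenResult: Created), not just opened one."""
    return [(e["Process Name"], e["Path"]) for e in events
            if e["Operation"] == "CreateFile" and "OpenResult: Created" in e["Detail"]]


def processes_spawned(events):
    """Process Create events: the parent is the row's process, the child PID is in Detail."""
    spawned = []
    for e in events:
        if e["Operation"] != "Process Create":
            continue
        child_pid = e["Detail"].split("PID: ", 1)[1].split(",", 1)[0].strip()
        spawned.append({"parent": e["Process Name"], "ppid": e["PID"],
                        "pid": child_pid, "image": e["Path"]})
    return spawned


def who_deleted(events, filename):
    """A delete shows up as SetDispositionInformationFile with 'Delete: True' on the path."""
    name = filename.lower()
    return [(e["Process Name"], e["PID"]) for e in events
            if e["Operation"] == "SetDispositionInformationFile"
            and e["Detail"].startswith("Delete: True")
            and e["Path"].lower().endswith(name)]


def ancestry(events, pid):
    """Walk Process Create events from pid back to the first parent the capture saw."""
    by_pid = {p["pid"]: p for p in processes_spawned(events)}
    chain, last = [], None
    while pid in by_pid:
        last = by_pid[pid]
        chain.append((pid, last["image"]))
        pid = last["ppid"]
    if last is not None:
        chain.append((pid, last["parent"]))   # root whose own creation was not captured
    return chain


if __name__ == "__main__":
    evs = load_events(SAMPLE_CSV)
    print("created:", files_created(evs))
    print("spawned:", [(p["parent"], "->", p["image"]) for p in processes_spawned(evs)])
    for proc, pid in who_deleted(evs, "installer.exe"):
        print("deleted by %s (%s), lineage: %s" % (proc, pid, ancestry(evs, pid)))
```

With a real export, apply Procmon's own filters first (Process Name is installer.exe, or Operation is Process Create) to keep the file small; the parsing is the same. The deletion by a child process rather than by installer.exe itself is why the "who deleted it" question needs the lineage, not just the deleting process name.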
Lab – 3 (Answers)
Regshot
• Takes registry snapshots
• Compares snapshots
Regshot Report
Lab – 4 (Registry)
• Restore the snapshot
• Execute Regshot and take a first snapshot
• Execute Process Monitor
• Execute installer.exe
• Sleep 1m
• Take a second snapshot and compare
• Questions
  – Could you identify the persistence mechanism using Regshot?
  – And with Process Monitor?
  – Could you find any new service added by the malware?
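A Regshot comparison is a set difference between two snapshots, and the persistence question is then a lookup of the added or changed values against the handful of autostart locations that matter (Run/RunOnce, Winlogon Shell/Userinit, a service's ImagePath). The code below is an added example, not from the workshop: it diffs two snapshots and classifies the result, while skipping known churn such as RecentDocs that shows up in every diff. Both snapshots are constructed dicts (value path to data) and are not the lab's real results; the value names `Updater` and `WinUpdSvc` and the paths under `AppData\Roaming` are placeholders.

```python
"""Regshot-style snapshot diff with persistence classification for Lab 4.
Each snapshot is a dict of value path -> data, which is what a Regshot
comparison reduces to. Both snapshots are constructed for illustration;
they are not the workshop's results, and the malware's key names are
placeholders."""

# Markers are matched case-insensitively against the full value path.
AUTOSTART = [
    ("\\microsoft\\windows\\currentversion\\run\\", "Run key"),
    ("\\microsoft\\windows\\currentversion\\runonce\\", "RunOnce key"),
    ("\\microsoft\\windows nt\\currentversion\\winlogon\\shell", "Winlogon Shell"),
    ("\\microsoft\\windows nt\\currentversion\\winlogon\\userinit", "Winlogon Userinit"),
    ("\\microsoft\\windows\\currentversion\\explorer\\shellexecutehooks\\", "ShellExecuteHooks"),
]
SERVICES = "\\currentcontrolset\\services\\"
# Churn that appears in every Regshot diff and never means persistence.
NOISE = ("\\explorer\\recentdocs", "\\shellnoroam\\muicache", "\\explorer\\usershellfolders")

BEFORE = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VBoxTray": r"C:\Windows\System32\VBoxTray.exe",
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell": "explorer.exe",
    r"HKLM\SYSTEM\CurrentControlSet\Services\Dhcp\ImagePath": r"%SystemRoot%\system32\svchost.exe -k NetworkService",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\MRUListEx": "00 00 00 00 FF FF FF FF",
}
AFTER = dict(BEFORE)
AFTER.update({  # constructed: what a dropper that adds a Run value and a service would leave behind
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater": r"C:\Users\lab\AppData\Roaming\svchost32.exe",
    r"HKLM\SYSTEM\CurrentControlSet\Services\WinUpdSvc\ImagePath": r"C:\Users\lab\AppData\Roaming\svchost32.exe -svc",
    r"HKLM\SYSTEM\CurrentControlSet\Services\WinUpdSvc\Start": "2",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\MRUListEx": "01 00 00 00 00 00 00 00 FF FF FF FF",
})


def diff_snapshots(before, after):
    """Values added, removed, and modified (old, new) between two snapshots."""
    added = {k: after[k] for k in after.keys() - before.keys()}
    removed = {k: before[k] for k in before.keys() - after.keys()}
    modified = {k: (before[k], after[k]) for k in before.keys() & after.keys() if before[k] != after[k]}
    return {"added": added, "removed": removed, "modified": modified}


def is_noise(path):
    low = path.lower()
    return any(n in low for n in NOISE)


def persistence(diff):
    """Map added/modified values onto the autostart locations that matter."""
    changed = dict(diff["added"])
    changed.update({k: v[1] for k, v in diff["modified"].items()})
    findings = []
    for path, data in sorted(changed.items()):
        if is_noise(path):
            continue
        low = path.lower()
        for marker, label in AUTOSTART:
            if marker in low:
                findings.append((label, path, data))
        if SERVICES in low and low.endswith("\\imagepath"):   # new or retargeted service binary
            svc = path.split("\\")[-2]
            findings.append(("Service %s ImagePath" % svc, path, data))
    return findings


if __name__ == "__main__":
    diff = diff_snapshots(BEFORE, AFTER)
    print("added %d, removed %d, modified %d" % tuple(len(diff[k]) for k in ("added", "removed", "modified")))
    for label, path, data in persistence(diff):
        print("%-28s %s = %s" % (label, path, data))
```

The Process Monitor view of the same thing is a `RegSetValue` event on one of these paths, with the writing process in the Process Name column, which is how the "And with Process Monitor?" question is answered: Regshot tells you what changed, Procmon tells you who changed it.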
Lab – 4 (Answer)
Network Activity
• Wireshark is a well known network sniffer
• Many protocol decoders
• Drawback: encrypted connections (TLS) cannot be decoded without the keys
• Toolbar: Capture Options, Start, Stop, Restart
Lab – 5 (Network Activity – Wireshark)
• Questions
  – Did the malware contact a C&C?
  – Was it successful?
  – What was the IP/domain name?
  – Could you find information about the C&C?
• DNS redirection (*)
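In an isolated lab the first thing Wireshark shows is the malware's DNS lookup for its C&C, and usually a failed one: either NXDOMAIN or no reply at all, which is the "was it successful?" question. The "(*) DNS redirection" note is the fix for that: answer the lookup yourself with the address of a lab host so the follow-on C&C traffic appears on the wire. The code below is an added example, not from the workshop: it builds and parses DNS messages and fakes both outcomes. `cc.example.test` is a placeholder domain and `192.168.56.1` an assumed sinkhole address; neither is the workshop's real C&C.

```python
"""DNS query/response parsing for the Lab 5 questions, plus a sinkhole
answer for the slide's DNS redirection note. The domain and sinkhole IP
are placeholders, not the workshop's C&C."""
import struct


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\0"


def decode_name(data, off):
    """Return (name, offset after the name); follows 0xC0xx compression pointers."""
    labels, jumped, end = [], False, None
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:
            if not jumped:
                end = off + 2              # a pointer ends the name in the original stream
            off = struct.unpack_from(">H", data, off)[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def build_query(txid, name, qtype=1):
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    return header + encode_name(name) + struct.pack(">HH", qtype, 1)


def parse_message(data):
    txid, flags, qd, an, _, _ = struct.unpack_from(">HHHHHH", data, 0)
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(data, off)
        qtype, _qclass = struct.unpack_from(">HH", data, off)
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = decode_name(data, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from(">HHIH", data, off)
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:      # A record: render as dotted quad
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "qr": bool(flags & 0x8000), "rcode": flags & 0xF,
            "questions": questions, "answers": answers}


def build_nxdomain(query):
    """What the malware sees in an isolated lab: NXDOMAIN (rcode 3), no answers."""
    txid = struct.unpack_from(">H", query, 0)[0]
    _, qend = decode_name(query, 12)
    return struct.pack(">HHHHHH", txid, 0x8183, 1, 0, 0, 0) + query[12:qend + 4]


def build_response(query, ip, ttl=60):
    """Sinkhole answer: echo the question and point the name at a lab host."""
    txid = struct.unpack_from(">H", query, 0)[0]
    _, qend = decode_name(query, 12)
    question = query[12:qend + 4]
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA, rcode 0
    rr = struct.pack(">HHHIH", 0xC00C, 1, 1, ttl, 4) + bytes(int(x) for x in ip.split("."))
    return header + question + rr


def resolution_summary(messages):
    """Pair queries with replies by name: was it asked, did it resolve, and to what."""
    summary = {}
    for m in messages:
        if not m["questions"]:
            continue
        name = m["questions"][0][0]
        entry = summary.setdefault(name, {"asked": False, "rcode": None, "ips": []})
        if not m["qr"]:
            entry["asked"] = True
        else:
            entry["rcode"] = m["rcode"]
            entry["ips"] += [a[3] for a in m["answers"] if a[1] == 1]
    return summary


if __name__ == "__main__":
    query = build_query(0x1337, "cc.example.test")
    for label, reply in (("isolated lab", build_nxdomain(query)),
                         ("sinkholed", build_response(query, "192.168.56.1"))):
        print(label, resolution_summary([parse_message(query), parse_message(reply)]))
```

Feed `parse_message` the UDP payloads Wireshark exports for port 53 and `resolution_summary` gives the per-domain answer to the lab questions. Redirecting the name to a listener you control is also what lets the later tools see the first HTTP request the malware makes to its C&C, which is otherwise never sent.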
Lab – 5 (Answers)
Sysanalyzer
• Logs some interesting APIs
• Sniffer
• Less noisy
• Less information
Lab – 7
• Run installer.exe and compare the results with those from the previous tools
API Monitor
• Logs a chosen subset of Windows APIs out of a very large catalogue
• Low-level information
• Don't try to log everything
• Toolbar: Start new process, Filters
WinApiOverride32
Lab – 8
• Log the network and file activity
• Monitor newly created processes on demand
• Questions
  – Could you find the C&C?
  – Could you find when the file is deleted?
LAB – 8 (Answers)
• Were you able to find the C&C?
• Why?
Sandbox
• Why not automation?
• Cuckoo Sandbox executes the malware inside a VM for us
• Analyzer and reporting system in one solution
• Extensible
• Must be installed on Linux
Submit Samples
• Web interface
• Command line
Cuckoo Architecture
• Host: Cuckoo.py, Processors, Signatures, Reports
• Virtual Machine: Agent.py, Analyzer.py, Cuckoomon.dll, malware
Lab – 9
• Upload a sample to the sandbox
• Meanwhile, check the report for sample a6ff0e175acc7aaa3c2a855e44b11e3b
• Questions
  – Could you identify the same indicators of compromise extracted with the previous tools?
  – Could you find the C&C?
  – And the function call?
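Cuckoo's `report.json` already contains what the manual tools produced one by one: contacted domains and hosts under `network`, files and registry keys under `behavior.summary`, and the per-process API trace under `behavior.processes[].calls`, which is where "the function call" behind each indicator lives. The script below is an added example, not part of Cuckoo or the workshop: it pulls the indicators out of a report and finds the API calls that touched a given path or URL. `SAMPLE_REPORT` is constructed in the layout of a Cuckoo 1.x report, with the same placeholder process names, C&C domain and sinkhole address as the other examples on this page; the argument names (`FileName`, `Regkey`, `URL`) are illustrative and it is not the report for the workshop sample.

```python
"""Indicator and API-call extraction from a Cuckoo report.json, as in Lab 9.
The report is constructed in the layout of a Cuckoo 1.x report; it is not
the workshop sample's report and its argument names are illustrative."""
import json

SAMPLE_REPORT = json.dumps({
    "info": {"id": 1, "category": "file"},
    "target": {"file": {"name": "installer.exe"}},
    "network": {
        "domains": [{"domain": "cc.example.test", "ip": "192.168.56.1"}],   # placeholder C&C, sinkholed
        "hosts": ["192.168.56.1"],
    },
    "behavior": {
        "summary": {
            "files": [r"C:\Users\lab\AppData\Roaming\svchost32.exe", r"C:\Users\lab\Desktop\installer.exe"],
            "keys": [r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
                     r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"],
            "mutexes": ["Global\\WinUpdSvcMutex"],
        },
        "processes": [
            {"process_id": 2044, "parent_id": 1516, "process_name": "installer.exe", "calls": [
                {"api": "CreateFileW", "category": "filesystem",
                 "arguments": [{"name": "FileName", "value": r"C:\Users\lab\AppData\Roaming\svchost32.exe"}]},
                {"api": "RegSetValueExW", "category": "registry",
                 "arguments": [{"name": "Regkey", "value": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
                               {"name": "Buffer", "value": r"C:\Users\lab\AppData\Roaming\svchost32.exe"}]},
                {"api": "CreateProcessInternalW", "category": "process",
                 "arguments": [{"name": "CommandLine", "value": r"C:\Users\lab\AppData\Roaming\svchost32.exe"}]},
            ]},
            {"process_id": 2112, "parent_id": 2044, "process_name": "svchost32.exe", "calls": [
                {"api": "InternetOpenUrlA", "category": "network",
                 "arguments": [{"name": "URL", "value": "http://cc.example.test/gate.php"}]},
                {"api": "CreateProcessInternalW", "category": "process",
                 "arguments": [{"name": "CommandLine", "value": r'cmd.exe /c del "C:\Users\lab\Desktop\installer.exe"'}]},
            ]},
            {"process_id": 2140, "parent_id": 2112, "process_name": "cmd.exe", "calls": [
                {"api": "DeleteFileW", "category": "filesystem",
                 "arguments": [{"name": "FileName", "value": r"C:\Users\lab\Desktop\installer.exe"}]},
            ]},
        ],
    },
})

# APIs worth surfacing from a trace that is otherwise thousands of calls long.
INTERESTING = {"CreateProcessInternalW", "WriteProcessMemory", "CreateRemoteThread",
               "DeleteFileW", "DeleteFileA", "MoveFileWithProgressW", "InternetOpenUrlA",
               "InternetOpenUrlW", "RegSetValueExA", "RegSetValueExW", "CreateServiceA", "CreateServiceW"}
AUTOSTART = ("\\currentversion\\run", "\\services\\")


def load_report(text):
    return json.loads(text)


def extract_iocs(report):
    """The indicators the manual tools produced one by one, from one report."""
    net = report.get("network", {})
    summary = report.get("behavior", {}).get("summary", {})
    return {"domains": sorted(d["domain"] for d in net.get("domains", [])),
            "hosts": sorted(net.get("hosts", [])),
            "files": sorted(summary.get("files", [])),
            "mutexes": sorted(summary.get("mutexes", [])),
            "persistence_keys": sorted(k for k in summary.get("keys", [])
                                       if any(m in k.lower() for m in AUTOSTART))}


def interesting_calls(report):
    out = []
    for proc in report.get("behavior", {}).get("processes", []):
        for call in proc.get("calls", []):
            if call["api"] in INTERESTING:
                args = {a["name"]: a["value"] for a in call.get("arguments", [])}
                out.append({"process": proc["process_name"], "pid": proc["process_id"],
                            "api": call["api"], "args": args})
    return out


def calls_mentioning(report, needle):
    """Which API call, in which process, handled a given path, key or URL."""
    needle = needle.lower()
    return [c for c in interesting_calls(report)
            if any(needle in str(v).lower() for v in c["args"].values())]


if __name__ == "__main__":
    report = load_report(SAMPLE_REPORT)
    print(json.dumps(extract_iocs(report), indent=2))
    for c in calls_mentioning(report, "installer.exe"):
        print("%s (%d): %s %s" % (c["process"], c["pid"], c["api"], c["args"]))
```

Against a real report, `calls_mentioning(report, "<C&C domain>")` answers the lab's last two questions together: the domain comes from `network.domains`, and the call that used it is the one whose arguments contain it.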
Lab – 9 (Answers)
Post Mortem Analysis
• Volatility can extract information from a memory dump
• Hidden processes, handles, connections, …
• Malfind (Volatility plugin that looks for injected or hidden code)
• Dump memory from Cuckoo, Winpmem, …
Dumping Memory
• From Cuckoo
• From VirtualBox
Volatility
• Offline memory analysis tool
• Search for:
  – Open handles
  – Hooked APIs
  – New DLLs
  – Hidden processes
  – Registry values
• No diff tool (anyone?)
LAB – 10
• Dump memory from a clean system
• List the processes
• Find explorer.exe and list its DLLs
• Store this information in a file and repeat the whole process with the malware running
• Question
  – Could you find anything suspicious?
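The Volatility slide notes there is no diff tool, and Lab 10 is exactly a diff: `pslist` and `dlllist` output from the clean dump against the same output with the malware running. The script below is an added example, not part of Volatility or the workshop: it parses both listings from their saved text and reports new processes and the DLLs that appeared inside explorer.exe. The four listings are constructed in the column layout Volatility 2 prints; they are not from the workshop's dumps, and `svchost32.exe` and `hook32.dll` are placeholder names.

```python
"""Baseline diff for saved Volatility pslist/dlllist text output, answering
Lab 10: new processes, and new modules inside explorer.exe. The listings
are constructed in the Volatility 2 column layout; they are not from the
workshop's dumps."""
import re

CLEAN_PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c8830 System                    4      0     54      245 ------      0
0x81f6a020 smss.exe                540      4      3       19 ------      0 2013-09-12 09:55:01 UTC+0000
0x81e9e8e0 explorer.exe           1516   1484     13      360      0      0 2013-09-12 09:55:12 UTC+0000
"""
# constructed: installer.exe ran and exited (Exit column filled), its child is still running
INFECTED_PSLIST = CLEAN_PSLIST + """\
0x81c0a5e0 installer.exe          2044   1516      0        0      0      0 2013-09-12 10:02:11 UTC+0000   2013-09-12 10:02:12 UTC+0000
0x81d2f3a0 svchost32.exe          2112   2044      5       90      0      0 2013-09-12 10:02:11 UTC+0000
"""
CLEAN_DLLLIST = r"""************************************************************************
explorer.exe pid:   1516
Command line : C:\WINDOWS\Explorer.EXE
Service Pack 3

Base             Size  LoadCount Path
------------------ ------------------ ------------------ ----
0x01000000          0x103000             0xffff C:\WINDOWS\Explorer.EXE
0x7c900000           0xb2000             0xffff C:\WINDOWS\system32\ntdll.dll
0x7c800000           0xf6000             0xffff C:\WINDOWS\system32\kernel32.dll
"""
INFECTED_DLLLIST = CLEAN_DLLLIST + r"""0x10000000           0x1c000                0x1 C:\Documents and Settings\lab\Application Data\hook32.dll
"""

PROC_HDR = re.compile(r"^(\S+) pid:\s+(\d+)")


def parse_pslist(text):
    """pid -> {name, ppid}; data rows are the ones starting with an 0x offset."""
    procs = {}
    for line in text.splitlines():
        if not line.startswith("0x"):
            continue
        parts = line.split()
        procs[int(parts[2])] = {"name": parts[1], "ppid": int(parts[3])}
    return procs


def parse_dlllist(text):
    """(process name, pid) -> set of module paths; paths may contain spaces."""
    mods, current = {}, None
    for line in text.splitlines():
        m = PROC_HDR.match(line)
        if m:
            current = (m.group(1), int(m.group(2)))
            mods[current] = set()
        elif current and line.startswith("0x"):
            mods[current].add(line.split(None, 3)[3])
    return mods


def new_processes(clean, infected):
    return {pid: infected[pid] for pid in infected.keys() - clean.keys()}


def new_modules(clean, infected, proc_name):
    """Modules present in proc_name after infection but not before; matched by
    name, because PIDs need not survive across two dumps."""
    def modules_of(listing):
        out = set()
        for (name, _pid), paths in listing.items():
            if name.lower() == proc_name.lower():
                out |= paths
        return out
    return modules_of(infected) - modules_of(clean)


if __name__ == "__main__":
    for pid, info in sorted(new_processes(parse_pslist(CLEAN_PSLIST), parse_pslist(INFECTED_PSLIST)).items()):
        print("new process %d %s (parent %d)" % (pid, info["name"], info["ppid"]))
    for path in sorted(new_modules(parse_dlllist(CLEAN_DLLLIST), parse_dlllist(INFECTED_DLLLIST), "explorer.exe")):
        print("new module in explorer.exe:", path)
```

A module loaded into explorer.exe from a user-writable directory is the "anything suspicious" the lab is after; `malfind` on the same process then shows whether the code was injected rather than loaded through the normal loader, which `dlllist` alone cannot tell you.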
LAB – 10 (Answers)
CONTACT ME
• Iñaki Rodriguez
  – @virtualminds_es
  – [email protected]