[CB19] MalCfgParser: A Lightweight Malware Configuration Parsing Tool by Ycy Yu, Duckll Liao, Charles Li

"MalCfgParser" is a malware configuration parsing tool for incident response analysts and malware researchers.

Malware detection and analysis evasion is a cat-and-mouse game between analysts and malware authors. Attackers apply diverse landing mechanisms and obfuscation techniques to cloak their backdoors, so automated analysis is imperative for handling such rapidly changing malware. In this talk we present "MalCfgParser", which dives into memory to perform automatic, brute-force parsing that extracts the malware configuration. Malware configurations expose C&C servers, encryption keys, campaign codes, installation paths and mutex names, and so help analysts and enterprises build a more complete picture of the threat.

MalCfgParser operates standalone for manual analysis, or integrates with a sandbox or any memory forensics tool. It is designed as a flexible framework to which every malware researcher can contribute knowledge of a specific malware family, easily adding configuration settings to extend its power. We believe these scenarios and operating modes serve the needs of people fighting malware, including malware researchers and forensic or incident response teams.

Lastly, we will give a live demo of both standalone use and integration with a TeamT5 product, against several notorious APT malware or crimeware samples.
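As an added illustration of the Scan, Decode, Brute Force Parsing and Validate stages that the abstract and slide 14 describe (example code written for this page, not MalCfgParser's own code), the Python below sweeps a constructed memory image for a hypothetical XOR-obfuscated configuration layout and keeps only candidates that survive a validation step. The field layout, the field names, the key-recovery trick and the sample memory are all assumptions made for the example.

```python
import random
import re
from typing import Optional
# Constructed, hypothetical configuration layout (not PlugX's or any real
# family's format): three NUL-terminated fields of fixed width, obfuscated
# with one unknown XOR byte. A real family needs its own layout and decoder.
FIELD_WIDTH = 32
FIELDS = ("cnc1", "cnc2", "install_path")
CFG_LEN = FIELD_WIDTH * len(FIELDS)
HOST_RE = re.compile(rb"[A-Za-z0-9.\-]+:\d{1,5}")
# One 256-byte translation table per key so decoding runs at C speed.
XOR_TABLES = [bytes(b ^ k for b in range(256)) for k in range(256)]

def _field(plain: bytes, i: int) -> Optional[bytes]:
    """Field i, or None if it lacks a NUL terminator or NUL padding after it."""
    s, sep, pad = plain[i * FIELD_WIDTH:(i + 1) * FIELD_WIDTH].partition(b"\x00")
    return s if sep and not pad.strip(b"\x00") else None

def validate(plain: bytes) -> Optional[dict]:
    """Validate step: both C&C fields must look like host:port, path printable."""
    cnc1, cnc2, path = (_field(plain, i) for i in range(len(FIELDS)))
    if not (cnc1 and cnc2 and path):
        return None
    if not (HOST_RE.fullmatch(cnc1) and HOST_RE.fullmatch(cnc2)):
        return None
    if any(b < 0x20 or b > 0x7E for b in path):
        return None
    return dict(zip(FIELDS, (cnc1.decode(), cnc2.decode(), path.decode())))

def brute_force_parse(mem: bytes, all_keys: bool = False) -> list:
    """Scan every offset, decode with candidate XOR keys, keep validated configs.
    Default key candidates: the last byte of each field, which is NUL padding
    whenever the string is shorter than FIELD_WIDTH and so equals the key.
    all_keys=True falls back to the full 0..255 sweep (slower, layout-agnostic)."""
    hits = []
    for off in range(len(mem) - CFG_LEN + 1):
        window = mem[off:off + CFG_LEN]
        keys = range(256) if all_keys else {
            window[n * FIELD_WIDTH - 1] for n in range(1, len(FIELDS) + 1)}
        for key in keys:
            cfg = validate(window.translate(XOR_TABLES[key]))
            if cfg:
                hits.append({"offset": off, "key": key, **cfg})
    return hits

def build_sample_memory(key: int = 0x5A, filler: int = 300) -> bytes:
    """Constructed memory image: seeded random filler around one XORed config."""
    rng = random.Random(7)
    cfg = b"".join(f.ljust(FIELD_WIDTH, b"\x00") for f in (
        b"update.example.com:443", b"10.0.0.1:8080", b"C:\\ProgramData\\svc\\"))
    noise = lambda: bytes(rng.randrange(256) for _ in range(filler))
    return noise() + cfg.translate(XOR_TABLES[key]) + noise()
```

The padding check in `_field` is what rejects the many off-by-one windows that a bare "looks like host:port" test would accept, so each embedded configuration is reported exactly once.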

[CB19] MalCfgParser: A Lightweight Malware Configuration Parsing Tool by Ycy Yu, Duckll Liao, Charles Li

  1. MALCFGPARSER: A LIGHTWEIGHT MALWARE CONFIGURATION PARSING TOOL
  2. YCY (Cyber Threat Analyst), DUCKLL (Cyber Threat Analyst), CHARLES LI (Chief Analyst)
  3. 60+ clients in Asia Pacific; 90%+ of MSSPs in Taiwan; government agencies; telecom / ISP; leading CTI firms; accounting firms / financial sector; semiconductor / manufacturing; international trading; NGO / NPO. Partners: Taiwan 10+, Japan 2+, ASEAN 3+. "Start from APAC, Speak for APAC, Guardian of APAC."
  4. POWERED BY … SUPPORTS … AND POSSIBLY OTHER PRODUCTS…?
  5. MEMORY DUMP SCAN. Adversary: Polaris (Mustang Panda). Malware: PlugX.
  6. LIVE MEMORY SCAN. Malware: PhantomIvy.
  7. LIVE MEMORY SCAN / EVER-CHANGING MALWARE. PlugX 0x36A4 loader: 2015 from APT20, 2016 from DragonOK. Output of > strings: cPNfEPGjP<p=t XeWTjYfOOib]jYR hJ;b@K:CJiFCJaNBJX c[]ln[x d5BF Ba>;BP rIFBPmTGQIP <111 T;BB7 bhgvn pRCjHSBKRoVISKRv GetProcAddress LoadLibraryA KERNEL32.dll ;Tls.u MessageBoxA user32.dll GetModuleFileNameA GetModuleHandleA GetSystemTime Sleep lstrlenA kernel32.dll !+W RasTls.dll DoWork 2X<^<&= …
  8. LIVE MEMORY SCAN / EVER-CHANGING MALWARE. PlugX 0x36A4 loader in memory, 2017 from Slime.HLemonk. Output of > strings: CreateFileW CreateFileMappingW MapViewOfFile GetSystemTime GetModuleHandleA VirtualProtect VirtualAlloc GetModuleFileNameW lstrcpyW lstrcpyA lstrcatA GetProcAddress GetLastError f91u JhL0 VVVVVVQV 5L0 ExitProcess GetCommandLineW CreateProcessW WaitForSingleObject lstrcpyW KERNEL32.dll JP0 JP1 JAP0 JAP1
  9. ANOTHER CHALLENGE…
  10. So here is born of…
  11. WORKING WITH CUCKOO
  12. WORKING WITH THREATSONAR
  13. LIVE MEMORY SCAN / HOW DOES IT WORK? Malware configuration: { "C&C Server1": "…", "C&C Server2": "…", "Installation Path": "…" }. Components: VIRTUAL MACHINE, MALCFGPARSER, MALWARE, DUMP FILES, PID.
  14. LIVE MEMORY SCAN / INSIDE MALCFGPARSER. Structure (POWERED BY …): Parse, Scan, LOADS, Decode, Brute Force Parsing, Validate.
  15. LIVE MEMORY SCAN / WORKING WITH CUCKOO. Analyzer, PROCESS DUMP, ProcMemory, MALWARE; SUPPORTED BY …; GUEST MACHINE, HOST MACHINE, WEB SERVER.
  16. ycy@teamt5.org, duckll@teamt5.org, charles@teamt5.org
