SlideShare une entreprise Scribd logo

Reversing & malware analysis training part 9 advanced malware analysis

Abdulrahman Bassam
Abdulrahman Bassam

The document discusses a training program on reverse engineering and malware analysis. It provides an overview of static analysis, dynamic analysis and memory analysis techniques. It also includes a demonstration of analyzing a Zeus bot sample using these techniques. The demonstration shows taking the cryptographic hash, determining imports, submitting to VirusTotal, monitoring process, registry and network activity while executing in a sandbox, analyzing the memory dump with Volatility and more.

Technologie
1  sur  45
Télécharger pour lire hors ligne
www.SecurityXploded.com
Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions of any kind. Also the views/ideas/knowledge expressed here are solely of the trainer’s only and nothing to do with the company or the organization in which the trainer is currently working. However in no circumstances neither the trainer nor SecurityXploded is responsible for any damage or loss caused due to use or misuse of the information presented here. www.SecurityXploded.com
Acknowledgement  Special thanks to null & Garage4Hackers community for their extended support and cooperation.  Thanks to all the trainers who have devoted their precious time and countless hours to make it happen. www.SecurityXploded.com
Reversing & Malware Analysis Training This presentation is part of our Reverse Engineering & MalwareAnalysis Training program.Currently it is delivered only during our local meet for FREE of cost. For complete details of this course, visit our Security Training page. www.SecurityXploded.com
Who am I Monnappa  m0nna  Member of SecurityXploded (SX)  Info Security Investigator @ Cisco  Reverse Engineering, Malware Analysis, Memory Forensics  Email: monnappa22@gmail.com, twitter@monnappa22 www.SecurityXploded.com
Course Q&A  Keep yourself up to date with latest security news  http://www.securityphresh.com  For Q&A, join our mailing list.  http://groups.google.com/group/securityxploded www.SecurityXploded.com
Contents  Why Malware Analysis?  Types of Malware Analysis  StaticAnalysis  DynamicAnalysis  MemoryAnalysis  Demo www.SecurityXploded.com
Why Malware Analysis? To determine:  the nature and purpose of the malware  Interaction with the file system  Interaction with the registry  Interaction with the network  Identifiable patterns www.SecurityXploded.com
Types of Malware Analysis?  Static Analysis - Analyzing without executing the malware  Dynamic Analysis - Analyzing by executing the malware  Memory Analysis - Analyzing the RAM for artifacts www.SecurityXploded.com
www.SecurityXploded.com StaticAnalysis Steps:  Determine the file type tools: file utility on unix and windows (need to install)  Determine the cryptographic hash tools: md5sum utility on unix and windows (part of unix utils for windows)  Strings search tools: strings utility on unix and windows , Bintext  File obfuscation (packers, cryptors and binders) detection tools: PEiD, RDG packer detector  Submission to online antivirus scanners (virustotal, jotti, cymru) tools: browser and public api of Virustotal  Determine the Imports tools: PEview, Dependency Walker  Disassembly tools: IDA Pro, Ollydbg
Dynamic Analysis Involvesexecuting the malwarein a controlled environmentto determine its behavior Steps:  Determine the File system activity tools: process monitor, capturebat  Determine the Process activity tools: process explorer, process monitor, capturebat  Determine the Network activity tools: wireshark  Deteminethe Registry activity tools: regmon, process monitor, capturebat www.SecurityXploded.com
MemoryAnalysis Finding and extracting artifactsfrom computer’s RAM  Determine the process activity  Determine the network connections  Determine hidden artifacts  Detemine the Registry activity Tools: Volatility (Advanced Memory ForensicFramework) Advantages:  helps in rootkitdetection  helps in unpacking www.SecurityXploded.com
http://youtu.be/592uIELKUX8
Step 1 – Taking the cryptographic hash www.SecurityXploded.com Thebelow screenshotshows themd5sumof the sample
Step 2 – Determine the packer www.SecurityXploded.com PEiD was unable determine the packer
Step 3 – Determine the Imports www.SecurityXploded.com Dependency Walker shows the DLLs and API used by maliciousexecutable
Step 4 – VirusTotal Submission www.SecurityXploded.com VirusTotal results show that this sample is a zeus bot (zbot)
Step 1 – Running the monitoring tools www.SecurityXploded.com Before executing the malware, montioring tools are run to capture the activities of the malware
Step 2 – Simulate Internet Services www.SecurityXploded.com Internet services are simulatedto give fake response to malware and also to prevent malware from talking out on the internet
Step 3 – Executing the malware (edd94.exe) www.SecurityXploded.com
Step 4 – process, registry and filesystem activity www.SecurityXploded.com Thebelow results show theprocess, registry and fileystem activity after executingthemalware(edd94.exe), also explorer.exeperforms lot ofactivity indicatingcodeinjection into explorer.exe
Step 5 – Malware drops a file (raruo.exe) www.SecurityXploded.com The below results show the malware dropping a file raruo.exe and creating a process.
Step 6 – Explorer.exe setting value in registry www.SecurityXploded.com The below output shows explorer.exe settinga value under run registry subkey as a persistence mechanism tosurvive the reboot.
Step 7 – DNS query to malicious domain www.SecurityXploded.com Packet capture shows dns query to users9.nofeehost.com and also response shows that the “A” record for the domain is pointed to the machine 192.168.1.2, which is simulatinginternet services.
Step 8 – http connection to malicious domain www.SecurityXploded.com The below output shows zeus bot trying to download configurationfile from C&C and also the fake response given by the inetsim server.
Step 9– ZeuS Tracker result www.SecurityXploded.com ZueS Tracker shows that the domain was a ZeuS C&C server
Step 1 – Taking the memory image www.SecurityXploded.com Suspendingthe VM creates a memoryimage of the infectedmachine, the below screenshot show the memoryimage (infected.vmem) of the infected machine
Step 2 – Process listing from memory image www.SecurityXploded.com Volatility’s pslist module shows the two process edd94.exe and raruo.exe
Step 3 – Network connections from memory image www.SecurityXploded.com Volatility’s connscan module shows pid 1748 making http connection,this pid 1748 is associatedwith explorer.exe
Step 4 – Embedded exe and api hooks in explorer.exe www.SecurityXploded.com Thebelow output showstheinline apihooks andembedded executablein explorer.exe, andalso theembedded executableis dumped into a directory (dump)by malfind plugin
Step 5 – Virustotal submission of dumped exe www.SecurityXploded.com The virustotal submissionconfirms the dumped exe to be component of ZeuS bot
Step 6 – Printing the registry key www.SecurityXploded.com Malware creates registry key to survive the reboot
Step 12 – Finding the malicious exe on infected machine www.SecurityXploded.com Finding malicious sample (raruo.exe) from infected host and virustotal submission confirms ZeuS(zbot) infection
http://youtu.be/3bxzvrGf5w8
Disassembly Example www.SecurityXploded.com The below screenshot shows the disassembly of http bot, making connection to the C&C
Disassembly Example (contd) www.SecurityXploded.com The bot send the http request to the C&C
Disassembly Example (contd) www.SecurityXploded.com The bot retireves data from C&C
Disassembly Example (contd) www.SecurityXploded.com The below sceenshot shows some of the supported commands of this httpbot
Disassembly Example (contd) www.SecurityXploded.com Bot runs the below code if the received command is “Execute”, it creates a process and sends the process id to the C&C server
Reference  Complete Reference Guide for Reversing & Malware Analysis Training www.SecurityXploded.com
Thank You ! www.SecurityXploded.com

Recommandé

Advanced malware analysis training session1 detection and removal of malwares
Advanced malware analysis training session1 detection and removal of malwaresAdvanced malware analysis training session1 detection and removal of malwares
Advanced malware analysis training session1 detection and removal of malwares
Cysinfo Cyber Security Community
 
Advanced Malware Analysis Training Session 1 - Detection and Removal of Malwares
Advanced Malware Analysis Training Session 1 - Detection and Removal of MalwaresAdvanced Malware Analysis Training Session 1 - Detection and Removal of Malwares
Advanced Malware Analysis Training Session 1 - Detection and Removal of Malwares
securityxploded
 
Advanced Malware Analysis Training Session 7 - Malware Memory Forensics
Advanced Malware Analysis Training Session 7 - Malware Memory ForensicsAdvanced Malware Analysis Training Session 7 - Malware Memory Forensics
Advanced Malware Analysis Training Session 7 - Malware Memory Forensics
securityxploded
 
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 - Advanced Malware AnalysisReversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
securityxploded
 
Automating malware analysis
Automating malware analysis Automating malware analysis
Automating malware analysis
Cysinfo Cyber Security Community
 
Watering hole attacks case study analysis
Watering hole attacks case study analysisWatering hole attacks case study analysis
Watering hole attacks case study analysis
Cysinfo Cyber Security Community
 
Advanced Malware Analysis Training Session 4 - Anti-Analysis Techniques
Advanced Malware Analysis Training Session 4 - Anti-Analysis TechniquesAdvanced Malware Analysis Training Session 4 - Anti-Analysis Techniques
Advanced Malware Analysis Training Session 4 - Anti-Analysis Techniques
securityxploded
 
Reverse Engineering Malware
Reverse Engineering MalwareReverse Engineering Malware
Reverse Engineering Malware
securityxploded
 

Recommandé

Advanced malware analysis training session1 detection and removal of malwares
Advanced malware analysis training session1 detection and removal of malwaresAdvanced malware analysis training session1 detection and removal of malwares
Advanced malware analysis training session1 detection and removal of malwares
Cysinfo Cyber Security Community
 
Advanced Malware Analysis Training Session 1 - Detection and Removal of Malwares
Advanced Malware Analysis Training Session 1 - Detection and Removal of MalwaresAdvanced Malware Analysis Training Session 1 - Detection and Removal of Malwares
Advanced Malware Analysis Training Session 1 - Detection and Removal of Malwares
securityxploded
 
Advanced Malware Analysis Training Session 7 - Malware Memory Forensics
Advanced Malware Analysis Training Session 7 - Malware Memory ForensicsAdvanced Malware Analysis Training Session 7 - Malware Memory Forensics
Advanced Malware Analysis Training Session 7 - Malware Memory Forensics
securityxploded
 
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 - Advanced Malware AnalysisReversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
securityxploded
 
Automating malware analysis
Automating malware analysis Automating malware analysis
Automating malware analysis
Cysinfo Cyber Security Community
 
Watering hole attacks case study analysis
Watering hole attacks case study analysisWatering hole attacks case study analysis
Watering hole attacks case study analysis
Cysinfo Cyber Security Community
 
Advanced Malware Analysis Training Session 4 - Anti-Analysis Techniques
Advanced Malware Analysis Training Session 4 - Anti-Analysis TechniquesAdvanced Malware Analysis Training Session 4 - Anti-Analysis Techniques
Advanced Malware Analysis Training Session 4 - Anti-Analysis Techniques
securityxploded
 
Reverse Engineering Malware
Reverse Engineering MalwareReverse Engineering Malware
Reverse Engineering Malware
securityxploded
 
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2
securityxploded
 
Reversing malware analysis training part1 lab setup guide
Reversing malware analysis training part1 lab setup guideReversing malware analysis training part1 lab setup guide
Reversing malware analysis training part1 lab setup guide
Cysinfo Cyber Security Community
 
Advanced malware analysis training session10 part1
Advanced malware analysis training session10 part1Advanced malware analysis training session10 part1
Advanced malware analysis training session10 part1
Cysinfo Cyber Security Community
 
Primer on password security
Primer on password securityPrimer on password security
Primer on password security
securityxploded
 
Reversing & malware analysis training part 8 malware memory forensics
Reversing & malware analysis training part 8 malware memory forensicsReversing & malware analysis training part 8 malware memory forensics
Reversing & malware analysis training part 8 malware memory forensics
Abdulrahman Bassam
 
Reverse engineering malware
Reverse engineering malwareReverse engineering malware
Reverse engineering malware
Cysinfo Cyber Security Community
 
Advanced Malware Analysis Training - Detection and Removal of Malwares
Advanced Malware Analysis Training - Detection and Removal of MalwaresAdvanced Malware Analysis Training - Detection and Removal of Malwares
Advanced Malware Analysis Training - Detection and Removal of Malwares
n|u - The Open Security Community
 
Advanced malware analysis training session11 part2 dissecting the heart beat ...
Advanced malware analysis training session11 part2 dissecting the heart beat ...Advanced malware analysis training session11 part2 dissecting the heart beat ...
Advanced malware analysis training session11 part2 dissecting the heart beat ...
Cysinfo Cyber Security Community
 
Advanced Malware Analysis Training Session 6 - Malware Sandbox Analysis
Advanced Malware Analysis Training Session 6 - Malware Sandbox AnalysisAdvanced Malware Analysis Training Session 6 - Malware Sandbox Analysis
Advanced Malware Analysis Training Session 6 - Malware Sandbox Analysis
securityxploded
 
Basic malware analysis
Basic malware analysisBasic malware analysis
Basic malware analysis
securityxploded
 
Reversing malware analysis trainingpart9 advanced malware analysis
Reversing malware analysis trainingpart9 advanced malware analysisReversing malware analysis trainingpart9 advanced malware analysis
Reversing malware analysis trainingpart9 advanced malware analysis
Cysinfo Cyber Security Community
 
Anatomy of Exploit Kits
Anatomy of Exploit KitsAnatomy of Exploit Kits
Anatomy of Exploit Kits
securityxploded
 
Automating Malware Analysis
Automating Malware AnalysisAutomating Malware Analysis
Automating Malware Analysis
securityxploded
 
Reversing & malware analysis training part 2 introduction to windows internals
Reversing & malware analysis training part 2 introduction to windows internalsReversing & malware analysis training part 2 introduction to windows internals
Reversing & malware analysis training part 2 introduction to windows internals
securityxploded
 
Advanced malware analysis training session3 botnet analysis part2
Advanced malware analysis training session3 botnet analysis part2Advanced malware analysis training session3 botnet analysis part2
Advanced malware analysis training session3 botnet analysis part2
Cysinfo Cyber Security Community
 
Advanced Malware Analysis Training Session 5 - Reversing Automation
Advanced Malware Analysis Training Session 5 - Reversing AutomationAdvanced Malware Analysis Training Session 5 - Reversing Automation
Advanced Malware Analysis Training Session 5 - Reversing Automation
securityxploded
 
Hunting Rootkit From the Dark Corners Of Memory
Hunting Rootkit From the Dark Corners Of MemoryHunting Rootkit From the Dark Corners Of Memory
Hunting Rootkit From the Dark Corners Of Memory
securityxploded
 
Advanced malware analysis training session8 introduction to android
Advanced malware analysis training session8 introduction to androidAdvanced malware analysis training session8 introduction to android
Advanced malware analysis training session8 introduction to android
Cysinfo Cyber Security Community
 
Advanced malware analysis training session6 malware sandbox analysis
Advanced malware analysis training session6 malware sandbox analysisAdvanced malware analysis training session6 malware sandbox analysis
Advanced malware analysis training session6 malware sandbox analysis
Cysinfo Cyber Security Community
 
Advanced malware analysis training session 7 malware memory forensics
Advanced malware analysis training session 7 malware memory forensicsAdvanced malware analysis training session 7 malware memory forensics
Advanced malware analysis training session 7 malware memory forensics
Cysinfo Cyber Security Community
 
Reversing & malware analysis training part 12 rootkit analysis
Reversing & malware analysis training part 12 rootkit analysisReversing & malware analysis training part 12 rootkit analysis
Reversing & malware analysis training part 12 rootkit analysis
Abdulrahman Bassam
 
Reversing & Malware Analysis Training Part 13 - Future Roadmap
Reversing & Malware Analysis Training Part 13 - Future RoadmapReversing & Malware Analysis Training Part 13 - Future Roadmap
Reversing & Malware Analysis Training Part 13 - Future Roadmap
securityxploded
 

Contenu connexe

Tendances

Reversing & malware analysis training part 8 malware memory forensics
Reversing & malware analysis training part 8 malware memory forensicsReversing & malware analysis training part 8 malware memory forensics
Reversing & malware analysis training part 8 malware memory forensics
Abdulrahman Bassam
 

Tendances (20)

Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2
 
Reversing malware analysis training part1 lab setup guide
Reversing malware analysis training part1 lab setup guideReversing malware analysis training part1 lab setup guide
Reversing malware analysis training part1 lab setup guide
 
Advanced malware analysis training session10 part1
Advanced malware analysis training session10 part1Advanced malware analysis training session10 part1
Advanced malware analysis training session10 part1
 
Primer on password security
Primer on password securityPrimer on password security
Primer on password security
 
Reversing & malware analysis training part 8 malware memory forensics
Reversing & malware analysis training part 8 malware memory forensicsReversing & malware analysis training part 8 malware memory forensics
Reversing & malware analysis training part 8 malware memory forensics
 
Reverse engineering malware
Reverse engineering malwareReverse engineering malware
Reverse engineering malware
 
Advanced Malware Analysis Training - Detection and Removal of Malwares
Advanced Malware Analysis Training - Detection and Removal of MalwaresAdvanced Malware Analysis Training - Detection and Removal of Malwares
Advanced Malware Analysis Training - Detection and Removal of Malwares
 
Advanced malware analysis training session11 part2 dissecting the heart beat ...
Advanced malware analysis training session11 part2 dissecting the heart beat ...Advanced malware analysis training session11 part2 dissecting the heart beat ...
Advanced malware analysis training session11 part2 dissecting the heart beat ...
 
Advanced Malware Analysis Training Session 6 - Malware Sandbox Analysis
Advanced Malware Analysis Training Session 6 - Malware Sandbox AnalysisAdvanced Malware Analysis Training Session 6 - Malware Sandbox Analysis
Advanced Malware Analysis Training Session 6 - Malware Sandbox Analysis
 
Basic malware analysis
Basic malware analysisBasic malware analysis
Basic malware analysis
 
Reversing malware analysis trainingpart9 advanced malware analysis
Reversing malware analysis trainingpart9 advanced malware analysisReversing malware analysis trainingpart9 advanced malware analysis
Reversing malware analysis trainingpart9 advanced malware analysis
 
Anatomy of Exploit Kits
Anatomy of Exploit KitsAnatomy of Exploit Kits
Anatomy of Exploit Kits
 
Automating Malware Analysis
Automating Malware AnalysisAutomating Malware Analysis
Automating Malware Analysis
 
Reversing & malware analysis training part 2 introduction to windows internals
Reversing & malware analysis training part 2 introduction to windows internalsReversing & malware analysis training part 2 introduction to windows internals
Reversing & malware analysis training part 2 introduction to windows internals
 
Advanced malware analysis training session3 botnet analysis part2
Advanced malware analysis training session3 botnet analysis part2Advanced malware analysis training session3 botnet analysis part2
Advanced malware analysis training session3 botnet analysis part2
 
Advanced Malware Analysis Training Session 5 - Reversing Automation
Advanced Malware Analysis Training Session 5 - Reversing AutomationAdvanced Malware Analysis Training Session 5 - Reversing Automation
Advanced Malware Analysis Training Session 5 - Reversing Automation
 
Hunting Rootkit From the Dark Corners Of Memory
Hunting Rootkit From the Dark Corners Of MemoryHunting Rootkit From the Dark Corners Of Memory
Hunting Rootkit From the Dark Corners Of Memory
 
Advanced malware analysis training session8 introduction to android
Advanced malware analysis training session8 introduction to androidAdvanced malware analysis training session8 introduction to android
Advanced malware analysis training session8 introduction to android
 
Advanced malware analysis training session6 malware sandbox analysis
Advanced malware analysis training session6 malware sandbox analysisAdvanced malware analysis training session6 malware sandbox analysis
Advanced malware analysis training session6 malware sandbox analysis
 
Advanced malware analysis training session 7 malware memory forensics
Advanced malware analysis training session 7 malware memory forensicsAdvanced malware analysis training session 7 malware memory forensics
Advanced malware analysis training session 7 malware memory forensics
 

En vedette

Reversing & malware analysis training part 12 rootkit analysis
Reversing & malware analysis training part 12 rootkit analysisReversing & malware analysis training part 12 rootkit analysis
Reversing & malware analysis training part 12 rootkit analysis
Abdulrahman Bassam
 

En vedette (15)

Reversing & malware analysis training part 12 rootkit analysis
Reversing & malware analysis training part 12 rootkit analysisReversing & malware analysis training part 12 rootkit analysis
Reversing & malware analysis training part 12 rootkit analysis
 
Reversing & Malware Analysis Training Part 13 - Future Roadmap
Reversing & Malware Analysis Training Part 13 - Future RoadmapReversing & Malware Analysis Training Part 13 - Future Roadmap
Reversing & Malware Analysis Training Part 13 - Future Roadmap
 
Reversing & Malware Analysis Training Part 11 - Exploit Development [Advanced]
Reversing & Malware Analysis Training Part 11 - Exploit Development [Advanced]Reversing & Malware Analysis Training Part 11 - Exploit Development [Advanced]
Reversing & Malware Analysis Training Part 11 - Exploit Development [Advanced]
 
Cuckoo Sandbox: Automated malware analysis
Cuckoo Sandbox: Automated malware analysisCuckoo Sandbox: Automated malware analysis
Cuckoo Sandbox: Automated malware analysis
 
Sec day cuckoo_workshop
Sec day cuckoo_workshopSec day cuckoo_workshop
Sec day cuckoo_workshop
 
Introduction to malware analysis with Cuckoo Sandbox
Introduction to malware analysis with Cuckoo SandboxIntroduction to malware analysis with Cuckoo Sandbox
Introduction to malware analysis with Cuckoo Sandbox
 
Reversing & Malware Analysis Training Part 6 - Practical Reversing (I)
Reversing & Malware Analysis Training Part 6 - Practical Reversing (I)Reversing & Malware Analysis Training Part 6 - Practical Reversing (I)
Reversing & Malware Analysis Training Part 6 - Practical Reversing (I)
 
Reversing & malware analysis training part 3 windows pe file format basics
Reversing & malware analysis training part 3 windows pe file format basicsReversing & malware analysis training part 3 windows pe file format basics
Reversing & malware analysis training part 3 windows pe file format basics
 
Advanced Malware Analysis Training Session 11 - (Part 2) Dissecting the Heart...
Advanced Malware Analysis Training Session 11 - (Part 2) Dissecting the Heart...Advanced Malware Analysis Training Session 11 - (Part 2) Dissecting the Heart...
Advanced Malware Analysis Training Session 11 - (Part 2) Dissecting the Heart...
 
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1 Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
 
Advanced Malware Analysis Training Session 8 - Introduction to Android
Advanced Malware Analysis Training Session 8 - Introduction to AndroidAdvanced Malware Analysis Training Session 8 - Introduction to Android
Advanced Malware Analysis Training Session 8 - Introduction to Android
 
Reversing & malware analysis training part 1 lab setup guide
Reversing & malware analysis training part 1 lab setup guideReversing & malware analysis training part 1 lab setup guide
Reversing & malware analysis training part 1 lab setup guide
 
Reversing & Malware Analysis Training Part 4 - Assembly Programming Basics
Reversing & Malware Analysis Training Part 4 - Assembly Programming BasicsReversing & Malware Analysis Training Part 4 - Assembly Programming Basics
Reversing & Malware Analysis Training Part 4 - Assembly Programming Basics
 
Application Virtualization
Application VirtualizationApplication Virtualization
Application Virtualization
 
Antivirus Evasion Techniques and Countermeasures
Antivirus Evasion Techniques and CountermeasuresAntivirus Evasion Techniques and Countermeasures
Antivirus Evasion Techniques and Countermeasures
 

Similaire à Reversing & malware analysis training part 9 advanced malware analysis

Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsInvestigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Aaron ND Sawmadal
 
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsInvestigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Aaron ND Sawmadal
 
Reversing & malware analysis training part 10 exploit development basics
Reversing & malware analysis training part 10 exploit development basicsReversing & malware analysis training part 10 exploit development basics
Reversing & malware analysis training part 10 exploit development basics
Abdulrahman Bassam
 
ethical-hacking-18092013112412-ethical-hacking.ppt
ethical-hacking-18092013112412-ethical-hacking.pptethical-hacking-18092013112412-ethical-hacking.ppt
ethical-hacking-18092013112412-ethical-hacking.ppt
ricagip499
 

Similaire à Reversing & malware analysis training part 9 advanced malware analysis (18)

Basic malware analysis
Basic malware analysis Basic malware analysis
Basic malware analysis
 
Dissecting the heart beat apt rat functionalities - Part 2
Dissecting the heart beat apt rat functionalities - Part 2Dissecting the heart beat apt rat functionalities - Part 2
Dissecting the heart beat apt rat functionalities - Part 2
 
Cyber Defense Forensic Analyst - Real World Hands-on Examples
Cyber Defense Forensic Analyst - Real World Hands-on ExamplesCyber Defense Forensic Analyst - Real World Hands-on Examples
Cyber Defense Forensic Analyst - Real World Hands-on Examples
 
CHAPTER 3 BASIC DYNAMIC ANALYSIS.ppt
CHAPTER 3 BASIC DYNAMIC ANALYSIS.pptCHAPTER 3 BASIC DYNAMIC ANALYSIS.ppt
CHAPTER 3 BASIC DYNAMIC ANALYSIS.ppt
 
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsInvestigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
 
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsInvestigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
 
Reversing & malware analysis training part 10 exploit development basics
Reversing & malware analysis training part 10 exploit development basicsReversing & malware analysis training part 10 exploit development basics
Reversing & malware analysis training part 10 exploit development basics
 
SANS Digital Forensics and Incident Response Poster 2012
SANS Digital Forensics and Incident Response Poster 2012SANS Digital Forensics and Incident Response Poster 2012
SANS Digital Forensics and Incident Response Poster 2012
 
Setup Your Personal Malware Lab
Setup Your Personal Malware LabSetup Your Personal Malware Lab
Setup Your Personal Malware Lab
 
Ilomo Clampi Botnet Aug2009
Ilomo Clampi Botnet Aug2009Ilomo Clampi Botnet Aug2009
Ilomo Clampi Botnet Aug2009
 
Black Energy18 - Russian botnet package analysis
Black Energy18 - Russian botnet package analysisBlack Energy18 - Russian botnet package analysis
Black Energy18 - Russian botnet package analysis
 
Super1
Super1Super1
Super1
 
Intro2 malwareanalysisshort
Intro2 malwareanalysisshortIntro2 malwareanalysisshort
Intro2 malwareanalysisshort
 
Reversing and decrypting the communications of HeartBeat Rat - Part1
Reversing and decrypting the communications of HeartBeat Rat - Part1Reversing and decrypting the communications of HeartBeat Rat - Part1
Reversing and decrypting the communications of HeartBeat Rat - Part1
 
App locker
App lockerApp locker
App locker
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 
ethical-hacking-18092013112412-ethical-hacking.ppt
ethical-hacking-18092013112412-ethical-hacking.pptethical-hacking-18092013112412-ethical-hacking.ppt
ethical-hacking-18092013112412-ethical-hacking.ppt
 
Corporate Secret Challenge - CyberDefenders.org by Azad
Corporate Secret Challenge - CyberDefenders.org by AzadCorporate Secret Challenge - CyberDefenders.org by Azad
Corporate Secret Challenge - CyberDefenders.org by Azad
 

Plus de Abdulrahman Bassam

Reversing & malware analysis training part 11 exploit development advanced
Reversing & malware analysis training part 11 exploit development advancedReversing & malware analysis training part 11 exploit development advanced
Reversing & malware analysis training part 11 exploit development advanced
Abdulrahman Bassam
 
Reversing & malware analysis training part 7 unpacking upx
Reversing & malware analysis training part 7 unpacking upxReversing & malware analysis training part 7 unpacking upx
Reversing & malware analysis training part 7 unpacking upx
Abdulrahman Bassam
 
Reversing & malware analysis training part 6 practical reversing (i)
Reversing & malware analysis training part 6 practical reversing (i)Reversing & malware analysis training part 6 practical reversing (i)
Reversing & malware analysis training part 6 practical reversing (i)
Abdulrahman Bassam
 
Reversing & malware analysis training part 5 reverse engineering tools basics
Reversing & malware analysis training part 5 reverse engineering tools basics Reversing & malware analysis training part 5 reverse engineering tools basics
Reversing & malware analysis training part 5 reverse engineering tools basics
Abdulrahman Bassam
 
Reversing & malware analysis training part 4 assembly programming basics
Reversing & malware analysis training part 4 assembly programming basics Reversing & malware analysis training part 4 assembly programming basics
Reversing & malware analysis training part 4 assembly programming basics
Abdulrahman Bassam
 
Reversing & malware analysis training part 3 windows pe file format basics
Reversing & malware analysis training part 3 windows pe file format basicsReversing & malware analysis training part 3 windows pe file format basics
Reversing & malware analysis training part 3 windows pe file format basics
Abdulrahman Bassam
 
Reversing & malware analysis training part 2 introduction to windows internals
Reversing & malware analysis training part 2 introduction to windows internalsReversing & malware analysis training part 2 introduction to windows internals
Reversing & malware analysis training part 2 introduction to windows internals
Abdulrahman Bassam
 
Reversing & malware analysis training part 1 lab setup guide
Reversing & malware analysis training part 1 lab setup guideReversing & malware analysis training part 1 lab setup guide
Reversing & malware analysis training part 1 lab setup guide
Abdulrahman Bassam
 
The apache software foundation
The apache software foundationThe apache software foundation
The apache software foundation
Abdulrahman Bassam
 

Plus de Abdulrahman Bassam (9)

Reversing & malware analysis training part 11 exploit development advanced
Reversing & malware analysis training part 11 exploit development advancedReversing & malware analysis training part 11 exploit development advanced
Reversing & malware analysis training part 11 exploit development advanced
 
Reversing & malware analysis training part 7 unpacking upx
Reversing & malware analysis training part 7 unpacking upxReversing & malware analysis training part 7 unpacking upx
Reversing & malware analysis training part 7 unpacking upx
 
Reversing & malware analysis training part 6 practical reversing (i)
Reversing & malware analysis training part 6 practical reversing (i)Reversing & malware analysis training part 6 practical reversing (i)
Reversing & malware analysis training part 6 practical reversing (i)
 
Reversing & malware analysis training part 5 reverse engineering tools basics
Reversing & malware analysis training part 5 reverse engineering tools basics Reversing & malware analysis training part 5 reverse engineering tools basics
Reversing & malware analysis training part 5 reverse engineering tools basics
 
Reversing & malware analysis training part 4 assembly programming basics
Reversing & malware analysis training part 4 assembly programming basics Reversing & malware analysis training part 4 assembly programming basics
Reversing & malware analysis training part 4 assembly programming basics
 
Reversing & malware analysis training part 3 windows pe file format basics
Reversing & malware analysis training part 3 windows pe file format basicsReversing & malware analysis training part 3 windows pe file format basics
Reversing & malware analysis training part 3 windows pe file format basics
 
Reversing & malware analysis training part 2 introduction to windows internals
Reversing & malware analysis training part 2 introduction to windows internalsReversing & malware analysis training part 2 introduction to windows internals
Reversing & malware analysis training part 2 introduction to windows internals
 
Reversing & malware analysis training part 1 lab setup guide
Reversing & malware analysis training part 1 lab setup guideReversing & malware analysis training part 1 lab setup guide
Reversing & malware analysis training part 1 lab setup guide
 
The apache software foundation
The apache software foundationThe apache software foundation
The apache software foundation
 

Dernier

08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Delhi Call girls
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
Delhi Call girls
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Igalia
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 

Dernier (20)

How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdf
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 

Reversing & malware analysis training part 9 advanced malware analysis

  • 2. Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions of any kind. Also the views/ideas/knowledge expressed here are solely of the trainer’s only and nothing to do with the company or the organization in which the trainer is currently working. However in no circumstances neither the trainer nor SecurityXploded is responsible for any damage or loss caused due to use or misuse of the information presented here. www.SecurityXploded.com
  • 3. Acknowledgement  Special thanks to null & Garage4Hackers community for their extended support and cooperation.  Thanks to all the trainers who have devoted their precious time and countless hours to make it happen. www.SecurityXploded.com
  • 4. Reversing & Malware Analysis Training This presentation is part of our Reverse Engineering & MalwareAnalysis Training program.Currently it is delivered only during our local meet for FREE of cost. For complete details of this course, visit our Security Training page. www.SecurityXploded.com
  • 5. Who am I Monnappa  m0nna  Member of SecurityXploded (SX)  Info Security Investigator @ Cisco  Reverse Engineering, Malware Analysis, Memory Forensics  Email: monnappa22@gmail.com, twitter@monnappa22 www.SecurityXploded.com
  • 6. Course Q&A  Keep yourself up to date with latest security news  http://www.securityphresh.com  For Q&A, join our mailing list.  http://groups.google.com/group/securityxploded www.SecurityXploded.com
  • 7. Contents  Why Malware Analysis?  Types of Malware Analysis  StaticAnalysis  DynamicAnalysis  MemoryAnalysis  Demo www.SecurityXploded.com
  • 8. Why Malware Analysis? To determine:  the nature and purpose of the malware  Interaction with the file system  Interaction with the registry  Interaction with the network  Identifiable patterns www.SecurityXploded.com
  • 9. Types of Malware Analysis?  Static Analysis - Analyzing without executing the malware  Dynamic Analysis - Analyzing by executing the malware  Memory Analysis - Analyzing the RAM for artifacts www.SecurityXploded.com
  • 10. www.SecurityXploded.com StaticAnalysis Steps:  Determine the file type tools: file utility on unix and windows (need to install)  Determine the cryptographic hash tools: md5sum utility on unix and windows (part of unix utils for windows)  Strings search tools: strings utility on unix and windows , Bintext  File obfuscation (packers, cryptors and binders) detection tools: PEiD, RDG packer detector  Submission to online antivirus scanners (virustotal, jotti, cymru) tools: browser and public api of Virustotal  Determine the Imports tools: PEview, Dependency Walker  Disassembly tools: IDA Pro, Ollydbg
  • 11. Dynamic Analysis Involvesexecuting the malwarein a controlled environmentto determine its behavior Steps:  Determine the File system activity tools: process monitor, capturebat  Determine the Process activity tools: process explorer, process monitor, capturebat  Determine the Network activity tools: wireshark  Deteminethe Registry activity tools: regmon, process monitor, capturebat www.SecurityXploded.com
  • 12. MemoryAnalysis Finding and extracting artifactsfrom computer’s RAM  Determine the process activity  Determine the network connections  Determine hidden artifacts  Detemine the Registry activity Tools: Volatility (Advanced Memory ForensicFramework) Advantages:  helps in rootkitdetection  helps in unpacking www.SecurityXploded.com
  • 14.
  • 15. Step 1 – Taking the cryptographic hash www.SecurityXploded.com Thebelow screenshotshows themd5sumof the sample
  • 16. Step 2 – Determine the packer www.SecurityXploded.com PEiD was unable determine the packer
  • 17. Step 3 – Determine the Imports www.SecurityXploded.com Dependency Walker shows the DLLs and API used by maliciousexecutable
  • 18. Step 4 – VirusTotal Submission www.SecurityXploded.com VirusTotal results show that this sample is a zeus bot (zbot)
  • 19.
  • 20. Step 1 – Running the monitoring tools www.SecurityXploded.com Before executing the malware, montioring tools are run to capture the activities of the malware
  • 21. Step 2 – Simulate Internet Services www.SecurityXploded.com Internet services are simulatedto give fake response to malware and also to prevent malware from talking out on the internet
  • 22. Step 3 – Executing the malware (edd94.exe) www.SecurityXploded.com
  • 23. Step 4 – process, registry and filesystem activity www.SecurityXploded.com Thebelow results show theprocess, registry and fileystem activity after executingthemalware(edd94.exe), also explorer.exeperforms lot ofactivity indicatingcodeinjection into explorer.exe
  • 24. Step 5 – Malware drops a file (raruo.exe) www.SecurityXploded.com The below results show the malware dropping a file raruo.exe and creating a process.
  • 25. Step 6 – Explorer.exe setting value in registry www.SecurityXploded.com The below output shows explorer.exe settinga value under run registry subkey as a persistence mechanism tosurvive the reboot.
  • 26. Step 7 – DNS query to malicious domain www.SecurityXploded.com Packet capture shows dns query to users9.nofeehost.com and also response shows that the “A” record for the domain is pointed to the machine 192.168.1.2, which is simulatinginternet services.
  • 27. Step 8 – http connection to malicious domain www.SecurityXploded.com The below output shows zeus bot trying to download configurationfile from C&C and also the fake response given by the inetsim server.
  • 28. Step 9– ZeuS Tracker result www.SecurityXploded.com ZueS Tracker shows that the domain was a ZeuS C&C server
  • 29.
  • 30. Step 1 – Taking the memory image www.SecurityXploded.com Suspendingthe VM creates a memoryimage of the infectedmachine, the below screenshot show the memoryimage (infected.vmem) of the infected machine
  • 31. Step 2 – Process listing from memory image www.SecurityXploded.com Volatility’s pslist module shows the two process edd94.exe and raruo.exe
  • 32. Step 3 – Network connections from memory image www.SecurityXploded.com Volatility’s connscan module shows pid 1748 making http connection,this pid 1748 is associatedwith explorer.exe
  • 33. Step 4 – Embedded exe and api hooks in explorer.exe www.SecurityXploded.com Thebelow output showstheinline apihooks andembedded executablein explorer.exe, andalso theembedded executableis dumped into a directory (dump)by malfind plugin
  • 34. Step 5 – Virustotal submission of dumped exe www.SecurityXploded.com The virustotal submissionconfirms the dumped exe to be component of ZeuS bot
  • 35. Step 6 – Printing the registry key www.SecurityXploded.com Malware creates registry key to survive the reboot
  • 36. Step 12 – Finding the malicious exe on infected machine www.SecurityXploded.com Finding malicious sample (raruo.exe) from infected host and virustotal submission confirms ZeuS(zbot) infection
  • 37.
  • 39. Disassembly Example www.SecurityXploded.com The below screenshot shows the disassembly of http bot, making connection to the C&C
  • 40. Disassembly Example (contd) www.SecurityXploded.com The bot send the http request to the C&C
  • 42. Disassembly Example (contd) www.SecurityXploded.com The below sceenshot shows some of the supported commands of this httpbot
  • 43. Disassembly Example (contd) www.SecurityXploded.com Bot runs the below code if the received command is “Execute”, it creates a process and sends the process id to the C&C server
  • 44. Reference  Complete Reference Guide for Reversing & Malware Analysis Training www.SecurityXploded.com