malware analysis - what to learn from your invaders
TRANSCRIPT
- 1. Malware Analysis What to learn from your invaders
- 2. Disclaimer All opinions expressed during this talk are mine and do not reflect those of my employer. I will not be held responsible for any damage you do to your system at home. I do not condone you doing this at work, especially in a production environment. Be aware this is live malware we're talking about, and if you don't take the proper precautions, it's on your dime, not mine. :) This talk is about learning about the everyday, ever-evolving threats which face anyone on the Internet. <scare tactic>
- 3. Agenda Whoami Tools Analysis Resources
- 4. Whoami Father Geek Drummer SIEM Manager by day, malware analyst by night... when I can...
- 5. Background
- 6. Tools VirtualBox Remnux Regshot FakeNet DNSChef Wireshark PEStudio Volatility
- 7. Samples Unpaid taxes. Notice #12831 phishing email LogMeIn Spear phishing link Vendor site cart purchase phishing email
- 8. Unpaid taxes. Notice #12831 phishing email
- 9. Unpaid taxes. Notice #12831 phishing email
- 10. LogMeIn spear phishing
- 11. Vendor site cart purchase phishing email
- 12. Static analysis Regshot Remnux tools (imports, pescan, pescanner, pyew.txt) PEStudio
- 13. Vendor site cart purchase phishing email
- 14. Vendor site cart purchase phishing email
- 15. Behavioral analysis How does it react? What does it do?
- 16. Lab configuration Virtualbox Windows 7 (Victim of course) Remnux 6.0 (Ubuntu 14.04) Traffic capture Wireshark Procmon
- 17. Network behavior analysis First attempt
- 18. Network behavior analysis First attempt (list of IP addresses the sample contacted)
- 19. Network behavior analysis Second attempt
- 20. Network behavior analysis Third attempt
- 21. Host analysis - Files
- 22. Host analysis - Processes
  Time of Day | Process Name | PID | Operation | Path | Detail
  9:45:03.5627178 PM | Explorer.EXE | 644 | Process Create | C:\tools\Malware\tazdrummer\Invoice_06.04.2014\Invoice_06.04.2014.pdf.scr | PID: 2684, Command line: "C:\tools\Malware\tazdrummer\Invoice_06.04.2014\Invoice_06.04.2014.pdf.scr" /S
  9:45:04.5837508 PM | Invoice_06.04.2014.pdf.scr | 2684 | Process Create | C:\Users\keith\AppData\Local\Temp\Ettevaupeqe.exe | PID: 2236, Command line: "C:\Users\keith\AppData\Local\Temp\Ettevaupeqe.exe"
  9:45:05.6715395 PM | Invoice_06.04.2014.pdf.scr | 2684 | Process Create | C:\Windows\SysWOW64\cmd.exe | PID: 2316, Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\keith\AppData\Local\Temp\CQV2090.bat"
  9:45:05.6715490 PM | cmd.exe | 2316 | Process Start | | Parent PID: 2684, Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\keith\AppData\Local\Temp\CQV2090.bat", Current directory: C:\tools\Malware\tazdrummer\Invoice_06.04.2014\,
  9:45:05.9865492 PM | Invoice_06.04.2014.pdf.scr | 2684 | Process Exit | |
  9:45:06.0210210 PM | conhost.exe | 3048 | Process Start | | Parent PID: 392, Command line: \??\C:\Windows\system32\conhost.exe "7004549161928483034-634817172-12620106904102454541647554162437855351-2089999309", Current directory: C:\Windows\system32\,
  9:45:07.1049881 PM | WinMail.exe | 2588 | Process Start | | Parent PID: 608, Command line: "C:\Program Files\Windows Mail\WinMail.exe" -Embedding
  9:45:20.7850986 PM | rundll32.exe | 1064 | Process Start | | Parent PID: 1236, Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\FirewallControlPanel.dll,ShowNotificationDialog /ETOnly 0 /OnProfiles 6 /OtherAllowed 0 /OtherBlocked 0 /OtherEdgeAllowed 0 /NewBlocked 4 "C:\users\keith\appdata\local\temp\ettevaupeqe.exe",
- 23. Wrapping up What's been learned? Network activity Host based activity Where can it be used? SIEM
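The process chain on slide 22 (a .pdf.scr opened from Explorer, dropping an .exe into the user's Temp folder and running a .bat through cmd.exe) is exactly the kind of host-based activity slide 23 says can feed a SIEM. The following is an added example, not part of the talk: it parses the Procmon "Process Create" rows as shown on the slide, rebuilds the parent/child tree, and applies three simple rules over them. The rule names, thresholds and the EVENTS sample are my own construction; the values in EVENTS are copied from the slide, not from a live capture.

```python
import re
from collections import defaultdict

# "Process Create" rows from the Procmon capture on slide 22, reduced to
# (parent image, parent PID, child image path, Detail column). Constructed
# sample: values copied from the slide, not a live capture.
EVENTS = [
    ("Explorer.EXE", 644,
     r"C:\tools\Malware\tazdrummer\Invoice_06.04.2014\Invoice_06.04.2014.pdf.scr",
     r'PID: 2684, Command line: "C:\tools\Malware\tazdrummer\Invoice_06.04.2014\Invoice_06.04.2014.pdf.scr" /S'),
    ("Invoice_06.04.2014.pdf.scr", 2684,
     r"C:\Users\keith\AppData\Local\Temp\Ettevaupeqe.exe",
     r'PID: 2236, Command line: "C:\Users\keith\AppData\Local\Temp\Ettevaupeqe.exe"'),
    ("Invoice_06.04.2014.pdf.scr", 2684,
     r"C:\Windows\SysWOW64\cmd.exe",
     r'PID: 2316, Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\keith\AppData\Local\Temp\CQV2090.bat"'),
]

# A document-looking name with an executable second extension (e.g. .pdf.scr).
DOUBLE_EXT = re.compile(r"\.(pdf|doc|docx|xls|jpg)\.(scr|exe|com|pif)$", re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# cmd.exe /c "<something>\Temp\<something>.bat"
BAT_FROM_TEMP = re.compile(r'/c\s+"[^"]*\\Temp\\[^"]*\.bat"', re.I)

def child_pid(detail):
    """Pull the new process's PID out of a Process Create Detail column."""
    m = re.search(r"PID: (\d+)", detail)
    return int(m.group(1)) if m else None

def build_tree(events):
    """Map parent PID -> list of (child PID, child image path)."""
    tree = defaultdict(list)
    for _parent, ppid, path, detail in events:
        tree[ppid].append((child_pid(detail), path))
    return dict(tree)

def findings(events):
    """Apply three host-behaviour rules matching the chain on slide 22."""
    out = []
    for parent, _ppid, path, detail in events:
        name = path.rsplit("\\", 1)[-1]
        if DOUBLE_EXT.search(name):
            out.append(f"{parent} launched double-extension file {name}")
        if DOUBLE_EXT.search(parent) and TEMP_DIR.search(path):
            out.append(f"{parent} ran {name} from the user's Temp folder")
        if name.lower() == "cmd.exe" and BAT_FROM_TEMP.search(detail):
            out.append(f"{parent} ran a .bat from Temp via cmd.exe")
    return out
```

Each rule fires once on the slide's sample; fed a Procmon CSV export instead of EVENTS, the same functions give a SIEM-ready list of parent/child pairs worth alerting on.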
- 24. Resources
  Blogs:
    Lenny Zeltser's blog - https://zeltser.com/
    Malware Analysis blog - http://www.malware-traffic-analysis.net/
    MalwareMustDie blog - http://blog.malwaremustdie.org/
    Malwageddon's blog - http://malwageddon.blogspot.com/
    MalwareDontNeedCoffee blog - http://malware.dontneedcoffee.com/
  Live samples:
    Contagio - http://contagiodump.blogspot.com/
    Malc0de database - http://malc0de.com/database/
  Tools: VirtualBox, Remnux, SysInternals, Volatility
- 25. Resources Training OpenSecurityTraining.Info - http://opensecuritytraining.info/
- 26. Questions Twitter - @Tazdrumm3r Email [email protected] Blog - https://tazdrumm3r.wordpress.com