SlideShare a Scribd company logo

Black Hat 2015 Arsenal: Noriben Malware Analysis

Brian Baskin
Brian Baskin

Demonstration of Noriben for Black Hat US 2015 Arsenal

Technology
1 of 17
Your Personal, Portable, Malware Analysis Sandbox Brian Baskin @bbaskin github.com/Rurik
Origin Story Nori-Ben: Seaweed Lunch Box Simplest “box” to make Cheap Minimal ingredients
Noriben  Simple Malware Analysis Sandbox – Wrapper for Microsoft SysInternals Process Monitor (ProcMon) – Build a Sandbox VM with just: ▪ Noriben.py ▪ Procmon.exe – Optional: ▪ Extra Procmon binary filters ▪ YARA signature files ▪ VirusTotal API Key ▪ Add new filters to the script
Goals  Quick malware analysis results  Flexibility for open-ended runs (manually stopped analysis)  Allow for user interaction  Analysis of: – GUI apps – Command line args – Malware requiring debugging (Z-flags, code/mem altering) – Long sleeps (hours, days)
Focus  Processes, File Activity, Registry Activity, Network Activity  Log high level API calls while filtering out known noise – Thumbnail creation – Prefetch creation – Explorer registry keys (MRUs) – RecentDocs – Malware analysis tools (CaptureBat, IDA, FakeNet) – VMWare Tools – Java updater …
ZeroAccess Processes Created: ================== [CreateProcess] Explorer.EXE:1432 > "%UserProfile%Desktophehda.exe" [Child PID: 2520] [CreateProcess] hehda.exe:2520 > "%WinDir%system32cmd.exe" [Child PID: 3444] File Activity: ================== [CreateFile] hehda.exe:2520 > C:RECYCLERS-1-5-21-861567501-412668190-725345543-500$fab110457830839344b58457ddd1f357@ [MD5: 814c3536c2aab13763ac0beb7847a71f] [VT: Not Scanned] [CreateFile] hehda.exe:2520 > C:RECYCLERS-1-5-21-861567501-412668190-725345543-500$fab110457830839344b58457ddd1f357n [MD5: cfaddbb43ba973f8d15d7d2e50c63476] [YARA: ZeroAccess_Bin] [VT: 50/55] [DeleteFile] cmd.exe:3444 > %UserProfile%Desktophehda.exe Registry Activity: ================== [CreateKey] hehda.exe:2520 > HKCUSoftwareClassesCLSID{fbeb8a05-beee-4442-804e-409d6c4515e9}InprocServer32 [SetValue] hehda.exe:2520 > HKCUSoftwareClassesCLSID{fbeb8a05-beee-4442-804e- 409d6c4515e9}InprocServer32ThreadingModel = Both [SetValue] hehda.exe:2520 > HKCUSoftwareClassesCLSID{fbeb8a05-beee-4442-804e-409d6c4515e9}InprocServer32(Default) = C:RECYCLERS-1-5-21-861567501-412668190-725345543-500$fab110457830839344b58457ddd1f357n. Network Traffic: ================== [UDP] hehda.exe:2520 > google-public-dns-a.google.com:53 [UDP] google-public-dns-a.google.com:53 > hehda.exe:2520 [HTTP] hehda.exe:2520 > 50.22.196.70-static.reverse.softlayer.com:80 [TCP] 50.22.196.70-static.reverse.softlayer.com:80 > hehda.exe:2520 [UDP] hehda.exe:2520 > 83.133.123.20:53
Upatre Campaign Processes Created: ================== [CreateProcess] python.exe:2752 > "malwaredocument.exe" [Child PID: 3048] [CreateProcess] document.exe:3048 > "malwaredocument.exe" [Child PID: 3260] [CreateProcess] document.exe:3260 > "%Temp%nlibzar.exe" [Child PID: 3632] [CreateProcess] nlibzar.exe:3632 > "%Temp%nlibzar.exe" [Child PID: 4056] File Activity: ================== [CreateFile] document.exe:3260 > %Temp%bwtBBCB.tmp [MD5: fa32cacce112c18253a343c3fc41935a] [VT: Not Scanned] [CreateFile] document.exe:3260 > %Temp%nlibzar.exe [MD5: 03721dc899125df9dba81f6d8d8997cf] [VT: 42/57] [DeleteFile] nlibzar.exe:4056 > %UserProfile%DesktopMALWAREdocument.exe [CreateFile] nlibzar.exe:4056 > %UserProfile%Local SettingsTemporary Internet FilesContent.IE5CROVKFGZsuspendedpage[1].htm [MD5: 7acfe81f71e166364c90bfe156250da6] [VT: 0/56] [DeleteFile] nlibzar.exe:4056 > %UserProfile%Local SettingsTemporary Internet FilesContent.IE50V0T0HC5suspendedpage[1].htm Network Traffic: ================== [TCP] nlibzar.exe:4056 > 66.111.47.22:80 [TCP] 66.111.47.22:80 > nlibzar.exe:4056 [TCP] nlibzar.exe:4056 > 216.146.38.70:80 [TCP] 216.146.38.70:80 > nlibzar.exe:4056 [TCP] nlibzar.exe:4056 > 8.5.1.58:80 [TCP] 8.5.1.58:80 > nlibzar.exe:4056
FakeAV (Track Activity Per Button Clicked)
FakeAV (Track Activity Per Button Clicked) Processes Created: ================== [CreateProcess] python.exe:2376 > "C:malwareFakeAV.exe“ [Child PID: 1556] [CreateProcess] FakeAV.exe:1556 > "%WinDir%system32cmd.exe /c taskkill /f /pid 1556 & ping -n 3 127.1 & del /f /q C:malwareFakeAV.exe & start C:DOCUME~1ADMINI~1APPLIC~1DPNCXX~1.EXE -f“ [Child PID: 1164] [CreateProcess] cmd.exe:1164 > "taskkill /f /pid 1556 “ [Child PID: 1344] [CreateProcess] cmd.exe:1164 > "ping -n 3 127.1 " [Child PID: 2748] [CreateProcess] cmd.exe:1164 > "C:DOCUME~1ADMINI~1LOCALS~1APPLIC~1DPNCXX~1.EXE -f“ [Child PID: 776] File Activity: ================== [CreateFile] FakeAV.exe:1556 > %AppData%dpncxxavk.exe [MD5: 8915c6a007fb93b29709be2f428e5cae] [DeleteFile] cmd.exe:1164 > C:MalwareFakeAV.exe [CreateFile] dpncxxavk.exe:776 > %AppData%GDIPFONTCACHEV1.DAT [File no longer exists] Registry Activity: ================== [RegDeleteValue] FakeAV.exe:1556 > HKCUSoftwareMicrosoftWindowsCurrentVersionRunOnceFakeAV
Command line (e.g. HTran) Processes Created: ================== [CreateProcess] cmd.exe:3024 > "htran“ [Child PID: 3924] [CreateProcess] cmd.exe:3024 > "htran -h“ [Child PID: 3848] [CreateProcess] cmd.exe:3024 > "htran -install“ [Child PID: 3688] [CreateProcess] cmd.exe:3024 > "htran -start“ [Child PID: 4072] [CreateProcess] services.exe:720 > "C:Malwarehtran.exe -run“ [Child PID: 268] Registry Activity: ================== [RegSetValue] services.exe:720 > HKLMSystemCurrentControlSetServicesHTranType = 272 [RegSetValue] services.exe:720 > HKLMSystemCurrentControlSetServicesHTranStart = 2 [RegSetValue] services.exe:720 > HKLMSystemCurrentControlSetServicesHTranImagePath = C:Malwarehtran.exe -run [RegSetValue] services.exe:720 > HKLMSystemCurrentControlSetServicesHTranDisplayName = Proxy Service [RegSetValue] services.exe:720 > HKLMSystemCurrentControlSetServicesHTranObjectName = LocalSystem [RegSetValue] htran.exe:3688 > HKLMSystemCurrentControlSetServicesHTranDescription = HUC Socks5 Proxy Service. [RegSetValue] htran.exe:3688 > HKLMSystemCurrentControlSetServicesHTranDatastyk = 0 [RegSetValue] htran.exe:3688 > HKLMSystemCurrentControlSetServicesHTranDatasbpk = 8009 [RegSetValue] htran.exe:3688 > HKLMSystemCurrentControlSetServicesHTranDataschk = 127.0.0.1 [RegSetValue] htran.exe:3688 > HKLMSystemCurrentControlSetServicesHTranDatascpk = 80 [RegSetValue] htran.exe:3688 > HKLMSystemCurrentControlSetServicesHTranDataslpk = 8009 Track activity per PID
Monitor Through Debugger  Or modify memory during exec (e.g. inject decrypted data into memory)  Noriben will just show process as “OllyDbg.exe” or “Immunity.exe” Set BP at JNZ Toggle Z-Flag … Profit!
Noriben Output • Designed to be simple: • Show precise IOCs without much noise. • Easy to Copy/Paste into reports, signatures, alerts, code • Can be an automated sandbox, works best alongside capable analyst • And Notepad++: double-click PID to highlight all Processes Created: ================== [CreateProcess] document.exe:3048 > "malwaredocument.exe“ [Child PID: 3260] [CreateProcess] document.exe:3260 > "%Temp%nlibzar.exe“ [Child PID: 3632] File Activity: ================== [CreateFile] document.exe:3260 > %TEMP%bwtBBCB.tmp [MD5: fa32cacce112c18253a343c3fc41935a] [VT: Not Scanned] [CreateFile] document.exe:3260 > %TEMP%nlibzar.exe [MD5: 03721dc899125df9dba81f6d8d8997cf] [VT: 42/57] Network Traffic: ================== [TCP] nlibzar.exe:4056 > 66.111.47.22:80 [TCP] 66.111.47.22:80 > nlibzar.exe:4056
Options  Pre-filter content using ProcMon Configuration (PMC) filters – Reduces logs from 500 MB to < 50 MB  Import file MD5 white lists  Generalize folder paths: – “C:UsersMalwareAppDataRoaming” > %AppData% – “C:UsersMalwareAppDataLocalTemp” > %Temp%
Whitelist Filters  Simple to write!  RegEx  Just add to top of Noriben.py cmd_whitelist = [r'%SystemRoot%system32wbemwmiprvse.exe', r'%SystemRoot%system32wscntfy.exe', ... file_whitelist = [r'procmon.exe', r'Thumbs.db$', r'%SystemRoot%system32wbemLogs*', ... reg_whitelist = [r'CaptureProcessMonitor', r'HKCUSoftwareMicrosoft.*Window_Placement', r'HKCUSoftwareMicrosoftInternet ExplorerTypedURLs', r'SoftwareMicrosoftWindowsCurrentVersionExplorerFileExts.doc', r'SoftwareMicrosoftWindowsCurrentVersionExplorerRecentDocs', ...
VirusTotal  Query MD5 file hashes from VirusTotal – Requires Python-Requests library – API key in file “virustotal.api” (unless otherwise specified) – Transmits MD5 hashes ONLY (for now) – Raw results stored if debug (-d) is enabled: [*] Writing 2 VirusTotal results to Noriben_10_Jul_15__19_24_48_028000.vt.json [{"scan_id": "8e17d44a23c27f37be5eec94addd979560c0c0aec613750248c2306acacf527e- 1428647243", "sha1": "f0d23da00b382b33b343de8526eaae62df9b3049", "resource": "03721dc899125df9dba81f6d8d8997cf", "response_code": 1, "scan_date": "2015-04-10 06:27:23", "permalink": "https://www.virustotal.com/file/8e17d44a23c27f37be5eec94addd979560c0c0aec613750248c2306 acacf527e/analysis/1428647243/", "verbose_msg": "Scan finished, information embedded", "sha256": "8e17d44a23c27f37be5eec94addd979560c0c0aec613750248c2306acacf527e", "positives": 42, "total": 57, "md5": "03721dc899125df9dba81f6d8d8997cf", "scans": {"Bkav": ...
YARA  Intakes a folder of YARA signatures  Requires yara lib (from source, not pip)  Soft fails on broken rules   Scans against every created, present file
Timeline Output (CSV)  For automated sandbox analysis  For knowing the timing/order of events 3:24:51,Process,CreateProcess,python.exe,2752,malwaredocument.exe,3048 3:24:51,Process,CreateProcess,document.exe,3048,malwaredocument.exe,3260 3:24:51,File,CreateFile,document.exe,3260,%UserProfile%Local SettingsTempbwtBBCB.tmp,fa32cacce112c18253a343c3fc41935a,,[VT: Not Scanned] 3:24:51,File,CreateFile,document.exe,3260,%UserProfile%Local SettingsTempnlibzar.exe,03721dc899125df9dba81f6d8d8997cf,,[VT: 42/57] 3:24:51,Process,CreateProcess,document.exe,3260,%Temp%nlibzar.exe,3632 3:24:52,Process,CreateProcess,nlibzar.exe,3632,%Temp%nlibzar.exe,4056 3:24:52,File,DeleteFile,nlibzar.exe,4056,%UserProfile%DesktopMALWAREdocument.exe 3:24:52,File,CreateFile,nlibzar.exe,4056,%UserProfile%Cookiesindex.dat,ad8004807700f1d8d5ab6fa8c2935ef6,, [VT: Not Scanned] 3:25:07,Network,TCP Send,nlibzar.exe,4056,66.111.47.22:80 3:25:07,Network,TCP Receive,nlibzar.exe,4056 3:25:07,File,CreateFile,nlibzar.exe,4056,%UserProfile%Local SettingsTemporary Internet FilesContent.IE50V0T0HC5suspendedpage[1].htm,7acfe81f71e166364c90bfe156250da6,,[VT: 0/56] 3:25:15,Network,TCP Send,nlibzar.exe,4056,216.146.38.70:80 3:25:15,Network,TCP Receive,nlibzar.exe,4056 3:25:17,Network,TCP Send,nlibzar.exe,4056,8.5.1.58:80 3:25:17,Network,TCP Receive,nlibzar.exe,4056

Recommended

Abusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itBenjamin Delpy
 
Database Firewall with Snort
Database Firewall with SnortDatabase Firewall with Snort
Database Firewall with SnortNarudom Roongsiriwong, CISSP
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked LookJason Lang
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat HuntingGIBIN JOHN
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
 
Windows Internals: fuzzing, hijacking and weaponizing kernel objects
Windows Internals: fuzzing, hijacking and weaponizing kernel objectsWindows Internals: fuzzing, hijacking and weaponizing kernel objects
Windows Internals: fuzzing, hijacking and weaponizing kernel objectsNullbyte Security Conference
 
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static Techniques
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static TechniquesCNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static Techniques
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static TechniquesSam Bowne
 

Recommended

Abusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itBenjamin Delpy
 
Database Firewall with Snort
Database Firewall with SnortDatabase Firewall with Snort
Database Firewall with SnortNarudom Roongsiriwong, CISSP
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked LookJason Lang
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat HuntingGIBIN JOHN
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
 
Windows Internals: fuzzing, hijacking and weaponizing kernel objects
Windows Internals: fuzzing, hijacking and weaponizing kernel objectsWindows Internals: fuzzing, hijacking and weaponizing kernel objects
Windows Internals: fuzzing, hijacking and weaponizing kernel objectsNullbyte Security Conference
 
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static Techniques
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static TechniquesCNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static Techniques
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static TechniquesSam Bowne
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter HimselfTeymur Kheirkhabarov
 
Practical Malware Analysis: Ch 15: Anti-Disassembly
Practical Malware Analysis: Ch 15: Anti-DisassemblyPractical Malware Analysis: Ch 15: Anti-Disassembly
Practical Malware Analysis: Ch 15: Anti-DisassemblySam Bowne
 
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"Lane Huff
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
BloodHound Unleashed.pdf
BloodHound Unleashed.pdfBloodHound Unleashed.pdf
BloodHound Unleashed.pdfn00py1
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operationsSunny Neo
 
Next Generation War: EDR vs RED TEAM
Next Generation War: EDR vs RED TEAMNext Generation War: EDR vs RED TEAM
Next Generation War: EDR vs RED TEAMBGA Cyber Security
 
OSINT - Open Source Intelligence "Leading Intelligence and Investigation Tech...
OSINT - Open Source Intelligence "Leading Intelligence and Investigation Tech...OSINT - Open Source Intelligence "Leading Intelligence and Investigation Tech...
OSINT - Open Source Intelligence "Leading Intelligence and Investigation Tech...Falgun Rathod
 
Velocity 2015 linux perf tools
Velocity 2015 linux perf toolsVelocity 2015 linux perf tools
Velocity 2015 linux perf toolsBrendan Gregg
 
Osint
OsintOsint
OsintKamal Rathaur
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new blackChris Gates
 
Owasp Top 10 A1: Injection
Owasp Top 10 A1: InjectionOwasp Top 10 A1: Injection
Owasp Top 10 A1: InjectionMichael Hendrickx
 
Linux kernel tracing
Linux kernel tracingLinux kernel tracing
Linux kernel tracingViller Hsiao
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonBen Boyd
 
Breach and attack simulation tools
Breach and attack simulation toolsBreach and attack simulation tools
Breach and attack simulation toolsBangladesh Network Operators Group
 
Modern Kernel Pool Exploitation: Attacks and Techniques
Modern Kernel Pool Exploitation: Attacks and TechniquesModern Kernel Pool Exploitation: Attacks and Techniques
Modern Kernel Pool Exploitation: Attacks and TechniquesMichael Scovetta
 
Getting started with using the Dark Web for OSINT investigations
Getting started with using the Dark Web for OSINT investigationsGetting started with using the Dark Web for OSINT investigations
Getting started with using the Dark Web for OSINT investigationsOlakanmi Oluwole
 
Practical Malware Analysis: Ch 11: Malware Behavior
Practical Malware Analysis: Ch 11: Malware BehaviorPractical Malware Analysis: Ch 11: Malware Behavior
Practical Malware Analysis: Ch 11: Malware BehaviorSam Bowne
 
aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundDirkjanMollema
 
Casual Cyber Crime
Casual Cyber CrimeCasual Cyber Crime
Casual Cyber CrimeBrian Baskin
 
Introducing Intelligence Into Your Malware Analysis
Introducing Intelligence Into Your Malware AnalysisIntroducing Intelligence Into Your Malware Analysis
Introducing Intelligence Into Your Malware AnalysisBrian Baskin
 

More Related Content

What's hot

Practical Malware Analysis: Ch 15: Anti-Disassembly
Practical Malware Analysis: Ch 15: Anti-DisassemblyPractical Malware Analysis: Ch 15: Anti-Disassembly
Practical Malware Analysis: Ch 15: Anti-DisassemblySam Bowne
 
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"Lane Huff
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
BloodHound Unleashed.pdf
BloodHound Unleashed.pdfBloodHound Unleashed.pdf
BloodHound Unleashed.pdfn00py1
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operationsSunny Neo
 
Next Generation War: EDR vs RED TEAM
Next Generation War: EDR vs RED TEAMNext Generation War: EDR vs RED TEAM
Next Generation War: EDR vs RED TEAMBGA Cyber Security
 
OSINT - Open Source Intelligence "Leading Intelligence and Investigation Tech...
OSINT - Open Source Intelligence "Leading Intelligence and Investigation Tech...OSINT - Open Source Intelligence "Leading Intelligence and Investigation Tech...
OSINT - Open Source Intelligence "Leading Intelligence and Investigation Tech...Falgun Rathod
 
Velocity 2015 linux perf tools
Velocity 2015 linux perf toolsVelocity 2015 linux perf tools
Velocity 2015 linux perf toolsBrendan Gregg
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new blackChris Gates
 
Linux kernel tracing
Linux kernel tracingLinux kernel tracing
Linux kernel tracingViller Hsiao
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonBen Boyd
 
Modern Kernel Pool Exploitation: Attacks and Techniques
Modern Kernel Pool Exploitation: Attacks and TechniquesModern Kernel Pool Exploitation: Attacks and Techniques
Modern Kernel Pool Exploitation: Attacks and TechniquesMichael Scovetta
 
Getting started with using the Dark Web for OSINT investigations
Getting started with using the Dark Web for OSINT investigationsGetting started with using the Dark Web for OSINT investigations
Getting started with using the Dark Web for OSINT investigationsOlakanmi Oluwole
 
Practical Malware Analysis: Ch 11: Malware Behavior
Practical Malware Analysis: Ch 11: Malware BehaviorPractical Malware Analysis: Ch 11: Malware Behavior
Practical Malware Analysis: Ch 11: Malware BehaviorSam Bowne
 
aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundDirkjanMollema
 

What's hot (20)

A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
 
Practical Malware Analysis: Ch 15: Anti-Disassembly
Practical Malware Analysis: Ch 15: Anti-DisassemblyPractical Malware Analysis: Ch 15: Anti-Disassembly
Practical Malware Analysis: Ch 15: Anti-Disassembly
 
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
 
BloodHound Unleashed.pdf
BloodHound Unleashed.pdfBloodHound Unleashed.pdf
BloodHound Unleashed.pdf
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operations
 
Next Generation War: EDR vs RED TEAM
Next Generation War: EDR vs RED TEAMNext Generation War: EDR vs RED TEAM
Next Generation War: EDR vs RED TEAM
 
OSINT - Open Source Intelligence "Leading Intelligence and Investigation Tech...
OSINT - Open Source Intelligence "Leading Intelligence and Investigation Tech...OSINT - Open Source Intelligence "Leading Intelligence and Investigation Tech...
OSINT - Open Source Intelligence "Leading Intelligence and Investigation Tech...
 
Velocity 2015 linux perf tools
Velocity 2015 linux perf toolsVelocity 2015 linux perf tools
Velocity 2015 linux perf tools
 
Osint
OsintOsint
Osint
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On Lab
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new black
 
Owasp Top 10 A1: Injection
Owasp Top 10 A1: InjectionOwasp Top 10 A1: Injection
Owasp Top 10 A1: Injection
 
Linux kernel tracing
Linux kernel tracingLinux kernel tracing
Linux kernel tracing
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting season
 
Breach and attack simulation tools
Breach and attack simulation toolsBreach and attack simulation tools
Breach and attack simulation tools
 
Modern Kernel Pool Exploitation: Attacks and Techniques
Modern Kernel Pool Exploitation: Attacks and TechniquesModern Kernel Pool Exploitation: Attacks and Techniques
Modern Kernel Pool Exploitation: Attacks and Techniques
 
Getting started with using the Dark Web for OSINT investigations
Getting started with using the Dark Web for OSINT investigationsGetting started with using the Dark Web for OSINT investigations
Getting started with using the Dark Web for OSINT investigations
 
Practical Malware Analysis: Ch 11: Malware Behavior
Practical Malware Analysis: Ch 11: Malware BehaviorPractical Malware Analysis: Ch 11: Malware Behavior
Practical Malware Analysis: Ch 11: Malware Behavior
 
aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHound
 

Viewers also liked

Casual Cyber Crime
Casual Cyber CrimeCasual Cyber Crime
Casual Cyber CrimeBrian Baskin
 
Introducing Intelligence Into Your Malware Analysis
Introducing Intelligence Into Your Malware AnalysisIntroducing Intelligence Into Your Malware Analysis
Introducing Intelligence Into Your Malware AnalysisBrian Baskin
 
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis SystemScalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis SystemTamas K Lengyel
 
Java bytecode Malware Analysis
Java bytecode Malware AnalysisJava bytecode Malware Analysis
Java bytecode Malware AnalysisBrian Baskin
 
Sandbox kiev
Sandbox kievSandbox kiev
Sandbox kievuisgslide
 
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisInside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisChong-Kuan Chen
 
Information Gathering Over Twitter
Information Gathering Over TwitterInformation Gathering Over Twitter
Information Gathering Over TwitterBrian Baskin
 
Waf.js: How to Protect Web Applications using JavaScript
Waf.js: How to Protect Web Applications using JavaScriptWaf.js: How to Protect Web Applications using JavaScript
Waf.js: How to Protect Web Applications using JavaScriptDenis Kolegov
 
LCEU13: Securing your cloud with Xen's advanced security features - George Du...
LCEU13: Securing your cloud with Xen's advanced security features - George Du...LCEU13: Securing your cloud with Xen's advanced security features - George Du...
LCEU13: Securing your cloud with Xen's advanced security features - George Du...The Linux Foundation
 
LinuxCon Japan 13 : 10 years of Xen and Beyond
LinuxCon Japan 13 : 10 years of Xen and BeyondLinuxCon Japan 13 : 10 years of Xen and Beyond
LinuxCon Japan 13 : 10 years of Xen and BeyondThe Linux Foundation
 
SharePoint Saturday Ottawa - How secure is my data in office 365?
SharePoint Saturday Ottawa - How secure is my data in office 365?SharePoint Saturday Ottawa - How secure is my data in office 365?
SharePoint Saturday Ottawa - How secure is my data in office 365?AntonioMaio2
 

Viewers also liked (14)

Casual Cyber Crime
Casual Cyber CrimeCasual Cyber Crime
Casual Cyber Crime
 
Introducing Intelligence Into Your Malware Analysis
Introducing Intelligence Into Your Malware AnalysisIntroducing Intelligence Into Your Malware Analysis
Introducing Intelligence Into Your Malware Analysis
 
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis SystemScalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
 
Java bytecode Malware Analysis
Java bytecode Malware AnalysisJava bytecode Malware Analysis
Java bytecode Malware Analysis
 
Sandbox kiev
Sandbox kievSandbox kiev
Sandbox kiev
 
P2P Forensics
P2P ForensicsP2P Forensics
P2P Forensics
 
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisInside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
 
Teach your kids to code
Teach your kids to codeTeach your kids to code
Teach your kids to code
 
Information Gathering Over Twitter
Information Gathering Over TwitterInformation Gathering Over Twitter
Information Gathering Over Twitter
 
Waf.js: How to Protect Web Applications using JavaScript
Waf.js: How to Protect Web Applications using JavaScriptWaf.js: How to Protect Web Applications using JavaScript
Waf.js: How to Protect Web Applications using JavaScript
 
Agile scrum roles
Agile scrum rolesAgile scrum roles
Agile scrum roles
 
LCEU13: Securing your cloud with Xen's advanced security features - George Du...
LCEU13: Securing your cloud with Xen's advanced security features - George Du...LCEU13: Securing your cloud with Xen's advanced security features - George Du...
LCEU13: Securing your cloud with Xen's advanced security features - George Du...
 
LinuxCon Japan 13 : 10 years of Xen and Beyond
LinuxCon Japan 13 : 10 years of Xen and BeyondLinuxCon Japan 13 : 10 years of Xen and Beyond
LinuxCon Japan 13 : 10 years of Xen and Beyond
 
SharePoint Saturday Ottawa - How secure is my data in office 365?
SharePoint Saturday Ottawa - How secure is my data in office 365?SharePoint Saturday Ottawa - How secure is my data in office 365?
SharePoint Saturday Ottawa - How secure is my data in office 365?
 

Similar to Black Hat 2015 Arsenal: Noriben Malware Analysis

Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...grecsl
 
Black Energy18 - Russian botnet package analysis
Black Energy18 - Russian botnet package analysisBlack Energy18 - Russian botnet package analysis
Black Energy18 - Russian botnet package analysisRoberto Suggi Liverani
 
Forensics perspective ERFA-møde marts 2017
Forensics perspective ERFA-møde marts 2017 Forensics perspective ERFA-møde marts 2017
Forensics perspective ERFA-møde marts 2017J Hartig
 
PyCon AU 2012 - Debugging Live Python Web Applications
PyCon AU 2012 - Debugging Live Python Web ApplicationsPyCon AU 2012 - Debugging Live Python Web Applications
PyCon AU 2012 - Debugging Live Python Web ApplicationsGraham Dumpleton
 
Malware Analysis For The Enterprise
Malware Analysis For The EnterpriseMalware Analysis For The Enterprise
Malware Analysis For The EnterpriseJason Ross
 
Machine Learning and Logging for Monitoring Microservices
Machine Learning and Logging for Monitoring Microservices Machine Learning and Logging for Monitoring Microservices
Machine Learning and Logging for Monitoring Microservices Daniel Berman
 
CHAPTER 3 BASIC DYNAMIC ANALYSIS.ppt
CHAPTER 3 BASIC DYNAMIC ANALYSIS.pptCHAPTER 3 BASIC DYNAMIC ANALYSIS.ppt
CHAPTER 3 BASIC DYNAMIC ANALYSIS.pptManjuAppukuttan2
 
Infosecurity Europe 2019 - Phishing & OOB Exfiltration Through Purple Tinted ...
Infosecurity Europe 2019 - Phishing & OOB Exfiltration Through Purple Tinted ...Infosecurity Europe 2019 - Phishing & OOB Exfiltration Through Purple Tinted ...
Infosecurity Europe 2019 - Phishing & OOB Exfiltration Through Purple Tinted ...in.security Ltd.
 
Configuration Auditing
Configuration AuditingConfiguration Auditing
Configuration AuditingAlbert Campa
 
Anomalies Detection: Windows OS - Part 1
Anomalies Detection: Windows OS - Part 1Anomalies Detection: Windows OS - Part 1
Anomalies Detection: Windows OS - Part 1Rhydham Joshi
 
Anomalies Detection: Windows OS - Part 1
Anomalies Detection: Windows OS - Part 1Anomalies Detection: Windows OS - Part 1
Anomalies Detection: Windows OS - Part 1Rhydham Joshi
 
Год в Github bugbounty, опыт участия
Год в Github bugbounty, опыт участияГод в Github bugbounty, опыт участия
Год в Github bugbounty, опыт участияdefcon_kz
 
Secure Software: Action, Comedy or Drama? (2017 edition)
Secure Software: Action, Comedy or Drama? (2017 edition)Secure Software: Action, Comedy or Drama? (2017 edition)
Secure Software: Action, Comedy or Drama? (2017 edition)Peter Sabev
 
Windows Attacks AT is the new black
Windows Attacks AT is the new blackWindows Attacks AT is the new black
Windows Attacks AT is the new blackRob Fuller
 

Similar to Black Hat 2015 Arsenal: Noriben Malware Analysis (20)

Spug pt session2 - debuggingl
Spug pt session2 - debugginglSpug pt session2 - debuggingl
Spug pt session2 - debuggingl
 
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
 
Black Energy18 - Russian botnet package analysis
Black Energy18 - Russian botnet package analysisBlack Energy18 - Russian botnet package analysis
Black Energy18 - Russian botnet package analysis
 
Forensics perspective ERFA-møde marts 2017
Forensics perspective ERFA-møde marts 2017 Forensics perspective ERFA-møde marts 2017
Forensics perspective ERFA-møde marts 2017
 
Basic malware analysis
Basic malware analysisBasic malware analysis
Basic malware analysis
 
Basic malware analysis
Basic malware analysis Basic malware analysis
Basic malware analysis
 
Zabbixconf2016(2)
Zabbixconf2016(2)Zabbixconf2016(2)
Zabbixconf2016(2)
 
PyCon AU 2012 - Debugging Live Python Web Applications
PyCon AU 2012 - Debugging Live Python Web ApplicationsPyCon AU 2012 - Debugging Live Python Web Applications
PyCon AU 2012 - Debugging Live Python Web Applications
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
 
Malware Analysis For The Enterprise
Malware Analysis For The EnterpriseMalware Analysis For The Enterprise
Malware Analysis For The Enterprise
 
Machine Learning and Logging for Monitoring Microservices
Machine Learning and Logging for Monitoring Microservices Machine Learning and Logging for Monitoring Microservices
Machine Learning and Logging for Monitoring Microservices
 
CHAPTER 3 BASIC DYNAMIC ANALYSIS.ppt
CHAPTER 3 BASIC DYNAMIC ANALYSIS.pptCHAPTER 3 BASIC DYNAMIC ANALYSIS.ppt
CHAPTER 3 BASIC DYNAMIC ANALYSIS.ppt
 
Infosecurity Europe 2019 - Phishing & OOB Exfiltration Through Purple Tinted ...
Infosecurity Europe 2019 - Phishing & OOB Exfiltration Through Purple Tinted ...Infosecurity Europe 2019 - Phishing & OOB Exfiltration Through Purple Tinted ...
Infosecurity Europe 2019 - Phishing & OOB Exfiltration Through Purple Tinted ...
 
Configuration Auditing
Configuration AuditingConfiguration Auditing
Configuration Auditing
 
Anomalies Detection: Windows OS - Part 1
Anomalies Detection: Windows OS - Part 1Anomalies Detection: Windows OS - Part 1
Anomalies Detection: Windows OS - Part 1
 
Anomalies Detection: Windows OS - Part 1
Anomalies Detection: Windows OS - Part 1Anomalies Detection: Windows OS - Part 1
Anomalies Detection: Windows OS - Part 1
 
Год в Github bugbounty, опыт участия
Год в Github bugbounty, опыт участияГод в Github bugbounty, опыт участия
Год в Github bugbounty, опыт участия
 
Secure Software: Action, Comedy or Drama? (2017 edition)
Secure Software: Action, Comedy or Drama? (2017 edition)Secure Software: Action, Comedy or Drama? (2017 edition)
Secure Software: Action, Comedy or Drama? (2017 edition)
 
Windows Attacks AT is the new black
Windows Attacks AT is the new blackWindows Attacks AT is the new black
Windows Attacks AT is the new black
 
Romulus OWASP
Romulus OWASPRomulus OWASP
Romulus OWASP
 

Recently uploaded

TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 

Recently uploaded (20)

TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 

Black Hat 2015 Arsenal: Noriben Malware Analysis

  • 1. Your Personal, Portable, Malware Analysis Sandbox Brian Baskin @bbaskin github.com/Rurik
  • 2. Origin Story Nori-Ben: Seaweed Lunch Box Simplest “box” to make Cheap Minimal ingredients
  • 3. Noriben  Simple Malware Analysis Sandbox – Wrapper for Microsoft SysInternals Process Monitor (ProcMon) – Build a Sandbox VM with just: ▪ Noriben.py ▪ Procmon.exe – Optional: ▪ Extra Procmon binary filters ▪ YARA signature files ▪ VirusTotal API Key ▪ Add new filters to the script
  • 4. Goals  Quick malware analysis results  Flexibility for open-ended runs (manually stopped analysis)  Allow for user interaction  Analysis of: – GUI apps – Command line args – Malware requiring debugging (Z-flags, code/mem altering) – Long sleeps (hours, days)
  • 5. Focus  Processes, File Activity, Registry Activity, Network Activity  Log high level API calls while filtering out known noise – Thumbnail creation – Prefetch creation – Explorer registry keys (MRUs) – RecentDocs – Malware analysis tools (CaptureBat, IDA, FakeNet) – VMWare Tools – Java updater …
  • 6. ZeroAccess Processes Created: ================== [CreateProcess] Explorer.EXE:1432 > "%UserProfile%Desktophehda.exe" [Child PID: 2520] [CreateProcess] hehda.exe:2520 > "%WinDir%system32cmd.exe" [Child PID: 3444] File Activity: ================== [CreateFile] hehda.exe:2520 > C:RECYCLERS-1-5-21-861567501-412668190-725345543-500$fab110457830839344b58457ddd1f357@ [MD5: 814c3536c2aab13763ac0beb7847a71f] [VT: Not Scanned] [CreateFile] hehda.exe:2520 > C:RECYCLERS-1-5-21-861567501-412668190-725345543-500$fab110457830839344b58457ddd1f357n [MD5: cfaddbb43ba973f8d15d7d2e50c63476] [YARA: ZeroAccess_Bin] [VT: 50/55] [DeleteFile] cmd.exe:3444 > %UserProfile%Desktophehda.exe Registry Activity: ================== [CreateKey] hehda.exe:2520 > HKCUSoftwareClassesCLSID{fbeb8a05-beee-4442-804e-409d6c4515e9}InprocServer32 [SetValue] hehda.exe:2520 > HKCUSoftwareClassesCLSID{fbeb8a05-beee-4442-804e- 409d6c4515e9}InprocServer32ThreadingModel = Both [SetValue] hehda.exe:2520 > HKCUSoftwareClassesCLSID{fbeb8a05-beee-4442-804e-409d6c4515e9}InprocServer32(Default) = C:RECYCLERS-1-5-21-861567501-412668190-725345543-500$fab110457830839344b58457ddd1f357n. Network Traffic: ================== [UDP] hehda.exe:2520 > google-public-dns-a.google.com:53 [UDP] google-public-dns-a.google.com:53 > hehda.exe:2520 [HTTP] hehda.exe:2520 > 50.22.196.70-static.reverse.softlayer.com:80 [TCP] 50.22.196.70-static.reverse.softlayer.com:80 > hehda.exe:2520 [UDP] hehda.exe:2520 > 83.133.123.20:53
  • 7. Upatre Campaign Processes Created: ================== [CreateProcess] python.exe:2752 > "malwaredocument.exe" [Child PID: 3048] [CreateProcess] document.exe:3048 > "malwaredocument.exe" [Child PID: 3260] [CreateProcess] document.exe:3260 > "%Temp%nlibzar.exe" [Child PID: 3632] [CreateProcess] nlibzar.exe:3632 > "%Temp%nlibzar.exe" [Child PID: 4056] File Activity: ================== [CreateFile] document.exe:3260 > %Temp%bwtBBCB.tmp [MD5: fa32cacce112c18253a343c3fc41935a] [VT: Not Scanned] [CreateFile] document.exe:3260 > %Temp%nlibzar.exe [MD5: 03721dc899125df9dba81f6d8d8997cf] [VT: 42/57] [DeleteFile] nlibzar.exe:4056 > %UserProfile%DesktopMALWAREdocument.exe [CreateFile] nlibzar.exe:4056 > %UserProfile%Local SettingsTemporary Internet FilesContent.IE5CROVKFGZsuspendedpage[1].htm [MD5: 7acfe81f71e166364c90bfe156250da6] [VT: 0/56] [DeleteFile] nlibzar.exe:4056 > %UserProfile%Local SettingsTemporary Internet FilesContent.IE50V0T0HC5suspendedpage[1].htm Network Traffic: ================== [TCP] nlibzar.exe:4056 > 66.111.47.22:80 [TCP] 66.111.47.22:80 > nlibzar.exe:4056 [TCP] nlibzar.exe:4056 > 216.146.38.70:80 [TCP] 216.146.38.70:80 > nlibzar.exe:4056 [TCP] nlibzar.exe:4056 > 8.5.1.58:80 [TCP] 8.5.1.58:80 > nlibzar.exe:4056
  • 8. FakeAV (Track Activity Per Button Clicked)
  • 9. FakeAV (Track Activity Per Button Clicked) Processes Created: ================== [CreateProcess] python.exe:2376 > "C:malwareFakeAV.exe“ [Child PID: 1556] [CreateProcess] FakeAV.exe:1556 > "%WinDir%system32cmd.exe /c taskkill /f /pid 1556 & ping -n 3 127.1 & del /f /q C:malwareFakeAV.exe & start C:DOCUME~1ADMINI~1APPLIC~1DPNCXX~1.EXE -f“ [Child PID: 1164] [CreateProcess] cmd.exe:1164 > "taskkill /f /pid 1556 “ [Child PID: 1344] [CreateProcess] cmd.exe:1164 > "ping -n 3 127.1 " [Child PID: 2748] [CreateProcess] cmd.exe:1164 > "C:DOCUME~1ADMINI~1LOCALS~1APPLIC~1DPNCXX~1.EXE -f“ [Child PID: 776] File Activity: ================== [CreateFile] FakeAV.exe:1556 > %AppData%dpncxxavk.exe [MD5: 8915c6a007fb93b29709be2f428e5cae] [DeleteFile] cmd.exe:1164 > C:MalwareFakeAV.exe [CreateFile] dpncxxavk.exe:776 > %AppData%GDIPFONTCACHEV1.DAT [File no longer exists] Registry Activity: ================== [RegDeleteValue] FakeAV.exe:1556 > HKCUSoftwareMicrosoftWindowsCurrentVersionRunOnceFakeAV
  • 10. Command line (e.g. HTran) Processes Created: ================== [CreateProcess] cmd.exe:3024 > "htran“ [Child PID: 3924] [CreateProcess] cmd.exe:3024 > "htran -h“ [Child PID: 3848] [CreateProcess] cmd.exe:3024 > "htran -install“ [Child PID: 3688] [CreateProcess] cmd.exe:3024 > "htran -start“ [Child PID: 4072] [CreateProcess] services.exe:720 > "C:Malwarehtran.exe -run“ [Child PID: 268] Registry Activity: ================== [RegSetValue] services.exe:720 > HKLMSystemCurrentControlSetServicesHTranType = 272 [RegSetValue] services.exe:720 > HKLMSystemCurrentControlSetServicesHTranStart = 2 [RegSetValue] services.exe:720 > HKLMSystemCurrentControlSetServicesHTranImagePath = C:Malwarehtran.exe -run [RegSetValue] services.exe:720 > HKLMSystemCurrentControlSetServicesHTranDisplayName = Proxy Service [RegSetValue] services.exe:720 > HKLMSystemCurrentControlSetServicesHTranObjectName = LocalSystem [RegSetValue] htran.exe:3688 > HKLMSystemCurrentControlSetServicesHTranDescription = HUC Socks5 Proxy Service. [RegSetValue] htran.exe:3688 > HKLMSystemCurrentControlSetServicesHTranDatastyk = 0 [RegSetValue] htran.exe:3688 > HKLMSystemCurrentControlSetServicesHTranDatasbpk = 8009 [RegSetValue] htran.exe:3688 > HKLMSystemCurrentControlSetServicesHTranDataschk = 127.0.0.1 [RegSetValue] htran.exe:3688 > HKLMSystemCurrentControlSetServicesHTranDatascpk = 80 [RegSetValue] htran.exe:3688 > HKLMSystemCurrentControlSetServicesHTranDataslpk = 8009 Track activity per PID
  • 11. Monitor Through Debugger  Or modify memory during exec (e.g. inject decrypted data into memory)  Noriben will just show process as “OllyDbg.exe” or “Immunity.exe” Set BP at JNZ Toggle Z-Flag … Profit!
  • 12. Noriben Output • Designed to be simple: • Show precise IOCs without much noise. • Easy to Copy/Paste into reports, signatures, alerts, code • Can be an automated sandbox, works best alongside capable analyst • And Notepad++: double-click PID to highlight all Processes Created: ================== [CreateProcess] document.exe:3048 > "malwaredocument.exe“ [Child PID: 3260] [CreateProcess] document.exe:3260 > "%Temp%nlibzar.exe“ [Child PID: 3632] File Activity: ================== [CreateFile] document.exe:3260 > %TEMP%bwtBBCB.tmp [MD5: fa32cacce112c18253a343c3fc41935a] [VT: Not Scanned] [CreateFile] document.exe:3260 > %TEMP%nlibzar.exe [MD5: 03721dc899125df9dba81f6d8d8997cf] [VT: 42/57] Network Traffic: ================== [TCP] nlibzar.exe:4056 > 66.111.47.22:80 [TCP] 66.111.47.22:80 > nlibzar.exe:4056
  • 13. Options  Pre-filter content using ProcMon Configuration (PMC) filters – Reduces logs from 500 MB to < 50 MB  Import file MD5 white lists  Generalize folder paths: – “C:UsersMalwareAppDataRoaming” > %AppData% – “C:UsersMalwareAppDataLocalTemp” > %Temp%
  • 14. Whitelist Filters  Simple to write!  RegEx  Just add to top of Noriben.py cmd_whitelist = [r'%SystemRoot%system32wbemwmiprvse.exe', r'%SystemRoot%system32wscntfy.exe', ... file_whitelist = [r'procmon.exe', r'Thumbs.db$', r'%SystemRoot%system32wbemLogs*', ... reg_whitelist = [r'CaptureProcessMonitor', r'HKCUSoftwareMicrosoft.*Window_Placement', r'HKCUSoftwareMicrosoftInternet ExplorerTypedURLs', r'SoftwareMicrosoftWindowsCurrentVersionExplorerFileExts.doc', r'SoftwareMicrosoftWindowsCurrentVersionExplorerRecentDocs', ...
  • 15. VirusTotal  Query MD5 file hashes from VirusTotal – Requires Python-Requests library – API key in file “virustotal.api” (unless otherwise specified) – Transmits MD5 hashes ONLY (for now) – Raw results stored if debug (-d) is enabled: [*] Writing 2 VirusTotal results to Noriben_10_Jul_15__19_24_48_028000.vt.json [{"scan_id": "8e17d44a23c27f37be5eec94addd979560c0c0aec613750248c2306acacf527e- 1428647243", "sha1": "f0d23da00b382b33b343de8526eaae62df9b3049", "resource": "03721dc899125df9dba81f6d8d8997cf", "response_code": 1, "scan_date": "2015-04-10 06:27:23", "permalink": "https://www.virustotal.com/file/8e17d44a23c27f37be5eec94addd979560c0c0aec613750248c2306 acacf527e/analysis/1428647243/", "verbose_msg": "Scan finished, information embedded", "sha256": "8e17d44a23c27f37be5eec94addd979560c0c0aec613750248c2306acacf527e", "positives": 42, "total": 57, "md5": "03721dc899125df9dba81f6d8d8997cf", "scans": {"Bkav": ...
  • 16. YARA  Intakes a folder of YARA signatures  Requires yara lib (from source, not pip)  Soft fails on broken rules   Scans against every created, present file
  • 17. Timeline Output (CSV)  For automated sandbox analysis  For knowing the timing/order of events 3:24:51,Process,CreateProcess,python.exe,2752,malwaredocument.exe,3048 3:24:51,Process,CreateProcess,document.exe,3048,malwaredocument.exe,3260 3:24:51,File,CreateFile,document.exe,3260,%UserProfile%Local SettingsTempbwtBBCB.tmp,fa32cacce112c18253a343c3fc41935a,,[VT: Not Scanned] 3:24:51,File,CreateFile,document.exe,3260,%UserProfile%Local SettingsTempnlibzar.exe,03721dc899125df9dba81f6d8d8997cf,,[VT: 42/57] 3:24:51,Process,CreateProcess,document.exe,3260,%Temp%nlibzar.exe,3632 3:24:52,Process,CreateProcess,nlibzar.exe,3632,%Temp%nlibzar.exe,4056 3:24:52,File,DeleteFile,nlibzar.exe,4056,%UserProfile%DesktopMALWAREdocument.exe 3:24:52,File,CreateFile,nlibzar.exe,4056,%UserProfile%Cookiesindex.dat,ad8004807700f1d8d5ab6fa8c2935ef6,, [VT: Not Scanned] 3:25:07,Network,TCP Send,nlibzar.exe,4056,66.111.47.22:80 3:25:07,Network,TCP Receive,nlibzar.exe,4056 3:25:07,File,CreateFile,nlibzar.exe,4056,%UserProfile%Local SettingsTemporary Internet FilesContent.IE50V0T0HC5suspendedpage[1].htm,7acfe81f71e166364c90bfe156250da6,,[VT: 0/56] 3:25:15,Network,TCP Send,nlibzar.exe,4056,216.146.38.70:80 3:25:15,Network,TCP Receive,nlibzar.exe,4056 3:25:17,Network,TCP Send,nlibzar.exe,4056,8.5.1.58:80 3:25:17,Network,TCP Receive,nlibzar.exe,4056