Intro to Reversing Malware

DefCamp
About Me
‣ Security Analyst
‣ Former Software Engineer
‣ Part of Adjust’s Fraud Team
‣ RiverBird.co
‣ @cheese0x2
What is Malware?
“Malware is a binary that does something someone wouldn’t like...”
Demo
Why bother with analysis?
“Sacred Cash Cow Tipping”
Analyzing a Ransomware
openme.exe
Static Analysis
Unix: ./strings openme.exe
Windows: PEStudio
Dynamic Analysis
Unix: ./fakedns.py
Unix: ./inetsim
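The dynamic-analysis step above hinges on what fakedns.py and INetSim do: the sample must resolve its C2 host, but the answer has to point at the analyst's own box so that the request lands in a fake HTTP/HTTPS service instead of the real server. The following is an added example of that DNS half of the setup, written for this page and not the talk's fakedns.py or INetSim. It builds the DNS response by hand so the mechanism is visible: the transaction ID and question are echoed back, the answer name is a compression pointer to the question, and every A query gets the sinkhole address. `SINKHOLE_IP`, the constructed query packet and the domain used in the test are assumptions for the example.

```python
import socket
import struct

SINKHOLE_IP = "10.0.0.2"  # assumption: the analyst's box running the fake HTTP service


def parse_qname(data, offset):
    """Decode a DNS name as a sequence of length-prefixed labels.
    Queries carry no compression pointers, so only the plain form is handled."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def parse_query(packet):
    """Return (txid, qname, qtype, qclass, raw_question) for a one-question query."""
    txid, _flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = parse_qname(packet, 12)
    qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    return txid, qname, qtype, qclass, packet[12:off + 4]


def build_response(packet, answer_ip=SINKHOLE_IP, ttl=60):
    """Answer an A query with answer_ip; any other type gets an empty NOERROR reply,
    so the client falls back to its A lookup rather than erroring out."""
    txid, qname, qtype, _qclass, question = parse_query(packet)
    is_a = qtype == 1
    # flags 0x8180: QR=1 (response), RD=1, RA=1, RCODE=0
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1 if is_a else 0, 0, 0)
    if not is_a:
        return header + question, qname
    rdata = socket.inet_aton(answer_ip)
    # name = 0xC00C, a pointer to offset 12 where the question's QNAME starts
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer, qname


def build_query(qname, txid=0x1234):
    """Constructed test input: the packet a resolver would send for qname (type A)."""
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + name + struct.pack("!HH", 1, 1)


def serve(bind="0.0.0.0", port=53):
    """Run as the sandbox's DNS server; point the victim VM's resolver at this host."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        pkt, peer = sock.recvfrom(512)
        try:
            resp, name = build_response(pkt)
        except (ValueError, IndexError, struct.error):
            continue  # malformed or multi-question packet: ignore it
        print(f"{peer[0]} asked for {name} -> {SINKHOLE_IP}")
        sock.sendto(resp, peer)


if __name__ == "__main__":
    serve()
```

The log line printed by `serve` is itself the first IOC: the domain the sample asks for appears here before any HTTP traffic is seen, even when the binary never contains that domain as a readable string.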
What we know
- An encrypted POST request to brb.3dtuts.by
- Not a single call to WinInet, which is odd for a binary that speaks HTTP
- No reference to brb.3dtuts.by in the binary
- No sign of cryptography functions
- Too much noise in `./strings` output
- The use of TLS
Typical HTTP Imports
Courtesy of MSDN (Microsoft Developer Network)
Typical Cryptography Imports
Courtesy of MSDN (Microsoft Developer Network)
Checking for Packers
Theory #1: Binary will use VirtualProtect to dump a packed binary?
Theory #2: CryptEncrypt will be used somewhere?
VirtualProtect
Courtesy of MSDN (Microsoft Developer Network)
Attach a Debugger
Windows: x32dbg
Breakpoint hit!
Checking Memory Regions
Found a newly created memory region with “ERW” permissions
Theory #1 was correct
Theory #1: Binary will use VirtualProtect to dump a packed binary? YES
Theory #2: CryptEncrypt will be used somewhere?
Theory #2: CryptEncrypt
We now know the malware is unpacking itself. Let it finish...
CryptEncrypt
Courtesy of MSDN (Microsoft Developer Network)
Windows: x32dbg
Breakpoint hit!
MZ == ?
MZ == Profit $$$ (an MZ header marks the start of a PE image: the unpacked binary is sitting in memory and can be dumped)
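Once the debugger has paused on CryptEncrypt, the "MZ == Profit" step is: find the PE image in the freshly writable+executable region and dump it. The following is an added example, not part of the talk: a scanner that walks a memory dump for `MZ`, validates each hit the way a careful analyst would (e_lfanew must land on `PE\0\0` inside the buffer, the COFF header must be sane, a section table must follow), and carves the image using SizeOfImage, because a dump from memory is laid out by virtual address rather than by file offset. It also lists section names, which is the quickest packer tell (UPX0/UPX1 and the like) when the theory on the earlier slide is being checked. `build_test_image` and `MEMORY_DUMP` are constructed fixtures, not bytes from openme.exe.

```python
import struct

MACHINES = {0x14C: "i386", 0x8664: "x86-64", 0x1C0: "ARM", 0xAA64: "ARM64"}
IMAGE_FILE_DLL = 0x2000
SECTION_HDR_LEN = 40


def parse_pe_at(buf, off):
    """Validate an 'MZ' hit: e_lfanew must point at 'PE\\0\\0' inside buf, the
    COFF header must look sane, and a section table must follow. None if not."""
    if off + 0x40 > len(buf) or buf[off:off + 2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
    pe = off + e_lfanew
    # heuristic bounds: real headers sit within the first KB after the DOS stub
    if e_lfanew < 0x40 or e_lfanew > 0x400 or pe + 24 > len(buf):
        return None
    if buf[pe:pe + 4] != b"PE\x00\x00":
        return None
    machine, nsections, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", buf, pe + 4)
    if not 0 < nsections <= 96 or opt_size < 0x60 or pe + 24 + opt_size > len(buf):
        return None
    magic = struct.unpack_from("<H", buf, pe + 24)[0]
    size_of_image = struct.unpack_from("<I", buf, pe + 24 + 56)[0]  # same offset in PE32 and PE32+
    names = []
    for i in range(nsections):
        so = pe + 24 + opt_size + i * SECTION_HDR_LEN
        if so + SECTION_HDR_LEN > len(buf):
            break
        names.append(buf[so:so + 8].rstrip(b"\x00").decode("ascii", "replace"))
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "pe32plus": magic == 0x20B,
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "size_of_image": size_of_image,
        "sections": names,
    }


def find_pe_headers(buf):
    """Every offset in buf where a plausible PE image begins, with its header info."""
    hits, pos = [], buf.find(b"MZ")
    while pos != -1:
        info = parse_pe_at(buf, pos)
        if info:
            hits.append((pos, info))
        pos = buf.find(b"MZ", pos + 1)
    return hits


def carve_image(buf, off, info):
    """Cut the image out of the dump. In memory the image is laid out by virtual
    address, so SizeOfImage bounds it; using raw-file sizes here would be wrong."""
    return buf[off:off + info["size_of_image"]]


def build_test_image(names=(b".text", b".rdata"), machine=0x14C, chars=0x102):
    """Constructed fixture: a bare PE32 header plus section table and no code.
    Not a real sample; it exists only so the scanner has something to find."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> right after the DOS header
    opt = bytearray(0xE0)                            # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)            # magic: PE32
    struct.pack_into("<I", opt, 56, 0x3000)          # SizeOfImage
    coff = struct.pack("<HHIIIHH", machine, len(names), 0, 0, 0, len(opt), chars)
    sections = b"".join(
        n.ljust(8, b"\x00")
        + struct.pack("<IIIIIIHHI", 0x1000, 0x1000 * (i + 1), 0x200, 0x400 * (i + 1),
                      0, 0, 0, 0, 0x60000020)
        for i, n in enumerate(names)
    )
    return bytes(dos) + b"PE\x00\x00" + coff + bytes(opt) + sections


# Constructed "memory dump": junk, a decoy 'MZ' with nothing behind it, the image, junk.
MEMORY_DUMP = b"\x90" * 200 + b"MZ" + b"\x00" * 30 + build_test_image() + b"\xcc" * 64

if __name__ == "__main__":
    for off, info in find_pe_headers(MEMORY_DUMP):
        print(f"PE at 0x{off:x}: {info}")
        with open(f"dumped_{off:x}.bin", "wb") as fh:
            fh.write(carve_image(MEMORY_DUMP, off, info))
```

The carved file is what the `./strings dumped_bin` slide runs against. Note the caveat the code comments carry: a memory carve is section-aligned by virtual address, so it will not load as-is without fixing the section table's raw pointers, but `strings` and import-table inspection work on it unchanged.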
Theory #2 was correct
Theory #1: Binary will use VirtualProtect to dump a packed binary? YES
Theory #2: CryptEncrypt will be used somewhere? YES
Unix: ./strings dumped_bin
HTTP and Cryptography imports and strings were hidden in the packed malware
Remember this?
Further analysis shows the binary communicating with a Command & Control server called brb.3dtuts.by
Demo
Conclusion
Thank you