
Intro to Reversing Malware

Presented by Abdullah Joseph in Bucharest, Romania on November 8-9th 2018 at DefCamp #9.

The video and other presentations can be found on https://def.camp/archive

Published in: Technology

Intro to Reversing Malware

  1. BERLIN • NEW YORK • SAN FRANCISCO • SÃO PAULO • PARIS • LONDON • MOSCOW • ISTANBUL • SEOUL • SHANGHAI • BEIJING • TOKYO • MUMBAI • SINGAPORE
  2. About Me ‣ Security Analyst ‣ Former Software Engineer ‣ Part of Adjust’s Fraud Team ‣ RiverBird.co ‣ @cheese0x2
  3. What is Malware? “Malware is a binary that does something someone wouldn’t like...”
  4. Demo
  5. Why bother with analysis?
  6. “Sacred Cash Cow Tipping”
  7. Analyzing a Ransomware Sample
  8. openme.exe
  9. Static Analysis
  10. Unix: ./strings openme.exe
  11. Unix: ./strings openme.exe
  12. Windows: PEStudio
  13. Windows: PEStudio
  14. Dynamic Analysis
  15. Unix: ./fakedns.py
  16. Unix: ./inetsim
  17. What we know:
     - An encrypted POST request to brb.3dtuts.by
     - Not a single call to WinInet, which is weird
     - No reference to brb.3dtuts.by
     - No sign of cryptography functions
     - Too much noise in `./strings` output
     - The use of TLS
  18. Typical HTTP Imports (courtesy of MSDN, the Microsoft Developer Network)
  19. Typical Cryptography Imports (courtesy of MSDN, the Microsoft Developer Network)
  20. Checking for Packers
  21. Theory
  22. Theory:
     - Theory #1: Binary will use VirtualProtect to dump a packed binary?
     - Theory #2: CryptEncrypt will be used somewhere?
  23. VirtualProtect (courtesy of MSDN, the Microsoft Developer Network)
  24. Attach a Debugger. Windows: x32dbg
  25. Windows: x32dbg. Breakpoint hit!
  26. Checking Memory Regions: found a newly created memory region with “ERW” permissions
  27. Theory #1 was correct:
     - Theory #1: Binary will use VirtualProtect to dump a packed binary? YES
     - Theory #2: CryptEncrypt will be used somewhere?
  28. Theory #2: CryptEncrypt. We now know the malware is unpacking itself. Let it finish...
  29. CryptEncrypt (courtesy of MSDN, the Microsoft Developer Network)
  30. Windows: x32dbg. Breakpoint hit!
  31. MZ == ?
  32. MZ == Profit $$$
  33. Theory #2 was correct:
     - Theory #1: Binary will use VirtualProtect to dump a packed binary? YES
     - Theory #2: CryptEncrypt will be used somewhere? YES
  34. Unix: ./strings dumped_bin. HTTP and cryptography imports and strings were hidden in the packed malware
  35. Remember this? Further analysis shows the binary communicating with a Command & Control server called brb.3dtuts.by
  36. Demo
  37. Conclusion
  38. Thank you
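As an added example (not code from the talk or its author), the "MZ == ?" step in Python: scan a raw dump of a memory region for PE images, accepting an `MZ` hit only when `e_lfanew` points at a valid `PE\0\0` signature, then list each section's R/W/X flags so a writable-and-executable section stands out the way the "ERW" region did in x32dbg. The dump bytes are constructed inline (a stray `MZ` in noise followed by a minimal PE header stub); the function names are my own.

```python
import struct


def find_pe_images(blob: bytes) -> list:
    """Offsets of PE images in a raw memory dump. A bare 'MZ' occurs in
    ordinary data too, so a hit counts only if e_lfanew (DOS header offset
    0x3C) points at the 'PE\\0\\0' signature."""
    hits, pos = [], blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if e_lfanew >= 0x40 and blob[pe:pe + 4] == b"PE\0\0":
                hits.append(pos)
        pos = blob.find(b"MZ", pos + 1)
    return hits


def section_permissions(blob: bytes, base: int) -> list:
    """[(section name, 'RWX'-style flags)] for the PE image at `base`."""
    pe = base + struct.unpack_from("<I", blob, base + 0x3C)[0]
    nsect = struct.unpack_from("<H", blob, pe + 6)[0]      # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", blob, pe + 20)[0]  # SizeOfOptionalHeader
    table = pe + 24 + opt_size                             # first section header
    out = []
    for i in range(nsect):
        name, chars = struct.unpack_from("<8s28xI", blob, table + 40 * i)
        # IMAGE_SCN_MEM_READ / _WRITE / _EXECUTE bits from the PE/COFF spec
        flags = "".join(f if chars & bit else "-" for f, bit in
                        (("R", 0x40000000), ("W", 0x80000000), ("X", 0x20000000)))
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), flags))
    return out


def build_sample_dump() -> bytes:
    """Constructed input: a stray 'MZ' in zero noise, then a minimal PE header
    stub (DOS header, 'PE\\0\\0', COFF header, one RWX section). Not a real binary."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)  # i386, 1 section
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000, 0x200, 0x400,
                       0, 0, 0, 0, 0xE0000020)             # CODE|EXECUTE|READ|WRITE
    return b"\0" * 0x10 + b"MZ" + b"\0" * 0x50 + bytes(dos) + b"PE\0\0" + coff + sect


if __name__ == "__main__":
    dump = build_sample_dump()
    for off in find_pe_images(dump):
        print(f"PE image at 0x{off:x}: {section_permissions(dump, off)}")
```

On a real region dumped from x32dbg, any section reported as `RWX` (or an image whose sections do not match the on-disk openme.exe) is the unpacked payload worth saving as `dumped_bin` and running through `strings` again.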