Intro to Reversing Malware

  1. BERLIN • NEW YORK • SAN FRANCISCO • SÃO PAULO • PARIS • LONDON • MOSCOW • ISTANBUL • SEOUL • SHANGHAI • BEIJING • TOKYO • MUMBAI • SINGAPORE
  2. About Me ‣ Security Analyst ‣ Former Software Engineer ‣ Part of Adjust’s Fraud Team ‣ RiverBird.co ‣ @cheese0x2
  3. What is Malware? “Malware is a binary that does something someone wouldn’t like...”
  4. Demo
  5. Why bother with analysis?
  6. “Sacred Cash Cow Tipping”
  7. Analyzing a Ransomware Sample
  8. openme.exe
  9. Static Analysis
  10. Unix: ./strings openme.exe
  11. Unix: ./strings openme.exe
  12. Windows: PEStudio
  13. Windows: PEStudio
  14. Dynamic Analysis
  15. Unix: ./fakedns.py
  16. Unix: ./inetsim
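The fake-DNS step on the slides above works by answering every lookup the sample makes with an address we control, so its traffic to brb.3dtuts.by ends up at inetsim or a fake web server instead of the real host. The script below is an added example written for this page, not the fakedns.py from the talk: a minimal UDP sinkhole that decodes the question, answers A/IN queries with an assumed SINKHOLE_IP of 10.0.0.1, and returns an empty answer for every other record type. The brb.3dtuts.by query packet is constructed in-line so the functions can be exercised offline; only the Python standard library is used.

```python
"""Added example for the fakedns step: a fake DNS server that answers every A
lookup with the analysis box's address so the sample's C2 traffic lands on a
host we control. Standard library only; the query packet below is constructed."""
import socket
import struct

SINKHOLE_IP = "10.0.0.1"        # assumed: the VM running inetsim or a fake web server


def parse_qname(packet: bytes, offset: int = 12):
    """Decode the label sequence of the first question; returns (name, end_offset).
    Resolvers never compress the question name, so no pointer handling is needed."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length


def build_response(query: bytes, ip: str, ttl: int = 60) -> bytes:
    """Echo the question back with one A record (A/IN only; anything else gets no answer)."""
    txid = query[:2]
    if struct.unpack_from(">H", query, 4)[0] != 1:      # QDCOUNT must be 1
        raise ValueError("expected exactly one question")
    _, end = parse_qname(query)
    qtype, qclass = struct.unpack_from(">HH", query, end)
    question = query[12:end + 4]
    answer, ancount = b"", 0
    if qtype == 1 and qclass == 1:                        # A record, class IN
        answer = (b"\xc0\x0c"                             # compression pointer to the name at offset 12
                  + struct.pack(">HHIH", 1, 1, ttl, 4)    # type A, class IN, TTL, RDLENGTH
                  + socket.inet_aton(ip))
        ancount = 1
    # 0x8180: response, recursion desired + available, RCODE 0
    header = txid + struct.pack(">HHHHH", 0x8180, 1, ancount, 0, 0)
    return header + question + answer


def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Encode a standard recursive query (constructed test input, what a resolver would send)."""
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\0"
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack(">HH", qtype, 1)


def serve(bind_ip: str = "0.0.0.0", port: int = 53) -> None:
    """Run the sinkhole: log each query and point every A lookup at SINKHOLE_IP."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_ip, port))
        while True:
            data, peer = sock.recvfrom(512)
            try:
                name, _ = parse_qname(data)
                print(f"{peer[0]} asked for {name} -> {SINKHOLE_IP}")
                sock.sendto(build_response(data, SINKHOLE_IP), peer)
            except (IndexError, ValueError, UnicodeDecodeError, struct.error):
                continue                                  # malformed or truncated packet


if __name__ == "__main__":
    # Offline check with a constructed query, then serve for real (port 53 needs root).
    sample = build_query("brb.3dtuts.by")
    print(parse_qname(sample)[0], "->", build_response(sample, SINKHOLE_IP)[-4:].hex())
    serve()
```

Run it on the analysis VM and point the sample's DNS at that VM; each query line tells you which hostnames the malware resolves even before any HTTP reaches inetsim. Non-A queries (AAAA, TXT) are answered with zero records rather than NXDOMAIN so the sample does not give up on the name.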
  17. What we know
      - An encrypted POST request to brb.3dtuts.by
      - Not a single call to WinInet, which is odd for something that speaks HTTP
      - No reference to brb.3dtuts.by in the binary
      - No sign of cryptography functions
      - Too much noise in the `./strings` output
      - The use of TLS
  18. Typical HTTP Imports (courtesy of MSDN, the Microsoft Developer Network)
  19. Typical Cryptography Imports (courtesy of MSDN)
  20. Checking for Packers
  21. Theory
  22. Theory. Theory #1: the binary will use VirtualProtect when it writes out the packed payload, which gives us a point to dump the unpacked binary? Theory #2: CryptEncrypt will be used somewhere?
  23. VirtualProtect (courtesy of MSDN)
  24. Attach a Debugger. Windows: x32dbg
  25. Windows: x32dbg. Breakpoint hit!
  26. Checking Memory Regions. Found a newly created memory region with “ERW” (execute, read, write) permissions
  27. Theory #1 was correct. Theory #1: the binary will use VirtualProtect when it writes out the packed payload? YES. Theory #2: CryptEncrypt will be used somewhere?
  28. Theory #2: CryptEncrypt. We now know the malware is unpacking itself. Let it finish...
  29. CryptEncrypt (courtesy of MSDN)
  30. Windows: x32dbg. Breakpoint hit!
  31. MZ == ?
  32. MZ == Profit $$$. The region now starts with the “MZ” DOS header magic, so it holds a complete executable image we can dump
  33. Theory #2 was correct. Theory #1: the binary will use VirtualProtect when it writes out the packed payload? YES. Theory #2: CryptEncrypt will be used somewhere? YES
  34. Unix: ./strings dumped_bin. The HTTP and cryptography imports and strings were hidden inside the packed malware
  35. Remember this? Further analysis shows the binary communicating with a command-and-control server called brb.3dtuts.by
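Slides 20 to 34 describe the unpacking workflow: check for a packer, break on VirtualProtect, find the new RWX region, wait until it starts with MZ and dump it. The script below is an added example written for this page, not tooling from the talk, and it uses only the Python standard library. It implements the packer tells behind slide 20 (packer section names, section entropy, writable-and-executable sections) and the carving of a PE image out of a dumped region (slides 26 to 32). The PE images and the dumped region are constructed in-line and are not openme.exe; the packer section-name list and the 7.0 entropy threshold are assumptions, and brb.3dtuts.by appears only as an embedded string because the slides name it.

```python
"""Added example for slides 20-34: packer triage on a PE file, then carving the
unpacked image out of a dumped RWX region once it starts with "MZ".
Standard library only; the PE images below are constructed, not openme.exe."""
import hashlib
import math
import struct
from collections import Counter

# Section names common packers leave behind (assumed list, not exhaustive).
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".petite",
                        ".nsp0", ".nsp1", "MPRESS1", "MPRESS2", ".vmp0", ".vmp1"}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; compressed or encrypted payloads sit close to 8.0."""
    if not data:
        return 0.0
    return -sum(c / len(data) * math.log2(c / len(data)) for c in Counter(data).values())


def parse_sections(pe: bytes) -> list:
    """Walk the section table of a file-layout PE image (PE32 or PE32+)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size          # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)   # SizeOfRawData, PointerToRawData
        chars = struct.unpack_from("<I", pe, off + 36)[0]             # Characteristics
        sections.append({"name": name, "raw_ptr": raw_ptr,
                         "raw": pe[raw_ptr:raw_ptr + raw_size], "chars": chars})
    return sections


def packer_indicators(pe: bytes) -> list:
    """The 'Checking for Packers' step: packer names, high entropy, writable+executable."""
    findings = []
    for s in parse_sections(pe):
        ent = shannon_entropy(s["raw"])
        if s["name"] in PACKER_SECTION_NAMES:
            findings.append(f"{s['name']}: known packer section name")
        if ent > 7.0:                              # threshold is a rule of thumb
            findings.append(f"{s['name']}: entropy {ent:.2f}, compressed or encrypted")
        if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_MEM_WRITE:
            findings.append(f"{s['name']}: writable and executable")
    return findings


def carve_pe_images(region: bytes) -> list:
    """Return (offset, image) for every MZ/PE header in a dumped memory region. The buffer is
    treated as a file-layout image (what an unpacker builds before mapping it)."""
    images, start = [], 0
    while (off := region.find(b"MZ", start)) >= 0:
        start = off + 1
        try:
            sections = parse_sections(region[off:])
            end = max(s["raw_ptr"] + len(s["raw"]) for s in sections)
        except (struct.error, ValueError):
            continue                               # stray "MZ" bytes, not a header
        images.append((off, region[off:off + end]))
    return images


def pseudo_random(n: int, seed: bytes) -> bytes:
    """Deterministic high-entropy filler standing in for a packed payload (constructed)."""
    out, h = b"", seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return out[:n]


def build_sample_pe(sections) -> bytes:
    """Assemble a minimal, non-executable PE image from (name, data, chars) tuples."""
    opt = bytes(0xE0)                          # PE32 optional header; contents unused here
    hdr_len = 0x40 + 4 + 20 + len(opt) + 40 * len(sections)
    raw_ptr = (hdr_len + 0x1FF) & ~0x1FF       # first section on the next 512-byte boundary
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    table, blobs = b"", b""
    for i, (name, data, chars) in enumerate(sections):
        table += name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(data), 0x1000 * (i + 1), len(data),
            raw_ptr + len(blobs), 0, 0, 0, 0, chars)
        blobs += data
    return (dos + b"PE\0\0" + coff + opt + table).ljust(raw_ptr, b"\0") + blobs


STUB = b"\x55\x8b\xec" * 700                        # low-entropy stand-in for code
PACKED_PE = build_sample_pe([(b".text", STUB, 0x60000020),
                             (b"UPX1", pseudo_random(4096, b"payload"), 0xE0000040)])
UNPACKED_PE = build_sample_pe([(b".text", STUB, 0x60000020),
                               (b".rdata", b"CryptEncrypt\0InternetOpenA\0brb.3dtuts.by\0", 0x40000040)])
# What a dump of the new RWX region might hold: the unpacked image amid leftover noise.
DUMPED_REGION = pseudo_random(300, b"noise") + UNPACKED_PE + pseudo_random(200, b"tail")

if __name__ == "__main__":
    print(*packer_indicators(PACKED_PE), sep="\n")
    print([(off, len(img), b"CryptEncrypt" in img) for off, img in carve_pe_images(DUMPED_REGION)])
```

Dump the RWX region from x32dbg to a file and feed its bytes to carve_pe_images; an image dumped before the unpacker maps it keeps its file layout, which is what strings and PEStudio expect. If the dump was taken after mapping, the section raw offsets have to be rebased to the virtual addresses before the parse, otherwise the carved file will have its sections at the wrong offsets.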
  36. Demo
  37. Conclusion
  38. Thank you
