Open Source Malware Lab
© 2016 ThreatConnect, Inc. All Rights Reserved

Director of Research Innovation
Research Team
ThreatConnect, Inc.
Why Do I Need A Malware Analysis Lab?
• Malware Research
  • Automated Malware Analysis (AMA)
    • First two of four major stages
    • AMA can include second stage
• Enhanced Threat Intelligence
  • Analysis of malware in your enterprise
  • Stage of malware hunting process
• Network Defense
  • Network Traffic
  • Inbound Email
  • Host Intrusion Detection System
• Fun!!!
https://zeltser.com/mastering-4-stages-of-malware-analysis/
Malware Analysis Process Entry Points
• File
• URL
• PCAP
• Memory Image
Open Source Malware Analysis Tools
• Cuckoo Sandbox
• Thug
• Bro
• Volatility
Cuckoo Sandbox
Static and Dynamic File Analysis
Sandbox
• A controlled, safe environment
• Leverages
  • Virtual machines
  • Bare metal computers
• Running malware
• Observing its behavior
• Dynamic malware analysis
• May also perform static malware analysis
More Than Just Dynamic Analysis
AV Detections
• TrendMicro: OSX_KeRanger.A
• ESET-NOD32: OSX/Filecoder.KeRanger.A
• Kaspersky: UDS:DangerousObject.Multi.Generic
Strings
• $Info: This file is packed with the UPX executable packer http://upx.sf.net $
• $Id: UPX 3.91 Copyright (C) 1996-2013 the UPX Team. All Rights Reserved. $
More Than Just Dynamic Analysis
File Metadata
• Timestamp: 2016-03-07 09:41:34
• First Seen: 2016-03-07 09:42:47 95c231bb, web, RU
Sections
Name   Addr    Ent   MD5
.rsrc  532480  3.59  7ce8cbef10f26dfee328a35f2c724cd5   (52 files found)
Resources
data RT_VERSION 3519388073965d5b6bae77135c36786f6f8e6882099a88504fbad3ed9b9c9687   (99 files found)
Cuckoo Sandbox Flavors
• Plain Vanilla: Version 1.2 (Stable)
• Cuckoo Modified (brad-accuvant / spender-sandbox)
• Next Generation: Version 2.0 RC1
Cuckoo Modified
• Normalization of file and registry paths
• 64-bit analysis
• Service monitoring
• Extended API
• Tor for outbound network connections
• Malheur integration
Normalization - Why this is Great!
• Not normalized
  • C:\Documents and Settings\Dumdum\Application Data\bonzo\AIDVFP.jpg
  • C:\Users\Dumdum\AppData\bonzo\AIDVFP.jpg
• Normalized
  • %APPDATA%\bonzo\AIDVFP.jpg
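As an added example of what the normalization above buys you (this is not Cuckoo's own code): a rule table that maps the Windows XP and Windows 7 layouts of the same per-user path, and a per-user registry hive keyed by SID, to one placeholder, so runs on different guests yield the same indicator. The rule table, the placeholder names and the sample paths are this example's assumptions.

```python
import re

# Prefix rules, most specific first; only the first match fires.
# The XP (Documents and Settings) and Vista+ (Users\...\AppData) layouts
# and the placeholder vocabulary are assumptions of this example.
_RULES = [
    (r"^C:\\Documents and Settings\\[^\\]+\\Local Settings\\Application Data", "%LOCALAPPDATA%"),
    (r"^C:\\Documents and Settings\\[^\\]+\\Local Settings\\Temp", "%TEMP%"),
    (r"^C:\\Documents and Settings\\[^\\]+\\Application Data", "%APPDATA%"),
    (r"^C:\\Documents and Settings\\[^\\]+", "%USERPROFILE%"),
    (r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp", "%TEMP%"),
    (r"^C:\\Users\\[^\\]+\\AppData\\Local", "%LOCALAPPDATA%"),
    (r"^C:\\Users\\[^\\]+\\AppData\\Roaming", "%APPDATA%"),
    (r"^C:\\Users\\[^\\]+", "%USERPROFILE%"),
    (r"^C:\\Windows", "%WINDIR%"),
    # Registry: the per-user hive under HKEY_USERS is keyed by SID; collapse it to HKCU.
    (r"^HKEY_USERS\\S-1-5-21-[\d-]+", "HKEY_CURRENT_USER"),
]
_COMPILED = [(re.compile(pattern, re.IGNORECASE), placeholder) for pattern, placeholder in _RULES]


def normalize_path(path: str) -> str:
    """Replace a user- or OS-specific prefix with its placeholder.

    Rule order decides precedence (the first matching rule wins);
    a path that matches no rule is returned unchanged.
    """
    for pattern, placeholder in _COMPILED:
        normalized, hits = pattern.subn(placeholder, path, count=1)
        if hits:
            return normalized
    return path


def unique_indicators(paths):
    """Collapse raw paths from several runs into one sorted set of
    normalized indicators, e.g. to see that the XP and Windows 7 runs
    dropped the same file under the same relative location."""
    return sorted({normalize_path(p) for p in paths})


# Constructed sample: the two un-normalized paths from the slide (with the
# Windows 7 roaming folder spelled out), a temp file on both layouts and a
# per-user Run key. The SID is a placeholder.
SAMPLE_PATHS = [
    r"C:\Documents and Settings\Dumdum\Application Data\bonzo\AIDVFP.jpg",
    r"C:\Users\Dumdum\AppData\Roaming\bonzo\AIDVFP.jpg",
    r"C:\Users\Dumdum\AppData\Local\Temp\cuddlesome.exe",
    r"C:\Documents and Settings\Dumdum\Local Settings\Temp\cuddlesome.exe",
    r"HKEY_USERS\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run",
]

if __name__ == "__main__":
    # Five raw observations collapse to three indicators.
    for indicator in unique_indicators(SAMPLE_PATHS):
        print(indicator)
```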
Cuckoo Next Generation
• Support for:
  • MacOS X
  • Linux
  • Android
• Integrations
  • Suricata
  • Snort
  • Moloch
• SSL decryption
• VPN support
• 64-bit analysis
• Fun, fun, fun
What if the Malware is VM or Sandbox Aware?
• Pafish (Paranoid Fish)
  • Uses malware's anti-analysis techniques
  • Shows successful and unsuccessful techniques
  • Pinpoint ways to improve sandbox
• VMCloak
  • Automated generation of Windows VM images
  • Ready for use in Cuckoo
  • Obfuscates VM to prevent anti-analysis
Cuckoo Output
• HTML Report
• JSON Report
• MongoDB Output
• Dropped Files
• PCAP
• Memory Image
• Visited URLs
Thug
Low-Interaction Honeyclient
What is a Low-Interaction Honeyclient?
• Pretends to be a browser
• Trigger a drive-by download
• Capture its payload
Wolf in Sheep's Clothing
• User agent can change
  • Windows, Mac, Linux, Android, iOS
  • Limitless possibilities
  • http://www.useragentstring.com/pages/useragentstring.php
  • http://www.browser-info.net/useragents
• Simulates vulnerable plugins with configurable versions
  • Flash
  • Java
  • Acrobat Reader (PDF)
Available User Agents
Thug Output
• Payload Files
• Other Content Files
• Visited URLs
• MongoDB Output
• Elasticsearch Output
• HPFeeds
• MAEC
• Native Report Format
Bro
Network Analysis Framework
What is Bro?
• Network Security Monitoring (NSM) Framework
• Processes
  • Live Packet Capture
  • Recorded Packet Capture (PCAP)
• Series of scripts
  • Output Bro logs
• Packaged with a large group of scripts
• Rich community of open source scripts
• Write your own Bro script for specific needs
Bro in Action
• Analysis Target: tue_schedule.doc_7387.doc
• PCAP Source: https://www.hybrid-analysis.com/
• SHA1: bb45bca4ccc0dd6a0b3a2c6001165f72fbd2cb6e
• What can we learn from PCAP only?
conn.log
$ cat conn.log | bro-cut -c uid id.resp_h id.resp_p proto service | sed -e 's/#fields//g' | grep -v '#' | column -t
dns.log
$ cat dns.log | bro-cut -c query qtype_name answers rcode_name | grep -E 'NOERROR|fields' | sed -e 's/#fields//g' | column -t
Poor Man's pDNS
Whois Data
Site Content
dns.log
Poor Man's pDNS
Whois Data
Poor Man's Reverse Whois
Site Content
dns.log
Whois Data
pDNS
http.log
$ cat http.log | bro-cut -u -C id.resp_h method host uri status_code resp_fuids resp_mime_types | grep -E '#fields|200' | sed -e 's/#fields//g' | column -t
Zapoi (Russian: запой)
A term used in Russia and other post-Soviet states to describe alcohol abuse behavior resulting in two or more days of continuous drunkenness.
https://en.wikipedia.org/wiki/Zapoy
/zapoy/gate.php = Pony
/xdaovcny/index.php = Nymaim
pe.log
$ cat pe.log | bro-cut -c id machine compile_ts subsystem is_exe section_names | sed -e 's/#fields//g' | grep -v '#' | column -t
files.log
$ cat files.log | bro-cut -c fuid filename total_bytes md5 sha1 sha256 | grep -E 'F8Ksgsir0wLKqA4e9|F0XaRJ2XvH5Epscnqj|#fields' | sed -e 's/#fields//g' | column -t | cut -d " " -f 2- | column -t
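The dns.log, http.log and files.log pivots above, as an added Python example that is not from the talk: a reader for Bro's TSV logs, the poor man's passive DNS built from dns.log (first/last seen per answer plus a reverse IP-to-domain map), and the http.log-to-files.log join by fuid that pairs the URI that served a payload with that file's size and hashes. The log lines are constructed with placeholder hashes; the field names are Bro's.

```python
from collections import defaultdict


def read_bro_log(text):
    """Yield one dict per record of a Bro TSV log, keyed by the #fields header.
    Other comment lines (#separator, #types, #close, ...) are skipped; Bro
    writes '-' for an unset field and joins set/vector values with ','."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("record before #fields header")
            yield dict(zip(fields, line.split("\t")))


def build_pdns(dns_log_text):
    """Poor man's passive DNS from dns.log: keep only NOERROR responses that
    carry answers and track first/last seen per (query, answer).
    Returns (forward, reverse): forward[query][answer] = (first_ts, last_ts),
    reverse[answer] = set of queries that resolved to that answer."""
    forward = defaultdict(dict)
    reverse = defaultdict(set)
    for rec in read_bro_log(dns_log_text):
        if rec["rcode_name"] != "NOERROR" or rec["answers"] == "-":
            continue
        ts = float(rec["ts"])
        for answer in rec["answers"].split(","):
            first, last = forward[rec["query"]].get(answer, (ts, ts))
            forward[rec["query"]][answer] = (min(first, ts), max(last, ts))
            reverse[answer].add(rec["query"])
    return forward, reverse


def successful_payloads(http_log_text, files_log_text):
    """Join http.log to files.log the way the slides do by hand: each fuid in
    resp_fuids of a 200 response is looked up in files.log so the URI that
    served a file sits next to the file's size and SHA1. A fuid Bro did not
    hash (no files.log row) is reported with '-' in those columns."""
    by_fuid = {f["fuid"]: f for f in read_bro_log(files_log_text)}
    rows = []
    for rec in read_bro_log(http_log_text):
        if rec["status_code"] != "200" or rec["resp_fuids"] == "-":
            continue
        for fuid in rec["resp_fuids"].split(","):
            f = by_fuid.get(fuid, {})
            rows.append({
                "host": rec["host"], "uri": rec["uri"], "fuid": fuid,
                "mime": rec["resp_mime_types"],
                "bytes": f.get("total_bytes", "-"), "sha1": f.get("sha1", "-"),
            })
    return rows


# Constructed sample logs (not the talk's capture), cut down to the columns
# the bro-cut commands above select plus ts/fuid. Hashes are placeholders.
DNS_LOG = """\
#separator \\x09
#fields\tts\tid.resp_h\tquery\tqtype_name\tanswers\trcode_name
1457343800.1\t10.0.0.1\tupdate.example-cdn.test\tA\t192.0.2.10,192.0.2.11\tNOERROR
1457343900.5\t10.0.0.1\tgate.example-c2.test\tA\t192.0.2.10\tNOERROR
1457344000.0\t10.0.0.1\tnope.example.test\tA\t-\tNXDOMAIN
1457344100.0\t10.0.0.1\tupdate.example-cdn.test\tA\t192.0.2.10\tNOERROR
"""

HTTP_LOG = """\
#fields\tts\tid.resp_h\tmethod\thost\turi\tstatus_code\tresp_fuids\tresp_mime_types
1457343901.0\t192.0.2.10\tPOST\tgate.example-c2.test\t/zapoy/gate.php\t200\tFa1b2c3\tapplication/octet-stream
1457343950.0\t192.0.2.11\tGET\tupdate.example-cdn.test\t/img/logo.png\t404\t-\t-
1457344050.0\t192.0.2.10\tGET\tgate.example-c2.test\t/xdaovcny/index.php\t200\tFd4e5f6,Fg7h8i9\tapplication/x-dosexec,text/plain
"""

FILES_LOG = """\
#fields\tts\tfuid\tfilename\ttotal_bytes\tmd5\tsha1\tsha256
1457343901.2\tFa1b2c3\t-\t61440\tMD5_PLACEHOLDER_1\tSHA1_PLACEHOLDER_1\tSHA256_PLACEHOLDER_1
1457344050.3\tFd4e5f6\tcuddlesome.exe\t245760\tMD5_PLACEHOLDER_2\tSHA1_PLACEHOLDER_2\tSHA256_PLACEHOLDER_2
"""

if __name__ == "__main__":
    forward, reverse = build_pdns(DNS_LOG)
    for query, answers in forward.items():
        for answer, (first, last) in answers.items():
            print(f"{query} -> {answer}  first={first} last={last}")
    for ip, queries in reverse.items():
        print(f"{ip} <- {sorted(queries)}")
    for row in successful_payloads(HTTP_LOG, FILES_LOG):
        print(row)
```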
MAN1 Adversary Group
http://www.threatgeek.com/2016/07/tracking-man1-crypter-actor.html
What Can We Learn From PCAP Only?
• Adversary Likely Russophone
• Office Document generating network traffic
• Multi-stage malware
  • One payload is Pony
  • One payload is Nymaim
• Nymaim has
  • Dedicated infrastructure
  • Rogue DNS
• Dropper uses compromised Drupal websites
• Adversary is MAN1
Collected Lots of Indicators
My local.bro
cuddlesome.exe = Ruckguv
Bro Output
• Important Logs
  • conn.log
  • dns.log
  • http.log
  • pe.log
  • files.log
• Extracted Files
• Alternative JSON Output for Elasticsearch
Volatility
Memory Analysis Framework
What is the Volatility Framework?
• Extracts artifacts from samples of volatile memory
• An amazing view into what is happening in memory while a malware sample is running
Operating System Support
Volatility in Action
• Analysis Target: b.exe
• Sample Source: https://www.hybrid-analysis.com/
• SHA1: 5149b40858c575238f1cbfcd32dd78a30bc87742
• What can we learn from memory analysis?
Preparing Your Memory Image
• Dump a memory image from running VirtualBox VM
  VBoxManage debugvm "Win7x64" dumpvmcore --filename=vbox.img
• Convert ELF64 image into raw dd-style memory dump
  vol.py -f vbox.img --profile=Win7SP1x64 imagecopy -O copy.raw
pslist & psscan
• psscan shows hidden and terminated processes
• pslist shows running processes
• pslist before and after running malware sample
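An added Python example (not Volatility's code) of the two comparisons above: it parses the text output of pslist and psscan, reports which PIDs appeared in pslist after detonation, and splits what psscan carved but pslist's EPROCESS list walk does not show into terminated processes and candidates for unlinked processes. The plugin output below is constructed to look like Volatility 2's; the offsets, PIDs and names are made up.

```python
import re

# Volatility 2 prints timestamps as "2016-03-07 09:41:00 UTC+0000"; a row
# with two of them carries an exit time as well as a start time.
_TIMESTAMP = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")


def parse_proc_table(text):
    """Parse pslist or psscan text output into {pid: info}.

    Both plugins print Offset, Name, PID, PPID as the first four columns,
    so one parser serves both. info["exited"] is True when the row shows
    an exit time (a terminated process whose EPROCESS psscan still found).
    """
    procs = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Offset", "-")):
            continue  # blank, column header or the dashed rule under it
        tok = line.split()
        procs[int(tok[2])] = {
            "name": tok[1],
            "ppid": int(tok[3]),
            "exited": len(_TIMESTAMP.findall(line)) >= 2,
        }
    return procs


def new_processes(before, after):
    """pslist taken before vs. after running the sample: PIDs that appeared."""
    return {pid: info for pid, info in after.items() if pid not in before}


def unlisted_processes(pslist, psscan):
    """Processes psscan carved that pslist did not list, split into
    terminated ones (exit time present) and candidates for hidden ones
    (no exit time, yet absent from the active process list)."""
    hidden, terminated = {}, {}
    for pid, info in psscan.items():
        if pid in pslist:
            continue
        (terminated if info["exited"] else hidden)[pid] = info
    return hidden, terminated


# Constructed plugin output. A second pslist after detonation shows b.exe;
# psscan additionally finds an exited cmd.exe and a still-present
# svch0st.exe that the list walk does not report.
PSLIST_BEFORE = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa8000ca0040 System                    4      0     80      500 ------      0 2016-03-07 09:40:00 UTC+0000
0xfffffa8001234560 explorer.exe           1234   1200     30      800      1      0 2016-03-07 09:41:00 UTC+0000
"""

PSLIST_AFTER = PSLIST_BEFORE + """\
0xfffffa8001a2b3c0 b.exe                  2020   1234      2       40      1      0 2016-03-07 09:45:00 UTC+0000
"""

PSSCAN = """\
Offset(P)          Name                PID   PPID PDB                Time created                   Time exited
------------------ ---------------- ------ ------ ------------------ ------------------------------ ------------------------------
0x000000003e0a0040 System                4      0 0x0000000000187000 2016-03-07 09:40:00 UTC+0000
0x000000003e1b2b30 explorer.exe       1234   1200 0x000000003e1b3000 2016-03-07 09:41:00 UTC+0000
0x000000003f0c4a10 b.exe              2020   1234 0x000000003f0c5000 2016-03-07 09:45:00 UTC+0000
0x000000003f2d0b60 cmd.exe            2100   2020 0x000000003f2d1000 2016-03-07 09:45:10 UTC+0000   2016-03-07 09:45:12 UTC+0000
0x000000003f3e1c70 svch0st.exe        2200   2020 0x000000003f3e2000 2016-03-07 09:45:20 UTC+0000
"""

if __name__ == "__main__":
    before = parse_proc_table(PSLIST_BEFORE)
    after = parse_proc_table(PSLIST_AFTER)
    scan = parse_proc_table(PSSCAN)
    print("new since detonation:", new_processes(before, after))
    hidden, terminated = unlisted_processes(after, scan)
    print("psscan-only, terminated:", terminated)
    print("psscan-only, possibly hidden:", hidden)
```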
malfind
$ vol.py -f copy.raw --profile=Win7SP1x64 malfind -D .
Malware Found?
AV Detections
• Avira: TR/Patched.Ren.Gen7
• Qihoo-360: HEUR/QVM40.1.Malware.Gen
• Qihoo-360: HEUR/QVM40.1.Malware.Gen
Addresses shown: 0x80000, 0xa000
netscan
$ vol.py -f copy.raw --profile=Win7SP1x64 netscan | grep explorer
What Can We Learn From Memory Analysis?
• Sample uses process injection
  • Injects explorer.exe
• Command and Control IP Address: 216.170.126.105
Volatility Output
• Files extracted from services
• Files extracted from injection
• DLLs extracted
• IP addresses extracted from network connections
• URLs extracted from IE history
• URLs extracted from malware configuration
• Suspicious mutexes
Tying It All Together
Conclusion
Cuckoo, Thug, Bro Process
Volatility, Thug, Cuckoo Process
Orchestration and Automation
• Use a message queue
  • Redis
  • RabbitMQ
  • ZeroMQ <- Preferred
• Use NGINX for file transfer under message queue
• Keep all output in Elasticsearch
  • Cuckoo needs to be cuckoo-modified or write your own report plugin
  • Thug uses ES natively
  • Bro can export logs in JSON format
  • Volatility can export logs in JSON format
• Glue everything together with Python3
Questions?
www.ThreatConnect.com/blog
@MalwareUtkonos @ThreatConnect

Open Source Malware Lab

  • 1.
    1@ThreatConnect Open Source MalwareLab © 2016 ThreatConnect, Inc. All Rights Reserved
  • 2.
    2@ThreatConnect Director of ResearchInnovation Research Team ThreatConnect, Inc. © 2016 ThreatConnect, Inc. All Rights Reserved
  • 3.
    3@ThreatConnect Why Do INeed A Malware Analysis Lab? • Malware Research • Automated Malware Analysis (AMA) • First two of four major stages • AMA can include second stage • Enhanced Threat Intelligence • Analysis of malware in your enterprise • Stage of malware hunting process • Network Defense • Network Traffic • Inbound Email • Host Intrusion Detection System • Fun!!! https://zeltser.com/mastering-4-stages-of-malware-analysis/ © 2016 ThreatConnect, Inc. All Rights Reserved
  • 4.
    4@ThreatConnect Malware Analysis ProcessEntry Points File URL PCAP Memory Image © 2016 ThreatConnect, Inc. All Rights Reserved
  • 5.
    5@ThreatConnect Cuckoo Sandbox Thug BroVolatility Open Source Malware Analysis Tools © 2016 ThreatConnect, Inc. All Rights Reserved
  • 6.
    6@ThreatConnect Cuckoo Sandbox Static andDynamic File Analysis © 2016 ThreatConnect, Inc. All Rights Reserved
  • 7.
    7@ThreatConnect Sandbox • A controlled,safe environment • Leverages • Virtual machines • Bare metal computers • Running malware • Observing its behavior • Dynamic malware analysis • May also perform static malware analysis © 2016 ThreatConnect, Inc. All Rights Reserved
  • 8.
    8@ThreatConnect More Than JustDynamic Analysis © 2016 ThreatConnect, Inc. All Rights Reserved TrendMicro: OSX_KeRanger.A ESET-NOD32: OSX/Filecoder.KeRanger.A Kaspersky: UDS:DangerousObject.Multi.Generic $Info: This file is packed with the UPX executable packer http://upx.sf.net $ $Id: UPX 3.91 Copyright (C) 1996-2013 the UPX Team. All Rights Reserved. $ Strings AV Detections
  • 9.
    9@ThreatConnect More Than JustDynamic Analysis © 2016 ThreatConnect, Inc. All Rights Reserved TrendMicro: OSX_KeRanger.A ESET-NOD32: OSX/Filecoder.KeRanger.A Kaspersky: UDS:DangerousObject.Multi.Generic $Info: This file is packed with the UPX executable packer http://upx.sf.net $ $Id: UPX 3.91 Copyright (C) 1996-2013 the UPX Team. All Rights Reserved. $ Strings AV Detections
  • 10.
    10@ThreatConnect More Than JustDynamic Analysis © 2016 ThreatConnect, Inc. All Rights Reserved TrendMicro: OSX_KeRanger.A ESET-NOD32: OSX/Filecoder.KeRanger.A Kaspersky: UDS:DangerousObject.Multi.Generic $Info: This file is packed with the UPX executable packer http://upx.sf.net $ $Id: UPX 3.91 Copyright (C) 1996-2013 the UPX Team. All Rights Reserved. $ Strings AV Detections
  • 11.
    11@ThreatConnect More Than JustDynamic Analysis © 2016 ThreatConnect, Inc. All Rights Reserved TrendMicro: OSX_KeRanger.A ESET-NOD32: OSX/Filecoder.KeRanger.A Kaspersky: UDS:DangerousObject.Multi.Generic $Info: This file is packed with the UPX executable packer http://upx.sf.net $ $Id: UPX 3.91 Copyright (C) 1996-2013 the UPX Team. All Rights Reserved. $ Strings AV Detections
  • 12.
    12@ThreatConnect More Than JustDynamic Analysis © 2016 ThreatConnect, Inc. All Rights Reserved data RT_VERSION 3519388073965d5b6bae77135c36786f6f8e6882099a88504fba d3ed9b9c9687 99 files found Name Addr Ent MD5 .rsrc 532480 3.59 7ce8cbef10f26dfee328a35f2c724cd5 52 files found Sections Resources Timestamp: 2016-03-07 09:41:34 First Seen: 2016-03-07 09:42:47 95c231bb, web, RU File Metadata
  • 13.
    13@ThreatConnect More Than JustDynamic Analysis © 2016 ThreatConnect, Inc. All Rights Reserved data RT_VERSION 3519388073965d5b6bae77135c36786f6f8e6882099a88504fba d3ed9b9c9687 99 files found Name Addr Ent MD5 .rsrc 532480 3.59 7ce8cbef10f26dfee328a35f2c724cd5 52 files found Sections Resources Timestamp: 2016-03-07 09:41:34 First Seen: 2016-03-07 09:42:47 95c231bb, web, RU File Metadata
  • 14.
    14@ThreatConnect More Than JustDynamic Analysis © 2016 ThreatConnect, Inc. All Rights Reserved data RT_VERSION 3519388073965d5b6bae77135c36786f6f8e6882099a88504fba d3ed9b9c9687 99 files found Name Addr Ent MD5 .rsrc 532480 3.59 7ce8cbef10f26dfee328a35f2c724cd5 52 files found Sections Resources Timestamp: 2016-03-07 09:41:34 First Seen: 2016-03-07 09:42:47 95c231bb, web, RU File Metadata
  • 15.
    15@ThreatConnect More Than JustDynamic Analysis © 2016 ThreatConnect, Inc. All Rights Reserved data RT_VERSION 3519388073965d5b6bae77135c36786f6f8e6882099a88504fba d3ed9b9c9687 99 files found Name Addr Ent MD5 .rsrc 532480 3.59 7ce8cbef10f26dfee328a35f2c724cd5 52 files found Sections Resources Timestamp: 2016-03-07 09:41:34 First Seen: 2016-03-07 09:42:47 95c231bb, web, RU File Metadata
  • 16.
    16@ThreatConnect More Than JustDynamic Analysis © 2016 ThreatConnect, Inc. All Rights Reserved data RT_VERSION 3519388073965d5b6bae77135c36786f6f8e6882099a88504fba d3ed9b9c9687 99 files found Name Addr Ent MD5 .rsrc 532480 3.59 7ce8cbef10f26dfee328a35f2c724cd5 52 files found Sections Resources Timestamp: 2016-03-07 09:41:34 First Seen: 2016-03-07 09:42:47 95c231bb, web, RU File Metadata
  • 17.
    17@ThreatConnect More Than JustDynamic Analysis © 2016 ThreatConnect, Inc. All Rights Reserved data RT_VERSION 3519388073965d5b6bae77135c36786f6f8e6882099a88504fba d3ed9b9c9687 99 files found Name Addr Ent MD5 .rsrc 532480 3.59 7ce8cbef10f26dfee328a35f2c724cd5 52 files found Sections Resources Timestamp: 2016-03-07 09:41:34 First Seen: 2016-03-07 09:42:47 95c231bb, web, RU File Metadata
  • 18.
    18@ThreatConnect More Than JustDynamic Analysis © 2016 ThreatConnect, Inc. All Rights Reserved data RT_VERSION 3519388073965d5b6bae77135c36786f6f8e6882099a88504fba d3ed9b9c9687 99 files found Name Addr Ent MD5 .rsrc 532480 3.59 7ce8cbef10f26dfee328a35f2c724cd5 52 files found Sections Resources Timestamp: 2016-03-07 09:41:34 First Seen: 2016-03-07 09:42:47 95c231bb, web, RU File Metadata
  • 19.
    19@ThreatConnect More Than JustDynamic Analysis © 2016 ThreatConnect, Inc. All Rights Reserved data RT_VERSION 3519388073965d5b6bae77135c36786f6f8e6882099a88504fba d3ed9b9c9687 99 files found Name Addr Ent MD5 .rsrc 532480 3.59 7ce8cbef10f26dfee328a35f2c724cd5 52 files found Sections Resources Timestamp: 2016-03-07 09:41:34 First Seen: 2016-03-07 09:42:47 95c231bb, web, RU File Metadata
  • 20.
    20@ThreatConnect Cuckoo Sandbox Flavors ©2016 ThreatConnect, Inc. All Rights Reserved Plain Vanilla Version 1.2 (Stable) Cuckoo Modified (brad-accuvant / spender-sandbox) Next Generation Version 2.0 RC1
  • 21.
    21@ThreatConnect Cuckoo Modified • Normalizationof file and registry paths • 64bit analysis • Service monitoring • Extended API • Tor for outbound network connections • Malheur integration © 2016 ThreatConnect, Inc. All Rights Reserved
  • 22.
    22@ThreatConnect Normalization - Whythis is Great! • Not normalized •C:Documents and SettingsDumdumApplication DatabonzoAIDVFP.jpg •C:UsersDumdumAppDatabonzoAIDVFP.jpg • Normalized •%APPDATA%bonzoAIDVFP.jpg © 2016 ThreatConnect, Inc. All Rights Reserved
  • 23.
    23@ThreatConnect Cuckoo Next Generation •Support for: • MacOS X • Linux • Android © 2016 ThreatConnect, Inc. All Rights Reserved • Integrations • Suricata • Snort • Moloch • SSL decryption • VPN support • 64-bit analysis • Fun, fun, fun
  • 24.
    24@ThreatConnect What if theMalware is VM or Sandbox Aware? • Pafish (Paranoid Fish) • Uses malware’s anti-analysis techniques • Shows successful and unsuccessful techniques • Pinpoint ways to improve sandbox • VMCloak • Automated generation of Windows VM images • Ready for use in Cuckoo • Obfuscates VM to prevent anti-analysis © 2016 ThreatConnect, Inc. All Rights Reserved
  • 25.
    25@ThreatConnect Cuckoo Output • HTMLReport • JSON Report • MongoDB Output • Dropped Files • PCAP • Memory Image • Visited URLs © 2016 ThreatConnect, Inc. All Rights Reserved
  • 26.
    26@ThreatConnect Thug Low-Interaction Honeyclient © 2016ThreatConnect, Inc. All Rights Reserved
  • 27.
    27@ThreatConnect What is aLow-Interaction Honeyclient? • Pretends to be a browser • Trigger a drive-by download • Capture its payload © 2016 ThreatConnect, Inc. All Rights Reserved
  • 28.
    28@ThreatConnect Wolf in Sheep’sClothing • User agent can change • Windows, Mac, Linux, Android, iOS • Limitless possibilities • http://www.useragentstring.com/pages/ useragentstring.php • http://www.browser-info.net/useragents • Simulates vulnerable plugins with configurable versions • Flash • Java • Acrobat Reader (PDF) © 2016 ThreatConnect, Inc. All Rights Reserved
  • 29.
    29@ThreatConnect Available User Agents ©2016 ThreatConnect, Inc. All Rights Reserved
  • 30.
    30@ThreatConnect Thug Output • PayloadFiles • Other Content Files • Visited URLs • MongoDB Output • Elasticsearch Output • HPFeeds • MAEC • Native Report Format © 2016 ThreatConnect, Inc. All Rights Reserved
  • 31.
    31@ThreatConnect Bro Network Analysis Framework ©2016 ThreatConnect, Inc. All Rights Reserved
  • 32.
    32@ThreatConnect What is Bro? •Network Security Monitoring (NSM) Framework • Processes • Live Packet Capture • Recorded Packet Capture (PCAP) • Series of scripts • Output Bro logs • Packaged with a large group of scripts • Rich community of open source scripts • Write your own Bro script for specific needs © 2016 ThreatConnect, Inc. All Rights Reserved
  • 33.
    33@ThreatConnect Bro in Action ©2016 ThreatConnect, Inc. All Rights Reserved • Analysis Target: tue_schedule.doc_7387.doc • PCAP Source: https://www.hybrid-analysis.com/ • SHA1: bb45bca4ccc0dd6a0b3a2c6001165f72fbd2cb6e • What can we learn from PCAP only?
  • 34.
    34@ThreatConnect conn.log $ cat conn.log| bro-cut -c uid id.resp_h id.resp_p proto service | sed -e 's/#fields//g' | grep -v '#' | column -t © 2016 ThreatConnect, Inc. All Rights Reserved
  • 35.
    35@ThreatConnect conn.log $ cat conn.log| bro-cut -c uid id.resp_h id.resp_p proto service | sed -e 's/#fields//g' | grep -v '#' | column -t © 2016 ThreatConnect, Inc. All Rights Reserved
  • 36.
    36@ThreatConnect conn.log $ cat conn.log| bro-cut -c uid id.resp_h id.resp_p proto service | sed -e 's/#fields//g' | grep -v '#' | column -t © 2016 ThreatConnect, Inc. All Rights Reserved
  • 37.
    37@ThreatConnect conn.log $ cat conn.log| bro-cut -c uid id.resp_h id.resp_p proto service | sed -e 's/#fields//g' | grep -v '#' | column -t © 2016 ThreatConnect, Inc. All Rights Reserved
  • 38.
    38@ThreatConnect conn.log $ cat conn.log| bro-cut -c uid id.resp_h id.resp_p proto service | sed -e 's/#fields//g' | grep -v '#' | column -t © 2016 ThreatConnect, Inc. All Rights Reserved
  • 39.
    39@ThreatConnect dns.log $ cat dns.log| bro-cut -c query qtype_name answers rcode_name | grep 'NOERROR|fields' | sed -e 's/#fields//g' | column -t © 2016 ThreatConnect, Inc. All Rights Reserved
  • 40.
    40@ThreatConnect dns.log $ cat dns.log| bro-cut -c query qtype_name answers rcode_name | grep 'NOERROR|fields' | sed -e 's/#fields//g' | column -t © 2016 ThreatConnect, Inc. All Rights Reserved
  • 41.
    41@ThreatConnect dns.log $ cat dns.log| bro-cut -c query qtype_name answers rcode_name | grep 'NOERROR|fields' | sed -e 's/#fields//g' | column -t © 2016 ThreatConnect, Inc. All Rights Reserved
  • 42.
    42@ThreatConnect Poor Man’s pDNS ©2016 ThreatConnect, Inc. All Rights Reserved
  • 43.
    43@ThreatConnect Whois Data © 2016ThreatConnect, Inc. All Rights Reserved
  • 44.
    44@ThreatConnect Whois Data © 2016ThreatConnect, Inc. All Rights Reserved
  • 45.
    45@ThreatConnect Site Content © 2016ThreatConnect, Inc. All Rights Reserved
  • 46.
    46@ThreatConnect Site Content © 2016ThreatConnect, Inc. All Rights Reserved
  • 47.
    47@ThreatConnect dns.log $ cat dns.log| bro-cut -c query qtype_name answers rcode_name | grep 'NOERROR|fields' | sed -e 's/#fields//g' | column -t © 2016 ThreatConnect, Inc. All Rights Reserved
  • 48.
    48@ThreatConnect Poor Man’s pDNS ©2016 ThreatConnect, Inc. All Rights Reserved
  • 49.
    49@ThreatConnect Whois Data © 2016ThreatConnect, Inc. All Rights Reserved
  • 50.
    50@ThreatConnect Whois Data © 2016ThreatConnect, Inc. All Rights Reserved
  • 51.
    51@ThreatConnect Poor Man’s ReverseWhois © 2016 ThreatConnect, Inc. All Rights Reserved
  • 52.
    52@ThreatConnect Site Content © 2016ThreatConnect, Inc. All Rights Reserved
  • 53.
    53@ThreatConnect dns.log $ cat dns.log| bro-cut -c query qtype_name answers rcode_name | grep 'NOERROR|fields' | sed -e 's/#fields//g' | column -t © 2016 ThreatConnect, Inc. All Rights Reserved
  • 54.
    54@ThreatConnect Whois Data © 2016ThreatConnect, Inc. All Rights Reserved
  • 55.
    55@ThreatConnect Whois Data © 2016ThreatConnect, Inc. All Rights Reserved
  • 56.
  • 57.
    57@ThreatConnect http.log $ cat http.log| bro-cut -u -C id.resp_h method host uri status_code resp_fuids resp_mime_types | grep '#fields|200' | sed -e 's/#fields//g' | column -t © 2016 ThreatConnect, Inc. All Rights Reserved
  • 58.
    58@ThreatConnect http.log $ cat http.log| bro-cut -u -C id.resp_h method host uri status_code resp_fuids resp_mime_types | grep '#fields|200' | sed -e 's/#fields//g' | column -t © 2016 ThreatConnect, Inc. All Rights Reserved
  • 59.
    59@ThreatConnect© 2016 ThreatConnect,Inc. All Rights Reserved Zapoi (Russian: запой) A term used in Russia and other post-Soviet states to describe alcohol abuse behavior resulting in two or more days of continuous drunkenness. https://en.wikipedia.org/wiki/Zapoy
  • 60.
    60@ThreatConnect /zapoy/gate.php = Pony ©2016 ThreatConnect, Inc. All Rights Reserved
  • 61.
    61@ThreatConnect http.log $ cat http.log| bro-cut -u -C id.resp_h method host uri status_code resp_fuids resp_mime_types | grep '#fields|200' | sed -e 's/#fields//g' | column -t © 2016 ThreatConnect, Inc. All Rights Reserved
  • 62.
    62@ThreatConnect /xdaovcny/index.php = Nymaim ©2016 ThreatConnect, Inc. All Rights Reserved
  • 63.
    63@ThreatConnect http.log $ cat http.log| bro-cut -u -C id.resp_h method host uri status_code resp_fuids resp_mime_types | grep '#fields|200' | sed -e 's/#fields//g' | column -t © 2016 ThreatConnect, Inc. All Rights Reserved
64. pe.log
  $ cat pe.log | bro-cut -c id machine compile_ts subsystem is_exe section_names | sed -e 's/#fields//g' | grep -v '#' | column -t
65. files.log
  $ cat files.log | bro-cut -c fuid filename total_bytes md5 sha1 sha256 | grep -E 'F8Ksgsir0wLKqA4e9|F0XaRJ2XvH5Epscnqj|#fields' | sed -e 's/#fields//g' | column -t | cut -d " " -f 2- | column -t
66. MAN1 Adversary Group
  http://www.threatgeek.com/2016/07/tracking-man1-crypter-actor.html
67. What Can We Learn From PCAP Only?
  • Adversary likely Russophone
  • Office document generating network traffic
  • Multi-stage malware
    • One payload is Pony
    • One payload is Nymaim
  • Nymaim has
    • Dedicated infrastructure
    • Rogue DNS
  • Dropper uses compromised Drupal websites
  • Adversary is MAN1
68. Collected Lots of Indicators
69. My local.bro
70. cuddlesome.exe = Ruckguv
71. Bro Output
  • Important logs
    • conn.log
    • dns.log
    • http.log
    • pe.log
    • files.log
  • Extracted files
  • Alternative JSON output for Elasticsearch
72. Volatility Memory Analysis Framework
73. What is the Volatility Framework?
  • Extracts artifacts from samples of volatile memory
  • An amazing view into what is happening in memory while a malware sample is running
74. Operating System Support
75. Volatility in Action
  • Analysis target: b.exe
  • Sample source: https://www.hybrid-analysis.com/
  • SHA1: 5149b40858c575238f1cbfcd32dd78a30bc87742
  • What can we learn from memory analysis?
76. Preparing Your Memory Image
  Convert the ELF64 image into a raw dd-style memory dump
  • Dump a memory image from a running VirtualBox VM
    $ VBoxManage debugvm "Win7x64" dumpvmcore --filename=vbox.img
    $ vol.py -f vbox.img --profile=Win7SP1x64 imagecopy -O copy.raw
77. pslist & psscan
  • psscan shows hidden and terminated processes
  • pslist shows running processes
  • pslist before and after running the malware sample
78. malfind
  $ vol.py -f copy.raw --profile=Win7SP1x64 malfind -D .
79. Malware Found?
  Avira: TR/Patched.Ren.Gen7
  Qihoo-360: HEUR/QVM40.1.Malware.Gen
  Qihoo-360: HEUR/QVM40.1.Malware.Gen
  0x80000 0xa000
80. netscan
  $ vol.py -f copy.raw --profile=Win7SP1x64 netscan | grep explorer
81. What Can We Learn From Memory Analysis?
  • Sample uses process injection
  • Injects into explorer.exe
  • Command and control IP address: 216.170.126.105
82. Volatility Output
  • Files extracted from services
  • Files extracted from injection
  • DLLs extracted
  • IP addresses extracted from network connections
  • URLs extracted from IE history
  • URLs extracted from malware configuration
  • Suspicious mutexes
83. Tying It All Together: Conclusion
84. Cuckoo, Thug, Bro Process
85. Volatility, Thug, Cuckoo Process
86. Orchestration and Automation
  • Use a message queue
    • Redis
    • RabbitMQ
    • ZeroMQ <- preferred
  • Use NGINX for file transfer under the message queue
  • Keep all output in Elasticsearch
    • Cuckoo needs to be cuckoo-modified, or write your own report plugin
    • Thug uses ES natively
    • Bro can export logs in JSON format
    • Volatility can export logs in JSON format
  • Glue everything together with Python 3
87. Questions?
  www.ThreatConnect.com/blog
  @MalwareUtkonos
  @ThreatConnect