Crash Course:
Malware Analysis
Keith J. Jones, PhD
keith.j.jones@ieee.org
I hope to…
• Provide a gentle introduction to malware analysis.
• Provide some context behind malware analysis that may spark your curiosity to learn more.
• Give you some resources so you can learn more about this exciting subject (for free!).
Samuel L. Jackson, Jurassic Park 1993
Be prepared for some of my most favorite cinematic references as we discuss malware for the next few minutes…
In Other Words…
https://lukelarsoncoaching.com/2016/10/12/get-your-feet-wet/
Outline
• Malware
• What is it?
• What can it do?
• How does it do it?
• How bad is it for real?
• You have yourself some malware... Now what?
1. Intelligence Search
2. Static Analysis
3. Dynamic Analysis
4. Automated Analysis
• Where can you learn more?
• Tons of free resources! Don’t fall asleep until the next presentation!
https://www.hbo.com/deadwood
Malware – What is it?
• Malicious + Software = Malware
• What is “malicious”?
• rm -rf /
• Packet sniffing
• Encrypting important files
• Data theft / exfiltration
• Camera Hijacking
• Packet forwarding
• Etc, etc, etc…
James Gandolfini as Tony Soprano, The Sopranos 1999-2006
Malware – What Else Can It Do?
• https://www.informationweek.com/forensics-expert-attempts-to-link-ubs-attack-and-defendant/d/d-id/1044540
• https://www.informationweek.com/how-a-trigger-set-off-a-logic-bomb-at-ubs-painewebber/d/d-id/1044679
• https://en.wikipedia.org/wiki/Logic_bomb
“In Michael Crichton's book Jurassic Park, computer technician Dennis Nedry inserted an object into the mainframe coding for the park that would shut off the entire island's power (including the supply to the electric fences) in order to steal several dinosaur embryos in the chaos.”
Malware – How Does It Do It?
• Always comes back to one activity:
• Something gets executed.
• Executable file (PE, for example)
• Weaponized document (VB scripts inside a document, for example)
• Device Driver
• Etc…
• Usually (but not always) because the user executed it.
• https://www.popularmechanics.com/technology/apps/news/a18837/facebook-has-been-intentionally-crashing-its-android-app-on-users/
• This was a “harmless” app people kept clicking, but what about that attachment sent via email?
Fight Club, 1999
Malware – How Bad Is It Really?
• There were on average 200,000+ new malware threats released into the internet each day in 2017, and that number generally grows each year (Panda Security, 2017).
• Let’s do some math and round down. There are 24*60*60=86,400 seconds in each day…
• 200,000 malware samples / 86,400 seconds each day = 2.315 malware samples / sec
• You would have to analyze more than 2 malware per second, for every second in a day.
• This assumes you never take a break to eat or sleep.
• If I were a betting man, I would bet that these numbers are extremely conservative.
• Simply put: Malware has gotten out of control.
Jaws, 1975
So You Found Some Malware…
• Four phases from least intrusive/difficult to most intrusive/difficult:
1. Intelligence Search
2. Static Analysis
3. Dynamic Analysis
4. Automated Analysis
• What do you know so far?
• File Type?
• File Name?
• File Size?
• Cryptographic Hash? (MD5, SHA-1, SHA256)
• Other file type specific info (imports & exports in a PE file, digital signature, etc.)
Intelligence Searching
• Be lazy if you can, don’t reinvent the wheel.
• Cryptographic hashes:
• MD5
• SHA-1
• SHA256
• Literally, put these ^^^ values for the malware sample you want to learn about into Google!
• Think about using the NIST NSRL.
• https://www.nist.gov/software-quality-group/national-software-reference-library-nsrl
• It is highly probable that any hash found in this list is going to be benign, or close to it.
• Two examples coming up in screen grabs…
Band of Brothers, 2001
Intelligence Example…
https://www.google.com/search?q=795840d1cc2cea94379e41c60519a8e4439a817150d8dc51b9f2ce8ea7a18d00
“Sorta Free” Resources
• https://www.virustotal.com
• Malware scanning, Intelligence Feeds, etc.
• https://www.virustotal.com/gui/file/795840d1cc2cea94379e41c60519a8e4439a817150d8dc51b9f2ce8ea7a18d00/detection
• https://www.hybrid-analysis.com/
• Similar to VT, above. “Hybrid Analysis” is their name, not necessarily the unbiased description.
• https://www.hybrid-analysis.com/sample/dfcdcba97c46f24d4595d604959a0d762d1a58e2a5bc001daa44b2ae3b650a94?environmentId=120
VirusTotal
“Hybrid Analysis” Website
Static Analysis
• File Metadata
• Cryptographic hashes
• SHA256
• ssdeep (similarity hashing)
• File name
• File size
• File Format Specific Information
• PE Files: Number of Sections, Name of Sections, Imports, Exports, etc
• Disassembly
Static Analysis – PE Info
https://cape.contextis.com/analysis/79752/
Static Analysis – Strings
https://cape.contextis.com/analysis/79752/
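The Intelligence Search and Static Analysis slides above come down to a short triage routine: hash the file (MD5/SHA-1/SHA256 to feed into searches), record its size, walk the PE header for section names and characteristics, and pull printable strings. The block below is an added example written for this page, not code from the talk or from the pefile project; it parses the PE headers in pure Python with struct rather than pefile, and runs against a tiny inert PE-shaped byte string constructed inline (it is not real malware and is not executable). The "truncated section" check is an assumption about what a practitioner would flag: a section table that points past the end of the file is a common sign of a damaged or deliberately malformed sample.

```python
import hashlib
import re
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000   # section characteristics flag: executable
OPTIONAL_HEADER_SIZE = 224           # size of a PE32 optional header
HEADERS_ALIGNED_TO = 0x200           # file alignment used by the constructed image


def build_sample_pe() -> bytes:
    """Constructed, inert PE-shaped bytes (not real malware): DOS header -> "PE\\0\\0"
    -> COFF header -> optional header -> two section headers -> section data."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)     # e_lfanew at 0x3C
    optional = b"\x0b\x01".ljust(OPTIONAL_HEADER_SIZE, b"\x00")           # 0x10b = PE32 magic
    # Machine=i386, 2 sections, SizeOfOptionalHeader, Characteristics=EXECUTABLE|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(optional), 0x0102)
    text_data = (b"CreateFileA\x00" + b"http://example.invalid/check\x00").ljust(0x200, b"\x00")
    rsrc_data = b"ConstructedResourceBlob\x00".ljust(0x200, b"\x00")
    # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
    # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
    sections = struct.pack("<8sIIIIIIHHI", b".text", len(text_data), 0x1000, len(text_data),
                           0x200, 0, 0, 0, 0, 0x60000020)   # CODE | EXECUTE | READ
    sections += struct.pack("<8sIIIIIIHHI", b".rsrc", len(rsrc_data), 0x2000, len(rsrc_data),
                            0x400, 0, 0, 0, 0, 0x40000040)  # INITIALIZED_DATA | READ
    headers = (dos + b"PE\x00\x00" + coff + optional + sections).ljust(HEADERS_ALIGNED_TO, b"\x00")
    return headers + text_data + rsrc_data


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> section table (no pefile needed)."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    coff_off = e_lfanew + 4
    machine, nsect, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff_off)
    sect_off = coff_off + 20 + opt_size
    if sect_off + 40 * nsect > len(data):
        raise ValueError("section table runs past end of file")
    sections = []
    for i in range(nsect):
        fields = struct.unpack_from("<8sIIIIIIHHI", data, sect_off + 40 * i)
        name, vsize, vaddr, raw_size, raw_ptr = fields[:5]
        sections.append({
            "name": name.rstrip(b"\x00").decode("ascii", "replace"),
            "virtual_address": vaddr,
            "virtual_size": vsize,
            "raw_size": raw_size,
            "raw_ptr": raw_ptr,
            "characteristics": fields[9],
            # raw data that extends past EOF: damaged download or deliberately malformed header
            "truncated": raw_ptr + raw_size > len(data),
        })
    return {"machine": machine, "characteristics": chars, "sections": sections}


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Printable ASCII runs of at least min_len bytes, like the classic `strings` tool."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def triage(data: bytes) -> dict:
    """The static-analysis facts the slides list: hashes, size, section info, strings."""
    pe = parse_pe(data)
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "section_names": [s["name"] for s in pe["sections"]],
        "executable_sections": [s["name"] for s in pe["sections"]
                                if s["characteristics"] & IMAGE_SCN_MEM_EXECUTE],
        "truncated_sections": [s["name"] for s in pe["sections"] if s["truncated"]],
        "strings": extract_strings(data),
    }


if __name__ == "__main__":
    for key, value in triage(build_sample_pe()).items():
        print(f"{key}: {value}")
```

Paste the printed sha256 into a search engine or VirusTotal exactly as the slides suggest; the section list and strings are what you compare against the CAPE/PE-info screenshots. A real sample would be read from disk with `open(path, "rb").read()` in place of `build_sample_pe()`, on an isolated analysis machine.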
Static Analysis – AV Info
• Scan it!
• Any combination of online services or AV software will allow you to scan suspicious binaries.
Static Analysis – Disassembly
https://www.nsa.gov/resources/everyone/ghidra/
Dynamic Analysis
DANGER! DANGER! DANGER!
Archer TV Series, 2009-Present
Dynamic Analysis – API Calls
Windows API Calls
• https://docs.microsoft.com/en-us/windows/desktop/api/fileapi/nf-fileapi-createfilea
Windows API Calls
• https://undocumented.ntinternals.net/
Dynamic Analysis – Memory Dumps
This can be used to unpack a malware payload, for example.
https://cape.contextis.com/analysis/79752/
Dynamic Analysis – Debugging
• WinDBG (Free-ish)
• x64dbg (Free)
• https://x64dbg.com/#start
• GDB (Free)
• IDA Pro (Not Free)
Automated Analysis
• Cuckoo Sandbox
• Great place to get your feet wet.
• Tons of documentation online.
• Can submit samples programmatically via the Cuckoo API.
• Python
• Shell script
• Curl
• Signatures can be developed to alert for certain criteria.
• If you go this route, I highly recommend you run all network traffic through a dedicated “dirty network”.
• Tor
• PIA
• Etc…
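The API-call slides and the "signatures can be developed to alert for certain criteria" bullet describe the same idea: a sandbox records which Windows APIs a process called, with what arguments, and signatures match patterns over that log. The block below is an added example for this page, not Cuckoo's own signature interface (Cuckoo's signatures are Python classes with their own hooks); it is a deliberately simplified model where each signature is an ordered list of per-call predicates that must all match within one process. The traces are constructed for the example; the API names are real Win32 calls, but the processes, paths and URL are made up and nothing here is output from a real sample.

```python
from dataclasses import dataclass
from typing import Callable, List

GENERIC_WRITE = 0x40000000   # dwDesiredAccess flag on CreateFileA/W
GENERIC_READ = 0x80000000

# Constructed behaviour trace, loosely shaped like a sandbox's per-process API-call log.
SUSPICIOUS_TRACE = {
    "processes": [
        {"pid": 1234, "name": "invoice_viewer.exe", "calls": [
            {"api": "CreateFileA", "args": {"lpFileName": "C:\\Users\\Public\\svc.exe",
                                            "dwDesiredAccess": GENERIC_WRITE}},
            {"api": "WriteFile", "args": {"nNumberOfBytesToWrite": 73216}},
            {"api": "RegSetValueExA", "args": {"key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
                                               "value_name": "svc"}},
            {"api": "InternetOpenUrlA", "args": {"url": "http://example.invalid/beacon"}},
        ]},
    ]
}

# Constructed control trace: an editor that only reads a text file.
BENIGN_TRACE = {
    "processes": [
        {"pid": 4321, "name": "notepad.exe", "calls": [
            {"api": "CreateFileA", "args": {"lpFileName": "C:\\Users\\Public\\notes.txt",
                                            "dwDesiredAccess": GENERIC_READ}},
            {"api": "ReadFile", "args": {"nNumberOfBytesToRead": 512}},
        ]},
    ]
}


# Per-call predicates: each looks at one logged API call and its arguments.
def writes_executable(call: dict) -> bool:
    args = call["args"]
    return (call["api"] in ("CreateFileA", "CreateFileW")
            and args.get("lpFileName", "").lower().endswith(".exe")
            and bool(args.get("dwDesiredAccess", 0) & GENERIC_WRITE))


def sets_run_key(call: dict) -> bool:
    return (call["api"].startswith("RegSetValueEx")
            and "\\currentversion\\run" in call["args"].get("key", "").lower())


def opens_url(call: dict) -> bool:
    return call["api"] in ("InternetOpenUrlA", "InternetOpenUrlW")


@dataclass
class Signature:
    name: str
    severity: int
    steps: List[Callable[[dict], bool]]   # must match in this order within one process


SIGNATURES = [
    Signature("writes_executable", 2, [writes_executable]),
    Signature("run_key_persistence", 2, [sets_run_key]),
    Signature("network_request", 1, [opens_url]),
    Signature("drop_then_persist", 3, [writes_executable, sets_run_key]),  # ordered pair
]


def matches_in_order(calls: list, steps: list) -> bool:
    """True if the predicates match some subsequence of the calls, in order."""
    idx = 0
    for call in calls:
        if idx < len(steps) and steps[idx](call):
            idx += 1
    return idx == len(steps)


def run_signatures(trace: dict, signatures=SIGNATURES) -> List[dict]:
    """Evaluate every signature against every process; one hit per (process, signature)."""
    hits = []
    for proc in trace["processes"]:
        for sig in signatures:
            if matches_in_order(proc["calls"], sig.steps):
                hits.append({"signature": sig.name, "severity": sig.severity,
                             "pid": proc["pid"], "process": proc["name"]})
    return hits


def score(hits: List[dict]) -> int:
    return sum(h["severity"] for h in hits)


def verdict(trace: dict, threshold: int = 5) -> str:
    return "suspicious" if score(run_signatures(trace)) >= threshold else "below threshold"


if __name__ == "__main__":
    for name, trace in (("suspicious", SUSPICIOUS_TRACE), ("benign", BENIGN_TRACE)):
        hits = run_signatures(trace)
        print(name, verdict(trace), score(hits), [h["signature"] for h in hits])
```

Two caveats worth keeping in mind when you write real signatures: the ordered-sequence match here only looks inside a single process, so behaviour split across a parent and a child process would not fire `drop_then_persist`, and a sample that detects the sandbox and never performs the actions produces an empty log rather than a clean bill of health.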
The Last Step?
• Rinse and Repeat.
• The information you learn in later steps can be plugged back into Google searches until you have learned as much as you can learn about your malware sample.
• Go forth and start pwning malware!
• Can your analysis scale to 100m samples?
Omar from The Wire, HBO 2002-2008
Free Resources
• Malware Unicorn Workshops
• https://malwareunicorn.org/#/workshops
• Ghidra
• https://www.nsa.gov/resources/everyone/ghidra/
• https://github.com/NationalSecurityAgency/ghidra
• Radare
• https://rada.re/r/
• Capstone Engine
• http://www.capstone-engine.org/
Free Resources (Continued…)
• Unicorn Engine
• http://www.unicorn-engine.org/
• Keystone Engine
• http://www.keystone-engine.org/
• Cuckoo Sandbox
• https://cuckoosandbox.org/
• https://malwr.com/
• Awesome Malware Analysis List
• https://github.com/rshipp/awesome-malware-analysis
• Python PEFile
• https://github.com/erocarrera/pefile
“Not So Free” Resources
• They are not free, but they are worth knowing about. Everyone in the malware and reverse engineering industry either knows about or has used these tools. If you are looking for a job in the industry, you should be at least vaguely familiar with them and where to find more information.
• IDA Pro
• https://www.hex-rays.com/products/ida/
• Binary Ninja
• https://binary.ninja/
?
Keith J. Jones, PhD
keith.j.jones@ieee.org
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 

Keith J. Jones, Ph.D. - Crash Course malware analysis

Malware – How Does It Do It?
• Always comes back to one activity: something gets executed.
  • Executable file (PE, for example)
  • Weaponized document (VB scripts inside a document, for example)
  • Device driver
  • Etc…
• Usually (but not always) because the user executed it.
  • https://www.popularmechanics.com/technology/apps/news/a18837/facebook-has-been-intentionally-crashing-its-android-app-on-users/
  • This was a “harmless” app people kept clicking, but what about that attachment sent via email?
Fight Club, 1999
Malware – How Bad Is It Really?
• There were on average 200,000+ new malware threats released onto the internet each day in 2017, and that number generally grows each year (Panda Security, 2017).
• Let’s do some math and round down. There are 24*60*60 = 86,400 seconds in each day…
• 200,000 malware samples / 86,400 seconds = 2.315 malware samples per second.
• You would have to analyze more than 2 malware samples per second, for every second in a day.
  • This assumes you never take a break to eat or sleep.
• If I were a betting man, I would bet that these numbers are extremely conservative.
• Simply put: malware has gotten out of control.
Jaws, 1975
So You Found Some Malware…
• Four phases, from least intrusive/difficult to most intrusive/difficult:
  1. Intelligence Search
  2. Static Analysis
  3. Dynamic Analysis
  4. Automated Analysis
• What do you know so far?
  • File type?
  • File name?
  • File size?
  • Cryptographic hash? (MD5, SHA-1, SHA-256)
  • Other file-type-specific info (imports and exports in a PE file, digital signature, etc.)
Intelligence Searching
• Be lazy if you can; don’t reinvent the wheel.
• Cryptographic hashes:
  • MD5
  • SHA-1
  • SHA-256
• Literally, put these values for the malware sample you want to learn about into Google!
• Think about using the NIST NSRL.
  • https://www.nist.gov/software-quality-group/national-software-reference-library-nsrl
  • The NSRL is a reference set of hashes of known, published software, so it is highly probable that any hash found in this list belongs to a benign (or close to benign) file. A miss tells you nothing either way.
• Two examples coming up in screen grabs…
Band of Brothers, 2001
“Sorta Free” Resources
• https://www.virustotal.com
  • Malware scanning, intelligence feeds, etc.
  • https://www.virustotal.com/gui/file/795840d1cc2cea94379e41c60519a8e4439a817150d8dc51b9f2ce8ea7a18d00/detection
• https://www.hybrid-analysis.com/
  • Similar to VT, above. “Hybrid Analysis” is their name, not necessarily an unbiased description.
  • https://www.hybrid-analysis.com/sample/dfcdcba97c46f24d4595d604959a0d762d1a58e2a5bc001daa44b2ae3b650a94?environmentId=120
• Searching by hash is low-risk; uploading the sample itself shares it with the service and its subscribers, so check your handling rules before you submit.
Static Analysis
• File metadata
  • Cryptographic hashes
    • SHA-256
    • ssdeep (fuzzy hash, for similarity to other samples)
  • File name
  • File size
• File-format-specific information
  • PE files: number of sections, section names, imports, exports, etc.
• Disassembly
Static Analysis – PE Info (screenshot)
https://cape.contextis.com/analysis/79752/

Static Analysis – Strings (screenshot)
https://cape.contextis.com/analysis/79752/
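The first two phases (hashes and file type for the intelligence search, then the PE section table and strings for static analysis) can be scripted in a few dozen lines. The following is an added example written for this page, not the presenter's code: it uses only the Python standard library, so the ssdeep fuzzy hash the slide mentions is left out (it needs the external `ssdeep` module), and the PE it inspects is a constructed toy PE32 built inline so the script runs offline. For real samples the `pefile` library listed on the resources slide does the PE parsing more completely; the hand parser here is just enough to show where the section names, sizes and flags come from.

```python
"""Static triage: file type, hashes, PE sections, strings, cheap packing indicators.

Added example for this page (not the presenter's code). Standard library only.
"""
import hashlib
import math
import re
import struct

STANDARD_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata", ".edata", ".pdata", ".bss", ".tls"}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def hashes(data: bytes) -> dict:
    """The three hashes the slides suggest searching for."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def file_type(data: bytes) -> str:
    """Identify by magic bytes, not by the extension the attacker chose."""
    if data[:2] == b"MZ":
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0] if len(data) >= 0x40 else 0
        return "PE executable" if data[e_lfanew:e_lfanew + 4] == b"PE\0\0" else "MZ (DOS stub only or malformed PE)"
    if data[:4] == b"\x7fELF":
        return "ELF executable"
    if data[:4] == b"%PDF":
        return "PDF document"
    if data[:8] == b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1":
        return "OLE2 compound file (legacy Office, may carry VBA)"
    if data[:4] == b"PK\x03\x04":
        return "ZIP container (OOXML document, JAR, APK, ...)"
    return "unknown"


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; near 8.0 means compressed or encrypted content."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return sum(-p * math.log2(p) for p in (c / n for c in counts if c))


def pe_sections(data: bytes) -> list:
    """Walk the COFF header and the section table (same layout for PE32 and PE32+)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    _machine, nsections, _ts, _sym, _nsym, opt_size, _flags = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    table = e_lfanew + 4 + 20 + opt_size          # signature + COFF header + optional header
    sections = []
    for i in range(nsections):
        off = table + i * 40                      # each IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": raw_size, "entropy": round(entropy(raw), 2),
                         "executable": bool(chars & IMAGE_SCN_MEM_EXECUTE),
                         "writable": bool(chars & IMAGE_SCN_MEM_WRITE)})
    return sections


def ascii_strings(data: bytes, min_len: int = 6) -> list:
    """Printable runs, the manual equivalent of the strings view in the CAPE screenshot."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def indicators(sections: list) -> list:
    """Cheap static tells that justify moving on to dynamic analysis."""
    out = []
    for s in sections:
        if s["name"] not in STANDARD_SECTIONS:
            out.append(f"nonstandard section name {s['name']!r}")
        if s["entropy"] > 7.0:
            out.append(f"high entropy ({s['entropy']}) in {s['name']}: likely packed or encrypted")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            out.append(f"{s['name']} has no raw data but {s['virtual_size']:#x} bytes virtual: unpack target")
        if s["executable"] and s["writable"]:
            out.append(f"{s['name']} is writable and executable")
    return out


def triage(data: bytes) -> dict:
    report = {"file_type": file_type(data), "size": len(data), **hashes(data)}
    if report["file_type"] == "PE executable":
        report["sections"] = pe_sections(data)
        report["indicators"] = indicators(report["sections"])
    report["strings"] = ascii_strings(data)
    return report


def build_sample_pe() -> bytes:
    """Constructed toy PE32 (not a real sample): a clean .text plus a UPX-style high-entropy section."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew: PE signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)   # i386, 2 sections, 224-byte optional header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic

    def section(name, vsize, vaddr, raw_size, raw_ptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, raw_size, raw_ptr, 0, 0, 0, 0, chars)

    img = bytearray(bytes(dos) + b"PE\0\0" + coff + bytes(opt))
    img += section(b".text", 0x1000, 0x1000, 64, 0x200, 0x60000020)  # code | execute | read
    img += section(b"UPX1", 0x2000, 0x2000, 256, 0x240, 0xE0000040)  # data | execute | read | write
    img += bytes(0x200 - len(img))                                   # pad headers to first raw section
    img += b"\x90" * 64                                              # .text: NOPs, entropy 0
    img += bytes(range(256))                                         # UPX1: every byte once, entropy 8.0
    return bytes(img)
```

Running `triage(build_sample_pe())` reports the file as a PE, lists `.text` (entropy 0.0) and `UPX1` (entropy 8.0, writable and executable) and emits three indicators for the second section; on a real file, the `md5`/`sha1`/`sha256` values are what you paste into the searches from the previous slide, and the strings list is what you skim for URLs, paths and mutex names before touching a sandbox.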
Static Analysis – AV Info
• Scan it!
• Any combination of online services or AV software will allow you to scan suspicious binaries.
Static Analysis – Disassembly (five slides of Ghidra screenshots)
https://www.nsa.gov/resources/everyone/ghidra/
Dynamic Analysis
DANGER! DANGER! DANGER!
• From here on you are actually running the sample, so everything below belongs in an isolated, disposable environment (see the “dirty network” note under Automated Analysis).
Archer TV series, 2009–present
Dynamic Analysis – API Calls

Windows API Calls
• https://docs.microsoft.com/en-us/windows/desktop/api/fileapi/nf-fileapi-createfilea

Windows API Calls
• https://undocumented.ntinternals.net/
Dynamic Analysis – Memory Dumps
• Dumping process memory after the sample has run can be used to recover an unpacked malware payload, for example.
https://cape.contextis.com/analysis/79752/
Dynamic Analysis – Debugging
• WinDbg (free-ish)
• x64dbg (free)
  • https://x64dbg.com/#start
• GDB (free)
• IDA Pro (not free)
Automated Analysis
• Cuckoo Sandbox
  • Great place to get your feet wet.
  • Tons of documentation online.
  • Can submit samples programmatically via the Cuckoo API.
    • Python
    • Shell script
    • curl
  • Signatures can be developed to alert on certain criteria.
• If you go this route, I highly recommend you run all network traffic through a dedicated “dirty network”.
  • Tor
  • PIA
  • Etc…
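The API-call slides and the "signatures can be developed" bullet above are two views of the same idea: a sandbox records every Windows API call the sample makes (CreateFileA, WriteFile, RegSetValueExA, ...) and a signature is a rule over that call stream. The following is an added example, not Cuckoo's code and not the presenter's: three rules matching behaviours named earlier in the deck (encrypting important files, persistence, calling home) run over a constructed trace. The trace's record shape (`pid`, `api`, `args`) is a simplified stand-in for what a sandbox logs, not Cuckoo's exact report schema; the paths, registry key and IP are invented.

```python
"""Behavioural rules over a sandbox API-call trace.

Added example for this page (not Cuckoo's code, not the presenter's). The trace
is constructed; its record shape is a simplification of a sandbox report.
"""
import re

DOC_EXT = (".docx", ".xlsx", ".pptx", ".pdf", ".jpg")
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
IP_LITERAL_URL = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?/", re.IGNORECASE)


def rule_mass_document_rewrite(trace, threshold=3):
    """Ransomware tell: a document is opened for reading, a sibling file carrying an
    extra extension is created for writing, and the original is deleted. One file is
    normal editor behaviour; `threshold` files in one run is not."""
    opened_read, created, deleted = set(), set(), set()
    for call in trace:
        args = call["args"]
        path = args.get("lpFileName", "")
        if call["api"] in ("CreateFileA", "CreateFileW"):
            access = args.get("dwDesiredAccess", "")
            if path.lower().endswith(DOC_EXT) and "GENERIC_READ" in access:
                opened_read.add(path)
            if "GENERIC_WRITE" in access:
                created.add(path)
        elif call["api"] in ("DeleteFileA", "DeleteFileW"):
            deleted.add(path)
    victims = sorted(p for p in opened_read & deleted
                     if any(c.startswith(p) and c != p for c in created))
    return victims if len(victims) >= threshold else []


def rule_run_key_persistence(trace):
    """Autostart value written under ...\\CurrentVersion\\Run or RunOnce."""
    return [(c["args"].get("name"), c["args"].get("value")) for c in trace
            if c["api"].startswith("RegSetValueEx") and RUN_KEY.search(c["args"].get("regkey", ""))]


def rule_ip_literal_c2(trace):
    """HTTP to a bare IP address: legitimate software rarely does it, droppers often do."""
    return [c["args"]["url"] for c in trace
            if c["api"].startswith("InternetOpenUrl") and IP_LITERAL_URL.match(c["args"].get("url", ""))]


RULES = (("mass_document_rewrite", rule_mass_document_rewrite),
         ("run_key_persistence", rule_run_key_persistence),
         ("ip_literal_c2", rule_ip_literal_c2))


def evaluate(trace):
    """Run every rule; a non-empty result is an alert with its evidence attached."""
    findings = {}
    for name, rule in RULES:
        hits = rule(trace)
        if hits:
            findings[name] = hits
    return findings


def build_sample_trace():
    """Constructed trace for one process (pid 1234): three documents rewritten, a Run
    key set, a beacon to an IP literal, plus one benign DLL open as noise."""
    trace = []
    for doc in ("q3.xlsx", "thesis.docx", "taxes.pdf"):
        path = "C:\\Users\\bob\\Documents\\" + doc
        trace += [
            {"pid": 1234, "api": "CreateFileA", "args": {"lpFileName": path, "dwDesiredAccess": "GENERIC_READ"}},
            {"pid": 1234, "api": "ReadFile", "args": {"hFile": "0x1a4"}},
            {"pid": 1234, "api": "CreateFileA", "args": {"lpFileName": path + ".locked", "dwDesiredAccess": "GENERIC_WRITE"}},
            {"pid": 1234, "api": "WriteFile", "args": {"hFile": "0x1a8"}},
            {"pid": 1234, "api": "DeleteFileA", "args": {"lpFileName": path}},
        ]
    trace.append({"pid": 1234, "api": "RegSetValueExA", "args": {
        "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
        "name": "updater", "value": "C:\\Users\\bob\\AppData\\Roaming\\svchost.exe"}})
    trace.append({"pid": 1234, "api": "InternetOpenUrlA", "args": {"url": "http://198.51.100.7/gate.php"}})
    trace.append({"pid": 1234, "api": "CreateFileA", "args": {
        "lpFileName": "C:\\Windows\\System32\\kernel32.dll", "dwDesiredAccess": "GENERIC_READ"}})
    return trace
```

`evaluate(build_sample_trace())` returns all three findings with their evidence (the three victim paths, the Run value and target, the beacon URL); cut the trace to two documents and the rewrite rule stays silent, which is the point of the threshold. In Cuckoo itself the same checks go in a `Signature` subclass whose `on_call` hook receives each recorded call in order, so the rule bodies carry over unchanged.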
The Last Step?
• Rinse and repeat.
• The information you learn in later steps can be plugged back into Google searches until you have learned as much as you can about your malware sample.
• Go forth and start pwning malware!
• Can your analysis scale to 100m samples?
Omar from The Wire, HBO 2002–2008
Free Resources
• Malware Unicorn Workshops
  • https://malwareunicorn.org/#/workshops
• Ghidra
  • https://www.nsa.gov/resources/everyone/ghidra/
  • https://github.com/NationalSecurityAgency/ghidra
• Radare
  • https://rada.re/r/
• Capstone Engine
  • http://www.capstone-engine.org/

Free Resources (Continued…)
• Unicorn Engine
  • http://www.unicorn-engine.org/
• Keystone Engine
  • http://www.keystone-engine.org/
• Cuckoo Sandbox
  • https://cuckoosandbox.org/
  • https://malwr.com/
• Awesome Malware Analysis List
  • https://github.com/rshipp/awesome-malware-analysis
• Python pefile
  • https://github.com/erocarrera/pefile
“Not So Free” Resources
• They are not free, but they are worth knowing about. Everyone in the malware and reverse engineering industry either knows about these tools or has used them. If you are looking for a job in the industry, you should be at least vaguely familiar with these tools and where to find more information.
• IDA Pro
  • https://www.hex-rays.com/products/ida/
• Binary Ninja
  • https://binary.ninja/
Questions?
Keith J. Jones, PhD
keith.j.jones@ieee.org