Malware analysis _ Threat Intelligence Morocco
MALWARE ANALYSIS
THE ART OF BEING A FRIEND OF MALWARE.
$WHOAMI
TOUHAMI KASBAOUI!
• DEVELOPER CYBER SECURITY SOLUTIONS, PURPLE TEAM.
• NOCONAME SPEAKER
• ZERODIUM HUNTER
• BUG BOUNTY HUNTER.
• DEVELOPER APT ATTACKS (MILITARY COMPANIES)
• BLUE TEAM DEVELOPER SOLUTIONS (0BTEMOS TRACKER, BLACKCODE)
• …
MALWARE ANALYSIS: THE BASICS
Class: Description
• Virus: Code that propagates (replicates) across systems with user intervention
• Worm: Code that self-propagates/replicates across systems without requiring user intervention
• Bot: Automated process that interacts with other network services
• Trojan: Malware that is often disguised as legitimate software
• Ransomware: Malware that holds the victim's data hostage by cryptography or other means
• Rootkit: Masks its own existence or the existence of other software
• Backdoor: Enables a remote attacker to have access to or send commands to a compromised computer
• RAT: Remote Access Trojan, similar to a backdoor
• Info Stealer: Steals the victim's information, passwords, or other personal data
• HackTool: Admin tools or programs that may be used by hackers to attack computer systems and networks. These programs are not generally malicious
• Hoax: Program that may deliver a false warning about a computer virus or install a fake AV
• Dropper/Downloader: Designed to "install" or download some sort of malware
• Adware: Automatically renders advertisements in order to generate revenue for its author
• PUP/PUA: Potentially Unwanted Program/Application, sometimes added to a system without the user's knowledge or approval
HOW DID IT START?
• 1989: AIDS Trojan, first case of ransomware
• 2005: Gpcode (PGPCoder)
• 2009/2010: WinLock
• 2012: ACCDFISA, Urausy, Reveton
• 2013: CryptoLocker
• 2014: CTB-Locker (Citroni), TorrentLocker, CryptoWall
• 2015: Mobile ransomware (on Android), such as Fusob
• 2016: Locky, ‘open source’ ransomware such as Eda2, Hidden Tear
• 2017: WannaCry (May), NotPetya (June), BadRabbit (October)
• 2018/2019: GandCrab, Deja-Vu
• 2020/2021: DarkSide, SaveTheQueen, Thanatos
CRYPTO-LOCKER
• Introduced the end of rogueware (fake anti-virus)
• Innovative …
• Inspirational …
• … And very annoying ☺
• Many assumed that any form of cryptographic ransomware (cryptoware) is CryptoLocker; however, this was only one ransomware variant. It has been dead since 2014.
HOW DOES ONE GET MALWARE? THE BAD WAY
• Phishing or spear-phishing
• Exploit kits
• Drive-by download
• USB drive or other removable media
• Network (shares, SMB)
• Manual installation (RDP, VNC, TeamViewer, …)
• Watering hole (strategic web compromise)
• Other malware that downloads and/or installs ‘companions’
• Exploitation of a security vulnerability (RCE, 0-day zero-click or one-click)
HOW DOES ONE GET MALWARE? FOR ANALYSIS PURPOSES
• Malware sample sources for researchers
  • http://tracker.0btemoslab.com/tracker/ (infected/infected)
• List of malware sources:
  • https://github.com/fabacab/awesome-malware (open source and black box)
• Get good at finding legitimate samples from live honeypots by checking only the MD5 hash on google.com ☺
• Track back from the end to the start by looking at the source C&C
  • http://tracker.0btemoslab.com
ANALYZING MALWARE: STATIC VS DYNAMIC
• Static: do not run the malware; look at its static properties.
  • Can you think of tools, or of what could be considered static properties?
• Dynamic: run the malware and examine what happens from there.
  • Can you think of tools, or of what could only be discovered by running the malware?
• Why not both?
ANALYZING MALWARE: STATIC VS DYNAMIC
• Hi! Just giving you that reminder,
• What is Reverse Engineering?
• Game Plan
STATIC MALWARE ANALYSIS: PRIMER
First off, consider the type of the file. Is it a(n) …
• Executable? EXE, COM, SCR, PIF, DLL
  • Strings, compile time, imports, sections …
• Image? PNG, BMP, JPG, GIF
  • Steganography, hidden content, creator/creation date, …
• Office file? DOC/DOCX, XLS/XLSX, RTF
  • Creator/creation date, embedded content, filename, …
• Adobe file? PDF, SWF/FWS
  • Creator/creation date, embedded content, filename, …
• Archive? ZIP, RAR, 7z, ISO
  • Creation date, contents, …
STATIC MALWARE ANALYSIS: TOOLS
It is important to have a proper toolbox, or toolset.
• Executable?
  • ExeinfoPE, Detect It Easy (DIE), PEviewer (RogueKillerPE)
• Office document?
  • OLETools, oledump, OfficeMalScanner, QuickSand
• Adobe document?
  • pdfid, pdf-parser, PDF Stream Dumper
• Additionally: Strings2, FLOSS, and … calculate hashes! (MD5, SHA1, SHA256)
• Usually and necessary: Wireshark, Fiddler, x64dbg, IDA, Ghidra, ProcMon + Process Hacker
STATIC MALWARE ANALYSIS: PE, WHAT IS IN A FILE?
PE is short for Portable Executable; the layout is defined in the Microsoft PE and COFF (Common Object File Format) Specification.
• NT HEADER
  • PE Signature
  • File Header
  • Optional Header
• Section Directory
• Section Headers
• Sections
  • .text
  • .data
  • .rdata
  • .reloc
  • .rsrc
  • .debug
STATIC MALWARE ANALYSIS: WINDOWS ARCHITECTURE
STATIC MALWARE ANALYSIS: ANATOMY OF A WINDOWS PE C PROGRAM
STATIC MALWARE ANALYSIS: OPCODES AND INSTRUCTIONS
• Data Movement/Access
• Arithmetic / Logic
• Control-Flow
STATIC MALWARE ANALYSIS: OPCODES AND INSTRUCTIONS
Register: Description
• SS: Stack Segment, pointer to the stack
• CS: Code Segment, pointer to the code
• DS: Data Segment, pointer to the data
• ES: Extra Segment, pointer to extra data
• FS: F Segment, pointer to more extra data
• GS: G Segment, pointer to still more extra data
STATIC MALWARE ANALYSIS: REGISTERS
Register: Description
• EAX: Accumulator Register
• EBX: Base Register
• ECX: Counter Register
• EDX: Data Register
• ESI: Source Index
• EDI: Destination Index
• EBP: Base Pointer
• ESP: Stack Pointer
STATIC MALWARE ANALYSIS: INSTRUCTION POINTER
STATIC MALWARE ANALYSIS: PACKED MALWARE
• Themida
• Armadillo
• ASPack
• ASPR (ASProtect)
• BoxedApp Packer
• CExe
• dotBundle
• Enigma Protector
• EXE Bundle
• EXE Stealth
• eXPressor
• FSG
• kkrunchy
• MEW
• MPRESS
• Obsidium
• PESpin
• Petite
• RLPack Basic
• Smart Packer Pro
• UPX
• VMProtect
• XComp/XPack
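For the PE layout slide and the packer list above, an added example (not code from the talk) that does the first static-triage steps in Python: it walks the DOS header, PE signature, file header, optional header and section headers, computes the MD5/SHA1/SHA256 hashes the tools slide asks for, and flags packer-style section names and high-entropy sections. The PE image is constructed in memory (not real malware), and the packer section-name list is an illustrative assumption, not a complete signature set.

```python
import hashlib
import math
import struct

# Constructed sample (not real malware): a minimal PE32 image assembled in memory.
# Layout follows the slides: DOS header -> NT header (PE signature, file header,
# optional header) -> section headers -> raw section data.
LOW_ENTROPY_DATA = b"\x90" * 256 + b"\x00" * 256                                      # plain code/data look-alike
HIGH_ENTROPY_DATA = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))  # compressed look-alike

# Section names commonly left behind by packers from the slide's list (assumption: illustrative, not exhaustive).
KNOWN_PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".themida",
                         ".vmp0", ".vmp1", ".MPRESS1", ".MPRESS2", ".petite"}


def build_sample_pe() -> bytes:
    """Assemble a two-section PE32 (.text and UPX1) with valid MZ/PE headers."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\x00" * 58 + struct.pack("<I", e_lfanew)      # e_lfanew lives at offset 0x3C
    # IMAGE_OPTIONAL_HEADER32 (0xE0 bytes): Magic = 0x10B, AddressOfEntryPoint at offset 16.
    optional = struct.pack("<H", 0x10B) + b"\x00" * 14 + struct.pack("<I", 0x1000) + b"\x00" * 204
    # IMAGE_FILE_HEADER: Machine=i386, 2 sections, timestamp, symtab ptr, symcount, opt size, flags.
    file_header = struct.pack("<HHIIIHH", 0x14C, 2, 0x5F000000, 0, 0, len(optional), 0x0102)
    sections = [(b".text", 0x1000, 0x200, LOW_ENTROPY_DATA),
                (b"UPX1", 0x2000, 0x400, HIGH_ENTROPY_DATA)]
    # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ..., Characteristics
    section_headers = b"".join(
        struct.pack("<8sIIIIIIHHI", name, len(data), va, len(data), raw_ptr, 0, 0, 0, 0, 0x60000020)
        for name, va, raw_ptr, data in sections)
    image = bytearray(dos_header + b"PE\0\0" + file_header + optional + section_headers)
    for _, _, raw_ptr, data in sections:
        image.extend(b"\x00" * (raw_ptr - len(image)))                      # pad up to PointerToRawData
        image.extend(data)
    return bytes(image)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant block, close to 8.0 for compressed or encrypted data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(image: bytes) -> dict:
    """Walk MZ -> e_lfanew -> PE signature -> file header -> optional header -> section headers."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature: not a DOS/PE executable")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    fh = e_lfanew + 4
    machine, nsec, timestamp, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", image, fh)
    opt = fh + 20
    (magic,) = struct.unpack_from("<H", image, opt)                       # 0x10B = PE32, 0x20B = PE32+
    (entry_point,) = struct.unpack_from("<I", image, opt + 16)
    sections = []
    for i in range(nsec):
        name, vsize, va, raw_size, raw_ptr, *_ = struct.unpack_from("<8sIIIIIIHHI", image, opt + opt_size + 40 * i)
        raw = image[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_address": va, "virtual_size": vsize, "raw_size": raw_size,
                         "entropy": round(shannon_entropy(raw), 2)})
    return {"machine": machine, "timestamp": timestamp, "pe32plus": magic == 0x20B,
            "entry_point": entry_point, "characteristics": characteristics, "sections": sections}


def file_hashes(image: bytes) -> dict:
    """The three hashes from the tools slide; the first thing to look up before running anything."""
    return {alg: hashlib.new(alg, image).hexdigest() for alg in ("md5", "sha1", "sha256")}


def packer_hints(info: dict, entropy_threshold: float = 7.0) -> list:
    """Heuristics only: packer section names and high-entropy sections, to be confirmed with DIE or ExeinfoPE."""
    hints = []
    for s in info["sections"]:
        if s["name"] in KNOWN_PACKER_SECTIONS:
            hints.append(f"section {s['name']!r} is a known packer section name")
        if s["entropy"] >= entropy_threshold:
            hints.append(f"section {s['name']!r} has entropy {s['entropy']} (compressed/encrypted?)")
    return hints


if __name__ == "__main__":
    sample = build_sample_pe()
    report = parse_pe(sample)
    print(file_hashes(sample))
    print(f"machine=0x{report['machine']:x} entry=0x{report['entry_point']:x} PE32+={report['pe32plus']}")
    for s in report["sections"]:
        print(f"  {s['name']:<8} VA=0x{s['virtual_address']:x} raw={s['raw_size']} entropy={s['entropy']}")
    for hint in packer_hints(report):
        print("  !", hint)
```

To run it against a real file, replace `build_sample_pe()` with the file's bytes; the entropy threshold is a starting point, and a high-entropy .rsrc holding compressed images is a common false positive.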
STATIC MALWARE ANALYSIS: OBFUSCATION
FOLLOW ME
DYNAMIC MALWARE ANALYSIS
DYNAMIC MALWARE ANALYSIS: PRIMER
• You have two different ways of doing dynamic analysis:
  • Do it yourself: run the malware in a VM
    • Manual dynamic analysis
  • Use a sandbox: let a sandbox take care of the malware
    • Automatic dynamic analysis
DYNAMIC MALWARE ANALYSIS: ONLINE SANDBOX
• Online sandboxes you can use:
  • VirusTotal
  • Any.run
  • malwr.com
  • Reverse.it
  • Hybrid-analysis.com
  • Joe Sandbox
THREAT X IN MOROCCO!
A threat that exists in Morocco: guess what it is?
• 90% of attacks come from password info stealers!
• How can I prove it?
• Our intelligence tracker detected around 180 GB of leaked data related to MA domains and personal information.
• 320+ spammers identified from the gathered data and C&C checks in Morocco.
• We have some people from ensias.um5.ac.ma
• Is this all we have? NO.
ATM MALWARE GATHERED FROM MOROCCAN ISPs
TECHNICAL DETAILS: ATM DISPENSE MALWARE
THE PURPOSE OF THESE 2 THREATS
Getting ready for the next war.
Q/A
  • 5. CRYPTO-LOCKER • Introduction: the end of rogueware (fake anti-virus) • Innovative … • Inspirational … • … And very annoying ☺ • Many assumed that any form of cryptographic ransomware (cryptoware) is CryptoLocker; however, this was one ransomware variant. It has been dead since 2014
  • 6. HOW DOES ONE GET MALWARE ? THE BAD WAY • Phishing or spear-phishing • Exploit kits • Drive-by download • USB drive or other removable media • Network (Shares, SMB) • Manual installation (RDP, VNC, Team Viewer, … ) • Watering hole (Strategic Web Compromise) • Other Malware that downloads and/or install ‘Companions’ • Exploit security vulnerability (RCE , 0day zero click or one click)
  • 7. HOW DOES ONE GET MALWARE? FOR ANALYSIS PURPOSES • Malware sample sources for researchers • http://tracker.0btemoslab.com/tracker/ (infected/infected) • List of malware sources: • https://github.com/fabacab/awesome-malware (open source and black box) • Be a master of finding legit samples from live honeypots by checking only the MD5 hash with google.com ☺ • Track back from the end to the start by looking at the source C&C • http://tracker.0btemoslab.com
  • 8. ANALYZING MALWARE: STATIC VS DYNAMIC • Static: do not run the malware, look at its static properties • Can you think of tools, or of what could be considered static properties? • Dynamic: run the malware, and examine what it does • Can you think of tools, or of what could only be discovered by running the malware? • Why not BOTH?
  • 9. ANALYZING MALWARE: STATIC VS DYNAMIC • Hi! Just giving you that reminder, • What is Reverse Engineering? • Game Plan
  • 10. STATIC MALWARE ANALYSIS: PRIMER First off, consider the type of the file. Is it a(n) … • Executable? EXE, COM, SCR, PIF, DLL • Strings, compile time, imports, sections … • Image? PNG, BMP, JPG, GIF • Steganography, hidden content, creator/creation date, … • Office file? DOC/DOCX, XLS/XLSX, RTF • Creator/creation date, embedded content, filename, … • Adobe file? PDF, SWF/FWS • Creator/creation date, embedded content, filename, … • Archive? ZIP, RAR, 7z, ISO • Creation date, contents, …
  • 11. STATIC MALWARE ANALYSIS: TOOLS It is important to have a proper toolbox, or toolset • Executable? • ExeinfoPE, Detect It Easy (DIE), PEViewer (RogueKillerPE) • Office document? • OLETools, oledump, OfficeMalScanner, QuickSand • Adobe document? • pdfid, pdf-parser, PDF Stream Dumper • Additionally: Strings2, FLOSS, and … calculate hashes! (MD5, SHA1, SHA256)
  • 12. STATIC MALWARE ANALYSIS: TOOLS It is important to have a proper toolbox, or toolset • Executable? • ExeinfoPE, Detect It Easy (DIE), PEViewer (RogueKillerPE) • Office document? • OLETools, oledump, OfficeMalScanner, QuickSand • Adobe document? • pdfid, pdf-parser, PDF Stream Dumper • Additionally: Strings2, FLOSS, and … calculate hashes! (MD5, SHA1, SHA256) • Usually and necessary: Wireshark, Fiddler, x64dbg, IDA, Ghidra, ProcMon + Process Hacker
  • 13. STATIC MALWARE ANALYSIS: PE – WHAT'S IN A FILE? Short for PE – Portable Executable and Common Object File Format Specification. NT HEADER: PE Signature, File Header, Optional Header (Optional Header Section Directory) • Section Headers • Sections: .text .data .rdata .reloc .rsrc .debug
  • 14. STATIC MALWARE ANALYSIS: WINDOWS ARCHITECTURE
  • 15. STATIC MALWARE ANALYSIS: ANATOMY OF A WINDOWS PE C PROGRAM
  • 16. STATIC MALWARE ANALYSIS: OPCODES AND INSTRUCTIONS • Data Movement/Access • Arithmetic / Logic • Control-Flow
  • 17. STATIC MALWARE ANALYSIS: OPCODES AND INSTRUCTIONS Register Description SS Stack Segment, Pointer to the stack CS Code Segment, Pointer to the code DS Data Segment, Pointer to the data ES Extra Segment, Pointer to extra data FS F Segment, Pointer to more extra data GS G Segment, Pointer to still more extra data
  • 18. STATIC MALWARE ANALYSIS: REGISTERS Register Description EAX Accumulator Register EBX Base Register ECX Counter Register EDX Data Register ESI Source Index EDI Destination Index EBP Base Pointer ESP Stack Pointer
  • 19. STATIC MALWARE ANALYSIS: INSTRUCTION POINTER Register Description EAX Accumulator Register EBX Base Register ECX Counter Register EDX Data Register ESI Source Index EDI Destination Index EBP Base Pointer ESP Stack Pointer
  • 20. STATIC MALWARE ANALYSIS: PACKED MALWARE • Themida • Armadillo • ASPack • ASPR (ASProtect) • BoxedApp Packer • CExe • dotBundle • Enigma Protector • EXE Bundle • EXE Stealth • eXPressor • FSG • kkrunchy • MEW • MPRESS • Obsidium • PESpin • Petite • RLPack Basic • Smart Packer Pro • Themida • UPX • VMProtect • XComp/XPack
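The static-analysis steps the slides above walk through (identify the file type, hash it, read the PE headers down to the section table, and look for signs of packing) as one added worked example in Python. This is not code from the talk or from any of the tools it lists. The PE image it parses is constructed inline with just enough header to exercise the parser, and the magic-byte table, the packer section-name set and the 7.0 bits/byte entropy cut-off are illustrative assumptions, not a signature database.

```python
import hashlib
import math
import struct

# Leading magic bytes for the file classes on the primer slide.
# Assumption: a short illustrative table, not an exhaustive signature list.
MAGIC = [
    (b"MZ", "PE executable (EXE/DLL/SCR)"),
    (b"%PDF", "PDF document"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 compound file (DOC/XLS)"),
    (b"PK\x03\x04", "ZIP container (also DOCX/XLSX)"),
    (b"\x89PNG\r\n\x1a\n", "PNG image"),
]
# Section names left behind by common packers. Assumption: a small set for illustration.
PACKER_SECTIONS = {"UPX0", "UPX1", ".aspack", ".themida", ".vmp0", ".vmp1"}


def identify(data: bytes) -> str:
    """Classify a blob by its leading magic bytes: the first static property to check."""
    for magic, label in MAGIC:
        if data.startswith(magic):
            return label
    return "unknown"


def hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 of the whole file, the identifiers used to look a sample up."""
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256")}


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; values near 8.0 mean compressed or encrypted content."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF file header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]      # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsect, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    opt_magic = struct.unpack_from("<H", data, opt_off)[0]  # 0x10b = PE32, 0x20b = PE32+
    sect_off = opt_off + opt_size                           # section table follows the optional header
    sections = []
    for i in range(nsect):
        # First five IMAGE_SECTION_HEADER fields: Name, VirtualSize, VirtualAddress,
        # SizeOfRawData, PointerToRawData
        name, _vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, sect_off + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_address": vaddr, "raw_size": raw_size,
                         "entropy": round(entropy(raw), 3)})
    return {"machine": hex(machine), "compile_time": stamp, "pe32_plus": opt_magic == 0x20B,
            "characteristics": hex(chars), "sections": sections}


def packer_indicators(report: dict, threshold: float = 7.0) -> list:
    """Sections that suggest packing: a known packer name or near-random content.
    Assumption: 7.0 bits/byte is an illustrative cut-off, not a fixed rule."""
    return [s["name"] for s in report["sections"]
            if s["name"] in PACKER_SECTIONS or s["entropy"] > threshold]


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image (not a real program): DOS header, PE signature,
    COFF header, 224-byte optional header, two section headers, raw data at 0x200 and 0x300."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                   # e_lfanew: right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x5F5E1000, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    # IMAGE_SECTION_HEADER is 40 bytes: name, vsize, vaddr, rawsize, rawptr,
    # relocs ptr, linenums ptr, nrelocs, nlinenums, characteristics
    text = struct.pack("<8sIIIIIIHHI", b".text", 256, 0x1000, 256, 0x200, 0, 0, 0, 0, 0x60000020)
    upx1 = struct.pack("<8sIIIIIIHHI", b"UPX1", 256, 0x2000, 256, 0x300, 0, 0, 0, 0, 0xE0000040)
    image = bytearray(bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text + upx1)
    image += b"\0" * (0x200 - len(image))                   # pad headers up to the first section
    image += b"\x90" * 256                                  # .text: all NOPs, entropy 0.0
    image += bytes(range(256))                              # UPX1: every byte value once, entropy 8.0
    return bytes(image)


if __name__ == "__main__":
    sample = build_sample_pe()
    report = parse_pe(sample)
    print(identify(sample), hashes(sample)["sha256"])
    print(report, "packer indicators:", packer_indicators(report))
```

On the constructed image the `.text` section scores 0.0 bits/byte and the `UPX1` section 8.0, so only `UPX1` is flagged; on a real sample the same walk gives the compile timestamp, section names and per-section entropy that tools such as DIE or ExeinfoPE summarise for you.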
  • 22. STATIC MALWARE ANALYSIS: OBFUSCATION FOLLOW ME
  • 24. DYNAMIC MALWARE ANALYSIS: PRIMER • You have two different ways of doing dynamic analysis: • Do it yourself: run the malware in a VM • Manual dynamic analysis • Use a sandbox: let a sandbox take care of the malware • Automatic dynamic analysis
  • 25. DYNAMIC MALWARE ANALYSIS: ONLINE SANDBOX • For online sandboxes you have: • VirusTotal • Any.run • malwr.com • Reverse.it • Hybrid-analysis.com • Joe Sandbox
  • 27. A threat that existed in Morocco: guess what it is? THREAT X IN MOROCCO!
  • 29. 90% of attacks come from password info stealers! THREAT X IN MOROCCO!
  • 30. HOW CAN I PROVE IT? THREAT X IN MOROCCO!
  • 31. Our intelligence tracker detected around 180GB of leaked data related to MA domains and personal information. THREAT X IN MOROCCO!
  • 32. 320+ spammers identified from the gathered data and C&C checks in Morocco. THREAT X IN MOROCCO!
  • 33. We have some people from ensias.um5.ac.ma THREAT X IN MOROCCO !
  • 34. THREAT X IN MOROCCO !
  • 35. Is this all we have? THREAT X IN MOROCCO!
  • 36. NO THREAT X IN MOROCCO!
  • 37. ATM MALWARE GATHERED FROM MOROCCAN ISPs TECHNICAL DETAILS: ATM DISPENSE MALWARE
  • 42. Getting ready for the next war. THE PURPOSE OF THESE 2 THREATS
  • 43. Q/A THE PURPOSE OF THESE 2 THREATS