Malware Analysis
What to learn from your invaders
Disclaimer
▪ All opinions expressed during this talk are mine and do not reflect those of my employer.
▪ I will not be held responsible for any damage you do to your system at home. I do not condone you doing this at work, especially in a production environment. Be aware this is live malware we're talking about, and if you don't take the proper precautions, it's on your dime, not mine. :)
▪ This talk is about learning about the everyday, ever-evolving threats that face anyone on the Internet. </fud scare tactic>
Agenda
▪ Whoami
▪ Tools
▪ Analysis
▪ Resources
Whoami
▪ Father
▪ Geek
▪ Drummer
▪ SIEM Manager by day, malware analyst by night... when I can...
Background
Tools
▪ VirtualBox
  ● Remnux
▪ Regshot
▪ FakeNet
▪ DNSChef
▪ Wireshark
▪ PEStudio
▪ Volatility
Samples
▪ “Unpaid taxes. Notice #12831” phishing email
▪ LogMeIn Spear phishing link
▪ “Vendor site cart purchase” phishing email
“Unpaid taxes. Notice #12831” phishing email
“Unpaid taxes. Notice #12831” phishing email
LogMeIn spear phishing
“Vendor site cart purchase” phishing email
Static analysis
▪ Regshot
▪ Remnux tools (imports, pescan, pescanner, pyew.txt)
▪ PEStudio
“Vendor site cart purchase” phishing email
“Vendor site cart purchase” phishing email
Behavioral analysis
▪ How does it react?
▪ What does it do?
Lab configuration
▪ Virtualbox
  ● Windows 7 (Victim of course)
  ● Remnux 6.0 (Ubuntu 14.04)
  ● Traffic capture
▪ Wireshark
▪ Procmon
Network behavior analysis – First attempt
▪ 174.16.157.26
▪ 130.37.198.90
▪ 203.80.102.213
▪ 88.68.117.47
▪ 75.99.113.250
▪ 184.166.216.26
▪ 212.235.62.68
▪ 172.245.217.122
▪ 24.231.61.81
▪ 27.110.203.125
▪ 221.193.254.122
▪ 183.87.238.127
▪ 198.50.128.48
▪ 82.127.150.123
▪ 85.64.52.205
▪ 24.78.17.137
▪ 79.119.228.199
▪ 219.77.136.199
▪ 76.234.37.14
Network behavior analysis – Second attempt
Network behavior analysis – Third attempt
Host analysis - Files
Time of Day | Process Name | PID | Operation | Path | Detail
9:45:03.5627178 PM | Explorer.EXE | 644 | Process Create | C:\tools\Malware\tazdrummer\Invoice_06.04.2014\Invoice_06.04.2014.pdf.scr | PID: 2684, Command line: "C:\tools\Malware\tazdrummer\Invoice_06.04.2014\Invoice_06.04.2014.pdf.scr" /S
9:45:04.5837508 PM | Invoice_06.04.2014.pdf.scr | 2684 | Process Create | C:\Users\keith\AppData\Local\Temp\Ettevaupeqe.exe | PID: 2236, Command line: "C:\Users\keith\AppData\Local\Temp\Ettevaupeqe.exe"
9:45:05.6715395 PM | Invoice_06.04.2014.pdf.scr | 2684 | Process Create | C:\Windows\SysWOW64\cmd.exe | PID: 2316, Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\keith\AppData\Local\Temp\CQV2090.bat"
9:45:05.6715490 PM | cmd.exe | 2316 | Process Start | | Parent PID: 2684, Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\keith\AppData\Local\Temp\CQV2090.bat", Current directory: C:\tools\Malware\tazdrummer\Invoice_06.04.2014
9:45:05.9865492 PM | Invoice_06.04.2014.pdf.scr | 2684 | Process Exit | |
9:45:06.0210210 PM | conhost.exe | 3048 | Process Start | | Parent PID: 392, Command line: \??\C:\Windows\system32\conhost.exe "7004549161928483034-634817172-12620106904102454541647554162437855351-2089999309", Current directory: C:\Windows\system32
9:45:07.1049881 PM | WinMail.exe | 2588 | Process Start | | Parent PID: 608, Command line: "C:\Program Files\Windows Mail\WinMail.exe" -Embedding
9:45:20.7850986 PM | rundll32.exe | 1064 | Process Start | | Parent PID: 1236, Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\FirewallControlPanel.dll,ShowNotificationDialog /ETOnly 0 /OnProfiles 6 /OtherAllowed 0 /OtherBlocked 0 /OtherEdgeAllowed 0 /NewBlocked 4 "C:\users\keith\appdata\local\temp\ettevaupeqe.exe"
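The trace reads as a chain once the PIDs are linked up: Explorer launches the .scr, the .scr drops and starts Ettevaupeqe.exe from the user's Temp folder and spawns cmd.exe to run a batch file from the same place, the .scr exits, and some seconds later the Windows Firewall notification dialog (FirewallControlPanel.dll,ShowNotificationDialog) is raised for the dropped executable. Doing that linking by hand across a flat Procmon event list is tedious, so the following Python reconstructs the tree and applies three triage rules to it. This is an added example, not code from the talk: the CSV text is the slide's rows transcribed into Procmon's CSV export layout (PIDs, paths and command lines are the slide's, the header and quoting are ours), and the rule names and regular expressions are this example's own.

```python
import csv
import io
import ntpath
import re

# Constructed sample input: the Process Monitor rows from the "Host analysis - Files"
# slide, transcribed into Procmon's CSV export layout. PIDs, paths and command lines
# are the slide's; the header and quoting are ours.
PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Detail"
"9:45:03.5627178 PM","Explorer.EXE","644","Process Create","C:\tools\Malware\tazdrummer\Invoice_06.04.2014\Invoice_06.04.2014.pdf.scr","PID: 2684, Command line: ""C:\tools\Malware\tazdrummer\Invoice_06.04.2014\Invoice_06.04.2014.pdf.scr"" /S"
"9:45:04.5837508 PM","Invoice_06.04.2014.pdf.scr","2684","Process Create","C:\Users\keith\AppData\Local\Temp\Ettevaupeqe.exe","PID: 2236, Command line: ""C:\Users\keith\AppData\Local\Temp\Ettevaupeqe.exe"""
"9:45:05.6715395 PM","Invoice_06.04.2014.pdf.scr","2684","Process Create","C:\Windows\SysWOW64\cmd.exe","PID: 2316, Command line: ""C:\Windows\system32\cmd.exe"" /c ""C:\Users\keith\AppData\Local\Temp\CQV2090.bat"""
"9:45:05.6715490 PM","cmd.exe","2316","Process Start","","Parent PID: 2684, Command line: ""C:\Windows\system32\cmd.exe"" /c ""C:\Users\keith\AppData\Local\Temp\CQV2090.bat"", Current directory: C:\tools\Malware\tazdrummer\Invoice_06.04.2014,"
"9:45:05.9865492 PM","Invoice_06.04.2014.pdf.scr","2684","Process Exit","",""
"9:45:06.0210210 PM","conhost.exe","3048","Process Start","","Parent PID: 392, Command line: \??\C:\Windows\system32\conhost.exe ""7004549161928483034-634817172-12620106904102454541647554162437855351-2089999309"", Current directory: C:\Windows\system32,"
"9:45:07.1049881 PM","WinMail.exe","2588","Process Start","","Parent PID: 608, Command line: ""C:\Program Files\Windows Mail\WinMail.exe"" -Embedding"
"9:45:20.7850986 PM","rundll32.exe","1064","Process Start","","Parent PID: 1236, Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\FirewallControlPanel.dll,ShowNotificationDialog /ETOnly 0 /OnProfiles 6 /OtherAllowed 0 /OtherBlocked 0 /OtherEdgeAllowed 0 /NewBlocked 4 ""C:\users\keith\appdata\local\temp\ettevaupeqe.exe"","
'''

CHILD_PID_RE = re.compile(r"^PID: (\d+)")
PARENT_PID_RE = re.compile(r"^Parent PID: (\d+)")
CMDLINE_RE = re.compile(r"Command line: (.*?)(?:, Current directory:|$)")
# Triage rules modelled on what this trace shows; the names are this example's own.
DOUBLE_EXT_RE = re.compile(r"\.(?:pdf|doc|docx|xls|xlsx|txt|jpg)\.(?:scr|exe|com|pif)$", re.I)
TEMP_EXE_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.I)
CMD_TEMP_BAT_RE = re.compile(r"/c\s+\"[^\"]*\\AppData\\Local\\Temp\\[^\"]*\.bat\"", re.I)


def load_events(csv_text):
    """Parse a Procmon CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def command_line(detail):
    """Pull the 'Command line:' value out of a Detail field."""
    m = CMDLINE_RE.search(detail)
    return m.group(1).rstrip(", ") if m else ""


def build_tree(events):
    """Recover image name, parent PID, command line and image path per PID.
    Process Create rows name the child (Path, plus 'PID:' in Detail); Process
    Start rows name the parent ('Parent PID:'), which also covers processes whose
    creation was not logged here (conhost.exe, WinMail.exe, rundll32.exe)."""
    names, parent_of, cmdlines, images = {}, {}, {}, {}
    for ev in events:
        pid = int(ev["PID"])
        names.setdefault(pid, ev["Process Name"])
        detail = ev["Detail"]
        if ev["Operation"] == "Process Create":
            m = CHILD_PID_RE.match(detail)
            if m:
                child = int(m.group(1))
                parent_of[child] = pid
                images[child] = ev["Path"]
                names[child] = ntpath.basename(ev["Path"])
                cmdlines[child] = command_line(detail)
        elif ev["Operation"] == "Process Start":
            m = PARENT_PID_RE.match(detail)
            if m:
                parent_of.setdefault(pid, int(m.group(1)))
            cmdlines.setdefault(pid, command_line(detail))
    return names, parent_of, cmdlines, images


def lineage(pid, names, parent_of):
    """Ancestor chain from the outermost known parent down to pid."""
    chain, seen = [], set()
    while pid is not None and pid not in seen:
        seen.add(pid)
        chain.append(names.get(pid, f"pid {pid}"))
        pid = parent_of.get(pid)
    return chain[::-1]


def triage(events):
    """Flag what the trace exhibits and return (tag, pid, lineage) tuples:
    a document-looking double extension, an .exe started from the user's Temp
    folder, and cmd.exe /c running a batch file from Temp."""
    names, parent_of, cmdlines, images = build_tree(events)
    findings = []
    for pid in sorted(names):  # sorted so the output order is deterministic
        name, cmd, image = names[pid], cmdlines.get(pid, ""), images.get(pid, "")
        if DOUBLE_EXT_RE.search(name):
            findings.append(("double-extension-image", pid, lineage(pid, names, parent_of)))
        if TEMP_EXE_RE.search(image):
            findings.append(("exe-started-from-temp", pid, lineage(pid, names, parent_of)))
        if name.lower() == "cmd.exe" and CMD_TEMP_BAT_RE.search(cmd):
            findings.append(("cmd-runs-temp-batch", pid, lineage(pid, names, parent_of)))
    return findings


if __name__ == "__main__":
    for tag, pid, chain in triage(load_events(PROCMON_CSV)):
        print(f"{tag:24} pid {pid:<5} {' -> '.join(chain)}")
```

Run against the slide's rows it reports Ettevaupeqe.exe and cmd.exe both under Explorer.EXE -> Invoice_06.04.2014.pdf.scr, which is the relationship an analyst wants to carry into the "Host analysis - Processes" step; processes whose parent never appears in the capture (the rundll32.exe row, parent 1236) are kept with a bare "pid N" root rather than dropped.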
Host analysis - Processes
Wrapping up
▪ What's been learned?
  ● Network activity
  ● Host based activity
▪ Where can it be used?
  ● SIEM
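Where this feeds a SIEM: the destination addresses from the network analysis and the file names from the host analysis become a watchlist that is run against whatever the SIEM already collects, and the output an analyst works from is a list of machines to look at, not a list of matched lines. The following Python is an added example, not material from the talk. The indicator sets are taken from the slides above; the firewall syslog lines and the Windows Security event 4688 (process creation) line are constructed samples in an assumed key=value layout, with 10.0.0.x and 198.51.100.7 as placeholder addresses.

```python
import re

# Indicators taken from the deck: destination IPs from the "Network behavior analysis"
# slide and file names from the Procmon trace on the "Host analysis - Files" slide.
NETWORK_IOCS = frozenset({
    "174.16.157.26", "130.37.198.90", "203.80.102.213", "88.68.117.47",
    "75.99.113.250", "184.166.216.26", "212.235.62.68", "172.245.217.122",
    "24.231.61.81", "27.110.203.125", "221.193.254.122", "183.87.238.127",
    "198.50.128.48", "82.127.150.123", "85.64.52.205", "24.78.17.137",
    "79.119.228.199", "219.77.136.199", "76.234.37.14",
})
HOST_IOCS = frozenset({"invoice_06.04.2014.pdf.scr", "ettevaupeqe.exe", "cqv2090.bat"})

# Constructed sample log lines (not from the deck): three firewall syslog lines and
# one Windows Security 4688 process-creation event in an assumed key=value layout.
# 10.0.0.x and 198.51.100.7 are placeholder addresses.
SAMPLE_LOGS = [
    "Jun  4 21:45:09 fw01 kernel: OUT src=10.0.0.15 dst=212.235.62.68 proto=TCP dpt=443",
    "Jun  4 21:45:10 fw01 kernel: OUT src=10.0.0.15 dst=198.51.100.7 proto=TCP dpt=80",
    "Jun  4 21:45:12 fw01 kernel: OUT src=10.0.0.22 dst=88.68.117.47 proto=TCP dpt=8080",
    r'Jun  4 21:45:05 ws-keith EventID=4688 NewProcessName="C:\Users\keith\AppData\Local\Temp\Ettevaupeqe.exe"'
    r' ParentProcessName="C:\tools\Malware\tazdrummer\Invoice_06.04.2014\Invoice_06.04.2014.pdf.scr"',
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
FILE_RE = re.compile(r"[\w.\-]+\.(?:exe|scr|bat|dll)\b", re.I)
SRC_RE = re.compile(r"\bsrc=(\S+)")
SYSLOG_HOST_RE = re.compile(r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d (\S+)")


def scan(lines, network_iocs=NETWORK_IOCS, host_iocs=HOST_IOCS):
    """Return (line_no, kind, indicator) for every watchlist hit, in log order.
    IPs are matched exactly; file names case-insensitively, because Windows paths
    show up in whatever case the logging component used (the rundll32 row in the
    trace has the Temp path entirely lower-cased)."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IP_RE.findall(line):
            if ip in network_iocs:
                hits.append((n, "network", ip))
        for name in FILE_RE.findall(line):
            if name.lower() in host_iocs:
                hits.append((n, "host", name.lower()))
    return hits


def origin_host(line):
    """The machine a hit is attributed to: the src= address on a firewall line,
    otherwise the syslog reporting host."""
    m = SRC_RE.search(line)
    if m:
        return m.group(1)
    m = SYSLOG_HOST_RE.match(line)
    return m.group(1) if m else "unknown"


def hosts_to_triage(lines):
    """Group hits by origin host so the result is a list of machines to examine,
    each with the indicators that implicated it."""
    by_host = {}
    for n, kind, ioc in scan(lines):
        by_host.setdefault(origin_host(lines[n - 1]), []).append((kind, ioc))
    return by_host


if __name__ == "__main__":
    for host, iocs in hosts_to_triage(SAMPLE_LOGS).items():
        print(host, iocs)
```

The second firewall line (a destination not on the watchlist) produces no hit, and the 4688 line is attributed to the workstation that reported it because it carries no src= field; in a real deployment the indicator sets would come from the SIEM's lookup tables rather than be embedded in the script.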
Resources
▪ Blogs
  ● Lenny Zeltser's blog - https://zeltser.com/
  ● Malware Analysis blog - http://www.malware-traffic-analysis.net/
  ● MalwareMustDie blog - http://blog.malwaremustdie.org/
  ● Malwageddon's blog - http://malwageddon.blogspot.com/
  ● MalwareDontNeedCoffee blog - http://malware.dontneedcoffee.com/
▪ Live samples
  ● Contagio - http://contagiodump.blogspot.com/
  ● Malc0de database - http://malc0de.com/database/
▪ Tools
  ● VirtualBox
  ● Remnux
  ● SysInternals
  ● Volatility
▪ Training
  ● OpenSecurityTraining.Info - http://opensecuritytraining.info/
Questions
Twitter - @Tazdrumm3r
Email - tazdrummer@gmail.com
Blog - https://tazdrumm3r.wordpress.com

More Related Content

What's hot

Remnux tutorial-1 Statically Analyse Portable Executable(PE) Files
Remnux tutorial-1  Statically Analyse Portable Executable(PE) FilesRemnux tutorial-1  Statically Analyse Portable Executable(PE) Files
Remnux tutorial-1 Statically Analyse Portable Executable(PE) Files
Rhydham Joshi
 
Two-For-One Talk: Malware Analysis for Everyone
Two-For-One Talk: Malware Analysis for EveryoneTwo-For-One Talk: Malware Analysis for Everyone
Two-For-One Talk: Malware Analysis for Everyone
Paul Melson
 
Basic Malware Analysis
Basic Malware AnalysisBasic Malware Analysis
Basic Malware Analysis
Albert Hui
 
Basic Dynamic Analysis of Malware
Basic Dynamic Analysis of MalwareBasic Dynamic Analysis of Malware
Basic Dynamic Analysis of Malware
Natraj G
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
Sergey Soldatov
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware Analysis
Andrew McNicol
 
Automated Malware Analysis and Cyber Security Intelligence
Automated Malware Analysis and Cyber Security IntelligenceAutomated Malware Analysis and Cyber Security Intelligence
Automated Malware Analysis and Cyber Security Intelligence
Jason Choi
 
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...
Revealing the Attack Operations Targeting Japan by  Shusei Tomonaga & Yuu Nak...Revealing the Attack Operations Targeting Japan by  Shusei Tomonaga & Yuu Nak...
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...
CODE BLUE
 
Malware Analysis and Defeating using Virtual Machines
Malware Analysis and Defeating using Virtual MachinesMalware Analysis and Defeating using Virtual Machines
Malware Analysis and Defeating using Virtual Machines
intertelinvestigations
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows Environment
Teymur Kheirkhabarov
 
SANS Windows Artifact Analysis 2012
SANS Windows Artifact Analysis 2012SANS Windows Artifact Analysis 2012
SANS Windows Artifact Analysis 2012
Rian Yulian
 
International collaborative efforts to share threat data in a vetted member c...
International collaborative efforts to share threat data in a vetted member c...International collaborative efforts to share threat data in a vetted member c...
International collaborative efforts to share threat data in a vetted member c...
CODE BLUE
 
Catching fileless attacks
Catching fileless attacksCatching fileless attacks
Catching fileless attacks
Balaji Rajasekaran
 
REMnux Tutorial-3: Investigation of Malicious PDF & Doc documents
REMnux Tutorial-3: Investigation of Malicious PDF & Doc documentsREMnux Tutorial-3: Investigation of Malicious PDF & Doc documents
REMnux Tutorial-3: Investigation of Malicious PDF & Doc documents
Rhydham Joshi
 
REMnux tutorial-2: Extraction and decoding of Artifacts
REMnux tutorial-2: Extraction and decoding of ArtifactsREMnux tutorial-2: Extraction and decoding of Artifacts
REMnux tutorial-2: Extraction and decoding of Artifacts
Rhydham Joshi
 
Malware analysis
Malware analysisMalware analysis
Malware analysis
xabean
 
Basic malware analysis
Basic malware analysisBasic malware analysis
Basic malware analysis
securityxploded
 
Ch0 1
Ch0 1Ch0 1
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
Teymur Kheirkhabarov
 
Volatile IOCs for Fast Incident Response
Volatile IOCs for Fast Incident ResponseVolatile IOCs for Fast Incident Response
Volatile IOCs for Fast Incident Response
Takahiro Haruyama
 

What's hot (20)

Remnux tutorial-1 Statically Analyse Portable Executable(PE) Files
Remnux tutorial-1  Statically Analyse Portable Executable(PE) FilesRemnux tutorial-1  Statically Analyse Portable Executable(PE) Files
Remnux tutorial-1 Statically Analyse Portable Executable(PE) Files
 
Two-For-One Talk: Malware Analysis for Everyone
Two-For-One Talk: Malware Analysis for EveryoneTwo-For-One Talk: Malware Analysis for Everyone
Two-For-One Talk: Malware Analysis for Everyone
 
Basic Malware Analysis
Basic Malware AnalysisBasic Malware Analysis
Basic Malware Analysis
 
Basic Dynamic Analysis of Malware
Basic Dynamic Analysis of MalwareBasic Dynamic Analysis of Malware
Basic Dynamic Analysis of Malware
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware Analysis
 
Automated Malware Analysis and Cyber Security Intelligence
Automated Malware Analysis and Cyber Security IntelligenceAutomated Malware Analysis and Cyber Security Intelligence
Automated Malware Analysis and Cyber Security Intelligence
 
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...
Revealing the Attack Operations Targeting Japan by  Shusei Tomonaga & Yuu Nak...Revealing the Attack Operations Targeting Japan by  Shusei Tomonaga & Yuu Nak...
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...
 
Malware Analysis and Defeating using Virtual Machines
Malware Analysis and Defeating using Virtual MachinesMalware Analysis and Defeating using Virtual Machines
Malware Analysis and Defeating using Virtual Machines
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows Environment
 
SANS Windows Artifact Analysis 2012
SANS Windows Artifact Analysis 2012SANS Windows Artifact Analysis 2012
SANS Windows Artifact Analysis 2012
 
International collaborative efforts to share threat data in a vetted member c...
International collaborative efforts to share threat data in a vetted member c...International collaborative efforts to share threat data in a vetted member c...
International collaborative efforts to share threat data in a vetted member c...
 
Catching fileless attacks
Catching fileless attacksCatching fileless attacks
Catching fileless attacks
 
REMnux Tutorial-3: Investigation of Malicious PDF & Doc documents
REMnux Tutorial-3: Investigation of Malicious PDF & Doc documentsREMnux Tutorial-3: Investigation of Malicious PDF & Doc documents
REMnux Tutorial-3: Investigation of Malicious PDF & Doc documents
 
REMnux tutorial-2: Extraction and decoding of Artifacts
REMnux tutorial-2: Extraction and decoding of ArtifactsREMnux tutorial-2: Extraction and decoding of Artifacts
REMnux tutorial-2: Extraction and decoding of Artifacts
 
Malware analysis
Malware analysisMalware analysis
Malware analysis
 
Basic malware analysis
Basic malware analysisBasic malware analysis
Basic malware analysis
 
Ch0 1
Ch0 1Ch0 1
Ch0 1
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
 
Volatile IOCs for Fast Incident Response
Volatile IOCs for Fast Incident ResponseVolatile IOCs for Fast Incident Response
Volatile IOCs for Fast Incident Response
 

Viewers also liked

Tsolució
TsolucióTsolució
Tsolució
Bgs Company
 
La Gatera de la Villa nº 11
La Gatera de la Villa nº 11La Gatera de la Villa nº 11
La Gatera de la Villa nº 11
La Gatera de la Villa
 
A walk through Windows firewall and Netsh commands
A walk through Windows firewall and Netsh commandsA walk through Windows firewall and Netsh commands
A walk through Windows firewall and Netsh commands
Rhydham Joshi
 
Use of LCA tools in the early stages of a research project
Use of LCA tools in the early stages of a research projectUse of LCA tools in the early stages of a research project
Use of LCA tools in the early stages of a research project
Olivier Talon
 
Seminar programa pack
Seminar programa packSeminar programa pack
Seminar programa pack
Amber Denton
 
REMnux tutorial 4.1 - Datagrams, Fragmentation & Anomalies
REMnux tutorial 4.1 - Datagrams, Fragmentation & AnomaliesREMnux tutorial 4.1 - Datagrams, Fragmentation & Anomalies
REMnux tutorial 4.1 - Datagrams, Fragmentation & Anomalies
Rhydham Joshi
 
Final Programme - ICIC 2016 - 28th ICIC International Conference for the Info...
Final Programme - ICIC 2016 - 28th ICIC International Conference for the Info...Final Programme - ICIC 2016 - 28th ICIC International Conference for the Info...
Final Programme - ICIC 2016 - 28th ICIC International Conference for the Info...
Dr. Haxel Consult
 
5eme édition des TOP20 : classements des comptes Twitter en finance et assura...
5eme édition des TOP20 : classements des comptes Twitter en finance et assura...5eme édition des TOP20 : classements des comptes Twitter en finance et assura...
5eme édition des TOP20 : classements des comptes Twitter en finance et assura...
Alban Jarry
 

Viewers also liked (8)

Tsolució
TsolucióTsolució
Tsolució
 
La Gatera de la Villa nº 11
La Gatera de la Villa nº 11La Gatera de la Villa nº 11
La Gatera de la Villa nº 11
 
A walk through Windows firewall and Netsh commands
A walk through Windows firewall and Netsh commandsA walk through Windows firewall and Netsh commands
A walk through Windows firewall and Netsh commands
 
Use of LCA tools in the early stages of a research project
Use of LCA tools in the early stages of a research projectUse of LCA tools in the early stages of a research project
Use of LCA tools in the early stages of a research project
 
Seminar programa pack
Seminar programa packSeminar programa pack
Seminar programa pack
 
REMnux tutorial 4.1 - Datagrams, Fragmentation & Anomalies
REMnux tutorial 4.1 - Datagrams, Fragmentation & AnomaliesREMnux tutorial 4.1 - Datagrams, Fragmentation & Anomalies
REMnux tutorial 4.1 - Datagrams, Fragmentation & Anomalies
 
Final Programme - ICIC 2016 - 28th ICIC International Conference for the Info...
Final Programme - ICIC 2016 - 28th ICIC International Conference for the Info...Final Programme - ICIC 2016 - 28th ICIC International Conference for the Info...
Final Programme - ICIC 2016 - 28th ICIC International Conference for the Info...
 
5eme édition des TOP20 : classements des comptes Twitter en finance et assura...
5eme édition des TOP20 : classements des comptes Twitter en finance et assura...5eme édition des TOP20 : classements des comptes Twitter en finance et assura...
5eme édition des TOP20 : classements des comptes Twitter en finance et assura...
 

Similar to Malware analysis - What to learn from your invaders

Hunting fileless malware
Hunting fileless malwareHunting fileless malware
Hunting fileless malware
Olha Pasko
 
Olha Pasko - Hunting fileless malware [workshop]
Olha Pasko - Hunting fileless malware [workshop] Olha Pasko - Hunting fileless malware [workshop]
Olha Pasko - Hunting fileless malware [workshop]
NoNameCon
 
Adversarial Post-Ex: Lessons From The Pros
Adversarial Post-Ex: Lessons From The ProsAdversarial Post-Ex: Lessons From The Pros
Adversarial Post-Ex: Lessons From The Pros
Justin Warner
 
Adversarial Post Ex - Lessons from the Pros
Adversarial Post Ex - Lessons from the ProsAdversarial Post Ex - Lessons from the Pros
Adversarial Post Ex - Lessons from the Pros
sixdub
 
Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015
Zoltan Balazs
 
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic AnalysisCNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
Sam Bowne
 
Configuring Data Sources in AlienVault
Configuring Data Sources in AlienVaultConfiguring Data Sources in AlienVault
Configuring Data Sources in AlienVault
AlienVault
 
Intro to Reversing Malware
Intro to Reversing MalwareIntro to Reversing Malware
Intro to Reversing Malware
DefCamp
 
Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)
Andrew Case
 
Test & Tea : ITSEC testing, manual vs automated
Test & Tea : ITSEC testing, manual vs automatedTest & Tea : ITSEC testing, manual vs automated
Test & Tea : ITSEC testing, manual vs automated
Zoltan Balazs
 
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 -  Advanced Malware AnalysisReversing & Malware Analysis Training Part 9 -  Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
securityxploded
 
Hitbkl 2012
Hitbkl 2012Hitbkl 2012
Hitbkl 2012
F _
 
Ransomware - what is it, how to protect against it
Ransomware - what is it, how to protect against itRansomware - what is it, how to protect against it
Ransomware - what is it, how to protect against it
Zoltan Balazs
 
Cloud adoption fails - 5 ways deployments go wrong and 5 solutions
Cloud adoption fails - 5 ways deployments go wrong and 5 solutionsCloud adoption fails - 5 ways deployments go wrong and 5 solutions
Cloud adoption fails - 5 ways deployments go wrong and 5 solutions
Yevgeniy Brikman
 
Ask a Malware Archaeologist
Ask a Malware ArchaeologistAsk a Malware Archaeologist
Ask a Malware Archaeologist
Michael Gough
 
Basic malware analysis
Basic malware analysis Basic malware analysis
Basic malware analysis
Cysinfo Cyber Security Community
 
CHAPTER 3 BASIC DYNAMIC ANALYSIS.ppt
CHAPTER 3 BASIC DYNAMIC ANALYSIS.pptCHAPTER 3 BASIC DYNAMIC ANALYSIS.ppt
CHAPTER 3 BASIC DYNAMIC ANALYSIS.ppt
ManjuAppukuttan2
 
Conclusions from Tracking Server Attacks at Scale
Conclusions from Tracking Server Attacks at ScaleConclusions from Tracking Server Attacks at Scale
Conclusions from Tracking Server Attacks at Scale
Guardicore
 
BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.
Jakub Kałużny
 
CyCon 2019 - A Day in the Life of a Reverse Engineer
CyCon 2019 - A Day in the Life of a Reverse EngineerCyCon 2019 - A Day in the Life of a Reverse Engineer
CyCon 2019 - A Day in the Life of a Reverse Engineer
James Haughom Jr
 

Similar to Malware analysis - What to learn from your invaders (20)

Hunting fileless malware
Hunting fileless malwareHunting fileless malware
Hunting fileless malware
 
Olha Pasko - Hunting fileless malware [workshop]
Olha Pasko - Hunting fileless malware [workshop] Olha Pasko - Hunting fileless malware [workshop]
Olha Pasko - Hunting fileless malware [workshop]
 
Adversarial Post-Ex: Lessons From The Pros
Adversarial Post-Ex: Lessons From The ProsAdversarial Post-Ex: Lessons From The Pros
Adversarial Post-Ex: Lessons From The Pros
 
Adversarial Post Ex - Lessons from the Pros
Adversarial Post Ex - Lessons from the ProsAdversarial Post Ex - Lessons from the Pros
Adversarial Post Ex - Lessons from the Pros
 
Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015
 
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic AnalysisCNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
 
Configuring Data Sources in AlienVault
Configuring Data Sources in AlienVaultConfiguring Data Sources in AlienVault
Configuring Data Sources in AlienVault
 
Intro to Reversing Malware
Intro to Reversing MalwareIntro to Reversing Malware
Intro to Reversing Malware
 
Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)
 
Test & Tea : ITSEC testing, manual vs automated
Test & Tea : ITSEC testing, manual vs automatedTest & Tea : ITSEC testing, manual vs automated
Test & Tea : ITSEC testing, manual vs automated
 
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 -  Advanced Malware AnalysisReversing & Malware Analysis Training Part 9 -  Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
 
Hitbkl 2012
Hitbkl 2012Hitbkl 2012
Hitbkl 2012
 
Ransomware - what is it, how to protect against it
Ransomware - what is it, how to protect against itRansomware - what is it, how to protect against it
Ransomware - what is it, how to protect against it
 
Cloud adoption fails - 5 ways deployments go wrong and 5 solutions
Cloud adoption fails - 5 ways deployments go wrong and 5 solutionsCloud adoption fails - 5 ways deployments go wrong and 5 solutions
Cloud adoption fails - 5 ways deployments go wrong and 5 solutions
 
Ask a Malware Archaeologist
Ask a Malware ArchaeologistAsk a Malware Archaeologist
Ask a Malware Archaeologist
 
Basic malware analysis
Basic malware analysis Basic malware analysis
Basic malware analysis
 
CHAPTER 3 BASIC DYNAMIC ANALYSIS.ppt
CHAPTER 3 BASIC DYNAMIC ANALYSIS.pptCHAPTER 3 BASIC DYNAMIC ANALYSIS.ppt
CHAPTER 3 BASIC DYNAMIC ANALYSIS.ppt
 
Conclusions from Tracking Server Attacks at Scale
Conclusions from Tracking Server Attacks at ScaleConclusions from Tracking Server Attacks at Scale
Conclusions from Tracking Server Attacks at Scale
 
BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.
 
CyCon 2019 - A Day in the Life of a Reverse Engineer
CyCon 2019 - A Day in the Life of a Reverse EngineerCyCon 2019 - A Day in the Life of a Reverse Engineer
CyCon 2019 - A Day in the Life of a Reverse Engineer
 

Recently uploaded

Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
Mariano Tinti
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
Octavian Nadolu
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
panagenda
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
Zilliz
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
名前 です男
 
CAKE: Sharing Slices of Confidential Data on Blockchain
CAKE: Sharing Slices of Confidential Data on BlockchainCAKE: Sharing Slices of Confidential Data on Blockchain
CAKE: Sharing Slices of Confidential Data on Blockchain
Claudio Di Ciccio
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
akankshawande
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
Matthew Sinclair
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
Alpen-Adria-Universität
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Speck&Tech
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
Jason Packer
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
DianaGray10
 
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdfAI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
Techgropse Pvt.Ltd.
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Malak Abu Hammad
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Safe Software
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
tolgahangng
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
panagenda
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems S.M.S.A.
 

Recently uploaded (20)

Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
 
CAKE: Sharing Slices of Confidential Data on Blockchain
CAKE: Sharing Slices of Confidential Data on BlockchainCAKE: Sharing Slices of Confidential Data on Blockchain
CAKE: Sharing Slices of Confidential Data on Blockchain
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
 
20240605 QFM017 Machine Intelligence Reading List May 2024

Malware analysis - What to learn from your invaders

  • 23. Host analysis - Processes
    Time of Day | Process Name | PID | Operation | Path | Detail
    9:45:03.5627178 PM | Explorer.EXE | 644 | Process Create | C:\tools\Malware\tazdrummer\Invoice_06.04.2014\Invoice_06.04.2014.pdf.scr | PID: 2684, Command line: "C:\tools\Malware\tazdrummer\Invoice_06.04.2014\Invoice_06.04.2014.pdf.scr" /S
    9:45:04.5837508 PM | Invoice_06.04.2014.pdf.scr | 2684 | Process Create | C:\Users\keith\AppData\Local\Temp\Ettevaupeqe.exe | PID: 2236, Command line: "C:\Users\keith\AppData\Local\Temp\Ettevaupeqe.exe"
    9:45:05.6715395 PM | Invoice_06.04.2014.pdf.scr | 2684 | Process Create | C:\Windows\SysWOW64\cmd.exe | PID: 2316, Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\keith\AppData\Local\Temp\CQV2090.bat"
    9:45:05.6715490 PM | cmd.exe | 2316 | Process Start | | Parent PID: 2684, Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\keith\AppData\Local\Temp\CQV2090.bat", Current directory: C:\tools\Malware\tazdrummer\Invoice_06.04.2014
    9:45:05.9865492 PM | Invoice_06.04.2014.pdf.scr | 2684 | Process Exit | |
    9:45:06.0210210 PM | conhost.exe | 3048 | Process Start | | Parent PID: 392, Command line: \??\C:\Windows\system32\conhost.exe "7004549161928483034-634817172-12620106904102454541647554162437855351-2089999309", Current directory: C:\Windows\system32
    9:45:07.1049881 PM | WinMail.exe | 2588 | Process Start | | Parent PID: 608, Command line: "C:\Program Files\Windows Mail\WinMail.exe" -Embedding
    9:45:20.7850986 PM | rundll32.exe | 1064 | Process Start | | Parent PID: 1236, Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\FirewallControlPanel.dll,ShowNotificationDialog /ETOnly 0 /OnProfiles 6 /OtherAllowed 0 /OtherBlocked 0 /OtherEdgeAllowed 0 /NewBlocked 4 "C:\users\keith\appdata\local\temp\ettevaupeqe.exe"
  • 24. Wrapping up ▪ What's been learned? ● Network activity ● Host based activity ▪ Where can it be used? ● SIEM
  • 25. Resources ▪ Blogs ● Lenny Zeltser's blog - https://zeltser.com/ ● Malware Analysis blog - http://www.malware-traffic-analysis.net/ ● MalwareMustDie blog - http://blog.malwaremustdie.org/ ● Malwageddon's blog - http://malwageddon.blogspot.com/ ● MalwareDontNeedCoffee blog - http://malware.dontneedcoffee.com/ ▪ Live samples ● Contagio - http://contagiodump.blogspot.com/ ● Malc0de database - http://malc0de.com/database/ ▪ Tools ● VirtualBox ● Remnux ● SysInternals ● Volatility
  • 27. Questions ▪ Twitter - @Tazdrumm3r ▪ Email - tazdrummer@gmail.com ▪ Blog - https://tazdrumm3r.wordpress.com
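As an added example (not from the talk), a small Python check that rebuilds the parent/child chain from the slide-23 Procmon events and flags the pattern a SIEM rule could key on: a double-extension .pdf.scr whose children run an executable or .bat out of the user's Temp folder. The event tuples are constructed from the table on slide 23; the regexes and tag names are my own.

```python
import re
from collections import defaultdict

# Constructed from the slide-23 Procmon table: (parent PID, child PID, child command line).
EVENTS = [
    (644, 2684, r'"C:\tools\Malware\tazdrummer\Invoice_06.04.2014\Invoice_06.04.2014.pdf.scr" /S'),
    (2684, 2236, r'"C:\Users\keith\AppData\Local\Temp\Ettevaupeqe.exe"'),
    (2684, 2316, r'"C:\Windows\system32\cmd.exe" /c "C:\Users\keith\AppData\Local\Temp\CQV2090.bat"'),
    (608, 2588, r'"C:\Program Files\Windows Mail\WinMail.exe" -Embedding'),
]

# A document-looking name that really ends in an executable extension, e.g. Invoice.pdf.scr
DOUBLE_EXT = re.compile(r"\.(pdf|doc|docx|xls|jpg)\.(scr|exe|com|pif|bat)$", re.I)
# Anything executable referenced under the per-user Temp directory
TEMP_PATH = re.compile(r"\\AppData\\Local\\Temp\\[^\"\s]+\.(exe|scr|bat|vbs)", re.I)


def image_path(cmdline):
    """Return the program path from a Procmon command line (quoted or first token)."""
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.index('"', 1)]
    return cmdline.split()[0]


def classify(cmdline):
    """Tag one process with the indicators the slide-23 chain exhibits."""
    tags = set()
    image = image_path(cmdline)
    if DOUBLE_EXT.search(image):
        tags.add("double-extension")
    if TEMP_PATH.search(image):
        tags.add("temp-executable")
    if image.lower().endswith("cmd.exe") and "/c" in cmdline.lower() and TEMP_PATH.search(cmdline):
        tags.add("cmd-runs-temp-script")
    return tags


def find_dropper_chains(events):
    """Return {parent PID: sorted child tags} for every double-extension parent whose
    children execute code from Temp, i.e. the .scr -> Temp exe / .bat pattern."""
    children, tags = defaultdict(list), {}
    for parent, pid, cmdline in events:
        tags[pid] = classify(cmdline)
        children[parent].append(pid)
    chains = {}
    for pid, t in tags.items():
        child_tags = set().union(*(tags.get(c, set()) for c in children[pid]))
        if "double-extension" in t and child_tags & {"temp-executable", "cmd-runs-temp-script"}:
            chains[pid] = sorted(child_tags)
    return chains


if __name__ == "__main__":
    for pid, why in find_dropper_chains(EVENTS).items():
        print(f"PID {pid}: dropper chain, children tagged {why}")
```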

Editor's Notes

  1. Email screen shot
  2. Traffic pattern