SlideShare a Scribd company logo

Black Hat 2015 Arsenal: Noriben Malware Analysis

Brian Baskin
Brian Baskin

Demonstration of Noriben for Black Hat US 2015 Arsenal

Technology
1 of 17
Your Personal, Portable, Malware Analysis Sandbox Brian Baskin @bbaskin github.com/Rurik
Origin Story Nori-Ben: Seaweed Lunch Box Simplest “box” to make Cheap Minimal ingredients
Noriben  Simple Malware Analysis Sandbox – Wrapper for Microsoft SysInternals Process Monitor (ProcMon) – Build a Sandbox VM with just: ▪ Noriben.py ▪ Procmon.exe – Optional: ▪ Extra Procmon binary filters ▪ YARA signature files ▪ VirusTotal API Key ▪ Add new filters to the script
Goals  Quick malware analysis results  Flexibility for open-ended runs (manually stopped analysis)  Allow for user interaction  Analysis of: – GUI apps – Command line args – Malware requiring debugging (Z-flags, code/mem altering) – Long sleeps (hours, days)
Focus  Processes, File Activity, Registry Activity, Network Activity  Log high level API calls while filtering out known noise – Thumbnail creation – Prefetch creation – Explorer registry keys (MRUs) – RecentDocs – Malware analysis tools (CaptureBat, IDA, FakeNet) – VMWare Tools – Java updater …
ZeroAccess Processes Created: ================== [CreateProcess] Explorer.EXE:1432 > "%UserProfile%Desktophehda.exe" [Child PID: 2520] [CreateProcess] hehda.exe:2520 > "%WinDir%system32cmd.exe" [Child PID: 3444] File Activity: ================== [CreateFile] hehda.exe:2520 > C:RECYCLERS-1-5-21-861567501-412668190-725345543-500$fab110457830839344b58457ddd1f357@ [MD5: 814c3536c2aab13763ac0beb7847a71f] [VT: Not Scanned] [CreateFile] hehda.exe:2520 > C:RECYCLERS-1-5-21-861567501-412668190-725345543-500$fab110457830839344b58457ddd1f357n [MD5: cfaddbb43ba973f8d15d7d2e50c63476] [YARA: ZeroAccess_Bin] [VT: 50/55] [DeleteFile] cmd.exe:3444 > %UserProfile%Desktophehda.exe Registry Activity: ================== [CreateKey] hehda.exe:2520 > HKCUSoftwareClassesCLSID{fbeb8a05-beee-4442-804e-409d6c4515e9}InprocServer32 [SetValue] hehda.exe:2520 > HKCUSoftwareClassesCLSID{fbeb8a05-beee-4442-804e- 409d6c4515e9}InprocServer32ThreadingModel = Both [SetValue] hehda.exe:2520 > HKCUSoftwareClassesCLSID{fbeb8a05-beee-4442-804e-409d6c4515e9}InprocServer32(Default) = C:RECYCLERS-1-5-21-861567501-412668190-725345543-500$fab110457830839344b58457ddd1f357n. Network Traffic: ================== [UDP] hehda.exe:2520 > google-public-dns-a.google.com:53 [UDP] google-public-dns-a.google.com:53 > hehda.exe:2520 [HTTP] hehda.exe:2520 > 50.22.196.70-static.reverse.softlayer.com:80 [TCP] 50.22.196.70-static.reverse.softlayer.com:80 > hehda.exe:2520 [UDP] hehda.exe:2520 > 83.133.123.20:53
Upatre Campaign Processes Created: ================== [CreateProcess] python.exe:2752 > "malwaredocument.exe" [Child PID: 3048] [CreateProcess] document.exe:3048 > "malwaredocument.exe" [Child PID: 3260] [CreateProcess] document.exe:3260 > "%Temp%nlibzar.exe" [Child PID: 3632] [CreateProcess] nlibzar.exe:3632 > "%Temp%nlibzar.exe" [Child PID: 4056] File Activity: ================== [CreateFile] document.exe:3260 > %Temp%bwtBBCB.tmp [MD5: fa32cacce112c18253a343c3fc41935a] [VT: Not Scanned] [CreateFile] document.exe:3260 > %Temp%nlibzar.exe [MD5: 03721dc899125df9dba81f6d8d8997cf] [VT: 42/57] [DeleteFile] nlibzar.exe:4056 > %UserProfile%DesktopMALWAREdocument.exe [CreateFile] nlibzar.exe:4056 > %UserProfile%Local SettingsTemporary Internet FilesContent.IE5CROVKFGZsuspendedpage[1].htm [MD5: 7acfe81f71e166364c90bfe156250da6] [VT: 0/56] [DeleteFile] nlibzar.exe:4056 > %UserProfile%Local SettingsTemporary Internet FilesContent.IE50V0T0HC5suspendedpage[1].htm Network Traffic: ================== [TCP] nlibzar.exe:4056 > 66.111.47.22:80 [TCP] 66.111.47.22:80 > nlibzar.exe:4056 [TCP] nlibzar.exe:4056 > 216.146.38.70:80 [TCP] 216.146.38.70:80 > nlibzar.exe:4056 [TCP] nlibzar.exe:4056 > 8.5.1.58:80 [TCP] 8.5.1.58:80 > nlibzar.exe:4056
FakeAV (Track Activity Per Button Clicked)
FakeAV (Track Activity Per Button Clicked) Processes Created: ================== [CreateProcess] python.exe:2376 > "C:malwareFakeAV.exe“ [Child PID: 1556] [CreateProcess] FakeAV.exe:1556 > "%WinDir%system32cmd.exe /c taskkill /f /pid 1556 & ping -n 3 127.1 & del /f /q C:malwareFakeAV.exe & start C:DOCUME~1ADMINI~1APPLIC~1DPNCXX~1.EXE -f“ [Child PID: 1164] [CreateProcess] cmd.exe:1164 > "taskkill /f /pid 1556 “ [Child PID: 1344] [CreateProcess] cmd.exe:1164 > "ping -n 3 127.1 " [Child PID: 2748] [CreateProcess] cmd.exe:1164 > "C:DOCUME~1ADMINI~1LOCALS~1APPLIC~1DPNCXX~1.EXE -f“ [Child PID: 776] File Activity: ================== [CreateFile] FakeAV.exe:1556 > %AppData%dpncxxavk.exe [MD5: 8915c6a007fb93b29709be2f428e5cae] [DeleteFile] cmd.exe:1164 > C:MalwareFakeAV.exe [CreateFile] dpncxxavk.exe:776 > %AppData%GDIPFONTCACHEV1.DAT [File no longer exists] Registry Activity: ================== [RegDeleteValue] FakeAV.exe:1556 > HKCUSoftwareMicrosoftWindowsCurrentVersionRunOnceFakeAV
Command line (e.g. HTran) Processes Created: ================== [CreateProcess] cmd.exe:3024 > "htran“ [Child PID: 3924] [CreateProcess] cmd.exe:3024 > "htran -h“ [Child PID: 3848] [CreateProcess] cmd.exe:3024 > "htran -install“ [Child PID: 3688] [CreateProcess] cmd.exe:3024 > "htran -start“ [Child PID: 4072] [CreateProcess] services.exe:720 > "C:Malwarehtran.exe -run“ [Child PID: 268] Registry Activity: ================== [RegSetValue] services.exe:720 > HKLMSystemCurrentControlSetServicesHTranType = 272 [RegSetValue] services.exe:720 > HKLMSystemCurrentControlSetServicesHTranStart = 2 [RegSetValue] services.exe:720 > HKLMSystemCurrentControlSetServicesHTranImagePath = C:Malwarehtran.exe -run [RegSetValue] services.exe:720 > HKLMSystemCurrentControlSetServicesHTranDisplayName = Proxy Service [RegSetValue] services.exe:720 > HKLMSystemCurrentControlSetServicesHTranObjectName = LocalSystem [RegSetValue] htran.exe:3688 > HKLMSystemCurrentControlSetServicesHTranDescription = HUC Socks5 Proxy Service. [RegSetValue] htran.exe:3688 > HKLMSystemCurrentControlSetServicesHTranDatastyk = 0 [RegSetValue] htran.exe:3688 > HKLMSystemCurrentControlSetServicesHTranDatasbpk = 8009 [RegSetValue] htran.exe:3688 > HKLMSystemCurrentControlSetServicesHTranDataschk = 127.0.0.1 [RegSetValue] htran.exe:3688 > HKLMSystemCurrentControlSetServicesHTranDatascpk = 80 [RegSetValue] htran.exe:3688 > HKLMSystemCurrentControlSetServicesHTranDataslpk = 8009 Track activity per PID
Monitor Through Debugger  Or modify memory during exec (e.g. inject decrypted data into memory)  Noriben will just show process as “OllyDbg.exe” or “Immunity.exe” Set BP at JNZ Toggle Z-Flag … Profit!
Noriben Output • Designed to be simple: • Show precise IOCs without much noise. • Easy to Copy/Paste into reports, signatures, alerts, code • Can be an automated sandbox, works best alongside capable analyst • And Notepad++: double-click PID to highlight all Processes Created: ================== [CreateProcess] document.exe:3048 > "malwaredocument.exe“ [Child PID: 3260] [CreateProcess] document.exe:3260 > "%Temp%nlibzar.exe“ [Child PID: 3632] File Activity: ================== [CreateFile] document.exe:3260 > %TEMP%bwtBBCB.tmp [MD5: fa32cacce112c18253a343c3fc41935a] [VT: Not Scanned] [CreateFile] document.exe:3260 > %TEMP%nlibzar.exe [MD5: 03721dc899125df9dba81f6d8d8997cf] [VT: 42/57] Network Traffic: ================== [TCP] nlibzar.exe:4056 > 66.111.47.22:80 [TCP] 66.111.47.22:80 > nlibzar.exe:4056
Options  Pre-filter content using ProcMon Configuration (PMC) filters – Reduces logs from 500 MB to < 50 MB  Import file MD5 white lists  Generalize folder paths: – “C:UsersMalwareAppDataRoaming” > %AppData% – “C:UsersMalwareAppDataLocalTemp” > %Temp%
Whitelist Filters  Simple to write!  RegEx  Just add to top of Noriben.py cmd_whitelist = [r'%SystemRoot%system32wbemwmiprvse.exe', r'%SystemRoot%system32wscntfy.exe', ... file_whitelist = [r'procmon.exe', r'Thumbs.db$', r'%SystemRoot%system32wbemLogs*', ... reg_whitelist = [r'CaptureProcessMonitor', r'HKCUSoftwareMicrosoft.*Window_Placement', r'HKCUSoftwareMicrosoftInternet ExplorerTypedURLs', r'SoftwareMicrosoftWindowsCurrentVersionExplorerFileExts.doc', r'SoftwareMicrosoftWindowsCurrentVersionExplorerRecentDocs', ...
VirusTotal  Query MD5 file hashes from VirusTotal – Requires Python-Requests library – API key in file “virustotal.api” (unless otherwise specified) – Transmits MD5 hashes ONLY (for now) – Raw results stored if debug (-d) is enabled: [*] Writing 2 VirusTotal results to Noriben_10_Jul_15__19_24_48_028000.vt.json [{"scan_id": "8e17d44a23c27f37be5eec94addd979560c0c0aec613750248c2306acacf527e- 1428647243", "sha1": "f0d23da00b382b33b343de8526eaae62df9b3049", "resource": "03721dc899125df9dba81f6d8d8997cf", "response_code": 1, "scan_date": "2015-04-10 06:27:23", "permalink": "https://www.virustotal.com/file/8e17d44a23c27f37be5eec94addd979560c0c0aec613750248c2306 acacf527e/analysis/1428647243/", "verbose_msg": "Scan finished, information embedded", "sha256": "8e17d44a23c27f37be5eec94addd979560c0c0aec613750248c2306acacf527e", "positives": 42, "total": 57, "md5": "03721dc899125df9dba81f6d8d8997cf", "scans": {"Bkav": ...
YARA  Intakes a folder of YARA signatures  Requires yara lib (from source, not pip)  Soft fails on broken rules   Scans against every created, present file
Timeline Output (CSV)  For automated sandbox analysis  For knowing the timing/order of events 3:24:51,Process,CreateProcess,python.exe,2752,malwaredocument.exe,3048 3:24:51,Process,CreateProcess,document.exe,3048,malwaredocument.exe,3260 3:24:51,File,CreateFile,document.exe,3260,%UserProfile%Local SettingsTempbwtBBCB.tmp,fa32cacce112c18253a343c3fc41935a,,[VT: Not Scanned] 3:24:51,File,CreateFile,document.exe,3260,%UserProfile%Local SettingsTempnlibzar.exe,03721dc899125df9dba81f6d8d8997cf,,[VT: 42/57] 3:24:51,Process,CreateProcess,document.exe,3260,%Temp%nlibzar.exe,3632 3:24:52,Process,CreateProcess,nlibzar.exe,3632,%Temp%nlibzar.exe,4056 3:24:52,File,DeleteFile,nlibzar.exe,4056,%UserProfile%DesktopMALWAREdocument.exe 3:24:52,File,CreateFile,nlibzar.exe,4056,%UserProfile%Cookiesindex.dat,ad8004807700f1d8d5ab6fa8c2935ef6,, [VT: Not Scanned] 3:25:07,Network,TCP Send,nlibzar.exe,4056,66.111.47.22:80 3:25:07,Network,TCP Receive,nlibzar.exe,4056 3:25:07,File,CreateFile,nlibzar.exe,4056,%UserProfile%Local SettingsTemporary Internet FilesContent.IE50V0T0HC5suspendedpage[1].htm,7acfe81f71e166364c90bfe156250da6,,[VT: 0/56] 3:25:15,Network,TCP Send,nlibzar.exe,4056,216.146.38.70:80 3:25:15,Network,TCP Receive,nlibzar.exe,4056 3:25:17,Network,TCP Send,nlibzar.exe,4056,8.5.1.58:80 3:25:17,Network,TCP Receive,nlibzar.exe,4056

Recommended

Ethical hacking Chapter 7 - Enumeration - Eric Vanderburg
Ethical hacking Chapter 7 - Enumeration - Eric VanderburgEthical hacking Chapter 7 - Enumeration - Eric Vanderburg
Ethical hacking Chapter 7 - Enumeration - Eric VanderburgEric Vanderburg
 
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced ActorsMemory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced ActorsJared Greenhill
 
Introduction to Malware Detection and Reverse Engineering
Introduction to Malware Detection and Reverse EngineeringIntroduction to Malware Detection and Reverse Engineering
Introduction to Malware Detection and Reverse Engineeringintertelinvestigations
 
CNIT 126 11. Malware Behavior
CNIT 126 11. Malware BehaviorCNIT 126 11. Malware Behavior
CNIT 126 11. Malware BehaviorSam Bowne
 
Practical Malware Analysis: Ch 15: Anti-Disassembly
Practical Malware Analysis: Ch 15: Anti-DisassemblyPractical Malware Analysis: Ch 15: Anti-Disassembly
Practical Malware Analysis: Ch 15: Anti-DisassemblySam Bowne
 
Malware analysis
Malware analysisMalware analysis
Malware analysisPrakashchand Suthar
 
Super Easy Memory Forensics
Super Easy Memory ForensicsSuper Easy Memory Forensics
Super Easy Memory ForensicsIIJ
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware AnalysisAndrew McNicol
 

Recommended

Ethical hacking Chapter 7 - Enumeration - Eric Vanderburg
Ethical hacking Chapter 7 - Enumeration - Eric VanderburgEthical hacking Chapter 7 - Enumeration - Eric Vanderburg
Ethical hacking Chapter 7 - Enumeration - Eric VanderburgEric Vanderburg
 
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced ActorsMemory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced ActorsJared Greenhill
 
Introduction to Malware Detection and Reverse Engineering
Introduction to Malware Detection and Reverse EngineeringIntroduction to Malware Detection and Reverse Engineering
Introduction to Malware Detection and Reverse Engineeringintertelinvestigations
 
CNIT 126 11. Malware Behavior
CNIT 126 11. Malware BehaviorCNIT 126 11. Malware Behavior
CNIT 126 11. Malware BehaviorSam Bowne
 
Practical Malware Analysis: Ch 15: Anti-Disassembly
Practical Malware Analysis: Ch 15: Anti-DisassemblyPractical Malware Analysis: Ch 15: Anti-Disassembly
Practical Malware Analysis: Ch 15: Anti-DisassemblySam Bowne
 
Malware analysis
Malware analysisMalware analysis
Malware analysisPrakashchand Suthar
 
Super Easy Memory Forensics
Super Easy Memory ForensicsSuper Easy Memory Forensics
Super Easy Memory ForensicsIIJ
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware AnalysisAndrew McNicol
 
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic AnalysisCNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic AnalysisSam Bowne
 
CNIT 126: Ch 2 & 3
CNIT 126: Ch 2 & 3CNIT 126: Ch 2 & 3
CNIT 126: Ch 2 & 3Sam Bowne
 
Malware Analysis Made Simple
Malware Analysis Made SimpleMalware Analysis Made Simple
Malware Analysis Made SimplePaul Melson
 
Web application attacks
Web application attacksWeb application attacks
Web application attackshruth
 
Basic Dynamic Analysis of Malware
Basic Dynamic Analysis of MalwareBasic Dynamic Analysis of Malware
Basic Dynamic Analysis of MalwareNatraj G
 
MindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetMindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetJuan F. Padilla
 
CNIT 126: 8: Debugging
CNIT 126: 8: DebuggingCNIT 126: 8: Debugging
CNIT 126: 8: DebuggingSam Bowne
 
Practical Malware Analysis: Ch 11: Malware Behavior
Practical Malware Analysis: Ch 11: Malware BehaviorPractical Malware Analysis: Ch 11: Malware Behavior
Practical Malware Analysis: Ch 11: Malware BehaviorSam Bowne
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2Scott Sutherland
 
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbgPractical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbgSam Bowne
 
Practical Malware Analysis: Ch 8: Debugging
Practical Malware Analysis: Ch 8: Debugging Practical Malware Analysis: Ch 8: Debugging
Practical Malware Analysis: Ch 8: Debugging Sam Bowne
 
Practical Malware Analysis: Ch 4 A Crash Course in x86 Disassembly
Practical Malware Analysis: Ch 4 A Crash Course in x86 Disassembly Practical Malware Analysis: Ch 4 A Crash Course in x86 Disassembly
Practical Malware Analysis: Ch 4 A Crash Course in x86 Disassembly Sam Bowne
 
Incident response before:after breach
Incident response before:after breachIncident response before:after breach
Incident response before:after breachSumedt Jitpukdebodin
 
Basic malware analysis
Basic malware analysisBasic malware analysis
Basic malware analysissecurityxploded
 
Vulnerability Management
Vulnerability ManagementVulnerability Management
Vulnerability Managementasherad
 
Malware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence MoroccoMalware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence MoroccoTouhami Kasbaoui
 
CNIT 152: 1 Real-World Incidents
CNIT 152: 1 Real-World IncidentsCNIT 152: 1 Real-World Incidents
CNIT 152: 1 Real-World IncidentsSam Bowne
 
Metasploit seminar
Metasploit seminarMetasploit seminar
Metasploit seminarhenelpj
 
Practical Malware Analysis Ch 14: Malware-Focused Network Signatures
Practical Malware Analysis Ch 14: Malware-Focused Network SignaturesPractical Malware Analysis Ch 14: Malware-Focused Network Signatures
Practical Malware Analysis Ch 14: Malware-Focused Network SignaturesSam Bowne
 
Penetration testing
Penetration testingPenetration testing
Penetration testingAmmar WK
 
Casual Cyber Crime
Casual Cyber CrimeCasual Cyber Crime
Casual Cyber CrimeBrian Baskin
 
Introducing Intelligence Into Your Malware Analysis
Introducing Intelligence Into Your Malware AnalysisIntroducing Intelligence Into Your Malware Analysis
Introducing Intelligence Into Your Malware AnalysisBrian Baskin
 

More Related Content

What's hot

CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic AnalysisCNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic AnalysisSam Bowne
 
CNIT 126: Ch 2 & 3
CNIT 126: Ch 2 & 3CNIT 126: Ch 2 & 3
CNIT 126: Ch 2 & 3Sam Bowne
 
Malware Analysis Made Simple
Malware Analysis Made SimpleMalware Analysis Made Simple
Malware Analysis Made SimplePaul Melson
 
Web application attacks
Web application attacksWeb application attacks
Web application attackshruth
 
Basic Dynamic Analysis of Malware
Basic Dynamic Analysis of MalwareBasic Dynamic Analysis of Malware
Basic Dynamic Analysis of MalwareNatraj G
 
MindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetMindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetJuan F. Padilla
 
CNIT 126: 8: Debugging
CNIT 126: 8: DebuggingCNIT 126: 8: Debugging
CNIT 126: 8: DebuggingSam Bowne
 
Practical Malware Analysis: Ch 11: Malware Behavior
Practical Malware Analysis: Ch 11: Malware BehaviorPractical Malware Analysis: Ch 11: Malware Behavior
Practical Malware Analysis: Ch 11: Malware BehaviorSam Bowne
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2Scott Sutherland
 
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbgPractical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbgSam Bowne
 
Practical Malware Analysis: Ch 8: Debugging
Practical Malware Analysis: Ch 8: Debugging Practical Malware Analysis: Ch 8: Debugging
Practical Malware Analysis: Ch 8: Debugging Sam Bowne
 
Practical Malware Analysis: Ch 4 A Crash Course in x86 Disassembly
Practical Malware Analysis: Ch 4 A Crash Course in x86 Disassembly Practical Malware Analysis: Ch 4 A Crash Course in x86 Disassembly
Practical Malware Analysis: Ch 4 A Crash Course in x86 Disassembly Sam Bowne
 
Incident response before:after breach
Incident response before:after breachIncident response before:after breach
Incident response before:after breachSumedt Jitpukdebodin
 
Vulnerability Management
Vulnerability ManagementVulnerability Management
Vulnerability Managementasherad
 
Malware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence MoroccoMalware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence MoroccoTouhami Kasbaoui
 
CNIT 152: 1 Real-World Incidents
CNIT 152: 1 Real-World IncidentsCNIT 152: 1 Real-World Incidents
CNIT 152: 1 Real-World IncidentsSam Bowne
 
Metasploit seminar
Metasploit seminarMetasploit seminar
Metasploit seminarhenelpj
 
Practical Malware Analysis Ch 14: Malware-Focused Network Signatures
Practical Malware Analysis Ch 14: Malware-Focused Network SignaturesPractical Malware Analysis Ch 14: Malware-Focused Network Signatures
Practical Malware Analysis Ch 14: Malware-Focused Network SignaturesSam Bowne
 
Penetration testing
Penetration testingPenetration testing
Penetration testingAmmar WK
 

What's hot (20)

CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic AnalysisCNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
 
CNIT 126: Ch 2 & 3
CNIT 126: Ch 2 & 3CNIT 126: Ch 2 & 3
CNIT 126: Ch 2 & 3
 
Malware Analysis Made Simple
Malware Analysis Made SimpleMalware Analysis Made Simple
Malware Analysis Made Simple
 
Web application attacks
Web application attacksWeb application attacks
Web application attacks
 
Basic Dynamic Analysis of Malware
Basic Dynamic Analysis of MalwareBasic Dynamic Analysis of Malware
Basic Dynamic Analysis of Malware
 
MindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetMindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat Sheet
 
CNIT 126: 8: Debugging
CNIT 126: 8: DebuggingCNIT 126: 8: Debugging
CNIT 126: 8: Debugging
 
Practical Malware Analysis: Ch 11: Malware Behavior
Practical Malware Analysis: Ch 11: Malware BehaviorPractical Malware Analysis: Ch 11: Malware Behavior
Practical Malware Analysis: Ch 11: Malware Behavior
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2
 
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbgPractical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
 
Practical Malware Analysis: Ch 8: Debugging
Practical Malware Analysis: Ch 8: Debugging Practical Malware Analysis: Ch 8: Debugging
Practical Malware Analysis: Ch 8: Debugging
 
Practical Malware Analysis: Ch 4 A Crash Course in x86 Disassembly
Practical Malware Analysis: Ch 4 A Crash Course in x86 Disassembly Practical Malware Analysis: Ch 4 A Crash Course in x86 Disassembly
Practical Malware Analysis: Ch 4 A Crash Course in x86 Disassembly
 
Incident response before:after breach
Incident response before:after breachIncident response before:after breach
Incident response before:after breach
 
Basic malware analysis
Basic malware analysisBasic malware analysis
Basic malware analysis
 
Vulnerability Management
Vulnerability ManagementVulnerability Management
Vulnerability Management
 
Malware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence MoroccoMalware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence Morocco
 
CNIT 152: 1 Real-World Incidents
CNIT 152: 1 Real-World IncidentsCNIT 152: 1 Real-World Incidents
CNIT 152: 1 Real-World Incidents
 
Metasploit seminar
Metasploit seminarMetasploit seminar
Metasploit seminar
 
Practical Malware Analysis Ch 14: Malware-Focused Network Signatures
Practical Malware Analysis Ch 14: Malware-Focused Network SignaturesPractical Malware Analysis Ch 14: Malware-Focused Network Signatures
Practical Malware Analysis Ch 14: Malware-Focused Network Signatures
 
Penetration testing
Penetration testingPenetration testing
Penetration testing
 

Viewers also liked

Casual Cyber Crime
Casual Cyber CrimeCasual Cyber Crime
Casual Cyber CrimeBrian Baskin
 
Introducing Intelligence Into Your Malware Analysis
Introducing Intelligence Into Your Malware AnalysisIntroducing Intelligence Into Your Malware Analysis
Introducing Intelligence Into Your Malware AnalysisBrian Baskin
 
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis SystemScalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis SystemTamas K Lengyel
 
Java bytecode Malware Analysis
Java bytecode Malware AnalysisJava bytecode Malware Analysis
Java bytecode Malware AnalysisBrian Baskin
 
Sandbox kiev
Sandbox kievSandbox kiev
Sandbox kievuisgslide
 
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisInside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisChong-Kuan Chen
 
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"Lane Huff
 
Information Gathering Over Twitter
Information Gathering Over TwitterInformation Gathering Over Twitter
Information Gathering Over TwitterBrian Baskin
 
Waf.js: How to Protect Web Applications using JavaScript
Waf.js: How to Protect Web Applications using JavaScriptWaf.js: How to Protect Web Applications using JavaScript
Waf.js: How to Protect Web Applications using JavaScriptDenis Kolegov
 
LCEU13: Securing your cloud with Xen's advanced security features - George Du...
LCEU13: Securing your cloud with Xen's advanced security features - George Du...LCEU13: Securing your cloud with Xen's advanced security features - George Du...
LCEU13: Securing your cloud with Xen's advanced security features - George Du...The Linux Foundation
 
LinuxCon Japan 13 : 10 years of Xen and Beyond
LinuxCon Japan 13 : 10 years of Xen and BeyondLinuxCon Japan 13 : 10 years of Xen and Beyond
LinuxCon Japan 13 : 10 years of Xen and BeyondThe Linux Foundation
 
SharePoint Saturday Ottawa - How secure is my data in office 365?
SharePoint Saturday Ottawa - How secure is my data in office 365?SharePoint Saturday Ottawa - How secure is my data in office 365?
SharePoint Saturday Ottawa - How secure is my data in office 365?AntonioMaio2
 

Viewers also liked (15)

Casual Cyber Crime
Casual Cyber CrimeCasual Cyber Crime
Casual Cyber Crime
 
Introducing Intelligence Into Your Malware Analysis
Introducing Intelligence Into Your Malware AnalysisIntroducing Intelligence Into Your Malware Analysis
Introducing Intelligence Into Your Malware Analysis
 
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis SystemScalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
 
Java bytecode Malware Analysis
Java bytecode Malware AnalysisJava bytecode Malware Analysis
Java bytecode Malware Analysis
 
Sandbox kiev
Sandbox kievSandbox kiev
Sandbox kiev
 
P2P Forensics
P2P ForensicsP2P Forensics
P2P Forensics
 
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisInside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
 
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
 
Teach your kids to code
Teach your kids to codeTeach your kids to code
Teach your kids to code
 
Information Gathering Over Twitter
Information Gathering Over TwitterInformation Gathering Over Twitter
Information Gathering Over Twitter
 
Waf.js: How to Protect Web Applications using JavaScript
Waf.js: How to Protect Web Applications using JavaScriptWaf.js: How to Protect Web Applications using JavaScript
Waf.js: How to Protect Web Applications using JavaScript
 
Agile scrum roles
Agile scrum rolesAgile scrum roles
Agile scrum roles
 
LCEU13: Securing your cloud with Xen's advanced security features - George Du...
LCEU13: Securing your cloud with Xen's advanced security features - George Du...LCEU13: Securing your cloud with Xen's advanced security features - George Du...
LCEU13: Securing your cloud with Xen's advanced security features - George Du...
 
LinuxCon Japan 13 : 10 years of Xen and Beyond
LinuxCon Japan 13 : 10 years of Xen and BeyondLinuxCon Japan 13 : 10 years of Xen and Beyond
LinuxCon Japan 13 : 10 years of Xen and Beyond
 
SharePoint Saturday Ottawa - How secure is my data in office 365?
SharePoint Saturday Ottawa - How secure is my data in office 365?SharePoint Saturday Ottawa - How secure is my data in office 365?
SharePoint Saturday Ottawa - How secure is my data in office 365?
 

Similar to Black Hat 2015 Arsenal: Noriben Malware Analysis

Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...grecsl
 
Black Energy18 - Russian botnet package analysis
Black Energy18 - Russian botnet package analysisBlack Energy18 - Russian botnet package analysis
Black Energy18 - Russian botnet package analysisRoberto Suggi Liverani
 
Forensics perspective ERFA-møde marts 2017
Forensics perspective ERFA-møde marts 2017 Forensics perspective ERFA-møde marts 2017
Forensics perspective ERFA-møde marts 2017J Hartig
 
PyCon AU 2012 - Debugging Live Python Web Applications
PyCon AU 2012 - Debugging Live Python Web ApplicationsPyCon AU 2012 - Debugging Live Python Web Applications
PyCon AU 2012 - Debugging Live Python Web ApplicationsGraham Dumpleton
 
Malware Analysis For The Enterprise
Malware Analysis For The EnterpriseMalware Analysis For The Enterprise
Malware Analysis For The EnterpriseJason Ross
 
Machine Learning and Logging for Monitoring Microservices
Machine Learning and Logging for Monitoring Microservices Machine Learning and Logging for Monitoring Microservices
Machine Learning and Logging for Monitoring Microservices Daniel Berman
 
CHAPTER 3 BASIC DYNAMIC ANALYSIS.ppt
CHAPTER 3 BASIC DYNAMIC ANALYSIS.pptCHAPTER 3 BASIC DYNAMIC ANALYSIS.ppt
CHAPTER 3 BASIC DYNAMIC ANALYSIS.pptManjuAppukuttan2
 
Infosecurity Europe 2019 - Phishing & OOB Exfiltration Through Purple Tinted ...
Infosecurity Europe 2019 - Phishing & OOB Exfiltration Through Purple Tinted ...Infosecurity Europe 2019 - Phishing & OOB Exfiltration Through Purple Tinted ...
Infosecurity Europe 2019 - Phishing & OOB Exfiltration Through Purple Tinted ...in.security Ltd.
 
Configuration Auditing
Configuration AuditingConfiguration Auditing
Configuration AuditingAlbert Campa
 
Anomalies Detection: Windows OS - Part 1
Anomalies Detection: Windows OS - Part 1Anomalies Detection: Windows OS - Part 1
Anomalies Detection: Windows OS - Part 1Rhydham Joshi
 
Anomalies Detection: Windows OS - Part 1
Anomalies Detection: Windows OS - Part 1Anomalies Detection: Windows OS - Part 1
Anomalies Detection: Windows OS - Part 1Rhydham Joshi
 
Год в Github bugbounty, опыт участия
Год в Github bugbounty, опыт участияГод в Github bugbounty, опыт участия
Год в Github bugbounty, опыт участияdefcon_kz
 
Secure Software: Action, Comedy or Drama? (2017 edition)
Secure Software: Action, Comedy or Drama? (2017 edition)Secure Software: Action, Comedy or Drama? (2017 edition)
Secure Software: Action, Comedy or Drama? (2017 edition)Peter Sabev
 
Windows Attacks AT is the new black
Windows Attacks AT is the new blackWindows Attacks AT is the new black
Windows Attacks AT is the new blackRob Fuller
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new blackChris Gates
 

Similar to Black Hat 2015 Arsenal: Noriben Malware Analysis (20)

Spug pt session2 - debuggingl
Spug pt session2 - debugginglSpug pt session2 - debuggingl
Spug pt session2 - debuggingl
 
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
 
Black Energy18 - Russian botnet package analysis
Black Energy18 - Russian botnet package analysisBlack Energy18 - Russian botnet package analysis
Black Energy18 - Russian botnet package analysis
 
Forensics perspective ERFA-møde marts 2017
Forensics perspective ERFA-møde marts 2017 Forensics perspective ERFA-møde marts 2017
Forensics perspective ERFA-møde marts 2017
 
Basic malware analysis
Basic malware analysis Basic malware analysis
Basic malware analysis
 
Zabbixconf2016(2)
Zabbixconf2016(2)Zabbixconf2016(2)
Zabbixconf2016(2)
 
PyCon AU 2012 - Debugging Live Python Web Applications
PyCon AU 2012 - Debugging Live Python Web ApplicationsPyCon AU 2012 - Debugging Live Python Web Applications
PyCon AU 2012 - Debugging Live Python Web Applications
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
 
Malware Analysis For The Enterprise
Malware Analysis For The EnterpriseMalware Analysis For The Enterprise
Malware Analysis For The Enterprise
 
Machine Learning and Logging for Monitoring Microservices
Machine Learning and Logging for Monitoring Microservices Machine Learning and Logging for Monitoring Microservices
Machine Learning and Logging for Monitoring Microservices
 
CHAPTER 3 BASIC DYNAMIC ANALYSIS.ppt
CHAPTER 3 BASIC DYNAMIC ANALYSIS.pptCHAPTER 3 BASIC DYNAMIC ANALYSIS.ppt
CHAPTER 3 BASIC DYNAMIC ANALYSIS.ppt
 
Infosecurity Europe 2019 - Phishing & OOB Exfiltration Through Purple Tinted ...
Infosecurity Europe 2019 - Phishing & OOB Exfiltration Through Purple Tinted ...Infosecurity Europe 2019 - Phishing & OOB Exfiltration Through Purple Tinted ...
Infosecurity Europe 2019 - Phishing & OOB Exfiltration Through Purple Tinted ...
 
Configuration Auditing
Configuration AuditingConfiguration Auditing
Configuration Auditing
 
Anomalies Detection: Windows OS - Part 1
Anomalies Detection: Windows OS - Part 1Anomalies Detection: Windows OS - Part 1
Anomalies Detection: Windows OS - Part 1
 
Anomalies Detection: Windows OS - Part 1
Anomalies Detection: Windows OS - Part 1Anomalies Detection: Windows OS - Part 1
Anomalies Detection: Windows OS - Part 1
 
Год в Github bugbounty, опыт участия
Год в Github bugbounty, опыт участияГод в Github bugbounty, опыт участия
Год в Github bugbounty, опыт участия
 
Secure Software: Action, Comedy or Drama? (2017 edition)
Secure Software: Action, Comedy or Drama? (2017 edition)Secure Software: Action, Comedy or Drama? (2017 edition)
Secure Software: Action, Comedy or Drama? (2017 edition)
 
Windows Attacks AT is the new black
Windows Attacks AT is the new blackWindows Attacks AT is the new black
Windows Attacks AT is the new black
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new black
 

Recently uploaded

Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 

Recently uploaded (20)

Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 

Black Hat 2015 Arsenal: Noriben Malware Analysis

  • 1. Your Personal, Portable, Malware Analysis Sandbox Brian Baskin @bbaskin github.com/Rurik
  • 2. Origin Story Nori-Ben: Seaweed Lunch Box Simplest “box” to make Cheap Minimal ingredients
  • 3. Noriben  Simple Malware Analysis Sandbox – Wrapper for Microsoft SysInternals Process Monitor (ProcMon) – Build a Sandbox VM with just: ▪ Noriben.py ▪ Procmon.exe – Optional: ▪ Extra Procmon binary filters ▪ YARA signature files ▪ VirusTotal API Key ▪ Add new filters to the script
  • 4. Goals  Quick malware analysis results  Flexibility for open-ended runs (manually stopped analysis)  Allow for user interaction  Analysis of: – GUI apps – Command line args – Malware requiring debugging (Z-flags, code/mem altering) – Long sleeps (hours, days)
  • 5. Focus  Processes, File Activity, Registry Activity, Network Activity  Log high level API calls while filtering out known noise – Thumbnail creation – Prefetch creation – Explorer registry keys (MRUs) – RecentDocs – Malware analysis tools (CaptureBat, IDA, FakeNet) – VMWare Tools – Java updater …
  • 6. ZeroAccess Processes Created: ================== [CreateProcess] Explorer.EXE:1432 > "%UserProfile%Desktophehda.exe" [Child PID: 2520] [CreateProcess] hehda.exe:2520 > "%WinDir%system32cmd.exe" [Child PID: 3444] File Activity: ================== [CreateFile] hehda.exe:2520 > C:RECYCLERS-1-5-21-861567501-412668190-725345543-500$fab110457830839344b58457ddd1f357@ [MD5: 814c3536c2aab13763ac0beb7847a71f] [VT: Not Scanned] [CreateFile] hehda.exe:2520 > C:RECYCLERS-1-5-21-861567501-412668190-725345543-500$fab110457830839344b58457ddd1f357n [MD5: cfaddbb43ba973f8d15d7d2e50c63476] [YARA: ZeroAccess_Bin] [VT: 50/55] [DeleteFile] cmd.exe:3444 > %UserProfile%Desktophehda.exe Registry Activity: ================== [CreateKey] hehda.exe:2520 > HKCUSoftwareClassesCLSID{fbeb8a05-beee-4442-804e-409d6c4515e9}InprocServer32 [SetValue] hehda.exe:2520 > HKCUSoftwareClassesCLSID{fbeb8a05-beee-4442-804e- 409d6c4515e9}InprocServer32ThreadingModel = Both [SetValue] hehda.exe:2520 > HKCUSoftwareClassesCLSID{fbeb8a05-beee-4442-804e-409d6c4515e9}InprocServer32(Default) = C:RECYCLERS-1-5-21-861567501-412668190-725345543-500$fab110457830839344b58457ddd1f357n. Network Traffic: ================== [UDP] hehda.exe:2520 > google-public-dns-a.google.com:53 [UDP] google-public-dns-a.google.com:53 > hehda.exe:2520 [HTTP] hehda.exe:2520 > 50.22.196.70-static.reverse.softlayer.com:80 [TCP] 50.22.196.70-static.reverse.softlayer.com:80 > hehda.exe:2520 [UDP] hehda.exe:2520 > 83.133.123.20:53
  • 7. Upatre Campaign Processes Created: ================== [CreateProcess] python.exe:2752 > "malwaredocument.exe" [Child PID: 3048] [CreateProcess] document.exe:3048 > "malwaredocument.exe" [Child PID: 3260] [CreateProcess] document.exe:3260 > "%Temp%nlibzar.exe" [Child PID: 3632] [CreateProcess] nlibzar.exe:3632 > "%Temp%nlibzar.exe" [Child PID: 4056] File Activity: ================== [CreateFile] document.exe:3260 > %Temp%bwtBBCB.tmp [MD5: fa32cacce112c18253a343c3fc41935a] [VT: Not Scanned] [CreateFile] document.exe:3260 > %Temp%nlibzar.exe [MD5: 03721dc899125df9dba81f6d8d8997cf] [VT: 42/57] [DeleteFile] nlibzar.exe:4056 > %UserProfile%DesktopMALWAREdocument.exe [CreateFile] nlibzar.exe:4056 > %UserProfile%Local SettingsTemporary Internet FilesContent.IE5CROVKFGZsuspendedpage[1].htm [MD5: 7acfe81f71e166364c90bfe156250da6] [VT: 0/56] [DeleteFile] nlibzar.exe:4056 > %UserProfile%Local SettingsTemporary Internet FilesContent.IE50V0T0HC5suspendedpage[1].htm Network Traffic: ================== [TCP] nlibzar.exe:4056 > 66.111.47.22:80 [TCP] 66.111.47.22:80 > nlibzar.exe:4056 [TCP] nlibzar.exe:4056 > 216.146.38.70:80 [TCP] 216.146.38.70:80 > nlibzar.exe:4056 [TCP] nlibzar.exe:4056 > 8.5.1.58:80 [TCP] 8.5.1.58:80 > nlibzar.exe:4056
  • 8. FakeAV (Track Activity Per Button Clicked)
  • 9. FakeAV (Track Activity Per Button Clicked) Processes Created: ================== [CreateProcess] python.exe:2376 > "C:malwareFakeAV.exe“ [Child PID: 1556] [CreateProcess] FakeAV.exe:1556 > "%WinDir%system32cmd.exe /c taskkill /f /pid 1556 & ping -n 3 127.1 & del /f /q C:malwareFakeAV.exe & start C:DOCUME~1ADMINI~1APPLIC~1DPNCXX~1.EXE -f“ [Child PID: 1164] [CreateProcess] cmd.exe:1164 > "taskkill /f /pid 1556 “ [Child PID: 1344] [CreateProcess] cmd.exe:1164 > "ping -n 3 127.1 " [Child PID: 2748] [CreateProcess] cmd.exe:1164 > "C:DOCUME~1ADMINI~1LOCALS~1APPLIC~1DPNCXX~1.EXE -f“ [Child PID: 776] File Activity: ================== [CreateFile] FakeAV.exe:1556 > %AppData%dpncxxavk.exe [MD5: 8915c6a007fb93b29709be2f428e5cae] [DeleteFile] cmd.exe:1164 > C:MalwareFakeAV.exe [CreateFile] dpncxxavk.exe:776 > %AppData%GDIPFONTCACHEV1.DAT [File no longer exists] Registry Activity: ================== [RegDeleteValue] FakeAV.exe:1556 > HKCUSoftwareMicrosoftWindowsCurrentVersionRunOnceFakeAV
  • 10. Command line (e.g. HTran) Processes Created: ================== [CreateProcess] cmd.exe:3024 > "htran“ [Child PID: 3924] [CreateProcess] cmd.exe:3024 > "htran -h“ [Child PID: 3848] [CreateProcess] cmd.exe:3024 > "htran -install“ [Child PID: 3688] [CreateProcess] cmd.exe:3024 > "htran -start“ [Child PID: 4072] [CreateProcess] services.exe:720 > "C:Malwarehtran.exe -run“ [Child PID: 268] Registry Activity: ================== [RegSetValue] services.exe:720 > HKLMSystemCurrentControlSetServicesHTranType = 272 [RegSetValue] services.exe:720 > HKLMSystemCurrentControlSetServicesHTranStart = 2 [RegSetValue] services.exe:720 > HKLMSystemCurrentControlSetServicesHTranImagePath = C:Malwarehtran.exe -run [RegSetValue] services.exe:720 > HKLMSystemCurrentControlSetServicesHTranDisplayName = Proxy Service [RegSetValue] services.exe:720 > HKLMSystemCurrentControlSetServicesHTranObjectName = LocalSystem [RegSetValue] htran.exe:3688 > HKLMSystemCurrentControlSetServicesHTranDescription = HUC Socks5 Proxy Service. [RegSetValue] htran.exe:3688 > HKLMSystemCurrentControlSetServicesHTranDatastyk = 0 [RegSetValue] htran.exe:3688 > HKLMSystemCurrentControlSetServicesHTranDatasbpk = 8009 [RegSetValue] htran.exe:3688 > HKLMSystemCurrentControlSetServicesHTranDataschk = 127.0.0.1 [RegSetValue] htran.exe:3688 > HKLMSystemCurrentControlSetServicesHTranDatascpk = 80 [RegSetValue] htran.exe:3688 > HKLMSystemCurrentControlSetServicesHTranDataslpk = 8009 Track activity per PID
  • 11. Monitor Through Debugger  Or modify memory during exec (e.g. inject decrypted data into memory)  Noriben will just show process as “OllyDbg.exe” or “Immunity.exe” Set BP at JNZ Toggle Z-Flag … Profit!
  • 12. Noriben Output • Designed to be simple: • Show precise IOCs without much noise. • Easy to Copy/Paste into reports, signatures, alerts, code • Can be an automated sandbox, works best alongside capable analyst • And Notepad++: double-click PID to highlight all Processes Created: ================== [CreateProcess] document.exe:3048 > "malwaredocument.exe“ [Child PID: 3260] [CreateProcess] document.exe:3260 > "%Temp%nlibzar.exe“ [Child PID: 3632] File Activity: ================== [CreateFile] document.exe:3260 > %TEMP%bwtBBCB.tmp [MD5: fa32cacce112c18253a343c3fc41935a] [VT: Not Scanned] [CreateFile] document.exe:3260 > %TEMP%nlibzar.exe [MD5: 03721dc899125df9dba81f6d8d8997cf] [VT: 42/57] Network Traffic: ================== [TCP] nlibzar.exe:4056 > 66.111.47.22:80 [TCP] 66.111.47.22:80 > nlibzar.exe:4056
  • 13. Options  Pre-filter content using ProcMon Configuration (PMC) filters – Reduces logs from 500 MB to < 50 MB  Import file MD5 white lists  Generalize folder paths: – “C:UsersMalwareAppDataRoaming” > %AppData% – “C:UsersMalwareAppDataLocalTemp” > %Temp%
  • 14. Whitelist Filters  Simple to write!  RegEx  Just add to top of Noriben.py cmd_whitelist = [r'%SystemRoot%system32wbemwmiprvse.exe', r'%SystemRoot%system32wscntfy.exe', ... file_whitelist = [r'procmon.exe', r'Thumbs.db$', r'%SystemRoot%system32wbemLogs*', ... reg_whitelist = [r'CaptureProcessMonitor', r'HKCUSoftwareMicrosoft.*Window_Placement', r'HKCUSoftwareMicrosoftInternet ExplorerTypedURLs', r'SoftwareMicrosoftWindowsCurrentVersionExplorerFileExts.doc', r'SoftwareMicrosoftWindowsCurrentVersionExplorerRecentDocs', ...
  • 15. VirusTotal  Query MD5 file hashes from VirusTotal – Requires Python-Requests library – API key in file “virustotal.api” (unless otherwise specified) – Transmits MD5 hashes ONLY (for now) – Raw results stored if debug (-d) is enabled: [*] Writing 2 VirusTotal results to Noriben_10_Jul_15__19_24_48_028000.vt.json [{"scan_id": "8e17d44a23c27f37be5eec94addd979560c0c0aec613750248c2306acacf527e- 1428647243", "sha1": "f0d23da00b382b33b343de8526eaae62df9b3049", "resource": "03721dc899125df9dba81f6d8d8997cf", "response_code": 1, "scan_date": "2015-04-10 06:27:23", "permalink": "https://www.virustotal.com/file/8e17d44a23c27f37be5eec94addd979560c0c0aec613750248c2306 acacf527e/analysis/1428647243/", "verbose_msg": "Scan finished, information embedded", "sha256": "8e17d44a23c27f37be5eec94addd979560c0c0aec613750248c2306acacf527e", "positives": 42, "total": 57, "md5": "03721dc899125df9dba81f6d8d8997cf", "scans": {"Bkav": ...
  • 16. YARA  Intakes a folder of YARA signatures  Requires yara lib (from source, not pip)  Soft fails on broken rules   Scans against every created, present file
  • 17. Timeline Output (CSV)  For automated sandbox analysis  For knowing the timing/order of events 3:24:51,Process,CreateProcess,python.exe,2752,malwaredocument.exe,3048 3:24:51,Process,CreateProcess,document.exe,3048,malwaredocument.exe,3260 3:24:51,File,CreateFile,document.exe,3260,%UserProfile%Local SettingsTempbwtBBCB.tmp,fa32cacce112c18253a343c3fc41935a,,[VT: Not Scanned] 3:24:51,File,CreateFile,document.exe,3260,%UserProfile%Local SettingsTempnlibzar.exe,03721dc899125df9dba81f6d8d8997cf,,[VT: 42/57] 3:24:51,Process,CreateProcess,document.exe,3260,%Temp%nlibzar.exe,3632 3:24:52,Process,CreateProcess,nlibzar.exe,3632,%Temp%nlibzar.exe,4056 3:24:52,File,DeleteFile,nlibzar.exe,4056,%UserProfile%DesktopMALWAREdocument.exe 3:24:52,File,CreateFile,nlibzar.exe,4056,%UserProfile%Cookiesindex.dat,ad8004807700f1d8d5ab6fa8c2935ef6,, [VT: Not Scanned] 3:25:07,Network,TCP Send,nlibzar.exe,4056,66.111.47.22:80 3:25:07,Network,TCP Receive,nlibzar.exe,4056 3:25:07,File,CreateFile,nlibzar.exe,4056,%UserProfile%Local SettingsTemporary Internet FilesContent.IE50V0T0HC5suspendedpage[1].htm,7acfe81f71e166364c90bfe156250da6,,[VT: 0/56] 3:25:15,Network,TCP Send,nlibzar.exe,4056,216.146.38.70:80 3:25:15,Network,TCP Receive,nlibzar.exe,4056 3:25:17,Network,TCP Send,nlibzar.exe,4056,8.5.1.58:80 3:25:17,Network,TCP Receive,nlibzar.exe,4056