-
Seja a primeira pessoa a gostar disto
Próximos SlideShares
[CB19] MalCfgParser: A Lightweight Malware Configuration Parsing Tool by Ycy Yu, Duckll Liao, Charles Li
- 1. MALCFGPARSER A LIGHTWEIGHT MALWARE CONFIGURATION PARSING TOOL
- 2. YCY Cyber Threat Analyst DUCKLL Cyber Threat Analyst CHARLES LI Chief Analyst
- 3. 3 60+ Clients in Asia Pacific 90%+ MSSP in Taiwan Government agencies Telecom / ISP Leading CTI Firms Accounting firms / Financial sectors Semiconductor / Manufacturing International Trading NGO / NPO Taiwan 10+ Partners Japan 2+ Partners Start from APAC, Speak for APAC, Guardian of APAC ASEAN 3+ Partners
- 4. POWERED BY SUPPORTS AND POSSIBLY OTHER PRODUCTS…?
- 5. MEMORY DUMP SCAN ADVERSARY: POLARIS (MUSTANG PANDA) MALWARE: PLUGX
- 6. LIVE MEMORY SCAN MALWARE: PHANTOMIVY
- 7. LIVE MEMORY SCANEVER-CHANGING MALWARE 2015 FROM APT20 PLUGX 0X36A4 LOADER 2016 FROM DRAGONOK > STRINGS cPNfEPGjP<p=t XeWTjYfOOib]jYR hJ;b@K:CJiFCJaNBJX c[]ln[x d5BF Ba>;BP rIFBPmTGQIP <111 T;BB7 bhgvn pRCjHSBKRoVISKRv GetProcAddress LoadLibraryA KERNEL32.dll ;Tls.u MessageBoxA user32.dll GetModuleFileNameA GetModuleHandleA GetSystemTime Sleep lstrlenA kernel32.dll !+W RasTls.dll DoWork 2X<^<&= …
- 8. LIVE MEMORY SCANEVER-CHANGING MALWARE 2017 FROM SLIME.HLEMONK PLUGX 0X36A4 LOADER IN MEMORY > STRINGS Create FileW CreateFileMappingW MapViewOfFile GetSystemTime GetModuleHandleA VirtualProtect VirtualAlloc GetModuleFileNameW lstrcpyW lstrcpyA lstrcatA GetProcAddress GetLastError f91u JhL0 VVVVVVQV 5L0 ExitProcess GetCommandLineW CreateProcessW WaitForSingleObject lstrcpyW KERNEL32.dll JP0 JP1 JAP0 JAP1
- 9. ANOTHER CHALLENGE…
- 10. So here is born of…
- 11. WORKING WITH CUCKOO
- 12. WORKING WITH THREATSONAR
- 13. Malware Configuration { “C&C Server1": "…" “C&C Server2": "…" "Installation Path": "…" } VIRTUAL MACHINE LIVE MEMORY SCANHOW DOES IT WORK? MALCFGPARSER MALWARE DUMP FILES PID
- 14. LIVE MEMORY SCANINSIDE MALCFGPARSER Structure POWERED BY POWERED BY Parse Scan LOADS Decode Brute Force Parsing Validate
- 15. MALWARE LIVE MEMORY SCANWORKING WITH CUCKOO Ananlyzer PROCESS DUMP ProcMemory SUPPORTED BY GUEST MACHINE HOST MACHINE WEB SERVER
- 16. ycy@teamt5.org duckll@teamt5.org charles@teamt5.org
Entre para ver os comentários