ⓒ Copyright 2016, blackfort security all rights reserved.
Malware is In the Memory
Real Time Malware Memory Analysis System
2016 HITCON
YoungJin Sim / BLACKFORT Security / Senior Researcher<[email protected]>
YoungHak Lee / BLACKFORT Security / Senior Researcher
Who we are
YoungJin Sim, YoungHak Lee
New malware per day
- Reference: http://www.redsocks.nl/blog-2/malware-statistics-march-2016/
- Average of 425,531 new samples per day!
- Researcher analysis time: average 1 hour per sample
- Working hours per day: 8 hours
- 425,531 / 8 = 53,191 (analysts needed to keep up, at one sample per hour)
Cuckoo Sandbox
- Malware automatic analysis system
- Windows, OSX, Linux, Android supported
- Traces API calls (user-level API hooking) via Cuckoo Monitor.dll
- Rootkit analysis is impossible (example: ZeroAccess)
- Vulnerable to anti-VM (example: Citadel)
- Reference: http://docs.cuckoosandbox.org/en/latest/introduction/what/#architecture
Why Memory Analysis?
- All programs are loaded in memory
- Bypasses malware protectors (packing, anti-debug)
- Advanced malware operates solely in memory
- Identifies system activity and overall machine state
- Memory reliability is very important
- Existing examples: Memory Analysis, Drakvuf, Memminer
Memory Analysis
- Black Hat USA 2014 Arsenal release
- Depends on Cuckoo Sandbox
- Interval-based memory dump: too many dumps are inefficient in analysis time and disk space
- Trigger-based memory dump: an API that has not been hooked cannot be analyzed
- (diagram: interval-based memory dump vs. trigger-based memory dump)
- Reference: https://github.com/djteller/MemoryAnalysis
Drakvuf
- 2014 Hacktivity release
- Copy-on-write disk and memory
- Extra resources allocated only when used; VLAN isolation
- Detects when a new process is scheduled, syscalls are executed, a file is accessed/created/deleted, etc.
- (diagram: Drakvuf structure)
- Reference: http://drakvuf.com/ and http://www.slideshare.net/tklengyel/drakvuf?next_slideshow=1
Drakvuf
- (screenshot: Drakvuf malware analysis result)
Memminer
- CanSecWest 2015 release
- Agentless
- Uses Rekall & LibVMI
- Operating-system data dependencies modeled with CybOX
- Reference: http://cyboxproject.github.io/documentation/object-relationships/#Created
New Malware Analysis System: Malware Analyst
Malware Analyst Structure
- (architecture diagram)
Memory Analysis Engine
- Uses LibVMI & Volatility
- Command Analysis
- Process Analysis
- Thread Analysis
- Network Analysis
- Service Analysis
- MBR Analysis
- Rootkit Analysis
Why use LibVMI & Volatility?
- LibVMI (Library for Virtual Machine Introspection)
  - Too many dumps are inefficient in analysis time and disk space; with introspection, memory dumps are not necessary
  - Direct memory access
  - Reliable memory, so the memory analysis result is reliable
- Volatility
  - Can analyze memory obtained through LibVMI
  - Open source
  - Focused on forensics, incident response, and malware
Command Analysis
- Cmdscan: _COMMAND_HISTORY; finds basic Windows commands
- Consoles: _SCREEN_INFORMATION; finds console I/O data
- Shellbags: NTUSER.DAT & UsrClass.dat; finds Windows environment, timestamps, installers, etc.
Process Analysis - Privs
- Malware has to hold the necessary privileges for its malicious behavior

Dangerous privileges:

| Privilege | Comment |
|---|---|
| SeBackupPrivilege | Malware can leverage this privilege to copy locked files |
| SeDebugPrivilege | Practically all malware that performs code injection from user mode relies on enabling this privilege |
| SeLoadDriverPrivilege | Malware can load or unload kernel drivers (rootkit load) |
| SeChangeNotifyPrivilege | Malware can use this to determine immediately when one of its configuration or executable files is removed by antivirus or users |
| SeShutdownPrivilege | Bootkits modify the Master Boot Record (MBR); a bootkit doesn't activate until the next time the system boots |
Process Analysis - Auditpol
- Auditpol: global audit policy
- Pstree: finds and walks the doubly linked process list
- Psscan: scans for _EPROCESS objects instead of relying on the linked list; finds terminated and hidden processes in kernel memory
- Procdump: finds PE headers in kernel memory
- (screenshot: Malware Analyst process tree)
Process Analysis - Procdump
- Citadel malware: original binary vs. unpacked binary (using Malware Analyst) (screenshots)
- Tesla ransomware: original binary vs. unpacked binary (using Malware Analyst) (screenshots)
Thread Analysis
- Threads: find orphan threads
  - Enumerate the loaded modules by walking the doubly linked list and record their base address and size
  - Check whether the _ETHREAD.StartAddress value is within the range of one of the modules
  - Many rootkits use orphan threads; examples: Tigger, Mebroot
- (screenshot: orphan thread in a Tigger sample)
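The orphan-thread check described above, as an added example written for this page (it is neither the authors' code nor Volatility's `threads` plugin): the module list and the thread start addresses are constructed values, and any thread whose start address falls inside no known module range is reported.

```python
"""Orphan-thread check in the style of the `threads` plugin: collect the loaded
kernel modules (base, size) and flag any thread whose _ETHREAD.StartAddress is
not inside one of them. Added example; the module list and thread records are
constructed, not taken from a real memory image."""

# Constructed kernel module list: (name, base, size). Not real addresses.
MODULES = [
    ("ntoskrnl.exe", 0x804D7000, 0x1F6000),
    ("hal.dll",      0x806CE000, 0x020C00),
    ("tcpip.sys",    0xF7A3C000, 0x0590A0),
]

# Constructed system threads: (tid, start address). Not real data.
THREADS = [
    (4,   0x80520A0C),   # inside the ntoskrnl.exe range
    (212, 0xF7A4158E),   # inside the tcpip.sys range
    (840, 0x82B7E0C4),   # no listed module covers this address -> orphan
]


def owning_module(address, modules):
    """Return the name of the module whose [base, base+size) range contains address, or None."""
    for name, base, size in modules:
        if base <= address < base + size:
            return name
    return None


def find_orphan_threads(threads, modules):
    """Return [(tid, start_address)] for threads whose start address lies outside every known module."""
    return [(tid, start) for tid, start in threads if owning_module(start, modules) is None]


if __name__ == "__main__":
    for tid, start in find_orphan_threads(THREADS, MODULES):
        print(f"orphan thread tid={tid} start=0x{start:08x}")
```

A hit is a lead, not a verdict: a driver that started a thread and then unloaded, or a module unlinked from the loaded-module list, produces the same result, so the module ranges should also come from a pool scan (Volatility's modscan) rather than only from the list walk.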
Network Analysis
- Sockets & Connections (Windows XP/2003)
  - _ADDRESS_OBJECT & _TCPT_OBJECT structures are undocumented by MS, but many hackers have reverse-engineered them in the past

| | Socket search | Connection search |
|---|---|---|
| Table | _Addr_Obj_Table | _TCBTable |
| Object | _ADDRESS_OBJECT | _TCPT_OBJECT |
| Plugin | sockscan | connections |

- Netscan (Windows Vista and later)
  - Finds _TCP_ENDPOINT
  - Finds _TCP_LISTENER
  - Finds _UDP_ENDPOINT
Service Analysis
- Svcscan
  - Finds the sErv and serH tags in kernel memory (services.exe)
  - Tags are embedded in members of each _SERVICE_RECORD
  - Finds all instances of the structures even if they've been unlinked from the list
  - Compares the entries found by scanning with the ones found via list walking and determines exactly which services have been maliciously unlinked
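The cross-view idea on this slide, and the same psscan-versus-pstree comparison from the process slide, as an added example written for this page (not the authors' code): a tag scan over a constructed buffer finds every record, a list walk finds only the linked ones, and the set difference is the unlinked entry. The 40-byte record layout is a stand-in assumed for the example, not the real _SERVICE_RECORD.

```python
"""Tag scan versus list walk over service records (svcscan-style cross view).
Record layout, constructed for this example and NOT the real _SERVICE_RECORD:
  offset 0, 4 bytes : tag b"sErv"
  offset 4, 4 bytes : little-endian offset of the next record (0 = end of list)
  offset 8, 32 bytes: null-padded service name
The "memory" buffer is built below, not read from services.exe."""
import struct

TAG = b"sErv"
RECORD_SIZE = 40


def make_record(name, next_offset):
    """Serialize one constructed service record."""
    return TAG + struct.pack("<I", next_offset) + name.encode().ljust(32, b"\0")


# Constructed buffer: records at offsets 16, 56, 96 and 136. The record at 56
# points straight to 136, so the record at 96 is unlinked from the list.
HEAD = 16
MEMORY = (
    b"\0" * 16
    + make_record("Dhcp", 56)
    + make_record("Dnscache", 136)   # skips the record at 96
    + make_record("evilsvc", 136)    # reachable only by scanning
    + make_record("EventLog", 0)
    + b"\0" * 24
)


def parse_record(mem, off):
    """Return (tag, next_offset, name) for the record starting at off."""
    tag = mem[off:off + 4]
    nxt = struct.unpack_from("<I", mem, off + 4)[0]
    name = mem[off + 8:off + RECORD_SIZE].split(b"\0", 1)[0].decode()
    return tag, nxt, name


def walk_list(mem, head):
    """What the OS sees: follow next pointers from the head; stop on loops or bad tags."""
    names, seen, off = [], set(), head
    while off and off not in seen:
        seen.add(off)
        tag, nxt, name = parse_record(mem, off)
        if tag != TAG:
            break
        names.append(name)
        off = nxt
    return names


def scan_tags(mem):
    """What the scanner sees: every record carrying the tag, linked or not."""
    names, off = [], mem.find(TAG)
    while off != -1:
        names.append(parse_record(mem, off)[2])
        off = mem.find(TAG, off + 1)
    return names


def unlinked_entries(mem, head):
    """Cross view: records the scan finds but the list walk does not."""
    return sorted(set(scan_tags(mem)) - set(walk_list(mem, head)))


if __name__ == "__main__":
    print("list walk:", walk_list(MEMORY, HEAD))
    print("tag scan :", scan_tags(MEMORY))
    print("unlinked :", unlinked_entries(MEMORY, HEAD))
```

The scan side also returns records whose list pointers were simply freed (a stopped service whose memory has not been reused yet), so in practice the unlinked set is compared with the service's state and image path before calling it malicious.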
MBR Analysis
- Mbrparser
  - Finds MBRs (signature: \x55\xaa) in kernel memory
  - Compares the partition table to the MBR scan result
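An added example of the mbrparser-style scan described above (written for this page, not taken from Malware Analyst or Volatility): it finds sector-aligned 512-byte blocks ending in the 0x55 0xAA signature, parses the four partition entries at offset 446, and compares every hit against a reference MBR. The memory buffer, the boot-code stubs and the partition entry are all constructed.

```python
"""MBR scan and partition-table comparison. Added example with constructed data;
the 'memory' is a small bytes object, not a real dump."""
import hashlib
import struct

SECTOR = 512
PT_OFFSET = 446          # the partition table starts here
SIG_OFFSET = 510         # 0x55 0xAA occupies the last two bytes
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, start LBA, sector count


def make_partition(bootable, ptype, start_lba, sectors):
    """Build one 16-byte partition entry (CHS fields zeroed for simplicity)."""
    return struct.pack(ENTRY_FMT, 0x80 if bootable else 0x00, b"\0" * 3, ptype, b"\0" * 3, start_lba, sectors)


def make_mbr(boot_code, partitions):
    """Assemble a 512-byte MBR from boot code, up to four entries and the signature."""
    table = b"".join(partitions).ljust(64, b"\0")
    return boot_code.ljust(PT_OFFSET, b"\0")[:PT_OFFSET] + table + b"\x55\xaa"


def parse_mbr(sector):
    """Return (sha256 of the boot code, [partition dicts]) or None without a valid signature."""
    if len(sector) != SECTOR or sector[SIG_OFFSET:] != b"\x55\xaa":
        return None
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY_FMT, sector, PT_OFFSET + 16 * i)
        if ptype:  # type 0 means an empty slot
            parts.append({"bootable": status == 0x80, "type": ptype, "start_lba": lba, "sectors": count})
    return hashlib.sha256(sector[:PT_OFFSET]).hexdigest(), parts


def scan_for_mbrs(mem):
    """Yield (offset, parsed) for every sector-aligned block that parses as an MBR."""
    for off in range(0, len(mem) - SECTOR + 1, SECTOR):
        parsed = parse_mbr(mem[off:off + SECTOR])
        if parsed is not None:
            yield off, parsed


def compare_to_reference(mem, reference):
    """List scanned MBRs whose partition table or boot code differs from the reference."""
    ref_hash, ref_parts = parse_mbr(reference)
    findings = []
    for off, (code_hash, parts) in scan_for_mbrs(mem):
        if parts != ref_parts:
            findings.append((off, "partition table differs"))
        elif code_hash != ref_hash:
            findings.append((off, "boot code differs"))
    return findings


# Constructed sample: one NTFS-type partition, a clean MBR, and a copy with the
# same table but replaced boot code (the pattern a bootkit leaves behind).
PARTS = [make_partition(True, 0x07, 2048, 1_000_000)]
CLEAN_MBR = make_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c", PARTS)   # constructed stub
PATCHED_MBR = make_mbr(b"\xe9\x00\x01", PARTS)                 # constructed stub
MEMORY = b"\0" * SECTOR + CLEAN_MBR + b"\xff" * SECTOR + PATCHED_MBR

if __name__ == "__main__":
    for off, why in compare_to_reference(MEMORY, CLEAN_MBR):
        print(f"MBR copy at offset {off}: {why}")
```

Comparing the boot code as well as the partition table matters: a bootkit that leaves the partition table intact and only swaps the first 446 bytes would pass a table-only comparison.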
Rootkit Analysis - Driverirp
- Finds _DRIVER_OBJECT structs in kernel memory
- Reads the 28 values in the MajorFunction array and determines where they point
- A rootkit driver can hook entries in a driver's IRP function table
- For example, by overwriting the IRP_MJ_CREATE function in a driver's IRP table, a rootkit can inspect file creation, process creation, etc.
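The IRP-table check above as an added example (not the authors' code; the module addresses, the driver layout and the nt!IopInvalidDeviceRequest address are constructed): each of the 28 MajorFunction slots is resolved to the module that owns its target, and any handler outside the driver's own image, other than the kernel's default handler for unused slots, is reported.

```python
"""IRP-table audit in the manner of the driverirp plugin. Added example with
constructed data; not real kernel addresses. Unused slots legitimately point at
nt!IopInvalidDeviceRequest inside ntoskrnl, so that address is allowed; any other
target outside the owning driver's image is a hook candidate."""

IRP_MJ_MAXIMUM_FUNCTION = 0x1B   # slots 0x00..0x1B -> 28 entries
IRP_MJ_NAMES = {0x00: "IRP_MJ_CREATE", 0x03: "IRP_MJ_READ",
                0x04: "IRP_MJ_WRITE", 0x0E: "IRP_MJ_DEVICE_CONTROL"}

# Constructed module list: (name, base, size).
MODULES = [
    ("ntoskrnl.exe", 0x804D7000, 0x1F6000),
    ("fastfat.sys",  0xF7B20000, 0x024000),
    ("evil.sys",     0xF7E10000, 0x004000),
]
IOP_INVALID_DEVICE_REQUEST = 0x804E3A10   # constructed address inside ntoskrnl.exe


def owning_module(address, modules):
    """Name of the module whose image range contains address, or None."""
    for name, base, size in modules:
        if base <= address < base + size:
            return name
    return None


def make_driver(name, base, size, handlers):
    """Constructed _DRIVER_OBJECT stand-in: unused slots get the default handler."""
    table = [IOP_INVALID_DEVICE_REQUEST] * (IRP_MJ_MAXIMUM_FUNCTION + 1)
    for mj, target in handlers.items():
        table[mj] = target
    return {"name": name, "base": base, "size": size, "major_function": table}


def audit_driver_irp(driver, modules):
    """Return [(mj, mj_name, target, owner)] for slots pointing outside the driver's image."""
    findings = []
    for mj, target in enumerate(driver["major_function"]):
        if target == IOP_INVALID_DEVICE_REQUEST:
            continue                                   # default handler, expected
        if driver["base"] <= target < driver["base"] + driver["size"]:
            continue                                   # inside the owning driver
        findings.append((mj, IRP_MJ_NAMES.get(mj, f"IRP_MJ_{mj:#04x}"),
                         target, owning_module(target, modules)))
    return findings


# Constructed driver: CREATE and READ inside fastfat.sys, WRITE redirected into evil.sys.
FASTFAT = make_driver("\\Driver\\Fastfat", 0xF7B20000, 0x24000,
                      {0x00: 0xF7B31234, 0x03: 0xF7B31800, 0x04: 0xF7E10500})

if __name__ == "__main__":
    for mj, name, target, owner in audit_driver_irp(FASTFAT, MODULES):
        print(f"{driver_name if False else FASTFAT['name']}: {name} ({mj:#04x}) -> {target:#010x} in {owner or 'unknown module'}")
```

A target that resolves to no module at all (owner `None`) deserves more attention than one inside a listed driver, since it usually means code placed in memory by something that is not in the module list; either way the slide's advice holds, namely disassemble the target to see what it actually does before treating the entry as a hook.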
Rootkit Analysis - Devicetree
- Windows uses a layered architecture for handling I/O requests
- Multiple drivers can handle the same IRP
- Instead of hooking a target driver's IRP function, as previously described, a rootkit can just insert itself into, or attach to, the target device's stack
- Drivermodule
  - Finds DriverIRP data in kernel memory
  - Gets the driver name & driver display name
  - After finding new driver modules, dumps them
Rootkit Analysis - Callbacks

Callbacks used by rootkits:

| Type | API |
|---|---|
| Process creation | PsSetCreateProcessNotifyRoutine |
| Thread creation | PsSetCreateThreadNotifyRoutine (used by BlackEnergy) |
| Image load | PsSetLoadImageNotifyRoutine (used by Stuxnet) |
| Registry modification | CmRegisterCallback (XP), CmRegisterCallbackEx (Vista and later) (used by Ascesso) |
| Bugchecks | KeRegisterBugCheckCallback, KeRegisterBugCheckReasonCallback |

- Callbacks that rootkits rarely use: Shutdown, DebugMessage, FileSystem, PnP callbacks.
Malware Analyst Structure
- (architecture diagram)
Mamon
- Detects process changes, file changes, registry changes
- API function argument monitoring
- Operating-system data dependencies modeled with CybOX (Reg, Process, File, ...)
- Why use kernel-level hooking?
  - Anti-VM bypass (VM hardening)
  - Rootkit analysis
  - Uses CmRegisterCallback (XP) / CmRegisterCallbackEx (Vista and later)
- Built with the Windows Driver Kit
- Mamon runs inside the virtual machine
Malware Analyst Structure
- (architecture diagram)
Network Analysis - MITM proxy & tcpdump
- Why use a MITM proxy?
  - Decrypts SSL/HTTPS
  - Classifies each packet's protocol
- MITM proxy structure (transparent HTTPS):
  1. Connection (client)
  2. Redirection (to the proxy)
  3. Client initiates SSL handshake with SNI
  4. Proxy initiates SSL handshake with SNI to the server
  5. Server certificate's CN & SANs
  6. Proxy completes SSL handshake with the client
  7. Client sends request
  8. Proxy forwards request to server
- (screenshot: MITM proxy example data for https://www.google.com)
- Reference: http://docs.mitmproxy.org/en/stable/howmitmproxy.html#transparent-https
Network Analysis
- HTTP replay
- Downloads meta-files (image, flash, sound, ...)
- Draws the network flow
- (screenshots: Citadel network analysis result; Citadel network flow image)
Demo: Citadel, memory-hacking rootkit malware, Tesla ransomware
Limitations of Malware Analyst
- Only 32-bit Windows supported
- Anti-memory-forensic techniques
- Other anti-VM techniques
- Hook-detecting malware
- Etc.
Benefits of Malware Analyst
- Unpacking binaries
- Decrypting network packet data (HTTPS, TLS, ...)
- Timeline of malware run behavior
- Rootkit analysis
Future: Threat Insight & Malware Analyst
- Support for x64 Windows, and anti-VM / anti-memory-forensic research
- Support for creating IOC pattern files
- Threat Insight: web site threat detection system
- Malware Analyst and Threat Insight will cooperate
- New malware database platform
New Malware Database Platform!
Thank you
Reference: The Art of Memory Forensics (book)