HITCON GIRLS Malware Analysis
TRANSCRIPT
![Page 1: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/1.jpg)
Turkey
![Page 2: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/2.jpg)
Outline
• HITCON GIRLS
![Page 3: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/3.jpg)
HITCON GIRLS
![Page 4: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/4.jpg)
HITCON GIRLS
• Web PT
• Android PT
![Page 5: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/5.jpg)
CTF
• Flag / Key
• Write Up
![Page 6: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/6.jpg)
![Page 7: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/7.jpg)
Malware
![Page 8: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/8.jpg)
![Page 9: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/9.jpg)
Grayware
![Page 10: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/10.jpg)
![Page 11: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/11.jpg)
• Registry Key
• Process
• API
![Page 12: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/12.jpg)
• Snapshot
![Page 13: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/13.jpg)
![Page 14: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/14.jpg)
![Page 15: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/15.jpg)
![Page 16: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/16.jpg)
![Page 17: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/17.jpg)
• Registry Key - AutoRuns
• Process - Process Explorer / Process Monitor
• Network - TCPView / TCPLogView / WireShark
• File system - AutoRuns / Process Explorer
![Page 18: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/18.jpg)
![Page 19: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/19.jpg)
Registry
• C:\Windows\regedit.exe
![Page 20: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/20.jpg)
Registry
• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
![Page 21: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/21.jpg)
Registry Key
![Page 22: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/22.jpg)
![Page 23: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/23.jpg)
Process
![Page 24: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/24.jpg)
Process
![Page 25: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/25.jpg)
![Page 26: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/26.jpg)
• HKLM\…\CurrentVersion\Run
• Process Injection
• IP / DNS
![Page 27: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/27.jpg)
• Behavior Tool
• Autoruns
• Process Monitor / Process Explorer
• TCPView / TCPLogView / WireShark
• Online Sandbox
• Virustotal
• Comodo
• Sandbox
• CaptureBat
• Cuckoo
![Page 28: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/28.jpg)
AutoRuns
• Registry Key
![Page 29: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/29.jpg)
Process Explorer
• DLL
![Page 30: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/30.jpg)
TCPView
![Page 31: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/31.jpg)
SandBox
![Page 32: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/32.jpg)
Sandbox
![Page 33: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/33.jpg)
VirusTotal
![Page 34: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/34.jpg)
CaptureBAT
![Page 35: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/35.jpg)
![Page 36: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/36.jpg)
• Digital Forensics
• Malware Detection
• Reverse Engineering
AllenOwn
![Page 37: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/37.jpg)
![Page 38: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/38.jpg)
![Page 39: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/39.jpg)
![Page 40: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/40.jpg)
• Reverse Engineering
![Page 41: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/41.jpg)
![Page 42: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/42.jpg)
![Page 43: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/43.jpg)
(打Д´)ノ
![Page 44: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/44.jpg)
• Reverse Engineering
![Page 45: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/45.jpg)
![Page 46: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/46.jpg)
• Immunity Debugger ( ´∀`)ノ
• OllyDbg ( ∀ )ノ
![Page 47: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/47.jpg)
• IDA ( ´∀`)ノ
• IDA Pro: Interactive Disassembler
![Page 48: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/48.jpg)
• API
![Page 49: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/49.jpg)
(1)
![Page 50: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/50.jpg)
UPX
![Page 51: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/51.jpg)
(2)
• String
![Page 52: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/52.jpg)
![Page 53: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/53.jpg)
(3) API
• IDA: Windows API
![Page 54: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/54.jpg)
API
• API (Application Programming Interface)
• Function
![Page 55: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/55.jpg)
Windows API
![Page 56: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/56.jpg)
(4)
![Page 57: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/57.jpg)
![Page 58: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/58.jpg)
![Page 59: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/59.jpg)
Python:

```python
age = int(input('How old are you? '))  # read the answer as an integer
if age < 18:
    print("No you can't drink beer.")
```

Assembly (MASM syntax, using the WriteString/ReadInt library routines):

```asm
mov edx, OFFSET HowOldAreYou        ; EDX -> prompt string
call WriteString                    ; print the prompt
call ReadInt                        ; read an integer into EAX
cmp eax, 18d                        ; compare the age with 18
jb LessThan18                       ; jump if below 18
LessThan18:                         ; (fragment: the >= 18 path is not shown, so execution falls through here)
mov edx, OFFSET NoYouCantDrinkBeer  ; EDX -> refusal message
call WriteString                    ; print it
```

Python vs. Assembly Language
![Page 60: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/60.jpg)
• 01010000
• MASM / NASM
![Page 61: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/61.jpg)
• .EXE (executable file)
![Page 62: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/62.jpg)
![Page 63: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/63.jpg)
![Page 64: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/64.jpg)
![Page 65: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/65.jpg)
Turkey
![Page 66: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/66.jpg)
![Page 67: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/67.jpg)
![Page 68: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/68.jpg)
Sample SHA256: 77c39cf091b0cb9f84a5d2a25e9c63f0bf9dcacb054a4f902fe36de6491aad14
![Page 69: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/69.jpg)
1. ProcessExplorer
2. ProcessMonitor
3. TCPview
4. Wireshark
5. CaptureBAT
![Page 70: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/70.jpg)
ProcessExplorer & ProcessMonitor
![Page 71: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/71.jpg)
ProcessExplorer
![Page 72: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/72.jpg)
ProcessExplorer
PID
![Page 73: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/73.jpg)
ProcessMonitor
![Page 74: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/74.jpg)
ProcessMonitor
![Page 75: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/75.jpg)
TCPView
![Page 76: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/76.jpg)
TCPView
![Page 77: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/77.jpg)
Wireshark
• dns, tcp, http, ...
![Page 78: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/78.jpg)
Wireshark
![Page 79: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/79.jpg)
Wireshark
![Page 80: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/80.jpg)
Wireshark
![Page 81: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/81.jpg)
Wireshark
![Page 82: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/82.jpg)
dfds3.reg
![Page 83: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/83.jpg)
CaptureBAT
• SandBox
![Page 84: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/84.jpg)
![Page 85: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/85.jpg)
CaptureBAT
• cd C:\Program Files\Capture
• CaptureBAT.exe -c -n
• Reference: http://travisaltman.com/malware-analysis-tool-capture-bat/
![Page 86: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/86.jpg)
CaptureBAT
![Page 87: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/87.jpg)
CaptureBAT: dfds3.reg
![Page 88: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/88.jpg)
CaptureBAT
• MSIServer.exe
![Page 89: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/89.jpg)
CaptureBAT: wscsvc.exe
![Page 90: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/90.jpg)
CaptureBAT
![Page 92: HITCON GIRLS Malware Analysis](https://reader036.vdocuments.site/reader036/viewer/2022081722/587a71e91a28ab8a2a8b803b/html5/thumbnails/92.jpg)