Open Source Malware Lab
@ThreatConnect
October 19, 2016
© 2016 ThreatConnect, Inc. All Rights Reserved

Director of Research Innovation
Research Team
ThreatConnect, Inc.

Why Do I Need A Malware Analysis Lab?
• Malware Research
  • First two of four major stages (https://zeltser.com/mastering-4-stages-of-malware-analysis/)
• Automated Malware Analysis (AMA)
  • AMA can include second stage
• Enhanced Threat Intelligence
  • Analysis of malware in your enterprise
  • Stage of malware hunting process
• Network Defense
  • Network Traffic
  • Inbound Email
  • Host Intrusion Detection System
• Fun!!!

Malware Analysis Process Entry Points
• File
• URL
• PCAP
• Memory Image

Open Source Malware Analysis Tools
• Cuckoo Sandbox
• Thug
• Bro
• Volatility

Cuckoo Sandbox: Static and Dynamic File Analysis

Sandbox
• A controlled, safe environment
• Leverages
  • Virtual machines
  • Bare metal computers
• Running malware
• Observing its behavior
• Dynamic malware analysis
• May also perform static malware analysis

More Than Just Dynamic Analysis
AV Detections:
• TrendMicro: OSX_KeRanger.A
• ESET-NOD32: OSX/Filecoder.KeRanger.A
• Kaspersky: UDS:DangerousObject.Multi.Generic
Strings:
• $Info: This file is packed with the UPX executable packer http://upx.sf.net $
• $Id: UPX 3.91 Copyright (C) 1996-2013 the UPX Team. All Rights Reserved. $

More Than Just Dynamic Analysis
Sections:
  Name   Addr    Ent   MD5
  .rsrc  532480  3.59  7ce8cbef10f26dfee328a35f2c724cd5  (52 files found)
Resources:
  data  RT_VERSION  3519388073965d5b6bae77135c36786f6f8e6882099a88504fbad3ed9b9c9687  (99 files found)
File Metadata:
  Timestamp: 2016-03-07 09:41:34
  First Seen: 2016-03-07 09:42:47 (95c231bb, web, RU)

Cuckoo Sandbox Flavors
• Plain Vanilla: Version 1.2 (Stable)
• Cuckoo Modified (brad-accuvant / spender-sandbox)
• Next Generation: Version 2.0 RC1

Cuckoo Modified
• Normalization of file and registry paths
• 64bit analysis
• Service monitoring
• Extended API
• Tor for outbound network connections
• Malheur integration

Normalization - Why this is Great!
• Not normalized
  • C:\Documents and Settings\Dumdum\Application Data\bonzo\AIDVFP.jpg
  • C:\Users\Dumdum\AppData\bonzo\AIDVFP.jpg
• Normalized
  • %APPDATA%\bonzo\AIDVFP.jpg
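The point of the normalization slide is that the same dropped file looks like two different artifacts on an XP-layout guest and a Vista+-layout guest until the per-user prefix is folded into a variable name. The block below is an added example written for this page, not Cuckoo Modified's code: the rule table (which prefixes become %APPDATA%, %TEMP%, %LOCALAPPDATA%, %USERPROFILE%, %WINDIR%, %PROGRAMFILES%), the ordering and the sample paths are this example's own assumptions, chosen so that the deck's two raw paths normalize to the deck's `%APPDATA%\bonzo\AIDVFP.jpg`.

```python
"""Collapse user-profile and system prefixes in Windows paths to env-var form.

Added example, not code from Cuckoo Modified: the rule table is an
illustration of the normalization the deck describes; variable names and
sample paths are assumptions, not the project's own rules.
"""
import re

# Most specific first: %TEMP% beats %LOCALAPPDATA%, which beats %APPDATA%,
# which beats %USERPROFILE%. Every prefix must end at a '\' or end of string.
_RULES = [
    # Vista and later profile layout
    (r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming", "%APPDATA%"),
    (r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp", "%TEMP%"),
    (r"^[a-z]:\\users\\[^\\]+\\appdata\\local", "%LOCALAPPDATA%"),
    (r"^[a-z]:\\users\\[^\\]+\\appdata", "%APPDATA%"),  # the deck's shortened form
    (r"^[a-z]:\\users\\[^\\]+", "%USERPROFILE%"),
    # XP / 2003 profile layout
    (r"^[a-z]:\\documents and settings\\[^\\]+\\application data", "%APPDATA%"),
    (r"^[a-z]:\\documents and settings\\[^\\]+\\local settings\\temp", "%TEMP%"),
    (r"^[a-z]:\\documents and settings\\[^\\]+\\local settings\\application data",
     "%LOCALAPPDATA%"),
    (r"^[a-z]:\\documents and settings\\[^\\]+", "%USERPROFILE%"),
    # System locations (assumed variable names)
    (r"^[a-z]:\\windows", "%WINDIR%"),
    (r"^[a-z]:\\program files \(x86\)", "%PROGRAMFILES(X86)%"),
    (r"^[a-z]:\\program files", "%PROGRAMFILES%"),
]
# The lookahead stops 'appdata\local' from matching 'appdata\localxyz'.
_COMPILED = [(re.compile(p + r"(?=\\|$)", re.IGNORECASE), v) for p, v in _RULES]


def normalize_path(path):
    """Return path with a recognised prefix replaced by its variable name.
    Paths outside every known location come back unchanged."""
    for pattern, var in _COMPILED:
        match = pattern.match(path)
        if match:
            return var + path[match.end():]
    return path


def same_artifact(path_a, path_b):
    """True when two raw paths from different guest images name the same
    artifact once normalised (Windows paths are case-insensitive)."""
    return normalize_path(path_a).lower() == normalize_path(path_b).lower()


if __name__ == "__main__":
    # Constructed sample paths: the deck's two profile layouts plus two more.
    for raw in (r"C:\Documents and Settings\Dumdum\Application Data\bonzo\AIDVFP.jpg",
                r"C:\Users\Dumdum\AppData\bonzo\AIDVFP.jpg",
                r"C:\Users\Dumdum\AppData\Local\Temp\dropper.exe",
                r"C:\Windows\Tasks\persist.job"):
        print(raw, "->", normalize_path(raw))
```

Because the rules are tried in order, a new location only needs to be inserted above any rule whose prefix it extends; a path that matches nothing is returned as-is, so un-normalized paths still compare equal to themselves rather than being silently dropped from a report.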

Cuckoo Next Generation
• Support for:
  • MacOS X
  • Linux
  • Android
• Integrations
  • Suricata
  • Snort
  • Moloch
• SSL decryption
• VPN support
• 64-bit analysis
• Fun, fun, fun

What if the Malware is VM or Sandbox Aware?
• Pafish (Paranoid Fish)
  • Uses malware's anti-analysis techniques
  • Shows successful and unsuccessful techniques
  • Pinpoint ways to improve sandbox
• VMCloak
  • Automated generation of Windows VM images
  • Ready for use in Cuckoo
  • Obfuscates VM to prevent anti-analysis

Cuckoo Output
• HTML Report
• JSON Report
• MongoDB Output
• Dropped Files
• PCAP
• Memory Image
• Visited URLs

Thug: Low-Interaction Honeyclient

What is a Low-Interaction Honeyclient?
• Pretends to be a browser
• Trigger a drive-by download
• Capture its payload

Wolf in Sheep's Clothing
• User agent can change
  • Windows, Mac, Linux, Android, iOS
  • Limitless possibilities
  • http://www.useragentstring.com/pages/useragentstring.php
  • http://www.browser-info.net/useragents
• Simulates vulnerable plugins with configurable versions
  • Flash
  • Java
  • Acrobat Reader (PDF)

Available User Agents

Thug Output
• Payload Files
• Other Content Files
• Visited URLs
• MongoDB Output
• Elasticsearch Output
• HPFeeds
• MAEC
• Native Report Format

Bro: Network Analysis Framework

What is Bro?
• Network Security Monitoring (NSM) Framework
• Processes
  • Live Packet Capture
  • Recorded Packet Capture (PCAP)
• Series of scripts
• Output: Bro logs
• Packaged with a large group of scripts
• Rich community of open source scripts
• Write your own Bro script for specific needs

Bro in Action
• Analysis Target: tue_schedule.doc_7387.doc
• PCAP Source: https://www.hybrid-analysis.com/
• SHA1: bb45bca4ccc0dd6a0b3a2c6001165f72fbd2cb6e
• What can we learn from PCAP only?

conn.log
$ cat conn.log | bro-cut -c uid id.resp_h id.resp_p proto service | sed -e 's/#fields//g' | grep -v '#' | column -t

dns.log
$ cat dns.log | bro-cut -c query qtype_name answers rcode_name | grep 'NOERROR\|fields' | sed -e 's/#fields//g' | column -t

Poor Man's pDNS

Whois Data

Site Content

dns.log
$ cat dns.log | bro-cut -c query qtype_name answers rcode_name | grep 'NOERROR\|fields' | sed -e 's/#fields//g' | column -t

Poor Man's pDNS

Whois Data

Poor Man's Reverse Whois

Site Content

dns.log
$ cat dns.log | bro-cut -c query qtype_name answers rcode_name | grep 'NOERROR\|fields' | sed -e 's/#fields//g' | column -t

Whois Data

pDNS

http.log
$ cat http.log | bro-cut -u -C id.resp_h method host uri status_code resp_fuids resp_mime_types | grep '#fields\|200' | sed -e 's/#fields//g' | column -t

Zapoi (Russian: запой)
A term used in Russia and other post-Soviet states to describe alcohol abuse behavior resulting in two or more days of continuous drunkenness.
https://en.wikipedia.org/wiki/Zapoy

/zapoy/gate.php = Pony

http.log
$ cat http.log | bro-cut -u -C id.resp_h method host uri status_code resp_fuids resp_mime_types | grep '#fields\|200' | sed -e 's/#fields//g' | column -t

/xdaovcny/index.php = Nymaim
![Page 64: Open Source Malware Lab - SecTor 2018 Open... · Open Source Malware Lab ... • Moloch • SSL decryption ... • Live Packet Capture • Recorded Packet Capture (PCAP) • Series](https://reader034.vdocuments.site/reader034/viewer/2022051601/5ad84ad27f8b9a3e578d3aef/html5/thumbnails/64.jpg)
64@ThreatConnect
http.log
$ cat http.log | bro-cut -u -C id.resp_h method host uri status_code resp_fuids resp_mime_types | grep '#fields\|200' | sed -e 's/#fields//g' | column -t
65@ThreatConnect
pe.log
$ cat pe.log | bro-cut -c id machine compile_ts subsystem is_exe section_names | sed -e 's/#fields//g' | grep -v '#' | column -t
66@ThreatConnect
files.log
$ cat files.log | bro-cut -c fuid filename total_bytes md5 sha1 sha256 | grep 'F8Ksgsir0wLKqA4e9\|F0XaRJ2XvH5Epscnqj\|#fields' | sed -e 's/#fields//g' | column -t | cut -d " " -f 2- | column -t
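The bro-cut pipelines on the last few slides do one thing by hand: take the HTTP 200 responses out of http.log, follow their resp_fuids into files.log, and read off the hashes of what was delivered. The following added example (not code from the talk or from ThreatConnect) does the same join in Python 3, parsing Bro's TSV header directives (#separator, #set_separator, #unset_field, #fields) rather than relying on column positions. The two log excerpts are constructed sample data with a reduced field list and placeholder hosts, addresses and hashes; only the fuids and URIs come from the slides.

```python
"""Join Bro TSV logs: HTTP 200 responses in http.log with the files.log entries
their resp_fuids point at. All log content here is constructed sample data."""


def parse_bro_tsv(text):
    """Parse Bro's TSV log format into (rows, set_separator).

    The header directives drive parsing: #separator, #set_separator,
    #empty_field, #unset_field and #fields are honoured; #types, #path,
    #open and #close are skipped. Unset fields become None, empty ones "".
    """
    sep, set_sep, unset, empty = "\t", ",", "-", "(empty)"
    fields, rows = None, []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator "):
            # written as an escape such as \x09 and followed by a space
            sep = line[len("#separator "):].encode("ascii").decode("unicode_escape")
            continue
        if line.startswith("#"):
            # every other directive uses the field separator between name and value
            name, _, value = line[1:].partition(sep)
            if name == "set_separator":
                set_sep = value
            elif name == "unset_field":
                unset = value
            elif name == "empty_field":
                empty = value
            elif name == "fields":
                fields = value.split(sep)
            continue
        if fields is None:
            raise ValueError("data row before #fields header")
        values = line.split(sep)
        if len(values) != len(fields):
            raise ValueError("field count mismatch: %r" % line)
        rows.append({k: (None if v == unset else "" if v == empty else v)
                     for k, v in zip(fields, values)})
    return rows, set_sep


def successful_downloads(http_text, files_text):
    """One row per (HTTP 200 response, delivered file), with hashes from files.log."""
    http_rows, set_sep = parse_bro_tsv(http_text)
    files_rows, _ = parse_bro_tsv(files_text)
    by_fuid = {f["fuid"]: f for f in files_rows}
    out = []
    for r in http_rows:
        if r["status_code"] != "200":
            continue
        # resp_fuids / resp_mime_types are vectors joined with the set separator
        fuids = r["resp_fuids"].split(set_sep) if r["resp_fuids"] else [None]
        mimes = r["resp_mime_types"].split(set_sep) if r["resp_mime_types"] else []
        for i, fuid in enumerate(fuids):
            f = by_fuid.get(fuid, {})
            out.append({
                "resp_h": r["id.resp_h"], "host": r["host"], "uri": r["uri"],
                "fuid": fuid,
                "mime": mimes[i] if i < len(mimes) else None,
                "total_bytes": int(f["total_bytes"]) if f.get("total_bytes") else None,
                "md5": f.get("md5"), "sha1": f.get("sha1"), "sha256": f.get("sha256"),
            })
    return out


# Constructed http.log (subset of Bro's real field list; hosts/IPs are placeholders).
HTTP_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\thttp",
    "#fields\t" + "\t".join(["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
                             "method", "host", "uri", "status_code", "resp_fuids",
                             "resp_mime_types"]),
    "\t".join(["1476835200.000000", "Cabc1", "10.0.0.5", "49152", "192.0.2.10", "80",
               "POST", "c2.example.invalid", "/zapoy/gate.php", "200", "-", "-"]),
    "\t".join(["1476835201.000000", "Cabc2", "10.0.0.5", "49153", "192.0.2.20", "80",
               "GET", "drop.example.invalid", "/xdaovcny/index.php", "200",
               "F8Ksgsir0wLKqA4e9", "application/x-dosexec"]),
    "\t".join(["1476835202.000000", "Cabc3", "10.0.0.5", "49154", "192.0.2.30", "80",
               "GET", "cdn.example.invalid", "/payload.exe", "404", "-", "-"]),
    "\t".join(["1476835203.000000", "Cabc4", "10.0.0.5", "49155", "192.0.2.40", "80",
               "GET", "drop2.example.invalid", "/a.php", "200",
               "F0XaRJ2XvH5Epscnqj", "application/x-dosexec"]),
    "#close\t2016-10-19-00-00-05",
])

# Constructed files.log; the hashes are placeholders, not real sample hashes.
FILES_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tfiles",
    "#fields\t" + "\t".join(["fuid", "tx_hosts", "rx_hosts", "source", "mime_type",
                             "filename", "total_bytes", "md5", "sha1", "sha256"]),
    "\t".join(["F8Ksgsir0wLKqA4e9", "192.0.2.20", "10.0.0.5", "HTTP", "application/x-dosexec",
               "-", "212992", "00112233445566778899aabbccddeeff",
               "0123456789abcdef0123456789abcdef01234567",
               "00112233445566778899aabbccddeeff" * 2]),
    "\t".join(["F0XaRJ2XvH5Epscnqj", "192.0.2.40", "10.0.0.5", "HTTP", "application/x-dosexec",
               "sample.exe", "98304", "ffeeddccbbaa99887766554433221100",
               "76543210fedcba9876543210fedcba9876543210",
               "ffeeddccbbaa99887766554433221100" * 2]),
])

if __name__ == "__main__":
    for row in successful_downloads(HTTP_LOG, FILES_LOG):
        print(row)
```

Because the parser reads the #fields line, it works unchanged on a full http.log or files.log, and on any other Bro TSV log; the 404 line and the gate.php POST without a response file show the two cases the join has to tolerate.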
67@ThreatConnect
MAN1 Adversary Group
http://www.threatgeek.com/2016/07/tracking-man1-crypter-actor.html
68@ThreatConnect
What Can We Learn From PCAP Only?
• Adversary Likely Russophone
• Office Document generating network traffic
• Multi-stage malware
• One payload is Pony
• One payload is Nymaim
• Nymaim has
  • Dedicated infrastructure
  • Rogue DNS
• Dropper uses compromised Drupal websites
• Adversary is MAN1
69@ThreatConnect
Collected Lots of Indicators
70@ThreatConnect
My local.bro
71@ThreatConnect
cuddlesome.exe = Ruckguv
72@ThreatConnect
Bro Output
• Important Logs
  • conn.log
  • dns.log
  • http.log
  • pe.log
  • files.log
• Extracted Files
• Alternative JSON Output for Elasticsearch
73@ThreatConnect
Volatility
Memory Analysis Framework
74@ThreatConnect
What is the Volatility Framework?
• Extracts artifacts from samples of volatile memory
• An amazing view into what is happening in memory while a malware sample is running
75@ThreatConnect
Operating System Support
76@ThreatConnect
Volatility in Action
• Analysis Target: b.exe
• Sample Source: https://www.hybrid-analysis.com/
• SHA1: 5149b40858c575238f1cbfcd32dd78a30bc87742
• What can we learn from memory analysis?
77@ThreatConnect
Preparing Your Memory Image
Convert ELF64 image into raw dd-style memory dump
• Dump a memory image from running VirtualBox VM
  • VBoxManage debugvm "Win7x64" dumpvmcore --filename=vbox.img
  • vol.py -f vbox.img --profile=Win7SP1x64 imagecopy -O copy.raw
78@ThreatConnect
pslist & psscan
• psscan shows hidden and terminated processes
• pslist shows running processes
• pslist before and after running malware sample
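The slide's three bullets describe a workflow rather than a command: snapshot pslist before the sample runs, snapshot pslist and psscan afterwards, then compare. pslist walks the kernel's linked process list, while psscan carves _EPROCESS structures out of physical memory, so anything psscan returns that pslist does not is either a process that already exited or one that was unlinked from the list. The following added example (not code from the talk or from ThreatConnect) parses Volatility 2 style pslist/psscan text output and does both comparisons. The three outputs are constructed fixtures in that layout; the process names, PIDs and offsets are invented for the demonstration and are not from the talk's memory image.

```python
"""Compare Volatility 2 pslist/psscan output around a sample run.

pslist = live process list; psscan = carved _EPROCESS structures, which also
surface exited and unlinked (hidden) processes. Fixtures below are constructed.
"""


def parse_pslist(text):
    """Return {pid: {"name", "ppid", "offset"}} from `vol.py ... pslist` output."""
    procs = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or not tok[0].startswith("0x"):
            continue  # column headers, dashed rule, blank lines
        procs[int(tok[2])] = {"name": tok[1], "ppid": int(tok[3]), "offset": tok[0]}
    return procs


def parse_psscan(text):
    """Return {pid: {..., "exited": str|None}} from `vol.py ... psscan` output.

    Row layout: Offset(P) Name PID PPID PDB <created: 3 tokens> [<exited: 3 tokens>]
    """
    procs = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 8 or not tok[0].startswith("0x"):
            continue
        procs[int(tok[2])] = {
            "name": tok[1], "ppid": int(tok[3]), "offset": tok[0],
            "created": " ".join(tok[5:8]),
            "exited": " ".join(tok[8:11]) if len(tok) >= 11 else None,
        }
    return procs


def diff_pslist(before, after):
    """Processes that appeared or disappeared between two pslist snapshots."""
    b = {(pid, p["name"]) for pid, p in before.items()}
    a = {(pid, p["name"]) for pid, p in after.items()}
    return {"started": sorted(a - b), "ended": sorted(b - a)}


def psscan_only(pslist, psscan):
    """Split psscan-only processes into exited ones and candidates for hidden ones."""
    result = {"terminated": [], "hidden": []}
    for pid, p in psscan.items():
        if pid in pslist and pslist[pid]["name"] == p["name"]:
            continue
        bucket = "terminated" if p["exited"] else "hidden"
        result[bucket].append((pid, p["name"]))
    for bucket in result.values():
        bucket.sort()
    return result


# Constructed pslist output before the sample runs (Volatility 2 column layout).
PSLIST_BEFORE = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa8000c9e040 System                    4      0     86      490 ------      0 2016-10-19 14:00:01 UTC+0000
0xfffffa80018c3b30 explorer.exe           1528   1496     30      888      1      0 2016-10-19 14:00:20 UTC+0000
"""

# Constructed pslist output after the run: one new process is linked in.
PSLIST_AFTER = PSLIST_BEFORE + """\
0xfffffa8001a2c060 b.exe                  2204   1528      2       45      1      0 2016-10-19 14:05:02 UTC+0000
"""

# Constructed psscan output after the run: carving also finds an exited helper
# and a process that is no longer on the linked list but has no exit time.
PSSCAN_AFTER = """\
Offset(P)          Name                PID   PPID PDB                Time created                   Time exited
------------------ ---------------- ------ ------ ------------------ ------------------------------ ------------------------------
0x0000000000c9e040 System                4      0 0x0000000000187000 2016-10-19 14:00:01 UTC+0000
0x000000001f8c3b30 explorer.exe       1528   1496 0x000000001e8c7000 2016-10-19 14:00:20 UTC+0000
0x000000001fa2c060 b.exe              2204   1528 0x000000003a1b2000 2016-10-19 14:05:02 UTC+0000
0x000000001fb44900 setup.tmp          2312   2204 0x0000000039e51000 2016-10-19 14:05:03 UTC+0000   2016-10-19 14:05:09 UTC+0000
0x000000001fc10b30 svchost.exe        3012   2204 0x000000003b0c4000 2016-10-19 14:05:10 UTC+0000
"""

if __name__ == "__main__":
    before, after = parse_pslist(PSLIST_BEFORE), parse_pslist(PSLIST_AFTER)
    print(diff_pslist(before, after))
    print(psscan_only(after, parse_psscan(PSSCAN_AFTER)))
```

The "hidden" bucket is a candidate list, not a verdict: a process can also be missing from pslist because the snapshot caught it mid-teardown, so the next step is to confirm with other plugins against the same image.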
79@ThreatConnect
malfind
$ vol.py -f copy.raw --profile=Win7SP1x64 malfind -D .
80@ThreatConnect
Malware Found?
• Avira: TR/Patched.Ren.Gen7
• Qihoo-360: HEUR/QVM40.1.Malware.Gen
[malfind output screenshot; values legible in the image: 0x80000, 0xa000]
81@ThreatConnect
netscan
$ vol.py -f copy.raw --profile=Win7SP1x64 netscan | grep explorer
82@ThreatConnect
What Can We Learn From Memory Analysis?
• Sample uses process injection
• Injects explorer.exe
• Command and Control IP Address: 216.170.126.105
83@ThreatConnect
Volatility Output
• Files extracted from services
• Files extracted from injection
• DLLs extracted
• IP addresses extracted from network connections
• URLs extracted from IE history
• URLs extracted from malware configuration
• Suspicious mutexes
84@ThreatConnect
Tying It All Together
Conclusion
85@ThreatConnect
Cuckoo, Thug, Bro Process
86@ThreatConnect
Volatility, Thug, Cuckoo Process
87@ThreatConnect
Orchestration and Automation
• Use a message queue
  • Redis
  • RabbitMQ
  • ZeroMQ (preferred)
• Use NGINX for file transfer under message queue
• Keep all output in Elasticsearch
  • Cuckoo needs cuckoo-modified, or write your own report plugin
  • Thug uses ES natively
  • Bro can export logs in JSON format
  • Volatility can export logs in JSON format
• Glue everything together with Python3
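Two of these bullets ("Bro can export logs in JSON format" and "Glue everything together with Python3") meet in the smallest piece of glue such a lab needs: turning a Bro JSON log into an Elasticsearch bulk request tagged with the analysis run it belongs to. The following added example (not code from the talk or from ThreatConnect) does that in standard-library Python 3. It assumes Bro's JSON writer defaults of one object per line with ts as epoch seconds and dotted keys such as id.orig_h, which it expands into nested objects since some Elasticsearch versions reject dots in field names. The index naming (malware-lab-<log>), the sample_id field and the two log lines are constructed for the example; message-queue transport is left out.

```python
"""Turn Bro JSON log lines into an Elasticsearch _bulk body tagged with the
analysis run. Index naming, sample_id and the sample lines are constructed."""
import json
from datetime import datetime, timezone


def nest_dotted(doc):
    """Expand {"id.orig_h": x} into {"id": {"orig_h": x}} for mappings that reject dots."""
    out = {}
    for key, value in doc.items():
        parts = key.split(".")
        cursor = out
        for part in parts[:-1]:
            cursor = cursor.setdefault(part, {})
        cursor[parts[-1]] = value
    return out


def to_document(log_path, line, sample_id):
    """Normalize one Bro JSON log line into an Elasticsearch document."""
    record = json.loads(line)
    ts = record.pop("ts")                      # Bro writes epoch seconds as a float
    doc = nest_dotted(record)
    doc["@timestamp"] = datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()
    doc["log"] = log_path                      # http, files, dns, conn, pe, ...
    doc["sample_id"] = sample_id               # ties the evidence back to one submitted sample
    return doc


def bulk_body(log_path, lines, sample_id, index_prefix="malware-lab"):
    """Build the newline-delimited body for POST /_bulk: action line, then document."""
    index = "%s-%s" % (index_prefix, log_path)
    chunks = []
    for line in lines:
        if not line.strip():
            continue
        chunks.append(json.dumps({"index": {"_index": index}}))
        chunks.append(json.dumps(to_document(log_path, line, sample_id), sort_keys=True))
    return "\n".join(chunks) + "\n"            # _bulk requires a trailing newline


def parse_bulk(body):
    """Inverse of bulk_body, for checking what would be sent: list of parsed lines."""
    return [json.loads(line) for line in body.splitlines() if line.strip()]


# Constructed http.log lines in Bro's JSON format (placeholder hosts and addresses).
HTTP_JSON_LINES = [
    '{"ts":1476835201.0,"uid":"Cabc2","id.orig_h":"10.0.0.5","id.orig_p":49153,'
    '"id.resp_h":"192.0.2.20","id.resp_p":80,"method":"GET","host":"drop.example.invalid",'
    '"uri":"/xdaovcny/index.php","status_code":200,"resp_fuids":["F8Ksgsir0wLKqA4e9"],'
    '"resp_mime_types":["application/x-dosexec"]}',
    '{"ts":1476835200.5,"uid":"Cabc1","id.orig_h":"10.0.0.5","id.orig_p":49152,'
    '"id.resp_h":"192.0.2.10","id.resp_p":80,"method":"POST","host":"c2.example.invalid",'
    '"uri":"/zapoy/gate.php","status_code":200}',
]

if __name__ == "__main__":
    print(bulk_body("http", HTTP_JSON_LINES, "run-0001"), end="")
```

Keeping one index per log type mirrors Bro's own file layout, so the same code path handles files.log, dns.log or pe.log output unchanged; only the log_path argument differs.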
88@ThreatConnect
Questions?
© 2016 ThreatConnect, Inc. All Rights Reserved
www.ThreatConnect.com/blog
@MalwareUtkonos @ThreatConnect