Indicators of Compromise: From malware analysis to eradication
Michael Boman, Malware Research Institute
About me
4th year speaking at 44CON:
- 2012: Malware as a hobby [P]
- 2013: Controlling a PC using Arduino [WS]
- 2014: Malware analysis as a big data problem [P]
- 2015: Malware anti-reversing [P], Indicators of Compromise [WS]
Malware Researcher, Founder Malware Research Institute
6 kids, one more on the way…
Malware Research Lab, 2012
Malware Research Lab, 2015
Detecting the Unknown
FBI: There are only two types of companies: those that have been hacked, and those that will be.
Always assume that you have been compromised and look for signs to confirm the assumption
Where to look
There is gold in those logfiles!
- Firewall
- IDS / IPS
- Proxy
- DNS
- System logfiles
- Netflow data
Firewall
- New sessions are enough, no need to log every packet
- Ingress (incoming) AND Egress (outgoing)
- Denied AND Permitted
IDS / IPS
- Detecting attacks is "nice", detecting compromises is "cool"
- You need actionable information from your IDS / IPS system
- Custom rules are the path to salvation
Proxy
- Detecting known bad sites
- Trace infections to source
- Detecting outliers
DNS
- Log queries
- Establish DNS query & response baseline
- Analyze NXDOMAIN responses
- Analyze successful DNS lookups
- Identify domain name abnormalities
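As an added worked example (not code from the talk), the Python below runs the DNS checks listed above over constructed query logs: it learns a baseline of registered domains from a quiet window, counts NXDOMAIN responses per client, lists domains that never appeared in the baseline, and scores second-level labels by Shannon entropy to surface random-looking names. The log format, client addresses, domain names and thresholds are all made up for the example; the "last two labels" rule for the registered domain is a simplification that a real deployment would replace with a public-suffix list.

```python
import math
from collections import defaultdict

# Constructed DNS query logs (not from the talk): "timestamp client qname qtype rcode".
# BASELINE_LOG is a quiet window used to learn which registered domains are normal;
# WINDOW_LOG is the period under investigation.
BASELINE_LOG = """\
2015-09-09T09:00:01 10.0.0.5 www.example.com A NOERROR
2015-09-09T09:00:02 10.0.0.7 mail.example.com A NOERROR
2015-09-09T09:00:03 10.0.0.9 cdn.example.net A NOERROR
"""

WINDOW_LOG = """\
2015-09-10T09:00:01 10.0.0.5 www.example.com A NOERROR
2015-09-10T09:00:02 10.0.0.5 mail.example.com A NOERROR
2015-09-10T09:00:03 10.0.0.5 img.cdn-provider.net A NOERROR
2015-09-10T09:00:04 10.0.0.7 www.example.com A NOERROR
2015-09-10T09:00:05 10.0.0.7 cdn.example.net A NOERROR
2015-09-10T09:01:00 10.0.0.9 kq3xz7vbn2pd.info A NXDOMAIN
2015-09-10T09:01:01 10.0.0.9 r8wq1jmcz0ty.info A NXDOMAIN
2015-09-10T09:01:02 10.0.0.9 x0n4vlp9gkhb.info A NXDOMAIN
2015-09-10T09:01:03 10.0.0.9 update.example.com A NOERROR
2015-09-10T09:01:04 10.0.0.9 h4z8q2mtyvwk.info A NOERROR
"""


def parse_dns_log(text):
    """Parse the constructed log format into a list of dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype, rcode = line.split()
        records.append({"ts": ts, "client": client, "qname": qname.lower().rstrip("."),
                        "qtype": qtype, "rcode": rcode})
    return records


def registered_domain(qname):
    """Last two labels of the name. Simplification: a public-suffix list is needed for co.uk etc."""
    return ".".join(qname.split(".")[-2:])


def shannon_entropy(label):
    """Bits of entropy per character; random-looking (DGA-style) labels score high."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def nxdomain_counts(records):
    """Per client: (NXDOMAIN responses, total queries)."""
    nx = defaultdict(int)
    total = defaultdict(int)
    for r in records:
        total[r["client"]] += 1
        if r["rcode"] == "NXDOMAIN":
            nx[r["client"]] += 1
    return {c: (nx[c], total[c]) for c in total}


def noisy_clients(records, min_queries=5, min_ratio=0.5):
    """Clients whose NXDOMAIN share exceeds min_ratio (thresholds are assumed; tune to your baseline)."""
    flagged = []
    for client, (nx, total) in nxdomain_counts(records).items():
        if total >= min_queries and nx / total >= min_ratio:
            flagged.append(client)
    return sorted(flagged)


def new_domains(records, baseline_domains):
    """Registered domains queried in the window that never appeared in the baseline."""
    return {registered_domain(r["qname"]) for r in records} - set(baseline_domains)


def high_entropy_domains(records, threshold=3.4):
    """Registered domains whose second-level label looks machine-generated (threshold assumed)."""
    out = set()
    for r in records:
        reg = registered_domain(r["qname"])
        if shannon_entropy(reg.split(".")[0]) > threshold:
            out.add(reg)
    return out


if __name__ == "__main__":
    baseline = {registered_domain(r["qname"]) for r in parse_dns_log(BASELINE_LOG)}
    window = parse_dns_log(WINDOW_LOG)
    print("NXDOMAIN per client:", nxdomain_counts(window))
    print("noisy clients:", noisy_clients(window))
    print("domains not in baseline:", sorted(new_domains(window, baseline)))
    print("high-entropy domains:", sorted(high_entropy_domains(window)))
```

The three signals are deliberately kept separate: a burst of NXDOMAIN answers points at a client, a domain outside the baseline points at new infrastructure, and a high-entropy label points at a generated name. On real data each one produces false positives on its own (CDNs and tracking hosts look random too), so the useful alert is the intersection, which here is client 10.0.0.9.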
System logfiles
Windows 7 regular expressions

Regular expression                                        Source       Event ID
.*APPCRASH.*                                              Application  1001
.*he protected system file.*                              Application  64004
.*EMET_DLL Module logged the following event:.*           Application  2
.*your virus/spyware.*                                    Application  Depends
.*A new process has been created\..*                      Security     4688
.*A service was installed in the system\..*               Security     4697
.*A scheduled task was created\..*                        Security     4698
.*Logon Type:[\W]*(3|10).*                                Security     4624, 4625
.*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run.*   Security     4657
.*service terminated unexpectedly\..*                     System       7034
.*service was successfully sent a.*                       System       7035
.*service entered the.*                                   System       7036
.*service was changed from.*                              System       7040
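Added example, not part of the slides: the patterns from the table compiled and run over a few constructed Windows event records. The "channel", "event_id" and "message" field names are an assumption about how an exported log would be represented, and each pattern is applied only to events of its own log source and event id, as the table intends. The patterns are compiled with DOTALL because event messages span several lines, and with IGNORECASE because event 4657 reports the hive path as \REGISTRY\MACHINE\SOFTWARE\..., which the case-sensitive Run-key pattern would otherwise miss.

```python
import re

# The talk's Windows 7 regular-expression table, transcribed as (log channel, event ids, pattern).
# None for the event id stands for the slide's "Depends" (the anti-virus event id varies by product).
WINDOWS_IOC_PATTERNS = [
    ("Application", {1001},        r".*APPCRASH.*"),
    ("Application", {64004},       r".*he protected system file.*"),
    ("Application", {2},           r".*EMET_DLL Module logged the following event:.*"),
    ("Application", None,          r".*your virus/spyware.*"),
    ("Security",    {4688},        r".*A new process has been created\..*"),
    ("Security",    {4697},        r".*A service was installed in the system\..*"),
    ("Security",    {4698},        r".*A scheduled task was created\..*"),
    ("Security",    {4624, 4625},  r".*Logon Type:[\W]*(3|10).*"),
    ("Security",    {4657},        r".*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run.*"),
    ("System",      {7034},        r".*service terminated unexpectedly\..*"),
    ("System",      {7035},        r".*service was successfully sent a.*"),
    ("System",      {7036},        r".*service entered the.*"),
    ("System",      {7040},        r".*service was changed from.*"),
]

# DOTALL: event messages span many lines and the leading ".*" must be allowed to cross them.
# IGNORECASE: the patterns are case-sensitive as written, but event 4657 renders the hive path
# as \REGISTRY\MACHINE\SOFTWARE\..., which ".*\\Software\\..." would otherwise miss.
COMPILED = [(chan, ids, re.compile(rx, re.DOTALL | re.IGNORECASE))
            for chan, ids, rx in WINDOWS_IOC_PATTERNS]

# Constructed event records in the shape of an exported event log (not real data).
SAMPLE_EVENTS = [
    {"channel": "Security", "event_id": 4624,
     "message": "An account was successfully logged on.\n\nLogon Type:\t\t\t10\n\n"
                "New Logon:\n\tAccount Name:\t\tjdoe\n\tWorkstation Name:\tWS-17"},
    {"channel": "Security", "event_id": 4624,
     "message": "An account was successfully logged on.\n\nLogon Type:\t\t\t2\n\n"
                "New Logon:\n\tAccount Name:\t\tjdoe"},
    {"channel": "Security", "event_id": 4688,
     "message": "A new process has been created.\n\nNew Process Name:\tC:\\Windows\\System32\\cmd.exe"},
    {"channel": "System", "event_id": 7036,
     "message": "The Print Spooler service entered the running state."},
    {"channel": "Application", "event_id": 1001,
     "message": "Fault bucket 123, type 1\nEvent Name: APPCRASH\nResponse: Not available"},
    {"channel": "Security", "event_id": 4657,
     "message": "A registry value was modified.\n\nObject Name:\t"
                "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\n"
                "Object Value Name:\tUpdater"},
    {"channel": "Application", "event_id": 1000,
     "message": "Faulting application name: notepad.exe, version: 6.1.7600.16385"},
]


def scan_events(events):
    """Return (event_index, pattern_index) for each record that hits a pattern of its channel and id."""
    hits = []
    for i, ev in enumerate(events):
        for p, (chan, ids, rx) in enumerate(COMPILED):
            if ev["channel"] != chan:
                continue
            if ids is not None and ev["event_id"] not in ids:
                continue
            if rx.search(ev["message"]):
                hits.append((i, p))
    return hits


if __name__ == "__main__":
    for i, p in scan_events(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[i]
        print(f"{ev['channel']} {ev['event_id']}: matched {WINDOWS_IOC_PATTERNS[p][2]}")
```

Note that the interactive logon (Logon Type 2) in the second record is correctly left alone: the table only asks for network (3) and remote interactive (10) logons, which is where lateral movement shows up. The 4688 and 4657 hits are the ones to enrich further with the process name and the registry value name from the message, since those are the fields that become file and registry IOCs later in the talk.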
Netflow data
- WHO is talking to WHOM
- When doing incident response, being able to narrow down the scope is key
Acquire the sample
- Extraction from network traffic
- File on disk
- Memory dump
Extracting from Network Traffic
- Wireshark: GUI
- Network Miner: GUI
- Foremost: foremost -v -i /path/to/pcap
- Dshell: DShell> decode -d rip-http --rip-output_dir=output/ /path/to/pcap
Extracting from Memory
Creating the memory dump:
PsExec.exe \\HOSTNAME_OR_IP -u DOMAIN\privileged_account -p passwd -c mdd_1.3.exe -o C:\MEMORY.DMP
Extracting the executable / DLL from the memory dump:
volatility dlldump -f MEMORY.DMP -D dumps/
volatility procmemdump -f MEMORY.DMP -D dumps/
Analyze the sample
- Confirm the malicious nature of the suspected sample
- Identify behavior that can be used to identify infected machines
Confirming the sample
- Static analysis
- Dynamic analysis
Cuckoo Sandbox
- Uses DLL-injection techniques to intercept and log specific API calls
- Uses TCPDump to capture network traffic
Minibis
- Uses Microsoft ProcMon inside the instrumented environment
- Uses TCPDump to capture network traffic
- ProcDOT can be used to analyze / visualize the execution process
Identify IOCs
Identifiable patterns in the sample:
- Created files
- Created / Modified registry keys
- Network traffic
- Memory patterns
Mandiant IOC Editor
Yara
```yara
rule silent_banker : banker
{
    meta:
        description = "This is just an example"
        thread_level = 3
        in_the_wild = true

    strings:
        $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
        $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
        $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"

    condition:
        $a and $b and $c
}
```
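To show what the rule's strings and condition actually do when a file is scanned, here is an added teaching example (it is not YARA and not code from the talk): it parses the two hex strings and the text string from the rule, scans a byte buffer for each with support for the `??` wildcard byte, and evaluates the condition `$a and $b and $c`. The two sample buffers are constructed for the example; YARA itself uses an Aho-Corasick multi-pattern search and supports far more string syntax than this.

```python
# Minimal re-implementation of how the silent_banker rule is evaluated: each string is searched
# in a byte buffer and the condition "$a and $b and $c" is checked. Teaching example only, not YARA.

SILENT_BANKER_STRINGS = {
    "$a": "{6A 40 68 00 30 00 00 6A 14 8D 91}",
    "$b": "{8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}",
    "$c": '"UVODFRYSIHLNWPEJXQZAKCBGMT"',
}


def parse_hex_string(spec):
    """'{6A 40 ?? 91}' -> [0x6A, 0x40, None, 0x91]; None is a wildcard byte."""
    body = spec.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError("not a hex string: %r" % spec)
    pattern = []
    for tok in body[1:-1].split():
        pattern.append(None if tok == "??" else int(tok, 16))
    return pattern


def parse_string(spec):
    """Accept either a YARA-style hex string or a double-quoted text string."""
    spec = spec.strip()
    if spec.startswith("{"):
        return parse_hex_string(spec)
    if spec.startswith('"') and spec.endswith('"'):
        return list(spec[1:-1].encode("ascii"))
    raise ValueError("unsupported string: %r" % spec)


def find_pattern(data, pattern):
    """All offsets where pattern (ints or None wildcards) occurs in data; naive O(n*m) scan."""
    n = len(pattern)
    return [i for i in range(len(data) - n + 1)
            if all(p is None or data[i + k] == p for k, p in enumerate(pattern))]


def match_strings(data, strings=SILENT_BANKER_STRINGS):
    """Map each string identifier to the offsets at which it was found."""
    return {name: find_pattern(data, parse_string(spec)) for name, spec in strings.items()}


def silent_banker_matches(data):
    """The rule's condition: $a and $b and $c (every string present at least once)."""
    return all(offsets for offsets in match_strings(data).values())


# Constructed buffers (not a real sample): one carries all three strings, the other lacks $b.
_A = bytes.fromhex("6A4068003000006A148D91")
_B = bytes.fromhex("8D4DB02BC183C027996A4E59F7F9")
_C = b"UVODFRYSIHLNWPEJXQZAKCBGMT"
SAMPLE_HIT = b"MZ" + b"\x90" * 16 + _A + b"\x00" * 8 + _C + b"\xcc" * 4 + _B + b"\x00" * 8
SAMPLE_MISS = b"MZ" + b"\x90" * 16 + _A + b"\x00" * 8 + _C

if __name__ == "__main__":
    print(match_strings(SAMPLE_HIT))   # $a at 18, $c at 37, $b at 67
    print(silent_banker_matches(SAMPLE_HIT), silent_banker_matches(SAMPLE_MISS))
```

The wildcard support matters in practice: byte sequences lifted from a disassembly often contain addresses or immediates that change between builds, and masking those with `??` is what keeps a rule from breaking on the next variant while the surrounding opcodes still pin it down.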
Snort
```
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 ( \
    content: "|6A 40 68 00 30 00 00 6A 14 8D 91|"; \
    content: "|8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9|"; \
    content: "UVODFRYSIHLNWPEJXQZAKCBGMT"; \
    msg: "silent_banker : banker C2 Traffic"; \
)
```
Finds unknown C2 servers
Mandiant IOC Finder
Collecting:
mandiant_ioc_finder collect [-o output_dir] [[-d drive]...] [-q] [-v] [-h]
Reporting:
mandiant_ioc_finder report [[-i input_iocs]...] [-s source_data] [-t html|doc] [-o output_folder (html) or file (doc)] [-q] [-v] [-h] [-w verbose|summary|off]
Searching Network Traffic
- Firewall: Detection, Block specific communication
- IDS / IPS: Create signatures to Detect and Prevent C2 communication, additional infections
- Proxy: Detection, Block specific communication
- DNS: Detection, Block communication to sites
Announcement
Riddle
Announcement
Public VXCage server, available at vxcage.malwareresearch.institute (http, soon https)
Feel free to apply for a personal account, free of charge:
TO: [email protected]
SUBJECT: VXCage Access
BODY:
- Who you are: name, twitter handle (if any, for cyberstalking), other contact info
- Why you want access
- Proposed username for the system (the password will be generated for you)
Please contact me at the above address for raw access to the archive
VXCage API: Quick intro
REST with JSON output:
- /malware/add - upload sample
- /malware/get/<sha256> - download sample
- /malware/find - search sample based on hash, date, tag
- /tags/list - list tags
Docs & Source code at https://github.com/mboman/vxcage
Thank you
Contact Information
Michael Boman (@mboman)
[email protected] (soon also [email protected])
Malware repository: vxcage.malwareresearch.institute
Malware blog: blog.malwareresearch.institute
Tools Mentioned
Snort, DaemonLogger, PassiveDNS, SANCP, Wireshark, Network Miner, Xplico, Dshell, PsExec, MDD, Volatility, Cuckoo Sandbox, Minibis, ProcDot, Mandiant OpenIOC Editor, Yara, Mandiant IOC Finder, Mandiant Redline