Malware Analysis
What to learn from your invaders
Disclaimer
▪ All opinions expressed during this talk are mine and do not
reflect those of my employer.
▪ I will not be held responsible for any damage you do to your
system at home. I do not condone you doing this at work,
especially in a production environment. Be aware this is live
malware we're talking about, and if you don't take the proper
precautions, it's on your dime, not mine. :)
▪ This talk is about learning about the everyday, ever-evolving threats
that face anyone on the Internet. </fud scare tactic>
Agenda
▪ Whoami
▪ Tools
▪ Analysis
▪ Resources
Whoami
▪ Father
▪ Geek
▪ Drummer
▪ SIEM Manager by day, malware analyst by night... when I can...
Background
Tools
▪ VirtualBox
  ● Remnux
▪ Regshot
▪ FakeNet
▪ DNSChef
▪ Wireshark
▪ PEStudio
▪ Volatility
Samples
▪ “Unpaid taxes. Notice #12831” phishing email
▪ LogMeIn Spear phishing link
▪ “Vendor site cart purchase” phishing email
“Unpaid taxes. Notice #12831” phishing email (screenshot slides)
LogMeIn spear phishing (screenshot slide)
“Vendor site cart purchase” phishing email (screenshot slide)
Static analysis
▪ Regshot (note: Regshot compares before/after snapshots of the registry and file system, so it only yields results once the sample has been run; strictly it belongs with the behavioral tools below)
▪ Remnux tools (imports, pescan, pescanner, pyew.txt)
▪ PEStudio
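The kind of first look the PE scanners above give (section table, per-section entropy, odd section flags), as an added example in Python that is not part of the talk. The PE it inspects is constructed inside build_sample_pe(): a plain code section plus a section named UPX1 filled with random bytes and marked writable and executable, to mimic a packed binary. It is only a header skeleton, not a runnable program, and the 7.0 bits/byte entropy threshold is an assumed rule of thumb.

```python
"""Section-table triage of a PE file (added example, not code from the talk).

The sample PE is constructed below; the parser itself works on any PE32/PE32+
file opened in binary mode, e.g. triage(open("sample.scr", "rb").read()).
"""
import math
import random
import struct
from collections import Counter

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
HIGH_ENTROPY = 7.0   # assumed threshold; compressed or encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a single repeated value, up to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def build_sample_pe() -> bytes:
    """Constructed test input: minimal DOS/PE/COFF headers plus two sections."""
    rng = random.Random(1)
    text = b"\x90" * 256 + b"\xc3" * 256                    # NOP/RET filler, low entropy
    upx1 = bytes(rng.getrandbits(8) for _ in range(0x400))   # random bytes, looks packed
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0                                          # size of a PE32 optional header
    # Machine=i386, 2 sections, timestamp, no symbols, optional header size, characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x5390ABCD, 0, 0, opt_size, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\x00" * (opt_size - 2)   # PE32 magic only
    sec_fmt = "<8sIIIIIIHHI"
    sections = (
        struct.pack(sec_fmt, b".text", len(text), 0x1000, len(text), 0x200,
                    0, 0, 0, 0, 0x60000020)                   # code | execute | read
        + struct.pack(sec_fmt, b"UPX1", len(upx1), 0x2000, len(upx1), 0x400,
                      0, 0, 0, 0, 0xE0000040)                 # data | execute | read | write
    )
    header = dos + b"PE\x00\x00" + coff + optional + sections
    header += b"\x00" * (0x200 - len(header))                # pad to first raw section
    return header + text + upx1


def triage(pe: bytes) -> dict:
    """Parse DOS, COFF and section headers; flag sections worth a closer look."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    coff_off = e_lfanew + 4
    machine, nsec, timestamp, _, _, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", pe, coff_off)
    sec_off = coff_off + 20 + opt_size        # section table follows the optional header
    result = {"machine": machine, "timestamp": timestamp,
              "characteristics": chars, "sections": []}
    for i in range(nsec):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", pe, sec_off + 40 * i)
        raw = pe[rawptr:rawptr + rawsize]
        ent = shannon_entropy(raw)
        notes = []
        if ent > HIGH_ENTROPY:
            notes.append("high-entropy")                     # packed/encrypted payload?
        if flags & IMAGE_SCN_MEM_WRITE and flags & IMAGE_SCN_MEM_EXECUTE:
            notes.append("writable+executable")              # self-modifying / unpacker stub
        if rawsize == 0 and vsize > 0:
            notes.append("unpacks-at-runtime")               # empty on disk, filled in memory
        result["sections"].append({
            "name": name.rstrip(b"\x00").decode("ascii", "replace"),
            "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize,
            "entropy": round(ent, 3), "flags": notes,
        })
    return result


if __name__ == "__main__":
    for section in triage(build_sample_pe())["sections"]:
        print(section)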
“Vendor site cart purchase” phishing email (static analysis screenshot slides)
Behavioral analysis
▪ How does it react?
▪ What does it do?
Lab configuration
▪ VirtualBox
  ● Windows 7 (victim, of course)
  ● Remnux 6.0 (Ubuntu 14.04)
  ● Traffic capture
▪ Wireshark
▪ Procmon
Network behavior analysis – First attempt
Destination IPs the victim contacted on the first run (from the slide):
▪ 174.16.157.26
▪ 130.37.198.90
▪ 203.80.102.213
▪ 88.68.117.47
▪ 75.99.113.250
▪ 184.166.216.26
▪ 212.235.62.68
▪ 172.245.217.122
▪ 24.231.61.81
▪ 27.110.203.125
▪ 221.193.254.122
▪ 183.87.238.127
▪ 198.50.128.48
▪ 82.127.150.123
▪ 85.64.52.205
▪ 24.78.17.137
▪ 79.119.228.199
▪ 219.77.136.199
▪ 76.234.37.14
Network behavior analysis – Second attempt
Network behavior analysis – Third attempt
Host analysis - Files
Procmon process events (reconstructed from the slide; the backslashes in the paths were lost in extraction):

Time of Day | Process Name | PID | Operation | Path | Detail
9:45:03.5627178 PM | Explorer.EXE | 644 | Process Create | C:\tools\Malware\tazdrummer\Invoice_06.04.2014\Invoice_06.04.2014.pdf.scr | PID: 2684, Command line: "C:\tools\Malware\tazdrummer\Invoice_06.04.2014\Invoice_06.04.2014.pdf.scr" /S
9:45:04.5837508 PM | Invoice_06.04.2014.pdf.scr | 2684 | Process Create | C:\Users\keith\AppData\Local\Temp\Ettevaupeqe.exe | PID: 2236, Command line: "C:\Users\keith\AppData\Local\Temp\Ettevaupeqe.exe"
9:45:05.6715395 PM | Invoice_06.04.2014.pdf.scr | 2684 | Process Create | C:\Windows\SysWOW64\cmd.exe | PID: 2316, Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\keith\AppData\Local\Temp\CQV2090.bat"
9:45:05.6715490 PM | cmd.exe | 2316 | Process Start | | Parent PID: 2684, Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\keith\AppData\Local\Temp\CQV2090.bat", Current directory: C:\tools\Malware\tazdrummer\Invoice_06.04.2014
9:45:05.9865492 PM | Invoice_06.04.2014.pdf.scr | 2684 | Process Exit | |
9:45:06.0210210 PM | conhost.exe | 3048 | Process Start | | Parent PID: 392, Command line: \??\C:\Windows\system32\conhost.exe "7004549161928483034-634817172-12620106904102454541647554162437855351-2089999309", Current directory: C:\Windows\system32
9:45:07.1049881 PM | WinMail.exe | 2588 | Process Start | | Parent PID: 608, Command line: "C:\Program Files\Windows Mail\WinMail.exe" -Embedding
9:45:20.7850986 PM | rundll32.exe | 1064 | Process Start | | Parent PID: 1236, Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\FirewallControlPanel.dll,ShowNotificationDialog /ETOnly 0 /OnProfiles 6 /OtherAllowed 0 /OtherBlocked 0 /OtherEdgeAllowed 0 /NewBlocked 4 "C:\users\keith\appdata\local\temp\ettevaupeqe.exe"

Reading the trace:
▪ The sample is a screensaver executable wearing a double extension (.pdf.scr); Explorer launches it with the screensaver /S switch, so a double-click is enough.
▪ Within a second it writes and runs Ettevaupeqe.exe from the user's %TEMP% directory.
▪ It then runs a batch file from %TEMP% through cmd.exe and exits about 0.3 s later. The batch file's contents are not on the slide, but this is the usual shape of a dropper deleting its original file.
▪ About a second after the dropper exits, WinMail.exe is started via COM activation (-Embedding); the slide does not show which process triggered it.
▪ Fifteen seconds later rundll32.exe raises the Windows Firewall notification dialog for the dropped executable (/NewBlocked 4), the prompt Windows shows when a program starts listening for inbound connections and no rule allows it. That matches the outbound fan-out seen in the network capture and is itself a host-side indicator worth alerting on.
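The same trace turned into detection logic, as an added example in Python that is not part of the talk; it also serves the "Where can it be used? SIEM" point in the wrap-up. The input is constructed from the process events on the slide and laid out the way Procmon's File > Save (CSV) export writes them ("Time of Day", "Process Name", "PID", "Operation", "Path", "Result", "Detail"); the Process Exit detail text and the 2-second self-delete window are assumptions. The script rebuilds the process tree from the Process Create / Process Start details, then flags double-extension images, executables run from the user's Temp directory, cmd.exe /c on a batch file in Temp, and a parent that exits right after spawning that batch file, and renders each finding with its parent > child chain for correlation.

```python
"""Dropper triage over a Procmon CSV export (added example, not from the talk)."""
import csv
import io
import re
from dataclasses import dataclass
from typing import Optional

DOUBLE_EXT = re.compile(r"\.(pdf|doc|docx|xls|xlsx|txt|jpg|png)\.(scr|exe|com|pif|bat|cmd)$", re.I)
USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
BAT_ARG = re.compile(r"/c\s+\"?([^\"]+\.bat)\"?", re.I)
SELF_DELETE_WINDOW = 2.0   # assumed: seconds between spawning the .bat and the parent exiting

# Constructed from the slide; Process Exit detail is invented filler.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:45:03.5627178 PM","Explorer.EXE","644","Process Create","C:\tools\Malware\tazdrummer\Invoice_06.04.2014\Invoice_06.04.2014.pdf.scr","SUCCESS","PID: 2684, Command line: ""C:\tools\Malware\tazdrummer\Invoice_06.04.2014\Invoice_06.04.2014.pdf.scr"" /S"
"9:45:04.5837508 PM","Invoice_06.04.2014.pdf.scr","2684","Process Create","C:\Users\keith\AppData\Local\Temp\Ettevaupeqe.exe","SUCCESS","PID: 2236, Command line: ""C:\Users\keith\AppData\Local\Temp\Ettevaupeqe.exe"""
"9:45:05.6715395 PM","Invoice_06.04.2014.pdf.scr","2684","Process Create","C:\Windows\SysWOW64\cmd.exe","SUCCESS","PID: 2316, Command line: ""C:\Windows\system32\cmd.exe"" /c ""C:\Users\keith\AppData\Local\Temp\CQV2090.bat"""
"9:45:05.6715490 PM","cmd.exe","2316","Process Start","","SUCCESS","Parent PID: 2684, Command line: ""C:\Windows\system32\cmd.exe"" /c ""C:\Users\keith\AppData\Local\Temp\CQV2090.bat"", Current directory: C:\tools\Malware\tazdrummer\Invoice_06.04.2014"
"9:45:05.9865492 PM","Invoice_06.04.2014.pdf.scr","2684","Process Exit","","SUCCESS","Exit Status: 0, User Time: 0.0156001 seconds, Kernel Time: 0.0312002 seconds"
"9:45:07.1049881 PM","WinMail.exe","2588","Process Start","","SUCCESS","Parent PID: 608, Command line: ""C:\Program Files\Windows Mail\WinMail.exe"" -Embedding"
'''


@dataclass
class Proc:
    pid: int
    name: str
    image: str
    cmdline: str
    parent: int
    parent_name: str
    start: float
    exit: Optional[float] = None


@dataclass
class Finding:
    pid: int
    rule: str
    evidence: str


def time_of_day_seconds(s):
    """'9:45:03.5627178 PM' -> seconds since midnight (7-digit fractions, so no strptime)."""
    clock, ampm = s.split()
    h, m, sec = clock.split(":")
    hour = int(h) % 12 + (12 if ampm.upper() == "PM" else 0)
    return hour * 3600 + int(m) * 60 + float(sec)


def basename(path):
    return path.rsplit("\\", 1)[-1]


def load_processes(csv_text):
    """Rebuild the process tree from Process Create / Start / Exit events."""
    procs = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        t = time_of_day_seconds(row["Time of Day"])
        op, pid, detail = row["Operation"], int(row["PID"]), row["Detail"]
        if op == "Process Create":              # logged by the parent: PID is the parent
            m = re.match(r"PID: (\d+), Command line: (.*)", detail)
            child = int(m.group(1))
            procs[child] = Proc(child, basename(row["Path"]), row["Path"], m.group(2),
                                pid, row["Process Name"], t)
        elif op == "Process Start" and pid not in procs:   # no Create seen: parent outside trace
            m = re.match(r"Parent PID: (\d+), Command line: (.*)", detail)
            procs[pid] = Proc(pid, row["Process Name"], "", m.group(2), int(m.group(1)), "?", t)
        elif op == "Process Exit" and pid in procs:
            procs[pid].exit = t
    return procs


def chain(procs, pid):
    """'parent(pid) > child(pid)' string for a SIEM correlation field."""
    parts, cur = [], pid
    while cur in procs:
        p = procs[cur]
        parts.append(f"{p.name}({p.pid})")
        if p.parent not in procs:
            parts.append(f"{p.parent_name}({p.parent})")
        cur = p.parent
    return " > ".join(reversed(parts))


def analyze(csv_text):
    procs = load_processes(csv_text)
    findings = []
    for p in procs.values():
        if DOUBLE_EXT.search(p.image):
            findings.append(Finding(p.pid, "double-extension", p.image))
        if USER_TEMP.search(p.image):
            findings.append(Finding(p.pid, "exec-from-temp", p.image))
        bat = BAT_ARG.search(p.cmdline)
        if p.name.lower() == "cmd.exe" and bat and USER_TEMP.search(bat.group(1)):
            findings.append(Finding(p.pid, "batch-from-temp", bat.group(1)))
            parent = procs.get(p.parent)   # dropper that exits right after: self-delete pattern
            if parent and parent.exit is not None and 0 <= parent.exit - p.start <= SELF_DELETE_WINDOW:
                findings.append(Finding(parent.pid, "exits-after-batch",
                                        f"exited {parent.exit - p.start:.3f}s after spawning {bat.group(1)}"))
    return procs, findings


def to_siem(procs, findings):
    """Key=value lines, one per finding, ready for a log shipper."""
    return [f'rule={f.rule} pid={f.pid} chain="{chain(procs, f.pid)}" evidence="{f.evidence}"'
            for f in findings]


if __name__ == "__main__":
    print(*to_siem(*analyze(SAMPLE_CSV)), sep="\n")
```

None of the four rules is conclusive alone (installers also write to Temp and run batch files); the value is in the chain field, which lets the SIEM correlate all four on the same parent PID within a few seconds.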
Host analysis - Processes
Wrapping up
▪ What's been learned?
  ● Network activity
  ● Host based activity
▪ Where can it be used?
  ● SIEM
Resources
▪ Blogs
  ● Lenny Zeltser's blog - https://zeltser.com/
  ● Malware Analysis blog - http://www.malware-traffic-analysis.net/
  ● MalwareMustDie blog - http://blog.malwaremustdie.org/
  ● Malwageddon's blog - http://malwageddon.blogspot.com/
  ● MalwareDontNeedCoffee blog - http://malware.dontneedcoffee.com/
▪ Live samples
  ● Contagio - http://contagiodump.blogspot.com/
  ● Malc0de database - http://malc0de.com/database/
▪ Tools
  ● VirtualBox
  ● Remnux
  ● SysInternals
  ● Volatility
▪ Training
  ● OpenSecurityTraining.Info - http://opensecuritytraining.info/
Questions
Twitter - @Tazdrumm3r
Email – tazdrummer@gmail.com
Blog - https://tazdrumm3r.wordpress.com

Learn Malware Analysis Techniques

  • 1. Malware Analysis What to learn from your invaders
  • 2. Disclaimer ▪ All opinions expressed during this talk are mine and do not reflect that of my employer ▪ I will not be held responsible for any damage you do to your system at home. I do not condone you doing this at work, especially in a production environment. Be aware this is live malware we're talking about and if you don't take the proper precautions, it's on your dime, not mine. :) ▪ This talk is about learning of the everyday ever evolving threats which face anyone on the Internet. </fud scare tactic>
  • 3. Agenda ▪ Whoami ▪ Tools ▪ Analysis ▪ Resources
  • 4. Whoami ▪ Father ▪ Geek ▪ Drummer ▪ SIEM Manager by day, malware analyst by night... when I can...
  • 6. Tools ▪ VirtualBox ● Remnux ▪ Regshot ▪ FakeNet ▪ DNSChef ▪ Wireshark ▪ PEStudio ▪ Volatility
  • 7. Samples ▪ “Unpaid taxes. Notice #12831” phishing email ▪ LogMeIn Spear phishing link ▪ “Vendor site cart purchase” phishing email
  • 8. “Unpaid taxes. Notice #12831” phishing email
  • 9. “Unpaid taxes. Notice #12831” phishing email
  • 11. “Vendor site cart purchase” phishing email
  • 12.
  • 13. Static analysis ▪ Regshot ▪ Remnux tools (imports, pescan, pescanner, pyew.txt) ▪ PEStudio
  • 14. “Vendor site cart purchase” phishing email
  • 15. “Vendor site cart purchase” phishing email
  • 16. Behavioral analysis ▪ How does it react? ▪ What does it do?
  • 17. Lab configuration ▪ Virtualbox ● Windows 7 ● (Victim of course) ● Remnux 6.0 (Ubuntu 14.04) ● Traffic capture ▪ Wireshark ▪ Procmon
  • 18. Network behavior analysis – First attempt
  • 19. Network behavior analysis – First attempt
  • 20. Network behavior analysis – Second attempt
  • 21. Network behavior analysis – Third attempt
  • 23. Host analysis - Processes

| Time of Day | Process Name | PID | Operation | Path | Detail |
|---|---|---|---|---|---|
| 9:45:03.5627178 PM | Explorer.EXE | 644 | Process Create | C:\tools\Malware\tazdrummer\Invoice_06.04.2014\Invoice_06.04.2014.pdf.scr | PID: 2684, Command line: "C:\tools\Malware\tazdrummer\Invoice_06.04.2014\Invoice_06.04.2014.pdf.scr" /S |
| 9:45:04.5837508 PM | Invoice_06.04.2014.pdf.scr | 2684 | Process Create | C:\Users\keith\AppData\Local\Temp\Ettevaupeqe.exe | PID: 2236, Command line: "C:\Users\keith\AppData\Local\Temp\Ettevaupeqe.exe" |
| 9:45:05.6715395 PM | Invoice_06.04.2014.pdf.scr | 2684 | Process Create | C:\Windows\SysWOW64\cmd.exe | PID: 2316, Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\keith\AppData\Local\Temp\CQV2090.bat" |
| 9:45:05.6715490 PM | cmd.exe | 2316 | Process Start | | Parent PID: 2684, Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\keith\AppData\Local\Temp\CQV2090.bat", Current directory: C:\tools\Malware\tazdrummer\Invoice_06.04.2014 |
| 9:45:05.9865492 PM | Invoice_06.04.2014.pdf.scr | 2684 | Process Exit | | |
| 9:45:06.0210210 PM | conhost.exe | 3048 | Process Start | | Parent PID: 392, Command line: \??\C:\Windows\system32\conhost.exe "7004549161928483034-634817172-12620106904102454541647554162437855351-2089999309", Current directory: C:\Windows\system32 |
| 9:45:07.1049881 PM | WinMail.exe | 2588 | Process Start | | Parent PID: 608, Command line: "C:\Program Files\Windows Mail\WinMail.exe" -Embedding |
| 9:45:20.7850986 PM | rundll32.exe | 1064 | Process Start | | Parent PID: 1236, Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\FirewallControlPanel.dll,ShowNotificationDialog /ETOnly 0 /OnProfiles 6 /OtherAllowed 0 /OtherBlocked 0 /OtherEdgeAllowed 0 /NewBlocked 4 "C:\users\keith\appdata\local\temp\ettevaupeqe.exe" |
  • 24. Wrapping up ▪ What's been learned? ● Network activity ● Host based activity ▪ Where can it be used? ● SIEM
  • 25. Resources ▪ Blogs ● Lenny Zeltser's blog - https://zeltser.com/ ● Malware Analysis blog - http://www.malware-traffic-analysis.net/ ● MalwareMustDie blog - http://blog.malwaremustdie.org/ ● Malwageddon's blog - http://malwageddon.blogspot.com/ ● MalwareDontNeedCoffee blog - http://malware.dontneedcoffee.com/ ▪ Live samples ● Contagio - http://contagiodump.blogspot.com/ ● Malc0de database - http://malc0de.com/database/ ▪ Tools ● VirtualBox ● Remnux ● SysInternals ● Volatility
  • 27. Questions ▪ Twitter - @Tazdrumm3r ▪ Email - tazdrummer@gmail.com ▪ Blog - https://tazdrumm3r.wordpress.com
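Slides 23 and 24 show the Procmon process chain (Explorer launches the double-extension .scr, which drops an executable into the user's Temp folder and runs a .bat through cmd.exe) and ask where that knowledge can be reused, namely in a SIEM. The following is an added example, not code from the talk: it rebuilds the parent/child tree from Process Create records modelled on the slide (paths kept as on the slide, PIDs as shown) and flags the three behaviours a detection rule would key on.

```python
import re

# Constructed records modelled on the Procmon rows on slide 23:
# (time, process name, pid, operation, detail column).
EVENTS = [
    ("9:45:03.5627178 PM", "Explorer.EXE", 644, "Process Create",
     r'PID: 2684, Command line: "C:\tools\Malware\tazdrummer\Invoice_06.04.2014\Invoice_06.04.2014.pdf.scr" /S'),
    ("9:45:04.5837508 PM", "Invoice_06.04.2014.pdf.scr", 2684, "Process Create",
     r'PID: 2236, Command line: "C:\Users\keith\AppData\Local\Temp\Ettevaupeqe.exe"'),
    ("9:45:05.6715395 PM", "Invoice_06.04.2014.pdf.scr", 2684, "Process Create",
     r'PID: 2316, Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\keith\AppData\Local\Temp\CQV2090.bat"'),
    ("9:45:07.1049881 PM", "WinMail.exe", 2588, "Process Start",
     r'Parent PID: 608, Command line: "C:\Program Files\Windows Mail\WinMail.exe" -Embedding'),
]

DETAIL_RE = re.compile(r'^PID: (\d+), Command line: (.*)$')
# Anything executed out of the per-user Temp directory.
TEMP_RE = re.compile(r'\\AppData\\Local\\Temp\\[^"\s]+', re.IGNORECASE)
# Document-looking name with an executable extension tacked on (Invoice_...pdf.scr).
DOUBLE_EXT_RE = re.compile(r'\.(pdf|doc|xls|jpg)\.(scr|exe|com|pif)\b', re.IGNORECASE)


def process_tree(events):
    """Map child pid -> (parent pid, parent name, child command line) from Process Create rows."""
    tree = {}
    for _time, parent_name, parent_pid, op, detail in events:
        m = DETAIL_RE.match(detail)
        if op == "Process Create" and m:
            tree[int(m.group(1))] = (parent_pid, parent_name, m.group(2))
    return tree


def suspicious(events):
    """Return sorted (child pid, reason) pairs for the behaviours seen on the slide."""
    hits = []
    for child, (ppid, pname, cmdline) in process_tree(events).items():
        if DOUBLE_EXT_RE.search(cmdline):
            hits.append((child, "double-extension executable launched"))
        if DOUBLE_EXT_RE.search(pname):
            hits.append((child, f"spawned by double-extension parent {pname} (pid {ppid})"))
        if TEMP_RE.search(cmdline):
            hits.append((child, "runs content from user Temp directory"))
    return sorted(hits)


def ancestry(events, pid):
    """Walk the tree back to the root for one pid, e.g. [644, 2684, 2316]."""
    tree = process_tree(events)
    chain = [pid]
    while chain[-1] in tree:
        chain.append(tree[chain[-1]][0])
    return chain[::-1]


if __name__ == "__main__":
    for pid, why in suspicious(EVENTS):
        print(pid, "via", " -> ".join(map(str, ancestry(EVENTS, pid))), ":", why)
```

The same three checks map directly onto SIEM correlation rules over Sysmon or Procmon process-creation events; the ancestry walk is what turns a single alert on Ettevaupeqe.exe into the full chain back to the phishing attachment.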

Editor's notes

  1. Email screen shot
  2. Traffic pattern