Okay, we're about on time, so thank you again for being here. Hopefully you've been enjoying DEF CON. Closing ceremonies will be soon; we'll be here for the village, and later on you can head out to the closing ceremonies for DEF CON. If this is your first time, hopefully you had a good time. I hope that you made some friends, and if you haven't, then please talk to the person next to you; they may be into the same things that you are. And I really recommend you go to the closing ceremonies; it's always a lot of fun. Again, thank you for being here. Cheers. Round of applause.

All right, welcome. A really cool way to finish up the day: understudy77. He is not only paranoid, but he is actually a Paranoid, like that's in his title. How cool is that, right? So he's a Paranoid with Verizon, head of security operations, and he's going to talk with you guys about an introduction to malware reverse engineering. If you haven't done it before, he and I were just talking, this is a really cool talk because it's going to be an "anybody can do malware reverse engineering" kind of talk, so I'm really looking forward to this. Give him a hand. Sorry, just to interrupt: the OpenSOC just ended, so if you hear a little bit of noise, it's because of that. So why don't we just give a good applause to everyone that participated in the OpenSOC, because they just completed the CTF; it's over.

So I want to start off at the end of the weekend by asking: did everybody have a really good DEF CON and hacker summer camp? All right. So I've been here most of the weekend, and I want to say two things. First off, I want a round of applause for all the volunteers and organizers of Blue Team Village. They kicked ass, did a really good job and a lot of work. And secondly, to OpenSOC: it was an awesome CTF, and I sat up here in the evening and watched them rebuild the whole thing
because everybody killed it. So they were tireless; I'm sure they're all tired, and somebody should buy them beer. So let's do an introduction to malware analysis. I'll start with the introductions: I'm the head of the security operations center at Verizon Media. I was an IR and breach consultant once upon a time, slash threat hunter. I'm probably a little bit rusty on this topic, so don't hold anything too far against me; management. And I'm pretty shitty at Twitter. Now let's talk about what this is and what this isn't. I have not done this every day in a little while. I love teaching this, because every time I add something new and I get to do something new and learn something new. There are a lot more tools and different things than what I'm going to be using; this is very much an introduction. I built this specifically to lower the entry barrier and make the concept of analyzing malware seem not so difficult, so some people may or may not be my target market, and that's okay, but I just want to make sure that I'm very clear about what this is going into it.

So we can talk a little bit about what tools we're going to be using. Primarily I run Ubuntu 14.04 with REMnux. REMnux is an open source malware analysis distro. Oh, I should mention as well: photos are fine this way; I wouldn't take them that way, but I know that's a sensitive topic, so I want everybody to know I don't care. In REMnux we're going to use some tools like pdfid, pdf-parser, oletools. From a VM perspective we're going to be looking at things like Process Explorer, Regshot, Fiddler, Wireshark. We're also going to touch a little bit on Cuckoo Sandbox and how you can automate some of this process that we're going to go over as well.

So let's set up the scenario. You are a security analyst for the Daily Bugle. You received an alert or notification about a suspicious email with an attachment. You got a copy of that attachment, so you have a PDF right now. So now we can jump right into
it, into the good part. By the way, this is all demo, pretty much, and I've prayed intensely to the demo gods that this is going to work out okay. So we have a PDF right here; here's our suspicious PDF. We can do a couple of things to look into this. I like to start with pdfid. Is this big enough, can everybody read it? I tried to make the size really big. Great. So I'm already in my directory, and we can run pdfid and our file name, and we can see what's going on with this. So if we look through this, this is going to tell us what's in the header: this is going to tell us objects, this is going to tell us JavaScript, and importantly in this case, this is going to tell us that we have an embedded file. That's interesting. Why would you put a file inside your PDF? So there are a couple of different ways we can get it: we can go to a sandbox, we can open the PDF and get the file, or we can use some other tools. But let's see if we can find out some more information about it first. So I'm going to go ahead and clear this out, and then let's see what we can find out about that file, and let's start with the file name and see if we can find that. So embedded files: looks like a Word doc, 602803.doc. Also interesting. What can we find out about that file, or more information about this PDF in general? And this is where the demo stuff happens, because I forget to type things. So we see that there's an embedded file; we can go through, there's the name, some additional information. This will basically break down the whole PDF and give you general information from it. It's really useful; it's not as human readable as either of the other tools that we just talked about, though. So here's our who wrote it and who made it. So now we need to get that, and preferably I think we'd like to get that in a safe way, although I do like clicking on everything that I can click on; I find that that's one of my favorite things in this world to do. But we'll do it the safe way, so we'll do
detach. Again, we know there's only one file there, so we can do save all. Then we can hit step one. So take a look here: this is all laid out for ease of use in case something breaks. But if I run this and we take a look back there, we've now saved out our document. Easy. So we've now successfully extracted a document from a PDF file. So now we get into analysis of that document. There is no internet for this. Typically I would be on a VPN and online, but I don't really want to be executing live malware throughout this experience. So I'm going to go ahead, I'm going to open up a VM, and we're going to start there. So we will start with opening up this document and seeing what we see, because I find that to be fun. So if we take our doc, we move it over to our VM, we can run a couple of things here, and we're going to talk more in depth about different tools as we get into the file analysis as well. So as soon as this pastes... this is the downside of live demos, right? I can start opening things, though. For anybody unfamiliar, Fiddler is basically a web debugger. So if I'm suspicious that web-based callouts are going to happen, or something of that nature, and I'm not worried about just general TCP connections, I like to use Fiddler because it displays everything really nicely and very easily, so I'm a big fan. We'll use Wireshark later as well. Come on. You know, the really crappy part about this is I practiced this six times and had no issues, and now everything wants to freeze. Cancel. Let's try that again. Hey, there we go, it's back. Right, so we have a document, we have something capturing web traffic, and right now we're going to get something capturing processes as well. For this we'll use Process Explorer. Process Explorer is essentially like Task Manager on steroids, and it'll give you a lot more information. Yes. So, interesting thing: Process Explorer is going to be pretty live, so things are going to disappear, things are going to go away, where Fiddler is going to record. So in this use case I tend to
always keep Process Explorer on top so that I can pay attention to it quickly, and then I'll go back and look at the network traffic afterward. So as we open up this document, we can see here that there is a macro. We can also shrink this down so it's out of our way, and we can enable content, because we like to live dangerously. So we can see, when Word... here we can see PowerShell just popped up and did a lot of things, and now it's gone. So let's move over here and see what else happened. A lot of these are going to be Microsoft, because I don't open Word that often, but I see a couple of things that look kind of suspicious over here. They can't go anywhere, but that's not traffic I would expect; that's relatively suspicious. So it's trying to get something, and if I expand this out a bit we can go take a look and see if it did anything, although we probably won't see very much because we're not connected to the internet. Where are you? So that's one way, without a network connection, that we can get access to see this kind of stuff. So here's something interesting: we see two URLs. At least in this use case, it couldn't connect to one, so it jumped to another. A lot of different pieces of malware will have multiple URLs built in. In the case of those multiple URLs, if you connect to the first one, meaning if the first time you run it you're on a virtual machine that connects to the internet, you might never see the second piece. So I tend to run everything first offline and then run online. I also tend to let a lot of this stuff sit for several hours to see if anything happens afterward. But in this case I think there's an easier way to go through this data. So we can go ahead and close out some of this stuff; we'll keep some of it open, and we can go back over here. So there's a tool suite called oletools, which basically will look at things and tell us what they are. In this case we're going to use olevba, because we know there's Visual Basic. Step two. So we know we have a macro, UserForm1, it can auto
exec: Document_Open. It may execute, and/or may run an executable or a system command, which it launched, cmd. Hex encoded strings detected, and an executable file name, that being that it ran cmd. So if we want to see more on this, add the decode option and again pipe to more. So this is going to give us the full context around that. So just from the beginning we can see call command line, call PowerShell: no profile, so it's going to ignore any built-in PowerShell settings; window style hidden, so you're not going to see it run; exec bypass, so it's going to try to bypass the execution policy that you have on your computer and run locally. And then we've got a whole bunch of other stuff going on here, just numbers and numbers and numbers and numbers. So what that data ends up looking like is this: not really super useful yet, right? So we could probably assume that this entire section here is encoded; actually, this entire section here is decimal encoded. Is anybody here, or everybody here, familiar with a tool called CyberChef? Great tool for this kind of stuff; it makes everything very fast. So I can go in here, I can paste all that in, and I can go From Decimal. Well, that didn't work, but everything's comma-delimited and you have to specify that. So if I specify comma-delimited, now we have a lot more information. So we can see some stuff, but there's still a lot going on. So I can see that there's an XOR key, this looks like a byte string, some pieces of URLs down there, but there's a lot going on with this, and this is kind of an interesting way to encode an additional layer. Basically what they're doing is they're shifting numbers. So like in URLs they're saying 10 113, and that's taking this list here and counting from that list that number. So if we use that and take a look at that in another way... that's the wrong one, oh no, that's the right one, because that's this. We can also see an executable down there. So if we use that, we want to get rid of that; we'll use URLs as an example. So I took each one of those URL pieces, I
haven't found an automated way to do this, by the way; if anybody knows an automated way to do this, that would be great, because manual takes some time. Count them from zero up, so zero to twenty, and then piece these together: ten, h; one, ttp; and so on and so forth, and you now have three URLs. So we saw two, we didn't see the third one, but we know that there are three hard-coded URLs in the sample, or in this piece of code. If we deobfuscate the whole thing, it gets more interesting. So we see our PowerShell, we see no profile, we see hidden, we see exec bypass, and now we start to get into some other interesting stuff. So some variable calling, there's an XOR key in there for XOR encoding, byte string, link sets, here's our URLs, and then we start to get into, down here: Write-Host URL, there's our file that we're going to see, here's our write, New-Object, DownloadFile, invoke URL, and then un-XOR, and then write bytes, un-XOR, and Start-Process. So what that means, and this is a little bit out of scope of what I'm going to talk about throughout the whole thing, but it's worth mentioning: if I go to one of those URLs and I wget and pull down that file, it's an incomplete file. It's an XORed file that needs to be decoded again, which this script does. I've already done that part, so I already have the completed file, so we can start talking about that completed file. So now we get down to an EXE. So we have an EXE, we can take a look at it, and now is where we get into running malicious files. Same system: we're going to have Process Explorer up, in this case we're going to use Wireshark, and I'm going to hide that off in the bottom, and we're going to use another tool called Regshot. So Regshot will take two snapshots of your registry at different times. So I click a button, it captures the entirety of my registry; I click another button, it captures the entirety of my registry again, and then compares the two files for any potential changes. So we'll go ahead and pop that open, and we'll take
our first shot. Now, none of this is an exact science. If you have any background processes running, things that can affect your registry, those things may come up as well. So unless it's a completely clean system, you might run into some things. One of the reasons why I didn't restart this is so that it would be cleaner and all background processes would finish running, so that I would get the best shot possible. So now we will move over our file. We've got everything open; I want to make sure Process Explorer is front and center, and we'll run it. So we see here it is, and it's making a call to svchost, which is the Windows service host file, and now it's gone, but svchost with that file is still there. That's interesting; it's doing something. Do we have any network traffic? In this case I'm just going to filter for TCP, and we have network traffic. Not much of any network traffic, as we're again not connected to the internet, but that's an unexpected call. I don't know why my computer would be going to 199.36.194.27. So we have network traffic, we have a suspicious svchost running. We can take a look at the properties of that and kind of go through: we can see the parent process here, we can see what it's doing, what it looks like, if there's an autostart location, the command line that was run, where it's running from, get performance graphs of how it's running, general performance of it, GPU graph, threads that it's running, strings of that file. So this is strings of the actual svchost; we can run strings on the specific file as well over here. Strings, I don't know how to properly explain them, but you can go through this and you can find some interesting things. So going through this, a lot of it's going to seem a little bit out of place, but I might be able to find some interesting calls, and I know there are a couple of interesting ones in here. So I can see a couple of things right through here: SetClass, registry calls, message filter, some
calls to some DLLs, initializations. All of these things are kind of the full-word pieces of the pieces that I'm potentially interested in when I'm going through this. This might give me an idea of what the file does, before I run it or after I run it or whenever; I'll get some idea. And if we look at the registry, some of that should match up. So we'll go ahead and take our second shot and then we'll compare. So let's see, we added three keys. Google: one, that's probably Google doing something. Microsoft Tracing, svchost: that's expected; we saw that file kind of launched from svchost, so we expect that, but now we know it's in the registry. We have EnableFileTracing, EnableConsoleTracing, and again, this is very much a touch-base on things, so I'm not going to go into what every one of these things may mean, just how to run it, how to find it, some things that might be concerning or interesting. So file directory. Then we get into our modified values, where we're also going to get some stuff in here. I'm not as good at reading text as I used to be. So, looking for potential current versions of different file pieces, window placement, so on and so forth. So we have network traffic, we have a rogue process that looks like a legitimate Windows process, and we have registry files that have changed. So there are a couple of different ways that you can go about this: you can re-image a box, like most places do, or you can kind of harp in on each one of those individual problems piece by piece. There's also a much easier way to do this, although I genuinely suggest that everybody kind of do it in an automated or in a manual fashion as they're learning this process. I also realize that I'm speeding through this really fast, so I hope I'm not blowing anything off; I tend to go a little quick. Speak louder? Sorry, yeah, I was standing back there yesterday and I realized I couldn't hear much either. No problem. So, automated sandboxing: is anybody not familiar? We'll talk about it anyway. Everything here is free
and open source. Everything that I'm using throughout the course of this is free and open source, so you can do it at home. As we get into automated sandboxing, you can build this, set it up yourself; you need a VM, some scripts to point to it, things of that nature, and it's literally drag and drop. So I can take this file, I can drag and drop it to submit, and then I can tell it a whole bunch of things: do I want it to connect to the internet, yes or no; do I want to give it a priority; what's the timeout, so how long do I want to let this run for. Now again, one of the things that I like about running something manually is I will let a file... if I'm doing an engagement, or was doing an engagement, I would often let a file run for like 24 hours to see if it did anything else interesting in that time period. In this case you're looking at 60 to 120; you can give it whatever setting you want, but it might not get any more information. You can add remote control, enable injection, dump process memory, dump full memory, and a whole bunch of other options. There's also a wild amount of add-ons that exist for this tool, so you can add just about everything you want. Now, that said, even though I'm going fast, if I run this right now it'll take like 10 minutes probably to go through and boot, but I've already run it, because again, I'm terrified something's going to break. So we can just look at the report. So, same file we looked at before; let's see if anything matches up. Cuckoo also adds a whole bunch of base signatures, so it's looking for things that look suspicious, essentially. So we can see a couple of different things as we go through this. I like to start with red: red is bad, yellow could be bad, blue maybe; order of priority by color. Attempts to identify installed AV: it's looking for Trend Micro. Deletes its original binary from disk: we watched that happen. Collects information about some other installed applications, queries details from the computer. So you can get a lot of general information from this just from
running something in a sandbox. You can also find a bunch of them online, but full disclaimer: don't take things that you're working on for work and then upload them to some website, unless where you work is cool with that; then by all means. And then here we see our IP address, although it does look like after six years that IP address has finally died. The last time I did this, a couple of months ago, it wasn't dead; everything was still completely live, and I was amazed by that, because this is a six-year-old piece of malware, proving that this stuff never really goes out of style; it still exists and functions and runs. It'll also give us any of the network connections, anything that we saw; again, if your box isn't completely clean, though, you will add in some extra things that could hurt. We can look at some static analysis of that file, so we can look at any compile time, our PDB path, any imports for DLLs, which we saw some of those when we went through strings, any artifacts that were extracted during that time frame from that file; in this case there were no other ones. Behavioral analysis: this shows us that process tree, the file itself goes to svchost. Any network analysis that we have, so we can look at general host connections. You can also pivot to Moloch. Good shout out to Moloch, even though I'm not going to cover that, because Verizon Media, the company that I work for, makes it and open sources it, so it's a good shout out, but you can pivot right to Moloch for full packet capture. It'll tell you about any files that potentially dropped; in this case the dropped file was the file we looked at. Process memory it'll pull as well, so any potential URLs that exist in process memory; again, all of these might not be related to that file, because this is not quite as clean as I would have liked it when I ran this sample. So you get kind of a good idea of what you can look at from this perspective. And there are a lot of other tools. Say you're not a Linux guy but a Windows guy: if I
hop back into here, which is horribly, horribly infected, and I copy my file back in, there's a tool called... not that one... PEStudio, that's it. So PEStudio essentially does a lot of this from a straight RE perspective. So you can just drag and drop a file for analysis; it'll kick into analysis of said file. It will connect to VirusTotal and look for that hash and give you any indicators; if this thing did connect to VirusTotal, it would light up like a Christmas tree, I think it's like 46 out of 64. It'll give you any potential indicators by severity: installation of hooks, blacklisted libraries, different section names being blacklisted. Again, we see some of the same things that we saw from each investigation method, and maybe a little bit more as we go through each one of these processes. When you get into that, it'll tell you certain sections, string analysis, and the strings that it found that were weird. So the string analysis that we did via command line, this does, and it'll call out the things that are blacklisted. So there are our DLL calls. Very, very convenient tool, also free, but it has to be run on Windows, which means you have to drop it on Windows, so make sure it's on a box that you don't mind completely screwing over. So that's about the course of the demo. So let's loop back in and talk a little bit about this. So as a security person, all of us blue team-ish, what can we do with the information that we got? So we have a file; we know the hash. We have endpoint detection software; we can block that hash, we can look for that hash across our network. We have callouts in multiple areas, so we have the initial callout from the document that downloads the file; we can use that to see if anybody else potentially downloaded the file. We can also use the actual callout, the IP callout, to see if anything went wrong or if anybody is infected with that file, because just because it tried to download doesn't mean it's infected; something could have
stopped that. So we have a whole host of information that we can use in our environment, especially if this came in as an email; it probably went to more than one user. So we can take the whole host of all the information that we pulled and get an idea of what this looks like across the scope of our whole network, which is super useful in any situation. So I like to leave this kind of stuff in case anybody wants to take pictures of it. So we have different commands that were run, the very specific commands. I'll give everybody a minute on that one. A lot of phones up, good, good; I keep them up. Because then we have the picture slide, which is links to all different kinds of tools. VirusTotal is an amazing tool for seeing what AV vendors know about different stuff. URLVoid and IPVoid, great for IP and URL reputation. malwr.com is very similar to Cuckoo, an online sandbox that you can upload stuff to. Then there are a bunch of different tips, reverse engineering tips, a lot from Lenny Zeltser, who's fantastic at this. There are great SANS courses on the topic, and I personally love the Malware Analyst's Cookbook and Practical Reverse Engineering. If this is something that you want to get into, these are some of my recommendations. The next recommendation page, however, is a little bit more dangerous: links to live malware. And I say disclaimer right now: use those at your own risk. I suggest having a separate box. This box is literally: the username is guest and the host name is like "malware". There's no identifiable information to me on this box whatsoever. I've never logged into a personal account, I've never done any of that. But again, paranoid; maybe you don't need to do quite that, but that's my thing. But there you have some links to live malware. End of speech; however, I do have stuff for the three best questions, if anybody has any.

So, why don't I use Process Hacker instead of Sysinternals? Probably just stuck in my ways, and I don't do it every day anymore.
So, easier to use Procmon to capture the log and then look through the processes afterward? And I agree, it's more time consuming and harder to show like this, though.

So, VM-aware malware: what method would I use to test that, right, if it won't run on a virtual machine? So I not only have this box, I have a couple of other hard boxes that I can use to test this stuff on, and just a base image, like a base Windows image, wipe. A lot of stuff will run in a virtual machine, and it's much easier to teach this because I have both tools in the same place, but I have another laptop specifically with wipeable images that I can use for anything that's VM-aware. What's that? For the image wiping? It's some enterprise tool.

So, how often do I see something new, is the question, and admittedly I don't do this every day anymore, but I will say that when I did IR, it was in waves. So you would see essentially the same thing a lot for a little while, and then something new a lot for a little while, and then something new a lot for a little while. Crypto miners, when I was rolling out of IR and into management, were the big thing, and just personal opinion, if somebody is going to hit you with that, like, that's it; it couldn't be better than that, like there's not a lot of damage there. But it's waves. But eventually... I just talked to one of my IR buddies who is here the other day, and he said 10 years, he's seen basically the same thing over and over again; it doesn't change that much.

So when it comes to malware that's reaching out to C2, what do I use to spoof the connections? Typically I don't. I log into a VPN and I let it make connections. I think you get a much fuller picture of what happens when you let communication happen. What's that? Why attach it to an email instead of Google Docs? Oh, so why not, from an attack perspective, upload the PDF to Google Docs instead of attaching it to an email? And that happens a lot more now, but it was just a setup scenario to start the conversation.
Oh, why didn't I just upload the PDF? I don't know. Go ahead. I have, and I actually have a sample of it sitting on this box too: Emotet v4, actually, I believe. I worked a big case with that. You find certain things. So, like, polymorphic malware, for anybody not familiar, is malware that can change enough to change its hash to make it harder to detect, essentially, and a couple of other attributes. So Emotet v4 is a module-based piece of malware that can call out and download different things, and it's constantly changing itself on the system. So in one of the cases that I used for that, I found common identifiers of the type, which specifically in this case was unsigned binaries under, or between, 60 and 74 kilobytes, and I tracked it down that way and got probably 150 different hashes until we could get the AV vendor to do stuff. You come here, you get a gift.

So, did you say static analysis to intent? Significantly more difficult, from that base analysis, to go into intent. You're starting to get into real serious reverse engineering to get down into the code of exactly what it does outside of what you see from a dynamic perspective. However, I have found that in many cases, and this is just me, like, I'm a horrible reverse engineer, I'm not gonna lie, because when I did IR no company wanted to pay for that. They just wanted to know how to find it, how to get rid of it, and make sure it was gone.

So I just run a base VM, but I'm also sitting on a Linux box, and I'm only messing with executables in this case. So I don't do any specific VM isolation for this.

What do I use to find different variants, other than registry keys, of the same malware? That's really interesting and a really good question. I actually have to think about that. Also come up here, you get a thing.
I mean, registry keys not being the only method of persistence in general either, so any general autoruns that potentially exist or any other normal, common persistence mechanisms, but man, you're really stumping me with that question.

So, the risk of letting network connections happen, and what kind of setup I have in a lab and/or VPN to accept that risk. And I will start that with a story of the one time I forgot to turn on my VPN and executed something that was terrifying, and I thought I was screwed; like, I thought I was gonna get owned after I executed this thing, because I completely forgot to turn it on. I was terrified for at least a week or two. I never made that mistake again, though. So, and all the fake DNS and stuff is really good too, but it doesn't necessarily give you the full picture. So I used Private Internet Access for a long time and I was pretty happy with it. I switched over to Nord recently and I'm pretty happy with that too. Depending on what I look at, I usually run it on the host system, not on the VM, so that my host system is coming from that location. I have seen a little bit of malware that's location specific, so if you VPN it's not necessarily going to execute anyway. But again, few and far between. I've been pretty happy with a standard, out-of-the-box VPN service. I haven't had problems in the five or so years that I did this regularly.

I don't mind sharing the slides; I have no problem with that. So is there anywhere that I can share the slides? Perfect. It will be on blueteamvillage.org. Oh, another one. Go ahead.

So, without getting into any of the ones that I can't talk about, one of the most interesting ones I've ever seen from a commodity perspective was that Emotet v4 sample. Because the initial payload was not malicious at all. And then it would call out and download modules, including SMB spreaders, different ransomware, and like banking Trojan stuff. It could install other malware, and it changed like every five minutes.
So trying to get a handle... and I watched it shut down a company in two hours. Like, completely shut down a company in two hours. So trying to get a handle on what that was, to clean it up when it kept changing, was one of the most fun and stressful weekends of my life. It was also my birthday weekend, which was wonderful, because I was supposed to be on vacation. Anything else? If not, thank you very much for your time, everybody.
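The three decoding layers the talk walks through on the macro's PowerShell (comma-delimited decimal, then URL pieces stored as positions in a token list, then the un-XOR of the downloaded blob before it is a usable file) carried out end to end, as an added Python example that is not the talk's code and not the real 602803.doc payload. The token table, the index lists, the XOR key and the "MZ" test blob are constructed values; the example also automates the index-counting step the speaker said he did by hand.

```python
"""Reconstructing the three decoding layers from the maldoc demo.

Constructed sample, not the real 602803.doc payload: the token table,
the index lists, the XOR key and the 'MZ' blob below are made up to
show the technique end to end.
"""
import re
from itertools import cycle


def from_decimal_csv(text: str) -> str:
    """Layer 1: the macro stores its PowerShell as comma-delimited decimal
    byte values (CyberChef 'From Decimal' with the delimiter set to comma)."""
    values = [int(v) for v in text.split(",") if v.strip()]
    return bytes(values).decode("latin-1")


def extract_token_table(script: str) -> list:
    """Pull the first array of single-quoted pieces, e.g. @('h','ttp',...)."""
    m = re.search(r"@\(('[^)]*)\)", script)
    return re.findall(r"'([^']*)'", m.group(1)) if m else []


def extract_index_lists(script: str) -> list:
    """Pull every all-numeric array, e.g. @(10,1,2,...), as a list of ints."""
    groups = re.findall(r"@\((\d+(?:,\d+)*)\)", script)
    return [[int(n) for n in g.split(",")] for g in groups]


def rebuild_from_indexes(table: list, indexes: list) -> str:
    """Layer 2: each URL is a list of positions into the token table
    (the 'count from zero: ten is h, one is ttp' step done by hand in the talk)."""
    return "".join(table[i] for i in indexes)


def decode_stage(decimal_csv: str):
    """Decode layer 1, then rebuild every URL hidden behind layer 2."""
    script = from_decimal_csv(decimal_csv)
    table = extract_token_table(script)
    urls = [rebuild_from_indexes(table, idx) for idx in extract_index_lists(script)]
    return script, urls


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Layer 3: the downloaded blob is XORed with a repeating key before it is
    written to disk and started. XOR is its own inverse, so this both mirrors
    what the script does and recovers a blob pulled down with wget."""
    if not key:
        raise ValueError("empty XOR key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def looks_like_pe(data: bytes) -> bool:
    """Sanity check after un-XOR: a Windows executable starts with 'MZ'."""
    return data[:2] == b"MZ"


# --- constructed sample input (not from the real sample) ---
SAMPLE_STAGE = (
    "$t=@('www.','ttp','://','example','-one','.test','/','update','.bin',"
    "'dl','h','-two','-three','s','cdn.','files','payload','?id=','42',"
    "'.invalid','mirror');"
    "$u=@(@(10,1,2,0,3,4,5,6,7,8),@(10,1,13,2,14,3,11,19,6,15,6,16,8),"
    "@(10,1,2,20,12,5,6,9,17,18));"
    "$k=[byte[]](0x5a,0x13,0xc7);"
)
# The decimal layer as it would sit inside the macro, built from the fragment.
SAMPLE_DECIMAL = ",".join(str(b) for b in SAMPLE_STAGE.encode("latin-1"))
SAMPLE_KEY = bytes([0x5A, 0x13, 0xC7])
# Fake "download": a made-up executable header after the script's XOR step.
SAMPLE_BLOB = xor_bytes(b"MZ\x90\x00constructed, not a real PE", SAMPLE_KEY)


if __name__ == "__main__":
    script, urls = decode_stage(SAMPLE_DECIMAL)
    print("decoded stage:", script)
    for u in urls:
        print("hard-coded URL:", u)
    recovered = xor_bytes(SAMPLE_BLOB, SAMPLE_KEY)
    print("un-XORed blob is a PE:", looks_like_pe(recovered))
```

The three URLs recovered here are the ones the speaker would otherwise have counted out of the token list by hand; the XOR step is what turns the incomplete wget download into the EXE that is then run.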