Here are my quick notes from the BruCON 2015 conference. All the slides can be found here.
Malware is just code, so, like any other code, it can (in theory) be analyzed and reverse engineered manually.
Triage is one of the functions of the incident response program and must answer the following three questions about a specific input:
- is the input malicious?
- if yes, what is it exploiting?
- are we exposed?
Triage is not malware analysis and should be quick and efficient. The triage workflow:
- passive analysis.
  - some tools for passive analysis: VirusTotal, BlueCoat Web Pulse, PassiveTotal.org (crowdsourced intelligence about domains and/or URLs), the "classic" whois.
- first interaction and download.
  - some malware is crafted so that the initial URL can only be contacted a limited number of times.
  - some malware can profile your browser: check the browser version and platform, or use the user agent string to decide whether the exploit should be executed or not.
  - some tools: useragentstring.com (to check your user agent), onlinecurl.com (online version of curl: paste a URL and you get back the response), hurl.it (same as the previous one).
- web component analysis.
  - use jsBeautify.org to get something human readable in case the code is obfuscated.
- exploit analysis.
  - showmycode.com can help in understanding the exploit; it is capable of decompiling Java, Flash, .NET and PHP.
  - sometimes you can blindly search the Metasploit exploit template library.
- payload extraction.
  - use ideone.com to de-obfuscate the exploit.
- payload analysis.
  - submit the file(s) to VirusTotal or malwr (virtualized Cuckoo instances).
  - malwr can give you information about the registry keys created and the network traffic.
- build IOCs (Indicators of Compromise).
  - a collection of indicators which can be used to describe a compromised system.
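The last three steps (payload analysis, building IOCs, and the "are we exposed?" question from the triage checklist) can be tied together in a small script. The one below is an added example, not material from the workshop or from malwr/Cuckoo: it hashes a sample so it can be looked up on VirusTotal/malwr, turns a sandbox summary (registry keys written, DNS lookups, TCP connections, dropped files) into a deduplicated IOC list, and matches the network indicators against proxy log lines. The sample bytes, the sandbox report shape and its key names, the noise-host list and the log lines are all constructed for the demo.

```python
"""Added triage helper: hash a sample for reputation lookups, pull IOCs out of
a sandbox summary, and check them against local proxy logs (demo code)."""
import hashlib
import ipaddress
import json
from dataclasses import dataclass, asdict

# Constructed stand-in for a downloaded payload; not real malware.
SAMPLE_BYTES = b"MZ\x90\x00constructed-sample-for-triage-demo"

# Constructed sandbox summary. The key names are assumptions for this demo and
# only loosely follow what a Cuckoo/malwr report exposes.
SANDBOX_REPORT = {
    "registry_keys_written": [
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater",
    ],
    "network": {
        "dns": ["update.example-bad.test", "www.msftncsi.com"],
        "tcp": [
            {"dst": "198.51.100.23", "dport": 8080},
            {"dst": "127.0.0.1", "dport": 5357},
            {"dst": "192.0.2.77", "dport": 443},
        ],
    },
    "dropped_files": [
        {"path": r"C:\Users\victim\AppData\Roaming\updater.exe", "sha256": "0" * 64},
    ],
}

# Constructed proxy log lines, used to answer "are we exposed?".
PROXY_LOG = [
    "2015-10-07T10:01:02Z 10.0.0.15 GET http://update.example-bad.test/gate.php 200",
    "2015-10-07T10:01:05Z 10.0.0.22 GET http://www.msftncsi.com/ncsi.txt 200",
    "2015-10-07T10:02:11Z 10.0.0.15 CONNECT 203.0.113.9:443 200",
]

# Hosts seen in nearly every Windows sandbox run; they would only add noise (assumed list).
KNOWN_NOISE_HOSTS = {"www.msftncsi.com", "dns.msftncsi.com"}

# Python's ip.is_private also flags the RFC 5737 documentation ranges used in the
# constructed report, so local/internal address space is listed explicitly instead.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "127.0.0.0/8", "169.254.0.0/16")]


@dataclass(frozen=True)
class IOC:
    kind: str      # "registry", "domain", "ipv4" or "sha256"
    value: str
    context: str   # where the sandbox saw it


def hash_sample(data: bytes) -> dict:
    """Hashes to look up on VirusTotal/malwr before (or instead of) uploading."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256")}


def is_local(addr: str) -> bool:
    """True for loopback/RFC1918/link-local destinations, which are not useful IOCs."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in LOCAL_NETS)


def extract_iocs(report: dict) -> list:
    """Turn the interesting parts of the sandbox summary into deduplicated IOC records."""
    iocs = []
    for key in report.get("registry_keys_written", []):
        # Run keys are the classic persistence location; tag them so analysts notice.
        tag = "persistence" if "\\Run\\" in key else "registry-write"
        iocs.append(IOC("registry", key, tag))
    for name in report["network"]["dns"]:
        if name not in KNOWN_NOISE_HOSTS:
            iocs.append(IOC("domain", name, "dns-lookup"))
    for conn in report["network"]["tcp"]:
        if not is_local(conn["dst"]):
            iocs.append(IOC("ipv4", conn["dst"], "tcp/%d" % conn["dport"]))
    for dropped in report.get("dropped_files", []):
        iocs.append(IOC("sha256", dropped["sha256"], "dropped:" + dropped["path"]))
    seen, unique = set(), []          # drop duplicates, keep original order
    for ioc in iocs:
        if (ioc.kind, ioc.value) not in seen:
            seen.add((ioc.kind, ioc.value))
            unique.append(ioc)
    return unique


def check_exposure(iocs: list, log_lines: list) -> list:
    """Return (indicator, log line) pairs for network IOCs that appear in our own logs."""
    hits = []
    for ioc in iocs:
        if ioc.kind not in ("domain", "ipv4"):
            continue
        for line in log_lines:
            if ioc.value in line:
                hits.append((ioc.value, line))
    return hits


if __name__ == "__main__":
    iocs = extract_iocs(SANDBOX_REPORT)
    doc = {"sample": hash_sample(SAMPLE_BYTES), "indicators": [asdict(i) for i in iocs]}
    print(json.dumps(doc, indent=2))
    for value, line in check_exposure(iocs, PROXY_LOG):
        print("EXPOSED:", value, "<-", line)
```

Matching indicators with a plain substring test is deliberately crude: it is what a triage pass needs to decide quickly whether a hit warrants escalation, after which the IOC document can be handed to the SIEM or to the malware analysts for the deeper work that triage does not do.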
This was a workshop, so the participants had to play with some of the tools. Here is the quick workflow that I followed: