Practical workshop on malware analysis.
How to analyze malware? Let's create one first... and then analyze it!
- Download and import VBox VMs
- Run `scripts/enable-network.sh` to allow the bot VM to access the Internet
- Download Zeus Builder
- Configure the sample (`config.txt` & `webinject.txt`)
- Build the sample
- Upload `bot.exe` and `config.bin` to the C&C server (`/var/www/ccserver`)
- Infect the VM
- `file`, `strings`
- Disassemble `bot.exe`:
  - `objdump`
  - Binary Ninja
  - IDA
- Look for code injection techniques:
  - (Hint) `CreateRemoteThread`
  - (Hint) More on code injection: injectopi
- Install and set up Cuckoo
- Analyze `bot.exe`
- Inspect Cuckoo's report
- Dump the memory
- Inspect the memory dump
- Install and use Volatility
- Have a look at YARA
- Analyze network traffic
Automate the extraction of the WebInject targets given a sample.
- Develop a Cuckoo package:
  - Execute the sample
  - Open the browser
  - The interesting info is allocated in the browser's address space!
  - Dump the memory
  - Look for interesting stuff! ;-)
- Automate the extraction: a Volatility plugin?
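One way to start on the challenge above, as an added example that is not part of the workshop material: a standalone scanner that walks a raw memory dump of the browser process and pulls out the WebInject targets. It assumes the bot's decrypted config is present in plain text in the classic Zeus `webinject.txt` grammar (`set_url` / `data_before` / `data_inject` / `data_after` / `data_end`); the dump bytes and hostnames below are constructed.

```python
"""Extract Zeus-style WebInject targets from a raw process memory dump."""
import re
from typing import Dict, List

# Assumed grammar: "set_url <url-mask> <flags>" followed by data_* sections,
# each terminated by "data_end". Matching on bytes so the dump need not be text.
SET_URL_RE = re.compile(rb"set_url[ \t]+(\S+)[ \t]*([A-Za-z]*)")
BLOCK_RE = re.compile(rb"data_(before|inject|after)\r?\n(.*?)\r?\ndata_end", re.DOTALL)


def extract_webinjects(dump: bytes) -> List[Dict[str, object]]:
    """Return one record per set_url entry: url mask, flags and its data_* bodies.

    Each entry's sections are taken from the bytes between its set_url line and
    the next set_url (or end of dump), so entries only need to be contiguous.
    """
    results = []
    hits = list(SET_URL_RE.finditer(dump))
    for i, m in enumerate(hits):
        start = m.end()
        end = hits[i + 1].start() if i + 1 < len(hits) else len(dump)
        sections = {kind.decode(): body.decode("latin-1")
                    for kind, body in BLOCK_RE.findall(dump[start:end])}
        results.append({"url": m.group(1).decode("latin-1"),
                        "flags": m.group(2).decode("latin-1"),
                        "sections": sections})
    return results


def target_hosts(entries: List[Dict[str, object]]) -> List[str]:
    """Sorted unique host parts of the url masks (wildcards kept as written)."""
    hosts = set()
    for e in entries:
        url = str(e["url"])
        rest = url.split("://", 1)[1] if "://" in url else url
        hosts.add(rest.split("/", 1)[0])
    return sorted(hosts)


# Constructed sample dump: unrelated bytes around two decrypted inject entries;
# the injected content is replaced by a harmless placeholder comment.
SAMPLE_DUMP = (
    b"\x00\x00MZ\x90\x00junk-bytes\x00\x00"
    b"set_url https://online.example-bank.test/login* GP\r\n"
    b"data_before\r\n<body>\r\ndata_end\r\n"
    b"data_inject\r\n<!-- placeholder -->\r\ndata_end\r\n"
    b"data_after\r\n\r\ndata_end\r\n\x00\x00"
    b"set_url http://*.example-shop.test/checkout* L\r\n"
    b"data_before\r\n<form\r\ndata_end\r\n"
    b"data_inject\r\n\r\ndata_end\r\ndata_after\r\n\r\ndata_end\r\n\x00trailing"
)

if __name__ == "__main__":
    for entry in extract_webinjects(SAMPLE_DUMP):
        print(entry["flags"], entry["url"])
    print(target_hosts(extract_webinjects(SAMPLE_DUMP)))
```

To run it on a real Cuckoo memory dump, replace `SAMPLE_DUMP` with `open(path, "rb").read()`; the same matching logic is what a Volatility plugin would apply to each process's address space.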