
All right. Good morning, guys. Welcome to day two of BSides Charm. Hope everyone's having a great time so far. This was my first BSides and I really enjoyed it. Excited to go through this talk and keep enjoying all the other talks and events happening today. Very quick show of hands. My talk is on malware analysis and I want to take three polls. Beginners: you haven't really looked into this field too much, you don't know too much about the tradecraft. Intermediate: you've dabbled, you've played, you're aware, but you wouldn't maybe call yourself seasoned. And then maybe some people who do this for a living. Don't be humble,
seasoned vets, admit it. So beginners, hands up. Okay. Intermediate, hands up. Okay. Expert, elite mode, hands up. Oh yeah. Okay. So my talk is primarily aimed at beginners. So any seasoned experts, if you leave the room now, I won't be disappointed. But hopefully you can relate to my experience. I'm still very much a beginner, not trying to come off as someone I'm not. A little bit about me. My name is Caitlyn. I am an Auburn University grad, and no, I do not want to talk about the Final Four against Florida recently. I have three years of job experience performing system vulnerability analysis. And I boot Windows 10. I'll say
it. So again, I wouldn't call this zero to hero, but zero to getting comfortable, building some confidence in yourself, and learning a lot of cool tradecraft on the way. One really awesome thing about this field is that there was way too much tradecraft to show off in a 50-minute presentation. The whole community is incredible. Ultimately, this is what I would tell myself one year ago. My story is, as I say in the little pamphlet, that being a cyber security analyst day-to-day, you're constantly thrown into new fields where you don't have much experience. In my case, I was analyzing a system where I uncovered a malicious
sample that was trying to pass itself off as a native binary, trying to pretend to be something it was not. And so the team, we wanted to take a look at this. And to be honest, I just didn't really know how to plug in at all. And I didn't like that. I wanted to help out. Pretty much all I knew at that point was maybe to run strings. And I'd heard Ghidra is a thing, but I'd never used it. That was me at that point. But hey, before we get started, I want to take a quick ad break. Can I interest anyone in a free 12-month
Spotify subscription? It's actually really easy. It's two steps. I'm going to need everybody to press Windows key and R. That's going to open up a Run prompt where all you've got to do is copy-paste that... microphone. Sorry. Copy-paste that very simple command and it's going to download that cracked software from my very secure server. Don't worry about it. Just go ahead. So that's to say I like to think we are past scareware. Pretty much everyone, even those who maybe aren't security conscious, knows of these emails that say, "I caught you browsing a not-safe-for-work website, and I'm going to tell everybody if you don't pay me
$2,000 of Bitcoin." Specifically, the most interesting thing about this blurb is it says, "Your system started out operating as an RDP control." FYI, this email was received on a MacBook Air by one of my family members. So it was like, I'm so glad you managed to install your RDP control on this MacBook. That's amazing. Tell me your secrets. But hey, delivery mechanisms adapt. I think in this room we're all pretty security conscious people, but we have to be aware that often a lot of end users might not be. Free software sounds interesting. This was a legitimate TikTok page that was up about two to three months ago, offering all sorts
of cracked software. The most popular video on this TikTok account had 300,000 views. And I actually found out about this because I was creeping on the subreddit r/Malware, as I do sometimes, and I discovered there were so many posts asking for uninstallation help for the Lumma payload that this delivered that the r/Malware moderators literally had to say, "Guys, this is not what this subreddit is for. We can't help you here." And speaking to my little joke earlier about the Spotify, people may not recognize these aliases: Invoke-WebRequest, which intends to pull down this malicious code, and Invoke-Expression, which intends to run
it. There's also mshta.exe and Base64-encoded PowerShell. There are a lot of different ways to go about this, but it's kind of the same idea you're seeing. Same with these YouTube videos, which are a dime a dozen. They come out all the time. Free software. You look in the description, it takes you to the link, and you're probably downloading a Trojan if it even works at all. Sometimes it's just "installation failed, sorry." And I think this one might be the most clever, because again, thinking about maybe not-as-security-conscious people, there are some very interesting CAPTCHAs out there today. They keep getting more and more advanced, even
for me. So maybe if I saw this, I don't think it would be unreasonable, if I didn't know all the things that I do know, to think, okay, it's going to have me open this prompt and send some input to prove I'm a real person. I see it; I don't think I would fall for this, but I think this one is probably the most clever out of these examples. This is not an exhaustive list, but here are some deliverables that you could find malware in. Of course, there's .exe, DLL, and some scripts, but it's important to point out even embedded Microsoft productivity
suite things. You can have executables embedded and you get tricked into clicking them. Another kind of general end-user problem. You're going to see this slide a lot. It's just the tip of the iceberg, right? Because I don't want to pin it to one list. That's not the purpose. It's just giving some examples of what to look for. So pivoting on, a quick shower thought: what is malware to us? It's just a tool or a capability for someone else, right? I think this is why the fields of reverse engineering and malware analysis are so closely intertwined, because at the
end of the day you are just analyzing a software application, and it acts just like any other application. It does what it's told, mostly, maybe. It can be analyzed, it can be executed, it can be decompiled, disassembled, debugged. So in that sense, it's good to just remember that at the end of the day, agnostically, it's just software. And I think intentions are what make it good or bad. So I'm going to be talking about a stealware sample later on in this talk. So to define some basic ideas of these goals, the ultimate goal is to trick a user into downloading and executing a payload. And that
payload aims to survey the host. Think of all the goodies there, like credentials, cached browser info, even crypto wallet information. Those would be some of the big ones, I think. And ultimately, this data has got to leave the box. So the idea is to exfiltrate it back to a command and control server. Then additionally, it could also put down additional tooling. Maybe it was a stager or a loader and it's going to bring down something a little more heavy duty, or do things like establish persistence. It really depends on the sample, which is why we have to analyze them all, because one big thing
I've learned is that a sample of a specific strain of malware isn't just the end-all be-all. These things are creatively rewritten and rewritten and rewritten with the same underlying premise but seen in so many different ways. There are so many different samples of RedLine Stealer, which we will look at a little bit later. There's even this idea of malware as a service. Just because most of these stealware families are believed to have Russian origins, you can't necessarily assume that it's just these developers, close-knit, that are using them. You've heard of software as a service, infrastructure as a service. Now you've got malware as a service, where for
roughly $150 to $300 a month, you can utilize a capability that's already written, maybe even infrastructure. So yeah, some popular stealware families offered as malware as a service: RedLine, BR, and Lumma. And today we'll look at RedLine. A few more definitions. There are a few ways to go about malware analysis. First and foremost, before you run anything, static analysis. And in this presentation, that's going to comprise mainly looking at the PE (portable executable) headers for interesting metadata. Even if you've never heard of a PE header, just think of it in the context of something common like IPv4. Without even seeing the data itself, you can take so much away from an IP
header that tells you a lot about the traffic that you're looking at. There's dynamic analysis, or sandboxing. This involves actually executing the code and trying to measure the changes you see on the system. And then code analysis, which I think can be static or dynamic. There's disassembling, decompiling, and debugging. Disassembling and decompiling involve restoring the program to something that's readable and easier to analyze. Whereas debugging, just like it would regularly in programming when you're testing something you wrote, involves stepping through line by line to really lay out the logic of the program. And this can be very, very helpful, because you can track
the memory of the program and see what's happening behind the scenes. So, a quick fundamental thing: if you're looking to set up a lab, here's roughly how I went about it. First I defined a lab VLAN with my systems where I was doing my sketchy things, because I did not want that on my personal network, IoT network, or guest network. So it's totally segregated. And then of course installing VMware Workstation Pro, or Fusion for Macs, on your device. I think this is actually free and open to everyone now for the past one or two years, which is really great, because at some point you had to have
a license, and for that reason VirtualBox could have been an easier entry point, but I personally prefer VMware to VirtualBox, just the layout. You can install OS distros designed for malware analysis like REMnux, or FLARE VM for Windows, and then set network settings to host-only when performing analysis. This aims to contain it to this specific machine in case you happen to have something super advanced that maybe is a worm and can try to spread across your network. And then of course, a big lesson learned along the way: take snapshots, because you will break your system at some point. Here's just a quick screenshot of me changing my settings to host-only.
And you can also see that I gave my RAM 8 gigs. I started at four and latency was really, really bad, and that helped. I think I also upped the processors as well. And the reason why I say that: be mindful of system resources. Before I used my credit card points to buy my PC, I was trying to do all of this on a Lenovo laptop, i3 chip, 8 gigs of RAM, doing some pretty heavy-duty virtualization, Windows forensics type stuff, and all of a sudden the laptop just shuts off, dies, and it won't turn back on. So I unscrew it, and it's burnt to a crisp. Yeah. But I am very happy to
announce that about 2 days later, I don't know, computer magic, it just randomly turned back on after I had it charged up, and the laptop is here today. Going to get a round of applause. I took the laptop to BSides. Now I use this for paying my bills, watching YouTube, and making PowerPoints. And I'm going to keep it at its limits so I don't have to buy a new laptop. So of course, if you don't exactly have the resources to use this virtualization software and do all this heavy-duty stuff, there are browser sandboxes. So yeah, a good option for someone wanting to do dynamic analysis with little compute
resources. I like Joe Sandbox in particular. I've even used it at times where I got stuck, because it will give you a full report of the sample. It's pretty insane. But basically you would either upload a sample or you would pick a sample already uploaded, and I guess it just runs server-side and displays all these lovely results to you. Also had to shout out VirusTotal. Pretty sure most people may be familiar with that one, but if not, it's also good to just verify if a file may be malicious or not, as it brings in multiple vendors and sees what their thoughts on the sample
are. SANS Institute said it best: to find evil, you do have to know normal. I remember the first time I looked at a process list and I was just like, what is going on? I even remember, five or six years ago, funny story, the first time I looked at the output of netstat in college, I saw all of these public IPs and I was like, what is going on here? And then I realized I have four Chrome tabs open and I'm actually just reaching the internet. So that's fun. I've come a long way since then, but it's good to look back. So again, not an exhaustive
list, but these are some normal Windows processes. I'm not going to say these can't be malicious, but if I was having a first glance and had no reason to suspect anything, at first glance they would not stand out to me. There are so many more. By the way, I know SANS courses are very expensive, but I do want to shout out that they do have some pretty good free resources, and also the author of their reverse engineering course has a personal website, zeltser.com. And then just for general threat intel about some of these malware families that are popular today, I listen to the threat intel podcast. Highly recommend. So, some other things that you could
review and assess: is this normal? Do I find something strange? These are other artifacts that you'll naturally see on a Windows system: processes, services, network connections, of course the Windows registry, timestamps, scheduled tasks. I really just wanted to put all of these here to give a holistic picture, even though I don't have time to talk about all of them, and they're definitely not exhaustive. Boom. Iceberg. So, another really fundamental question that I wanted to include is, where do you even get malware? There are a few Git repos that have a lot of samples that you could get started with, but I really like Malware
Bazaar. I like it because right now at least you don't have to register. New samples are added constantly, daily. And you can even filter on what you're looking for. Another option is straight from the source, but I have learned that just as malicious domains delivering these payloads are spun up, you've probably got anywhere from 1 to 4 weeks before they're taken down. And then you can't actually just play victim and go get that malware anymore. But that's where I just go back to YouTube and find recent videos about cracked software. So now that we've got some fundamentals out of the way, moving
on to analyzing a sample of RedLine Stealer, again, a family of stealware that aims to survey your device, find the interesting information, and then ship it off to, I guess, either sell it or use it. So, our base sample I got from Malware Bazaar. It's called BDCAM.exe. I soon learned from the PE header that I think this is trying to imitate something called Bandicam, which I looked up, and apparently this is Windows screen recording software. And we're going to use a couple of tools for static analysis here: Detect It Easy, CFF Explorer, PE Studio. They really show a lot of the same things, but I like checking in all of them just because of the
different layouts. So, what I'm immediately seeing that catches my eye here: I'm seeing that this is a .NET binary, which I'll get into in a minute. That's going to tell me a lot. I'm also seeing something called Eazfuscator. I have some guilty knowledge knowing that this is an obfuscation algorithm. So right now I'm looking at this and I'm knowing, okay, .NET payload, likely obfuscated. We don't have a version, but at least we have a guess at an algorithm or a tool. What obfuscation is: a lot of times when malware developers write their tool, they're not writing it with a lot of confusing variable names and methods,
but they want it to be confusing to throw people off. So you can literally take that code and put it into an obfuscator, which will muddle it up. As far as .NET, some fundamental things you should know. .NET is a fast, cross-platform development ecosystem. .NET binaries are easier to restore, because at this point, when you've got C# code that compiles into something called intermediate language, or .NET bytecode, it's a little bit more high level than native machine code. It retains a lot of file metadata and file headers, and it is easier to put it back together and have it represent accurate C# code, versus if you've got
actual... versus if you were to move forward and compile it with the .NET JIT, or just-in-time compiler, then at runtime that .NET bytecode would be converted to machine code. But when I see this .NET sample I know we're dealing with .NET bytecode that can be decompiled as opposed to disassembled, which is mainly good. I think this is easier when you're first getting started, because it's much easier to look at decompiled C# code as opposed to x86 assembly. Another cool thing from Detect It Easy: we see an entropy graph, which I think is really cool. When you see something that's at level
eight and very flat, that is too random. Programs should be random to some extent, but there will also be a lot of code that is reused. It should not be that random. So I see that and I know it's packed. And what packing is, it intends to encapsulate the raw payload within other fluff payloads meant to throw you off, is I guess how I would define it simply. And then yes, here's where I'm seeing that this is apparently Bandicam software. And again, just showing you another view; all these tools pretty much analyze PE headers. Same deal here. So, some terminology. Some of this
I've touched on, some of it I haven't. The idea of staging is, once again, the idea that the payload you receive may not be the final payload. It could stage, it could bring down more. It could even unpack or be hidden within other executables or DLLs. There's also dumping. You don't have to unpack manually with a debugger. You could also run the sample and collect memory dumps and get the unpacked program that way. I've touched on obfuscation. Deobfuscation is of course applying the reverse of the obfuscation algorithm and then getting some much cleaner, easier-to-read code. There's reflective loading, and that's where you load a DLL into memory
directly, bypassing the Windows DLL loader that most DLLs are loaded by, where it'll track different metrics and record those. Whereas if you use reflective loading, it might bypass some of those security checks, things like that. Process injection: injecting malicious code into the address space of a process. And then of course anti-analysis, and this can be malware detecting when it's in a VM or detecting when you are using a debugger. And then here's some tradecraft for that code analysis. I put that Venn diagram because sometimes multiple tools can do
multiple functions. Ghidra is a disassembler; it will also attempt to represent the code in a decompiled format, although it's really doing the best that it can with assembly, right? There are many, many ways to programmatically represent assembly instructions. Then we've got dnSpy and ILSpy for the .NET payloads, and then there are some debuggers on the right. Today we're actually going to be using dnSpy. So I apologize in advance to people in the back if these look super grainy blown up, but I'll explain to you roughly what's going on here. So the first thing we want to do is find the entry
point of the program, which here is the main method. And before I even started debugging it, I just manually followed some of the logic of the program. And these were some interesting findings that I had. You can see the example of the obfuscated code. I'm seeing Assembly.Load, and here it's not the same as x86 assembly. What an assembly means in .NET is some precompiled chunk of code that is pretty much ready to run. It can be another executable or a DLL. And then at the bottom I'm seeing some sort of decryption method, and it's passed a couple of
parameters, and one of those is a string key. I ended up finding that hard-coded key in the program, which is not pictured here. This is when I set my breakpoints and I begin debugging. And pretty much immediately I unpack a high-tech distribution DLL which is running in the memory of the program, and then I find that program's entry point, main. And here I see that main is going to call three functions. The first ended up actually being empty, so it went on to the second. And I saw code that looks like this. And what I want to say is, you do not have to be the greatest programmer to
know that something weird is happening here. You don't have to have a lot of experience to step through a debugger, see where the program goes, and see something like this and be like, I don't like that. Something weird is happening here. So, what stood out to me was I saw SpecialFolder.Startup, and I'm thinking of the Startup folder that contains applications that run when you boot your computer. I see plus .exe. I don't like that either. I also see some Japanese and Chinese characters at the bottom, and I didn't end up translating those. I kind of wish I had, because I'm curious what that's about. And here I'm seeing too that there's
a string returned called AnyDesk.exe. And because this is a string, it's important to know this isn't actually AnyDesk.exe, but there's a string of it for some reason. And then as you keep clicking through, things just begin to make sense. We see AnyDesk.exe placed in the Startup folder. And then I'm seeing things like Copy-Item, -ExecutionPolicy Bypass, -Command. And I'm like, okay, got some PowerShell cmdlets here. I think I see what's happening. Maybe a PowerShell process placing the executable in the Startup folder to establish a means of persistence. Moving along, touching some of the high points of my debugging, we also see that 2.7.dll is loaded into memory. Just a
quick clarification for anyone who doesn't know the difference between an .exe and a DLL: an .exe has its own address space, whereas a DLL needs a host, right? It's used within the context of that address space. A process is created, but a DLL is loaded, and a DLL cannot stand alone. So here we see reflective loading. These two DLLs, the high-tech one and 2.7, are running in memory, and you can see that with that column that dnSpy conveniently shows you. And when I see something like that, it's definitely another kind of informational flag for me. So I put this in here because I'm
beginning to see a lot of Windows API calls in context: LoadLibraryA, GetProcAddress, CreateProcessA. And again, while I don't necessarily understand every piece of code I see, I'm once again gathering more artifacts that are beginning to make it make sense. Here are some potentially suspect Windows API calls. They have to be taken in context, right? Because a lot of applications use these. But if you see these in a context where it really doesn't make sense, then maybe the program is doing something that it really shouldn't be. Maybe that would imply that it could be a Trojan or something
nefarious. Of course, at face value, don't think, oh my god, CreateFile, malware! But you may see these Windows API calls in some Windows samples. Iceberg. I mainly put this here so no one thinks that I was like, here is the exact list of processes, API calls, everything you need to track. So, grain of salt. And then I put this slide because ultimately an assembly is being injected into a legitimate process, InstallUtil.exe. This is a legitimate .NET-related binary. And here this is an example of process injection, where code is going to be inserted into
InstallUtil.exe's address space and run under that ruse of InstallUtil.exe. What really keyed me on to it was I saw a byte array. There were two parameters in a function: this file path and this byte array. And I've seen this before, and when I saw the byte array I immediately was suspect. So I loaded it into dnSpy separately, and dnSpy told me that this is a .NET binary, or assembly, called happy.exe. So finally, introducing happy.exe, the unpacked, not obfuscated, raw payload. And I don't even have to debug anymore, right? As I'm looking in this environment, I'm already seeing, all right, wallet
rules, Chrome, file copier, some VPN-type classes. So I'm like, all right, we made it. And I also found the config. In this case, there's a hard-coded IP and port combo. And just to give that extra sense of reassurance if you don't believe me, here is the entropy, with a perfectly reasonable amount of randomness. And here are some strings. Previously, if you had tried to look at the strings using Detect It Easy, it just would have been obfuscated, encrypted, disgusting mush. But now it's get installed browsers, get processors, get scan wallets. And when I threw it into CFF Explorer, again going back to those static analysis methods for a
moment, I saw that the original file name was implosions.exe. So I added this as a finding. Today Ghidra was not the right tool for the job, or IDA, because with the .NET payload I didn't have to disassemble, and Ghidra isn't the best tool to handle .NET code. That would be dnSpy or ILSpy. But I do use Ghidra quite frequently, so I kind of just wanted to shout it out. I couldn't not put it in here. So to summarize, we debugged one .exe on disk and two DLLs running in memory before extracting the actual RedLine Stealer payload injected into Install
Util.exe. Once again, I'm not the greatest programmer. I was a computer science major and I went through a lot of programming classes, but alongside a lot of my friends who are cyber security majors, something I often hear across students and junior professionals is, "Love cyber security, network analysis, but programming? Nah, I don't touch it. Not interested, not me." And that was me; that was definitely me. But I think I'd recommend learning the skill, and doing so by finding something that makes you passionate or interested in looking at code. In college, I didn't really care about
writing some assembly program that's going to spit out an array in reverse order, but I would have loved disassembling malware. And I've learned a lot about .NET even through this sample. So find something that interests you, whether it's malware analysis, network programming, what have you. And something helpful too if you want to try to understand assembly, even though it wasn't touched on in this presentation: there are Python-to-x86-assembly converters, and it's cool to see how the code translates to those instructions. So, I saved dynamic analysis for last because I just wanted to say, if you're not exactly comfortable with decompiling
or debugging, we're going to find a lot of the same findings just by running the malware. I don't think it quite has the same context, but we do find a lot of the same findings. So, I took a screenshot here because I felt like a crazy person. Before double-clicking on the executable, I had up my Process Hacker window, Wireshark, Process Monitor, and Regshot, just so I could be ready to capture all of these changes in real time without a lot of system noise. So this is Process Hacker. I immediately saw that InstallUtil.exe, which we saw earlier, was spawned, and below it I see conhost.exe, which might tell me
maybe there's some PowerShell running in the background. It makes sense with our findings, right? And interestingly too, I see happy as an assembly listed under InstallUtil.exe. And I think if I hadn't done the code analysis, I wouldn't exactly know that much about happy. But I think it would have been weird enough that I would have been like, all of these are called SMDiagnostics, System this, System that, and then there's just happy. This makes me unhappy. Then we've got Process Monitor, where I watched the execution of bdcam.exe spin off InstallUtil.exe as well as conhost.exe. And there was too much to show here, but I just wanted to
show a layout of the tools so you maybe get an idea. And then of course, Regshot. I wish today I could have delved deeper into the Windows registry, but just to start with some basics, some really cool things that Regshot showed me might be files added, and again, it's very telling: BDCAM.exe.log, PowerShell log. We've got the startup profile data. Wireshark was me. And yeah, startup, AnyDesk.exe. And then the prefetch files, since I executed all of these programs; they created prefetch files since it was my first time on this VM. You're not meant to be able to read this because it's really tiny, but I
just wanted to show you guys a really cool thing about Process Monitor and these results that you see here. This can be exported into a CSV and given to ProcDOT, which will lay out this interactive graph that can maybe help you understand a little bit about process trees and what's happening. So, not very helpful here, but I just wanted to show how potentially complicated but also really lovely this can be. And then of course, we don't have to look at the code to find the persistence. When I saw that there were some files created, I went and checked those out. So, I went to the
startup folder. Any desk exe, you know, some uh lessons learned along the way. Um, I bet you guys thought you were going to go a whole day without seeing this diagram, the pyramid of pain. Sorry, I bursted bursted the bubble the first talk. Um, but I really wanted to talk about this not so much from an attacker changing these values, but also maybe like a defender detecting these values. Right? Earlier I mentioned um when you've got a malicious domain, I give it like anywhere from days to weeks, maybe months, but typically days to weeks until it's taken down. um you know it's simple to detect and flag and remove a malicious domain relatively right um even easier with
hash values of files. Like I said, these samples are rewritten, recompiled constantly, so you can't just keep up with a few, you know. Uh, I think even up to, like, the tool level, it may be challenging, it may take some time, but, like, you know, we develop signatures to detect tools, um, promote methods for end users to maybe protect themselves, stuff like that. So, you can even think of the Pyramid of Pain in a different view, I guess, is what I'm trying to say. Um, you know, I think this one really speaks for itself with the Matryoshka dolls. Like, if you've paid attention to the last 20 minutes of the
talk, you know that we had to go through, I guess, so many hoops to actually get to this, like, raw RedLine Stealer. Um, in a way I was expecting it, but I don't think I was expecting so many iterations of doing that. And then, uh, you know, yeah, I want to admit, you know, RedLine Stealer wasn't the first sample that I looked at when I was planning this presentation. Um, I looked at the Lumma payload. I think I mentioned that earlier, but I ended up coming across some troubles because, um, it was able to detect that I was using a VM. And I'm thinking to myself, how do I, you know,
trick it that I'm not? Like, I have related processes, like drivers, like registry keys. Like, do I have to change all of those things? Um, and so it's something I want to work on and something I want to tackle in the future, but like I said, pretty beginner. Um, would love some tips and tricks from anyone later, if anyone has any ideas later on. And then I think another thing that was really interesting about the sample: not only was it trying to evade code analysis, but one thing to note about browser sandboxes, um, even like, they all have a limit, right? You can't just upload, like, some huge file. I think the largest
limit I've found was 800 megs. The first sample I was looking at was conveniently 860 or so, so I couldn't even upload it to, like, a browser sandbox. Um, and I kind of moved on from there. I still have this sample saved. I think I want to give it another try. But I think for this 50-minute presentation, I was kind of thinking, you know, all right, um, you know, maybe something a little simpler, but hopefully it was still, uh, interesting with the deobfuscation and the unpacking, everything like that. So at this point, um, I think we might have a little time for, uh, questions, comments, suggestions. Oh yeah, I don't know if
there's a microphone or something. Okay.

I will say my first question, before going into it... I really love the presentation. Um, but you mentioned, uh, Eazfuscator obfuscation. Uh, I was wondering, any other examples of common, when doing your analysis, common, uh, other obfuscation methods? Uh, particularly because I've been, like, enjoying looking at some of the compilers and different things that people create for C# and other languages for obfuscating code. And then, uh, my next question would be, what are some other forms of, like, persistence? Because I only know... most of the stuff I look at is pertaining to Linux systems. So mostly I'm going to, like,
cron jobs for how people set up persistence. Uh, what are some commonly used things within, uh, Windows systems?

Okay, setting up persistence. So I'm going to start with your question about, okay, you saw Eazfuscator, but what about other obfuscation algorithms? You know, while I don't have a big list of them in my head, another awesome piece of tradecraft that I did not get to, uh, talk about in this presentation, um, there is, I believe it's called, uh, de4dot. Um, double check, I believe that's it. But essentially, um, it will try to intelligently guess for you. Like, it kind of analyzes the obfuscated code looking for, like, patterns, trying to recognize, uh, algorithms, and it will attempt to tell
you. If it's... I have found that if it's a more simple program, um, or a simple obfuscator, it's pretty good. I have had times where it was unknown, and I think at that point, unfortunately, you just kind of have to step through step by step, but I would recommend giving that tool a shot. Yeah, I'll follow up with you after. I'm going to double check, because I have a lot of tradecraft names in my head, but I know that there is a tool where it will intelligently try to analyze and tell you that information. As for your second question, you know, other persistence mechanisms you might see on a Windows device, you know, really the
first one that comes to mind for me is going to be, if you've ever heard of the, uh, Run key in the Windows registry. Um, I'd say that almost seems similar to, like, Startup, right? Because if there is a value, um, assigned to the Run key, it's literally going to be like, okay, yes, when the system boots up, the things in the Run key, or even the RunOnce key, you know, will also be kicked off. Um, there's also, you know, the Windows equivalent to a cron job, I suppose, a scheduled task. Um, we've got malicious services. Um, of course there's always, like, code injection into processes, or even just, like, if you have
like malicious DLLs. Like again, the thing about DLLs, like I said earlier, they're modular and they're used across a number of executables. So those could be, uh, you know, commonly used. Um, so those are some that come to mind. I'm also happy to brainstorm some more of those with you later.

Thank you. Your example early on, when you first put it through the, uh, static analyzers, I happened to note that it said that that was a 32-bit binary. That strikes me as awfully strange these days. It's been 15 years since the processor companies have been making 32-bit processors. Um, is that common in your experience among malware?

Um, I would say that I still see a lot of old
and new samples kind of scattered across the threat landscape. I even think with, like, malware as a service, there's maybe a lot of times where people don't exactly know what they're getting. But really great point. I think, uh, of course, like, x64 is another consideration. Um, what is really helpful is a lot of these tools have kind of the same tool but in both versions. Um, so it can, you know... like, I think that's the case with, uh, one of the debuggers that I shouted out somewhere in here. Ah, yes, x32dbg versus x64dbg. I see dnSpy had the same thing. There was the 32- and 64-bit
version.

In the back, or, sorry, I guess that was not very efficient, but it's all good. Path first.

I'm glad you stopped on this slide, because props for showing off so many tools. Um, I noticed that the static analysis frameworks column is still insanely low despite it being, like, a decade since I last looked at it. Um, this is not a sales pitch, but do you have any particular thoughts on, like, Binary Ninja Cloud, since it's also a free option next to, like, Ghidra and IDA Free, right?

You know, I've heard of it, but I've never used it, and I would love to hear more about it.

Cool. Okay, cool. Well, I guess another one in the back, and then I know we had
one up front, and I think that'll take us close to time, but we'll see.

Uh, the first comment is, you had asked about what you could use to help confirm, uh, whether or not your VM is detected. There's a tool called Pafish. I would research that.

Okay.

Uh, secondarily, I noticed in your screenshots that the AnyDesk used a double extension that would typically be picked up by AV. Did you happen to also analyze that AnyDesk sample to see if it had been customized?

Yeah, that's an interesting point, and that was kind of an informational flag as I was analyzing it. I didn't have time to do everything that I wanted, but
that also stood out to me as, uh, very strange, and it's definitely something I want to follow up on. I agree. Sorry about that. And then, um, yeah, I think we had one up front.

Thank you. Thank you for the presentation. It's just a comment. So regarding the 32-bit architecture, many 32-bit programs can also run on 64-bit architecture. This is why malware uses 32-bit. And regarding the size, the size of your file which cannot be loaded in a browser sandbox, you can use pecheck to remove the overlay, and yeah.

Yeah, those are really great additions. I'm really glad you mentioned those. Uh, um, tracking the first, but the second one
escaped me. But yeah, thank you very much for those suggestions, and I'm glad everyone was able to hear that. Um, we may have time for one more, maybe. Cool. In the back.

Thank you. Uh, since I was living almost on the front line of the battlefield, and I have, like, I've seen a lot of, uh, malware from, obviously, the Chinese military, and, uh, it's very disgusting, and it's kind of beyond my ability to analyze it. And I was curious, like, how would you deal with such a situation, if you met something that you can't, uh, analyze in a very quick
way, like, um, you know, if I have time constraints?

Like I mentioned earlier, some of these, uh, browser sandboxes, like, I'm going to be real, you know, still, the reports on those websites probably compiled much, much more findings than I listed here when I was trying to go through this sample. Um, if you just need a quick read on a sample and you don't have the time to dedicate to it, like, you know, I can't recommend them enough. Um, I like, uh, Joe Sandbox. Sorry, sometimes names escape me. Yeah, Joe Sandbox. I like it just because, again, I don't have to register, and, uh, a lot of samples. It just lets you do a lot of
things kind of off the cuff, but also it's incredibly detailed. Um, and you know, often too, I compare my findings to it in the end, because I kind of want to know how I did, like, what are some things that I missed, stuff like that. So again, hopefully that was helpful for some people, or, you know, even if you didn't learn anything new, maybe you can relate to, uh, some of these struggles. Um, thank you guys again for coming, and yeah. [Applause] [Music]
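As an added illustration, not code from the talk or from ProcDOT, Procmon or any other tool the speaker names, the Python script below does a small text version of the Procmon-to-ProcDOT step described in the talk: it reads a Procmon CSV export, rebuilds the parent/child process tree from the "Process Create" rows, and then flags the two persistence spots raised in the Q&A, a file written into the Startup folder and a value set under the Run or RunOnce key, printing the full process lineage behind each hit so a defender can see which chain planted it. The CSV rows are constructed for this example (PIDs, paths, file and value names are invented); the column layout assumes Procmon's default CSV export, and the child PID is assumed to appear in the Detail column as "PID: <n>, Command line: ...", which is how Procmon records a process creation.

```python
"""Rebuild a process tree and list persistence hits from a Procmon CSV export.

Added example, not code from the talk or from ProcDOT/Procmon. Assumes Procmon's
default CSV columns and that "Process Create" rows carry "PID: <n>" in Detail.
"""
import csv
import io
import re
from collections import defaultdict

# Constructed sample rows in Procmon's CSV layout; PIDs, paths and names are invented.
SAMPLE_CSV = '''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.100","explorer.exe","1200","Process Create","C:\\Users\\lab\\Desktop\\bdcam.exe","SUCCESS","PID: 3100, Command line: ""C:\\Users\\lab\\Desktop\\bdcam.exe"""
"10:01:02.900","bdcam.exe","3100","Process Create","C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe","SUCCESS","PID: 3244, Command line: InstallUtil.exe C:\\Users\\lab\\AppData\\Local\\Temp\\happy.dll"
"10:01:03.000","InstallUtil.exe","3244","Process Create","C:\\Windows\\System32\\conhost.exe","SUCCESS","PID: 3260, Command line: \\??\\C:\\Windows\\system32\\conhost.exe 0x4"
"10:01:03.500","InstallUtil.exe","3244","CreateFile","C:\\Users\\lab\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\AnyDesk.exe","SUCCESS","Desired Access: Generic Write"
"10:01:03.600","InstallUtil.exe","3244","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater","SUCCESS","Type: REG_SZ, Data: C:\\Users\\lab\\AppData\\Roaming\\svc.exe"
"10:01:04.000","InstallUtil.exe","3244","Process Create","C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","SUCCESS","PID: 3300, Command line: powershell.exe"
'''

CHILD_PID_RE = re.compile(r"PID:\s*(\d+)")
# Persistence locations the Q&A mentions: the Startup folder and the Run/RunOnce keys.
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
RUNKEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)


def parse_events(text):
    """Parse the CSV text into a list of row dicts keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))


def build_process_tree(events):
    """Return (children, parents, names) built from the Process Create rows."""
    children = defaultdict(list)
    parents = {}
    names = {}
    for ev in events:
        if ev["Operation"] != "Process Create":
            continue
        match = CHILD_PID_RE.search(ev["Detail"])
        if not match:
            continue
        parent, child = int(ev["PID"]), int(match.group(1))
        names.setdefault(parent, ev["Process Name"])
        names[child] = ev["Path"].rsplit("\\", 1)[-1]  # image name of the new process
        children[parent].append(child)
        parents[child] = parent
    return children, parents, names


def roots(children):
    """PIDs that create children but were never seen being created themselves."""
    spawned = {c for kids in children.values() for c in kids}
    return [p for p in children if p not in spawned]


def render_tree(children, names, pid, depth=0):
    """Indented text tree, one line per process: ProcDOT's graph in text form."""
    lines = ["  " * depth + f"{names.get(pid, '?')} ({pid})"]
    for child in children.get(pid, []):
        lines.extend(render_tree(children, names, child, depth + 1))
    return lines


def ancestry(parents, pid):
    """Chain of PIDs from the outermost known ancestor down to pid."""
    chain = [pid]
    while chain[-1] in parents:
        chain.append(parents[chain[-1]])
    return list(reversed(chain))


def persistence_findings(events):
    """(kind, pid, path) for writes into the Startup folder or Run/RunOnce values."""
    hits = []
    for ev in events:
        op, path = ev["Operation"], ev["Path"]
        if op == "CreateFile" and STARTUP_RE.search(path) and "Write" in ev["Detail"]:
            hits.append(("startup_folder", int(ev["PID"]), path))
        elif op == "RegSetValue" and RUNKEY_RE.search(path):
            hits.append(("run_key", int(ev["PID"]), path))
    return hits


def analyze(text):
    """Return (tree_lines, findings); each finding carries its process lineage."""
    events = parse_events(text)
    children, parents, names = build_process_tree(events)
    tree = []
    for root in roots(children):
        tree.extend(render_tree(children, names, root))
    findings = []
    for kind, pid, path in persistence_findings(events):
        lineage = " > ".join(names.get(p, str(p)) for p in ancestry(parents, pid))
        findings.append((kind, lineage, path))
    return tree, findings


if __name__ == "__main__":
    tree_lines, hits = analyze(SAMPLE_CSV)
    print("\n".join(tree_lines))
    for kind, lineage, path in hits:
        print(f"[{kind}] {lineage} -> {path}")
```

On a real export, `analyze(open("procmon.csv").read())` is all that changes; the lineage string is the useful part, because a Startup-folder write or Run-key value is far more suspicious when the chain behind it is an unfamiliar binary spawning InstallUtil.exe than when it comes from an installer the user launched. Only `CreateFile` rows whose Detail asks for write access count as Startup-folder hits, so plain reads of that directory (Explorer, AV scanners) are not reported.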