
All right, good morning. I'd like to welcome you all to BSides. This specifically is the Ground Floor track, so today I have the honor of introducing Uriel, who'll be going ahead and talking about malware analysis, the red team edition. Before we do that, of course, I have a couple of those little announcements to give real quick. So first we'd like to start with thanking our sponsors, who are responsible for making all this happen. Without them we literally couldn't be here doing what we do. We'd like to especially thank our diamond sponsors LastPass and Palo Alto Networks and our gold sponsors Amazon, FlexTrac and Google. It's their support, along with our other sponsors, donors and volunteers, that makes this event possible.

These talks are being streamed live and they are being recorded and will be posted on YouTube, so there is no need for you to take photos or videos of the presentation. We ask that you try to silence your cell phones and keep them in your pockets. As a reminder, our policy on photographs is that if you do take a photograph, you should have permission from anybody who's in the shot. We're very sensitive to being photographed; some presenters and/or members of the community prefer to stay anonymous, so please remember that as you're taking photos around the conference. Also I'd like to remind you, if we're going to do questions and answers afterwards, please step up and use the microphone. It's not so much for us in the room or for the presenter, but it's being recorded, so that those who watch it later can hear your question clearly as it's being asked. So all right, with that I'd like to go ahead and turn it over. There it is. Thank you so much for being here.

Thank you very much for introducing me. So first of all, cheers. Give yourself a round of applause, please. Oh, oh come on, come on, open up. So first of all, cheers.
Cognac. So first of all, my name is Uriel Kosayev, thank you for presenting me. First, words of appreciation before we are going to start with our presentation. First of all I want to thank God and my mom, of course, because if not for them I would not be here. I want to thank BSides for making this amazing conference, and of course thank you, amazing audience, thank you for being here.

So let's get started. I like my talks and my presentations to be less about talk and more about doing, more about practical stuff; we'll do a couple of demos, so I'll first introduce what I will show you in the demos so you'll have some interest. The first demo will be about the DarkSide ransomware and how you, as a red team, can learn from it, and basically how you can take the same concepts and implement them in your own malware that you develop. In another demo I'll introduce how to implement some antivirus bypass techniques in your own malware in order to basically evade antivirus and EDR software. My goal in this presentation, this talk, is basically for you to open up your mind, to be fluid, not to be rigid, and basically help security grow and become better.

So basically, let's get started. This talk is not only for red teamers, it's for everyone, but the aim is specifically more about red teamers. But again, anyone can learn from it, take the concepts, take the tools and implement them. So I want you to learn malware analysis. Now, what the heck does a red teamer want to know about malware analysis? Like, why? Every red teamer has his own tools, his own C2, his own thing, and eventually most of the people that are red teamers are more about infrastructure penetration testing or Active Directory and stuff like this. But at the end of the day, most of the adversaries or the attackers will go for your data, okay? They will write ransomware, they will write some info stealers, they will use mostly malware. So if you want to become a stronger red teamer and a better security researcher, you need to learn malware analysis, and not only for the sake of malware analysis but for the sake of offensive security.

So a little bit about me. My name is Uriel Kosayev. I'm the book author of Antivirus Bypass Techniques. Basically the book presents you ten practical techniques which you can implement in your own tools and which will help you to bypass basically any antivirus and EDR, and of course this book also provides some security recommendations that you can use in order to develop better antivirus and do better detection engineering and stuff like this. I'm also the founder of MalwareAnalysis.co, which is basically a website that gives you all the necessary information you need for malware analysis, like tools, cheat sheets, stuff like this. You also have my courses there; I provide courses like basic malware analysis, advanced reverse engineering, and other stuff like malware development. Basically I like to do malware research and other security-related topics. I'm also the red team tech leader of the biggest company, like the biggest beer company in the world, called AB InBev. Just a small disclaimer: I'm not talking on behalf of AB InBev, I'm talking on behalf of myself, but just for you to know. Also YouTuber, blogger, lecturer. One of my biggest passions actually is to teach students and give them the knowledge and the tools to become better security professionals and also to enter this field. So I've been doing this for something like ten years in Israel and around the world also, and it's a great honor for me also to stand here.

So before the show begins, what the heck is malware analysis? I like to define things very shortly, without all the Wikipedia mumbo jumbo stuff, you know. So malware analysis basically is the art of analyzing and researching malicious software behavior and patterns, and by researching malicious behaviors and patterns you can learn a lot from them, for the sake of blue teaming, like detecting malware, extracting indicators of compromise, understanding the TTPs and all this stuff. But also as a red teamer you can learn a lot from those malware: from their techniques, from their bypass stuff, how they obfuscate their strings, how they use their malware, how they actually literally move in your network. So analyzing malware is like getting into the head of the author of this malware. It's like reading a book, you know; for me it's like reading a book. I think it's even better than Mozart. Yeah, most people don't really like to reverse engineer assembly and all this mumbo jumbo stuff, but for me it's actually an art.

So, the levels of malware analysis. The basic level is: you can
basically take a malware sample, if it's an executable file, PowerShell script, whatever, and you can throw it inside a sandbox, which is basically a virtualized environment with all the necessary tools to analyze the malware. Basically you have things like ANY.RUN or Hybrid Analysis, where you can take a file, throw it into the sandbox, and it will give you the overview of what the malware actually is and how it is executed and all this stuff. Of course, if there is malware with anti-sandbox and other evasion techniques, most likely it will not be executed in the sandbox, so it's kind of limited, but it can give you a good overview of what the malware does and also help you to extract indicators of compromise.

The next level is called static analysis. It is basically taking a file, extracting strings, understanding the building blocks of the file before you actually execute it in your sandbox environment, in your virtualized machine, okay? You have dynamic analysis, which is basically executing the malware on your virtual machine to see how it behaves, using tools like Procmon, Process Explorer, API Monitor, understanding what kind of Windows API functions are executed and all this kind of stuff. And of course the most amazing stuff, that most people are, I think, frightened of, is reverse engineering. It's: God damn it, get into the assembly code or whatever it is and understand how the malware actually works. So it's kind of interesting, for example, if your malware opens a socket and interacts with an external server or C2: how would it actually do it, okay? What kind of Windows API functions does it use? How can I use it for detection engineering? How can I re-implement it in my own malware, my own red teaming, in my own attacks? You know, for example, whenever you want to interact over HTTP with some external server you can use various Windows API functions: you can use a socket, you can use InternetOpenUrl, and you have a bunch of other API functions, okay? So this is only a small fraction, a small
example for you to understand what you can do with the power and knowledge of malware analysis. So we talked about malware analysis, blah blah blah, what it is, what the levels are, this kind of stuff. So first of all, cheers. Another sip. Ah, amazing.

So what is red teaming? You know, you will ask someone and they'll say, oh, it's the knowledge of using, or the use of, tools like Metasploit and Cobalt Strike, and do that and do this. But like, what is the essence, what is the goal of red teaming actually? So first of all, red teaming is not about achieving domain admin. And you know what, let me tell you another thing: most of the attackers and most of the malware don't even care about getting domain admin. You know why? Because most of the networks today are very, very hard to manage, their permissions and their security. It's very hard to be a blue team, it's very hard to literally implement security controls in the right way. So even a ransomware today can encrypt your document files without having local admin or even domain admin, so what the hell does it need domain admin for? So most of the time malware or attackers will go for domain admin only if it's really necessary for them, like to literally move between forests, through other networks, or just for the fun of it, yeah.

So red teaming is about simulating real-world threats. Now what the heck is a real-world threat? Does running CrackMapExec with Metasploit, with all the Cobalt Strike mumbo jumbo stuff, actually count as red teaming? It's the tools, it's not the essence of it. So the purpose of red teaming is to provide a real-world picture of business-related threats. Like, for example, if you're a pharmacy business, maybe your adversary will not be Conti or REvil, it will be maybe another pharmacy company, I don't know, maybe another competitor, maybe some insider threat, I don't know. Basically you need to define, as a red teamer, what is an actual threat to the company that you're trying to red team. The purpose is to act like the adversary or the enemy, based on accurate threat intelligence and on threat actors targeting your business. So the use of threat intelligence will help you to become more aware of what kind of threat actors and TTPs you actually need to simulate in order to give the real picture of the security posture of the company: simulate potential threat actors' TTPs, tactics, techniques and procedures, okay? It's like understanding the tactics, the techniques they're using. Maybe the threat actors are using Mimikatz to dump LSASS; maybe they created their own version of Mimikatz with different API functions, which most EDRs don't really even detect, I don't know. And based on this data, like the TTPs, you can actually go and do your stuff. For example, if you have threat actors like Conti, which is basically a ransomware group (I hate them, of course; they attacked a couple of my clients also, but you know, the world is hard), if you understand that Conti is actually targeting your business and you understand their TTPs, you can go and simulate the threats on the company you're attacking, of course in a secure manner. So always take OPSEC into your mind when you're doing red teaming.

And eventually the real goal of red teams is not to go to the blue team and say, yeah, you've failed, or be childish: I win, I overcome you, and all this kind of [ __ ], you know. The real purpose of red teaming is to help organizations become better. That's it. And of course helping the blue team become better. So if you, as a red team, understand the craft, the techniques, the tools that the blue team uses, and also if the blue team understands how the red team operates, they can basically help each other. So a red teamer must have an adversarial mindset. This is for sure; you cannot be a red teamer if you don't know how to think like your enemy, like a criminal, okay, like a bad guy. But mama always told us to stay away from bad guys, you know. Oh, so sweet, mommy.
I like my mom and she has amazing tips for life, and she's even right, but not in the case of red teaming. You actually need to think like your enemy, and it's kind of hard, psychologically, not only technically. So to know your enemy you must become your enemy. I know it's kind of hard to do it, but if you have the skills of mimicking others, [Music] to mimic others basically and to understand their psychology, it will be much easier for you to do this.

Now behold the real power of red teaming: Cobalt Strike! No, no, no, don't take it seriously. Cobalt Strike is an amazing tool, you know, it's amazing, too. It has a GUI, it has a lot of features, bypass and evasion modules, it does an amazing job, okay? So take it in the right perspective. But mostly when you talk to red teamers, they are about the tools: red teaming, Cobalt Strike, my man, you're not a red teamer without Cobalt Strike, you need to have Cobalt Strike. I don't agree, I don't agree. It's just one of the best tools out there, I think, but it's not what actually defines a red teamer. So why not do things like this: on the left you have Cobalt Strike, on the right you have IDA Pro. Personally I like to smoke when I'm doing reversing, kind of cool, and you know, it opens your mind. [Music]

What for me represents the right picture, like IDA, is: go and understand your own tools, go and understand your own techniques, go and understand other adversaries' techniques and tools and malware, go and research stuff. Like, someone asked me five years ago, you know what Mimikatz is? And I'm like, I think so, Mimikatz is this dump tool, blah blah. And it's like, what does this and that command do? And it's like, whatever, dumps the LSASS memory, okay? It's like, yeah. And I asked him, you know what, how do you actually understand how it works? You know, when you're asking someone, what is something, do you know about something: what is the actual level of understanding of this question? Like, for example, Mimikatz: what is the level of understanding of this tool? How do you actually know how it operates, how it acts, what kind of functions it uses, in what language it was written and compiled? Do you? Or do you just go, grab the tools, execute them, and you're a red teamer, which, to be honest, most of the time is working (maybe not Mimikatz, but other tools, you know). But in order for you to become a better red teamer or a stronger security professional, go and try to understand how this tool operates. Like, go do some Wireshark, understand how the network packets are going on, understand what the tool you are using, for example Mimikatz to dump LSASS, is actually doing: opening a handle to the LSASS process, enumerating the PIDs of the processes, receiving a handle with the OpenProcess Windows API function, using the MiniDump function to actually dump LSASS. And after you actually understand this functionality you can think, maybe, maybe there are other functions or Windows API functions that I can use which most likely most EDRs and antivirus will not detect. So it will open up for you a greater world.

Now don't get me wrong: both malware analysis and red teaming are not about the tools one is using, but the ability to research and understand technical and abstract concepts, eventually. So I think you kind of understand why malware analysis needs to concern red teamers, okay? But one of the reasons is because the bad guys do it. They go and learn from each other's malware, from each other's tools, from each other's techniques, and they actually go and re-implement the same techniques, the same tools or the same concepts, basically, in their own malware. For example, if you heard about the LockBit 3 ransomware (I also did a video about them), they literally got the code from DarkSide ransomware, copied some snippets from it, for the decryption, the runtime decryption mechanisms, and for dynamic API resolving, which we'll talk about, and then literally copy-pasted the same technique, the same concept, in their own malware. It's like, what the hell, I'm researching the LockBit ransomware and it's like 50%, like minimum 50%, the code of DarkSide. So if the bad guys go and learn from other malware and other tools, why not the red teamers, the good guys? So threat actors evolve by learning and leveraging the craft and TTPs by researching malware samples in the wild. It is one of their secrets, but not anymore. I hope this talk will actually open your mind and give you the necessary tools and necessary mindset to become a better security professional.

So let's talk quickly about the malware development lifecycle, like the MDLC, I call it. It's like SDLC for
software development lifecycle, but for malware, which is kind of the same. So you have malware development: you develop your malware, you know, the malware needs to check in which kind of environment it actually resides, whether it's Linux, Windows, what kind of version, what is the MAC address, the IP address, what's so called information gathering or situational awareness. So the malware needs to be aware of where it actually is, and then, based on this information, which most likely will be sent to an external C2 server, the malware will receive the configuration or the next stage of execution. So part of malware development, like any other software development, is to test and do QA: go and develop your malware in a secure manner, of course for good purposes and not for bad purposes. Don't be a black hat, be a white hat, you know. It's kind of cool, because, for example, if you want to learn C and assembly, doing this via developing malware is much cooler than developing the checkmate or snake game. This is my opinion, okay? Then you want to implement some malware defense bypass techniques inside your malware, like, most likely, if your malware drops on one of the computers or networks that you're targeting, there will be some endpoint protections that you want to bypass, like DLP, EDRs, antivirus, stuff like this. Then you want to actually do some offline AV and EDR testing before actually distributing the malware.

And then one of the things that I want to talk about today is IOC collection and removal. It's fine that you actually develop your own malware; you use C or Python or PowerShell, whatever language that you want. But after you compile your malware, with Visual Studio or with GCC or whatever compiler is out there, how does the file actually look for the EDR, for the antivirus, for the malware analyst, for the researcher? Are the strings that you actually used, or the variable names, or the function names, or any other IP addresses that you used in your own malware, actually present in your malware in clear text? You need to obfuscate them. Maybe one compiler compiled it one way and another compiler compiled your malware in a different way which will be much harder for malware analysts and EDRs to detect. So if you compile, for example, C-written malware in Visual Studio, it will basically be a different output than if you compile it in, for example, the GCC compiler, okay? So it's basically a research topic for you, if you want to test: write a malware, try to actually compile it with different compilers and see the difference, do some diffs, string and opcode differentiation, see how the compiled versions actually differ from each other, okay? And then, for example, if you have some malicious or suspicious IOC present in your compiled malware, you want to somehow remove it, obfuscate it, encrypt it, or whatever. And of course, as a white-hat attacker or whatever, you want to use the same techniques and IOCs used there, and work together with the threat intelligence, and try to understand how they are actually relevant to other malware in the wild, to other threat groups.

Basically, you do not have to develop your malware from zero, and this is one of the things that basically I want to say here: you can learn from real-world malware samples and incidents. For example, you can go for the Colonial Pipeline incident, if you remember, the same incident that actually broke half of the gas stations in the United States. It was actually the DarkSide ransomware: a small piece of executable disturbed and crashed half of the gas stations in the United States, something like this, not really exact on the numbers, but something like this. So what one executable file, one ransomware, can do to your state, not only to a company, think about it, and how much can be learned from this ransomware. And I also want to dive with you into this ransomware. I don't have all the time in the world, but we'll do
something simple there. So let's talk about DarkSide ransomware runtime code decryption and dynamic API resolving. Now don't get creepy on me, please. It's going to be kind of deep technical stuff, like assembly stuff. I'll try to explain it in a simple fashion. And let's begin.

So let me just start my virtual machine here. So what do we have here? Okay, can you see something here, like this maybe? Yeah. So we have the DarkSide sample, yeah, the same malware that disturbed half of the United States gas stations. So if I open this file inside PE-bear, for example, I want to see the sections and imports, like the actual sections you have in the executable file and the imported functions. Now I just remember, analyzing malware is like reading a book, and each book has its own sections, you know: it has a title, it has the data in the title, and so on. So you can see here we have two text sections. Now most normal files will have one text section. The text section actually contains the execution code, like the machine code, the assembly code that needs to be actually executed on your CPU, on your operating system. And then you have another section called text1. You know, kind of weird. Now in most files, even most malware, if you go to the imports you will see much larger DLL entries, and for each DLL you see at least five to ten imported functions. You can see where I'm going: you have only one DLL, kernel32.dll, one of the most basic and most used DLLs in Windows, and they have only one function, called ExitProcess. Like, what the hell? A normal malware or normal file will include more DLLs, like socket and, you know, CreateFile, CreateProcess, you know, like basic stuff, and here you have only one function. What the hell?

So if you open up the malware inside IDA Pro and go again to imports, you'll see ExitProcess also only present here, and basically this is the starting point from where the malware actually begins. Now these are not the actual function names, okay? These are the function names that I gave. Okay, so each call here in assembly is basically calling a function. So for example you define the function in C, like for example void blah blah, and it has two parameters. So this is what we have: you have here basically two parameters, which are basically an encrypted blob, you know, basically encrypted mumbo jumbo stuff here, and this call, mumbo jumbo stuff, will do something, then do another something, and eventually go and decrypt those encrypted blobs. Now if I press space here, I'll see that the actual code here is under the text1 section that we saw, which is not very normal. And eventually if I go here to this call, "where [ __ ] show begins", which is actually where the ransomware starts to encrypt your computer, if you go here it's like gibberish, nothing, what the hell. So if I double click, you can see here we have the text section. So it kind of occurs to me that the decrypted blob will be placed in the actual text section. So this mumbo jumbo stuff will eventually be decrypted and be actual code to analyze. So basically we have to execute the ransomware on my virtual machine, so be careful with it. Let's begin.

So basically I'll go and put a breakpoint here and start the local Windows debugger. Whoa, okay. So now it got to the breakpoint, so now the actual code is here. So we did whatever stuff it does here, then we do F8 to actually execute the function. Now, just to understand what kind of decryption it uses here: if you double click on this function, it calls this function, which I call "decryption festival", which actually goes and calls another function and eventually does XOR, blah blah. So it will basically XOR the values and in that way decrypt the content, okay? So let's do F8 (I hate this computer), okay, and another F8, and now we'll need to see something different here. So before I actually go inside this code, let me just undefine it in IDA and reanalyze it again, because for IDA it's kind of hard to understand what is going on. Then, if I select the code here like this, I go and do "analyze selected area", or C to analyze, and I hope it will give something sensible.

Okay, here we have some things here. Let's do C here, "where [ __ ] show begins". Amazing. Do another C. We kind of need to help IDA to reanalyze the code, basically. So now I'll go in with F7, which is basically go into the function. Let me just also define it as a function, with P. Now I defined it as a function, and if now I press space I will see everything in a fashionably mannered, you know, execution flow, okay? So basically, in IDA, after the decryption has occurred, I undefined the data that I had a hard time analyzing, reanalyzed it again, and using the P button on the keyboard I basically defined it as a function for IDA to understand what the building blocks actually are. Cheers.

Okay, so eventually it will go and call here two functions, this first function, the second one. So if I go to this function it will do some weird things which will basically eventually resolve the APIs or the functions of the ransomware, so suddenly you will have some functions appear there. So let's try to do F8 here, call the first function. As you can see, it resolved a lot of DLLs, and now we've got to actually resolve the functions also. So then I do another F8, and now you can see a lot of "call blah blah something", "call blah blah something dword whatever". It's actually a sign that it is calling the dynamically resolved IAT, the import address table, the actual functions of the DLLs which are resolved at runtime, okay? So if I go into this call, or maybe to another call (I hate this computer), and if I do now, for example, this call, I'll do F7, it will actually go and call shell32's command line argument function. So this function didn't appear in the executable file; how did it actually now appear? So the two functions that I presented to you here are actually doing what's so called dynamic API resolving. Now if you, as a red teamer, go and re-implement the same technique, or the same concept in a different technique, you can evade most of the static engines in most of the EDRs and antivirus, and it's kind of easy to do it, yeah.

So for the sake of our time I'll go back to my slides. I actually have a ransomware running now on my virtual machine and I don't give a hell about it, okay? Okay, so as we saw, no functions in the import address table. We can see that the sections are packed or encrypted, okay? So you see there is a high entropy; most likely if there is a higher value than seven it will be most likely encrypted, encoded or obfuscated. So first, before it goes into actually resolving the APIs, it will do the decryption. So where I showed you the two decryption routines with the XOR stuff, this is where the XOR is actually made and the text section is actually decrypted. And the dynamic API resolving basically takes both functions: LoadLibrary, which literally loads a DLL file at runtime, dynamically, and then uses GetProcAddress. The GetProcAddress function is like, LoadLibrary and GetProcAddress are like the brother and sister of resolving APIs or loading functions. The GetProcAddress function will actually import the specific functions from the DLLs, and voila, you have the resolved functions at runtime.
There was some confusion as far as double booking the room. If you are looking for the 12 o'clock "Reverse engineering a DOS PC FMV game from 1994" by Andrew, it's now down in the Proving Ground. I'm sorry to have interrupted. Thank you.

It's fine, thank you. So we talked about, or I showed you actually, how it looks like reversing a malware. It's not always like this. If, for example, malware like Agent Tesla or the Yashma ransomware, which I also have a YouTube video on, you'll see that the malware is actually compiled C#, like .NET C#. I hate OOP languages, I hate them, but they're much easier to analyze, because you don't need to actually analyze assembly, because .NET C# is a high-level language; it's called IL assembly. And if you put this compiled executable into tools like dnSpy, it will literally decompile the code, you literally will see the source code of the malware. In C or C++ compiled malware you will not see the actual source code, you will see the assembly. So IDA will do for you a disassembly, not a decompile, so it's a different process.

So now let's do some offensive stuff: present to you two bypass techniques. The first one is called rename obfuscation and the second one is called memory bombing, which is my favorite. Again, they're referred to also in my book, Antivirus Bypass Techniques; I'll be more than glad if you read this book. So let's take a simple reverse shell, like the most basic stuff that red teamers and pentesters are like: a reverse shell. So you have a C++ or, basically, C++ code here which defines the main function. It receives two to three arguments; you define the IP that you want to call back to, or to communicate with, and the port of the C2, malicious, whatever server, okay? Then it actually calls the function with the host and port, and you can kind of get where I'm getting at: if you have a function named execute shell in your code, what is the probability that antivirus and EDRs will detect it? You know, think about it. So the function execute shell basically takes two arguments, you know, the IP, the port, creates a socket, blah blah blah, stuff, and defines the connection of IPv4, in this case AF_INET, and defines the receiving of data, the buffer itself. Like, whenever the C2 server, as an attacker, wants to execute a command, it needs to send a command and you need to receive the output on the server side. So this is the thing.

So now we actually compile this malware, or reverse shell, and now we'll start to look for IOCs. And again, not only like, you literally switch your perspective to a blue teamer; now we're acting like a blue teamer. This is the real power: you're already writing your malware, your whatever stuff you're doing, then you put the blue team head on and you're like, okay, if I'm a blue team, how do I detect it? What kind of IOCs, artifacts can I find and rely on in order to create my detections, with YARA or whatever detection language it uses? So if I do strings on the executable and I'll use findstr, case-insensitive, on cmd (findstr is like the lame version of grep in Windows, okay, I hate Windows, okay), you have this cmd-dot-something, like, where is it, .exe. One of the reasons you don't see the .exe is because I used C++, which is a shitty language; I like C but I hate C++ because it's OOP, and also reverse engineering C++ is much harder. And basically you don't see cmd.exe because there is a null-terminated string, not alternating, like a \n in each one of the strings. For example, if you have an IP like 192.168.0.1, you'll have in the strings 192, 168, and then a new line, 0, and 1. What? C++, don't ask me, okay? So if you're writing your malware in C++ it will basically be better for you, or easier for you, to bypass, rather than C, because C-compiled executables are much easier to read: you literally see the strings, the variable names or whatever functions are defined, and it's much easier to understand.

Okay, so what now? So now I'll implement some rename obfuscation. So as you can see, it's the same code. I changed the function from execute shell (like, a shell, what the hell) to run, a little generic name, run. Run what? Then you have host and port, which again can be benign, it doesn't have to be malicious, you know. In the code before you saw that actually you use CreateProcess with the cmd.exe, and it's like cmd.exe in one line. So I did a simple trick, you know: I basically defined two char variables, "cm" and "d.exe", and then I concatenated them together using strcat, in C or C++, whatever, as a pointer variable of course, and I pass this pointer variable to CreateProcess, to the Windows API CreateProcess function, and it basically changes things in the compiled version. Then you validate it again, DIE, you'll see, removed, yeah. Where's the cmd-dot-something? Yeah, gone, got away.

The second technique that I want to show you is memory bombing. I think that I am basically the first that named this technique memory bombing. Not something new, but presented in my book, and it's very basic. The first technique is used to bypass the static engine of antivirus and EDRs; this one is just for the dynamic engine. Like, whenever you execute your malware or your executable, the dynamic engine of the antivirus or the EDR will basically allocate a protected virtualized memory, like VirtualAlloc or something like this. It will put the code inside this emulated environment, or memory, in your computer, and it will try to execute it. Now as we all know, antivirus and EDRs have one problem, basically two problems: the fear of false positives, yeah, and the limitation of resources in your computer. Because think about it, antivirus and EDRs are residing in the same memory, in the same operating system, the same computer, so of course they have some limitations. Now think about it: if I allocate a large enough memory, like eight megabytes, 20 megabytes, whatever, so the antivirus looks at your malware and says, ah man, it's too big for me, move on, and it lets your malware execute, because if there is any chance that it will terminate a legitimate process or a legitimate executable, big problem. And this is the same thing that I'm actually exploiting here: the fact that any antivirus and EDR has some resource limitation, and I'm allocating a big chunk of memory for him to choke on.
and later malware executed and now for the detection test results before the obfuscation and memory bombing is made 35 detections after the fescation and memory bond has occurred half down f down like more than 50 it's a lot now think about it if i'll do things a little bit differently and i'll implement maybe even one or more bypass techniques i will create a fully undetectable malware zero detections yeah this is the reality we're living at this is why you need to become a better security expert this is why you need to understand both sides red team blue team whatever color you want to purple theme yellow all these colors it's not about the colors it's about
the way you're working, the way you're thinking, the way you're approaching stuff.

So, for the sake of ending this presentation, you know, some important tips for success. Always understand your tools and malware: go as deep as possible, understand the IOCs generated in your compiled malware, the network packets, the actual used functions, everything that you can. Go as deep as possible; you will be surprised at what you will learn. The most learning experience I had in my own offensive, blah blah, career is through doing the blue team stuff, incident response, forensics. Now, right now, it's like seeing the other side of things, you know. What, I really appreciate blue teamers, because it's a hell of a hard thing to do, and always the complaints are against the blue team, which is kind of sad. But learn malware analysis to understand, think like a blue teamer. And again, malware analysis is not only for blue teamers, it's for red teamers. The bad guys do it: they analyze malware and they learn from each other. I actually showed you it with the DarkSide ransomware, and if you want you can go to my YouTube video about LockBit 3 ransomware and you kind of see the same code re-implemented there. Research malware to gain deeper knowledge and inspiration, better understanding of operating systems, of coding, of everything. Follow the MDLC model: malware development is like any other SDLC process, so write your malware in a good fashion. Like, one of the malware research, like they call it, Ardamax keylogger, I actually found a vulnerability there which I exploited, DLL hijacking. Like, if you have Ardamax keylogger in your computer, and I'm another attacker and I want to persist or maybe even escalate privilege in your computer, I can exploit the same malware, the Ardamax keylogger, to reside in your computer. So it's kind of, you know, so it's very important for you, for like OPSEC, operational security, and everything: securely code, securely code your malware. Yeah, I know it's kind of funny to say that, but yeah. Be curious, passionate and innovative, I don't need to say this. And take some breaks in between; don't work like a juggernaut, take some breaks in between. Cooperation: cooperate, don't be a jackass, yeah. If you want to do a real adversary simulation, adversary emulation, writing code, whatever you want, you need to cooperate with teams like threat intelligence, you need to, or do that sort of intelligence for yourself, and understand what is the actual value you provide your company based on the actual threats posed on your company, and eventually take your report, that research simulation you did, or the red teaming work, with the blue team and gain better security, money, time. Again, think like fluid water, not like a rigid rock. Think and operate like a criminal. Help security grow and become better. If you want to have some more resources, some more fun, more learning experience, you can go into Malware Analysis School; you don't have to take my courses, do whatever you want, you can learn for yourselves, but you can use the resources, the cheat sheets, everything. Most of the things are for free, basically. My website is like an index, you have everything there, or whatever you need. If you have some suggestions or things that you think I may add to the website, feel free to contact me on my Twitter, whatever. Yeah, that's it, thank you very much.
[Applause] Thank you, thank you, you're an amazing audience. Any questions? Yeah, okay, can you go to the microphone? They asked, yeah. Questions, questions? Cheers.

In terms of sandbox analysis, now that Cuckoo's kind of been not updated in a very long time, I saw on your site you have a bunch of sandboxes listed, but... Could you be closer to the microphone? Yeah, okay, testing. Amazing, all right. On your website I saw you listed a bunch of sandboxes. I used to use Cuckoo when I used to do this kind of stuff, yeah, I haven't updated that forever. The sandboxes you listed, I see a lot of them are like paid solutions. Is there anything you can still run locally, similar to how Cuckoo used to be, where you could step into a process and interactively, you know, like make a change, like click on a link or something or a button, and then go back and get your analysis at the end? Yeah, that's not like running in the cloud, because if I'm dealing with very sensitive data I don't necessarily trust a company that says they'll keep it private, and keep everything local.

Okay, thank you for the question. So basically, yes, about, you know, plausible and workable sandboxes out there. So basically if you go to my website you'll see there's a bunch of, you know, sandboxes that you can use; maybe there are other solutions that I'm not aware of. You basically have two options. You can implement your own automated sandbox using Cuckoo Sandbox, which is free, open source. I actually used it in my army service, where I did the research and security stuff, and it kind of helped me, you know, to gain the first visibility and understanding of the malware. It actually also communicates with VirusTotal and brings you all the detections, all this kind of stuff. So if you want to do something locally, use a very strong server with, you know, SSD storage and whatever, you know, a Xeon CPU, everything, at least 32 gigs of RAM, because it takes a lot of resources. Basically you can implement Cuckoo Sandbox, it will do an amazing job, but take into account there is a lot of troubleshooting and a lot of problems that you need to face, like Python [ __ ] and Linux [ __ ] and yada yada [ __ ], a lot of [ __ ], yeah. If you want to use a cloud-based sandbox you can use ANY.RUN, which is amazing; from what I understood it's Russian-based or something, I don't know, from what I heard. Take care, good luck, don't put any personal information in your malware or something. [Music] You can use, you know, Hybrid Analysis, and, you know, other, other solutions; just go to my website, you have the sandbox links, you can use all of them. Other questions? Thank you. [Applause] You're an amazing audience, thank you very much, may God bless you all, thank you.