Day Two: Malware Reverse Engineering

BSides Islamabad · 2021 · Duration 4:37:44 · 1.1K views · Published 2021-02

Tags
Category: Technical
Difficulty: Advanced

About this talk
Timestamps

0:00 Day Start
0:41 Start of Workshop and Outline
2:18 Topic 1: Malware Traffic Interception/Decryption and Controlling a Backdoor
16:32 Walkthrough Start
21:13 UDP response setup
28:20 SSH setup for tunneling
39:09 Traffic interception/decryption
54:14 Controlling the Backdoor
1:05:20 Topic 2: Binary Unpacking
1:14:42 Demo: Mapped vs Unmapped PE
1:24:42 Walkthrough Start: UPX manual unpacking
1:37:12 Removing ASLR and demo of the .reloc section's effect in the case of self-injection
1:48:05 Walkthrough Start: Custom packer unpacking and manual dumping
1:55:15 Types of breakpoints
2:04:45 Fixing a mapped PE for static analysis
2:11:47 Identification of Crypto/Compression
2:15:48 Topic 3: Binary Patching
2:17:54 Demo: Using static patching on a Flare-On binary
2:27:53 Walkthrough Start: Hot patching cmd.exe
2:36:45 Hot patching the "dir" command in cmd.exe
2:50:28 Static patching on a custom binary
3:05:25 Topic 4: Binary Emulation
3:11:10 Walkthrough Start: Router malware emulation
3:20:19 String decryption with emulation
3:40:57 Final Words (on the advanced topics)
3:50:38 Topic 5: Shellcode Analysis
3:56:05 Demo start
4:11:03 Topic 6: Detection Signatures (yara/snort)

Corrections/Additions by Umair

1:49:30 - For malware that injects shellcode into external processes after multiple layers of unpacking, the final payload can also be obtained relatively easily directly from the injected process, rather than by following the whole unpacking path.
2:49:58 - CryptEncrypt*
3:09:28 - The requirements stated (minimum 2 VMs etc.) apply only in the case of non-Windows hosts.
3:10:12 - Petya resides* in the master boot record.
3:38:48 - Content-Type*

Speakers

Umair has been in the cyber industry for over 7 years, working in the areas of OS internals, reverse engineering and malware analysis. He started his career focusing on Windows Internals R&D for FireEye's detection technologies. He later joined FireEye Labs and switched focus to APT analysis, detection engineering and hunting. He is now part of Kaspersky's Global Research and Analysis Team (GReAT), a team of globally distributed researchers that has discovered and reverse engineered some of the most notorious and sophisticated APTs to date.

Irshad has more than five years of hands-on experience in threat research/intelligence, malware analysis, reverse engineering and detection. After completing his bachelor's in Electrical Engineering from UET Lahore in 2015, he joined Ebryx Pvt Ltd, where he provided detection capability for ordinary and APT malware for FireEye NX/EX products. In 2017, he moved to FireEye Labs Singapore, where he mainly focuses on detailed analysis and detection of APT malware.