Malware: malicious software which is specifically designed to disrupt, damage, or gain unauthorized access to a computer system
Analysis: detailed examination of the elements or structure of something
101: showing the most basic knowledge about a subject
C:\>whoami
"AC" @AndrewCostis
Threat Research & Incident Response Engineer
Goals of Malware Analysis
Risk / Impact
Commodity Vs Targeted
Defence!
IOC's / TTP's
Attribution
Threat Intel Reports
Fun!
Profit! $$$
Compile (top to bottom) / Disassemble (bottom to top):
Source Code: if (varX == 001EFD70)
Assembly Code: mov eax, varX
Machine Code: 8B F0
Binary Code: 01101011
:Code Patterns:
Assembly:
    mov eax, varX
    cmp eax, 0x01EFD704
    jne code B
    run code A
    jmp end
Source:
    if (varX == 0x01EFD704) { run code A } else { run code B }
    end
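An added example, not from the slides: a small Python script that scans a constructed disassembly listing for the mov/cmp/jcc idiom above and rewrites it as the if/else the compiler started from, making the point that a `jne` means the fall-through block is the equal case. It also handles `je`/`jz`, which the slide does not show; the listing, register and label names are made up for the demo.

```python
import re
from dataclasses import dataclass

# Constructed listing in the style of the slide's "Code Patterns" example.
SAMPLE_LISTING = """
mov eax, varX
cmp eax, 0x01EFD704
jne code_B
; code A runs here (fall-through)
jmp end
"""

MOV = re.compile(r"^\s*mov\s+(\w+)\s*,\s*(\w+)\s*$", re.I)
CMP = re.compile(r"^\s*cmp\s+(\w+)\s*,\s*(0x[0-9a-f]+|\d+)\s*$", re.I)
JCC = re.compile(r"^\s*(jne|jnz|je|jz)\s+(\w+)\s*$", re.I)

@dataclass
class CompareBranch:
    source: str      # operand loaded before the compare (e.g. varX)
    constant: int    # immediate it is compared against
    mnemonic: str    # conditional jump that consumes the flags
    target: str      # label reached when the jump is taken

def find_compare_branches(listing):
    """Return every mov/cmp/jcc triple whose cmp tests the register just loaded."""
    lines = [l for l in listing.splitlines() if l.strip()]
    hits = []
    for mov, cmp_, jcc in zip(lines, lines[1:], lines[2:]):
        m, c, j = MOV.match(mov), CMP.match(cmp_), JCC.match(jcc)
        if not (m and c and j):
            continue
        if m.group(1).lower() != c.group(1).lower():
            continue  # compare is on a different register; not this idiom
        hits.append(CompareBranch(m.group(2), int(c.group(2), 0),
                                  j.group(1).lower(), j.group(2)))
    return hits

def to_pseudo_c(cb):
    """Express the branch as source-level if/else; the taken jump is the else arm.

    jne/jnz jumps when the values differ, so the fall-through (code A) is the
    '==' case; je/jz inverts that."""
    op = "==" if cb.mnemonic in ("jne", "jnz") else "!="
    return (f"if ({cb.source} {op} {cb.constant:#x}) "
            f"{{ /* fall-through */ }} else {{ goto {cb.target}; }}")

if __name__ == "__main__":
    for cb in find_compare_branches(SAMPLE_LISTING):
        print(to_pseudo_c(cb))
```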
:Types of Analysis:
Executable Files (.exe, .elf)
Office Docs (.xls, .doc, .pdf)
Scripting (JS, Python, Perl)
Memory Forensics
:Knowledge:
OS Internals
Intel x86 CPU & Assembly
File Formats
RFC's
Coding
:Tools:
Network Sniffer
Virtualization Vs HW Vs Cloud Sandbox
Monitoring Tools
Debugger (advanced)
Disassembler (advanced)
Malware!
Static Vs Dynamic
Static (Advanced) IDA PRO - Disassembler
Dynamic (Advanced) Olly - Debugger
Evasive Tactics
Code Obfuscation
VM Escape
Junk Code
IsDebuggerPresent API
Targets Specific OS
Time/Date Based
And Many More!!
:Personality Traits:
Team Player
Patient
Persistent
Inquisitive
Articulate
Crazy?!
Sharing IS Caring!
RTFM / Questions?