Www.SecurityXploded.com. Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.

Slides:



Advertisements
Similar presentations
Intel® RPIER 3.1 User Training Joe Schwendt Steve Mancini 7/31/2006.
Advertisements

Legal Meetings: Extended Instructions on Movica and Screencast.
WEB AND WIRELESS AUTOMATION connecting people and processes InduSoft Web Solution Welcome.
Malware Dynamic Analysis Part 5 Veronica Kovah vkovah.ost at gmail See notes for citation1
Monnappa KA  Info Security Cisco  Core Member of SecurityXploded  Focus on Threat Intelligence  Reverse Engineering, Malware Analysis,
Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
Introduction to Web Interface Technology (CSE2030)
V0.01 © 2009 Research In Motion Limited Introduction to Java Application Development for the BlackBerry Smartphone Trainer name Date.
CS 290C: Formal Models for Web Software Lecture 1: Introduction Instructor: Tevfik Bultan.
1 Software Testing and Quality Assurance Lecture 32 – SWE 205 Course Objective: Basics of Programming Languages & Software Construction Techniques.
TCP/IP Tools Lesson 5. Objectives Skills/ConceptsObjective Domain Description Objective Domain Number Using basic TCP/IP commands Understanding TCP/IP3.6.
Reproducible Environment for Scientific Applications (Lab session) Tak-Lon (Stephen) Wu.
Automated Malware Analysis
Web server and web browser It’s a take and give policy in between client and server through HTTP(Hyper Text Transport Protocol) Server takes a request.
Presented by…. Group 2 1. Programming language 2Introduction.
Defeating public exploit protections (EMET v5.2 and more)
INTRODUCTION TO WEB DATABASE PROGRAMMING
IT 210 The Internet & World Wide Web introduction.
Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
Introduction to Android Swapnil Pathak Advanced Malware Analysis Training Series.
Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
Customized cloud platform for computing on your terms !
Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
Server-side Scripting Powering the webs favourite services.
Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.
Web application architecture
Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
5 Chapter Five Web Servers. 5 Chapter Objectives Learn about the Microsoft Personal Web Server Software Learn how to improve Web site performance Learn.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Application Layer Functionality and Protocols.
Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
9 Chapter Nine Compiled Web Server Programs. 9 Chapter Objectives Learn about Common Gateway Interface (CGI) Create CGI programs that generate dynamic.
Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
Module 10: Monitoring ISA Server Overview Monitoring Overview Configuring Alerts Configuring Session Monitoring Configuring Logging Configuring.
Monnappa KA  Info Security Cisco  Member of SecurityXploded  Reverse Engineering, Malware Analysis, Memory Forensics 
Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
Malware Analysis Jaimin Shah & Krunal Patel Vishal Patel & Shreyas Patel Georgia Institute of Technology School of Electrical and Computer Engineering.
Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
1 MSCS 237 Overview of web technologies (A specific type of distributed systems)
Amit Malik SecurityXploded Research Group FireEye Labs.
Mastering Windows Network Forensics and Investigation Chapter 10: Introduction to Malware.
AdLib eDocument Solutions Scott Mackey AdLib eDocument eDocument Solutions.
Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
Homework tar file Download your course tarball from web page – Named using your PSU ID – Chapter labeled for each binary.
Module: Software Engineering of Web Applications Chapter 2: Technologies 1.
27.1 Chapter 27 WWW and HTTP Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
DEV395 No Touch Deployment for Windows Forms Jamie Cool Program Manager.NET Client Microsoft Corporation.
27.1 Chapter 27 WWW and HTTP Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
IBM Software Group ® Jazz Team Build – Part 1 Overview Jonathan.
Windows Vista Configuration MCTS : Internet Explorer 7.0.
1 Chapter 1 INTRODUCTION TO WEB. 2 Objectives In this chapter, you will: Become familiar with the architecture of the World Wide Web Learn about communication.
9/24/2017 7:27 AM © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN.
Malware malicious software which is specifically designed to disrupt, damage, or gain authorized access to a computer system Analysis detailed examination.
Malware Reverse Engineering Process
Data Virtualization Tutorial… CORS and CIS
Malware Reverse Engineering Process
Part 1: Basic Analysis Chapter 1: Basic Static Techniques
GCED Exam Braindumps
QAD Reporting Framework
Dev Test on Windows Azure Solution in a Box
Microsoft Ignite NZ October 2016 SKYCITY, Auckland.
Chapter 3. Basic Dynamic Analysis
Advanced Computing Facility Introduction
Recitation on AdFisher
Basic Dynamic Analysis VMs and Sandboxes
Lecture 34: Testing II April 24, 2017 Selenium testing script 7/7/2019
Presentation transcript:

Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions of any kind. Also the views/ideas/knowledge expressed here are solely of the trainer’s only and nothing to do with the company or the organization in which the trainer is currently working. However in no circumstances neither the Trainer nor SecurityXploded is responsible for any damage or loss caused due to use or misuse of the information presented here.

Acknowledgement  Special thanks to Null community for their extended support and co-operation.  Special thanks to ThoughtWorks for the beautiful venue.  Thanks to all the trainers who have devoted their precious time and countless hours to make it happen.

Advanced Malware Analysis Training This presentation is part of our Advanced Malware Analysis Training program. Currently it is delivered only during our local meets for FREE of cost. For complete details of this course, visit our Security Training page.Security Training page

Who am I? Monnappa  Member, SecurityXploded  Info Security Cisco  Reversing, Malware Analysis, Memory Forensics.    LinkedIn:

Content  Sandbox Overview  Why Sandbox Analysis  Sandbox Architecture  Online Sandboxes  Custom Sandbox (Sandbox.py)  Sandbox.py working  Sandbox.py report  Demo 1&2 (Sandbox Analysis)

Sandbox Overview  Execute malware in a controlled/monitored environment  Monitors file system, registry, process and network activity  Outputs the results in multiple formats  Examples of Sandboxes Cuckoo Sandbox ThreatExpert Anubis CWSandbox

Why Sandbox Analysis? To determine:  The nature and purpose of the malware  Interaction with the file system  Interaction with the registry  Interaction with the network  To determine identifiable patterns

Sandbox Architecture Controller ReportsArtifactsPCAPS Host Machine Analysis Machine (VM) Reports Launch Sample Samples Submit Monitoring tools

Online Sandbox –ThreatExpert results

Online Sandbox –CWSandbox results

Online Sandbox –Anubis results

Custom Sandbox – sandbox.py  Automates static, dynamic and Memory analysis using open source tools  Written in python  Can be run in sandbox mode or internet mode  In sandbox mode it can simulate internet services (this is the default mode)  Allows you to set the timeout for the malware to run (default is 60 seconds)  Stores final reports, pcaps, desktop screeshot, and malicious artifacts for later analysis

Sandbox.py (working)  Takes sample as input  Performs static analysis  Reverts VM to clean snapshot  Starts the VM  Transfers the malware to VM  Runs the monitoring tools ( to monitor process, registry, file system, network activity)  Executes the malware for the specified time

Sandbox.py (working contd)  Stops the monitoring tools  Suspends the VM  Acquires the memory image  Performs memory analysis using Volatility framework  Stores the results (Final reports, destkop screenshot, pcaps and malicious artifacts for later analysis)

Sandbox.py Report Static analysis results:  File type (uses magic python module)  Cryptographic hash (md5sum – uses hashlib python module)  VirusTotal results (python script using VirusTotal’s public api)  Determines packers used by malware (uses yara-python)  Determines the capabilities of the malware like IRC, P2P etc etc (uses yara-python module)

Sandbox.py report Dynamic analysis results:  Determines File system activity  Determines Process activity  Determines Registry activity  Monitor Network activity  Displays DNS summary  Shows TCP conversations  Displays HTTP requests & HTTP request tree

Sandbox.py report Memory analysis results:  uses Volatility advanced memory forensics framework  displays process, hidden process in memory  displays network connections, terminated network connections  displays listening sockets  determines api hooks, code injection and embedded executable in memory  displays DLL’s loaded by the process memory  displays services in memory  displays the registry keys (like run registry key)

All Training Demo Videos are available at

Sandbox.py – Help option The below screenshot shows the sandbox.py help option

Sandbox.py – Input The below screenshot shows the sandbox.py taking sample as input to run it for 30 seconds

Sandbox.py – Static Analysis The below screenshot shows the static analysis results after executing the sample

Sandbox.py – Dynamic Analysis The below screenshot shows the dynamic analysis results after executing the sample

Sandbox.py – Network Activity The below screenshot shows the network activity after executing the sample

Sandbox.py – Memory Analysis The below screenshot shows the memory analysis results after executing the sample

Reference Complete Reference Guide for Advanced Malware Analysis Training [Include links for all the Demos & Tools]

Thank You !

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.