Overcome Self-Defending Malware - Tools, Techniques and Lab Setup
Here I demonstrate how to overcome a simple self-defence tactic that some malware samples commonly utilise to target their victims and prevent sandbox / VM analysis.
I demonstrate how to set up two Virtual Machines to capture network requests from Windows using fakedns and inetsim, both of which are pre-installed on REMnux. Then, we use ProcMon and Process Hacker to look at running processes, APIMon to capture the API calls used by the malware and x64dbg to disassemble and debug it.
Next I show you how to quickly patch the malware to remove the anti-analysis trick, which enables you to elicit network IOCs from the sample that are super-useful for you to protect against in your own environment.
Finally I demonstrate a super-cool x64dbg plugin called BreakpointUnresolved which allows you to set a breakpoint on API calls that aren't in the IAT, i.e. API calls that the malware loads and references at runtime. This is a brilliant plugin and one very worthy of putting in your toolkit.
Sample:
MD5: c72228712e3955a28f5ea1ccbcb93b74
Tools Used:
Process Hacker - http://processhacker.sourceforge.net/
Process Monitor - https://docs.microsoft.com/en-us/sysinternals/downloads/process-utilities
API Mon - http://www.rohitab.com/apimonitor
x64dbg - https://x64dbg.com/#start
PEStudio - https://www.winitor.com/
REMnux - https://remnux.org/
BreakpointUnresolved - I've uploaded compiled versions here: http://jmp.sh/8muSqjs
If you like the video, click Like.
If you loved it, subscribe!
You can also follow me https://twitter.com/cybercdh
Thanks for watching!
Video "Overcome Self-Defending Malware - Tools, Techniques and Lab Setup" from the channel Colin Hardy