Table of Contents
- General Stuff
- General Analysis
- Android
- APTs
- Botnets
- C2 Infrastructure
- Domain Generation Algorithms(DGA)
- Campaigns
- Code Injection Techniques
- DLL Related
- Embedded
- Exploit Kits
- Hashing
- Mac OS X
- Malware Repositories
- Network Analysis
- Obfuscation
- Office Documents
- Malware Scanner/Identifier Services(Is it identified/Malicious?)
- (Un)Packers/Encoders
- Persistence Mechanisms
- Process-'___'
- Virtual Machines & Anti-Analysis Tricks
- Dynamic Analysis
- Static Analysis
- Honeypots
-
https://pentest.blog/n-ways-to-unpack-mobile-malware/ https://github.com/MISP/MISP
-
Golem Malware - The Malware Hiding in Your Windows Fonts Folder - Pierre-Alexandre Braeken https://www.youtube.com/watch?reload=9&v=CGvQIgoBd3Q https://medium.com/@z3roTrust/digital-steganography-as-an-advanced-malware-detection-evasion-technique-40d4eeb19830 https://research.checkpoint.com/macos-malware-pedia/ https://objective-see.com/blog/blog_0x32.html https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/ https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html https://github.com/hfiref0x/VBoxHardenedLoader
-
Extend
- maldocs section
- Hooking techniques
- Hollowing
-
Add
- Stuxnet
- Duqu
- Flame
- Itaduke
- Packers
- mew
- ASPROTECT
- UPX
- FSG
- PESpin
https://github.com/tarcisio-marinho/GonnaCry?files=1 https://0x00sec.org/t/how-ransomware-works-and-gonnacry-linux-ransomware/4594 https://medium.com/@tarcisioma/how-ransomware-works-and-gonnacry-linux-ransomware-17f77a549114 https://medium.com/@tarcisioma/ransomware-encryption-techniques-696531d07bb9
- loffice - Lazy Office Analyzer
- Loffice is making use of WinAppDbg to extract URLs' from Office documents but also VB-script and Javascript. By setting strategical breakpoints it's possible to neutralize obfuscation and get the URL and file destination. Anti-analysis via WMI, for example detecting running processes or installed software is handled by patching the query string before the query is run.
-
Look Here First
-
Analysts Blog's
-
Becoming a Malware Analyst
-
- Analysis 101
- Reverse Engineering Malware 101 Material - Malware Unicorn
- Malware Analysis Tutorials: a Reverse Engineering Approach - Dr Xiang Fu
- Malware Analysis Tutorials: a Reverse Engineering Approach
- Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014
- Reversing & Malware Analysis Training
- Making an Analysis Box
- VirtualBox Hardened Loader
- Creating a Malware Sandbox in Seconds with Noriben.
- Building a Home Lab to Become a Malware Hunter - A Beginner’s Guide
- Cuckoo Sandbox Hardening(2013)
- Awesome Guide to building a VM for anonymous Malware Analysis and Reverse Engineering
- malboxes
- Builds malware analysis Windows VMs so that you don't have to.
- Advanced Desktop Application Sandboxing via AppContainer
- General Analysis Writeups
- Sandboxes
- Limon - Sandbox for Analyzing Linux Malwares
- Truman
- Truman can be used to build a "sandnet", a tool for analyzing malware in an environment that is isolated, yet provides a virtual Internet for the malware to interact with. It runs on native hardware, therefore it is not stymied by malware which can detect VMWare and other VMs. The major stumbling block to not using VMs is the difficulty involved with repeatedly imaging machines for re-use. Truman automates this process, leaving the researcher with only minimal work to do in order to get an initial analysis of a piece of malware. Truman consists of a Linux boot image (originally based on Chas Tomlin's Windows Image Using Linux) and a collection of scripts. Also provided is pmodump, a Perl-based tool to reconstruct the virtual memory space of a process from a PhysicalMemory dump. With this tool it is possible to circumvent most packers to perform strings analysis on the dumped malware.
- Noriben - The Portable Sandbox System - ghettoforensics.com
- Noriben is a Python-based script that works in conjunction with SysInternals Procmon to automatically collect, analyze, and report on runtime indicators of malware and suspicious system behavior. In a nutshell, it allows you to run your malware, hit a keypress, and get a simple text report of the system's activity after running an attack.
- Noriben - github
- General Tutorials
- A Guide to Malware Binary Reconstruction
- Automating Removal of JS Obfuscators
- In this post we detail a method to improve analysis of Java code for a particular obfuscator, we document the process that was followed and demonstrate the results of automating our method. Obscurity will not stop an attacker and once the method is known, methodology can be developed to automate the process.
- DIY Android Malware Analysis with OBAD
- ZeroAccess Malware - Part 1 De-Obfuscating and Reversing the User-Mode Agent Dropper
- Malware Analysis, Threat Intelligence and Reverse Engineering: workshop slides
- Analysis 101
-
- How To Dissect Android Flappy Bird Malware
- Hacking Team Writeup
- Android/Beita.A malware analysis
- Analysis
- Static
- Dynamic
- Android Sandbox V1
- Automated Malware Analysis
- Cuckoo-Droid
- CuckooDroid is an extension of Cuckoo Sandbox the Open Source software for automating analysis of suspicious files, CuckooDroid brigs to cuckoo the capabilities of execution and analysis of android application.
- Android Sandbox V1
- Obfuscators
- De-Obfuscators
- De-hoser
- Unpacker for the HoseDex2Jar APK Protection which packs the original file inside the dex header
- hidex
- hides or reveals a given method in a DEX file
- Android Unpacker presented at Defcon 22: Android Hacker Protection Level 0
- native-unpacker/ - Unpacker for APKProtect/Bangcle/LIAPP/Qihoo Packer that runs natively, no dependency on gdb
- hide-qemu/ - Small hacks for hiding the qemu/debuggers, specifically from APKProtect
- De-hoser
- Packers
-
- 101
- Articles/Writeups
- Decoding ZeuS disguised as an .RTF File
- Excellent step by step writeup
- FinFisher Malware Dropper Analysis
- North Korean Malware Writeup
- Regin Malware writeup by F-Secure
- Fanny Malware Writeup
- The DUQU 2.0 Technical Details - Kaspersky
- FinFisher - CodeandSec
- Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents
- Axiom Threat Actor Group Report
- Decoding ZeuS disguised as an .RTF File
- Talks & Presentations
- Unmasking Careto through Memory Analysis - Andrew Case
- Clean up on Aisle APT - Mark Parsons
- This presentation will discuss findings from running multiple sinkholes over the past year. I have purchased multiple domains associated with 'APT' activity after the domains have expired. I will discuss initial expectations before beginning this journey and then discuss actual results and findings. To assist other researchers, suggestions and lessons learned from this experiment will be shared.
- Hacking FinSpy - a Case Study - Atilla Marosi - [TROOPERS15]
- To Catch a Spy Tyler Hudak - Derbycon7
- ZitMo NoM - Derbycon2014
- A world without malware is ideal but unlikely. Many of us would prefer not to install another layer of protection on their already resource constrained handheld mobile device. Alternatively, Android malware detection sans anti-virus installation has become a reality. Learn about how it’s possible to detect mobile malware using simple text messages with ZitMo NoM. ZeuS in the mobile, known as ZitMo, is infamous for intercepting SMS transmissions then redirecting them to a Command & Control in order steal banking and personal information. Research with SMS transmissions directed at mobile malware has resulted in the ability to detect ZitMo’s presence without anti,virus applications installed. Turning their own tools against them makes this even more of a rewarding endeavor. We are looking for malware researchers to contribute to the continued development of this open tool. The presentation will include the research, the infrastructure and a demonstration of ZitMo NoM. Live malware will be used during this presentation, assuming we get it to behave.
- Malware: From your text editor, to the United States Government's Lab (SHA2017)
- How Universities in the US collaborate with the United States Government to make America stronger, and the rest weaker. Ever wonder where your malware ends up after you deploy it? Are you curious how the United States Government researches Cyber Security on the backs of students? First, this is not a technical talk. This is an informative talk on the insides of how the inner workings of an Information Security Lab in one of the Top Technical Universities in the United States works with its Government to provide insights in the world of, as the feds like to call it, "CyberSecurity". (All Americans apologize for Trump. We're sorry.)
- Modern Reconnaissance Phase by APT – Protection Layer -Paul Rascagneres
-
- 101
- Articles/Writeups
- Analysis of a Romanian Botnet
- Going from first sighting in logs to tracing attackers to their C2 IRC room
- A timeline of mobile botnets
- With the recent explosion in smartphone usage, malware authors have increasingly focused their attention on mobile devices, leading to a steep rise in mobile malware over the past couple of years. In this paper, Ruchna Nigam focuses on mobile botnets, drawing up an inventory of types of known mobile bot variants.
- Inside Your Botnet
- Analysis of a Romanian Botnet
- Papers
- Talks & Presentations
- Tools
- Botnet Lab
- An IRC based tool for testing the capabilities of a botnet
- BYOB (Build Your Own Botnet)
- BYOB is an open-source project that provides a framework for security researchers and developers to build and operate a basic botnet to deepen their understanding of the sophisticated malware that infects millions of devices every year and spawns modern botnets, in order to improve their ability to develop counter-measures against these threats.
- Botnet Lab
-
- 101
- Articles/Writeups
- Tools
- fastfluxanalysis
- Scripts to detect Fast-Flux and DGA using DNS query responses
- fastfluxanalysis
-
- 101
- Articles/Writeups
- Domain Generation Algorithms
- Johannes Bacher's reversing efforts
- Domain Generation Algorithms
- Talks & Presentations
- Tools
-
- Malware Attribution tracking cyber spies - Greg Hoglund - BH2010
- Repurposing OnionDuke: A Single Case Study Around Reusing Nation State Malware - BH USA 15
- Hack.lu 2016 Unveiling the attack chain of Russian-speaking cybercriminals
- Attacking Linux Moose Unraveled an Ego Market - Masarah Paquet-Clouston & Olivier Bilodeau
- For this talk, a criminologist and a security researcher teamed up to hunt a large-scale botnet dubbed Linux/Moose that conducts social media fraud. Linux/Moose has stealth features and runs only on embedded systems such as consumer routers or Internet of Things (IoT) devices. Using honeypots set up across the world, we managed to get virtual routers infected to learn how this botnet spread and operated. We performed a large-scale HTTPS man-in-the-middle attack on several honeypots over the course of several months decrypting the bots’ proxy traffic. This gave us an impressive amount of information on the botnet’s activities on social networks: the name of the fake accounts it uses, its modus operandi to conduct social media fraud and the identification of its consumers, companies and individuals. This presentation will be of interest to a wide audience. First, it will present the elaborate methodology we used to infect custom honeypots with Linux/Moose and led to contributions to the open-source Cowrie Honeypot Project. Second, it will describe the technical details behind the man-in-the-middle attack conducted to decrypt the traffic. The talk will further increase its draw by placing the botnet’s activities within a larger-scope: the illicit market for social media fraud. With the data gathered from the decrypted traffic and open-source research, market dynamics behind the sale of social media fraud will be presented, allowing an overview of the botnet’s potential profitability. Overall, this research elevates the standards of botnet studies as it not only investigates how a botnet is built, but also what drives it.
-
- 101
- Articles/Writeups
- Talks & Presentations
-
- 101
- Articles/Writeups
-
- 101
- Articles/Writeups
- Talks & Presentations
- The Economics of Exploit Kits & E-Crime
- I will discuss how the market for exploit kits has been changing, in techniques, marketing and prices. I argue that the competitiveness between exploit kits shows a maturing market, but will leverage economic theory to demonstrate the limits to which that market will continue to mature. This should allow us to understand how exploit kits affect (and are affected by) the rest of the greater market for hacker services, from malware (as an input) to nation-state level attacks (e.g. trickle down from Hacking Team). I hope to provide a better understanding of how exploit kits work and how their sold as well as how this market can teach us about the rational choice to engage in criminal activity and how we might dissuade them.
- The Economics of Exploit Kits & E-Crime
-
- 101
- Articles/Writeups
- Talks & Presentations
- Tools
- binwally
- Ssdeep
- static malware comparison tool - ssdeep is a program for computing context triggered piecewise hashes (CTPH). Also called fuzzy hashes, CTPH can match inputs that have homologies. Such inputs have sequences of identical bytes in the same order, although bytes in between these sequences may be different in both content and length.
-
- 101
- Articles/Writeups
- Talks & Presentations
- Writing Bad @$$ Malware for OS X - Patrick Wardle
- Offensive Malware Analysis: Dissecting OSX FruitFly - Patrick Wardle - DEF CON 25
- FruitFly, the first OS X/macOS malware of 2017, is a rather intriguing specimen. Selectively targeting biomedical research institutions, it is thought to have flown under the radar for many years. In this talk, we'll focus on the 'B' variant of FruitFly that even now, is only detected by a handful of security products. We'll begin by analyzing the malware's dropper, an obfuscated perl script. As this language is rather archaic and uncommon in malware droppers, we'll discuss some debugging techniques and fully deconstruct the script.
- I got 99 Problems, but Little Snitch ain’t one! - Defcon2016
- Let's Play Doctor:Practical OSX Malware Detection and Analysis - Patrick Wardle
- Tools
-
- Repositories of Malware
- The Zoo
- A repository of LIVE malwares for your own joy and pleasure
- Mobile Malware dumps - Contagio
- Equation Group Malware Samples - ContagioDump
- Objective-See Mac Malware Repo
- Contagio - Malware Dump
- DAS MALWERK
- freetrojanbotnet.com
- Kernelmode Malware Sample Collection
- MalShare
- AVcaeasar
- theZoo
- Malwr
- Mac Malware - Objective-see
- VirusShare
- ViruSign
- Javascript Malware Collection
- A collection of almost 40.000 Javascript malware samples.
- [botnets](https://github.com/maestron/botnets/blob/master/)
- This is a collection of botnet source codes, unorganized. For EDUCATIONAL PURPOSES ONLY. Many projects are duplicates or revisions of each other. Many of them have outdated depedencies. My goal is to collectively put them together so that they are compilable and help people interested in malware research analyze them and learn from these samples.
- The Zoo
- Tools to Obtain Malware
- Ragpicker - Malware Crawler
- Ragpicker is a Plugin based malware crawler with pre-analysis and reporting functionalities. Use this tool if you are testing antivirus products, collecting malware for another analyzer/zoo.
- Ragpicker - Malware Crawler
- Repositories of Malware
-
Network Analysis
- Malcom
- Malcom is a tool designed to analyze a system's network communication using graphical representations of network traffic, and cross-reference them with known malware sources. This comes handy when analyzing how certain malware species try to communicate with the outside world.
- Malcom
-
- Data Obfuscation: Now you see me... Now you don't...
- This blog post shows how malware authors use Adobe Flash files to hide their creations' 'sensitive' data. I'll be using 2 recent Neutrino EK and 1 FlashPack malvertising samples to demonstrate it. In the case of Neutrino EK our goal will be extraction and decryption of its configuration file and in the malvertising case we'll be after the initial payload URL + exploit shellcode.
- Protectors
- Obfuscator, Encryption, Junkcode, Anti-Debug, PE protection/modification
- Data Obfuscation: Now you see me... Now you don't...
-
- 101
- MS Office Macros
- Tools
- DDEtect
- Simple DDE object detector
- oletools
- oletools is a package of python tools to analyze Microsoft OLE2 files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), such as Microsoft Office documents or Outlook messages, mainly for malware analysis, forensics and debugging. It is based on the olefile parser. See http://www.decalage.info/python/oletools for more info.
- ViperMonkey
- ViperMonkey is a VBA Emulation engine written in Python, designed to analyze and deobfuscate malicious VBA Macros contained in Microsoft Office files (Word, Excel, PowerPoint, Publisher, etc).
- DDEtect
-
Malware Scanner/Identifier Services(Is it identified/Malicious?)
- Articles
- Scanner/Identifer Services - 3rd Party Hosted
- metasearch-public
- Purpose: stop searching for sample hashes on 10 different sites. This is a simple Python3 Flask application running on port 5000 interacting with various platforms (TBC) and caching the results in a Redis database for faster responses.
- metasearch-public
- Scanner/Identifer Services - Self-Hosted
- Malice
- Malice's mission is to be a free open source version of VirusTotal that anyone can use at any scale from an independent researcher to a fortune 500 company.
- Wepawet
- Wepawet is a free service, for non-commercial organizations, to detect and analyze web-based threats. It currently handles Flash, JavaScript, and PDF files
- IRMA - Incident Response & Malware Analysis
- IRMA intends to be an open-source platform designed to help identifying and analyzing malicious files. However, today's defense is not only about learning about a file, but it is also getting a fine overview of the incident you dealt with: where / when a malicious file has been seen, who submitted a hash, where a hash has been noticed, which anti-virus detects it, ... An important value with IRMA comes from you keep control over where goes / who gets your data. Once you install IRMA on your network, your data stays on your network. Each submitted files is analyzed in various ways. For now, we focus our efforts on multiple anti-virus engines, but we are working on other "probes" (feel free to submit your own).
- PlagueScanner
- PlagueScanner is a multiple AV scanner framework for orchestrating a group of individual AV scanners into one contiguous scanner. There are two basic components in this initial release: Core and Agents.
- MultiAV
- MultiAV scanner with Python and JSON API. [Not currently Maintained]
- Malice
-
- --> See 'Packers' section under 'Writeups' in RE
- 101
- Reference
- Corkami - Packers
- Beautiful.
- Corkami - Packers
- Articles/Writeups
- Papers
- One packer to rule them all: Empirical identification, comparison and circumvention of current Antivirus detection techniques
- Paper on Manual unpacking of UPX packed executable using Ollydbg and Importrec
- A study of the packer problem and its solutions
- Locreate: An Anagram for Relocate
- This paper presents a proof of concept executable packer that does not use any custom code to unpack binaries at execution time. This is different from typical packers which generally rely on packed executables containing code that is used to perform the inverse of the packing operation at runtime. Instead of depending on custom code, the technique described in this paper uses documented behavior of the dynamic loader as a mechanism for performing the unpacking operation. This difference can make binaries packed using this technique more difficult to signature and analyze, but only when presented to an untrained eye. The description of this technique is meant to be an example of a fun thought exercise and not as some sort of revolutionary packer. In fact, it's been used in the virus world many years prior to this paper.
- Implementing a Custom X86 Encoder
- This paper describes the process of implementing a custom encoder for the x86 architecture. To help set the stage, the McAfee Subscription Manager ActiveX control vulnerability, which was discovered by eEye, will be used as an example of a vulnerability that requires the implementation of a custom encoder. In particular, this vulnerability does not permit the use of uppercase characters. To help make things more interesting, the encoder described in this paper will also avoid all characters above 0x7f. This will make the encoder both UTF-8 safe and tolower safe.
- Using dual-mappings to evade automated unpackers
- Automated unpackers such as Renovo, Saffron, and Pandora's Bochs attempt to dynamically unpack executables by detecting the execution of code from regions of virtual memory that have been written to. While this is an elegant method of detecting dynamic code execution, it is possible to evade these unpackers by dual-mapping physical pages to two distinct virtual address regions where one region is used as an editable mapping and the second region is used as an executable mapping. In this way, the editable mapping is written to during the unpacking process and the executable mapping is used to execute the unpacked code dynamically. This effectively evades automated unpackers which rely on detecting the execution of code from virtual addresses that have been written to.
- Talks & Presentations
- Tools
- packer-breaker
- Unpacker for a variety of packing tools.
- de4dot
- de4dot is an open source (GPLv3) .NET deobfuscator and unpacker written in C#. It will try its best to restore a packed and obfuscated assembly to almost the original assembly. Most of the obfuscation can be completely restored (eg. string encryption), but symbol renaming is impossible to restore since the original names aren't (usually) part of the obfuscated assembly.
- AMBER
- Amber is a proof of concept packer, it can pack regularly compiled PE files into reflective PE files that can be used as multi stage infection payloads. If you want to learn the packing methodology used inside the Amber check out below.
- EvadeML
- An Evolutionary Framework for Evading Machine Learning-based Malware Classifiers
- packer-breaker
- Tutorials
- Manually unpacking a Morphine-packed DLL with OllyDbg
- Unpacking with OllyBonE
- This is a brief tutorial giving the basic steps to unpack code using the OllyBonE plugin.
-
Portable Document Format(PDF) a>
- Articles/Writeups
- Talks & Presentations
- Tools
-
- Hooking
- 101
- Articles/Writeups
- Talks & Presentations
- Tools
- TitanHide
- TitanHide is a driver intended to hide debuggers from certain processes. The driver hooks various Nt* kernel functions (using SSDT table hooks) and modifies the return values of the original functions. To hide a process, you must pass a simple structure with a ProcessID and the hiding option(s) to enable, to the driver. The internal API is designed to add hooks with little effort, which means adding features is really easy.
- TitanHide
- Hollowing
- 101
- Articles/Writeups
- Talks & Presentations
- Tools
- Hooking
-
Virtual Machines & Anti-Analysis Tricks
- 101
- VirtualDbgHide
- Windows kernel mode driver to prevent detection of debuggers.
- Win32_ComputerSystem class
- Win32_BIOS class
- VirtualDbgHide
- Articles/Writeups
- rdtsc x86 instruction to detect virtual machines
- Win64/Vabushky - The Great Code Heist
- Modeling Zero Day Malware Spread
- warbirdvm
- An analysis of the Warbird virtual-machine protection
- Knowledge Fragment: Hardening Win7 x64 on VirtualBox for Malware Analysis
- Papers
- Breaking the Sandbox - Sudeep Singh
- Abstract: In this paper, I would like to discuss various existing and interesting techniques which are used to evade the detection of a virus in Sandbox. We will also look at ways a sandbox can be hardened to prevent such evasion.
- On the Cutting Edge: Thwarting Virtual Machine Detection
- Breaking the Sandbox - Sudeep Singh
- Talks & Presentations
- Scientific but Not Academical Overview of Malware Anti-Debugging, Anti-Disassembly and Anti-VM Technologies
- This talk catalogs the common evasion techniques malware authors employ, applying over 50 different static detections, combined with a few dynamic ones for completeness. We validate our catalog by running these detections against a database of 4 million samples (the system is constantly running and the numbers will be updated for the presentation), enabling us to present an analysis on the real state of evasion techniques in use by malware today. The resulting data will help security companies and researchers around the world to focus their attention on making their tools and processes more efficient to rapidly avoid the malware authors' countermeasures.
- Duping the Machine: malware strategies, post sandbox detection
- Scientific but Not Academical Overview of Malware Anti-Debugging, Anti-Disassembly and Anti-VM Technologies
- Tools
- antivmdetection
- Script to create templates to use with VirtualBox to make vm detection harder.
- Paranoid Fish
- Pafish is a demo tool that performs some anti(debugger/VM/sandbox) tricks. Most of them are often used by malware to avoid debugging and dynamic analysis. The project is open source, you can read the code of all anti-analysis checks. You can also download the compiled executable (or compile it by yourself) and reverse engineer it, which is quite recommended.
- makin
- makin - reveal anti-debugging tricks
- SubVirt: Implementing malware with virtual machines
- We evaluate a new type of malicious software that gains qualitatively more control over a system. This new type of malware, which we call a virtual-machine based rootkit (VMBR), installs a virtual-machine monitor underneath an existing operating system and hoists the original operating system into a virtual machine. Virtual-machine based rootkits are hard to detect and remove because their state cannot be accessed by soft- ware running in the target system. Further, VMBRs support general-purpose malicious services by allowing such services to run in a separate operating system that is protected from the target system. We evaluate this new threat by implementing two proof-of-concept VMBRs. We use our proof-of-concept VMBRs to subvert Windows XP and Linux target systems, and we implement four example malicious services using the VMBR platform. Last, we use what we learn from our proof-of-concept VMBRs to explore ways to defend against this new threat. We discuss possible ways to detect and prevent VMBRs, and we implement a defense strategy suitable for protecting systems against this threat.
- Truman
- Truman can be used to build a "sandnet", a tool for analyzing malware in an environment that is isolated, yet provides a virtual Internet for the malware to interact with. It runs on native hardware, therefore it is not stymied by malware which can detect VMWare and other VMs. The major stumbling block to not using VMs is the difficulty involved with repeatedly imaging machines for re-use. Truman automates this process, leaving the researcher with only minimal work to do in order to get an initial analysis of a piece of malware. Truman consists of a Linux boot image (originally based on Chas Tomlin's Windows Image Using Linux) and a collection of scripts. Also provided is pmodump, a Perl-based tool to reconstruct the virtual memory space of a process from a PhysicalMemory dump. With this tool it is possible to circumvent most packers to perform strings analysis on the dumped malware.
- al-khaser
- al-khaser is a PoC "malware" application with good intentions that aims to stress your anti-malware system. It performs a bunch of common malware tricks with the goal of seeing if you stay under the radar.
- antivmdetection
- 101
- Articles/Talks/Writeups
- Papers
- PyTrigger: A System to Trigger & Extract User-Activated Malware Behavior
- Abstract: We introduce PyTrigger, a dynamic malware analy- sis system that automatically exercises a malware binary extract- ing its behavioral profile even when specific user activity or input is required. To accomplish this, we developed a novel user activity record and playback framework and a new behavior extraction approach. Unlike existing research, the activity recording and playback includes the context of every object in addition to traditional keyboard and mouse actions. The addition of the con- text makes the playback more accurate and avoids dependenciesand pitfalls that come with pure mouse and keyboard replay. Moreover, playback can become more efficient by condensing common activities into a single action. After playback, PyTrigger analyzes the system trace using a combination of multiple states and behavior differencing to accurately extract the malware behavior and user triggered behavior from the complete system trace log. We present the algorithms, architecture and evaluate the PyTrigger prototype using 3994 real malware samples. Results and analysis are presented showing PyTrigger extracts additional behavior in 21% of the samples
- A Survey On Automated Dynamic Malware Analysis Evasion and Counter-Evasion: PC, Mobile, and Web - Alexei Bulazel & Bülent Yener
- PyTrigger: A System to Trigger & Extract User-Activated Malware Behavior
- Tools
- DRAKVUF
- DRAKVUF is an agentless dynamic malware analysis system built on Xen, LibVMI, Volatility and Rekall. It allows for in-depth execution tracing of malware samples and extracting deleted files from memory, all without having to install any special software within the virtual machine used for analysis.
- Code
- Zero Wine
- Zero wine is an open source (GPL v2) research project to dynamically analyze the behavior of malware. Zero wine just runs the malware using WINE in a safe virtual sandbox (in an isolated environment) collecting information about the APIs called by the program.
- Honeyagent
- HoneyAgent is a Java agent library that creates a Sandbox for Java applications and applets. Therefore, it uses the JVMTI as well as the JNI to intercept class loading and function calls. During runtime HoneyAgent traces function calls from the analysed application. It is displayed which class calles which function with which parameters. Reflected function calls are translated to the origin function names for simpler reading.
- Pybox
- user-level framework for monitoring processes
- Research paper on it
- INetSim
- INetSim is a software suite for simulating common internet services in a lab environment, e.g. for analyzing the network behaviour of unknown malware samples.
- Regshot
- Regshot is an open-source (LGPL) registry compare utility that allows you to quickly take a snapshot of your registry and then compare it with a second one - done after doing system changes or installing a new software product.
- Mandiant ApateDNS
- Mandiant ApateDNS is a tool for controlling DNS responses though an easy to use GUI. As a phony DNS server, Mandiant ApateDNS spoofs DNS responses to a user-specified IP address by listening on UDP port 53 on the local machine. Mandiant ApateDNS also automatically sets the local DNS to localhost. Upon exiting the tool, it sets back the original local DNS settings.
- Malcom - Malware Communication Analyzer
- Malcom is a tool designed to analyze a system's network communication using graphical representations of network traffic, and cross-reference them with known malware sources. This comes handy when analyzing how certain malware species try to communicate with the outside world.
- BasicHook
- x86 Inline hooking engine (using trampolines)
- Claimsman
- Claimsman logs all file handle creation on Windows systems, and logs to both a local file and centralized log management system.
- WinMerge
- WinMerge is an Open Source differencing and merging tool for Windows. WinMerge can compare both folders and files, presenting differences in a visual text format that is easy to understand and handle.
- API Monitor
- API Monitor is a free software that lets you monitor and control API calls made by applications and services. Its a powerful tool for seeing how applications and services work or for tracking down problems that you have in your own applications.
- SpyStudio
- SpyStudio shows and interprets calls, displaying the results in a structured way which is easy for any IT professional to understand. SpyStudio can show registry keys and files that an application uses, COM objects and Windows the application has created, and errors and exceptions.
- Microsoft Message Analyzer
- Microsoft Message Analyzer is a new tool for capturing, displaying, and analyzing protocol messaging traffic and other system messages. Message Analyzer also enables you to import, aggregate, and analyze data from log and trace files. It is the successor to Microsoft Network Monitor 3.4 and a key component in the Protocol Engineering Framework (PEF) that was created by Microsoft for the improvement of protocol design, development, documentation, testing, and support. With Message Analyzer, you can choose to capture data live or load archived message collections from multiple data sources simultaneously.
- PyTrigger: A System to Trigger & Extract User-Activated Malware Behavior
- Abstract: PyTrigger analyzes the system trace using a combination of multiple states and behavior differencing to accurately extract the malware behavior and user triggered behavior from the complete system trace log. We present the algorithms, architecture and evaluate the PyTrigger prototype using 3994 real malware samples. Results and analysis are presented showing PyTrigger extracts additional behavior in 21% of the samples.
- rVMI - A New Paradigm For Full System Analysis
- rVMI is a debugger on steroids. It leverages Virtual Machine Introspection (VMI) and memory forensics to provide full system analysis. This means that an analyst can inspect userspace processes, kernel drivers, and preboot environments in a single tool. It was specifially designed for interactive dynamic malware analysis. rVMI isolates itself from the malware by placing its interactive debugging environment out of the virtual machine (VM) onto the hypervisor-level. Through the use of VMI the analyst still has full control of the VM, which allows her to pause the VM at any point in time and to use typical debugging features such as breakpoints and watchpoints. In addtion, rVMI provides access to the entire Rekall feature set, which enables an analyst to inspect the kernel and its data structures with ease.
- DRAKVUF
- Tools
- Pyew
- Pyew is a (command line) python tool to analyse malware. It does have support for hexadecimal viewing, disassembly (Intel 16, 32 and 64 bits), PE and ELF file formats (it performs code analysis and let you write scripts using an API to perform many types of analysis), follows direct call/jmp instructions in the interactive command line, displays function names and string data references; supports OLE2 format, PDF format and more. It also supports plugins to add more features to the tool.
- Manalyze - static analyzer for PE files
- Manalyze was written in C++ for Windows and Linux and is released under the terms of the GPLv3 license. It is a robust parser for PE files with a flexible plugin architecture which allows users to statically analyze files in-depth.
- yalda - Gita Ziabari
- The tool is designed to analyze the given files and extract malicious data out of the files.
- Presentation
- Dependency Walker
- Dependency Walker is a free utility that scans any 32-bit or 64-bit Windows module (exe, dll, ocx, sys, etc.) and builds a hierarchical tree diagram of all dependent modules. For each module found, it lists all the functions that are exported by that module, and which of those functions are actually being called by other modules. Another view displays the minimum set of required files, along with detailed information about each file including a full path to the file, base address, version numbers, machine type, debug information, and more.
- Pyew
- Techniques
- BG00 Injection on Steroids Code less Code Injections and 0 Day Techniques Paul Schofield Udi Yavo
- Amoco - Static binary analysis tool
- Amoco is a python package dedicated to the (static) analysis of binaries.
-
General
- 101
- Honeypot Computing - Wikipedia
- The Honeynet Project
- The Honeynet Project is a leading international 501c3 non-profit security research organization, dedicated to investigating the latest attacks and developing open source security tools to improve Internet security. With Chapters around the world, our volunteers have contributed to fight against malware (such as Confickr), discovering new attacks and creating security tools used by businesses and government agencies all over the world. The organization continues to be on the cutting edge of security research by working to analyze the latest attacks and educating the public about threats to information systems across the world.
- Honeypots - ShadowServer
- Types of Honeypots
- Zero Interaction(Think Passive)
- Low Interaction(Think canned, limited responses to incoming data
- Medium/High Interaction(Think Emulating Graphical Services/Providing Continual Content)
- HoneyData - Strings, shares/drives, etc.
- Articles/Papers/Talks/Writeups
- Deploying Dionaea on a Raspberry Pi using MHN
- Experimenting with Honeypots Using The Modern Honey Network
- Building a Honeypot to Research Cyber-Attack Techniques
- Lessons Learn from attacks on Kippo honeypots
- An in-depth analysis of SSH attacks on Amazon EC2
- The research study investigates Secure Shell (SSH) attacks on Amazon EC2 cloud instances across different AWS zones by means of deploying Smart Honeypot (SH). It provides an in-depth analysis of SSH attacks, SSH intruders profile, and attempts to identify their tactics and purposes.
- Analysis of Attacks Using a Honeypot - Verlag Berlin Heidelberg 2011
- Abstract. A Honeypot is a software based security device, deployed to attract hackers by displaying services and open ports which are potentially vulnerable. While the attackers are diverted, t heir activities can then be monitored and an a- lysed to identify current a ttack methods and trends. A low - interaction Honeypot called Dion aea was chosen for this project because it can simulate services while preventing an attacker from gaining full control. Results were collected over the six week period of the experiment. The logged information of the o b- served attacks was analysed and compared with current vulnerabilities, the loc a- tions where the attacks were originating from and the time of day at the orig i- nating site. A profile of individual attackers can then be built to ga in an insight into the current attack trends in order to improve network defences.
- POSTER: Dragging Attackers to Honeypots for Effective Analysis of Cyber Threats
- Setting Honeytraps with Modsecurity - Adding fake hidden form fields
- Honeypots for Active Defense - A Practical Guide to Deploying Honeynets Within the Enterprise - Greg Foss
- InfoSec analysts are all somewhat familiar with honeypots. When they are given the proper attention, care and feeding, they produce invaluable information. This intelligence has been primarily used by security researchers and organizations with advanced defensive capabilities to study their adversaries and learn from their actions. But what about the rest of us? Honeypots are a lot of work to configure, maintain, and monitor -- how can an organization that is not focused on research gain valuable intelligence using honeypots and actively defend their network using the data obtained? The answer is honeypots for active defense. There are currently many open source security tool distributions that come pre-loaded with honeypots among other useful tools, however the honeypot software is often not deployed in an effective manner. This session will discuss techniques to deploy honeypots in ways that will not overburden the security team with massive logs to sift through and focuses on correlating active threat data observed in the honeypot with the production environment. When deploying honeypots effectively, this can give security analysts one additional mechanism to tip them off to nefarious activity within their network.
- Global Honeypot Trends - Elliot Brink
- Many of my computer systems are constantly compromised, attacked, hacked, 24/7. How do I know this? I've been allowing it. This presentation will cover over one year of research running several vulnerable systems (or honeypots) in multiple countries including the USA, mainland China, Russia and others. We'll be taking a look at: a brief introduction to honeypots, common attacker trends (both sophisticated and script kiddie), brief malware analysis and the statistical analysis of attackers based on GeoIP. Are there differences in attacks based on where a computer system is located? Let's investigate this together! Beginners to the topic of honeypots fear not, the basics will be covered.
- Security Onions and Honey Potz - Ethan Dodge - BSidesSLC2015
- 101
-
Miscellaneous
-
Tools
- General
- Introduction to T-Pot - The all in one honeypot - northsec.tech
- T-Pot ISO Creator
- T-Pot Universal Installer and ISO Creator
- T-Pot ISO Creator
- Modern Honey Network(MHN)
- From the secure deployment to the aggregation of thousands of events MHN provides enteprise grade management of the most current open source honeypot software. MHN is completely free open source software which supports external and internal honeypot deployments at a large and distributed scale. MHN uses the HPFeeds standard and low-interaction honeypots to keep effectiveness and security at enterprise grade levels. MHN provides full REST API out of the box and we are making CEF and STIX support available now for direct SIEM integration through our Commercial platform Optic.
- Honeypot Farming: Setup Modern Honey Network
- Beeswarm
- Beeswarm is a honeypot project which provides easy configuration, deployment and management of honeypots. Beeswarm operates by deploying fake end-user systems (clients) and services (honeypots). Beeswarm uses these systems to provides IoC (Indication of Compromise) by observing the difference between expected and actual traffic.
- Github
- Honeywall Project
- The goal of this page is to provide you the latest documentation, source code, distribution, and information for the Honeynet Project's Honeywall CDROM. The Honeywall CDROM is a bootable CD that installs onto a hard drive and comes with all the tools and functionality for you to implement data capture, control and analysis.
- dionea
- dionaea intention is to trap malware exploiting vulnerabilities exposed by services offerd to a network, the ultimate goal is gaining a copy of the malware.
- Glastopf Project
- Glastopf is a Honeypot which emulates thousands of vulnerabilities to gather data from attacks targeting web applications. The principle behind it is very simple: Reply the correct response to the attacker exploiting the web application. The project has been kicked off by Lukas Rist in 2009 and the results we are got during this time are very promising and are an incentive to put even more effort in the development of this unique tool. Read the tool description for further information. We are working together with different people, organizations and institutions to get the best from the collected data. Find out more about collaborating with the project.
- Amun
- Amun is a low-interaction honeypot, like Nepenthes or Omnivora, designed to capture autonomous spreading malware in an automated fashion. Amun is written in Python and therefore allows easy integration of new features.
- Amun Honeypot - Github
- Amun Honeypot Paper
- Portspoof
- The Portspoof program primary goal is to enhance your systems security through a set of new camouflage techniques. As a result of applying them your attackers' port scan result will become entirely mangled and to very significant extent meaningless.
- Opens all ports, hosts seemingly legitimate services on each.
- Honeytrap
- Honeytrap is an extensible and opensource system for running, monitoring and managing honeypots.
- Introduction to T-Pot - The all in one honeypot - northsec.tech
- HoneyTokens
- Java Apps
- Honeyagent
- HoneyAgent is a Java agent library that creates a Sandbox for Java applications and applets. Therefore, it uses the JVMTI as well as the JNI to intercept class loading and function calls. During runtime HoneyAgent traces function calls from the analysed application. It is displayed which class calles which function with which parameters. Reflected function calls are translated to the original function names for simpler reading.
- Honeyagent
- Low-Interaction
- Service Simulators
- iNetSim
- INetSim is a software suite for simulating common internet services in a lab environment, e.g. for analyzing the network behaviour of unknown malware samples.
- iNetSim
- Single Purpose Emulation
- PHP-ShockPot
- PHP-ShockPot is a small honeypot aimed at showing you the interesting attempts made trying to exploit your host using the now famous "Shellshock" (also known as bashbug) bug.
- HoneyBadger
- A framework for targeted geolocation.
- elastichoney0
- Elastichoney is a simple elasticsearch honeypot designed to catch attackers exploiting RCE vulnerabilities in elasticsearch.
- PHP-ShockPot
- SSH
- PSHITT
- pshitt (for Passwords of SSH Intruders Transferred to Text) is a lightweight fake SSH server designed to collect authentication data sent by intruders. It basically collects username and password used by SSH bruteforce software and writes the extracted data to a file in JSON format. pshitt is written in Python and use paramiko to implement the SSH layer.
- Kippo
- Kippo is a medium interaction SSH honeypot designed to log brute force attacks and, most importantly, the entire shell interaction performed by the attacker.
- PSHITT
- Search Engine
- Google Hack Honeypot GHH
- Google Hack Honeypot is the reaction to a new type of malicious web traffic: search engine hackers. GHH is a “Google Hack” honeypot. It is designed to provide reconaissance against attackers that use search engines as a hacking tool against your resources. GHH implements honeypot theory to provide additional security to your web presence. Google has developed a powerful tool. The search engine that Google has implemented allows for searching on an immense amount of information. The Google index has swelled past 8 billion pages [February 2005] and continues to grow daily. Mirroring the growth of the Google index, the spread of web-based applications such as message boards and remote administrative tools has resulted in an increase in the number of misconfigured and vulnerable web apps available on the Internet. These insecure tools, when combined with the power of a search engine and index which Google provides, results in a convenient attack vector for malicious users. GHH is a tool to combat this threat.
- Google Hack Honeypot GHH
- Tarpits
- Web Labyrinth
- A simple tool that creates a maze of bogus web pages to confuse web scanners. It's main goal is to delay and occupy malicious scanners that scan websites in order for incident handlers to detected and respond to them before damage is done.
- Web Labyrinth
- USB
- Ghost USB honeypot
- Ghost is a honeypot for malware that spreads via USB storage devices. It detects infections with such malware without the need of any further information. If you would like to see a video introduction to the project, have a look at this Youtube video](https://www.youtube.com/watch?v=9G9oo3b9qR4)
- Ghost USB Honeypot - Installing/Running
- Ghost USB honeypot
- Web
- Thug - Python low-interaction honeyclient
- Thug is a Python low-interaction honeyclient aimed at mimicing the behavior of a web browser in order to detect and emulate malicious contents.
- Wordpot
- Wordpot is a Wordpress honeypot which detects probes for plugins, themes, timthumb and other common files used to fingerprint a wordpress installation.
- phpmyadmin_honeypot
- Probably one of the smallest and simplest web honeypots out there...
- Web Bug Server
- Easily embed a web bug inside word processing documents. These bugs are hidden to the casual observer by using things like linked style sheets and 1 pixel images.
- honeyLambda
- a simple, serverless application designed to create and monitor URL {honey}tokens, on top of AWS Lambda and Amazon API Gateway
- Thug - Python low-interaction honeyclient
- Windows-based
- Omnivora
- Omnivora is a low-interaction honeypot for systems running Windows operating systems and is implemented using Borland Delphi. It is primarily designed to collect autonomous spreading malware.
- Omnivora
- Wireless
- romanHunter
- romanHunter (router man Hunter) is a wireless honeypot or closer to a sinkhole that will bait a cracker, capture the MAC address, reset the WIFI password (effectively destroying their connection) and wait for the next authorized connection. The password changes happen on a round robin basis from entries in the password file (pw_list.txt).
- romanHunter
- General
-
Integration with Other Tools
- Splunk
- Tango Honeypot Intelligence
- Honeypot Intelligence with Splunk
- Tango Honeypot Intelligence
- Splunk
-
Miscellaneous
- Hflow2
- Data Analysis System
- Hflow2
-
101
-
Articles/Writeups
-
Talks & Presentations
-
Tools
-
License to Kill: Malware Hunting with the Sysinternals Tools
-
- Scriptable dynamic runtime execution of malware
-
- Today I will write about a sample that I will refer to as Trojan.Foxy. Trojan.Foxy requests and parses .JPG images that contain encoded instructions. The encoding algorithm used by this Trojan is loosely based off of the Vigenère cipher; however there is a deviation in how the cipher is applied.
-
https://www.gdata.de/rdk/dl-en-rp-Uroburos
-
Full details on CVE-2015-0096 and the failed MS10-046 Stuxnet fix
-
Interesting Malware - No, I’m not kidding... by Marion Marschalek
-
- Inject JS into native apps
-
Software Distribution Malware Infection Vector
- In this paper we present an efficient mechanism as well as the corresponding reference implementation for on-the-fly infecting of executable code with malicious software. Our algorithm deploys virus infection routines and network redirection attacks, without requiring to modify the application itself. This allows to even infect executables with a embedded signature when the signature is not automatically verified before execution. We briefly discuss also countermeasures such as secure channels, code authentication as well as trusted virtualization that enables the isolation of untrusted downloads from other application running in trusted domains or compartments.
-
Statistical Structures: Fingerprinting Malware for Classification and Analysis - Daniel Bilar
-
Malware Guard Extension: Using SGX to Conceal Cache Attacks
- In this paper, we demonstrate fine-grained software-based side-channel attacks from a malicious SGX enclave targeting co-located enclaves. Our attack is the first malware running on real SGX hardware, abusing SGX protection features to conceal itself. Furthermore, we demonstrate our attack both in a native environment and across multiple Docker containers. We perform a Prime+Probe cache side-channel attack on a co-located SGX enclave running an up-to-date RSA implementation that uses a constant-time multiplication primitive. The attack works although in SGX enclaves there are no timers, no large pages, no physical addresses, and no shared memory. In a semi-synchronous attack, we extract 96% of an RSA private key from a single trace. We extract the full RSA private key in an automated attack from 11 traces within 5 minutes.
-
Windows’ PsSetLoadImageNotifyRoutine Callbacks: the Good, the Bad and the Unclear (Part 2)
-
Malvertising: Under The Hood by Chris Boyd - BSides Manchester2017
-
Computer Viruses In This Modern Age - alcopaul/brigada ocho 2014
-
Windows API resolution via hashing
- Although this method of API obfuscation is relatively old, my friend who was wanting to increase his skills in the Windows sphere confronted me about a way a few malware families seem to resolve APIs. It's pretty simple, however he could not find any documentation with a solid programming example on the matter at the time, so I thought I'd quickly write something up regarding it. I was going to write my own loader for this example (loading the desired module via LdrLoadDll within kernel32.dll, walking the InMemoryOrderModuleList to find the desired loaded module, finding the exported function we're after within the EAT..) - however I thought this might of have been a bit overkill for such a simple concept, I want to cover writing your own PE loader in the future though as it's an interesting subject.
-
Tip: how to find malware samples containing specific strings - Decalage
-
Digital Steganography as an Advanced Malware Detection Evasion Technique - z3roTrust(Masters Thesis)
https://objective-see.com/blog/blog_0x49.html
-
Let’s dig into Vidar – An Arkei Copycat/Forked Stealer (In-depth analysis) - fumko
-
- Several PDF analysis reassembled with additional tips and tools
-
- Generate call graphs from VBA code, for easier analysis of malicious documents. https://github.com/kevthehermit/RATDecoders
Malware writeup (use for COM)
- IcoScript: using webmail to control malware - Grooten
- Major shift in strategy for ZeroAccess rootkit malware, as it shifts to user-mode - James Wyke
- BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger - Bryan Lee, Josh Grunzweig
https://malpedia.caad.fkie.fraunhofer.de/
https://shasaurabh.blogspot.com/2018/01/analyzing-atm-malwares.html https://shasaurabh.blogspot.com/2017/07/virtual-machine-detection-techniques.html
https://github.com/rj-chap/CFWorkshop https://www.youtube.com/watch?v=imq8CG5oNug
- Unprotect Project
- Malware are one of the most aggressive threats in the IT field. They are often used to cause damage, steal data, or spy on a target. Companies and Security Industry are working to be more effective against this threat and detecting new variants. Malware authors spend a great deal of time and effort to develop complex code to perform malicious actions against a target system. It is crucial for malware to remain undetected and avoid sandbox analysis, antiviruses or malware analysts. With this kind of technics, malware are able to pass under the radar and stay undetected on a system. The purpose of this wiki is to try to centralise all these techniques, to understand and detect new generation of malware.
https://www.slideshare.net/matrosov/cybercrime-in-russia-trends-and-issues