
Adric Net adricnet

@adricnet
adricnet / how-learn-malware.md
Last active March 20, 2022 16:37
Some notes on how to learn malware analysis

Yay, one of my favourite topics :) I'm still learning malware analysis, and here's what's helped me:

Resources

  • Books: PMA, and then Malware Analyst's Cookbook, Exploits, Reversing books once you get going
  • Tools: Remnux for static and a safe execution environment for dynamic[1]
  • Samples from books and courses and CTFs .. virusshare is cool too, please seed!
  • Online courses: The http://opensecuritytraining.info/Training.html material is all fantastic and free.
  • Do follow the recommended paths (see img ) if you don't know, say, x86 ASM, or you may get lost fast and not get as much out of it.
@adricnet
adricnet / dexray_rocks.md
Last active March 2, 2021 10:12
dexray testing

Brad says:

Review the traffic and consult the alerts if necessary. You should be able to get the following information from the pcap:

The user's first and last name
The host name of the user's Windows computer
The MAC address of the user's Windows computer
What type(s) or item(s) of malware the user's computer is infected with.

How the user's computer got infected with the item(s) of malware.

@adricnet
adricnet / yara_ole_vba.md
Last active March 3, 2020 18:59
Trying to automate clustering some vba in OLE in DOCX

Some DOCX samples today had the VBA script payload embedded into OLE objects in the DOCX. To a user this looks like document icons in the Word file, and for file analysis they are in the DOCX zip under word/embeddings (Thanks Brian!). After doing a few of these manually, and then dynamically fighting with the Office debugger to get the indicators out of them individually, I took a moment to try and automate at least part of the process.

Loop through samples in a directory, yank all of the embedded OLE objects, and scan them for likely VBA script with Yara

$ for file in efax/*.docx ; do unzip -qq -o -j "$file" "word/embeddings*" ; \
  for y in oleObject*; do echo -n "$file  "; \
    yara -f -w vbaoleobj.yara "$y"; done; rm -f oleObject* ; done
@adricnet
adricnet / some_vba_notes.md
Last active December 27, 2019 21:01
Some notes on VBA analysis

Some VBA notes

Tools

  • Unix(Remnux): viper.li, oletools, & Didier's tools
  • Windows: Office Excel (VBE) & Visual Studio Community (VSC), officemalscanner
  • Editors: scite, VS Code

Dependencies

@adricnet
adricnet / kali-config-monkeypatch.md
Created November 1, 2019 21:35
Minimally customize a Kali ISO for moar package goodness
root@kali:~/Desktop/live-build-config# cat kali-config/variant-light-voltron/package-lists/kali.list.chroot 
# You always want those
#kali-linux-core
kali-desktop-live

# Kali applications
#<package>
# You can customize the set of Kali metapackages (groups of tools) to install
@adricnet
adricnet / some-conf-talks.md
Last active October 15, 2019 02:05
Conference talks I missed live, watching videos
@adricnet
adricnet / vba-sed-script
Created October 20, 2016 20:25
Normalise VBA code in macros for easier code analysis
### Normalise VBA code in macros for easier code analysis, @adricnet
## Remove all the DOS newlines to start
/^[[:space:]]*$/d
## Add in newlines we want to highlight code blocks
s/end function/End Function\n/i
s/end sub/End Sub\n/i
## Fix mangled cASe obFUScaTioN while we are here
@adricnet
adricnet / cuckoo-windows.md
Last active April 12, 2018 17:17
Cuckoo 2 python 2.7 32bit on Win x64

Some obstacles overcome to get a Cuckoo 2 sandbox going on the class laptop: Win10x64 Pro. These are just my notes and ramblings; the intent is to write up a working build in case someone else in 610 or the community wants it.

Book

Upstream installation instructions, might give harmless cert error: http://docs.cuckoosandbox.org/en/latest/installation/guest/agent/

Python

@adricnet
adricnet / poof-msf3-joker.md
Last active March 22, 2018 01:30
Proof of obtaining flag? Metasploitable 3's Joker card

The live demo attempt method (FileInsight):

  1. Use web developer tools or Burp to capture source of index page. (Ctrl-A, Ctrl-C)

  2. Paste that HTML into a new buffer in FileInsight.

  3. Trim away everything but the suspicious bitstream.

  4. Select the bitstream (Ctrl-A) and use the Decode tools in the left pane to convert Hex to ASCII (no key).