
Malware fox download

The video then demonstrates how to write some Python to fully deobfuscate the strings. This is something I enjoyed, as I suck at writing code and also lose interest in hello world tutorials that don't relate to malware analysis. Next we move on to an Excel document that delivers Zloader and perform some analysis using olebrowse and olevba to identify malicious indicators. Again this is quite technical, and x32dbg is used to actually debug the Excel document, which is something I have never done and found quite interesting.

Finally we have another Word document which makes use of the Equation Editor exploit, and we are shown how to use rtfdump to analyse the file.

The next video focuses on a sample of IcedID malware and is just under 45 mins in length. This is where we are analysing malware which has been downloaded by the first-stage malicious document; this is a common technique and was the main attack vector of Emotet. This was a video I really enjoyed, as it covers how to automatically extract the config from a piece of malware, which contains information such as the bad guys' C2s.


We begin with some static analysis of the sample using PEStudio and unpacking the malware using x64dbg, and some nice pointers are given for manually unpacking malware. I always find it useful to see other people's methodology when analysing or unpacking malware, so even for somebody who has completed the SANS 610 it was nice to pick up a few little pointers. The video also begins with some very informative slides covering 0verfl0w_'s methodology for analysing a loader and developing a config extractor. What I also liked was that a different technique was demonstrated for dumping the unpacked file to the desktop than I tend to use, which involved using PEBear. This is a tool that is widely used but something I have never really used myself, so again I found this useful. In the video the unpacked malware is then loaded into IDA to begin static analysis. I actually used Ghidra at first but found that it wasn't resolving the Windows API function parameters; this basically rendered it useless for this part of the exercise.