Atelier d’introduction au reverse de malware et à l’OSINT, et les liens entre ces deux disciplines. Le workshop cible un public novice au reverse, à l’OSINT.

1. Introduction ~45min

• OpenFacto introduction
• What is Cyber Threat Intelligence?
• What is malware analysis?
• What is OSINT? -> insist on methodology before tools, and the need to check the origins of one’s tools -> pivots
• Links between malware analysis and OSINT

2. Windows Malware analysis ~1h

2.1 Introduction on Windows Malware analysis ~15min

• Many different possible goals -> even more different methodologies
  • Exploratory : what does this malware do?
  • Detection : briefly talk about detection signatures
  • Extracting information for further analysis : mistakes made by dev (PDB, email address, etc.) and malware configuration (IP, domain names, etc)
  • Studying the evolution of the code : need to know what characteristics are unchanging, possibility to compare different versions
  • etc, etc.
• Feedback
  • The first step can be difficult to make, but there are some quick wins that can help you get started
  • A lot of people are scared of assembly, but if you don’t want to be a professional malware analyst, you don’t necessarily need to have a very deep understanding of assembly language
  • if you do want to get into it, practicing is the best way to learn, and being patient is important (try not to get frustrated with the fact that you won’t understand everything at first)
  • A lot of good resources exist (list at the end), the first one being PMA, which is really good to get started

2.2 The basics ~20min

Mostly demonstrations with possibility for the attendees to try it out at the same time

• Some important notions
  • Strings : string formats, extracting them, what strings could be interesting (PDB, function names)
  • Talk about the PE header, without getting into too many details (mostly imports/Windows API and timestamps)
• Assembly
  • There won’t be the time to get into details here, it’s a very broad subject
  • Most important tip: practice and don’t get discouraged! It’s okay not to understand everything, but you need keep in mind your goal
  • Free tools available to practice at home (show Binary Ninja)
  • A possible strategy: start with some quick wins and get into the details of assembly little by little with practice. Or just stop at the quick wins that can still be useful even if assembly isn’t your thing

2.3 Quick wins exist! ~25min

• Many tools exist online
  • Tools for extracting embedded files (like images -> OSINT)
  • Tools for unpacking (broad subject, there may not be enough time to talk about it)
• Windows API documentation
  • Show as an example 2 malware functions where you can see Windows API functions being called and roughly guess what’s going on (interactive)
• Recognizable patterns or cryptograhic constants
  • Show 2 examples of famous cryptographic functions that are easily recognizable (interactive)
• Basically, if you don’t get too intimidated, you might understand more than you’d think
• Limitations : complex packing, obfuscation techniques, …

3. OSINT ~1h

3.1 Dorks 20 min

• Starting point: we got an Windows API, yeah!
• Review of major search engines, and how to influence results we get from a request
• A few dorks
• Practice

3.2 Working on pseudonyms and email addresses 20 min

• Starting point: pseudo in PDB, that’s nice!
• How people create their pseudonyms -> get the target’s interest -> context from numbers -> sometimes get an idea of a geographical area linked to the target
• Pseudonyms -> Main tools and how they work behind – understand how it works and how to interpret results -> Alternative resources
• Email addresses: -> domain names -> blogs (mail ru) -> aggregation tools – and how they work
• Practice

3.3 Domain names 20 min

• Starting point: the configuration gave us a domain name!
• whois, historical data, RGPD and its consequences
• Domain names and IP adresses – links and false leads
• general knowledge about domain generation algorithms?
• Depending on the time left: quick wins with certificates or how to get the real IP behind a cloudflare protected domain?
• Practice

Conclusion ~15min

• Interesting resources to get into malware analysis (don’t panic!)
• Conclusion on OSINT