Overcome Self-Defending Malware – Tools, Techniques and Lab Setup
TTS
Here I demonstrate how to overcome a simple self-defence tactic that some malware samples commonly utilise to target their victims and prevent sandbox / VM analysis.
I demonstrate how to setup two Virtual Machines to capture networking requests from Windows using fakedns and inetsim, both of which are pre-installed on REMnux. Then, we use ProcMon and Process Hacker to look at running processes, APIMon to capture the API calls used by the malware and x64dbg to disassemble and debug it.
Next I show you how to quickly patch the malware to remove the anti-analysis trick and this enables you to illicit networking IOCs from the sample which are super-useful for you to protect against in your own environment.
Finally I demonstrate a super-cool x64dbg plugin called BreakpointUnresolved which allows you to set a breakpoint on API calls that aren't in the IAT, i.e. API calls that the malware loads and references at runtime. This is a brilliant plugin and one very worthy of putting in your toolkit.
Sample:
MD5: c72228712e3955a28f5ea1ccbcb93b74
Tools Used:
Process Hacker - http://processhacker.sourceforge.net/
Process Monitor - https://docs.microsoft.com/en-us/sysinternals/downloads/process-utilities
API Mon - http://www.rohitab.com/apimonitor
x64dbg - https://x64dbg.com/#start
PEStudio - https://www.winitor.com/
REMnux - https://remnux.org/
BreakpointUnresolved - I've uploaded compiled versions here: http://jmp.sh/8muSqjs
If you like the video, click Like.
If you loved it, subscribe!
You can also follow me https://twitter.com/cybercdh
Thanks for watching!
2017-10-07 18:55:32
source
Gloss