Anuj Soni
United States
Joined 13 Jan 2014
I'm a Malware Reverse Engineer, SANS Certified Instructor and Course Author. I'm here to share my successes and failures analyzing malicious code.
Malware Analysis Courses I Author and Teach:
sans.org/for610 (co-author)
sans.org/for710 (author)
Find Anuj Soni on X: asoni
Follow on LinkedIn: www.linkedin.com/in/sonianuj/
DMs open for work inquiries and collaboration proposals.
5 Ways to Find Encryption in Malware
Description: In this video, I discuss five strategies to locate encryption within malware.
Have malware analysis questions or topics you'd like me to cover? Leave a comment and let me know!
SANS Malware Analysis Courses I Author and Teach:
sans.org/for610 (co-author)
sans.org/for710
Samples: github.com/as0ni/youtube-files/raw/main/wc_kbdlv.zip
Password: infected
Description: WannaCry DLL
Unzipped SHA-256: 1be0b96d502c268cb40da97a16952d89674a9329cb60bac81a96e01cf7356830
Tools and Scripts
Ghidra: ghidra-sre.org/0
Capa: github.com/mandiant/capa
Capa Rules: github.com/mandiant/capa-rules
Capa Ghidra Integration: github.com/mandiant/capa/tree/master/capa/ghidra
Ghidra FindCrypt: github.com/TorgoTorgo/ghidra-findcrypt
Original FindCrypt: hex-rays.com/blog/findcrypt/
YARA: virustotal.github.io/yara/
Crypto YARA Rule: github.com/Yara-Rules/rules/blob/master/crypto/crypto_signatures.yar
Follow Anuj on X: x.com/asoni
Follow Anuj on LinkedIn: www.linkedin.com/in/sonianuj/
Views: 2 699
Videos
An Intro to Binary Ninja (Free) for Malware Analysis
4.5K views, 6 months ago
Description: In this video, I introduce a workflow for analyzing malware with Binary Ninja, free edition. Have malware analysis questions or topics you'd like me to cover? Leave a comment and let me know! SANS Malware Analysis Courses I Author and Teach: sans.org/for610 (co-author) sans.org/for710 Samples: github.com/as0ni/youtube-files/raw/main/wc_kbdlv.zip Password: infected Description: Wann...
Decode Malware Strings with Conditional Breakpoints
2.3K views, 6 months ago
Description: In this video, we explore how to deobfuscate malware strings using conditional breakpoints in x64dbg. Timestamps: 0:00 - Intro 1:26 - Running capa 2:39 - Analysis with Ghidra 4:20 - Static file analysis with CFF Explorer 4:40 - Debugging with x64dbg 7:32 - Introducing conditional breakpoints 14:35 - Conditional breakpoints for code deobfuscation Have malware analysis questions or t...
I Tried Ghidra's BSim Feature
2.1K views, 7 months ago
In this video, I discuss how to get started with Ghidra's BSim Feature, which helps identify similar functions across executable files. Have malware analysis questions or topics you'd like me to cover? Leave a comment and let me know! Timestamps: 0:00 - Intro 1:12 - Enabling BSim in Ghidra 3:23 - Create BSim Database 4:55 - Populate BSim Database 8:20 - Register BSim Database 9:34 - Run BSim Qu...
Malware Evasion Techniques: API Unhooking
3.5K views, 8 months ago
Description: In this video, we explore a malware evasion technique - API unhooking. Timestamps: 00:00 - Intro 00:37 - Inline hooking explained 02:04 - Introducing frida-trace 04:12 - Static analysis of Gazprom ransomware 06:18 - Patching Gazprom sample 07:37 - Hooking Gazprom with frida-trace 09:50 - Identifying API unhooking code using x64dbg 12:14 - Reviewing API unhooking code using Ghidra 1...
6 Tips to Get Started with Malware Analysis
3.4K views, 11 months ago
For a limited time (expires 10/31/23), get $600 off OnDemand for both SANS Reverse Engineering Malware courses: FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques FOR710: Reverse-Engineering Malware: Advanced Code Analysis To unlock this offer, use the code FOR610_710_600. Promotional offer valid on the purchase of only FOR610 or FOR710 OnDemand course purchased between ...
Analyzing the FBI's Qakbot Takedown Code
5K views, 1 year ago
Description: In this video, we analyze the FBI's Qakbot takedown code using malware analysis techniques. Timestamps 0:00 - Intro 1:21 - Shellcode analysis with Malcat 7:23 - Identify functionality with Mandiant's capa 10:41 - Analyze shellcode with Ghidra 15:35 - Debug shellcode with runsc 19:40 - Review decoded executable with PEStudio 21:07 - Code analysis to confirm how Qakbot is terminated ...
How I Debug DLL Malware (Emotet)
14K views, 1 year ago
Have questions or topics you'd like me to cover? Leave a comment and let me know! Sample: github.com/as0ni/youtube-files/blob/main/bad.zip Password: infected Malware Family: Emotet Tools Ghidra: ghidra-sre.org/ CFF Explorer: ntcore.com/?page_id=388 x64dbg: x64dbg.com/ Process Hacker: processhacker.sourceforge.io/downloads.php REMnux: remnux.org/ SANS Malware Analysis Courses I Author and Teach:...
Identifying Code Reuse in Ransomware with Ghidra and BinDiff
3.5K views, 1 year ago
Have questions or topics you'd like me to cover? Leave a comment and let me know! Samples: github.com/as0ni/youtube-files/blob/main/conti_lockbit.zip Password: infected Malware Families: Conti, Lockbit Ransomware Tools Ghidra: ghidra-sre.org/ BinDiff: www.zynamics.com/software.html BinExport: github.com/google/binexport Credits vxunderground/status/1620129967874134017 Ma...
How I Execute Malicious Services
3.3K views, 1 year ago
In this video, I share an approach to analyzing a malicious service executable. Please subscribe to the channel to get notified about upcoming malware analysis / reverse engineering videos. Sample: github.com/as0ni/youtube-files/blob/main/12a6.zip Password: infected Malware Family: Cobalt Strike Tools Ghidra: ghidra-sre.org/ pestudio: www.winitor.com/download CFF Explorer: ntcore.com/?page_id=3...
Code Analysis with Ghidra
3K views, 5 years ago
This video presents a workflow for performing code analysis with Ghidra. SANS Malware Analysis Courses I Author and Teach: sans.org/for610 (co-author) sans.org/for710 Resources: Ghidra: ghidra-sre.org/ WannaCry Sample: malwology.files.wordpress.com/2019/08/24d0.zip (pw: infected) VT link: www.virustotal.com/gui/file/24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c/detection Find...
x64dbg is mostly used to crack programs dude. just protect the exe with themida with anti file patching enabled then its good
nice 🙂🙂🙂🙂🙂🙂🙂🙂
Thank you!
PLEASE DO MORE! THIS WAS SO GOOD
Working on it :-)
Really amazing video!! Since you asked for requests: anything with WinDbg. oooo maybe .NET malware too. Speaking of which... debugging managed code in windbg for analysis is super cool.
I usually don't comment on a video unless I need to, but you did great work in this video, and it is very valuable. Please make more videos!
Thanks so much, that means a lot!
Hi Anuj, just a quick question. In this decoding of the strings. Is there a way to decode them and see their associated indexes? Thanks again!
UI like VSCode and Sublime text style
I started learning not long ago, but your explanation is so good I was able to keep track and understand of what you were doing.
Wonderful to hear, thank you!
This was great. Excellent info.
Glad you enjoyed it!
Another great video Anuj! Looking forward to seeing more. It helps with my course in Advanced Malware Analysis from Zero 2 Automated!!!
Would you be willing to do subscriber sample submissions? That would be cool
I’m in!
Hi, I started to learn malware analysis... So, I have trouble recognizing the obfuscated string types in malware... So, if you have a methodology to recognize the type of obfuscation and how to solve it, and some resources, it would be great. Thank you for all the effort that you put in.
I hope to cover this topic in some upcoming videos, thanks!
So the plugins tab will not work for the free version?
7:14 just wondering why the same register EDX is pushed twice? 00401b37 PUSH EDX 00401b38 PUSH EDX
Excellent Anuj! Besides knowing your stuff, I like the pace at which you explain it. Many rush through it. You don't! Outstanding Presentation!
Thank you so much for that kind feedback!
I can decrypt sqlite3 file with these methods?
This video focuses on finding encryption in malware, actually decrypting depends on many factors.
What's the added value of Binary Ninja over Ghidra? Is it worth paying for it?
Depends how you feel about what I presented in the video :-)
The UI and scripting are better. Ghidra has nice features and it's free, but the UI is so bad.
+ for deep dive into ghidra
thanks for all effort
More Videos, you are incredible
More to come!
Thank you for all useful explanation
thank you for all useful explanations
You are welcome!
When I want to install the extension --> "does not point to a valid Ghidra extension."
I had to go back to version 10.3. Fixed.
Maybe I have to fill some knowledge gap here... but how did you know the decoded strings at 7:19 in the video were UTF-16?
Great question, I could have done a better job of clarifying this. When I dumped the address in EAX to the dump window, each character was represented with two bytes. UTF-16 uses two bytes for most characters (vs. UTF-8, for example, which uses 1 byte per ASCII character).
Great video! I was wondering, as someone new to malware analysis and cybersecurity (only about 1 year worth of experience), when would be a good time to take the for610 course? I’ve been interested in taking it but I’ve only analyzed a handful of malware statically + dynamically but never down to any debugging or reverse engineering level
If you’ve analyzed any malware at all, I’d say you’re ready to take 610. We explain assembly and demonstrate disassemblers/debuggers with no expectation that you’ve seen them before. I’m not saying it’ll be easy, but if you’ve had any exposure to analyzing malware before, it’ll be a rewarding challenge. Hope that helps!
Amazing tutorial. Thank you. Super useful.
Glad it was helpful!
You're amazing! This channel deserves millions of subscribers. I'm somewhat new to emulation and feeling a bit overwhelmed. I stumbled upon this plugin for IDA (ua-cam.com/video/AwZs56YajJw/v-deo.html), and I think it's fantastic. However, I'm having trouble setting it up correctly on Windows. If it's possible, could you create a video tutorial to help beginners like me set up these emulators correctly on Windows?
Thanks for the generous compliment! And thanks for suggesting an idea. However I’m mostly focused on using Ghidra and Binary Ninja for now…if you’ve seen a plugin for one of those frameworks that you’d like to see demoed let me know!
I would welcome a comprehensive and up-to-date IDA Pro Playlist.
Thanks for the suggestion. For now I’ve decided to focus on using Ghidra and Binary Ninja because they are no/low cost…but maybe one day!
The capa Ghidra script gets hung up on the directory string for me, doesn't have an option to specify.
DM me on X (@asoni) happy to help
@sonianuj DMed!
thank you , this was helpful
Glad it helped!
Super analysis 👌 tips. ❤
Thanks! Glad you enjoyed it.
Amazing video as always Anuj! Very well done, clear and concise. Hoping my thumbs up and comment help with the YT algorithm 😄
Thanks Jai! Lol the UA-cam overlords approve of your offerings.
You are able to explain well and understandably. I would be happy to see more videos around the topic of malware analysis with Binary Ninja.
Thank you! I do plan to release more analysis videos using Binja!
Great video ❤ Curious - is the theory behind how common encryption algorithms work discussed in FOR710?
It sure is :-)
Clear, concise and to the point. Great video - keep going!
Glad you liked it!
Another amazing video. Can I call this a trick tutorial video for players? LMAO🤣🤣🤣🤣. Anyway, the content is great.
Hi Anuj, thanks for making a video on this topic, conditional breakpoints are highly underrated. Could you please make a video on tracing and its uses? There are few people talking about its uses or significance.
Thanks for the idea! That could be a good one. I'll give this some more thought.
@sonianuj Thanks for commenting. Eagerly waiting for another great video.
Is your vm the base FLARE install?
Actually it’s based off the SANS FOR610 VM but similar idea!
@sonianuj it looks so much cleaner!
well explained and well presented thank you
Glad it was helpful!
I'm trying to apply your method to get the password for a protected file packed with InnoSetup which drops malware. I already found the function with capa which you showed. Thanks a lot.
You’re welcome!
Thanks, that was helpful!!!
Happy to help!
This video answers all my questions! The quality of this video is 10/10, congrats Anuj! I'm buying this now.
You made my day, thank you!
Can DLL malware infect your computer even if you are not clicking on an .exe? Without the DLL being imported by an .exe, could a DLL on its own, without executing an .exe, only by downloading the DLL file, run a RAT, RedLine stealer, rootkits or other malware? Has someone experienced this?
Is there a way to unpack a rar/zip file with a password in IDA Pro/Ghidra directly?
Anuj bhai !! thank you forrr thissss and please keep producing such top notch content on reverse engineering and malware analysis!! respect
Binary Ninja is absolutely where it’s at.
this is high quality content, make moooore!
Glad you enjoyed it!
Short video but very educational.
Thank you!
Binary Ninja is really a game-changer! Especially with v4, it’s wild
It's fast af boi! Very cool. Does it handle big DLLs and PEs, like hiberfil.sys?
Anuj, you should be an anchor man on the Evening Malware News! Outstanding presentation.
Lol thanks Terry. Hope you’re well!