Thanks for the great video! I'm curious how malware analysis tools like Capa and FLOSS can be used to identify potential APTs and similar malware. Using MITRE ATT&CK Techniques and Sub-techniques seems like a good approach. Could you explain this further or point me to a video/blog post?
I couldn't find the files in the Git repo that are in the video, could you please drop them? Also, for shellcode.bin, how is the jump address taken in IDA Pro, from matches to stack strings?? How can we understand adding a function at that particular point, i.e. 1E5D? (Sorry, I am kind of a beginner!)
Sure thing! This covers the first binary with the XORed string: github.com/jstrosch/learning-malware-analysis/tree/master/String%20Obfuscation

The shellcode came from this malicious document; the repo contains a full analysis write-up, so you can see how I knew the true entry point of the code: github.com/jstrosch/malware-samples/tree/master/malware_analysis_exercises/2022/October. Now, the EP into the shellcode was at offset +0xE5D; this is simply the number of bytes from the beginning of the shellcode blob. Once I wrapped that into a PE file using sclauncher, the shellcode gets loaded in the .text section, which begins at offset +0x1000 in the PE file in memory. This means that the EP, once wrapped, will be +0x1E5D (0x1000 + 0xE5D).

The rest of the hashes are in the video description, let me know if you have any trouble accessing them.

Hope this helps!
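As an added example (not code from the video or from the repos linked above), this Python script shows the arithmetic in the reply: it parses the section table of a wrapped PE and maps the blob-relative entry offset 0xE5D to RVA 0x1E5D once the blob sits at the start of .text, and checks that against AddressOfEntryPoint. The PE header fixture is constructed inline and is a hypothetical layout, not sclauncher's actual output.

```python
import struct

# Constructed fixture: minimal PE32 with one ".text" section (hypothetical layout, not sclauncher's own output).
def build_minimal_pe(text_rva, entry_rva, text_size=0x2000, image_base=0x400000):
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew: NT headers follow the DOS header
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)  # i386, 1 section, PE32 opt hdr
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)              # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)             # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)         # SectionAlignment, FileAlignment
    sec = struct.pack("<8sIIIIIIHHI", b".text", text_size, text_rva, text_size,
                      0x400, 0, 0, 0, 0, 0x60000020)        # code | execute | read
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sec

def parse_pe(pe):
    """Return (AddressOfEntryPoint, ImageBase, {name: (VirtualAddress, VirtualSize)})."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                     # optional header starts after the file header
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    sections = {}
    for i in range(nsec):
        name, vsize, va = struct.unpack_from("<8sII", pe, opt + opt_size + 40 * i)
        sections[name.rstrip(b"\0").decode()] = (va, vsize)
    return entry_rva, image_base, sections

def blob_offset_to_rva(pe, blob_offset, section=".text"):
    """Offset into the raw shellcode blob -> RVA, given the blob sits at the start of `section`."""
    _, _, sections = parse_pe(pe)
    va, vsize = sections[section]
    if not 0 <= blob_offset < vsize:
        raise ValueError("offset lies outside the section that holds the blob")
    return va + blob_offset

def blob_offset_to_va(pe, blob_offset):
    """The address a disassembler shows for that offset: ImageBase + RVA."""
    _, image_base, _ = parse_pe(pe)
    return image_base + blob_offset_to_rva(pe, blob_offset)

def entry_matches(pe, blob_offset):
    # True when the wrapped PE's entry point really points at the blob's own entry offset.
    entry_rva, _, _ = parse_pe(pe)
    return entry_rva == blob_offset_to_rva(pe, blob_offset)
```

With the fixture built as `build_minimal_pe(text_rva=0x1000, entry_rva=0x1E5D)`, `blob_offset_to_rva(pe, 0xE5D)` returns 0x1E5D and `blob_offset_to_va` returns 0x401E5D at the default image base.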
At 26:08, How did you figure out the stack string address in IDA?
@jstrosch thank you so much 🤟