Malware Analysis Using Cuckoo Sandbox - PowerPoint PPT Presentation

Presentation Transcript

  1. Malware Analysis Using Cuckoo Sandbox Digit Oktavianto 21 June 2014 http://digitoktavianto.web.id digit dot oktavianto at gmail dot com

  2. About Me • Infosec Analyst @ Noosc Global • Member, Indonesian Honeynet Chapter • Member, OWASP Indonesia Chapter • Coordinator, System Administration, CloudIndonesia • Linux Activist (KPLI Jakarta)

  3. Introduction to Malware Analysis • Malware: any piece of code that has malicious intent and/or performs a function the user was not aware it would perform • Malware analysis: the process of analyzing malware: how it behaves, how to reverse it, how to disassemble it

  4. Introduction to Malware Analysis (Cont’d..) • What are the benefits of malware analysis? • We can investigate how the malware works • We can predict what it is going to do to the victims • We will know how to mitigate the attack (quickly assess the threat) • We can prevent further malware action • We will understand threat management better • We can secure our environment

  5. Basic Theory in Sandboxing What is Sandboxing? Sandboxing is a technique for isolating a program (in this case, malware) by providing a confined execution environment

  6. Problems • There are far too many malware samples in the wild • Manual analysis takes a lot of time • Static analysis requires strong skill sets • Need to deal with packed, polymorphic, self-modifying code • Performing dynamic analysis manually is tedious work

  7. Pros • Can automate the whole analysis process • Process high volumes of malware samples • Usable by virtually anyone • Can be tweaked to do cool stuff • Automating is cool

  8. Lets you focus on other duties

  9. Cons • Commercial solutions are very expensive • Some portions of the malware code may not be triggered during the run • The sandbox environment can be detected by the malware • Without proper consumption of the results, the output is useless

  10. Cuckoo Sandbox

  11. Cuckoo Sandbox • Cuckoo Sandbox is open source (started under The Honeynet Project; sponsored by Rapid7’s Magnificent7 program) • Allows sandboxed execution of malicious files • Records file and registry changes and network connections • Integrates with common virtualization platforms • Can target a custom OS and architecture • Allows user interaction during execution • Free

  12. Cuckoo Sandbox What files can be processed by Cuckoo? • Generic Windows executables • DLL files • PDF documents • Microsoft Office documents • URLs • PHP scripts • Almost anything else

  13. Cuckoo Sandbox Output • What is the output result from Cuckoo? • Files being created, deleted and downloaded by the malware during its execution • Memory dumps of the malware processes • Network traffic trace in PCAP format • Screenshots of the Windows desktop taken during the execution of the malware • Full memory dumps of the machines
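Slides 12 and 13 describe what Cuckoo accepts and what it produces; the script below, added here and not code from the presentation or from the Cuckoo project, ties the two together the way an analyst automating a queue would: submit a sample through Cuckoo's REST API, wait for the task to reach the "reported" state, fetch report.json and reduce it to the indicators worth looking at first. It assumes the REST API (utils/api.py) is listening on http://localhost:8090 (the default port, an assumption) and that the report uses the 1.x/2.x report.json layout (network.hosts, network.dns, network.http, dropped, signatures, target.file). SAMPLE_REPORT is a constructed fragment, not output from a real analysis.

```python
"""Drive Cuckoo from a script: submit a sample, wait for the report, pull IOCs.

Added example, not code from the slides or the Cuckoo project. Assumes the
Cuckoo REST API (utils/api.py) listens on http://localhost:8090 and that the
report follows the 1.x/2.x report.json layout. SAMPLE_REPORT is constructed.
"""
import json
import sys
import time
import urllib.request
import uuid

CUCKOO_API = "http://localhost:8090"  # default port of utils/api.py (assumption)


def build_multipart(filename, data, fields=None):
    """Encode form fields plus one file part named 'file'; returns (body, content_type)."""
    boundary = uuid.uuid4().hex
    body = b""
    for name, value in (fields or {}).items():  # package, timeout, options, machine
        body += ('--%s\r\nContent-Disposition: form-data; name="%s"\r\n\r\n%s\r\n'
                 % (boundary, name, value)).encode()
    body += ('--%s\r\nContent-Disposition: form-data; name="file"; filename="%s"\r\n'
             "Content-Type: application/octet-stream\r\n\r\n" % (boundary, filename)).encode()
    body += data + ("\r\n--%s--\r\n" % boundary).encode()
    return body, "multipart/form-data; boundary=" + boundary


def parse_task_id(response):
    """/tasks/create/file answers {"task_id": N}; tolerate a one-element list."""
    task_id = response["task_id"]
    return task_id[0] if isinstance(task_id, list) else int(task_id)


def submit_file(path, package=None, timeout=120, base_url=CUCKOO_API):
    """POST a sample to /tasks/create/file and return its task id (package: exe, dll, pdf, doc...)."""
    with open(path, "rb") as fh:
        data = fh.read()
    fields = {"timeout": str(timeout)}
    if package:
        fields["package"] = package
    body, ctype = build_multipart(path.replace("\\", "/").rsplit("/", 1)[-1], data, fields)
    req = urllib.request.Request(base_url + "/tasks/create/file", data=body,
                                 headers={"Content-Type": ctype})
    with urllib.request.urlopen(req) as resp:
        return parse_task_id(json.loads(resp.read().decode()))


def task_status(task_id, base_url=CUCKOO_API):
    """/tasks/view/<id> -> status: pending, running, completed or reported."""
    with urllib.request.urlopen("%s/tasks/view/%d" % (base_url, task_id)) as resp:
        return json.loads(resp.read().decode())["task"]["status"]


def fetch_report(task_id, base_url=CUCKOO_API, poll=10, max_wait=1800):
    """Poll until the task is reported, then GET /tasks/report/<id>/json."""
    waited = 0
    while task_status(task_id, base_url) != "reported":
        if waited >= max_wait:
            raise TimeoutError("task %d not reported after %ds" % (task_id, max_wait))
        time.sleep(poll)
        waited += poll
    with urllib.request.urlopen("%s/tasks/report/%d/json" % (base_url, task_id)) as resp:
        return json.loads(resp.read().decode())


def extract_iocs(report):
    """Reduce a report.json dict to the indicators an analyst wants first."""
    net = report.get("network", {})
    # 1.x lists hosts as IP strings, 2.x as dicts carrying an "ip" key
    hosts = {h["ip"] if isinstance(h, dict) else h for h in net.get("hosts", [])}
    return {
        "sha256": report.get("target", {}).get("file", {}).get("sha256"),
        "hosts": sorted(hosts),
        "domains": sorted({d["request"] for d in net.get("dns", [])}),
        "urls": sorted({h["uri"] for h in net.get("http", [])}),
        "dropped": sorted((d["name"], d["sha256"]) for d in report.get("dropped", [])),
        "signatures": sorted(((s["severity"], s["name"]) for s in report.get("signatures", [])), reverse=True),
    }


# Constructed report fragment in the shape of report.json (not real output).
SAMPLE_REPORT = {
    "target": {"file": {"name": "sample.exe", "sha256": "a" * 64}},
    "network": {
        "hosts": ["203.0.113.10"],
        "dns": [{"request": "c2.example.net", "type": "A", "answers": [{"data": "203.0.113.10", "type": "A"}]}],
        "http": [{"uri": "http://c2.example.net/gate.php", "host": "c2.example.net", "method": "POST"}],
    },
    "dropped": [{"name": "svchost32.exe", "sha256": "b" * 64, "path": "C:\\Users\\user\\AppData\\Local\\Temp\\svchost32.exe"}],
    "signatures": [{"name": "network_http", "severity": 2}, {"name": "persistence_autorun", "severity": 3}],
}

if __name__ == "__main__":
    # Usage: python cuckoo_submit.py sample.exe exe   (needs a running api.py)
    tid = submit_file(sys.argv[1], package=sys.argv[2] if len(sys.argv) > 2 else None)
    print(json.dumps(extract_iocs(fetch_report(tid)), indent=2))
```

The `package` field is how the file types on slide 12 reach the guest: Cuckoo picks the analysis package from the file type when it is omitted, and forcing it (exe, dll, pdf, doc, url) is the usual fix when auto-detection runs a sample the wrong way. Poll rather than assume a fixed delay; a task that never leaves "pending" usually means no guest machine is free, which the analyst wants to see as a timeout, not as an empty report.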

  14. Cuckoo Sandbox Architecture

  15. Cuckoo Sandbox Component

  16. How Cuckoo Works?

  17. Cuckoo Sandbox Modules • Analysis Packages • Machine Managers • Processing • Reporting • Signatures
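Of the five module types on slide 17, signatures are the one an analyst writes most often, because they turn the raw behavior summary into the "what did it do" line in the report. The module below is an added example, not from the presentation or the Cuckoo project. In a real install the class goes in modules/signatures/ and inherits lib.cuckoo.common.abstracts.Signature; the small Signature base class here is a stand-in that mimics the 1.x helpers check_file, check_key and check_mutex (matching semantics are an assumption) so the module runs without Cuckoo. RESULTS is a constructed behavior summary, and the mutex name is invented for the example.

```python
"""A Cuckoo signature module, exercised here against constructed results.

Added example, not from the slides or the Cuckoo project. In a real install
the signature class lives in modules/signatures/ and inherits
lib.cuckoo.common.abstracts.Signature; the Signature class below is a stand-in
that mimics the 1.x check_file/check_key/check_mutex helpers so the module
runs without Cuckoo. RESULTS is a constructed behavior summary.
"""
import re


class Signature(object):
    """Stand-in for lib.cuckoo.common.abstracts.Signature (assumption)."""
    name = ""
    description = ""
    severity = 1
    categories = []
    authors = []
    minimum = "1.0"

    def __init__(self, results):
        self.results = results
        self.data = []  # matched indicators, rendered under the signature in the report

    def _check(self, items, pattern, regex):
        for item in items:
            if regex and re.match(pattern, item, re.IGNORECASE):
                return item
            if not regex and item == pattern:
                return item
        return None

    def check_file(self, pattern, regex=False):
        return self._check(self.results["behavior"]["summary"]["files"], pattern, regex)

    def check_key(self, pattern, regex=False):
        return self._check(self.results["behavior"]["summary"]["keys"], pattern, regex)

    def check_mutex(self, pattern, regex=False):
        return self._check(self.results["behavior"]["summary"]["mutexes"], pattern, regex)


class RunKeyDropper(Signature):
    """Executable written to %TEMP% and registered in a Run key."""
    name = "runkey_dropper"
    description = "Drops an executable in Temp and registers it for autorun"
    severity = 3
    categories = ["persistence"]
    authors = ["example"]

    def run(self):
        dropped = self.check_file(r".*\\Temp\\[^\\]+\.exe$", regex=True)
        runkey = self.check_key(r".*\\CurrentVersion\\Run\\.+", regex=True)
        if dropped and runkey:  # both behaviours together, not either alone
            self.data.append({"file": dropped})
            self.data.append({"key": runkey})
            return True
        return False


class KnownMutex(Signature):
    """Mutex name tied to a known family (value invented for the example)."""
    name = "known_mutex"
    description = "Creates a mutex associated with a known family"
    severity = 2
    categories = ["generic"]
    authors = ["example"]

    def run(self):
        mutex = self.check_mutex("Global\\ExampleBotMutex")
        if mutex:
            self.data.append({"mutex": mutex})
            return True
        return False


def run_signatures(results, classes):
    """Mimic the processing step: run each signature, collect those that match."""
    matched = []
    for cls in classes:
        sig = cls(results)
        if sig.run():
            matched.append({"name": sig.name, "severity": sig.severity, "data": sig.data})
    return sorted(matched, key=lambda m: m["severity"], reverse=True)


# Constructed summary in the shape of results["behavior"]["summary"].
RESULTS = {"behavior": {"summary": {
    "files": ["C:\\Users\\user\\AppData\\Local\\Temp\\svchost32.exe",
              "C:\\Windows\\System32\\ntdll.dll"],
    "keys": ["HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"],
    "mutexes": ["Global\\ExampleBotMutex"],
}}}

if __name__ == "__main__":
    for m in run_signatures(RESULTS, [RunKeyDropper, KnownMutex]):
        print(m["severity"], m["name"], m["data"])
```

Requiring the Temp drop and the Run key together keeps the signature from firing on installers that legitimately do one or the other; the matched values go into `self.data` so the report shows which file and which key, not just the verdict. This is also the answer to the last "Cons" bullet on slide 9: a signature that encodes what the team actually cares about is how the raw output gets consumed.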

  18. Demo and Practice in Lab • Let’s Start Our Lab Practice

  19. Thank You • FINISH • Q and A • Email : digit dot oktavianto at gmail dot com