Malware Analysis System empowering LE
Cybercrime Investigation Division, SPO

Malware Analysis System, THEMIS
THEMIS: The Hacking Evidence Malware Investigation System
Background
Prevalence of Malware Crimes
Limited Expertise & Workforce
Losing Connections
Goals
1 Automate & Normalize Analysis
2 Trace & Monitor Criminals
3 Comprehensive Management of Malware Information
System Concept
• Collection
• Analysis
• Correlation & Trace
Malware Life-Cycle based Operation, backed by a central Database
Mechanism 1: Collection (internal input + external resources)

Mechanism 2: Analysis
STATIC: PE Structure, Hash, Ssdeep, Strings, Decompiling, class/methods info; Provider, Receiver, Service, Permission, SMS/CALL (Android app attributes)
DYNAMIC: File/Registry/Network/Process Event Monitoring
Network Resource: IP, E-Mail, Name
Mechanism 3: Correlation & Trace
Entities linked in the correlation graph: Malware Distribution Site, Malware Download, DNS Record (IP, Domain), C&C Server, Information Leakage Sites, Name Server, Anti Virus, User
File Information: MD5/SHA2, File Name, File Type, File Version, File Size, File Creation Time, PE Header, PE Section, EOP, IAT/EAT TimeDateStamp, Compiler Information, Packing Info, Entropy, Resource Section, Digital Signature
Malicious Behavior: File Access/Creation/Edit/Delete, Registry Access/Creation/Edit/Delete, Network Communication, Autorun, Related Process/DLL, API
Domain / DNS attributes: Registrant, E-mail, Whois History, CNAME, PTR, IP2Location
Anti Virus: Antivirus Signature, Engine Version
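The static attributes listed under Mechanism 2 and the pivots used in Mechanism 3 (hashes, TimeDateStamp, section entropy as a packing indicator, shared C&C servers), as an added example that is not THEMIS code. It parses the DOS/COFF headers and section table of a PE file with the standard library only, then inverts the chosen attributes into a pivot index and walks shared values into clusters of related samples. The sample binaries, the C&C addresses and the connected-components clustering are all assumptions constructed for this script; the real system's correlation logic is not described on the slides.

```python
"""Added example (not THEMIS code): static PE feature extraction plus attribute pivoting.

Sample binaries and indicators below are constructed in this script so it runs offline.
"""
import hashlib
import math
import struct
from collections import defaultdict

COFF_FMT = "<HHIIIHH"          # Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER (40 bytes)


def build_pe(timestamp, sections):
    """Construct a minimal PE image (MZ stub, COFF header, section table, raw section data).
    Used here only to fabricate test samples; it has no optional header and will not load."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack(COFF_FMT, 0x14C, len(sections), timestamp, 0, 0, 0, 0x0102)
    offset = e_lfanew + 4 + struct.calcsize(COFF_FMT) + struct.calcsize(SECTION_FMT) * len(sections)
    table, raw = b"", b""
    for name, data in sections:
        table += struct.pack(SECTION_FMT, name.ljust(8, b"\0"), len(data), 0x1000,
                             len(data), offset, 0, 0, 0, 0, 0x60000020)
        raw += data
        offset += len(data)
    return dos + b"PE\0\0" + coff + table + raw


def shannon_entropy(data):
    """Bits per byte: ~8.0 for packed/encrypted data, near 0 for padding or repeated bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def extract_static(blob):
    """Parse DOS/COFF headers and the section table, returning the pivotable static attributes."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    machine, nsec, timestamp, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, blob, coff_off)
    sec_off = coff_off + struct.calcsize(COFF_FMT) + opt_size
    sections = []
    for i in range(nsec):
        fields = struct.unpack_from(SECTION_FMT, blob, sec_off + 40 * i)
        name, raw_size, raw_ptr = fields[0], fields[3], fields[4]
        data = blob[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "size": raw_size, "entropy": round(shannon_entropy(data), 2)})
    return {
        "md5": hashlib.md5(blob).hexdigest(),
        "sha256": hashlib.sha256(blob).hexdigest(),
        "machine": machine,
        "timestamp": timestamp,                                 # COFF TimeDateStamp pivot
        "sections": sections,
        "packed": any(s["entropy"] > 7.0 for s in sections),   # heuristic packing flag (assumed threshold)
    }


def pivot_index(samples):
    """Invert selected attributes into (attribute, value) -> {sample ids} for correlation."""
    index = defaultdict(set)
    for sid, s in samples.items():
        keys = [("timestamp", s["static"]["timestamp"])]
        keys += [("c2", ip) for ip in s["dynamic"].get("c2", [])]
        for key in keys:
            index[key].add(sid)
    return index


def correlate(samples):
    """Group samples that share at least one pivot value (transitively), largest cluster first."""
    adjacency = {sid: set() for sid in samples}
    for ids in pivot_index(samples).values():
        for sid in ids:
            adjacency[sid] |= ids - {sid}
    seen, clusters = set(), []
    for start in sorted(samples):
        if start in seen:
            continue
        comp, stack = set(), [start]
        while stack:
            sid = stack.pop()
            if sid not in comp:
                comp.add(sid)
                stack.extend(adjacency[sid])
        seen |= comp
        clusters.append(sorted(comp))
    return sorted(clusters, key=lambda c: (-len(c), c))


# Constructed samples: A and B share a compile timestamp, B and C share a C&C, D is unrelated.
TEXT = b"This program cannot be run in DOS mode" * 4
HIGH_ENTROPY = bytes(range(256))
SAMPLES = {
    "A": {"static": extract_static(build_pe(0x5A000000, [(b".text", TEXT)])),
          "dynamic": {"c2": ["203.0.113.10"]}},
    "B": {"static": extract_static(build_pe(0x5A000000, [(b"UPX1", HIGH_ENTROPY)])),
          "dynamic": {"c2": ["203.0.113.11"]}},
    "C": {"static": extract_static(build_pe(0x5B000000, [(b".text", TEXT)])),
          "dynamic": {"c2": ["203.0.113.11"]}},
    "D": {"static": extract_static(build_pe(0x5C000000, [(b".text", TEXT)])),
          "dynamic": {"c2": []}},
}

if __name__ == "__main__":
    for sid, s in SAMPLES.items():
        print(sid, s["static"]["sha256"][:16], s["static"]["timestamp"], s["static"]["packed"])
    print(correlate(SAMPLES))   # [['A', 'B', 'C'], ['D']]
```

Any attribute from the File Information or Malicious Behavior lists can be added to pivot_index the same way; the point of the inverted index is that a new sample is linked to existing cases the moment one of its values (hash, timestamp, C&C, registrant e-mail) already appears in the database, which is what lets an investigator "see the criminal ring" rather than one file at a time. Pivoting on a compile timestamp alone is weak evidence, since it is attacker-controlled, so in practice clusters are confirmed against a second independent attribute.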
Results
1 Speed up Initial Investigation
2 See the Criminal Rings
3 Facilitate Collaboration
Case I: System Intrusion into a major company
• Analyzed 41 malicious files, identified 10 C&C servers
• Monitored the C&C servers as they changed their IPs
• Seized a C&C server, identified additional victims

Case II: Cyber Threat against a nuclear power plant operator
• Analyzed more than 10,000 EML files
• Extracted 5,986 malicious attachments from the emails
• Analyzed the malicious files and clarified their function
1 day