Tracing network data back to encryption


Jul 16, 2020
by Mathieu
Categories: Reven
Tags: Reverse Engineering - Malware Analysis - Analysis API - Taint - Reven




In this video, we demonstrate how REVEN makes it possible to connect data sent through the network with the code that generated it beforehand. In our case, this reveals a decryption routine in a malware.

  • The first step is to reconstruct a usable PCAP file from the trace to explore the network trace with Wireshark, and identify relevant buffers in the REVEN trace.
  • Then, using the tainting engine, we quickly find a simple decryption routine.
  • From there, using the Python API, we extract even more information from that trace, to try to reveal as many strings from the malware binary as possible.
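The first step above turns the buffers recovered from the trace into a PCAP file that Wireshark can open. As an added illustration (not Tetrane's code, and not using the REVEN API, which is not shown here), the following Python builds such a file from a list of send/receive buffers: each buffer is wrapped in Ethernet/IPv4/TCP headers with valid checksums, sequence numbers are tracked per direction so Wireshark can follow the stream, and a small reader walks the records back to confirm the payloads round-trip. The timestamps, addresses, ports and sample buffers are constructed placeholders.

```python
"""Constructed example: write buffers recovered from a trace as a PCAP file.
Not REVEN's exporter; the REVEN Python API is not used here."""
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4      # microsecond-resolution pcap, written little-endian
LINKTYPE_ETHERNET = 1


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum over 16-bit words (used for both the IPv4 and TCP headers)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(payload, src_ip, dst_ip, src_port, dst_port, seq, ack):
    """Wrap one application buffer in Ethernet / IPv4 / TCP (PSH,ACK) headers."""
    # MAC addresses are not recoverable from buffers captured at the API/syscall
    # level, so zero placeholders are used; Wireshark does not care.
    eth = bytes(6) + bytes(6) + b"\x08\x00"
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    # TCP header with data offset 5 (20 bytes), flags PSH|ACK, checksum zeroed.
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                      5 << 4, 0x18, 65535, 0, 0) + payload
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", ones_complement_checksum(pseudo + tcp)) + tcp[18:]
    # IPv4 header: version 4 / IHL 5, DF set, TTL 64, protocol TCP, checksum zeroed.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ones_complement_checksum(ip)) + ip[12:]
    return eth + ip + tcp


def buffers_to_pcap(buffers, client=("10.0.0.2", 49152), server=("203.0.113.10", 80)):
    """buffers: list of (timestamp_seconds, direction, data), direction 'out' or 'in'.
    Returns the complete PCAP file as bytes."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    seq = {"out": 1000, "in": 5000}   # constructed initial sequence numbers per direction
    for ts, direction, data in buffers:
        if direction == "out":
            frame = build_frame(data, client[0], server[0], client[1], server[1],
                                seq["out"], seq["in"])
        else:
            frame = build_frame(data, server[0], client[0], server[1], client[1],
                                seq["in"], seq["out"])
        seq[direction] += len(data)
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return bytes(out)


def pcap_payloads(pcap: bytes):
    """Walk the records of a file produced above and return the TCP payloads."""
    payloads = []
    off = 24                          # skip the global header
    while off < len(pcap):
        _, _, incl, _ = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16: off + 16 + incl]
        ihl = (frame[14] & 0x0F) * 4                      # IPv4 header length
        data_off = (frame[14 + ihl + 12] >> 4) * 4        # TCP header length
        payloads.append(frame[14 + ihl + data_off:])
        off += 16 + incl
    return payloads


# Constructed sample: stands in for the buffers found in send()/recv() in the trace.
SAMPLE_BUFFERS = [
    (1594857600.000100, "out", b"GET /index.html HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
    (1594857600.250000, "in", b"HTTP/1.1 200 OK\r\nContent-Length: 4\r\n\r\n\x13\x37\xde\xad"),
]

if __name__ == "__main__":
    with open("reconstructed.pcap", "wb") as f:
        f.write(buffers_to_pcap(SAMPLE_BUFFERS))
```

Opening `reconstructed.pcap` in Wireshark and using "Follow TCP Stream" shows the two buffers as one conversation; the record timestamps are what lets you map a packet back to the point in the trace where its buffer was filled.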


Note this video assumes previous knowledge of REVEN and trace navigation, to which the following videos may provide a gentler introduction:

The demo

Details


The malware we analyze here is a sample of the PocoDown family, whose SHA-256 is ab8c93b24767c43559c03da63bb8275aa1e7babb36dc2ec3719c55b973b1f823.
