Tracing network data back to encryption
In this video, we demonstrate how REVEN makes it possible to connect data sent through the network with the code that generated it beforehand. In our case, this reveals a decryption routine in a malware sample.
- The first step is to reconstruct a usable PCAP file from the trace to explore the network trace with Wireshark, and identify relevant buffers in the REVEN trace.
- Then, using the tainting engine, we quickly find a simple decryption routine.
- From there, using the Python API, we extract even more information from the trace, to try to reveal as many strings from the malware binary as possible.
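The first step above, rebuilding a PCAP from buffers lifted out of the trace, is illustrated by the following added example. It is not REVEN's own code and does not call the REVEN Python API: it assumes the send()/recv() payloads have already been extracted from the trace as byte strings, and it wraps each one in synthetic IPv4/TCP headers (with valid checksums) so that Wireshark can dissect the stream. The endpoints, sequence numbers and payloads are constructed placeholders; `LINKTYPE_IPV4` (228) is the real libpcap link type for frames that begin at the IP header.

```python
"""Rebuild a minimal libpcap file from application-layer buffers.

Added example, not REVEN code. The buffers below stand in for the
send()/recv() payloads one would lift from a trace; each is wrapped in
synthetic IPv4/TCP headers so a dissector can follow the stream.
"""
import struct
from typing import Iterable, List, Tuple

PCAP_MAGIC = 0xA1B2C3D4   # classic pcap, microsecond timestamps
LINKTYPE_IPV4 = 228       # frames begin directly at the IPv4 header

# Constructed sample: (timestamp seconds, direction, payload).
# "out" is client -> server. Payloads are placeholders, not real traffic.
SAMPLE_BUFFERS: List[Tuple[float, str, bytes]] = [
    (1.000, "out", b"GET /beacon HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
    (1.250, "in", b"HTTP/1.1 200 OK\r\nContent-Length: 4\r\n\r\n\x13\x37\xde\xad"),
]

CLIENT = ("10.0.0.2", 49152)   # hypothetical endpoints for the synthetic headers
SERVER = ("192.0.2.10", 80)


def _ip_to_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum over 16-bit words (odd length padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_segment(src, dst, seq: int, ack: int, payload: bytes) -> bytes:
    """IPv4 header + TCP header (PSH|ACK, no options) + payload, checksums filled in."""
    src_ip, src_port = src
    dst_ip, dst_port = dst
    # TCP header: ports, seq, ack, data offset 5 (20 bytes), flags 0x18, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack, 5 << 4, 0x18, 65535, 0, 0)
    pseudo = _ip_to_bytes(src_ip) + _ip_to_bytes(dst_ip) + struct.pack("!BBH", 0, 6, len(tcp) + len(payload))
    tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo + tcp + payload)) + tcp[18:]
    # IPv4 header: version/IHL, TOS, total length, id, DF flag, TTL, proto 6, csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0x4000, 64, 6, 0,
                     _ip_to_bytes(src_ip), _ip_to_bytes(dst_ip))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + tcp + payload


def build_pcap(buffers: Iterable[Tuple[float, str, bytes]]) -> bytes:
    """Serialise the buffers as a libpcap file whose frames are raw IPv4 packets."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_IPV4))
    seq = {"out": 1000, "in": 5000}   # hypothetical initial sequence numbers per direction
    for ts, direction, payload in buffers:
        if direction == "out":
            frame = build_tcp_segment(CLIENT, SERVER, seq["out"], seq["in"], payload)
        else:
            frame = build_tcp_segment(SERVER, CLIENT, seq["in"], seq["out"], payload)
        seq[direction] += len(payload)   # keep the stream reassemblable
        sec, usec = int(ts), int(round((ts - int(ts)) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame))
        out += frame
    return bytes(out)


def read_pcap(data: bytes) -> List[Tuple[int, int, bytes]]:
    """Parse a pcap produced above back into (seconds, microseconds, frame) records."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_IPV4:
        raise ValueError("unexpected pcap header")
    records, off = [], 24
    while off < len(data):
        sec, usec, incl, _orig = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        records.append((sec, usec, data[off:off + incl]))
        off += incl
    return records


def verify_frame(frame: bytes) -> bool:
    """Recheck both checksums the way a dissector would; valid data sums to zero."""
    ip, rest = frame[:20], frame[20:]
    pseudo = ip[12:16] + ip[16:20] + struct.pack("!BBH", 0, 6, len(rest))
    return inet_checksum(ip) == 0 and inet_checksum(pseudo + rest) == 0


def tcp_payload(frame: bytes) -> bytes:
    """Strip the IPv4 and TCP headers (honouring IHL and data offset)."""
    ihl = (frame[0] & 0x0F) * 4
    doff = (frame[ihl + 12] >> 4) * 4
    return frame[ihl + doff:]


if __name__ == "__main__":
    with open("rebuilt.pcap", "wb") as fh:
        fh.write(build_pcap(SAMPLE_BUFFERS))
```

Running the module writes `rebuilt.pcap`, which Wireshark opens with "Follow TCP Stream" showing the two constructed buffers. Because both checksums are computed, the dissector shows no checksum warnings, which matters when you later compare the reconstructed stream against the buffers the taint analysis points at.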
First time reading about REVEN?
Note that this video assumes prior knowledge of REVEN and trace navigation; the following videos provide a gentler introduction:
- VLC code execution: a tour of REVEN terminology & trace navigation.
- Recording a trace: a demonstration of what is recorded in a trace, and how.
- Kernel bug: from crash to input: a short example of using the tainting engine’s dataflow analysis to reveal connections between code locations.
The malware we analyze here is a sample of the PocoDown family, whose SHA-256 is