Tracing network data back to encryption
Jul 16, 2020
by Mathieu
Categories: REVEN -
Tags: Reverse Engineering - Malware Analysis - Analysis API - Taint - REVEN -
In this video, we demonstrate how REVEN makes it possible to connect data sent over the network with the code that produced it beforehand. In our case, this reveals a decryption routine in a malware sample.
- The first step is to reconstruct a usable PCAP file from the trace, explore the network traffic with Wireshark, and identify the relevant buffers back in the REVEN trace.
- Then, using the tainting engine, we quickly find a simple decryption routine.
- From there, using the Python API, we extract even more information from the trace, to try and reveal as many strings from the malware binary as possible.
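The first step above, turning buffers recovered from the trace into a capture that Wireshark will open, is mostly a matter of writing the libpcap container correctly. The following Python script is an added example for this post, not REVEN's or Tetrane's code and not the Python API call used in the video: it wraps each payload in placeholder Ethernet/IPv4/TCP headers (MAC addresses, sequence numbers and the TCP checksum are dummies; the IPv4 header checksum is computed so the dissector does not flag it), writes a classic libpcap file, and parses it back to check the round trip. The two HTTP buffers are constructed inline so it runs offline; in the real workflow they would be read out of the trace at the point where the process hands them to the network stack.

```python
"""Rebuild a libpcap capture from raw packet payloads.

Added example for this post; it is not REVEN's or Tetrane's code. In the
workflow described above the payloads would be read out of the REVEN trace
(the buffers the traced process hands to the network stack); here they are
constructed inline so the script runs offline.
"""
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4   # classic libpcap, microsecond timestamps
LINKTYPE_ETHERNET = 1


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over a 20-byte IPv4 header.
    Over a header that already carries its checksum the result is 0."""
    words = struct.unpack("!%dH" % (len(header) // 2), header)
    total = sum(words)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_ip: str, dst_ip: str, src_port: int, dst_port: int,
                payload: bytes) -> bytes:
    """Wrap one TCP segment in Ethernet/IPv4/TCP headers so Wireshark can
    dissect it. MACs, seq/ack numbers and the TCP checksum are placeholders
    (assumption: only the payload matters for the analysis)."""
    eth = bytes.fromhex("020000000001" "020000000002" "0800")
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                      5 << 4,        # data offset: 5 words, no options
                      0x18,          # PSH|ACK
                      65535, 0, 0)   # window, checksum (dummy), urgent ptr
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, total_len, 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    # Patch the real header checksum into bytes 10..12.
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return eth + ip + tcp + payload


def tcp_payload(frame: bytes) -> bytes:
    """Inverse of build_frame: strip Ethernet/IPv4/TCP headers."""
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    tcp_start = 14 + ihl
    data_off = (frame[tcp_start + 12] >> 4) * 4
    return frame[tcp_start + data_off:14 + total_len]


def build_pcap(records, snaplen: int = 65535) -> bytes:
    """records: iterable of (seconds, microseconds, frame_bytes)."""
    out = struct.pack("=IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen,
                      LINKTYPE_ETHERNET)
    for sec, usec, frame in records:
        out += struct.pack("=IIII", sec, usec, len(frame), len(frame))
        out += frame
    return out


def parse_pcap(data: bytes):
    """Read back a libpcap file written by build_pcap -> (linktype, records)."""
    magic, _maj, _min, _tz, _sig, _snap, linktype = struct.unpack("=IHHiIII", data[:24])
    if magic != PCAP_MAGIC:
        raise ValueError("not a native-order libpcap file")
    records, off = [], 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack("=IIII", data[off:off + 16])
        off += 16
        records.append((sec, usec, data[off:off + incl]))
        off += incl
    return linktype, records


# Constructed sample: two buffers as they might be recovered from the trace,
# one per direction. Not taken from the sample analysed in the video.
SAMPLE_BUFFERS = [
    (1594857600, 0, "10.0.0.2", "10.0.0.1", 49152, 80,
     b"POST /upload HTTP/1.1\r\nHost: example.invalid\r\nContent-Length: 4\r\n\r\nping"),
    (1594857600, 250000, "10.0.0.1", "10.0.0.2", 80, 49152,
     b"HTTP/1.1 200 OK\r\nContent-Length: 4\r\n\r\npong"),
]


def sample_pcap() -> bytes:
    return build_pcap((s, u, build_frame(src, dst, sp, dp, p))
                      for s, u, src, dst, sp, dp, p in SAMPLE_BUFFERS)


if __name__ == "__main__":
    with open("rebuilt.pcap", "wb") as f:
        f.write(sample_pcap())
    print("wrote rebuilt.pcap; open it with Wireshark or `tshark -r rebuilt.pcap`")
```

Keeping the trace timestamps (here, seconds and microseconds per record) is what lets you go from a packet selected in Wireshark back to the corresponding point in the REVEN trace; if the buffers are captured before the stack fragments them, one record per buffer is enough for Wireshark's "Follow TCP Stream" to reassemble the conversation.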
First time reading about REVEN?
Note that this video assumes previous knowledge of REVEN and trace navigation; the following videos provide a gentler introduction:
- VLC code execution: a tour of REVEN terminology & trace navigation.
- Recording a trace: a demonstration of what is recorded in a trace, and how.
- Kernel bug: from crash to input: a short example of using the tainting engine’s dataflow analysis to reveal connections between code locations.
The demo
Details
The malware we analyze here is a sample of the PocoDown family, whose SHA-256 is ab8c93b24767c43559c03da63bb8275aa1e7babb36dc2ec3719c55b973b1f823.