Daniel Plohmann daniel.plohmann@fkie.fraunhofer.de @push_pnx @malpedia
The Malware Knowledge Archipelago
A typical situation
• Your [spam protection, HTTP proxy, HIPS, …] intercepts a potential malware sample.
• Strings / Hex Editor?
/home/analyst/work/unknown_malware $ strings -el 6356ed6ca05c8f87f1ae34aa1f3c4a119c5b6e811b00cb996ba688cc6695f683_unpacked
BotLoader
ssert
expir
Global\MGlob
D:(A;;GA;;;WD)(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;RC)
------Boundary%08X
Content-Type: multipart/form-data; boundary=%s
Content-Length: %d
Xmaker
ip.anysrc.net
wtfismyip.com
icanhazip.com
/plain/clientip
/text
/raw
svchost.exe
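As an added example (not from the talk or from Malpedia), a small Python triage helper that does what the `strings -el` pass above does, ASCII plus UTF-16LE extraction, and buckets the results into the indicator classes visible in that output (external IP lookup hosts, multipart upload headers, an SDDL descriptor, a Global\ object name, a process name). The sample blob and the category names are constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed sample blob (not a real file): ASCII strings plus two UTF-16LE
# ("wide") strings of the kind that only 'strings -el' surfaces.
SAMPLE = (
    b"MZ\x90\x00\x03\x00"
    b"BotLoader\x00"
    b"Global\\MGlob\x00"
    b"D:(A;;GA;;;WD)(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;RC)\x00"
    b"Content-Type: multipart/form-data; boundary=%s\x00\x00"
    + "wtfismyip.com".encode("utf-16le") + b"\x00\x00"
    + "icanhazip.com".encode("utf-16le") + b"\x00\x00"
    + b"svchost.exe\x00\xff\xfe"
)

def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """ASCII runs first, then UTF-16LE runs (what `strings` and `strings -el` print)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16le") for m in wide_re.finditer(data)]
    return found

# Indicator classes an analyst checks on a first pass (assumed category names).
CATEGORIES = {
    "external_ip_lookup": re.compile(r"(wtfismyip|icanhazip|anysrc)\.|/clientip$"),
    "http_upload": re.compile(r"^(Content-Type: multipart|Content-Length|-*Boundary)"),
    "sddl_descriptor": re.compile(r"^D:\(A;;"),  # D:(A;;GA;;;WD) = generic-all for Everyone
    "named_object": re.compile(r"^Global\\"),    # Global\ namespace: mutex or event name
    "process_name": re.compile(r"\.exe$", re.I),
}

def triage_strings(data: bytes) -> Dict[str, List[str]]:
    """Group extracted strings by category; anything unmatched lands in 'other'."""
    result: Dict[str, List[str]] = {name: [] for name in CATEGORIES}
    result["other"] = []
    for s in extract_strings(data):
        for name, pattern in CATEGORIES.items():
            if pattern.search(s):
                result[name].append(s)
                break
        else:
            result["other"].append(s)
    return result

if __name__ == "__main__":
    for category, hits in triage_strings(SAMPLE).items():
        if hits:
            print(f"{category}: {hits}")
```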
© Cyber Analysis and Defense Department, Fraunhofer FKIE