• Goa 2020
  • AMMO
  • F.R.I.D.A.Y

F.R.I.D.A.Y

Shyam-Sundar-Ramaswami

Tool Name:

F.R.I.D.A.Y

Speaker:

Shyam Sundar Ramaswami

Download Link:

https://github.com/am-darkknight/FRIDAY-


Abstract:

In this Cyberworld the perfect phrase to describe malware hunting is " Catch me if you can? ". Well, this is a cat and mouse game. Researcher wins the first time and malware authors the other.

Confinement of a malware, running it in a sandbox and studying malware has been a frequent practice. Malware authors decided to burst the bubble by evading sandboxes either by exhibiting a different behaviour or staying quiet. The malware author knows how sandboxes operate and the intelligence Is passed on to malwares.

The new age malwares like Trickbot, Ryuk Ransowmare , Paradise and Annatove all evade , detect and study sandboxes. The moment it detects sandbox it either calls out to noise C&C domains or does not execute. Well, F.R.I.D.A.Y was built to defect and extract the exact behaviours of such malwares.

F.R.I.D.A.Y does the following:

  1. F.R.I.D.A.Y points out and brings out what specific process or services the malware kills to evade sandboxes
  2. F.R.I.D.A.Y sniffs packed malware and uses a concept called “Remote triggering”. This fools the malware to run on a box with no usual tools but captures every detail about the malware. ,monitors and extracts IOC like process id, loaded dlls, unsigned dlls and even the memory address of the loaded dll
  3. F.R.I.D.A.Y extracts domains from unpacked files, runs it against the open source threat intel and even takes it to a machine , runs it and captures screenshots of the C&C and gives suggestions on what domains can be blocked
  4. F.R.I.D.A.Y predicts what sort of DLL or process injection the malware is up to so that we can look for the right spots in memory for malicious dlls
  5. F.R.I.D.A.Y brings down the time to investigate a malware or make a decision on malware from 25 mins to 5 mins

Bio:

Shyam Sundar Ramaswami is a TEDx speaker, Black Hat speaker, GREM certified malware analyst, Cisco Security Ninja black belt and teaches cyber security using “Batman” & “ Avengers” characters.

Shyam has delivered talks in several conferences and universities like Black Hat (Las Vegas), Stanford University (Cyber Security Program), Qubit Forensics (Serbia), Cisco Live (Barcelona), IRespond (San Francisco), Defcon Packet Village (remote) and in several IEEE forums in India.

Shyam also teaches cyber security " Advanced malware attack and defences" in Stanford Cyber security program and runs a mentoring program called being robin where he mentors students all over the globe on cyber security.

https://www.linkedin.com/in/shyam-sundar-ramaswami-50204966/

Copyright © 2019-20 | Nullcon India | International Security Conference | All Rights Reserved