Comparing Malicious Files
Offered By: YouTube
Course Description
Overview
Explore techniques for comparing malicious files in this 56-minute conference talk from BSides Charm 2019. Delve into the challenges faced by researchers and incident responders when dealing with malware samples. Learn about sample identification, locating associated samples, and analyzing shared engines. Discover various malware classification systems, including MITRE ATT&CK and Malpedia. Examine methods for extracting and comparing metadata, such as Exif data, code signing certificates, PE metadata, and document properties. Investigate techniques for analyzing URL structures, mutex objects, registry keys, and algorithms. Gain insights into advanced analysis methods like control flow graph analysis and explore data representation formats like STIX and JSON-LD. Conclude with an overview of graph databases and network graph tools for visualizing malware relationships.
Syllabus
Intro
AV Problem
Marketing Problem
Missing Criteria
Researcher's Problem
Incident Responder's Problem
Sample Identification
Locating Associated Samples
Shared Engines
Development Methods
Vendors with Usable Results
Boiling Down Results
ATT&CK & Granularity
SEH Variation
Malpedia
Malware Classification Systems
Some Hashes
Exif metadata
Code Signing Certificate
Abused Certificates
PE Metadata
Sections
Resources
Document Metadata
Filenames
URL Structure: Download
URL Structure: C2
Mutual Exclusion (Mutex)
Registry key
Algorithms
Infosec Finer Things
Diamond Model
Control Flow Graph Analysis
Schema: STIX
JSON for Linking Data: JSON-LD
RDF N-Quad
Graph Tools: Graph Databases
Network Graph