Automated Extraction of Configuration and Payloads from Sophisticated Malware

Explore an innovative solution for automated malware analysis in this 42-minute conference talk from the 44CON Information Security Conference. Delve into the challenges of reverse engineering sophisticated malware samples and discover CAPE (Automated Extraction of Configuration and Payloads), an open-source platform designed to streamline the process. Learn how CAPE combines various techniques and tools to extract payloads, configurations, and indicators from complex malware families, particularly those associated with nation-state actors. Gain insights into the system's capabilities, its potential to revolutionize threat intelligence, and how it can be expanded to combat increasingly sophisticated malware. Understand the technical aspects of malware obfuscation, manual analysis approaches, and automated techniques employed by CAPE. Witness a walkthrough demonstration of the platform and explore its extensibility features, including how to create custom packages and utilize the CAPE API for config parsing.

Intro
A bit of background..
Malware Obfuscation
Manual Approach
Automated Analysis
Techniques & tools from manual analysis
Debugger
Dumper
Import Reconstruction
CAPE Walkthrough Demo Plug
DLL Side loading
Extracting/loading modules in memory
Process injection: Shellcode or DLL
Process Hollowing (RunPE)
Executable Packers/Custom Crypto
Current Coverage
CAPE Extensibility
How do you make a package? CAPE API
Config Parsing
CAPE Resources