SlideShare a Scribd company logo

Ninja Correlation of APT Binaries

CODE BLUE
CODE BLUE

Knowledge and identification of Malware binaries is a crucial part of detection and incident response. There was a time when using MD5s was sufficient to ID binaries. The reverse engineering analysis conducted once would be useful anytime that same MD5 hash was seen again. This has rapidly changed in recent years. Polymorphic samples of the same specimen change the file hash (MD5, SHAx etc) without much effort by the attacker. Also, cyber criminals and advanced adversaries reuse their codebase to create newer versions of their malware, but changes in the file hash disallow any opportunity to connect and leverage previous analyses of similar samples by defenders. This gives them an asymmetric advantage. In recent years, there has been research into “similarity metrics”― methods that can identify whether, or to what degree, two malware binaries are similar to each other. Imphash, ssdeep and sdhash are examples of such techniques. In this talk, Bhavna will review which of these techniques is more suitable for evaluating similarities in code for APT related samples. This presentation will take a data analytics approach. We will look at binary samples from APT events from Jan- Mar 2015 and create clusters of similar binaries based on each of the three similarity metrics under consideration. We will then evaluate the accuracy of the clusters and examine their implications on the effectiveness of each technique in identifying provenance of an APT related binary. This can aid Incident responders in connecting otherwise disparate infections in their environment to a single threat group and apply past analyses of the abilities and motivations of that adversary to conduct more effective response.

Internet
1 of 35
Download to read offline
N I N J A C O R R E L AT I O N O F A P T B I N A R I E S E VA L U A T I N G T H E E F F E C T I V E N E S S O F F U Z Z Y H A S H I N G T E C H N I Q U E S I N I D E N T I F Y I N G P R O V E N A N C E O F A P T B I N A R I E S Bhavna Soman Cyber Analyst/Developer, Intel Corp. @bsoman3, #codeblue_jp Copyright © Intel Corporation 2015. All rights reserved.
- G E O R G E P. B U R D E L L Opinions expressed are those of the author and do not reflect the opinions of his/her employer. - L E G A L Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No computer system can be absolutely secure. Check with your system manufacturer or retailer or learn more at intel.com. D I S C L A I M E R S
W H AT A D VA N TA G E C A N K N O W I N G T H E O R I G I N S O F A M A L I C I O U S B I N A RY G I V E Y O U ? ? • We can apply past analyses of motivations and capabilities of adversary • Connect disparate events into one whole picture • So what’s the best way to connect the dots?
A G E N D A • Methods to connect binaries • Getting a test dataset and ground truth • Results • Sample clusters found • Takeaways and Future direction
W H AT I S T H E B E S T WAY T O C O N N E C T S I M I L A R B I N A R I E S ? ? • Imphash— md5 hash of the import table • ssdeep— Context triggered piecewise hashing • SDhash— Bloom filters How to : 1. Get non-trivial dataset of binaries related to targeted campaigns 2. Establish ground truth without static/dynamic analyses of hundreds of binaries?
G AT H E R I N G D ATA • Published Jan-March 2015 • e.g. “Project Cobra Analysis”, “The Desert Falcon Targeted Attacks” • Extract MD5s • >10% Malicious on Virus Total MD5s Similarity Metrics • Calculate for each binary • Import hash • ssdeep • SDhash EXTRACT CALCULATE APT Whitepapers
A S S E S S I N G C O R R E L AT I O N S Are these malware related?
{Actor Names, Campaign Name, Malware Families, Aliases} APT1 APT2 {Actor Names, Campaign Name, Malware Families, Aliases} A S S E S S I N G C O R R E L AT I O N S
• No one method found all the correlations • Imphash had the most false positives • Sdhash had maximum recall • Both ssdeep and SDhash had near perfect precision S U M M A RY R E S U LT S Recall Precision
I M P H A S H E S
• 4 0 8 T R U E C O R R E L AT I O N S • 1 7 2 FA L S E P O S I T I V E S • H I G H F I D E L I T Y T R U E P O S I T I V E S • 2 C O R R E L AT I O N S A C R O S S C A M PA I G N S B Y T H E S A M E A C T O R • N O C O R R E L AT I O N S B E T W E E N D I F F E R E N T V E R S I O N S O F T H E S A M E M A LWA R E • N O C O R R E L AT I O N S A C R O S S PA RT S O F T H E K I L L C H A I N W I T H I N C A M PA I G N I M P H A S H S C O R E FREQUENCY
I M P H A S H
I M P H A S H • S AV s a m p l e s c i r c a 2 0 1 1 • U s e d b y t h e Wa t e r b u g A tt a c k g r o u p • A KA Tu r l a / U r u b o r o s • Ve r s i o n 1 . 5 o f Co m R AT ( Tu r l a A tt a c ke r s ) • Co m p i l e d o n M a r c h 2 5 , 2 0 0 8 • O t h e r v e r s i o n s o f t h e R AT i n t h e d a t a s e t w e r e n o t c o n n e c t e d • W i p b o t 2 0 1 3 S a m p l e s • U s e d b y t h e Wa t e r b u g a tt a c k G r o u p • Co m p i l e d o n 1 5 - 1 0 - 2 0 1 3 • A l s o r e f e r r e d t o a s Ta v d i g / Wo r l d C u p S e c / Ta d j M a k h a l
I M P H A S H
I M P H A S H • B o t h s a m p l e s o f Co m R AT • A s s o c i a t e d w i t h Wa t e r b u g G r o u p a n d Tu r l a A tt a c ke r s r e s p e c t i v e l y • S a m p l e s o f t h e Ca r b o n M a l w a r e • R e l a t e d t o Pr o j e c t Co b r a a n d T h e Wa t e r b u g A tt a c k G r o u p
I M P H A S H
I M P H A S H • C r e d e n t i a l s t e a l e r a n d d r o p p e r f r o m O P A r i d V i p e r • V s . D r o p p e r s u s e d b y A tt a c k s o n t h e Sy r i a n O p p o s i t i o n Fo r c e s • N o c o m m o n a tt r i b u t i o n o r K N O W N l i n k • B i n a r i e s f r o m S I X d i ff e r e n t c a m p a i g n s • N o c o m m o n A c t o r o r M a l w a r e Fa m i l y • D i ff e r e n t p a r t s o f t h e K i l l c h a i n
I M P H A S H
S S D E E P
• 8 5 6 T R U E C O R R E L AT I O N S • 0 FA L S E P O S I T I V E S • 1 C O R R E L AT I O N S F O U N D C O N N E C T I N G C A M PA I G N S B Y T H E S A M E A C T O R • S E V E R A L C O R R E L AT I O N S B E T W E E N M I N O R V E R S I O N S O F S A M E M A LWA R E • N O C O R R E L AT I O N S A C R O S S PA RT S O F T H E K I L L C H A I N W I T H I N C A M PA I G N S S D E E P S C O R E FREQUENCY
S S D E E P
S S D E E P • W i p b o t 2 0 1 3 • U s e d b y t h e Wa t e r b u g a tt a c k g r o u p • Co r r e l a t i o n a c r o s s m i n o r v e r s i o n s o f Co m R AT • Co m p i l e d a t e s s p a n o v e r 3 y e a r s • S AV / U r u b o r o s s a m p l e s • U s e d b y t h e Wa t e r b u g A tt a c k g r o u p • T i m e s t a m p e d 2 0 1 3
S S D E E P
S S D E E P • B a c k d o o r s u s e d i n O P D e s e r t Fa l c o n ( Ka s p e r s k y ) • 6 3 0 Co r r e l a t i o n s . A v e r a g e s i m i l a r i t y s c o r e w a s 3 5 . 1 3 • D i ff e r e n t Ve r s i o n s o f Ca r b o n M a l w a r e c o m p l i e d i n 2 0 0 9 • Fr o m Pr o j e c t Co b r a a n d Wa t e r b u g Ca m p a i g n s .
S S D E E P
S S D E E P N O FA L S E P O S I T I V E S
S D H A S H
• T H R E S H O L D = 1 0 • 1 4 1 2 T R U E C O R R E L AT I O N S • 3 FA L S E P O S I T I V E S • 1 C O R R E L AT I O N S F O U N D C O N N E C T I N G C A M PA I G N S B Y T H E S A M E A C T O R • S E V E R A L C O R R E L AT I O N S B E T W E E N M I N O R V E R S I O N S O F S A M E M A LWA R E • 1 C O R R E L AT I O N S A C R O S S PA RT S O F T H E K I L L C H A I N W I T H I N C A M PA I G N S D H A S H S C O R E FREQUENCY
S D H A S H
S D H A S H • Co r r e l a t i o n b e t w e e n D r o p p e r, S t a g e 1 , S t a g e 2 a n d I n j e c t e d L i b r a r y o f Co b r a Ca m p a i g n • H i g h s i m i l a r i t y w i t h Ca r b o n To o l u s e d b y t h e Wa t e r b u g g r o u p • W i d e l y v a r y i n g AV l a b e l s e v e n c o n t r o l l i n g f o r v e n d o r • Co r r e l a t i o n s m a d e b y s d h a s h o n l y • S AV / U r u b o r o s s a m p l e s • 3 0 d i ff e r e n t B i n a r i e s c o m p i l e d o v e r 3 m o n t h s i n 2 0 1 3
S D H A S H
S D H A S H • B a c k d o o r u s e d b y O P D e s e r t Fa l c o n • V s . S c a n b o x s a m p l e ( k n o w n t o b e r e l a t e d t o A n t h e m a tt a c k s a n d D e e p Pa n d a ) • N o k n o w n r e l a t i o n s h i p b e t w e e n t h o s e a c t o r s / c a m p a i g n s / m a l w a r e f a m i l i e s • “ H tt p B r o w s e r ” m a l w a r e u s e d i n A n t h e m a tt a c k • “A m m y A d m i n ” t o o l u s e d b y t h e Ca r b a n a k g r o u p
S D H A S H
W H E R E W E S TA N D • Imphash, ssdeep or SDhash?? • Path finding-ish. Engineer systems to make connections • APT binaries may reuse code —use it against them • It pays to know your adversary.
A C K S / Q & A / T H A N K S ! @bsoman3, bhavna.soman@ {intel.com, gmail.com} • Chris Kitto and Jeff Boerio for helping me make better slides. • Wonderful folks that write Security white papers • @kbandla for creating and maintaining APTNotes • Virus Total for the great data they provide

Recommended

In pursuit of messaging broker(s)
In pursuit of messaging broker(s)In pursuit of messaging broker(s)
In pursuit of messaging broker(s)David Gevorkyan
 
AUA Data Science Meetup
AUA Data Science MeetupAUA Data Science Meetup
AUA Data Science MeetupDavid Gevorkyan
 
ATC UK 2015: Enhancing Drop Testing Simulation for Luxury Smartphones
ATC UK 2015: Enhancing Drop Testing Simulation for Luxury SmartphonesATC UK 2015: Enhancing Drop Testing Simulation for Luxury Smartphones
ATC UK 2015: Enhancing Drop Testing Simulation for Luxury SmartphonesAltair
 
Manejo de redes
Manejo de redesManejo de redes
Manejo de redesAndreaGuadalupeAceve
 
C-Suite Guide to Cybersecurity
C-Suite Guide to CybersecurityC-Suite Guide to Cybersecurity
C-Suite Guide to CybersecurityMICHAEL MOSHIRI
 
Hard to Reach Users in Easy to Reach Places
Hard to Reach Users in Easy to Reach PlacesHard to Reach Users in Easy to Reach Places
Hard to Reach Users in Easy to Reach PlacesMike Crabb
 
Codecademy Live QA Presentation
Codecademy Live QA PresentationCodecademy Live QA Presentation
Codecademy Live QA PresentationJames Kim
 
Blue Moon - Advertising Plan (Group Project)
Blue Moon - Advertising Plan (Group Project)Blue Moon - Advertising Plan (Group Project)
Blue Moon - Advertising Plan (Group Project)Sam Cheema
 

Recommended

In pursuit of messaging broker(s)
In pursuit of messaging broker(s)In pursuit of messaging broker(s)
In pursuit of messaging broker(s)David Gevorkyan
 
AUA Data Science Meetup
AUA Data Science MeetupAUA Data Science Meetup
AUA Data Science MeetupDavid Gevorkyan
 
ATC UK 2015: Enhancing Drop Testing Simulation for Luxury Smartphones
ATC UK 2015: Enhancing Drop Testing Simulation for Luxury SmartphonesATC UK 2015: Enhancing Drop Testing Simulation for Luxury Smartphones
ATC UK 2015: Enhancing Drop Testing Simulation for Luxury SmartphonesAltair
 
Manejo de redes
Manejo de redesManejo de redes
Manejo de redesAndreaGuadalupeAceve
 
C-Suite Guide to Cybersecurity
C-Suite Guide to CybersecurityC-Suite Guide to Cybersecurity
C-Suite Guide to CybersecurityMICHAEL MOSHIRI
 
Hard to Reach Users in Easy to Reach Places
Hard to Reach Users in Easy to Reach PlacesHard to Reach Users in Easy to Reach Places
Hard to Reach Users in Easy to Reach PlacesMike Crabb
 
Codecademy Live QA Presentation
Codecademy Live QA PresentationCodecademy Live QA Presentation
Codecademy Live QA PresentationJames Kim
 
Blue Moon - Advertising Plan (Group Project)
Blue Moon - Advertising Plan (Group Project)Blue Moon - Advertising Plan (Group Project)
Blue Moon - Advertising Plan (Group Project)Sam Cheema
 
Upgrading OpenStack? Avoid these 3 Common Pitfalls
Upgrading OpenStack? Avoid these 3 Common PitfallsUpgrading OpenStack? Avoid these 3 Common Pitfalls
Upgrading OpenStack? Avoid these 3 Common PitfallsPlatform9
 
American Marketing Association - Strategy Presentation
American Marketing Association - Strategy Presentation American Marketing Association - Strategy Presentation
American Marketing Association - Strategy Presentation Sam Cheema
 
June 29, 2020 TARC Virtual Meeting
June 29, 2020 TARC Virtual MeetingJune 29, 2020 TARC Virtual Meeting
June 29, 2020 TARC Virtual MeetingMiami-Dade Transportation Planning Organization
 
Help Ukraine
Help UkraineHelp Ukraine
Help UkraineNastyaTsaruk
 
How To Play Music On A Vacuum Cleaner
How To Play Music On A Vacuum CleanerHow To Play Music On A Vacuum Cleaner
How To Play Music On A Vacuum CleanerCliffano Subagio
 
Mapan
MapanMapan
MapanAdiba Rasib
 
Fashion Guidelines
Fashion Guidelines Fashion Guidelines
Fashion Guidelines Saad Lemgaddar
 
AWS para Torpes - Introducción a AWS
AWS para Torpes - Introducción a AWSAWS para Torpes - Introducción a AWS
AWS para Torpes - Introducción a AWSAlvaro García Loaisa
 
Building Legends at One World Observatory
Building Legends at One World ObservatoryBuilding Legends at One World Observatory
Building Legends at One World ObservatoryAddison O'Connor
 
Faizal Resume
Faizal ResumeFaizal Resume
Faizal ResumeFaizal Johori
 
Business Opportunity, Disguised as Byproduct
Business Opportunity, Disguised as ByproductBusiness Opportunity, Disguised as Byproduct
Business Opportunity, Disguised as ByproductGyörgy Balázsi
 
How GZIP compression works - JS Conf EU 2014
How GZIP compression works - JS Conf EU 2014How GZIP compression works - JS Conf EU 2014
How GZIP compression works - JS Conf EU 2014Raul Fraile
 
Tailoring Malaysian Blockchain Regulations For Digital Economy 2018 MIGHT
Tailoring Malaysian Blockchain Regulations For Digital Economy 2018 MIGHT Tailoring Malaysian Blockchain Regulations For Digital Economy 2018 MIGHT
Tailoring Malaysian Blockchain Regulations For Digital Economy 2018 MIGHT Kancil San
 
Infographics webinar
Infographics webinar Infographics webinar
Infographics webinar Kira Smith
 
Integrated final-pdf
Integrated final-pdfIntegrated final-pdf
Integrated final-pdfArissa Loh
 
CT BM Integrated Assignement
CT BM Integrated Assignement CT BM Integrated Assignement
CT BM Integrated Assignement ashleyyeap
 
Іван Ковальов “Як створити інноваційний інді проект історія g30” GameDev Conf...
Іван Ковальов “Як створити інноваційний інді проект історія g30” GameDev Conf...Іван Ковальов “Як створити інноваційний інді проект історія g30” GameDev Conf...
Іван Ковальов “Як створити інноваційний інді проект історія g30” GameDev Conf...Lviv Startup Club
 
WWDC 2019 Cheatsheet
WWDC 2019 CheatsheetWWDC 2019 Cheatsheet
WWDC 2019 CheatsheetWanbok Choi
 
DATA FLOWS & NATIONAL SECURITY
DATA FLOWS & NATIONAL SECURITYDATA FLOWS & NATIONAL SECURITY
DATA FLOWS & NATIONAL SECURITYMartina F. Ferracane
 
The Art Of Practicing - WebSummit 2014
The Art Of Practicing - WebSummit 2014The Art Of Practicing - WebSummit 2014
The Art Of Practicing - WebSummit 2014Nikolai Onken
 
New technologies about Drugs Administration - Pharmacology
New technologies about Drugs Administration - PharmacologyNew technologies about Drugs Administration - Pharmacology
New technologies about Drugs Administration - PharmacologyYvann Saculo
 
M|SOURCE WORK ORDER SYSTEM
M|SOURCE WORK ORDER SYSTEMM|SOURCE WORK ORDER SYSTEM
M|SOURCE WORK ORDER SYSTEMScott Urich
 

More Related Content

What's hot

Upgrading OpenStack? Avoid these 3 Common Pitfalls
Upgrading OpenStack? Avoid these 3 Common PitfallsUpgrading OpenStack? Avoid these 3 Common Pitfalls
Upgrading OpenStack? Avoid these 3 Common PitfallsPlatform9
 
American Marketing Association - Strategy Presentation
American Marketing Association - Strategy Presentation American Marketing Association - Strategy Presentation
American Marketing Association - Strategy Presentation Sam Cheema
 
How To Play Music On A Vacuum Cleaner
How To Play Music On A Vacuum CleanerHow To Play Music On A Vacuum Cleaner
How To Play Music On A Vacuum CleanerCliffano Subagio
 
AWS para Torpes - Introducción a AWS
AWS para Torpes - Introducción a AWSAWS para Torpes - Introducción a AWS
AWS para Torpes - Introducción a AWSAlvaro García Loaisa
 
Building Legends at One World Observatory
Building Legends at One World ObservatoryBuilding Legends at One World Observatory
Building Legends at One World ObservatoryAddison O'Connor
 
Business Opportunity, Disguised as Byproduct
Business Opportunity, Disguised as ByproductBusiness Opportunity, Disguised as Byproduct
Business Opportunity, Disguised as ByproductGyörgy Balázsi
 
How GZIP compression works - JS Conf EU 2014
How GZIP compression works - JS Conf EU 2014How GZIP compression works - JS Conf EU 2014
How GZIP compression works - JS Conf EU 2014Raul Fraile
 
Tailoring Malaysian Blockchain Regulations For Digital Economy 2018 MIGHT
Tailoring Malaysian Blockchain Regulations For Digital Economy 2018 MIGHT Tailoring Malaysian Blockchain Regulations For Digital Economy 2018 MIGHT
Tailoring Malaysian Blockchain Regulations For Digital Economy 2018 MIGHT Kancil San
 
Infographics webinar
Infographics webinar Infographics webinar
Infographics webinar Kira Smith
 
Integrated final-pdf
Integrated final-pdfIntegrated final-pdf
Integrated final-pdfArissa Loh
 
CT BM Integrated Assignement
CT BM Integrated Assignement CT BM Integrated Assignement
CT BM Integrated Assignement ashleyyeap
 
Іван Ковальов “Як створити інноваційний інді проект історія g30” GameDev Conf...
Іван Ковальов “Як створити інноваційний інді проект історія g30” GameDev Conf...Іван Ковальов “Як створити інноваційний інді проект історія g30” GameDev Conf...
Іван Ковальов “Як створити інноваційний інді проект історія g30” GameDev Conf...Lviv Startup Club
 
WWDC 2019 Cheatsheet
WWDC 2019 CheatsheetWWDC 2019 Cheatsheet
WWDC 2019 CheatsheetWanbok Choi
 
The Art Of Practicing - WebSummit 2014
The Art Of Practicing - WebSummit 2014The Art Of Practicing - WebSummit 2014
The Art Of Practicing - WebSummit 2014Nikolai Onken
 

What's hot (20)

Upgrading OpenStack? Avoid these 3 Common Pitfalls
Upgrading OpenStack? Avoid these 3 Common PitfallsUpgrading OpenStack? Avoid these 3 Common Pitfalls
Upgrading OpenStack? Avoid these 3 Common Pitfalls
 
American Marketing Association - Strategy Presentation
American Marketing Association - Strategy Presentation American Marketing Association - Strategy Presentation
American Marketing Association - Strategy Presentation
 
June 29, 2020 TARC Virtual Meeting
June 29, 2020 TARC Virtual MeetingJune 29, 2020 TARC Virtual Meeting
June 29, 2020 TARC Virtual Meeting
 
Help Ukraine
Help UkraineHelp Ukraine
Help Ukraine
 
How To Play Music On A Vacuum Cleaner
How To Play Music On A Vacuum CleanerHow To Play Music On A Vacuum Cleaner
How To Play Music On A Vacuum Cleaner
 
Mapan
MapanMapan
Mapan
 
Fashion Guidelines
Fashion Guidelines Fashion Guidelines
Fashion Guidelines
 
AWS para Torpes - Introducción a AWS
AWS para Torpes - Introducción a AWSAWS para Torpes - Introducción a AWS
AWS para Torpes - Introducción a AWS
 
Building Legends at One World Observatory
Building Legends at One World ObservatoryBuilding Legends at One World Observatory
Building Legends at One World Observatory
 
Faizal Resume
Faizal ResumeFaizal Resume
Faizal Resume
 
Business Opportunity, Disguised as Byproduct
Business Opportunity, Disguised as ByproductBusiness Opportunity, Disguised as Byproduct
Business Opportunity, Disguised as Byproduct
 
How GZIP compression works - JS Conf EU 2014
How GZIP compression works - JS Conf EU 2014How GZIP compression works - JS Conf EU 2014
How GZIP compression works - JS Conf EU 2014
 
Tailoring Malaysian Blockchain Regulations For Digital Economy 2018 MIGHT
Tailoring Malaysian Blockchain Regulations For Digital Economy 2018 MIGHT Tailoring Malaysian Blockchain Regulations For Digital Economy 2018 MIGHT
Tailoring Malaysian Blockchain Regulations For Digital Economy 2018 MIGHT
 
Infographics webinar
Infographics webinar Infographics webinar
Infographics webinar
 
Integrated final-pdf
Integrated final-pdfIntegrated final-pdf
Integrated final-pdf
 
CT BM Integrated Assignement
CT BM Integrated Assignement CT BM Integrated Assignement
CT BM Integrated Assignement
 
Іван Ковальов “Як створити інноваційний інді проект історія g30” GameDev Conf...
Іван Ковальов “Як створити інноваційний інді проект історія g30” GameDev Conf...Іван Ковальов “Як створити інноваційний інді проект історія g30” GameDev Conf...
Іван Ковальов “Як створити інноваційний інді проект історія g30” GameDev Conf...
 
WWDC 2019 Cheatsheet
WWDC 2019 CheatsheetWWDC 2019 Cheatsheet
WWDC 2019 Cheatsheet
 
DATA FLOWS & NATIONAL SECURITY
DATA FLOWS & NATIONAL SECURITYDATA FLOWS & NATIONAL SECURITY
DATA FLOWS & NATIONAL SECURITY
 
The Art Of Practicing - WebSummit 2014
The Art Of Practicing - WebSummit 2014The Art Of Practicing - WebSummit 2014
The Art Of Practicing - WebSummit 2014
 

Similar to Ninja Correlation of APT Binaries

New technologies about Drugs Administration - Pharmacology
New technologies about Drugs Administration - PharmacologyNew technologies about Drugs Administration - Pharmacology
New technologies about Drugs Administration - PharmacologyYvann Saculo
 
M|SOURCE WORK ORDER SYSTEM
M|SOURCE WORK ORDER SYSTEMM|SOURCE WORK ORDER SYSTEM
M|SOURCE WORK ORDER SYSTEMScott Urich
 
Test quick, build smart, be awesome
Test quick, build smart, be awesomeTest quick, build smart, be awesome
Test quick, build smart, be awesomeWP&UP
 
Malignant melanoma Oral pathology
Malignant melanoma Oral pathologyMalignant melanoma Oral pathology
Malignant melanoma Oral pathologyAkshMinhas
 
Altmetrics in UMCG: pilot project 2016
Altmetrics in UMCG: pilot project 2016Altmetrics in UMCG: pilot project 2016
Altmetrics in UMCG: pilot project 2016Guus van den Brekel
 
PEACE EDUCATION (PEACE THEME 5)
PEACE EDUCATION (PEACE THEME 5)PEACE EDUCATION (PEACE THEME 5)
PEACE EDUCATION (PEACE THEME 5)Reymart Dellomas
 
Information Security Project Management
Information Security Project ManagementInformation Security Project Management
Information Security Project ManagementIgor Pertsovsky
 
messagingLAB_thought leadership class slides
messagingLAB_thought leadership class slidesmessagingLAB_thought leadership class slides
messagingLAB_thought leadership class slidesmessagingLAB
 
Buy vs Build Considerations in Today's Data Center Marketplace
Buy vs Build Considerations in Today's Data Center Marketplace Buy vs Build Considerations in Today's Data Center Marketplace
Buy vs Build Considerations in Today's Data Center Marketplace AFCOM
 
4 reasons that you cannot engage your team after election
4 reasons that you cannot engage your team after election4 reasons that you cannot engage your team after election
4 reasons that you cannot engage your team after electionFlora Liu
 
Interactive media : information and libraries (#bobcatsss2017)
Interactive media : information and libraries (#bobcatsss2017)Interactive media : information and libraries (#bobcatsss2017)
Interactive media : information and libraries (#bobcatsss2017)Guus van den Brekel
 
Visibility and societal impact : UMCG research output, Altmetric and Pure
Visibility and societal impact : UMCG research output, Altmetric and PureVisibility and societal impact : UMCG research output, Altmetric and Pure
Visibility and societal impact : UMCG research output, Altmetric and PureGuus van den Brekel
 
Convention 2014Presentation 3
Convention 2014Presentation 3Convention 2014Presentation 3
Convention 2014Presentation 3Amanda Taylor
 

Similar to Ninja Correlation of APT Binaries (20)

New technologies about Drugs Administration - Pharmacology
New technologies about Drugs Administration - PharmacologyNew technologies about Drugs Administration - Pharmacology
New technologies about Drugs Administration - Pharmacology
 
M|SOURCE WORK ORDER SYSTEM
M|SOURCE WORK ORDER SYSTEMM|SOURCE WORK ORDER SYSTEM
M|SOURCE WORK ORDER SYSTEM
 
Firefox OS Bus India Tour
Firefox OS Bus India TourFirefox OS Bus India Tour
Firefox OS Bus India Tour
 
Test quick, build smart, be awesome
Test quick, build smart, be awesomeTest quick, build smart, be awesome
Test quick, build smart, be awesome
 
Orla Recreio - CURY
Orla Recreio - CURYOrla Recreio - CURY
Orla Recreio - CURY
 
Paris (France)
Paris (France)Paris (France)
Paris (France)
 
Occ Cinque Terre
Occ Cinque TerreOcc Cinque Terre
Occ Cinque Terre
 
Malignant melanoma Oral pathology
Malignant melanoma Oral pathologyMalignant melanoma Oral pathology
Malignant melanoma Oral pathology
 
Altmetrics in UMCG: pilot project 2016
Altmetrics in UMCG: pilot project 2016Altmetrics in UMCG: pilot project 2016
Altmetrics in UMCG: pilot project 2016
 
PEACE EDUCATION (PEACE THEME 5)
PEACE EDUCATION (PEACE THEME 5)PEACE EDUCATION (PEACE THEME 5)
PEACE EDUCATION (PEACE THEME 5)
 
Information Security Project Management
Information Security Project ManagementInformation Security Project Management
Information Security Project Management
 
messagingLAB_thought leadership class slides
messagingLAB_thought leadership class slidesmessagingLAB_thought leadership class slides
messagingLAB_thought leadership class slides
 
Griffins Social Media
Griffins Social MediaGriffins Social Media
Griffins Social Media
 
Buy vs Build Considerations in Today's Data Center Marketplace
Buy vs Build Considerations in Today's Data Center Marketplace Buy vs Build Considerations in Today's Data Center Marketplace
Buy vs Build Considerations in Today's Data Center Marketplace
 
4 reasons that you cannot engage your team after election
4 reasons that you cannot engage your team after election4 reasons that you cannot engage your team after election
4 reasons that you cannot engage your team after election
 
Presentation
PresentationPresentation
Presentation
 
Interactive media : information and libraries (#bobcatsss2017)
Interactive media : information and libraries (#bobcatsss2017)Interactive media : information and libraries (#bobcatsss2017)
Interactive media : information and libraries (#bobcatsss2017)
 
Spring cleaning workbook 2018
Spring cleaning workbook 2018Spring cleaning workbook 2018
Spring cleaning workbook 2018
 
Visibility and societal impact : UMCG research output, Altmetric and Pure
Visibility and societal impact : UMCG research output, Altmetric and PureVisibility and societal impact : UMCG research output, Altmetric and Pure
Visibility and societal impact : UMCG research output, Altmetric and Pure
 
Convention 2014Presentation 3
Convention 2014Presentation 3Convention 2014Presentation 3
Convention 2014Presentation 3
 

More from CODE BLUE

[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...CODE BLUE
 
[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten Nohl[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten NohlCODE BLUE
 
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...CODE BLUE
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...CODE BLUE
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之CODE BLUE
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...CODE BLUE
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo PupilloCODE BLUE
 
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...CODE BLUE
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman [cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman CODE BLUE
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...CODE BLUE
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫CODE BLUE
 
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...CODE BLUE
 
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka [cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka CODE BLUE
 
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...CODE BLUE
 
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...CODE BLUE
 
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...CODE BLUE
 
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...CODE BLUE
 
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也CODE BLUE
 
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...CODE BLUE
 
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...CODE BLUE
 

More from CODE BLUE (20)

[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...
 
[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten Nohl[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten Nohl
 
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
 
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman [cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
 
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
 
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka [cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
 
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
 
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
 
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
 
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
 
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
 
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
 
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
 

Recently uploaded

Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...Call Girls in Nagpur High Profile
 
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Callshivangimorya083
 
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)Delhi Call girls
 
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.soniya singh
 
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Delhi Call girls
 
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl ServiceRussian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl Servicegwenoracqe6
 
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...singhpriety023
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...APNIC
 
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebGDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebJames Anderson
 
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...tanu pandey
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024APNIC
 
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.soniya singh
 
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.soniya singh
 
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call GirlVIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girladitipandeya
 

Recently uploaded (20)

Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
 
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
 
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
 
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
 
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
 
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
 
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl ServiceRussian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
 
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
 
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
 
@9999965857 🫦 Sexy Desi Call Girls Laxmi Nagar 💓 High Profile Escorts Delhi 🫶
@9999965857 🫦 Sexy Desi Call Girls Laxmi Nagar 💓 High Profile Escorts Delhi 🫶@9999965857 🫦 Sexy Desi Call Girls Laxmi Nagar 💓 High Profile Escorts Delhi 🫶
@9999965857 🫦 Sexy Desi Call Girls Laxmi Nagar 💓 High Profile Escorts Delhi 🫶
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
 
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebGDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
 
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
 
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
 
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
 
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
 
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call GirlVIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
 

Ninja Correlation of APT Binaries

  • 1. N I N J A C O R R E L AT I O N O F A P T B I N A R I E S E VA L U A T I N G T H E E F F E C T I V E N E S S O F F U Z Z Y H A S H I N G T E C H N I Q U E S I N I D E N T I F Y I N G P R O V E N A N C E O F A P T B I N A R I E S Bhavna Soman Cyber Analyst/Developer, Intel Corp. @bsoman3, #codeblue_jp Copyright © Intel Corporation 2015. All rights reserved.
  • 2. - G E O R G E P. B U R D E L L Opinions expressed are those of the author and do not reflect the opinions of his/her employer. - L E G A L Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No computer system can be absolutely secure. Check with your system manufacturer or retailer or learn more at intel.com. D I S C L A I M E R S
  • 3. W H AT A D VA N TA G E C A N K N O W I N G T H E O R I G I N S O F A M A L I C I O U S B I N A RY G I V E Y O U ? ? • We can apply past analyses of motivations and capabilities of adversary • Connect disparate events into one whole picture • So what’s the best way to connect the dots?
  • 4. A G E N D A • Methods to connect binaries • Getting a test dataset and ground truth • Results • Sample clusters found • Takeaways and Future direction
  • 5. W H AT I S T H E B E S T WAY T O C O N N E C T S I M I L A R B I N A R I E S ? ? • Imphash— md5 hash of the import table • ssdeep— Context triggered piecewise hashing • SDhash— Bloom filters How to : 1. Get non-trivial dataset of binaries related to targeted campaigns 2. Establish ground truth without static/dynamic analyses of hundreds of binaries?
  • 6. G AT H E R I N G D ATA • Published Jan-March 2015 • e.g. “Project Cobra Analysis”, “The Desert Falcon Targeted Attacks” • Extract MD5s • >10% Malicious on Virus Total MD5s Similarity Metrics • Calculate for each binary • Import hash • ssdeep • SDhash EXTRACT CALCULATE APT Whitepapers
  • 7. A S S E S S I N G C O R R E L AT I O N S Are these malware related?
  • 8. {Actor Names, Campaign Name, Malware Families, Aliases} APT1 APT2 {Actor Names, Campaign Name, Malware Families, Aliases} A S S E S S I N G C O R R E L AT I O N S
  • 9. • No one method found all the correlations • Imphash had the most false positives • Sdhash had maximum recall • Both ssdeep and SDhash had near perfect precision S U M M A RY R E S U LT S Recall Precision
  • 10. I M P H A S H E S
  • 11. • 4 0 8 T R U E C O R R E L AT I O N S • 1 7 2 FA L S E P O S I T I V E S • H I G H F I D E L I T Y T R U E P O S I T I V E S • 2 C O R R E L AT I O N S A C R O S S C A M PA I G N S B Y T H E S A M E A C T O R • N O C O R R E L AT I O N S B E T W E E N D I F F E R E N T V E R S I O N S O F T H E S A M E M A LWA R E • N O C O R R E L AT I O N S A C R O S S PA RT S O F T H E K I L L C H A I N W I T H I N C A M PA I G N I M P H A S H S C O R E FREQUENCY
  • 12. I M P H A S H
  • 13. I M P H A S H • S AV s a m p l e s c i r c a 2 0 1 1 • U s e d b y t h e Wa t e r b u g A tt a c k g r o u p • A KA Tu r l a / U r u b o r o s • Ve r s i o n 1 . 5 o f Co m R AT ( Tu r l a A tt a c ke r s ) • Co m p i l e d o n M a r c h 2 5 , 2 0 0 8 • O t h e r v e r s i o n s o f t h e R AT i n t h e d a t a s e t w e r e n o t c o n n e c t e d • W i p b o t 2 0 1 3 S a m p l e s • U s e d b y t h e Wa t e r b u g a tt a c k G r o u p • Co m p i l e d o n 1 5 - 1 0 - 2 0 1 3 • A l s o r e f e r r e d t o a s Ta v d i g / Wo r l d C u p S e c / Ta d j M a k h a l
  • 14. I M P H A S H
  • 15. I M P H A S H • B o t h s a m p l e s o f Co m R AT • A s s o c i a t e d w i t h Wa t e r b u g G r o u p a n d Tu r l a A tt a c ke r s r e s p e c t i v e l y • S a m p l e s o f t h e Ca r b o n M a l w a r e • R e l a t e d t o Pr o j e c t Co b r a a n d T h e Wa t e r b u g A tt a c k G r o u p
  • 16. I M P H A S H
  • 17. I M P H A S H • C r e d e n t i a l s t e a l e r a n d d r o p p e r f r o m O P A r i d V i p e r • V s . D r o p p e r s u s e d b y A tt a c k s o n t h e Sy r i a n O p p o s i t i o n Fo r c e s • N o c o m m o n a tt r i b u t i o n o r K N O W N l i n k • B i n a r i e s f r o m S I X d i ff e r e n t c a m p a i g n s • N o c o m m o n A c t o r o r M a l w a r e Fa m i l y • D i ff e r e n t p a r t s o f t h e K i l l c h a i n
  • 18. I M P H A S H
  • 19. S S D E E P
  • 20. • 8 5 6 T R U E C O R R E L AT I O N S • 0 FA L S E P O S I T I V E S • 1 C O R R E L AT I O N S F O U N D C O N N E C T I N G C A M PA I G N S B Y T H E S A M E A C T O R • S E V E R A L C O R R E L AT I O N S B E T W E E N M I N O R V E R S I O N S O F S A M E M A LWA R E • N O C O R R E L AT I O N S A C R O S S PA RT S O F T H E K I L L C H A I N W I T H I N C A M PA I G N S S D E E P S C O R E FREQUENCY
  • 21. S S D E E P
  • 22. S S D E E P • W i p b o t 2 0 1 3 • U s e d b y t h e Wa t e r b u g a tt a c k g r o u p • Co r r e l a t i o n a c r o s s m i n o r v e r s i o n s o f Co m R AT • Co m p i l e d a t e s s p a n o v e r 3 y e a r s • S AV / U r u b o r o s s a m p l e s • U s e d b y t h e Wa t e r b u g A tt a c k g r o u p • T i m e s t a m p e d 2 0 1 3
  • 23. S S D E E P
  • 24. S S D E E P • B a c k d o o r s u s e d i n O P D e s e r t Fa l c o n ( Ka s p e r s k y ) • 6 3 0 Co r r e l a t i o n s . A v e r a g e s i m i l a r i t y s c o r e w a s 3 5 . 1 3 • D i ff e r e n t Ve r s i o n s o f Ca r b o n M a l w a r e c o m p l i e d i n 2 0 0 9 • Fr o m Pr o j e c t Co b r a a n d Wa t e r b u g Ca m p a i g n s .
  • 25. S S D E E P
  • 26. S S D E E P N O FA L S E P O S I T I V E S
  • 27. S D H A S H
  • 28. • T H R E S H O L D = 1 0 • 1 4 1 2 T R U E C O R R E L AT I O N S • 3 FA L S E P O S I T I V E S • 1 C O R R E L AT I O N S F O U N D C O N N E C T I N G C A M PA I G N S B Y T H E S A M E A C T O R • S E V E R A L C O R R E L AT I O N S B E T W E E N M I N O R V E R S I O N S O F S A M E M A LWA R E • 1 C O R R E L AT I O N S A C R O S S PA RT S O F T H E K I L L C H A I N W I T H I N C A M PA I G N S D H A S H S C O R E FREQUENCY
  • 29. S D H A S H
  • 30. S D H A S H • Co r r e l a t i o n b e t w e e n D r o p p e r, S t a g e 1 , S t a g e 2 a n d I n j e c t e d L i b r a r y o f Co b r a Ca m p a i g n • H i g h s i m i l a r i t y w i t h Ca r b o n To o l u s e d b y t h e Wa t e r b u g g r o u p • W i d e l y v a r y i n g AV l a b e l s e v e n c o n t r o l l i n g f o r v e n d o r • Co r r e l a t i o n s m a d e b y s d h a s h o n l y • S AV / U r u b o r o s s a m p l e s • 3 0 d i ff e r e n t B i n a r i e s c o m p i l e d o v e r 3 m o n t h s i n 2 0 1 3
  • 31. S D H A S H
  • 32. S D H A S H • B a c k d o o r u s e d b y O P D e s e r t Fa l c o n • V s . S c a n b o x s a m p l e ( k n o w n t o b e r e l a t e d t o A n t h e m a tt a c k s a n d D e e p Pa n d a ) • N o k n o w n r e l a t i o n s h i p b e t w e e n t h o s e a c t o r s / c a m p a i g n s / m a l w a r e f a m i l i e s • “ H tt p B r o w s e r ” m a l w a r e u s e d i n A n t h e m a tt a c k • “A m m y A d m i n ” t o o l u s e d b y t h e Ca r b a n a k g r o u p
  • 33. S D H A S H
  • 34. W H E R E W E S TA N D • Imphash, ssdeep or SDhash?? • Path finding-ish. Engineer systems to make connections • APT binaries may reuse code —use it against them • It pays to know your adversary.
  • 35. A C K S / Q & A / T H A N K S ! @bsoman3, bhavna.soman@ {intel.com, gmail.com} • Chris Kitto and Jeff Boerio for helping me make better slides. • Wonderful folks that write Security white papers • @kbandla for creating and maintaining APTNotes • Virus Total for the great data they provide