Cyber Security Incident Response Wannacry Ransomware
- Description
- Curriculum
- FAQ
- Reviews
Wannacry has been one of the most famous ransomware in computer history (so far) which allows us to investigate how it worked and identify indicators of compromise. The goal of the course is not to protect against Wannacry, but to provide you with a methodology to be able to quickly assess the behavour of a suspicious application in a computer. The tools we are using in this course are free for personal use, but there are way more other solutions you can use for the same purpose.
At the end of this training you will have a solid understanding how the ransomware works and how to protect you environment, also you will be able to use the tools to identify and analyse other malicious tools. You will not be a malware analyst, this is not the course for that. This course will give you the steps to be able to do incident response in a quick manner and see what areas you need to develop yourself using other courses. Deep malware analysis is a very interesting area, but not necessarily the part of the incident response team. There are companies specialized in malware analysis, or people specializing in malware analysis. One can spend hours, days, weeks, months analyzing a single malware. This course aims for quick response.
-
1
01.01 IntroductionIntroduction to the training and the instructor.
-
2
01.02 What is Wannacry?
Short introduction to the Wannacry ransomware and it's impact.
-
3
01.03 Scenario
Introduction to our scenario we will walk through in the training.
-
4
01.04 Supporting MaterialsPlease see the supporting material attached. Download this before proceeding to the next section.
The info.txt has most of the links and commands you might need to use during the course.
The zip file contains the evidences and supporting material including the presentation. Password is: "wannacry".
-
8
03.01 Goals
Introduction to the section.
-
9
03.02 Getting the tools: Windows 7 installer ISO image
Downloading the Windows 7 installer ISO.
-
10
03.03 Installing Windows 7
Installing Windows 7 in the lab environment.
-
11
03.04 Disabling Windows security features
Disabling some features in Windows to enable Wannacry to infect.
-
12
03.05 Configuring shared folders
Configure shared folders for file transfer and tool install.
-
16
05.01 Goals
Introduction to the section.
-
17
05.02 Getting the tools: Wannacry samples Ghidra and network-traffic-analysis
Getting the Wannacry malware sample from multiple sources.
-
18
05.03 Configuring the lab machines W10up, W7up, network
Making sure the lab environment is ready to be infected with Wannacry.
-
19
05.04 Infecting the Windows 10 with Wannacry
Infect the Windows 10 with Wannacry.
-
20
06.01 Goals
Introduction to the section.
-
21
06.02 Getting the tools: memory capture tool WinPMEM
Downloading the tools for taking a memory image.
-
22
06.03 Taking a memory image
Taking a memory snapshot.
-
23
06.04 Getting the tools: disk capture tool AccessData FTK lite
Downloading the disk imaging tool.
-
24
06.05 Taking a disk image
Taking a disk image using FTK Imager.
-
25
06.06 Getting the tools: Sysinternals
Downloading the Microsoft Sysinternals Suite.
-
26
06.07 Live assessment: network, processes, services, autoruns
Quick analysis of the Windows 10 machine. Network connections, processes, services, autoruns.
-
27
07.01 Goals
Introduction to the section.
-
28
07.02 Gathering system information
Gathering system information for the report.
-
29
07.03 File and Process information #1
Windows 10 analysis file and process information #1.
-
30
07.04 File and Process information #2
Windows 10 analysis file and process information #2.
-
31
07.05 File and Process information #3
Windows 10 analysis file and process information #3.
-
32
07.06 Autoruns
Autoruns analysis.
-
33
07.07 Getting the tools: hexa editor HxD
Downloading a hex editor.
-
34
07.08 Using HxD
Analysis using a hex editor HxD.
-
35
07.09 Getting the tools: static exe analysis: Exeinfo, PeiD, PEStudio, x64dbg
Downloading the tools for static exe file information extraction.
-
36
07.10 Exe analysis – exinfo, PeiD, pestudio
Static exe file analysis.
-
37
07.11 Getting the password for the embedded ZIP file
Getting the password for the embedded payload in the Wannacry executable.
-
38
07.12 Getting the tools: Registry tools WRR and Registry Explorer
Downloading Registry editing tools.
-
39
07.13 Using Registry tools
Analysing the registry using the registry explorer tools.
-
40
08.01 Goals
Introduction to the section.
-
41
08.02 Getting the tools: Wireshark, RegShot
Downloading network capturing and registry snapshot tools.
-
42
08.03 Preparing the lab machines and tools
Preparing the lab for the sandbox analysis.
-
43
08.04 Monitor and execute the malware
Executing Wannacry in the lab and capturing the activity.
-
44
08.05 Preparing for analyzing the results
Prepare the sandbox analysis results for analysis.
-
45
08.06 Analyzing Network traffic capture
Analysing network traffic capture.
-
46
08.07 Analyzing Procmon results
Analysing procmon capture.
-
47
08.08 Analyzing Regshot results
Analysing registry changes.
-
48
08.09 Getting the tool and configure Redline
Using Redline automated forensics tool to capture the system activity.
-
49
08.10 Analyzing using Redline
Analysing Redline capture.
-
50
08.11 Download tools: fakenet
Download fakenet networking tool.
-
51
08.12 Analyzing the killswitch domain
Analysing the killswitch domain in the network traffic.
-
52
08.13 Analyzing one more file
Analysing one more executable in the Windows 7.
