From f0c2f212540a9ee0720adbf9739c9af8d7e88861 Mon Sep 17 00:00:00 2001 From: Amanda Rousseau Date: Mon, 20 Mar 2017 16:55:23 -0700 Subject: [PATCH] adding malware page 2 --- malware.md | 230 +------------------------------------------------- malware2.md | 237 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 239 insertions(+), 228 deletions(-) create mode 100644 malware2.md diff --git a/malware.md b/malware.md index faaa447..9fa348a 100644 --- a/malware.md +++ b/malware.md @@ -5,7 +5,7 @@ title: Malware Techniques --- [Go Back to Reverse Engineering Malware 101](https://securedorg.github.io/RE101/) -# Section 2: Malware Techniques # +# Section 2: Malware Overview # ## Typical Attack Flow ## 
@@ -33,231 +33,5 @@ title: Malware Techniques | **Adware** | automatically renders advertisements in order to generate revenue for its author.| | **PUP/PUA** | Potentially Unwanted Program, sometimes added to a system without the user's knowledge or approval | -## Techniques Overview -* [Compression](#compression) -* [Obfuscation](#obfuscation) -* [Persistence](#persistence) -* [Privilege Escalation](#privilege-escalation) -* [Defense Evasion](#defense-evasion) -* [Credential Theft](#credential-theft) -* [Reconnaissance](#recon) -* [Lateral Movement](#lateral-movement) -* [Execution](#execution) -* [Collection](#collection) -* [Exfiltration](#exfiltration) -* [Command and Control](#command-and-control) ---- - -## Compression - -* Combining the compressed data with decompression code into a single executable -* Runtime packers -* Self extractive archives -* List of packers - * [Themida](http://www.oreans.com/themida.php) - * [Armadillo](http://www.siliconrealms.com/armadillo.php) - * [ASPack](http://www.aspack.com/aspack.html) - * [ASPR (ASProtect)](http://www.aspack.com/asprotect32.html) - * [BoxedApp Packer](http://www.boxedapp.com/boxedapppacker) - * [CExe](http://www.scottlu.com/Content/CExe.html) - * [dotBundle](http://www.dotbundle.com) - * [Enigma Protector](http://www.enigmaprotector.com) - * [EXE Bundle](http://www.webtoolmaster.com/exebundle.htm) - * [EXE Stealth](http://www.webtoolmaster.com/exestealth.htm) - * [eXPressor](http://www.cgsoftlabs.ro/express.html) - * [FSG](http://xtreeme.prv.pl/) - * [kkrunchy](http://www.farbrausch.de/~fg/kkrunchy/) - * [MEW](https://web.archive.org/web/20070831063728/http://northfox.uw.hu/index.php?lang=eng&id=dev) - * [MPRESS](http://www.matcode.com/mpress.htm) - * [Obsidium](http://www.obsidium.de) - * [PESpin](http://pespin.w.interia.pl) - * [Petite](http://www.un4seen.com/petite) - * [RLPack Basic](http://www.softpedia.com/get/Programming/Packers-Crypters-Protectors/RLPack-Basic-Edition.shtml) - * [Smart Packer 
Pro](http://www.smartpacker.nl) - * [Themida](http://www.oreans.com/themida.php) - * [UPX](https://upx.github.io/) - * [VMProtect](http://vmpsoft.com/products/vmprotect) - * [XComp/XPack](http://soft-lab.de/JoKo) - - [Goto Top^](#techniques-overview) - ---- - -## Obfuscation - -* Deliberate act of creating obfuscated code that is difficult for humans to understand -* Plain text strings will appear as base64 or Xor -* Malicious behavior will include junk functions or routines that do nothing to throw off the reverser. - * Control-Flow Flattening - * String Encryption - -![alt text](https://securedorg.github.io/images/CodeObfuscation.gif "CodeObfuscation") - -### Example Malware - -| Name | Hash | Link | -| --- | --- | --- | -| EXTRAC32.EXE | f4d9660502220c22e367e084c7f5647c21ad4821d8c41ce68e1ac89975175051 | [virustotal](https://www.virustotal.com/en/file/f4d9660502220c22e367e084c7f5647c21ad4821d8c41ce68e1ac89975175051/analysis/) | - - - [Goto Top^](#techniques-overview) - ---- - -## Persistence - -* Once malware gains access to a system, it often looks to be there for a long time. -* If the persistence mechanism is unique enough, it can even serve as a great way to identify a given piece of malware. - -![alt text](https://securedorg.github.io/images/Persistence.png "Persistence") - -### Example Malware - -| Name | Hash | Link | -| --- | --- | --- | -| Banker Trojan| cb07ec66c37f43512f140cd470912281f12d1bc9297e59c96134063f963d07ff | [virustotal](https://www.virustotal.com/en/file/cb07ec66c37f43512f140cd470912281f12d1bc9297e59c96134063f963d07ff/analysis/) | - - -[Goto Top^](#techniques-overview) - ---- - -## Privilege Escalation - -* Exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. 
-* Common Techniques: - * Dll Search Order Hijacking - * Dll injection - * Exploiting a vulnerability - * BufferOverflow - * StackOverflow - * Headspray - * Return Orientated Programming (ROP) - * Credential Theft - * UAC Bypasses - -Example: Dll Search Order Hijacking -![alt text](https://securedorg.github.io/images/DLLload.gif "Dll loading") - -[Goto Top^](#techniques-overview) - ---- - - -## Defense Evasion -* Evading detection or avoiding defenses. -* Common Techniques: - * Killing AV - * Deleting itself after a run - * Timebombs/Timestomping - * Stolen Certificates - * Dll Side Loading - * Masquerading - * Process Hallowing - * Code Injection - -### Example Malware - -| Name | Hash | Link | -| --- | --- | --- | -| darkcomet backdoor | 1be0ca062facda59239cc5621d0a3807a84ed7d39377041489b09d3870958fee | [virustotal](https://www.virustotal.com/en/file/1be0ca062facda59239cc5621d0a3807a84ed7d39377041489b09d3870958fee/analysis/) | - -[Goto Top^](#techniques-overview) - ---- - -## Credential Theft - -* Going after password storage -* Keylogging passwords -* Screenshots - -Example: Mimikatz -Credential theft -![alt text](https://securedorg.github.io/images/mimikatzElevate.png "Mimkatz Elevating") - -### Example Malware - -| Name | Hash | Link | -| --- | --- | --- | -| mimikatz | b4d7bfcfb8f85c4d2fb8cb33c1d6380e5b7501e492edf3787adee42e29e0bb25 | [virustotal](https://www.virustotal.com/en/file/b4d7bfcfb8f85c4d2fb8cb33c1d6380e5b7501e492edf3787adee42e29e0bb25/analysis/) | - -[Goto Top^](#techniques-overview) - ---- - -## Reconnaissance - -* Gain knowledge about the system and internal network. 
- -[Goto Top^](#techniques-overview) - ---- - -## Lateral Movement - -* Enable an adversary to access and control remote systems on a network and could - - -### Example Malware - -| Name | Hash | Link | -| --- | --- | --- | -| winmail.dat^QGIS-KOMIT .zip^QGIS-KOMIT .exe | c0f38384dd6c1536a0e19100b8d82759e240d58ed6ba50b433e892e02e819ebb | [virustotal](https://www.virustotal.com/en/file/c0f38384dd6c1536a0e19100b8d82759e240d58ed6ba50b433e892e02e819ebb/analysis/) | - - -[Goto Top^](#techniques-overview) - ---- - -## Execution - -* Techniques that result in execution of adversary-controlled code on a local or remote system -* scripts -* post-exploitation - -[Goto Top^](#techniques-overview) - ---- - - -## Collection - -* Identify and gather information, such as sensitive files, from a target network prior to exfiltration - -### Example Malware - -| Name | Hash | Link | -| --- | --- | --- | -| keylogger | 5d5c01d72216410767d089a3aabddf7fdbe3b88aff3b51b6d32280c3439038fa | [virustotal](https://www.virustotal.com/en/file/5d5c01d72216410767d089a3aabddf7fdbe3b88aff3b51b6d32280c3439038fa/analysis/) | - -[Goto Top^](#techniques-overview) - ---- - - -## Exfiltration - -* Removing files and information - -[Goto Top^](#techniques-overview) - ---- - - -## Command and Control - -* Communicate with systems under their control - -### Example Malware - -| Name | Hash | Link | -| --- | --- | --- | -| backdoor | 02fc2d262cb0d5e9d3e8202ea69013c5c8cc197685c73c0689cbeb243d508e76 | [virustotal](https://www.virustotal.com/en/file/02fc2d262cb0d5e9d3e8202ea69013c5c8cc197685c73c0689cbeb243d508e76/analysis/) | - - - -[Goto Top^](#techniques-overview) - -[x86 Assembly <- Back](https://securedorg.github.io/RE101/section1.3) | [Next -> Section 3](https://securedorg.github.io/RE101/section3) +[x86 Assembly <- Back](https://securedorg.github.io/RE101/section1.3) | [Next -> Malware Techniques](https://securedorg.github.io/RE101/section2.1) 
diff --git a/malware2.md b/malware2.md new file mode 100644 index 0000000..864b7be --- /dev/null +++ b/malware2.md 
@@ -0,0 +1,237 @@ +--- +layout: default +permalink: /RE101/section2.1/ +title: Malware Techniques +--- +[Go Back to Reverse Engineering Malware 101](https://securedorg.github.io/RE101/) + +# Section 2.1: Malware Techniques # + +## Techniques Overview +* [Compression](#compression) +* [Obfuscation](#obfuscation) +* [Persistence](#persistence) +* [Privilege Escalation](#privilege-escalation) +* [Defense Evasion](#defense-evasion) +* [Credential Theft](#credential-theft) +* [Reconnaissance](#recon) +* [Lateral Movement](#lateral-movement) +* [Execution](#execution) +* [Collection](#collection) +* [Exfiltration](#exfiltration) +* [Command and Control](#command-and-control) + +--- + +## Compression + +* Combining the compressed data with decompression code into a single executable +* Runtime packers +* Self extractive archives +* List of packers + * [Themida](http://www.oreans.com/themida.php) + * [Armadillo](http://www.siliconrealms.com/armadillo.php) + * [ASPack](http://www.aspack.com/aspack.html) + * [ASPR (ASProtect)](http://www.aspack.com/asprotect32.html) + * [BoxedApp Packer](http://www.boxedapp.com/boxedapppacker) + * [CExe](http://www.scottlu.com/Content/CExe.html) + * [dotBundle](http://www.dotbundle.com) + * [Enigma Protector](http://www.enigmaprotector.com) + * [EXE Bundle](http://www.webtoolmaster.com/exebundle.htm) + * [EXE Stealth](http://www.webtoolmaster.com/exestealth.htm) + * [eXPressor](http://www.cgsoftlabs.ro/express.html) + * [FSG](http://xtreeme.prv.pl/) + * [kkrunchy](http://www.farbrausch.de/~fg/kkrunchy/) + * [MEW](https://web.archive.org/web/20070831063728/http://northfox.uw.hu/index.php?lang=eng&id=dev) + * [MPRESS](http://www.matcode.com/mpress.htm) + * [Obsidium](http://www.obsidium.de) + * [PESpin](http://pespin.w.interia.pl) + * [Petite](http://www.un4seen.com/petite) + * [RLPack Basic](http://www.softpedia.com/get/Programming/Packers-Crypters-Protectors/RLPack-Basic-Edition.shtml) + * [Smart Packer Pro](http://www.smartpacker.nl) + * 
[Themida](http://www.oreans.com/themida.php) + * [UPX](https://upx.github.io/) + * [VMProtect](http://vmpsoft.com/products/vmprotect) + * [XComp/XPack](http://soft-lab.de/JoKo) + + [Goto Top^](#techniques-overview) + +--- + +## Obfuscation + +* Deliberate act of creating obfuscated code that is difficult for humans to understand +* Plain text strings will appear as base64 or Xor +* Malicious behavior will include junk functions or routines that do nothing to throw off the reverser. + * Control-Flow Flattening + * String Encryption + +![alt text](https://securedorg.github.io/images/CodeObfuscation.gif "CodeObfuscation") + +### Example Malware + +| Name | Hash | Link | +| --- | --- | --- | +| EXTRAC32.EXE | f4d9660502220c22e367e084c7f5647c21ad4821d8c41ce68e1ac89975175051 | [virustotal](https://www.virustotal.com/en/file/f4d9660502220c22e367e084c7f5647c21ad4821d8c41ce68e1ac89975175051/analysis/) | + + + [Goto Top^](#techniques-overview) + +--- + +## Persistence + +* Once malware gains access to a system, it often looks to be there for a long time. +* If the persistence mechanism is unique enough, it can even serve as a great way to identify a given piece of malware. + +![alt text](https://securedorg.github.io/images/Persistence.png "Persistence") + +### Example Malware + +| Name | Hash | Link | +| --- | --- | --- | +| Banker Trojan| cb07ec66c37f43512f140cd470912281f12d1bc9297e59c96134063f963d07ff | [virustotal](https://www.virustotal.com/en/file/cb07ec66c37f43512f140cd470912281f12d1bc9297e59c96134063f963d07ff/analysis/) | + + +[Goto Top^](#techniques-overview) + +--- + +## Privilege Escalation + +* Exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. 
+* Common Techniques: + * Dll Search Order Hijacking + * Dll injection + * Exploiting a vulnerability + * BufferOverflow + * StackOverflow + * Headspray + * Return Orientated Programming (ROP) + * Credential Theft + * UAC Bypasses + +Example: Dll Search Order Hijacking +![alt text](https://securedorg.github.io/images/DLLload.gif "Dll loading") + +[Goto Top^](#techniques-overview) + +--- + + +## Defense Evasion +* Evading detection or avoiding defenses. +* Common Techniques: + * Killing AV + * Deleting itself after a run + * Timebombs/Timestomping + * Stolen Certificates + * Dll Side Loading + * Masquerading + * Process Hallowing + * Code Injection + +### Example Malware + +| Name | Hash | Link | +| --- | --- | --- | +| darkcomet backdoor | 1be0ca062facda59239cc5621d0a3807a84ed7d39377041489b09d3870958fee | [virustotal](https://www.virustotal.com/en/file/1be0ca062facda59239cc5621d0a3807a84ed7d39377041489b09d3870958fee/analysis/) | + +[Goto Top^](#techniques-overview) + +--- + +## Credential Theft + +* Going after password storage +* Keylogging passwords +* Screenshots + +Example: Mimikatz +Credential theft +![alt text](https://securedorg.github.io/images/mimikatzElevate.png "Mimkatz Elevating") + +### Example Malware + +| Name | Hash | Link | +| --- | --- | --- | +| mimikatz | b4d7bfcfb8f85c4d2fb8cb33c1d6380e5b7501e492edf3787adee42e29e0bb25 | [virustotal](https://www.virustotal.com/en/file/b4d7bfcfb8f85c4d2fb8cb33c1d6380e5b7501e492edf3787adee42e29e0bb25/analysis/) | + +[Goto Top^](#techniques-overview) + +--- + +## Reconnaissance + +* Gain knowledge about the system and internal network. 
+ +[Goto Top^](#techniques-overview) + +--- + +## Lateral Movement + +* Enable an adversary to access and control remote systems on a network and could + + +### Example Malware + +| Name | Hash | Link | +| --- | --- | --- | +| winmail.dat^QGIS-KOMIT .zip^QGIS-KOMIT .exe | c0f38384dd6c1536a0e19100b8d82759e240d58ed6ba50b433e892e02e819ebb | [virustotal](https://www.virustotal.com/en/file/c0f38384dd6c1536a0e19100b8d82759e240d58ed6ba50b433e892e02e819ebb/analysis/) | + + +[Goto Top^](#techniques-overview) + +--- + +## Execution + +* Techniques that result in execution of adversary-controlled code on a local or remote system +* scripts +* post-exploitation + +[Goto Top^](#techniques-overview) + +--- + + +## Collection + +* Identify and gather information, such as sensitive files, from a target network prior to exfiltration + +### Example Malware + +| Name | Hash | Link | +| --- | --- | --- | +| keylogger | 5d5c01d72216410767d089a3aabddf7fdbe3b88aff3b51b6d32280c3439038fa | [virustotal](https://www.virustotal.com/en/file/5d5c01d72216410767d089a3aabddf7fdbe3b88aff3b51b6d32280c3439038fa/analysis/) | + +[Goto Top^](#techniques-overview) + +--- + + +## Exfiltration + +* Removing files and information + +[Goto Top^](#techniques-overview) + +--- + + +## Command and Control + +* Communicate with systems under their control + +### Example Malware + +| Name | Hash | Link | +| --- | --- | --- | +| backdoor | 02fc2d262cb0d5e9d3e8202ea69013c5c8cc197685c73c0689cbeb243d508e76 | [virustotal](https://www.virustotal.com/en/file/02fc2d262cb0d5e9d3e8202ea69013c5c8cc197685c73c0689cbeb243d508e76/analysis/) | + + + +[Goto Top^](#techniques-overview) + +[Malware Classes <- Back](https://securedorg.github.io/RE101/section2) | [Next -> Section 3](https://securedorg.github.io/RE101/section3)
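Review bot: in the first malware.md hunk (@@ -5,7 +5,7 @@) the H1 is renamed to `# Section 2: Malware Overview #`, but the front matter line shown as that hunk's context, `title: Malware Techniques`, is left as is, so the rendered page title and site navigation will still call this page "Malware Techniques" while the new malware2.md uses the identical `title:`. Change the `title:` in malware.md to `Malware Overview` in the same commit so the two pages are distinguishable.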
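Review bot: in the second malware.md hunk (@@ -33,231 +33,5 @@) the whole Techniques Overview and every section it anchored (`#compression` through `#command-and-control`) are deleted, and the only surviving pointer to the new location is the footer link `[Next -> Malware Techniques](https://securedorg.github.io/RE101/section2.1)`. Anyone arriving on malware.md via an old in-page link such as `#persistence` now lands on a short page with no hint that the material moved; a one-line pointer after the Malware Classes table would cover that. Also note the diffstat (228 deletions here, 237 insertions in malware2.md): the sections were copied rather than moved, so git will not record a rename and any defect in the old text is carried over verbatim unless fixed in the new file.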
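Review bot: in the malware2.md hunk (@@ -0,0 +1,237 @@) the Techniques Overview entry `* [Reconnaissance](#recon)` targets an anchor that does not exist; the heading `## Reconnaissance` generates `#reconnaissance`, so that TOC link is dead while every other entry matches its heading. Since this is a fresh copy, fix it here as `* [Reconnaissance](#reconnaissance)`. Other points in the same hunk: Themida appears twice in the packer list; the Lateral Movement bullet stops mid-sentence at "and could"; several technique names are misspelled and will become reference material for students (`Process Hallowing` should be `Process Hollowing`, `Headspray` should be `Heap Spray`, `Return Orientated Programming` should be `Return Oriented Programming`, `Self extractive archives` should be `Self-extracting archives`, and the image title reads `Mimkatz Elevating`); the `[Goto Top^]` links under Compression and Obfuscation are indented by one space unlike the rest; and `## Defense Evasion` has no blank line before its first bullet, which some Markdown renderers need to start a list.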