Hello, welcome to the Friday, May 22nd, 2020 edition of the Sansonet Storms and Stormers Stormcast.

My name is Johannes Ulrich.

And I'm recording from Jacksonville, Florida.

One thing I've sometimes seen or heard security people do is sort of try to impress others by stating how many samples of malware

they're analyzing each day. And of course, in a reasonably large network, you quickly end up

with a large number of samples. But the real question is always which one of these samples

actually matter.

So if you are analyzing hundreds, thousands of samples, why do you do this if most of them

are really pretty similar to each other and not really all that different in their function

and what they're trying to accomplish?

So triaging Malver samples is a big task.

And today, Xavier introduced us to a nice tool called Fame, which stands for Fame

automates Malvert evaluation, that has a plug-in architecture that you can use to quickly analyze Malver and at least come up with a quick

conclusion. Is this something old or something new or is it interesting? In particular, he's pointing

out the Floss module. Now, Floss was written by Fire Eye and it does stand for Fire Eye Labs

obfuscated string solver. And what it does is it finds obfuscated strings inside these

mal-resembles without actually having to execute them. And And then of course, if you see, for example, some standard library names, API calls,

or maybe host names or email addresses and such, that can be useful to gauge whether or not

this particular malware sample is worth further analysis.

And Xavier is going through a couple of examples here, like for example, how to find out whether

or not a particular sample, maybe taking advantage of process hollowing, which of course, one

of the little bit more interesting techniques.

...