{"id":16791,"date":"2019-11-05T18:41:36","date_gmt":"2019-11-06T02:41:36","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/11\/05\/news-10530\/"},"modified":"2019-11-05T18:41:36","modified_gmt":"2019-11-06T02:41:36","slug":"news-10530","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/11\/05\/news-10530\/","title":{"rendered":"BlackHat 2019 Arsenal &amp; BLACKPHENIX Framework"},"content":{"rendered":"<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12\" width=\"100%\" height=\"420\">\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>This year I attended BlackHat 2019 and <a href=\"https:\/\/github.com\/fortinet\/ips-bph-framework\/raw\/master\/docs\/BH19_BLACKPHENIX_CHRISNAVARRETE.pdf\">presented a framework<\/a> at the Arsenal that I have been working with in the lab for some time called \u201c<a href=\"https:\/\/www.blackhat.com\/us-19\/arsenal\/schedule\/#blackphenix-malware-analysis--automation-framework-16941\">BLACKPHENIX \u2013 Malware Analysis + Automation Framework<\/a>.\u201d I had a great time meeting new people and answering interesting questions from attendees. 
I would like to extend my gratitude to the BlackHat staff for such a great experience.<\/p>\n<p>Here are some pictures taken during my presentation:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/blackhat-black-phenix-framework\/_jcr_content\/root\/responsivegrid\/image_1829600696.img.png\/1571424227543\/bh-bp.png\" alt>         <\/noscript>                   <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2>What is BLACKPHENIX?<\/h2>\n<p>BLACKPHENIX is an open-source malware analysis automation framework composed of services, scripts, plug-ins, and tools based on a Command-and-Control (C&amp;C) architecture. It relies on virtual machine software to operate, and on scripts to remotely control (GUI and console) tools and scripts running on a guest (analysis) virtual machine. Results are reported back to a controller machine for further deep data analysis and execution decisions.<\/p>\n<h2>Why Develop this Framework?<\/h2>\n<p>In general terms, the purpose of BLACKPHENIX is to help malware analysts speed up their \u201cpost-Sandbox\u201d analysis process by automating tasks through the creation of Python scripts (BPH Scripts) and analysis modules (BPH Analysis). Instead of waiting for Sandbox reports to start investigating, an analyst can leverage the framework to do the hard work for them \u2013 automatically.<\/p>\n<p>Today\u2019s malware analysis process is composed of combinations of tools and various environment requirements that often delay analysis. 
The BLACKPHENIX framework provides a single execution point whereby well-known malware\/system analysis tools can be used programmatically.<\/p>\n<p>Lab infrastructure is also a common problem for analysts: setting up the right environment consumes time and resources, and sometimes requires specific skills. This is another problem that BLACKPHENIX tries to solve. For instance, the following video shows how the framework can dynamically modify its virtualized network environment, switching between NAT (open Internet access) and the TOR network, all from a single BPH Script.<\/p>\n<h3><b><i>Automatic Internet &amp; TOR redirection \u2013 (BPH Virtual Machine Manager + Python)<\/i><\/b><\/h3>\n<\/p><\/div>\n<div class=\"video aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"video__container\">              <iframe loading=\"lazy\" class=\"youtube_embed\" src=\"https:\/\/www.youtube.com\/embed\/H3W7r8AaHlI?autoplay=0&#038;rel=0&#038;controls=0&#038;showinfo=0\" frameborder=\"0\" gesture=\"media\" allow=\"encrypted-media\" allowfullscreen width=\"100%\" height=\"420\" style=\"\"><\/iframe>      <\/div>\n<\/p><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>During the early development of the framework, we used BPH Scripts to detect new malware and variants. 
One of our malware research engagements resulted in two <a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/microsoft-word-file-spreads-malware-targeting-both-apple-mac-os-x-and-microsoft-windows.html\">blog<\/a> <a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/microsoft-word-file-spreads-malware-targeting-both-mac-os-x-and-windows-part-ii.html\">posts<\/a> on Fortinet\u2019s threat research blog, showcasing findings drawn from data collected by BLACKPHENIX.<\/p>\n<h2>Features<\/h2>\n<ul>\n<li>Easy Installation &amp; Deployment<\/li>\n<li>Tool automation modules<\/li>\n<li>Virtual Machine management<\/li>\n<li>Scripting support (Python)<\/li>\n<li>Internet emulation<\/li>\n<li>Traffic redirection<\/li>\n<li>TOR support<\/li>\n<\/ul>\n<h2>Architecture Overview<\/h2>\n<p>The following picture shows the architectural overview of the framework.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/blackhat-black-phenix-framework\/_jcr_content\/root\/responsivegrid\/image_628999648.img.png\/1571424420898\/bh-fig-five.png\" alt>         <\/noscript>                   <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2>Your Tool == My Python Object<\/h2>\n<p>In the context of BLACKPHENIX, every tool and every malware artifact (sample) is a Python object. For instance, the packer detection tool \u201cPEiD\u201d can be instantiated as <i>peid = Peid(\"MySample.exe\")<\/i>, and its methods can then be called as <i>peid.deep_scan()<\/i>, all from a BPH Script. A sample object\u2019s methods (<i>sample.symbols()<\/i>) and attributes (<i>sample.md5<\/i>, <i>sample.path<\/i>, etc.) can be accessed as well. 
A single \u201cBPH Script\u201d can execute several tools (bundled execution), and the data generated by those tools can be automatically analyzed via a \u201cBPH Analysis\u201d module. BLACKPHENIX users can also easily integrate their own tools\/scripts into the framework.<\/p>\n<h2>How This Tool Can Be Used<\/h2>\n<p>Analysts can use the framework to perform automated, virtual machine-based malware analysis activities by automating the execution of well-known analysis tools, custom tools, and scripts that run in a remote virtual machine. They do this through Python scripts called \u201cBPH Scripts\u201d, with \u201cBPH Analysis Modules\u201d performing parsing and further data analysis.<\/p>\n<p>A malware analyst can use the framework to fulfill a specific requirement that must be met within a tight schedule, such as writing a quick prototype to collect specific data when a malware sample behaves in a certain way.<\/p>\n<h2>What Are BLACKPHENIX (BPH) Scripts?<\/h2>\n<p>BPH Scripts are Python scripts that import the Python modules for Windows tools (BPH Plug-ins) and contain execution instructions for one or more imported tools (bundled execution). For instance, a BPH Script can call the UPX tool to unpack a UPX-compressed executable, and the next instruction can call another tool, such as ExeInfoPe or any other tool selected by the user. Since BPH Scripts are simply Python scripts, a user can add non-BPH Python code to adapt the results to specific analysis or research requirements.<\/p>\n<p>The following code illustrates the structure of a BPH Script for the ExeInfoPe tool. Once this script is executed, BLACKPHENIX processes the file, running the tool with its default options. After execution, the data is gathered and sent back to the C&amp;C. 
The \u201coutput()\u201d call displays the tool\u2019s response in its console, and the \u201cfiles()\u201d call lists the absolute paths of the files it produced.<\/p>\n<\/p><\/div>\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\">\n<pre><code class=\"language-python\"># Tool imports\nfrom bph.tools.windows.exeinfope import BphExeInfoPe as ExeInfoPe\n\n# Core imports\nfrom bph.core.server.template import BphTemplateServer as TemplateServer\nfrom bph.core.session import BphSession as Session\nfrom bph.core.sample import BphLabFile as LabFile\n\n# Open a named analysis session on the controller; the sample stays in place\nsession = Session(project_name='blackhat_arsenal_2019')\nsession.start()\nsession.set_launcher(move_sample=False)\n\n# Start the template server used to talk to the analysis VM\ntemplateserver = TemplateServer()\ntemplateserver.start()\n\n# Wrap the launched sample as a lab file object\nsample_file = LabFile(session.launcher_abs_path)\n\n# Run ExeInfoPe against the sample with its default options\nexeinfope = ExeInfoPe(sample_file)\nexeinfope.default()\nexeinfope.execute()\nexeinfope.output()   # show the tool's response in the console\nexeinfope.files()    # list absolute paths of the files it generated\n<\/code><\/pre>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2>BPH Scripts &#8211; Execution Demos<\/h2>\n<p>To help users better understand how this all works, I am sharing some videos I presented at BlackHat Arsenal 2019 showcasing BPH script executions and 
interactions between the BPH Controller and Analysis virtual machines \u2013 all together.<\/p>\n<p>All BPH Scripts can be found in the \u201cexamples\u201d folder of the framework\u2019s package.<\/p>\n<h3><b><i>Malware Initial Assessment (PEStudio)<\/i><\/b><\/h3>\n<\/p><\/div>\n<div class=\"video aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"video__container\">              <iframe loading=\"lazy\" class=\"youtube_embed\" src=\"https:\/\/www.youtube.com\/embed\/g2fm_pVlBzI?autoplay=0&#038;rel=0&#038;controls=0&#038;showinfo=0\" frameborder=\"0\" gesture=\"media\" allow=\"encrypted-media\" allowfullscreen width=\"100%\" height=\"420\" style=\"\"><\/iframe>      <\/div>\n<\/p><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h3><b><i>Packer Detection &amp; Automatic Unpacking (ExeInfoPe + UPX)\u00a0<\/i><\/b><\/h3>\n<\/p><\/div>\n<div class=\"video aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"video__container\">              <iframe loading=\"lazy\" class=\"youtube_embed\" src=\"https:\/\/www.youtube.com\/embed\/N6pKygN0C5s?autoplay=0&#038;rel=0&#038;controls=0&#038;showinfo=0\" frameborder=\"0\" gesture=\"media\" allow=\"encrypted-media\" allowfullscreen width=\"100%\" height=\"420\" style=\"\"><\/iframe>      <\/div>\n<\/p><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h3><b><i>Behavioral Analysis (Procmon)\u00a0<\/i><\/b><\/h3>\n<\/p><\/div>\n<div class=\"video aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"video__container\">              <iframe loading=\"lazy\" class=\"youtube_embed\" src=\"https:\/\/www.youtube.com\/embed\/T2ei1AHLDqs?autoplay=0&#038;rel=0&#038;controls=0&#038;showinfo=0\" frameborder=\"0\" gesture=\"media\" allow=\"encrypted-media\" allowfullscreen width=\"100%\" height=\"420\" style=\"\"><\/iframe>      <\/div>\n<\/p><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h3><b><i>XOR-Key Scanning 
(XorSearch)<\/i><\/b><\/h3>\n<\/p><\/div>\n<div class=\"video aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"video__container\">              <iframe loading=\"lazy\" class=\"youtube_embed\" src=\"https:\/\/www.youtube.com\/embed\/B2KddNK2MTU?autoplay=0&#038;rel=0&#038;controls=0&#038;showinfo=0\" frameborder=\"0\" gesture=\"media\" allow=\"encrypted-media\" allowfullscreen width=\"100%\" height=\"420\" style=\"\"><\/iframe>      <\/div>\n<\/p><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h3><b><i>Debugger Execution (OllyDbg + OllyScript)<\/i><\/b><\/h3>\n<\/p><\/div>\n<div class=\"video aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"video__container\">              <iframe loading=\"lazy\" class=\"youtube_embed\" src=\"https:\/\/www.youtube.com\/embed\/jkG1Xe34Xjg?autoplay=0&#038;rel=0&#038;controls=0&#038;showinfo=0\" frameborder=\"0\" gesture=\"media\" allow=\"encrypted-media\" allowfullscreen width=\"100%\" height=\"420\" style=\"\"><\/iframe>      <\/div>\n<\/p><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h3><b><i>Memory Dumping &#8211; Malware Execution &#8211; W32\/Farfli.PZ!tr (pd32)<\/i><\/b><\/h3>\n<\/p><\/div>\n<div class=\"video aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"video__container\">              <iframe loading=\"lazy\" class=\"youtube_embed\" src=\"https:\/\/www.youtube.com\/embed\/0jV-H_ndFbQ?autoplay=0&#038;rel=0&#038;controls=0&#038;showinfo=0\" frameborder=\"0\" gesture=\"media\" allow=\"encrypted-media\" allowfullscreen width=\"100%\" height=\"420\" style=\"\"><\/iframe>      <\/div>\n<\/p><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h3><b><i>Network Traffic &#8211; Malware Execution \u2013 W32\/Agent.J!tr (NetworkTrafficView)<\/i><\/b><\/h3>\n<\/p><\/div>\n<div class=\"video aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"video__container\">              <iframe 
loading=\"lazy\" class=\"youtube_embed\" src=\"https:\/\/www.youtube.com\/embed\/CX7dsNN3-g4?autoplay=0&#038;rel=0&#038;controls=0&#038;showinfo=0\" frameborder=\"0\" gesture=\"media\" allow=\"encrypted-media\" allowfullscreen width=\"100%\" height=\"420\" style=\"\"><\/iframe>      <\/div>\n<\/p><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2>Supported Tools (v1.0.0)<\/h2>\n<p>BLACKPHENIX provides support for the following tools:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--0\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/blackhat-black-phenix-framework\/_jcr_content\/root\/responsivegrid\/image_742806487.img.png\/1571424565245\/bh-fig-thirteen.png\" alt>         <\/noscript>                   <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>*Upcoming release<\/p>\n<h2>Where Can I Download BLACKPHENIX?<\/h2>\n<p>The BLACKPHENIX Framework can be downloaded from the following URL:<\/p>\n<p><a href=\"https:\/\/github.com\/fortinet\/ips-bph-framework\">https:\/\/github.com\/fortinet\/ips-bph-framework<\/a><\/p>\n<p>Users can refer to the \u201c<b>BPH Implementation Manual<\/b>\u201d and \u201c<b>BPH Script Development<\/b> <b>Guide\u201d<\/b> documentation which is located in the \u201cdocs\u201d folder.<\/p>\n<h2>Contact<\/h2>\n<p>BLACKPHENIX Dev Team<br \/> <a href=\"mailto:bph_framework@fortinet.com\">bph_framework@fortinet.com<\/a><\/p>\n<p><i>Learn more about\u00a0<a href=\"https:\/\/www.fortinet.com\/fortiguard\/threat-intelligence\/threat-research.html?utm_source=nreleaseblog&amp;utm_campaign=2018-q2-fortiguardlabs-cta\">FortiGuard Labs<\/a>\u00a0and the FortiGuard Security Services\u00a0<a 
href=\"https:\/\/www.fortinet.com\/support-and-training\/support-services\/fortiguard-security-subscriptions.html?utm_source=blog&amp;utm_campaign=2018-blog-security-services\">portfolio<\/a>.\u00a0<a href=\"https:\/\/www.fortinet.com\/fortiguard\/threat-intelligence\/threat-research.html?utm_source=nreleaseblog&amp;utm_campaign=2018-q2-fortiguardlabs-cta\">Sign up<\/a>\u00a0for our weekly FortiGuard Threat Brief.<\/i><\/p>\n<p><i>Read about the FortiGuard\u00a0<a href=\"https:\/\/www.fortinet.com\/support-and-training\/support-services\/fortiguard-security-subscriptions\/security-rating.html?utm_source=blog&amp;utm_campaign=2018-blog-security-rating-service\">Security Rating Service<\/a>, which provides security audits and best practices.<\/i><\/p>\n<\/p><\/div>\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\">\n<div id=\"om-qxx1b0gslklfu2kjckea-holder\"><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<p><a href=\"http:\/\/feedproxy.google.com\/~r\/fortinet\/blog\/threat-research\/~3\/xj_HnX4lnuw\/blackhat-black-phenix-framework.html\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/fortinet\/blog\/threat-research<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"\/blog\/threat-research\/blackhat-black-phenix-framework\/_jcr_content\/root\/responsivegrid\/image_1829600696.img.png\/1571424227543\/bh-bp.png\"\/><br \/>Learn more about BLACKPHENIX, an open-source malware analysis automation framework composed of services, scripts, plug-ins, and tools based on a Command-and-Control (C&amp;C) architecture.&lt;img src=&#8221;http:\/\/feeds.feedburner.com\/~r\/fortinet\/blog\/threat-research\/~4\/xj_HnX4lnuw&#8221; height=&#8221;1&#8243; width=&#8221;1&#8243; 
alt=&#8221;&#8221;\/&gt;<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10424,10378],"tags":[],"class_list":["post-16791","post","type-post","status-publish","format-standard","hentry","category-fortinet","category-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/16791","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=16791"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/16791\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=16791"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=16791"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=16791"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}