Main conference (21 to 23 May 2025 in Angers, France), including all lunches, coffee breaks, gala dinner. Does not include the optional workshops on May 20th.

Main conference (21 to 23 May 2025 in Angers, France), including all lunches, coffee breaks, gala dinner. Does not include the optional workshops on May 20th.

Only available for law enforcement personnel. Specific checks will be made before payment.

Main conference (21 to 23 May 2025 in Angers, France), including all lunches, coffee breaks, gala dinner. Does not include the optional workshops on May 20th.

Only available for students or people registered as unemployed. Specific checks will be made before payment. Pleae use a student email when registering as a student.

This option allows you to bring a friend or a partner at the gala dinner (Thursday 22nd May 2025)

Federico Valentini, Alessandro Strino and Michele Roviello

Understanding Android malware can initially feel daunting and disorienting, but with a solid foundation of knowledge and a touch of automation, the process becomes much easier. This workshop teaches participants the essential concepts required to analyze Android malware effectively. The knowledge gained here can be applied to other security domains, such as malware detection, classification, and automation. By attending, participants will develop technical expertise and gain a deeper understanding of the techniques and methodologies commonly used in malware analysis. Another key goal of this workshop is to delve into the analyst's mindset, helping attendees adopt the critical thinking and problem-solving approach required for reverse engineering tasks.

Designed for both aspiring analysts and those with intermediate experience, this workshop emphasizes the development of critical thinking and systematic problem-solving approaches essential for effective reverse engineering. Participants will analyze prominent malware families, including Toxic Panda, DroidBot, Bingomod, etc.. through a combination of static and dynamic analysis techniques enhanced by practical Python scripting and Frida instrumentation.

[...]

Éric Leblond and Peter Manev

The objective of this workshop is to demonstrate how Suricata can be used to leverage network information when tracking malware.

With the logging of protocols transactions (NSM), Suricata provides an exhaustive view of network activity that can be used when the intrusion detection part of Suricata has failed detecting the malware. But did it really failed ? In a lot of cases, generic signatures are highlighting the activity of malware but they need to be look at and understood to be able to detect the malicious activity.

On top of that, some other techniques such as learning dataset can also be used to detect malware activity.

Once the network characteristics of the malware have been established, it is then time to determine which IOCs can be used and/or write signatures to have a detection dedicated to this malware.

Max 'Libra' Kersten

This four-hour workshop primarily focuses on the analyst mindset and fundamental knowledge with regards to reverse engineering, including but not limited to understanding Ghidra’s core capabilities such as the disassembly and decompiler views, creating and retyping data structures, writing scripts to extend and automate tasks, and the creation and use of function recognition databases for FunctionID and BSim.

The concepts behind the capabilities of Ghidra are the focus of the theory and during the hands-on exercises, allowing one to transfer the gained knowledge to another tool if so desired. As such, this class is perfect for aspiring and beginning analysts, while also providing background information and additional techniques for intermediate analysts.

The workshop’s materials will partially consist of multiple malware samples, the precautions for which will be explained in-detail during the workshop, ensuring the safety and integrity of the systems of the attendees. A laptop with a preinstalled Intel based 64-bit Ubuntu 22.04 VM, along with Ghidra, Eclipse, and OpenJDK 21 is required.

Additionally, knowing how to read C/C++ is required when dealing with decompiled code. Being able to read and write Java is required for the automation scripting, even though Python 2 can be used as well. If you cannot write Java and would still like to participate, you are welcome, but do note that this will impede some parts of the workshop’s exercises.