It took me quite a bit to finally find time to work through this amazing course made by @0verfl0w_ and @VK_Intel. If you always wanted to get started into malware analysis or enhance your skills as SOC analyst, don’t hesitate to enroll into this course, they dive as deep as possible into analysis and have a LOT of samples to analyze during course.
Custom Sample background
Hi there,
During an ongoing investigation, one of our IR team members managed to locate an unknown sample on an infected machine belonging to one of our clients. We cannot pass that sample onto you currently as…
The other day I read amazing presentation from Black Hills Information Security about how Blue Team can benefit from using Red Team tools and techniques to improve general security posture and their detection capabilities and started thinking if this works the other way. How Red Team can apply Blue Team tools, techniques and tactics to improve their foothold, stay under radar as much as possible and move detection and response to the next level.
Just imagine — you established initial access to the network, and before running mimikatz or network scan you started collecting Windows logs. From log information you…
Because Ransomware attacks are currently number one cyber threat — techniques, tools and procedures for their detection and response become more and more important. There are a lot of ways how you can start detecting ransomware activity on your endpoint or network. For example catching creation of thousands DECRYPT_ME.txt on the file system or bunch of suspicious WinAPI calls collected with Sysmon. And today I would like to share my experience building ransomware detection tool.
During research I found amazing collection of ransomware prevention techniques from @cyb3rops with his Ransomware Overview. So go and check it out!
Theory
Before we dive…
So far you got your first sample either during ongoing Incident Response or your are just studying (you can use this automated tool to collect in the wild samples). What are your next steps? Load sample to IDA and give it a try? Or maybe upload a sample to hybrid analysis to get some insights about its behavior?
In this article I would like to take a step back and get a bird’s eye view on the malware analysis process. In general when you dissecting sample you’re looking for answers like is this file benign or how it communicates with…
Special thanks to FLARE team for their annual FLARE-On challenges!
In this article I would like to show you how reverse engineering process looks like, where to put attention and some tricks I use.
Let’s get started! I will use special FLARE-On Level from BHUSA2019 as example. Link to the archive with password is on the picture below.
Downloaded archive contains two files — our binary and note which says: “Solve the challenge to get a sticker”.
First thing I usually do is checking binary file with file utility (https://linux.die.net/man/1/file) to get insight about its file extension.
$ file MemeCatBattlestation.exe…
When you only start learning malware analysis, it is always frustrating to find malicious samples, as those from practical malware analysis labs are a little bit old and you have already mastered them. These thoughts pushed me to research different malware sources and ways to automate this routine.
Here is a great list of malware samples sources: https://www.megabeets.net/fantastic-malware-and-where-to-find-them
Also @0xffff0800 has a nice malware library available with the tor link http://iec56w4ibovnb4wc.onion
There are a lot of different platforms where you can get malicious files —VirusTotal, VirusBay, VirusShare or maybe you have your own custom honeypot network. It’s up to you…
