Category: Malware Analysis

  • Malware Analysis : Static String Analysis

    Strings extraction is the process of finding and extracting printable and meaningful sequences of characters from a file. This can be used to identify the functionality of a malicious file, as well as indicators of compromise (IOCs). The most common tool for extracting strings is Sysinternals’ Strings. FLOSS from FireEye can also be used to…

  • BTLO : Malware Analysis – Ransomware Script

    One of our web servers recently got compromised and was hit with ransomware. Luckily we had a restore point just before the files were encrypted, and managed to recover a suspicious script file that didn’t appear to have been run yet. What is the malicious IP address referenced multiple times in the script? The script…

  • 2014-11-23 Traffic analysis exercise

    https://www.malware-traffic-analysis.net/2014/11/23/index.html QUESTIONS 1) What is the IP address of the Windows VM that gets infected? To find the OS behind an address, I usually check the User-Agent field in the HTTP headers. Use the http filter and follow the stream. Answer : 172.16.165.132 2) What is the MAC address of the infected VM? Statistics –> Endpoints 3) What…

  • LetsDefend : Presentation As a Malware

    Can a ppt file be malware? File link: https://app.letsdefend.io/download/downloadfile/PO00187.zip/Password: infected Load up the malware in VirusTotal and examine the analysis. Sign up for an account to view more details. Question 1 What was the general name / category of the malicious file in the analyzed ppt file? A number of security vendors have labeled them as…

  • LetsDefend : Remote Working

    https://app.letsdefend.io/challenge/remote-working/ Analysis XLS File File link: https://app.letsdefend.io/download/downloadfile/ORDER_SHEET_SPEC.zip/Password: infected NOTE: Do not open on your local environment. It is a malicious file. Tools : VirusTotal.com This malware contains an XLS file. We can upload the file into VirusTotal to examine some details. Question 1 What is the date the file was created? The History section of the…

  • LetsDefend: Dynamic Malware Analysis Example #2

    https://app.letsdefend.io/training/lesson_detail/dynamic-malware-analysis-example-2 Connect to the Hands-On Practice lab on the page. LetsDefend has set up a system with the necessary tools for the malware analysis. Since it is dynamic analysis, we should set up the following tools before running the malware. Start up Process Hacker, which is a free, powerful, multi-purpose tool that helps you monitor…

  • LetsDefend: Dynamic Malware Analysis Example #1

    https://app.letsdefend.io/training/lesson_detail/dynamic-malware-analysis-example-1 Connect to the Hands-On Practice lab on the page. LetsDefend has set up a system with the necessary tools for the malware analysis. Since it is dynamic analysis, we should set up the following tools before running the malware. Start up Process Hacker, which is a free, powerful, multi-purpose tool that helps you monitor…

  • LetsDefend : Malicious VBA

    https://app.letsdefend.io/challenge/Malicious-VBA/ One of the employees has received a suspicious document attached in the invoice email. They sent you the file to investigate. You managed to extract some strings from the VBA Macro document. Can you refer to CyberChef and decode the suspicious strings? Please, open the document in Notepad++ for security reasons unless you are…

  • LetsDefend : Malicious Doc

    Analyze malicious .doc file File link: https://app.letsdefend.io/download/downloadfile/factura.zip/Password: infected NOTE: Do not open on your local environment. It is a malicious file. Tools used: Upload the malware in VirusTotal and examine the report. A thorough examination can be seen with the detection, details, relations and behaviors tabs. To have a more graphical examination, the AnyRun sandbox environment…

  • Practical Malware Analysis : Lab 3-3

    Tools used: Questions Execute the malware found in the file Lab03-03.exe while monitoring it using basic dynamic analysis tools in a safe environment. 1. What do you notice when monitoring this malware with Process Explorer? Run the malware and check Process Explorer. Once the malware is executed it creates a svchost.exe and deletes itself. 2. Can…

  • Practical Malware Analysis : Lab 1-4

    Tools used: VirusTotal.com PEview PEiD Dependency Walker Malcode Analyst Pack Resource Hacker Questions 1. Upload the Lab01-04.exe file to http://www.VirusTotal.com/. Does it match any existing antivirus definitions? 2. Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible. No…

  • Practical Malware Analysis : Lab 1-3

    Tools used: VirusTotal.com PEview PEiD Dependency Walker Malcode Analyst Pack Questions 1. Upload the Lab01-03.exe file to http://www.VirusTotal.com/. Does it match any existing antivirus definitions? 2. Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible. The file is…

  • Practical Malware Analysis : Lab 1-2

    Tools used: VirusTotal.com PEview PEiD UPX Dependency Walker Malcode Analyst Pack Questions 1. Upload the Lab01-02.exe file to http://www.VirusTotal.com/. Does it match any existing antivirus definitions? 2. Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible. The file…

  • Practical Malware Analysis : Lab 1-1

    Tools used: VirusTotal.com PEview PEiD Dependency Walker Malcode Analyst Pack Questions 1. Upload the files to http://www.VirusTotal.com/ and view the reports. Does either file match any existing antivirus signatures? 2. When were these files compiled? PEview 3. Are there any indications that either of these files is packed or obfuscated? If so, what are these indicators?…
