How To: Extract Network Indicators of Compromise (IOCs) from Maldoc Macros
Part 1:
https://security-soup.net/extractnetworkindicators-part1/
Part 2:
https://security-soup.net/how-to-extract-network-indicators-of-compromise-iocs-from-maldoc-macros-part-2/
Part 3:
https://security-soup.net/how-to-extract-network-indicators-of-compromise-iocs-from-maldoc-macros-part-3/
Forwarded from MalScanBotChannel
Here is a quick video demonstrating how @MalScanBot can be used to quickly analyze an xls file for malicious indicators from your mobile device.
Pafish is a demonstration tool that employs several techniques to detect sandboxes and analysis environments in the same way as malware families do.
https://github.com/a0rtega/pafish
NEW URSNIF VARIANT TARGETS JAPAN PACKED WITH NEW FEATURES
https://www.cybereason.com/blog/new-ursnif-variant-targets-japan-packed-with-new-features
Auto-renaming dummy-named functions, which have one API call or jump to the imported API
https://github.com/a1ext/auto_re
Indicators of Compromise vs. Tactics, Techniques, and Procedures
https://azeria-labs.com/iocs-vs-ttps/
Forwarded from Web Security | Bug hunting
Embed and hide any file in HTML:
https://github.com/Arno0x/EmbedInHTML
Corona DDoS bot
In this article, multiple phases will be described using the usual step-by-step approach. Firstly, the main function is analysed in order to get an overview of the malware’s layout. Secondly, the local address is obtained. Thirdly, the mutex that is used by the malware is described. Fourthly, the decryption routine for the encrypted strings will be analysed and rewritten in Java. Using this decryptor, the actual values of the encrypted strings can be obtained. Fifthly, the bot’s registration at the command & control server will be analysed, including a connectivity check. Sixthly, the process of dispatching incoming commands will be analysed. Lastly, a conclusion is made based upon the findings.
https://maxkersten.nl/binary-analysis-course/malware-analysis/corona-ddos-bot/
Reverse Engineering Gootkit with Ghidra Part I
https://dannyquist.github.io/gootkit-reversing-ghidra/
Malcolm is a powerful, easily deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files) and Zeek logs.
https://github.com/idaholab/Malcolm
A Deep Dive into the Emotet Malware
Emotet is a trojan that is primarily spread through spam emails. During its lifecycle, it has gone through a few iterations. Early versions were delivered as a malicious JavaScript file. Later versions evolved to use macro-enabled Office documents to retrieve a malicious payload from a C2 server.
https://www.fortinet.com/blog/threat-research/deep-dive-into-emotet-malware.html