This is a basic static malware analysis of the banking Trojan Dyre. The sample can be found at theZoo. We are analyzing Unpacked.DLL, which contains two payloads, one for the 32-bit and one for the 64-bit architecture.
Before interacting with the live sample, we first use PEStudio to gain some initial…
In the room we are introduced to several tools:
For Key 1 we have a .jpeg file. We first run exiftool to look at the metadata and find a hint in the Document Name tag.
Windows Event Logs are divided into three main core logs:
Malware can sometimes hide itself or impersonate common Windows processes. These are some of my notes on how to tell a real one from a fake one.
Some notes I’ve used to identify suspicious activity when searching through packet captures.
Of course, some of the basic hunting should include looking at ports and at strange hosts/IP addresses. Beyond those basic locations, we can look at the different protocols. …
File entropy is a rating that scores how random the data within a PE file is, on a scale of 0 to 8. A score of 0 means the data has no “randomness” at all (every byte is the same), while a score approaching 8 indicates the bytes are close to uniformly distributed, i.e. the data is highly “random”.
Files that are encrypted will…
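The entropy score described above is the Shannon entropy of the byte distribution, measured in bits per byte. The following is an added example (not code from the original post) that computes that score and then scans a buffer in fixed-size windows to flag the high-entropy regions an analyst would examine first; the sample buffer is constructed inline, and the 7.0 threshold and 256-byte window size are assumptions chosen for illustration.

```python
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 when every byte is identical,
    8.0 when all 256 byte values occur equally often."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def high_entropy_regions(data: bytes, window: int = 256, threshold: float = 7.0):
    """Split data into non-overlapping windows and return (offset, entropy)
    for every window whose entropy reaches the threshold.
    A 7.0 threshold and 256-byte window are assumed values for illustration;
    tune them per sample and per section."""
    hits = []
    for off in range(0, len(data), window):
        chunk = data[off:off + window]
        if len(chunk) < window // 2:  # skip a tiny trailing fragment
            continue
        e = shannon_entropy(chunk)
        if e >= threshold:
            hits.append((off, round(e, 2)))
    return hits


# Constructed sample buffer (not a real file): 512 zero bytes, then 512 bytes
# covering every value 0..255 twice (behaves like encrypted/packed data),
# then 512 more zero bytes.
SAMPLE = b"\x00" * 512 + bytes(range(256)) * 2 + b"\x00" * 512


def demo():
    """Return the flagged windows of SAMPLE, i.e. the offsets of the
    uniform-looking middle block."""
    return high_entropy_regions(SAMPLE)


if __name__ == "__main__":
    print("whole file:", round(shannon_entropy(SAMPLE), 2))
    for off, e in demo():
        print(f"high-entropy window at 0x{off:x}: {e}")
```

The whole-file score is only a coarse signal; windowed (or per-section) entropy is what separates a small encrypted payload embedded in an otherwise ordinary binary from a fully packed file.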
Malware infection via malicious macros (scripts embedded in Microsoft Office documents such as Word and Excel files) is one of the most successful attack techniques to date.
For example, current malware campaigns such as Emotet and QakBot infect users by sending seemingly legitimate documents attached to emails, e.g. an invoice for a business. However…
PDFs are capable of containing many more types of code that can be executed without the user’s knowledge. This includes:
remnux@thm-remnux:~/Tasks/3$ peepdf notsuspicious.pdf
Warning: PyV8 is not installed!!
File: notsuspicious.pdf
My notes on THM Room.
This room covers accessing a Samba share, exploiting a vulnerable version of ProFTPD to gain initial access, and escalating privileges to root via an SUID binary.
Scan the machine with nmap. How many ports are open?
Not shown: 993 closed ports