Analyze the malware found in the file Lab07–01.exe. How does this program ensure that it continues running (achieves persistence) when the computer is restarted? Looking into the imports, there is a CreateServiceA at 00404000. This is most likely used to establish persistence. We can see that this function is called…

In this lab, you will analyze the malware found in the file Lab06–01.exe. What is the major code construct found in the only subroutine called by main? sub_401000 is the only subroutine called in what looks to be an if else statement. …

Analyze the malware found in the file Lab05–01.dll using only IDA Pro. The goal of this lab is to give you hands-on experience with IDA Pro. If you’ve already worked with IDA Pro, you may choose to ignore these questions and focus on reverse-engineering the malware. What is the address…

Executive Summary RedLine Stealer is information-stealing malware that harvests login credentials and other sensitive data from a victim’s Windows host. This Wireshark quiz uses a packet capture (pcap) that “crosses a line” separating normal traffic from malicious activity. The malicious activity in this pcap is a RedLine Stealer infection from July 2023…

Background Earlier this month, Palo Alto Networks Unit 42 tweeted about Agent Tesla-style activity from a possible OriginLogger infection that was found Thursday, Jan. 5, 2023. The original tweet contains our initial analysis. You can also find further information on the associated malware binary. For this month’s exercise, we generated a…

Scenario Today’s diary is a traffic analysis quiz where you try to identify the malware based on a pcap of traffic from an infected Windows host. Download the pcap from this page, which also has the alerts. Don’t open or review the alerts yet, because they give away the answer. Background…

Link to exercise QUESTION What the heck is going on here? Analysis We are given a pcap and the .txt and .jpg of the alerts: First starting off with the alerts, our affected internal IP is 10.12.25.101. All alerts look to occur on port 80 (HTTP) and involve .101 and an external…

SCENARIO Do you have an office job? Are you tired of sitting at your computer all day? If so, don’t get a career in IT network security (buzzword: cyber). You won’t be able to escape the desk! Where’s the scenario in all of this? Some office person was infected with malware…

SCENARIO You are working as an analyst reviewing suspicious network events at your organization’s Security Operations Center (SOC). Things have been quiet for a while. However, you notice several alerts occur within minutes of each other on 3 separate hosts. Said one analyst to another: A lot of these alerts contain…