This sample, question, and answers are all from malware-traffic-analysis.net. Shout out Brad. Opening up this PCAP file we can automatically see that there is large amount of HTTP traffic. …

This sample, questions, and answers are based off the post on Malware Traffic Analysis. LEVEL 1 QUESTIONS: What is the IP address of the Windows VM that gets infected? The host most likely is infected via the internet so we can filter wireshark by http.request and see that almost all requests have 172.16.165.165…

In this post, we are looking to manually unpack the sample called Redaman, which is a banking trojan. Some of its capabilities include: Monitor browser activity, Downloading files to the infected host Keylogging activity Capture screen shots and record video of the Windows desktop Collecting and exfiltrating financial data, specifically…

Malware Analysis of Olympic Destroyer. PEStudio:

This is a basic static malware analysis of a Banking Trojan named Dyre. This sample can be found at The Zoo. We are analyzing the Unpacked.DLL which contains two payloads for 32 and 64 bit architecture. Phase 1: Static Analysis PEStudio Before interacting with the live sample, we first use PEStudio to gain some initial…

Writeup on THM Room. — In the room we are introduced to several tools: Steghide zsteg exiftool Stegoveritas Spectograms The final slide introduces us to three challenges, here are my solutions: For Key 1 we have a .jpeg file. We first run exiftool to look at the metadata and find a hint under document name. exiftool exam1.jpeg…

Windows Event Log are divided into three main core logs: Application Logs — contain events logged by applications or user programs System Logs — contain events from drivers loaded and unloaded, network configurations, and windows service events Security Logs — contain events related to Windows authentication and security processes such…

Malware can sometimes hide itself or impersonate common Windows processes. These are some of my notes on how to differentiate between real and fake. Checklist: What is the expected parent process? Is it running on the expected path? Is it spelled correctly? Is it running under the correct SID? Is…

Some notes that I’ve used when to identify suspicious activity searching through packet captures. Of course some of the basic hunting should include looking at ports and strange host/ip addresses. Other than those basic locations, we can look at the different protocols. …