This is a basic static malware analysis of a Banking Trojan named Dyre. This sample can be found at The Zoo. We are analyzing the Unpacked.DLL which contains two payloads for 32 and 64 bit architecture.

Phase 1: Static Analysis


Before interacting with the live sample, we first use PEStudio to gain some initial…

Writeup on THM Room.

In the room we are introduced to several tools:

  • Steghide
  • zsteg
  • exiftool
  • Stegoveritas
  • Spectograms

The final slide introduces us to three challenges, here are my solutions:

For Key 1 we have a .jpeg file. We first run exiftool to look at the metadata and find a hint under document name.

exiftool exam1.jpeg…

Windows Event Log are divided into three main core logs:

  • Application Logs — contain events logged by applications or user programs
  • System Logs — contain events from drivers loaded and unloaded, network configurations, and windows service events
  • Security Logs — contain events related to Windows authentication and security processes such…

Malware can sometimes hide itself or impersonate common Windows processes. These are some of my notes on how to differentiate between real and fake.


  1. What is the expected parent process?
  2. Is it running on the expected path?
  3. Is it spelled correctly?
  4. Is it running under the correct SID?
  5. Is…

Some notes that I’ve used when to identify suspicious activity searching through packet captures.

Of course some of the basic hunting should include looking at ports and strange host/ip addresses. Other than those basic locations, we can look at the different protocols. …

PDF’s are capable of containing many more types of code that can be executed without the user’s knowledge. This includes:

  • Javascript
  • Python
  • Executables
  • Powershell Shellcode

We can use peepdf to analyze a pdf file to see if there is JavaScript.

remnux@thm-remnux:~/Tasks/3$ peepdf notsuspicious.pdf 
Warning: PyV8 is not installed!!
File: notsuspicious.pdf

My notes on THM Room.

This room will cover accessing a Samba share, manipulating a vulnerable version of proftpd to gain initial access and escalate your privileges to root via an SUID binary.

Enumeration with Nmap

Scan the machine with nmap, how many ports are open?


Not shown: 993 closed ports


cyber enthusiast

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store