SANS FOR610 Training The full name of the FOR610 training from SANS is “Reverse-Engineering Malware: Malware Analysis Tools and Techniques”. The goal is to learn how to efficiently analyze malwares in various forms (mainly Windows and Script files) depending on what is the purpose of the analysis : to understand how a security incident started, […]
SANS FOR610 Training & GREM Certification Review Read More »
Attackers started recently to use Microsoft OneNote file to distribute malwares by email. I’ve decided to take a to public sample and analyse it (Thanks @pr0xylife for sharing it !). To proceed, I’ll use my Malware Analysis Lab as described here. I’ll start with a static analysis of the file to discover what will be
From OneNote to Quakbot (BB12) Read More »
In order to safely analyze malwares, the very first step is to setup a lab. I’ve read multiple articles about it but I’ve decided to write my own guide compiling all the small details that were important to me. This guide is for beginners and I hope it can help someone starting his journey into
Installing a Malware Analysis Lab Read More »
I recently received a phishing email to analyze, let’s see how to unbox all the components and identify them using Malcat. We can notice how good is this phishing attempt :– the sender was known by the recipient– the mail was written in correct french (quite unusual)– the mail contains and old discussion from 2021
Unboxing a Quakbot Campaign with Malcat Read More »
*.doc MS Word Document in binary proprietary file format (Compound File Binary Format) used in Office < 2007 *.xls MS Excel Workbook in binary proprietary file format (Compound File Binary Format) used in Office < 2007 *.docx MS Word Document in “Microsoft Office Open XML” file format used since Office 2007, no macro.Zip container with
MS Office Documents Analysis Read More »
This is a small write-up of the “Sniffed Traffic” challenge from SEECTF 2022 (Forensics Category). Description : Author: EnyeiWe inspected our logs and found someone downloading a file from a machine within the same network.Can you help find out what the contents of the file are?For beginners: https://www.javatpoint.com/wiresharkMD5: 71cd3bdbecece8d7919b586959f2d3b7 Solution : Once the capture file
SEETF 2022 – Sniffed Traffic Read More »
This is a small write-up of the “x-sixty-what” challenge from picoCTF 2022 (Binary Exploitation Category). The challenge is now available in picoGym here ! Description : Overflow x64 code Most problems before this are 32-bit x86. Now we’ll consider 64-bit x86 which is a little different! Overflow the buffer and change the return address to
picoCTF 2022 – x-sixty-what Read More »
This is a small write-up of the “Torrent Analyze” challenge from picoCTF 2022 (Forensics Category). The challenge is now available in picoGym here ! Description : SOS, someone is torrenting on our network. One of your colleagues has been using torrent to download some files on the company’s network. Can you identify the file(s) that
picoCTF 2022 – Torrent Analyze Read More »
I’ve been asked to investigate a case in which a user received a phishing email, asking the user to click on a link to open a PDF Document. The link points to a Google Drive hosted file, which is not a PDF but a VBS (Visual Basic Script) file. Please note that the file is
Malware Analysis 11/02/2022 Read More »