Executive Summary: This report is prepared for the client as part of the investigations regarding a cyber attack. The goal of this report is to outline the detailed investigation from the review of the network logs (PCAP) captured between 11:35:57 EDT on 29th July 2020 and 11:36:01 EDT 29th July…

Today, I performed a static code analysis on a sample of Clownic Ransomware, obtained from vx-underground, the program was developed in C# and analysed using dnSpy. Demo for the analysis is on my YouTube. File Identification The following were extracted during the file identification phase: md5: 711486A19E8B011528DEE34A5D25776E sha1: 7E131940FCE4D157D0A338B8285E8E2298E8677D sha256: 880823DD9DF0CA6047CD829A1031E8A167CCEC0629FDEAC40A097DD555DEBF7C file-size: 143872 (bytes) signature: Microsoft…

Cobalt Strike is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Today, I analyse a HTA malware sample from vx-underground. The demo for this analysis can be found on my YouTube. File Identification and Identification of malicious indicators

Today, I decided to pick a random file from the Emotet family on vx-underground repo. The demo for this analysis can be found on my YouTube. File Identification and Identification of malicious indicators The file is a Microsoft Word 2007+ Macro-Enabled Document (.docm) with a High risk macro embedded in stream ‘A5'. file-size,146070 (bytes) md5,8DF71E674C2A891330651D3ACA0C6F7F sha1,FDD6E375BC0F789F5691AF8624DA5493D3ABE9E6 sha256,02F9ECDD1DE018BDFAA27979567C7CC39FAE5CD066288C9EC1342508C05E0CDC Macro: Stream -A5, 10452…

This will definitely bring back some childhood memories for some! FLAMES is a game we played as kids to determine our ‘relationship status’. FLAMES is an acronym which stands out for “Friends Lovers Admirers Marriage Enemies ‘Situationship’”. …

15 November 2021 saw the return of Emotet. Check Point Research (CPR) observed that the Emotet botnet started to re-emerge with Trickbot after disappearing for 10 months. Trickbot and Emotet are considered some of the largest botnets in history. In this article, I provide a quick summary from my analysis…

This is the part two (2) of my Methodology for malware analysis series, in part one (1), I discussed the static analysis of PE files. In this article, I will highlight methodology and some tools that can be used for analysing DOC and PDF files. When analyzing PDFs, there are…