Previous posts in this series have demonstrated how unpack.py, when used on a CryptoLocker variant, extracts the malicious PE file injected in to explorer.exe, and how it can also be used to analyse the injected PE file. This post demonstrates how unpack.py can now be used to analyse our CryptoLocker variant’s network communications by dumping the cleartext traffic sent over its HTTPS connections.
My automated unpacking script (which really needs a sensible name!) is a few years old now, so I was interested to see how it would go with some malware that was developed after it was. That is, I wanted to answer the question ‘is my script still useful?’. It turns out it is still useful, and this post is the first of a few posts that aim to demonstrate why. Continue Reading
… and without touching Perl I might add. So, someone has just handed you a collection of Microsoft Word documents that they believe are malicious and you’re keen to investigate them to see if you can get your hands on some more malware to analyse. Here is how you can analyse Microsoft Word documents in a Linux environment, without using Microsoft Word (and without using Perl). Continue Reading
I was just in the middle of doing a post on analysing a malware sample and I thought that I should start it off by documenting my setup. It then occurred to me that doing so was making my post somewhat longer, and since the setup would apply pretty much to all of my malware analysis work, I should document it separately. So here it is — my malware analysis setup. Continue Reading
My t-shirt provider (RedBubble) is having a 15% off site-wide promotion to celebrate Geek Week, making this a good time to try out some of my malwear t-shirts. Continue Reading
SSH’s TCP forwarding feature allows users to tunnel arbitrary TCP connections over an encrypted SSH connection, which in turn can allow them to make connections to internal hosts from outside your network — connections which can be hard to detect as SSH traffic is encrypted. So, is it possible to infer what an SSH connection is being used for when you don’t have access to the unencrypted data?