Poking malware one at a time.


This website is dedicated to malware analysis. Over time I will add pages for tools, resources, and in-depth analysis of malware samples.

Latest from the Blog

Mars-Deimos: From Jupiter to Mars and Back again (Part Two)

Dropper SHA256: a871b7708b7dc1eb6fd959946a882a5af7dafc5ac135ac840cfbb60816024933
Backdoor SHA256: cc17391dde8a9f3631705c01a64da0989b328760e583009e869a7fff315963d7

In May, I published an analysis of the persistence mechanism for Mars-Deimos and had intended to publish further analysis regarding that individual sample; however, there have been many changes to the distributed malware since that time. As a reminder and abbreviated summary, a particular malware author or group of authors…

Continue reading “Mars-Deimos: From Jupiter to Mars and Back again (Part Two)”

Mars-Deimos: SolarMarker/Jupyter Infostealer (Part 1)

Part One: Persistence Script Analysis (Note: This post is outside of my series on theZoo.)

Mars-Deimos-RS-2 MD5: 88E60DFE5045E7157D71D1CB4170C073
Mars-Deimos-RS-2 SHA256: 8A57BD2598057EE784711B47B9B61B4ECBA5311FAC800B55070D560480F86EAC

Overview: Mars-Deimos-RS-2 is a .NET binary injected into memory. It has also been documented as Solarmarker by CrowdStrike. It shares Indicators of Compromise (IOC) with a directly related malware which has been documented as Jupyter Infostealer by…

Continue reading “Mars-Deimos: SolarMarker/Jupyter Infostealer (Part 1)”

theZoo: Win32.OnionDuke.B

Win32.OnionDuke.DLL MD5: c8eb6040fd02d77660d19057a38ff769
Win32.OnionDuke.DLL SHA256: 366affd094cc63e2c19c5d57a6866b487889dab5d1b07c084fff94262d8a390b

Overview: Win32.OnionDuke.B is reported as part of a backdoor from 2013-2015. The company F-Secure associates the malware with the threat actor “The Duke” (aka APT29, CozyBear). I am able to perform some Static Analysis, but due to a mixture of the malware’s complexity and my inexperience I am unable…

Continue reading “theZoo: Win32.OnionDuke.B”
