Poking malware one at a time.


This website is dedicated to malware analysis. Over time I will add pages for tools, resources, and in-depth analysis of malware samples.

Latest from the Blog

Solarmarker: Registry Key Persistence Walkthrough

Binary: 1197067d50dd5dd5af12e715e2cc00c0ba1ff738173928bbcfbbad1ee0a52f21
Infostealer: 6852699e4420f08ab63a9a4e0b126d73d0ac3d7e21da06ad77bc3fe67c9a2e1f
Backdoor: 8c35f2a78e366abf2450d5882c49c69ee5cc01dba3743938b45cedc2b5dee3a3

This is a follow-up blog post regarding the malware known as Solarmarker / Jupyter Infostealer / Yellow Cockatoo / Polazert. This post can be read on its own, but consider reading my first post on Solarmarker, which discusses the persistence mechanism for April – May, and my second post for information […]

Mars-Deimos: From Jupiter to Mars and Back again (Part Two)

Dropper SHA256: a871b7708b7dc1eb6fd959946a882a5af7dafc5ac135ac840cfbb60816024933
Backdoor SHA256: cc17391dde8a9f3631705c01a64da0989b328760e583009e869a7fff315963d7

In May, I published an analysis of the persistence mechanism for Mars-Deimos and had intended to publish further analysis regarding that individual sample; however, there have been many changes to the distributed malware since that time. As a reminder and abbreviated summary, a particular malware author or group of authors […]

Mars-Deimos: SolarMarker/Jupyter Infostealer (Part 1)

Part One: Persistence Script Analysis (Note: This post is outside of my series on theZoo.)

Mars-Deimos-RS-2 MD5: 88E60DFE5045E7157D71D1CB4170C073
Mars-Deimos-RS-2 SHA256: 8A57BD2598057EE784711B47B9B61B4ECBA5311FAC800B55070D560480F86EAC

Overview: Mars-Deimos-RS-2 is a .NET binary injected into memory. It has also been documented as Solarmarker by CrowdStrike. It shares Indicators of Compromise (IOC) with a directly related malware which has been documented as Jupyter Infostealer by […]
