Blog

Poking malware one at a time.

Solarmarker: by any other name

Payload SHA256: c61348ab7e5ffeb9ba5d1077b13c49bde4d841c5ada9aBackdoor SHA256: 0e673eb418c87268aa3bcb262e8e03a3f719a95a8e118ba99515c57c9aa02d38Backdoor C2: 149.255.35.179 Solarmarker (AKA JupyterInfostealer AKA YellowCockatoo AKA Polazert) is still a trending malware. According to Expel.io the malware accounted for 33% of their identified malicious payloads in September 2021. Several companies have published write-ups: they often dig deep and the writeups and detection methods often fall out of dateContinue reading “Solarmarker: by any other name”

Solarmarker: Registry Key Persistence Walkthrough

Binary: 1197067d50dd5dd5af12e715e2cc00c0ba1ff738173928bbcfbbad1ee0a52f21Infostealer: 6852699e4420f08ab63a9a4e0b126d73d0ac3d7e21da06ad77bc3fe67c9a2e1fBackdoor: 8c35f2a78e366abf2450d5882c49c69ee5cc01dba3743938b45cedc2b5dee3a3 This is a follow up blogpost regarding the malware known as Solarmarker / Jupyter Infostealer / Yellow Cockatoo / Polazert. This post can be read on its own but consider reading my first post on Solarmarker that discusses the persistence mechanism for April – May and my second post for informationContinue reading “Solarmarker: Registry Key Persistence Walkthrough”

Mars-Deimos: From Jupiter to Mars and Back again (Part Two)

Dropper SHA256: a871b7708b7dc1eb6fd959946a882a5af7dafc5ac135ac840cfbb60816024933Backdoor SHA256: cc17391dde8a9f3631705c01a64da0989b328760e583009e869a7fff315963d7 In May, I published an analysis of the persistence mechanism for Mars-Deimos and had intended to publish further analysis regarding that individual sample, however there has been many changes to the distributed malware since that time. As a reminder and abbreviated summary, a particular malware author or group of authorsContinue reading “Mars-Deimos: From Jupiter to Mars and Back again (Part Two)”

Mars-Deimos: SolarMarker/Jupyter Infostealer (Part 1)

Part One: Persistence Script Analysis (Note: This post is outside of my series on theZoo. ) Mars-Deimos-RS-2.MD5: 88E60DFE5045E7157D71D1CB4170C073Mars-Deimos-RS-2:SHA256: 8A57BD2598057EE784711B47B9B61B4ECBA5311FAC800B55070D560480F86EAC Overview: Mars-Deimos-RS-2 is .NET binary injected into memory. It has also been documented as Solarmarker by CrowdStrike. It shares Indicators of Compromise (IOC) with a directly related malware which has been documented as Jupyter Infostealer byContinue reading “Mars-Deimos: SolarMarker/Jupyter Infostealer (Part 1)”

theZoo: Win32.OnionDuke.B

Win32.OnionDuke.DLL md5: c8eb6040fd02d77660d19057a38ff769  Win32.OnionDuke.DLL sha256: 366affd094cc63e2c19c5d57a6866b487889dab5d1b07c084fff94262d8a390b  Overview: Win32.OnionDuke.B is reported as part of a backdoor from 2013-2015. The company F-Secure associates the malware with the threat actor “The Duke” (aka APT29, CozyBear). I am able to perform some Static Analysis, but due to a mixture of the malware’s complexity and my inexperience I am unableContinue reading “theZoo: Win32.OnionDuke.B”

Dedicated Machine

Update: I had originally planned for 32GB RAM, but ended up with 64GB RAM and so I updated the page accordingly. I could imagine instances where 32GB RAM was insufficient, so it seemed reasonable to get more. 64GB RAM is the maximum supported by this CPU. I am currently in process of putting together aContinue reading “Dedicated Machine”

theZoo: An Overview

If you have not read my introduction to this series, I suggest doing so. It gives the goals and plan behind this series as well as a slight introduction to theZoo, the OpenSource malware repository. The purpose of this post is to give an overview of theZoo as a whole and some basic analysis. ForContinue reading “theZoo: An Overview”


Follow My Blog

Get new content delivered directly to your inbox.

%d bloggers like this: