Review: Practical Malware Analysis and Triage (PMAT)

I have often recommended the book Practical Malware Analysis (PMA) by Michael Sikorski and Andrew Honig; however, the book was originally published in 2012 and there have been no updates to the core book, so if I recommend the book, I always have to give caveats regarding the age and the age of some of …

Solarmarker: by any other name

Payload SHA256: c61348ab7e5ffeb9ba5d1077b13c49bde4d841c5ada9a
Backdoor SHA256: 0e673eb418c87268aa3bcb262e8e03a3f719a95a8e118ba99515c57c9aa02d38
Backdoor C2: 149.255.35.179

Solarmarker (AKA Jupyter Infostealer AKA Yellow Cockatoo AKA Polazert) is still a trending malware. According to Expel.io the malware accounted for 33% of their identified malicious payloads in September 2021. Several companies have published write-ups: they often dig deep, and the write-ups and detection methods often fall out of date …

Solarmarker: Registry Key Persistence Walkthrough

Binary: 1197067d50dd5dd5af12e715e2cc00c0ba1ff738173928bbcfbbad1ee0a52f21
Infostealer: 6852699e4420f08ab63a9a4e0b126d73d0ac3d7e21da06ad77bc3fe67c9a2e1f
Backdoor: 8c35f2a78e366abf2450d5882c49c69ee5cc01dba3743938b45cedc2b5dee3a3

This is a follow-up blog post regarding the malware known as Solarmarker / Jupyter Infostealer / Yellow Cockatoo / Polazert. This post can be read on its own, but consider reading my first post on Solarmarker, which discusses the persistence mechanism for April – May, and my second post for information …

Mars-Deimos: From Jupiter to Mars and Back again (Part Two)

Dropper SHA256: a871b7708b7dc1eb6fd959946a882a5af7dafc5ac135ac840cfbb60816024933
Backdoor SHA256: cc17391dde8a9f3631705c01a64da0989b328760e583009e869a7fff315963d7

In May, I published an analysis of the persistence mechanism for Mars-Deimos and had intended to publish further analysis regarding that individual sample; however, there have been many changes to the distributed malware since that time. As a reminder and abbreviated summary, a particular malware author or group of authors …

Mars-Deimos: SolarMarker/Jupyter Infostealer (Part 1)

Part One: Persistence Script Analysis (Note: This post is outside of my series on theZoo.)

Mars-Deimos-RS-2 MD5: 88E60DFE5045E7157D71D1CB4170C073
Mars-Deimos-RS-2 SHA256: 8A57BD2598057EE784711B47B9B61B4ECBA5311FAC800B55070D560480F86EAC

Overview: Mars-Deimos-RS-2 is a .NET binary injected into memory. It has also been documented as Solarmarker by CrowdStrike. It shares Indicators of Compromise (IOCs) with a directly related malware which has been documented as Jupyter Infostealer by …

theZoo: Win32.OnionDuke.B

Win32.OnionDuke.DLL MD5: c8eb6040fd02d77660d19057a38ff769
Win32.OnionDuke.DLL SHA256: 366affd094cc63e2c19c5d57a6866b487889dab5d1b07c084fff94262d8a390b

Overview: Win32.OnionDuke.B is reported as part of a backdoor from 2013-2015. The company F-Secure associates the malware with the threat actor “The Duke” (aka APT29, CozyBear). I am able to perform some static analysis, but due to a mixture of the malware’s complexity and my inexperience I am unable …

Dedicated Machine

Update: I had originally planned for 32GB RAM, but ended up with 64GB RAM and so I updated the page accordingly. I could imagine instances where 32GB RAM was insufficient, so it seemed reasonable to get more. 64GB RAM is the maximum supported by this CPU. I am currently in the process of putting together a …

Introduction: theZoo – Museum of Malware History

theZoo is a project on GitHub which makes malware available for researchers. (Malware being defined as “software that does harm to a computer or network.”) The repository is great in that it makes the malware accessible without a paywall so that hobbyists like me can access it. I had heard about theZoo and did not …