Happy New Years! As part of the new year, let’s make an effort to make your defensive posture better, especially through quicker and more effective malware analysis! A few years ago I created a sample malware analysis sandbox script to use for the analysis and reverse engineering that I performed on a daily basis. Let’s …
A Walkthrough for FLARE RE Challenges
The FireEye Labs Advanced Reverse Engineering (FLARE) challenge was causing a bit of a buzz when it was announced and launched in early July. It read like a recruitment campaign for a new division within FireEye, but still a fun challenge to partake in. The challenge started … and I was on-site at a client …
Malware with No Strings Attached Part 2 – Static Analysis
In the previous post I showed some dynamic analysis procedures for a variant of a trojan known to Symantec as Coreflood. Based on the dynamic analysis, we discovered that the analyzed sample contained very few strings of use. It decrypted an embedded executable, which was injected into memory for execution. It dropped an encrypted file to …
Malware with No Strings Attached Part 1 – Dynamic Analysis
I had the honor of lecturing for Champlain College’s graduate level Malware Analysis course this week. One of the aspects of the lecture was showing off dynamic analysis with my Noriben script and some of the indicators I would look for when running malware. While every malware site under the sun can tell you how …
Is Google Scanning Malware Email Attachments Between Researchers
Disclaimer: This post is based upon experiences I found when sending malware via GMail (Google Mail). I’m documenting them here for others to: disprove, debate, confirm, or to downplay its importance. Update: In the comments below, a member of Google’s AntiVirus Infrastructure team provided insight into this issue. A third-party AV engine used by GMail …
A GhettoForensics Look Back on 2013
This site, Ghetto Forensics, was started this year as the beginning of an effort to better document some of the side work that I do that I thought would be appealing, or humorous, to the overall industry. This content was originally posted to my personal web site, thebaskins.com, but really needed a site of its …
Noriben version 1.4 released
It’s been a few months since the last official release of Noriben. The interim time has been filled with a few ninja-edits of updated filters, and wondering what to put in next. Noriben started out as a simple wrapper to Sysinternals procmon to automatically gather all of the runtime details for malware analysis within a …