Friday, April 4, 2014

New analysis

Hey all,

I know it's been a while since I posted; events, events. After my first analysis I received a naughtygram from my ISP, actually just them letting me know that I might be infected! Well, I took some time and eventually found some new ways to do my analysis, hopefully with less risk. I do want to take a second to give a shout to TekDefense and their YouTube channel https://www.youtube.com/user/TekDefense - some great videos there with introductions to malware analysis.

So since this is my first real day back, I'll just review some info. Yesterday I was able to get my Security Onion (https://code.google.com/p/security-onion/) distro back up and running, and was able to test it out, so the goal is to do separate tests now, and perhaps at some point to integrate malware analysis and IDS testing, seeing what the IDS detects, and writing custom rules to detect what it misses.

So what did I see today from this version of CryptoLocker? Probably not much that wouldn't be found in an in-depth analysis paper written by an experienced analyst with hours to examine it, but I did notice a few things. The original file (sorry, I don't have the name) spawned a new process, windtre.exe. windtre can be found in the user's temp directory and has an MD5 of 2BEDEF64E5A615619356219E44E5082D, which was not in VirusTotal. In the future I will be looking for ways to safely upload these files to sites for further analysis. Finally, the malware did make some GET requests for wpad.dat; unfortunately I missed the IPs it requested. Future analysis reports will have this info, but I'll have to do it on days where I don't have to work!

Well, thanks for reading guys, hope you all have a great day, please leave feedback. - SecTest
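As an added example (not code from the original post), here is a short Python script that covers two of the gaps the post mentions: hashing a dropped file locally with both MD5 and SHA-256, so the hash can be searched on VirusTotal without uploading the sample itself, and pulling the wpad.dat GET requests, together with the destination IPs that were missed, out of the Bro http.log that Security Onion's sensor writes. The log lines, addresses, uids and timestamps below are constructed for the example; the column names follow Bro's http.log layout, but the parser reads them from the `#fields` header rather than assuming positions, so it tolerates a different column order. One caveat worth keeping in mind: a GET for wpad.dat is also normal Windows proxy autodiscovery (WPAD), so the request on its own is not evidence of infection; what matters is which server the host went to, which is why the script reports only destinations that are not on an expected list you supply.

```python
import hashlib
import io

# Constructed sample of a Bro 2.x style http.log (tab separated, with the
# "#fields" header Bro writes). Addresses, uids and timestamps are made up
# for this example and are not from the original post.
SAMPLE_HTTP_LOG = """#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\ttrans_depth\tmethod\thost\turi\treferrer\tuser_agent
1396624801.123456\tCabc1\t192.0.2.10\t49152\t198.51.100.20\t80\t1\tGET\twpad.example.test\t/wpad.dat\t-\tMozilla/4.0
1396624802.654321\tCabc2\t192.0.2.10\t49153\t203.0.113.5\t80\t1\tGET\t203.0.113.5\t/index.html\t-\tMozilla/4.0
1396624803.000000\tCabc3\t192.0.2.10\t49154\t203.0.113.77\t8080\t1\tGET\t203.0.113.77\t/WPAD.DAT\t-\tMozilla/4.0
"""


def hash_stream(fobj, chunk_size=65536):
    """Hash a binary stream in chunks so large samples do not need to fit in memory."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    while True:
        chunk = fobj.read(chunk_size)
        if not chunk:
            break
        md5.update(chunk)
        sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def hash_file(path):
    """Return MD5 and SHA-256 of a file on disk (e.g. the dropped windtre.exe)."""
    with open(path, "rb") as f:
        return hash_stream(f)


def hash_bytes(data):
    """Same as hash_file, for an in-memory byte string."""
    return hash_stream(io.BytesIO(data))


def parse_bro_log(text):
    """Yield one dict per record, keyed by the names in the #fields header."""
    fields = None
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):
            continue  # other header/footer lines (#separator, #close, ...)
        if fields is None:
            raise ValueError("record encountered before #fields header")
        yield dict(zip(fields, line.split("\t")))


def find_wpad_requests(text):
    """Return every GET whose path ends in wpad.dat, with source and destination."""
    hits = []
    for rec in parse_bro_log(text):
        if rec.get("method", "").upper() != "GET":
            continue
        uri = rec.get("uri", "")
        path = uri.split("?", 1)[0]
        # Match case-insensitively: the constructed log has both /wpad.dat and /WPAD.DAT.
        if path.lower().endswith("/wpad.dat"):
            hits.append({
                "src": rec["id.orig_h"],
                "dst": rec["id.resp_h"],
                "dport": int(rec["id.resp_p"]),
                "host": rec["host"],
                "uri": uri,
            })
    return hits


def unexpected_wpad_servers(hits, expected_servers):
    """WPAD lookups are normal; only destinations outside the expected set are interesting."""
    return {h["dst"] for h in hits if h["dst"] not in expected_servers}


if __name__ == "__main__":
    print("sample hashes:", hash_bytes(b"abc"))
    hits = find_wpad_requests(SAMPLE_HTTP_LOG)
    for h in hits:
        print("wpad.dat request: %s -> %s:%d (Host: %s, URI: %s)"
              % (h["src"], h["dst"], h["dport"], h["host"], h["uri"]))
    # 198.51.100.20 stands in for the lab's legitimate proxy-config server (assumed).
    print("unexpected WPAD servers:", unexpected_wpad_servers(hits, {"198.51.100.20"}))
```

To run it against a real sensor, read the current log (the path on a Security Onion box is assumed to be /nsm/bro/logs/current/http.log) and pass its contents to `find_wpad_requests`, then call `hash_file` on the copy of windtre.exe taken from the user's temp directory; the resulting hashes can be searched on VirusTotal by value, which tells you whether the file is already known without sending the sample anywhere.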

1 comment:

  1. Thanks for posting your analysis and experience.
    Is there a place where I can get all the tools and samples?