Friday, February 27, 2015

Interesting event

Hi all.

I was not expecting to write this post today; I am still prepping for the SANS 560 course by studying programming. Slowly but surely I am getting it, thanks to a combination of the Intro to Programming course from Infinite Skills and a series of courses from Udemy.

However, while I was browsing the internet today I was on a website of dubious nature. Naturally, when I clicked 'there to watch' I was redirected to knfzz.updatenow.jellyfishmint.kim. That looks suspicious, right? Being the interested body I am, I fired up a PC and started doing some analysis.

As of now, the site has been scanning clean all day:

https://www.virustotal.com/en/url/c2aef312ccca548609ac831e2b3291fde8931982c39462e615f6357ab48891d5/analysis/

urlquery.net/report.php?id=1425081604378

I'll try to keep this short. The website displays a popup on entry (in IE) saying the user needs to update their Flash Player. That's strike 2 for danger. There is an element on the page which my browser did not display; I need to find out what it is. In any case, clicking some of the links will send you to a subpage that ends in /NATakplayer2.US.html. I have not yet done analysis on this page, but VT has a scan of it. Of note, the page mentions at the bottom that they are not offering the original Adobe file, and that their download may include additional software...

Clicking the install button sends the user to
hxxp://volumedl.com/api/download?accountid=14482&shortname=mediaplayer&campaignname=test=&clickid=MX10FVqJok

The user then gets a file, mediaplayer_setup.exe (note: the file is digitally signed by InstallX, LLC), MD5 74DD09FAA1E0B1FD4A19B0C233926C05.
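As an added example (my code, not the author's), here are the indicators from this post turned into a small offline check: it refangs the hxxp:// link, breaks the download URL into its query parameters (note the odd campaignname=test= value, which survives because the parser splits each pair on the first '=' only), sweeps a proxy log for the redirect domain, the download host and the dropped filename, and compares a file's MD5 against the hash above. The proxy log lines, their field layout and the cdn.example.net host are constructed for the example and are not from the author's capture.

```python
import hashlib
import re
from urllib.parse import urlsplit, parse_qsl

# Indicators taken from the post above: the domain the click redirected to,
# the host serving the installer, the dropped filename and its MD5.
IOC_DOMAINS = {"knfzz.updatenow.jellyfishmint.kim", "volumedl.com"}
IOC_FILENAMES = {"mediaplayer_setup.exe"}
IOC_MD5 = {"74dd09faa1e0b1fd4a19b0c233926c05"}


def refang(url):
    """Turn the defanged hxxp:// form used in the post back into a real scheme."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def parse_download_url(url):
    """Break the affiliate download link into host, path and query parameters.

    parse_qsl splits each name=value pair on the first '=' only, so the
    'campaignname=test=' seen in the post is kept as the value 'test='.
    """
    parts = urlsplit(refang(url))
    return {
        "host": parts.hostname,
        "path": parts.path,
        "params": dict(parse_qsl(parts.query, keep_blank_values=True)),
    }


def ioc_hits(url):
    """Return the set of indicator types (domain, filename) one URL matches."""
    parts = urlsplit(refang(url))
    hits = set()
    if parts.hostname in IOC_DOMAINS:
        hits.add("domain")
    if parts.path.rsplit("/", 1)[-1].lower() in IOC_FILENAMES:
        hits.add("filename")
    return hits


def sweep_proxy_log(log_text):
    """Scan whitespace-separated proxy log lines (constructed layout:
    timestamp client method url status) and report the lines hitting an IOC
    as (line number, url, sorted hit types)."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        fields = line.split()
        if len(fields) < 4:
            continue
        hits = ioc_hits(fields[3])
        if hits:
            findings.append((lineno, fields[3], sorted(hits)))
    return findings


def is_known_sample(data):
    """True if the bytes hash to the MD5 the post reports for mediaplayer_setup.exe."""
    return hashlib.md5(data).hexdigest() in IOC_MD5


# Constructed proxy log (not a real capture) replaying the click chain in the post.
SAMPLE_PROXY_LOG = """\
2015-02-27T14:02:11Z 10.0.0.23 GET http://www.example.org/ 200
2015-02-27T14:02:15Z 10.0.0.23 GET http://knfzz.updatenow.jellyfishmint.kim/ 200
2015-02-27T14:02:40Z 10.0.0.23 GET http://volumedl.com/api/download?accountid=14482&shortname=mediaplayer&campaignname=test=&clickid=MX10FVqJok 302
2015-02-27T14:02:41Z 10.0.0.23 GET http://cdn.example.net/mediaplayer_setup.exe 200
"""

DOWNLOAD_URL = ("hxxp://volumedl.com/api/download?accountid=14482&shortname=mediaplayer"
                "&campaignname=test=&clickid=MX10FVqJok")

if __name__ == "__main__":
    for lineno, url, hits in sweep_proxy_log(SAMPLE_PROXY_LOG):
        print(f"line {lineno}: {hits} {url}")
    print(parse_download_url(DOWNLOAD_URL)["params"])
    print("known sample:", is_known_sample(b"constructed bytes, not the sample"))
```

The hash check is deliberately exact-match on the MD5 from the post; a real sweep would also carry the SHA-256 and the signer name (InstallX, LLC) so a repacked build with a new hash still trips on the certificate.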

I performed static analysis of the file, as well as uploading it to some sites including MALWR and VT; it appears it is new to them.

The PCAP I took was uploaded to VT and generated some alerts:

https://www.virustotal.com/en/file/b07e283e2e6413d485bc3e333e3f86d67937c502bf85bbd5fb887c83a012bf6f/analysis/

In the end the file possibly had some anti-VM and anti-debugging technologies, so I opted for an automated analysis over running the malware dynamically. In any case we see the exe has some hooking functionality, drops numerous files (mainly zip files), generates some outbound traffic, and at the very least offers the user the opportunity to download some additional crapware.

See you guys around.

Monday, January 12, 2015

1st post 2015

Hi all.

So, just to update from last month, my big news: I passed the SANS GPEN examination. As you may know, it covers penetration testing. My goal is to at some point be able to pentest my lab, add malware, attempt to detect the intrusion, analyze the hacked system, remediate the system and detect future intrusions. As such I will need to learn a lot. One part of that will be malware analysis.

Later this year I plan to take the SANS 560 course, which deals with malware analysis. In preparation for that, I will need to learn a lot, including programming, which has been a big stumbling block for me. But I am confident that I can overcome it. What I am doing now is attempting to read Practical Malware Analysis by Michael Sikorski (http://www.amazon.com/Practical-Malware-Analysis-Dissecting-Malicious/dp/1593272901). Getting through this with my limited knowledge should be a challenge, but an interesting one. I've finished chapter one but will be going back over it. I do wish they had put Ch. 2 first, as it deals with setting up your lab. Ch. 1 has you analyzing malware without a lab setup. Not a great idea. What I found interesting is that the malware included is not detected by my current A/V software, a few years after the book was published. :o Anyway, I'll keep those of you who may be reading informed.