Week 36 – 2016

Last week of vacation, this time, I’m writing overlooking Bangkok!
Also, less than 2000 words! That's the closest thing I get to a slow news week 🙂


  • Willi Ballenthin updated his Windows Event Log parser, python-evtx, to version 0.5.0. The update adds py3 support.
    Check out @williballenthin’s Tweet

  • Microsystemation updated XRY to version 7.1; adding support for iOS 10, Pokémon GO, Android backup extraction of blocked apps, decoding Outlook PST files, as well as approximately 1,000 new device profiles. The release notes can be found here.
    XRY Just Got Better!

  • Eric Zimmerman updated JLECmd to version 0.9.6.0 to support a condition where a Jumplist has more directory entries than are identified in the DestList. As a result, there’s a new argument that lets users extract information for just the entries located in the DestList, or print all of the available directory entries.
    JLECmd v0.9.6.0 released

  • Eric also updated his AppCompatCache Parser to a new version, improving the OS detection. The updated parser can be found here.

  • Mark Woan released Exe finder v1.0.3, which contains updated regexes used to find suspiciously located files.
    Check out @woanware’s Tweet

  • Katana Forensics released a new version of Lantern, version 4.5.9, which fixes connections to iOS devices.
    Katana Forensics Customer Portal

  • YARA 3.5.0 was released. The release notes indicate various bug fixes, performance improvements and updates.
    YARA 3.5.0 Released

  • GetData’s Forensic Explorer was updated to version v3.6.8.5740 with some minor bug fixes and improvements.
    Download Forensic Explorer

  • X-Ways Forensics 18.8 SR-12 was released; however, it is only available on request. It incorporates some of the fixes introduced in later versions.
    X-Ways Forensics 18.8 SR-12

  • X-Ways Forensics 18.9 SR-8 was released with various minor updates and bug fixes.
    X-Ways Forensics 18.9 SR-8

  • X-Ways Forensics 19.0 was updated to Beta 1 and then Beta 2. This update added the ability to set “multiple text interpretations of binary data in the hex editor’s text display at the same time depending on the license type”, a file system offset column, improved verification, a revised comparison function, an increased size for block hash matches, and other minor improvements.
    X-Ways Forensics 19.0 Beta 2


  • Mark Woan released lookuper (version 0.0.1). This tool “performs lookups against VirusTotal/ThreatExpert/Google Safe Browsing data for data types such as MD5, SHA256, URL, IP, Domains, Strings e.g. mutexes” and is compiled for Linux and Windows.
    Check out @woanware’s Tweet

  • Simon Key at Guidance Software tweeted out a couple of Enscripts.
    • The first is a new Enscript that converts Mac OS X Mail. The script appears to take mail files located in the user’s Outlook folder and parse them into the Artifacts tab (shown in Encase 8).
      Check out @SimonDCKey’s Tweet
    • The second is version 2.2 of the PST/OST deleted file recovery script.
      Check out @SimonDCKey’s Tweet



  • Harlan Carvey at Windows Incident Response provided his thoughts on a few articles and explained some code that he has written to parse .pub files. These files follow the OLE structured storage format so he modified one of his existing Perl scripts to extract stream information, including dates. The script appears to be complementary to Didier’s oledump.
    More Updates

  • The Int’l Man of Leisure has started a blog, aptly named 4n6tacoHut “because all of the good DFIR blog names were already taken”. The inaugural post covers stitching together and mounting LVM2 virtual hard disks (apparently the major forensic suites don’t do a good job of combining multiple VMDKs into a single volume, whether for mounting the file system and/or creating a forensic image of the entire thing). The author uses SIFT to take two VMDK-turned-DD images and combine them into one logical volume, which he’s then able to mount (and image if required).
    Mounting and imaging Logical Volume Manager (LVM2)

  • Michael Maurer at Distributed Forensic Timeline shared Virtual File Tools (vftools), “a small collection of Sleuth kit-esque command line digital forensics tools designed to provide read only access to a large range of digital storage”. vftools only has three commands, vfls, vfcat, and vfinfo, and uses pathspecs instead of inodes.
    vftools – first look


  • Amanda at Secured.Org created a video showing how she creates malware diagrams using Photoshop. She downloaded a fresh sample of the Zepto ransomware, which is a derivative of Locky, and walked through the breakdown of the tool, culminating in a useful diagram.
    Zepto Ransomware Diagram How-To

  • There was a post on the VMRay blog that covers a JAR archive that, if executed, will modify certain Windows security settings, inject itself into Explorer, and maintain persistence via (surprise, surprise) the Run key. The Run key really is one of the first places to look when checking for a malware infection, especially because it appears that the files the malware downloads are stored in the “Public” user profile, which may evade a cursory glance. Interestingly, the downloader downloads DLLs (in the form of txt files) and executes them with regsvr32, which was mentioned here by Casey Smith.
    Malware uses Java Archive (JAR)

  • Casey Smith explains how to use the DynamicWrapperX DLL which “advertises that you can execute win32 calls inside of Jscript / VBScript”. According to the comments section, “this is the technique used in metasploit vbsmem payload. They say it’s a “fileless” payload, but they first drop dynawrap.dll to disk”. I’d imagine a quick look on a system for dynawrap.dll would probably alert a responder to a potential attacker.
    Shellcode Via JScript / VBScript – Happening Now!
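Two of the traits noted above, the Public-profile paths and regsvr32 loading a non-DLL file from the VMRay post, and the dynawrap.dll drop mentioned in the DynamicWrapperX comments, are easy to turn into a triage check. The following is an added example (not code from either post), written in Python over constructed Run key values and a constructed file listing:

```python
import re
from typing import Dict, List, Tuple

# Constructed sample data (not from either post): Run key values as a
# registry triage tool might export them, plus a file listing excerpt.
RUN_KEY_SAMPLE: Dict[str, str] = {
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
    "Updater": r'C:\Windows\System32\regsvr32.exe /s "C:\Users\Public\Libraries\update.txt"',
    "Java": r'"C:\Users\Public\jre\bin\javaw.exe" -jar C:\Users\Public\svc.jar',
}
FILE_LISTING_SAMPLE: List[str] = [
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Users\alice\AppData\Local\Temp\dynawrap.dll",
    r"C:\Users\Public\Libraries\update.txt",
]

PUBLIC_PROFILE = re.compile(r"\\users\\public\\", re.IGNORECASE)
REGSVR32 = re.compile(r'(?:^|\\|")regsvr32(?:\.exe)?\b', re.IGNORECASE)

def _tokens(cmd: str) -> List[str]:
    """Split a command line into tokens, keeping quoted paths together."""
    return [q or u for q, u in re.findall(r'"([^"]+)"|(\S+)', cmd)]

def regsvr32_target(cmd: str) -> str:
    """Return the file regsvr32 is asked to load, or '' if not a regsvr32 line."""
    if not REGSVR32.search(cmd):
        return ""
    for tok in _tokens(cmd)[1:]:
        if not tok.startswith("/"):  # skip switches such as /s, /i, /n
            return tok
    return ""

def triage_run_key(run_values: Dict[str, str]) -> List[Tuple[str, List[str]]]:
    """Flag Run key values showing the traits the VMRay write-up describes."""
    findings = []
    for name, cmd in run_values.items():
        reasons = []
        if PUBLIC_PROFILE.search(cmd):
            reasons.append("runs from the Public user profile")
        target = regsvr32_target(cmd)
        if target and not target.lower().endswith((".dll", ".ocx")):
            reasons.append(f"regsvr32 loading a non-DLL extension: {target}")
        if reasons:
            findings.append((name, reasons))
    return findings

def find_dynawrap(paths: List[str]) -> List[str]:
    """Return every path whose file name is dynawrap.dll (DynamicWrapperX)."""
    return [p for p in paths if p.rsplit("\\", 1)[-1].lower() == "dynawrap.dll"]
```

On a live system the same functions can be fed the output of a registry export and a file system walk; the sample here only stands in for those inputs.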

  • Orkhan Mamedov and Fedor Sinitsyn at SecureList describe a new version of the RAA cryptor that works in conjunction with the Pony stealer Trojan. The downloader is an obfuscated JS file located within a password protected ZIP file. Once executed, the script will conduct the usual ransomware operations and also execute a Trojan that will package up a variety of passwords and bitcoin wallets and send them off to the scammers.
    A malicious pairing of cryptor and stealer

  • Xavier Mertens, on the SANS ISC Handler Diaries, identified a few instances of malicious macros located in Microsoft Publisher (pub) files. Apparently, a lot of sandbox environments don’t have Publisher installed, which makes the sample impossible to analyse.
    Malware Delivered via ‘.pub’ Files

  • Mohamed Morad provided a static and dynamic analysis of a malicious .pub file.
    The case of Malicious .pub file Attachments

  • Joe Security at Automated Malware Analysis describes two malware samples that he has come across recently. The first checks for the Zone Identifier ADS which wouldn’t be available on an EXT file system, which many sandboxes utilise, and also examines the RecentDocs key. The second attempts to determine if the compromised machine is part of a corporate environment by checking the Domain settings. Joe explains that “deep malware analysis” enables examiners to spot evasion techniques, and open platforms assist in preventing the evasions.
    Will it blend? This is the Question, new Macro based Evasions spotted


And that’s all for Week 36! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!
