Week 39 – 2016

I would like to mention that my site is not a replacement for reading the actual material. I just write a brief summary of the article (or just mention it) and use the site search when I need to jog my memory.
Anyone that would like me to stop covering their blog, or would like to discuss what I’ve written (maybe I missed a key point or misinterpreted something), shoot me an email!


  • Belkasoft has released Belkasoft Evidence Center v8.0 (marketed as Evidence Center 2017) with a host of new updates, as well as a new free imaging tool called BelkaImager.
    Belkasoft Releases Evidence Center 2017 And New Free Acquisition Tool

  • Cellebrite updated UFED Physical Analyzer during the week but hasn’t published the release notes yet. The release fixes an issue with the “Advanced logical extraction process when the iTunes versions below 12.5.5 are not installed on the computer”, as well as a decoding issue with the Vkontakte app for Android.

  • MOBILedit Forensic Express 3.5.3 has been released, adding support for the iPhone 7 and improved iTunes backup password cracking (taking advantage of the weakened password protection in backups taken from iOS 10 devices).
    Utilize critical iOS 10 vulnerability to break 30% of iPhones in 1 sec

  • Micro Systemation (MSAB) released a micro release for XRY v7.1, as well as Kiosk/Tablet v7.1. “The new XRY v7.1 micro release includes support for 55 new app versions as well as Apple’s latest release, iPhone 7”. The updates to the Kiosk/Tablet include updated default settings, hiding export functions in Kiosk Viewer, and the addition of Kiosk Windows support.
    XRY v7.1 Micro Release & Kiosk/Tablet v7.1 Released Today

  • Paraben updated Device Seizure to version 7.6 adding a new Android Samsung Bootloader Physical plug-in, support for iOS 10 and Android Marshmallow as well as additional bug fixes and improvements.
    Paraben’s DS 7.6

  • Darryl at Kahu Security has updated Converter (v0.14), Registry Dumper (v0.2), Text Decoder Toolkit (v0.2) and URL Revealer (v0.2).
    Tools Update

  • Passware has released Passware Kit 2016 v4, adding support for iOS 10, macOS Sierra and VeraCrypt, introducing a substitution attack modifier, and running twice as fast on NVIDIA GTX 1080 graphics cards.
    New In Passware Kit 2016 v4

  • GetData’s Forensic Explorer was updated to version v3.6.8.5740 with some minor bug fixes and improvements.
    Download Forensic Explorer

  • X-Ways Forensics 19.0 Beta 4 was released improving multithreading support, and adding the “Ability to parse Ext* file systems with a block size that is smaller than the sector size of the surrounding physical image” among other minor improvements.
    X-Ways Forensics 19.0 Beta 4


  • Christian at CYINT Analysis has a write-up of the recently published TekDefense PCAP challenge.
    TekDefense PCAP Challenge Write-Up

  • Serge Petrov at WeAre4n6 continues his series on picture forensics by talking a bit more about Error Level Analysis and shows how it can be used to detect images that have been modified with fragments containing a different error level.
    Error Level Analysis

  • Not strictly forensics but good to know anyway; Daniel Miessler has done some investigation into macOS Sierra’s iCloud Drive and how to access the files through the command line. Files in iCloud Drive are stored under ~/Library/Mobile Documents (the user-visible iCloud Drive root is the com~apple~CloudDocs subdirectory).
    Accessing iCloud Drive via Terminal.app

  • The folks at Senrio have a fairly lengthy post on the history of JTAG, what it is and isn’t, and how to go about identifying the interface and decoding what comes out of it. The authors then show how to use JTAG to root the firmware of a router.
     JTAG Explained (finally!): Why “IoT”, Software Security Engineers, and Manufacturers Should Care

  • Patrick Olsen at Sysforensics identified that VMware Fusion “uses a pre-formatted HFS+ volume”, aptly named preformattedHFSVolume.vmdk, when building a new Mac VM. As a result, they will all have the same volume header creation timestamp of 0xC4D48244 (an HFS+ 32-bit big-endian value counting seconds since 1904-01-01, which decodes to 2008-08-22 14:48:36 UTC).
     Mac DFIR – HFS+ VMware Fusion Volume Header Timestamp
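To make the conversion above concrete, here is an added example (not code from the Sysforensics post) that decodes the create/modify dates from an HFS+ volume header and flags the Fusion template value. The HFS+ date format and header offsets come from Apple TN1150; the volume image the script builds for itself is constructed, and the `build_sample_volume` helper and hypothetical field names are mine.

```python
import struct
from datetime import datetime, timedelta, timezone

# HFS+ dates are unsigned 32-bit big-endian seconds since
# 1904-01-01 00:00:00 (Apple TN1150).
HFSPLUS_EPOCH = datetime(1904, 1, 1, tzinfo=timezone.utc)

# The volume header starts 1024 bytes into the volume (after the two
# reserved boot sectors). createDate and modifyDate sit at header offsets
# 16 and 20, after signature, version, attributes, lastMountedVersion
# and journalInfoBlock.
VOLUME_HEADER_OFFSET = 1024
DATES_OFFSET = 16

# createDate shared by every Mac VM built from preformattedHFSVolume.vmdk.
FUSION_TEMPLATE_CREATE_DATE = 0xC4D48244


def hfsplus_to_datetime(raw):
    """Convert a raw HFS+ 32-bit date to an aware datetime."""
    if not 0 <= raw <= 0xFFFFFFFF:
        raise ValueError("HFS+ dates are unsigned 32-bit values")
    return HFSPLUS_EPOCH + timedelta(seconds=raw)


def datetime_to_hfsplus(dt):
    """Inverse conversion, e.g. to build a raw value to search an image for."""
    return int((dt - HFSPLUS_EPOCH).total_seconds())


def parse_volume_header_dates(image):
    """Pull create/modify dates out of an HFS+/HFSX volume image (bytes)."""
    hdr = image[VOLUME_HEADER_OFFSET:VOLUME_HEADER_OFFSET + 512]
    if len(hdr) < 512:
        raise ValueError("image too short to hold a volume header")
    signature = hdr[0:2]
    if signature not in (b"H+", b"HX"):
        raise ValueError("not an HFS+/HFSX volume header: %r" % signature)
    create_raw, modify_raw = struct.unpack_from(">II", hdr, DATES_OFFSET)
    return {
        "signature": signature.decode("ascii"),
        "create_raw": create_raw,
        "create": hfsplus_to_datetime(create_raw),
        "modify_raw": modify_raw,
        "modify": hfsplus_to_datetime(modify_raw),
        "fusion_template": create_raw == FUSION_TEMPLATE_CREATE_DATE,
    }


def build_sample_volume(create_raw, modify_raw):
    """Constructed test image: 1024 reserved bytes, one header, padding."""
    header = bytearray(512)
    # signature "H+", version 4, attributes 0, lastMountedVersion 0,
    # journalInfoBlock 0 (16 bytes), then the two dates under test.
    struct.pack_into(">2sHIII", header, 0, b"H+", 4, 0, 0, 0)
    struct.pack_into(">II", header, DATES_OFFSET, create_raw, modify_raw)
    return bytes(VOLUME_HEADER_OFFSET) + bytes(header) + bytes(512)


if __name__ == "__main__":
    mod_raw = datetime_to_hfsplus(datetime(2016, 9, 30, tzinfo=timezone.utc))
    info = parse_volume_header_dates(
        build_sample_volume(FUSION_TEMPLATE_CREATE_DATE, mod_raw))
    print("created  %s (raw 0x%08X)" % (info["create"], info["create_raw"]))
    print("modified %s" % info["modify"])
    print("Fusion preformatted template:", info["fusion_template"])
```

Two caveats when using this on real evidence: TN1150 notes that the volume header’s createDate is written in the creating host’s local time while the other header dates are UTC, so the 2008 value is a wall-clock reading rather than a true UTC instant; and a createDate that matches the template only tells you the volume was cloned from Fusion’s image, not that anything happened on the system in 2008.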

  • Arsenal Consulting have made some updates to their case study on the work they did in the Odatv case in Turkey. I’m not exactly sure what’s been added since their previous updates, but it’s worth a look. Also, for those that haven’t looked at Mark Spencer’s work on Anchor Relative Time, this may be an interesting article.
    Odatv: A Case Study in Digital Forensics and Sophisticated Evidence Tampering

  • Adam at Hexacorn has a couple of posts this week
    • The first post documents how to obtain decompiled Lua scripts from the Flame malware.
      Old Flame Never Dies (a.k.a. decompiling LUA)
    • Secondly, he shared a process-execution mechanism that, from the sounds of things, most probably won’t be seen too often, if at all. The DLL must be placed in the system32 directory, signed, and linked with the /INTEGRITYCHECK option, and the attacker must “change the owner to modify the access rights and grant the permissions to add/modify the keys” on the relevant registry key.
      Beyond good ol’ Run key, Part 47

  • Chad Loeven at VMRay has started a series covering sandbox evasion techniques commonly used by today’s malware. The first post explains the three categories of approaches malware authors are using to evade sandbox detection.
    • “Sandbox Detection: Detecting the presence of a sandbox (and only showing benign behavior patterns on detection)
    • Exploiting Sandbox Gaps: Exploiting weaknesses or gaps in sandbox technology or in the ecosystem
    • Context-Aware Malware: Using time/event/environment-based triggers (that are not activated during sandbox analysis)”
      Sandbox Evasion Techniques – Part 1

  • Kafeine at Malware Don’t Need Coffee shares a small data drop about a fork of the Pony trojan, called Fox stealer.
    Fox stealer: another Pony Fork

  • The author at MalwareTech has a quick write-up of an instance of Dridex that has found its way to the UK. The malicious RTF file was encrypted with a password provided in the e-mail, which prevents anti-virus from scanning it. It also pings Google’s DNS server to delay execution.
    Dridex Returns to the UK With Updated TTPs

  • Joie Salvio at Fortinet has a descriptive post on a new piece of ransomware called Mamba. This malware installs DiskCryptor, an open-source disk encryption tool, and then encrypts the whole disk. It even uses NirSoft’s netpass tool to try and identify cached network passwords so it can encrypt files on network-attached drives. Due to the time it takes to perform the full-disk encryption, the author believes that this is not going to become a trend.
    Dissecting Mamba, the Disk-Encrypting Ransomware

  • Floser Bacurio, Rommel Joven and Roland Dela Paz at Fortinet provide an overview of Locky’s development this year.
    We’re Up All Night To Get Locky

  • There were a few posts on the SANS ISC Diary of interest

  • There were two posts on Malwarebytes Labs
    • Thomas Reed has a write-up of the Komplex Mac malware identified by Palo Alto Networks. Thomas explains that this malware is most probably linked to a piece of malware that was discovered last year.
      Komplex Mac backdoor answers old questions

    • Hasherezade talks about the lesser-known tricks that social engineers are using to encourage execution of their malware. The first is the use of the .pif extension, which “hides the real extension even if the user has disabled the feature of extension hiding on Windows”. The second is RTLO (Right-To-Left Override, U+202E), which reverses the display of everything after it so that a name such as mal[U+202E]txt.exe is shown as malexe.txt.
      Lesser known tricks of spoofing extensions
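As an added example (not code from the Malwarebytes post), the following script unmasks both tricks: it strips Unicode bidi controls to find the extension the shell will actually act on, simulates what Explorer displays (the .pif/.lnk/.url/.scf classes carry NeverShowExt and are hidden regardless of the user setting), and flags names whose apparent extension differs from the real one. The sample file names are constructed; the executable-extension list is an assumption you should extend for your own environment.

```python
# Unicode bidi controls that can reorder how a file name is displayed.
BIDI_CONTROLS = frozenset("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")
RTLO = "\u202e"   # RIGHT-TO-LEFT OVERRIDE
PDF = "\u202c"    # POP DIRECTIONAL FORMATTING ends an override

# File classes Explorer never shows the extension for (NeverShowExt value
# on the class key under HKCR), whatever "Hide extensions" is set to.
NEVER_SHOW_EXT = frozenset({"pif", "lnk", "url", "scf"})

# Assumption: a practical subset of extensions that run code on double-click.
EXECUTABLE_EXT = frozenset({
    "exe", "com", "scr", "pif", "bat", "cmd", "msi", "cpl", "hta",
    "js", "jse", "vbs", "vbe", "wsf", "wsh", "ps1", "lnk",
})


def strip_bidi(name):
    return "".join(c for c in name if c not in BIDI_CONTROLS)


def real_extension(name):
    """Extension the shell will act on, ignoring any bidi trickery."""
    clean = strip_bidi(name)
    return clean.rsplit(".", 1)[1].lower() if "." in clean else ""


def render_bidi(name):
    """Approximate how a bidi-aware UI draws the name: text after U+202E is
    drawn reversed up to the next U+202C (or the end of the string)."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == RTLO:
            end = name.find(PDF, i + 1)
            if end == -1:
                end = len(name)
            out.append(strip_bidi(name[i + 1:end])[::-1])
            i = end + 1
        elif ch in BIDI_CONTROLS:
            i += 1            # other controls are zero-width, drop them
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def displayed_name(name, hide_known_extensions=False):
    """What Explorer shows: NeverShowExt extensions always vanish, other
    known extensions only when the default hiding is enabled."""
    shown = name
    if real_extension(shown) in NEVER_SHOW_EXT:
        shown = shown[:shown.rfind(".")]
    if hide_known_extensions and "." in strip_bidi(shown):
        shown = shown[:shown.rfind(".")]
    return render_bidi(shown)


def analyse(name, hide_known_extensions=False):
    """Return the real extension, the displayed form and a verdict."""
    ext = real_extension(name)
    shown = displayed_name(name, hide_known_extensions)
    apparent = shown.rsplit(".", 1)[1].lower() if "." in shown else ""
    has_bidi = any(c in BIDI_CONTROLS for c in name)
    # Disguised: it runs code, and the user sees a *different* extension.
    disguised = ext in EXECUTABLE_EXT and bool(apparent) and apparent != ext
    return {
        "name": name,
        "displayed": shown,
        "real_ext": ext,
        "bidi_override": has_bidi,
        "always_hidden": ext in NEVER_SHOW_EXT,
        "suspicious": has_bidi or disguised,
    }


if __name__ == "__main__":
    # Constructed samples: RTLO disguise, .pif disguise, honest files.
    samples = ["invoice\u202efdp.exe", "report.txt.pif", "notes.txt", "setup.exe"]
    for s in samples:
        r = analyse(s)
        print("%-22s real=%-4s shown=%-18s suspicious=%s"
              % (repr(s), r["real_ext"], r["displayed"], r["suspicious"]))
```

The bidi rendering is deliberately a first-order approximation of the Unicode bidirectional algorithm (one override, reversed to the next pop or end of string), which is all these lures rely on; for triage, the presence of any U+202x/U+206x control in a file name is itself enough to flag the file.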

  • Ben Baker, Edmund Brumaghin, and Jonah Samost at Talos/Cisco have a very thorough post covering the GozNym malware, which combines features of the Gozi and Nymaim malware. The authors explain that the malware is delivered via a malicious-macro-laden Word document and employs a variety of techniques to make analysis difficult. Several scripts were also released to assist in the examination of the malware.
    Threat Spotlight: GozNym

  • Casey Smith demonstrates “the ability to load an arbitrary exe into csi.exe … on a PC running Windows Device Guard”. csi.exe is the Microsoft-signed C# interactive scripting host from Roslyn, so this takes advantage of misplaced trust: “we need to trust many of the binaries signed by Microsoft”.
    Application Whitelisting Bypass – CSI.EXE C# Scripting

  • Philippe Lagadec has written an article explaining how to use his tool, ViperMonkey, to “analyze obfuscated macros and extract hidden strings/IOCs”. Whilst the author advises that the tool is very incomplete, it looks like it works similarly to Didier Stevens’ tools.
    Using VBA Emulation to Analyze Obfuscated Macros

  • Ryan McCombs at CrowdStrike walks through “the methods leveraged by CrowdStrike to recover a COZY BEAR WMI backdoor”.
    Bear Hunting: Tracking Down COZY BEAR Backdoors

  • Anton Ivanov, Fedor Sinitsyn and Kaspersky Lab’s Global Research & Analysis Team at Securelist have a write-up of the Xpan ransomware, created from scratch by a team in Brazil. They also compare this malware with the group’s earlier Xorist-based version. Interestingly, the attacks are performed manually, with the preferred intrusion mechanism being RDP brute forcing. Kaspersky has also broken the encryption and is able to assist victims on request.
    TeamXRat: Brazilian cybercrime meets ransomware

  • Micah Yates and Tom Lancaster at Palo Alto Networks examine two related malware families, named CONFUCIUS_A and CONFUCIUS_B, that “abuse legitimate web services … to retrieve a command and control address”. The families use “Yahoo Answers and Quora to evade traditional mechanisms for blocking command and control domains”, and the post traces their connections to each other and to known espionage campaigns.
    Confucius Says…Malware Families Get Further By Abusing Legitimate Websites

  • Luis Rocha at Count Upon Security has a short write-up of the RIG Exploit Kit.
    RIG Exploit Kit Analysis – Part 1

  • Also on the RIG EK, Rami Kogan at the Trustwave SpiderLabs blog discusses some of the changes that they have identified recently.
    RIG’s Facelift


And that’s all for Week 39! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!
