Week 7 – 2017

Nominations for the 2017 Forensic 4Cast Awards are still open! If you’d like to nominate this site for blog of the year, that would be greatly appreciated 🙂
2017 Forensic 4:cast Awards – Nominations are Open


  • Samuel Alonso at Cyber IR runs through a number of plugins in the Vshot script, which was run against a system infected with Stuxnet.
    Memory Forensics with Vshot and Remnux (process objects, network artifacts and attacker activity, 3)

  • Didier Stevens shows how to “have ClamAV decrypt and scan a password protected ZIP file.”
    Quickpost: ClamAV and ZIP File Decryption

  • There were quite a few articles shared by Digital Forensics Corp this week
    • They shared an article by David Harley on “Next-gen security software: Myths and marketing”. “In this article, he questioned the virus scan algorithm between new and old antivirus.”
      Security Software: Myths and Marketing
    • They shared an article by Samir B. on using Windows Security Event Logs to detect Mimikatz.
      Mimikatz detection
    • They shared an article released by Microsoft that walks through “the credential theft attack techniques by using readily available research tools on the Internet. At each point of the attack we will show how Microsoft’s Advanced Threat Analytics (ATA) helps IT organizations gain visibility into these post-infiltration activities happening in their environments”.
      Advanced Threat Analytics
    • They shared an article by James Scott at the Institute for Critical Infrastructure Technology claiming that “signature based malware detection is dead” and “critical infrastructure cybersecurity must rely on predictive, preventative, and protective solutions that detect and mitigate threats preexecution”.
      Is Signature Based Malware Detection Dead?
    • They shared an article by Gibin John which highlights a “few API calls which are commonly used by malware’s to accomplish certain task.”
      Malware’s APIs
    • They shared a link to Microsoft’s new Policy Analyzer tool, which “is a utility for analyzing and comparing sets of Group Policy Objects (GPOs). It can highlight when a set of Group Policies has redundant settings or internal inconsistencies, and can highlight the differences between versions or sets of Group Policies.”
      New Microsoft tool: Policy Analyzer
    • They shared a cheat sheet from @ovid that may be useful for reverse engineers.
      Amazing note for reverse engineers
    • They shared a post by Riccardo Tani on “DFIR and Log Analysis with EmEditor”
      DFIR and Log Analysis
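Picking up the Mimikatz-detection item above: the following is an added example, not code from Samir B.’s article or from this site, showing the shape such a detection takes when run over Windows Security handle-request events (4656/4663) for lsass.exe. It assumes that handle auditing on lsass.exe is actually switched on (a SACL on the process object plus Object Access auditing; without it these events are never written), that the events have already been parsed into dicts keyed by their EventData field names, and that the access masks and allowlist below are starting points to be tuned from a baseline rather than facts from the article. The sample events are constructed.

```python
"""Hunt for credential-dumping style access to lsass.exe in Windows Security
events 4656 / 4663. Added example, not the code from the article above.

Assumptions (not stated on the page):
- auditing of handle requests on lsass.exe is switched on (a SACL on the
  process object plus Object Access auditing), otherwise nothing is logged;
- events are already parsed into dicts keyed by their EventData field names.
"""

# Process access rights from winnt.h that matter for reading LSASS memory.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

# Masks frequently reported for Mimikatz sekurlsa (assumed indicators; treat a
# match as a strong hint, not proof).
KNOWN_DUMPER_MASKS = {0x1010, 0x1038, 0x1FFFFF}

# Processes that legitimately open LSASS with read access on many hosts.
# Assumed starting point: build yours from a baseline, and remember that an
# attacker can name a binary anything, so pair this with signer/path checks.
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}


def _is_lsass(object_name: str) -> bool:
    # 4656 records the NT device path (\Device\HarddiskVolumeN\...), so match
    # on the final path component only.
    return object_name.lower().replace("/", "\\").endswith("\\lsass.exe")


def lsass_access_finding(event: dict):
    """Return a finding dict for a suspicious LSASS handle request, else None."""
    if event.get("EventID") not in (4656, 4663):
        return None
    if event.get("ObjectType") != "Process" or not _is_lsass(event.get("ObjectName", "")):
        return None
    mask = int(event.get("AccessMask", "0x0"), 16)
    if not mask & PROCESS_VM_READ:
        return None  # querying process info is routine; reading memory is the tell
    if event.get("ProcessName", "").lower() in ALLOWLIST:
        return None
    return {
        "process": event.get("ProcessName", ""),
        "user": event.get("SubjectUserName", ""),
        "access_mask": hex(mask),
        "known_dumper_mask": mask in KNOWN_DUMPER_MASKS,
        "event_id": event["EventID"],
    }


def hunt(events) -> list:
    """Run the check across a batch of parsed events, keeping only findings."""
    return [f for f in map(lsass_access_finding, events) if f]


# Constructed sample events (not real log data). Only the second should fire:
# Defender is allowlisted, WmiPrvSE asks for no memory read, and the last
# record is a file handle, not a process handle.
SAMPLE_EVENTS = [
    {"EventID": 4656, "ObjectType": "Process",
     "ObjectName": r"\Device\HarddiskVolume2\Windows\System32\lsass.exe",
     "ProcessName": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "SubjectUserName": "SYSTEM", "AccessMask": "0x1410"},
    {"EventID": 4656, "ObjectType": "Process",
     "ObjectName": r"\Device\HarddiskVolume2\Windows\System32\lsass.exe",
     "ProcessName": r"C:\Users\bob\Downloads\mimikatz.exe",
     "SubjectUserName": "bob", "AccessMask": "0x1010"},
    {"EventID": 4656, "ObjectType": "Process",
     "ObjectName": r"\Device\HarddiskVolume2\Windows\System32\lsass.exe",
     "ProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "SubjectUserName": "SYSTEM", "AccessMask": "0x1000"},
    {"EventID": 4656, "ObjectType": "File",
     "ObjectName": r"C:\Windows\System32\config\SAM",
     "ProcessName": r"C:\Users\bob\Downloads\mimikatz.exe",
     "SubjectUserName": "bob", "AccessMask": "0x1010"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The design choice worth noting is that the check keys on the PROCESS_VM_READ bit rather than on an exact mask: renamed or recompiled tools change the requested mask easily, but they cannot read LSASS memory without that bit, so the allowlist of requesting processes is what actually carries the detection, and it needs to be built from your own environment.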

  • Oleg Afonin at Elcomsoft shows how to use their Elcomsoft Internet Password Recovery tool to export a list of the passwords cached on a computer. This list can then be combined with a number of mutations to aid in password cracking.
    How to Break 70% of Passwords in Minutes

  • Chris Cohen has written an article for Forensic Focus on imaging a Linux Virtual Private Server (VPS). This includes the various steps required and potential pitfalls.
    Asking A VPS To Image Itself

  • David Cowen at the HECF Blog has posted a guide for building DFIR Lab Standard Operating Procedures (SOPs). Dave gives a run through of a sample SOP for examining Prefetch on a system, and then shows how you can chain various SOPs together. The Do’s and Don’ts section is also particularly helpful for those looking to write out a series of examination SOPs.
    SOPs in DFIR

  • Jessica Hyde at Magnet Forensics “gives an overview of Portable Case [a feature of IEF and AXIOM] and its benefits”. Portable cases allow examiners to export the results for review without requiring a license. Comments, bookmarks, etc. can then be merged back into the case at a later stage.
    Deep Dive on Portable Case Part One

  • Mark McKinnon has created a module for Autopsy that allows you to run plaso against your image, or import a plaso storage file.
    Plaso Autopsy Python Plugin(s) Module

  • Matt Bromiley takes a look at the mongoaudit tool, which “is an automated command-line testing tool for MongoDB”. Matt explains that the tool covers the low-hanging fruit and also provides a high-level scorecard for your MongoDB instance.
    Tool Review: mongoaudit

  • The Bluetooth team at Champlain College have begun their investigation into Bluetooth security using BlueHydra and BtleJuice. They began with their ‘recon phase’, where they compiled a list of devices and the relevant information they were able to discover, “such as how they were discovered, their MAC addresses, and the version of Bluetooth they’re running.”
    Bluetooth Security Forensics 2.0



  • Josh Liburdi and Chris McCubbin at Sqrrl will be hosting a webinar on how to leverage DNS to surface attacker activity. The webinar will take place Wednesday, March 1st at 2:00 pm ET / 11:00 am PT (7:00 pm UTC). You can register here.


  • On this week’s Digital Forensics Survival Podcast, Michael talks about using FreeMind to visualise your findings. The show notes have an example diagram on how Michael sets out his mindmap. I had to do this for a job just recently but chose to use Visio because it gave me a bit more freedom in moving the sections around (and adding in Clip Art, of course). Regardless of the tool, visualising a case can make understanding it and explaining it a lot easier.
    DFSP # 052 – Free Your Mind

  • Lee Reiber has posted another Mobile Forensics Minute talking about the “data/com.android.providers.media/databases/” database, which contains metadata for images on an SD card, even if the images/SD Card have been removed.
    Mobile Forensic Minute 109

  • Fabian Wosar has posted a live stream of reversing the HERMES ransomware. It’s 4 hours long, so buckle in if this is something you’re interested in.
    Reversing HERMES ransomware

  • Karsten Hahn at MalwareAnalysisForHedgehogs unpacks Spora and has “a look at the part of Spora’s encryption procedure that encrypts the .KEY file.”
    Malware Analysis – Exploring Spora’s Encryption Procedure

  • OALabs have posted a video walking through “unpacking a Visual Basic 6 ( VB6 ) packer using API hooks with IDA Pro and the remote debugger”.
    Unpacking VB6 Packers Like A BO$$

  • Paula Januszkiewicz at CQURE has posted the slides from her RSA 2017 talk on the artefacts that the system leaves on disk.
    RSA Conference 2017: What System Stores on the Disk Without Telling You

  • Mark Russinovich released his presentation from RSA 2017 on threat hunting with Sysmon
    Check Out @markrussinovich’s Tweet

  • John Strand at Black Hills Info Sec has posted a video analysing memory on a compromised system. The video covers “the tools to dump memory from a system and some of the basic tools to look at the memory of a system which may be compromised”.
    WEBCAST: Windows Memory Forensics

  • Nicole Lamoureux has posted links to the presentations from BSidesSF 2017.
    Resource: BSidesSF 2017 Talks


  • The SANS Reading Room has posted Kevin Kelly’s whitepaper on the TeslaCrypt malware. “This paper will show how to analyze live ransomware malware samples, how malware processes locally, over time and within the network”
    Indicators of Compromise TeslaCrypt Malware

  • The guys at Bad Cyber have provided a technical analysis of an attack that is being seen across several Polish banks. A malicious JS file was used to download malware “to the workstation, where, once executed, connected to some foreign servers and could be used to perform network reconnaissance, lateral movement and data exfiltration.”
    Technical analysis of recent attacks against Polish banks

  • The guys at the BAE Systems Threat Research Blog have also looked into the attacks on Polish financial institutions, and analyse the Lazarus malware involved.
    Lazarus & Watering-hole Attacks

  • Winston M at Cysinfo analyses a maldoc that drops Loki Bot using the UAC bypass technique that utilises eventvwr.exe.
    Nefarious Macro Malware drops “Loki Bot” to steal sensitive information across GCC countries!

  • The ‘Finding Vulnerabilities’ blog analyses the Rovnix dropper, first performing some information gathering steps, such as static analysis of the file, online research, execution in VM (and subsequent examination of FakeNet data), and briefly loading the sample in IDA Pro. After determining that the sample was packed, they then show how to unpack the binary.

  • Floser Bacurio and Joie Salvio at Fortinet demonstrate how the REMCOS RAT “is being used in an attack, and what its latest version (v1.7.3) is capable of doing”.
    REMCOS: A New RAT In The Wild

  • Tim Berghoff at the G Data Security Blog advises that G Data’s researchers have observed an increased number of infections by the ZeuS banking malware. He also provides a brief explanation about how banking trojans work.
    Zeus Panda is back

  • Yu Nakamura at the JPCERT/CC Blog provides some information on the ChChes malware, including how it communicates. “ChChes is a type of malware that communicates with specific sites using HTTP to receive commands and modules. There are only few functions that ChChes can execute by itself. This means it expands its functions by receiving modules from C&C servers and loading them on the memory.”
    ChChes – Malware that Communicates with C&C Servers Using Cookie Headers

  • There were a couple of posts on the Lastline Labs Blog
    • Marco Cova has a look at the various evasion techniques used by malicious JScript files. These include stalling code, COM object emulation detection, timebombs, and environment checking
      Evasive JScript
    • Clemens Kolbitsch, Alexander Sevtsov, and Arunpreet Singh continue the series on VBA downloaders, this time looking at the “limited coverage of security solutions on the different parts of the attack chain”. The authors explain that malicious actors take advantage of social engineering, password protected files (that are harder to scan), unusual program types (such as Publisher files), as well as misleading file types such as DOCM and MHT, to infect unsuspecting users.
      Party like it’s 1999: Comeback of VBA Malware Downloaders [Part 3]

  • MalwareTech shows how to unpack the Dridex loader
    Let’s Unpack: Dridex Loader

  • Marco Ramilli dissects a copy of Crypt0L0cker
    Crypt0l0cker Revival !

  • There were a couple of posts on the McAfee Labs blog
    • Sudhanshu Dubey continues to analyse the KillDisk ransomware. Two variants have been uncovered, one which encrypts the data, and the other which overwrites it. Sudhanshu also shows how to unlock the screen when the ransom information is shown.
      Analyzing KillDisk Ransomware, Part 2: Variants and Screen Unlocking
    • Yerko Grbic documents a malicious Excel doc downloader that uses MacScript (instead of PowerShell) to execute. The doc checks to see if WScript.Shell is present, and if it isn’t, executes the macshell module.
      Macro Malware Targets Macs

  • There were a number of posts on the Palo Alto Networks Blog this week
    • Robert Falcone takes a look at the macOS variant of XAgent, including the commands that it is sent by the C2, its keylogging functionality, and its infrastructure.
      XAgentOSX: Sofacy’s XAgent macOS Tool
    • Bryan Lee and Robert Falcone take a look at “a persistent attack campaign operating primarily in the Middle East dating back to at least mid-2016”, which they have named Magic Hound. The attackers used weaponized documents “which were designed to call Windows PowerShell to retrieve additional tools”. The attackers also used the open source Python RAT called Pupy. “The toolset used by the Magic Hound campaign was an assortment of custom tools, as well as open sourced tools available to the general public. None of the tools we uncovered were found to be exploit-driven, and relied exclusively on social engineering tactics to compromise targets”
      Magic Hound Campaign Attacks Saudi Targets
    • Jen Miller-Osborn and Josh Grunzweig provide some additional information about ChChes, mentioned previously by JPCERT/CC.
      menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations

  • Ido Naor at Securelist takes a look at a recent attack against Israeli soldiers around the Gaza Strip, where a malicious APK was installed by the victims.
    Breaking The Weakest Link Of The Strongest Chain

  • The SecureWorks Counter Threat Unit Research Team also provide some information on the Magic Hound Campaign, including a brief look at the PupyRAT as well as various IOCs.
    Iranian PupyRAT Bites Middle Eastern Organizations

  • David Longenecker at Security For Real People shows how to use Didier Stevens’ PDF parsing utilities to examine a malicious PDF file sent in a phishing email. David also provides a number of red flags which identify that the file is malicious, even though VirusTotal doesn’t identify it as such.
    Quick and dirty malicious PDF analysis
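As an added illustration of the kind of red-flag triage described above (this is not David Longenecker’s or Didier Stevens’ code, and the list of names it checks is my assumption of commonly inspected keywords rather than the red flags from his post), the script below does what pdfid does at its core: it scans the raw bytes for PDF names that warrant a closer look and, because PDF allows any byte in a name to be written as `#xx`, it also catches spellings like `/J#61vaScript` that a plain grep for “/JavaScript” would miss. The sample PDF is constructed, not a real phishing attachment.

```python
"""Keyword triage of a PDF in the spirit of pdfid (added example, not the
original tool). Works on raw bytes so it copes with truncated or deliberately
malformed files that a full parser would reject.
"""
import re
from collections import Counter

# Names that usually merit a closer look (assumed list of common red flags,
# not the list from the post above).
RED_FLAGS = (
    "/OpenAction",    # action fired when the document is opened
    "/AA",            # additional actions (page open, mouse events, ...)
    "/JavaScript",
    "/JS",
    "/Launch",        # run an external program or open a file
    "/EmbeddedFile",  # payload carried inside the PDF
    "/RichMedia",     # Flash / media content
    "/ObjStm",        # object streams can hide any of the above
)

# A PDF name token: '/' followed by regular characters, where any byte may be
# written as '#' plus two hex digits (PDF 32000-1:2008, section 7.3.5).
_NAME_RE = re.compile(rb"/(?:[^\s/\[\]<>(){}%#]|#[0-9A-Fa-f]{2})+")


def _decode_name(token: bytes) -> str:
    """Resolve '#xx' escapes so /J#61vaScript compares equal to /JavaScript."""
    unescaped = re.sub(rb"#([0-9A-Fa-f]{2})",
                       lambda m: bytes([int(m.group(1), 16)]), token)
    return unescaped.decode("latin-1")


def pdf_keyword_counts(data: bytes):
    """Return (Counter of red-flag names, set of names seen in escaped form)."""
    counts, obfuscated = Counter(), set()
    for m in _NAME_RE.finditer(data):
        token = m.group(0)
        name = _decode_name(token)
        if name in RED_FLAGS:
            counts[name] += 1
            if b"#" in token:
                obfuscated.add(name)
    return counts, obfuscated


def triage(data: bytes) -> dict:
    """Turn keyword counts into the kind of red flags an analyst looks for."""
    counts, obfuscated = pdf_keyword_counts(data)
    flags = []
    if not data.startswith(b"%PDF-"):
        flags.append("file does not start with %PDF- (junk prepended or not a PDF)")
    automatic = counts["/OpenAction"] + counts["/AA"]
    if automatic and (counts["/JavaScript"] or counts["/JS"]):
        flags.append("automatic action combined with JavaScript")
    if automatic and counts["/Launch"]:
        flags.append("automatic action combined with /Launch")
    if counts["/EmbeddedFile"]:
        flags.append("embedded file present")
    if obfuscated:
        flags.append("red-flag names written with #-escapes: "
                     + ", ".join(sorted(obfuscated)))
    return {"counts": dict(counts), "flags": flags, "suspicious": bool(flags)}


# Constructed sample (not a real attachment): a document whose catalog fires an
# escaped JavaScript action as soon as it is opened.
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /J#61vaScript /JS (app.alert('hello')) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    result = triage(SAMPLE_PDF)
    for name, n in sorted(result["counts"].items()):
        print(f"{name:14} {n}")
    for flag in result["flags"]:
        print("!", flag)
```

A hit here is a reason to pull the object apart with pdf-parser, not a verdict: legitimate forms use /AA and /JavaScript too, so the combination with an automatic trigger, the use of escapes to hide a name, and a VirusTotal result that says nothing are what together make the file worth treating as hostile.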

  • There were a couple of posts on TrendMicro this week
    • Giannina Escueta has a writeup on a new trojan designed to distribute Mirai to Windows machines. “The Windows Trojan targets more ports than the original Linux Mirai, hunting for every possible avenue of infection. It checks if the following ports are open: 22 (SSH), 23 (Telnet), 135 (DCE/RPC), 445 (Active Directory), 1433 (MSSQL), 3306 (MySQL) and 3389 (RDP)”.
      Mirai Widens Distribution with New Trojan that Scans More Ports
    • Marvelous Pelin and Gilbert Sison document a new variant of Cerber that goes out of its way “to avoid encrypting security software”. The variant “queries for the contents of three WMI classes… for firewalls, antivirus, and antispyware product … [and] extracts the directories where these are installed and adds them to the list of whitelisted folders, which are spared from any encryption”. “Aside from this security software detection, the behavior of these variants is similar to other CERBER variants”.
      CERBER Changes Course, Triple Checks for Security Software

  • Eduardo Altares, Patrick Nguyen, and Xinlei Cai at Symantec explain that “Symantec Security Response has recently discovered the Sage 2.0 ransomware (Ransom.Cry) being delivered by the Trojan.Pandex spambot”. The malware purports to be a PDF document and sports some similar routines to Cerber, although the authors did not identify a definitive link between the two.
    Sage 2.0 ransomware delivered by Pandex spambot, mimics Cerber routines

  • There were a couple of posts on the SANS ISC Handler Diaries




  • The guys at GoSecure have released a tool called Malboxes, which “creates Windows Virtual Machines (VMs) without any user interaction”. “Those VMs are preconfigured with malware analysis tools and security settings tailored for malware analysis”.
    Introducing Malboxes: a Tool to Build Malware Analysis Virtual Machines

  • Basis Technology have released version 2.0 of their Cyber Triage tool. The update includes “a new interface that exposes more of the collected data, a timeline of incidents to give context indicators, [and] Cyber Triage Lite, a free version that does not include malware scanning or analytics”
    Basis Technology releases a free Cyber Triage version at RSA

  • Andrew Hoog released an iOS Triage tool on Github. The tool is a “Node.js cli for iOS incident response. [The] Program will extract, process and report (including diffs) on iOS device and app telemetry.”

  • The guys at DEFT Linux have released DEFT Zero, which is a “light version of Deft specifically designed for the forensic acquisition of digital evidence.”
    DEFT Zero (2017.1) ready for download

And that’s all for Week 7! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!

