Malzilla JavaScript Analysis

JavaScript Malware Analysis using - Malzilla

Malzilla is a GUI-based tool for analyzing malicious JavaScript and web pages. It is specifically built to deobfuscate JavaScript by executing the code with the SpiderMonkey JavaScript engine.

JavaScript Analysis From Malware Analysis Perspective:

This involves examining the code to uncover potential malicious behavior, understand its functionality, and identify any obfuscation techniques employed. By dissecting the JavaScript, analysts aim to detect payload delivery mechanisms, identify suspicious patterns, and determine the impact it may have on systems and data.

JavaScript analysis plays a crucial role in cybersecurity, enabling researchers to identify and mitigate potential threats. Malicious JavaScript continues to be a favored vector for attacks, ranging from spear-phishing campaigns to drive-by downloads.

The use of tools like Malzilla significantly enhances the analysis process, making it faster and more efficient. By leveraging such tools, security professionals can effectively dissect malicious code and respond swiftly to protect their systems and data.

SSDEEP Fuzzy Hashing

Malware Static Analysis with SSDEEP Fuzzy Hashing Tool

ssdeep is a tool for fuzzy hashing, a type of hashing that employs Context-Triggered Piecewise Hashing (CTPH). Essentially, the tool is used to compare files that are similar but not identical.

Using ssdeep, it is possible to classify malware samples: if a sample's fuzzy hash scores as similar to known samples, that similarity can indicate the malware family to which the sample belongs.


PSDecode

Endpoint Incident Response using - PSDecode

PSDecode is a PowerShell script module for decoding obfuscated PowerShell scripts. The tool strips layered obfuscation techniques such as string concatenation and string replacement.

From a malware analysis perspective, adversaries frequently employ encoding and obfuscation techniques to camouflage their downloader scripts, aiming to evade detection and hinder analysis by security professionals. By encoding and obfuscating their scripts, adversaries make it difficult for security solutions to identify and analyze the malicious intent embedded within the code.

Adversaries encode and obfuscate their downloader scripts to improve their chances of successful infiltration, impede analysis, and protect their techniques. As defenders, it is crucial to know the advanced techniques and tools capable of overcoming these obfuscation methods in order to detect, analyze, and mitigate emerging threats effectively.

To use PSDecode, create a directory named “PSDecode” under “WindowsPowerShell/v1.0” and place the module there. See the image for reference.

OpenCTF – CrackTheCase DFIR

Eyehatemalwares OpenCTF - CrackTheCase DFIR Challenge

Scenario: On April 11th, CSIRT received an alert from AASTORGA(10.10.20.8) endpoint.

Your mission: Conduct an in-depth investigation to uncover its cause.

Decryption Key: Az83folNsUHoTo6B5oRvFg


TSK – fls

Digital Forensics with The Sleuth Kit - fls

In The Sleuth Kit (TSK), “fls” is a command line tool used to recover or display information about the files and directories in a given image or file system. “fls” works by reading the file system metadata, such as the file allocation table (FAT) or inode tables, to locate the files and directories of interest. The tool then produces a list of file and directory names along with other relevant information such as timestamps, inode numbers, and file sizes.

The “fls” tool is commonly used in digital forensics and incident response to quickly locate specific files or directories within an image or file system, or to generate a directory tree for analysis. The output of “fls” can be used in conjunction with other tools, such as “icat”, to recover or display the contents of specific files.

The Sleuth Kit Tools

TSK – fsstat

Digital Forensics with The Sleuth Kit - fsstat

In The Sleuth Kit (TSK), “fsstat” is a command line tool that provides information about the file system structure and metadata of a given image or file system. The “fsstat” command works by analyzing the file system metadata, such as the file system’s superblock and inode tables, to extract information about the file system layout, block size, total size, and other relevant details.

This information is then displayed to the user, providing a high-level overview of the file system and its characteristics. “fsstat” is commonly used in digital forensics and incident response to quickly gain an understanding of the file system and to identify any unusual or suspicious characteristics that may indicate a security incident.


TSK – icat

Digital Forensics with The Sleuth Kit - icat

In The Sleuth Kit (TSK), “icat” is a command line tool used to recover or display the contents of a specific file or data object in a given image or file system. The “icat” tool works by reading the file system metadata to locate the file or data object of interest and then reading the raw data associated with that object.

The contents of the file can then be displayed to the user or saved to disk. “icat” is commonly used in digital forensics and incident response to recover deleted or damaged files, or to retrieve specific data of interest for analysis.


TSK – ils

Digital Forensics with The Sleuth Kit - ils

In The Sleuth Kit (TSK), “ils” is a command line tool that provides information about the files and directories in a given image or file system. The “ils” command works by reading the file system metadata and generating a list of inode numbers, file names, and other information about each file. This information is then displayed to the user, making it easier to identify and analyze specific files of interest.

The “ils” tool is commonly used in digital forensics and incident response to quickly scan a large image or file system for specific files or patterns of interest.


File Carving Photorec

File Carving using CGSecurity - Photorec

PhotoRec is file data recovery software designed to recover lost files, including video, documents and archives, from hard disks and CD-ROMs, and lost pictures (hence the name Photo Recovery) from digital camera memory. PhotoRec ignores the file system and goes after the underlying data, so it will still work even if your media’s file system has been severely damaged or reformatted.

Pagefile

Live Forensics: Pagefile

In this demo, we will explore different ways to perform live forensics and acquire artifacts that can aid the investigator even when acquiring a memory image of the system is not feasible.

We will be looking at a Windows artifact called the pagefile.