It was time for a forensics challenge today. The description suggested to me we’d be digging out the floppy disc for Volatility, a great tool for digging information out of memory dumps: Suspicious traffic was detected from a recruiter’s virtual PC. A memory dump of the offending VM was captured […]
When a Threat Actor is trying to get a payload onto a box they’ll often use curl and wget as they’re often present on the endpoint. If they aren’t – or there’s considerations of being a little more stealthy – there’s another way to live off of the land. It’s […]
There’s plenty of ways to do sandboxing for malware analysis. Say you want to use your own custom set-up, and specifically just want to rewrite the IP headers so that you can capture the outbound traffic to analyse or do ‘things’ to it. Any version of Linux can do this […]
A lot has been written about GootLoader and the eventual malware that it drops (GootKit and/or REvil) by researchers far more knowledgable than myself – so I won’t tread too much on old ground. I happened to come across an incident involving GootLoader recently and was impressed at the level […]