Feed: https://forensicitguy.github.io/
Title: Tony Lambert - Tony's blog about malware analysis and other security topics
Author: Tony Lambert
Last updated: 2024-03-04T04:43:14+00:00
© 2024 Tony Lambert

Dissecting a Java Pikabot Dropper
Published: 2024-03-03T00:00:00+00:00
Updated: 2024-03-03T00:00:00+00:00
URL: https://forensicitguy.github.io/dissecting-java-pikabot-dropper/
Author: Tony Lambert
In mid-February, TA577 experimented with a Java Archive (JAR) dropper to deliver Pikabot to their victims. In this post I'll explore some static analysis of that dropper to show how we can get information from it. If you want to follow along, I'm working with this sample in MalwareBazaar: https://bazaar.abuse.ch/sample/0a0e0d2f9daa0bad25c3defd69a3a6d96a6ac5f325a369761807c06887d3bd9f/. Triage...

Timelining a Malicious VHD for More Intelligence
Published: 2023-08-04T00:00:00+00:00
Updated: 2023-08-04T00:00:00+00:00
URL: https://forensicitguy.github.io/timelining-malware-vhd-intelligence/
Author: Tony Lambert
In a previous blog post I mentioned how adversaries using VHD files to distribute malware can leave around a lot more data than they intend, including identifiable data for tracking. In this post I want to break out the best friend everyone made during SANS FOR508, Plaso, so I can process the filesystem data for a malicious VHD and illustrate how we can establish a timeline of operations for th...

Malware via VHD Files, an Excellent Choice
Published: 2023-07-23T00:00:00+00:00
Updated: 2023-07-25T21:24:42+00:00
URL: https://forensicitguy.github.io/vhd-malware-an-excellent-choice/
Author: Tony Lambert
Adversaries use lots of different file formats to distribute malware, and one of my favorites has to be Virtual Hard Disk (VHD) files. You may have seen VHD files used with virtualization solutions like VirtualBox, Hyper-V, VMware, etc., but you can also use VHD file containers as portable storage files in a similar manner to ISOs. There are just a few catches though: you have to be much more ca...

Faster Malware Triage with YARA
Published: 2023-07-14T00:00:00+00:00
Updated: 2023-07-14T23:02:12+00:00
URL: https://forensicitguy.github.io/faster-malware-triage-yara/
Author: Tony Lambert
As folks get into malware analysis they naturally develop their own personal style of triage process based on data that is usually important to them. For example, I go through a process to determine what kind of file I have in front of me and what identifying hashes come from that file that I can use in services like VirusTotal and MalwareBazaar to find details about the sample or similar ones....

NetSupport Manager RAT from a Malicious Installer
Published: 2023-02-25T00:00:00+00:00
Updated: 2023-02-25T00:00:00+00:00
URL: https://forensicitguy.github.io/netsupport-manager-malicious-installer/
Author: Tony Lambert
Adversaries love to use pre-made tools for remote access, and one perennial favorite is the legitimate NetSupport Manager. This post is a short and sweet look at a malicious installer that distributes NetSupport Manager to unwitting victims, allowing remote control to adversaries. If you want to follow along at home, I'm working with this file from MalwareBazaar: https://bazaar.abuse.ch/sample/8...