Recently I went looking for some reference content on ZIP files and how timestamps behave in a ZIP along with what I could determine about files within a ZIP. Sadly I came up empty, either due to there being very little available online, or just my impatience. So I thought I'd spend some time writing up some research I did for the next person that is looking for reference content. Essentially, I wanted to know how do timestamps behave when it comes to ZIP files, do any timestamps stay the same and what timestamps are lost when you archive a…

The latest version of Emotet downloader has a few new updates. In this post we'll have a look at these updates. These are the new updates: Obfuscation pattern is different to that in the past (3942 lines of VBS code)Powershell.exe is copied over to Temp and executed from there (evasion technique)Only one payload URI - this is a major changeLet's take a look at the malware and analyse it. Infection vector is the usual phishing email with a Word document attachment. Once you open the document, it asks you to enable the macros. Once enabled, the code…

As an Incident Responder it's pretty common to analyse malicious emails, however finding the right tools, to safely pull apart an email, aren't always easy to find. I often find analysts struggle to pull apart an email once you explain the risks of using Microsoft Outlook as an analysis tool. This post will look at using open source tools within the SANS SIFT Workstation virtual machine to safely pull apart a native outlook email message. To start with, a native Outlook email message is in an .MSG file format. This format, unfortunately, can't be opened and viewed easily with a…

There's an interesting new malware that is currently being distributed actively around the globe through phishing campaigns. This malware is a Trojan RAT, that poses as a version of the popular open-source archive utility PeaZip. The authors of this malware have copied the file info and make it look like a legit version of PeaZip. Careful analysis of this malware shows us that this infact is a Trojan RAT, that is falsely adverstised as PeaZip. In this article, we analyse this malware and discuss the findings. There are strong indicators that suggest that this is a re-packaged version of DarkComet…

Introduction Keymarble is a trojan malware that has recently been seen in the wild. US CERT released initial information about this malware late last week which can be accessed here - https://www.us-cert.gov/ncas/analysis-reports/AR18-221A In this article, we analyse the malware and try to understand the execution flow. We also look at some useful network IOC that can be extracted from the malware. Some of these have been documented in the release that has been linked above. We'll look at some other IOC that have not yet been released publicly. This is a quick analysis that…

The following process walks through how to mount an Apple Disk Image, or more commonly known as a .dmg file. This process walks through mounting the HFS section of a .dmg file on a Linux system to allow the extraction of files for further analysis. Step 1 - Checking The File Type To begin with, I usually check what type of .dmg file it is with the "file" command. This is done to understand if it is a compressed or uncompressed .dmg file. $ file application.dmg The output you could typically expect could be: application.dmg: data which…