Malware News
15.1K subscribers
1.63K photos
7 videos
130 files
7.97K links
The latest NEWS about malwares, DFIR, hacking, security issues, thoughts and ...

Partner channel: @cveNotify

For ads: https://telega.io/c/malwr
Download Telegram
ThiefQuest Ransomware detects VM (possibly)
Set up a Mac VM on VMWare, tried running the ThiefQuest Ransomware. On the Activity Monitor, I Force Quit vmware-tools-daemon, hoping it won't detect it as a VM. But I guess I'm wrong. It's either the samples I've gotten are wrong, or the malware detects a VM.

https://preview.redd.it/qjsk2yyu0h951.png?width=1910&format=png&auto=webp&s=e5d5186bee11b35fdc5eaa1d7c06d577c4a3da32
πŸ—£LMJR500Army

It can still detect that it's in a VM even without the vmware-tools-daemon running. Common methods in this VMware kb article.

There are plenty of other anti-forensic methods for detecting a VM as well. Sometimes you need to be as tricky as the creators to get the malware to actually run when you are trying to examine it.
πŸ‘€TheDarthSnarf


πŸŽ–@malwr
Digital forensics specialist's bookshelf: Top 11 books on digital forensics, incident response, and malware analysis
https://www.group-ib.com/blog/bookshelf

https://preview.redd.it/2bjsvygjyg951.png?width=1023&format=png&auto=webp&s=02c1aac3787d8620c8d8d0709c0c641bc035f27f
πŸ—£Igor_Mikhaylov

Is rootkits and bootkits an updated sequel to practical malware analysis or a specialized deep dive?
πŸ‘€QuietForensics

I would add Applied Incident Response
https://www.amazon.com/Applied-Incident-Response-Steve-Anson/dp/1119560268
πŸ‘€sidi7

I don’t think #2 is with 508 anymore
πŸ‘€bigt252002


πŸŽ–@malwr
Handheld Computer/Controller
πŸ—£0ne-autumn-leaf

THE HACKPAD
πŸ‘€Savvasun

Terminator 2. ATM scene. My favorite.
πŸ‘€eltoro3333

Sick
πŸ‘€cosmicleanie


πŸŽ–@malwr
New network security scanner tool released by Google!
πŸ—£frrossty

So, will all my vulnerabilities and weak creds be available on the Google, nicely indexed, after using it?
πŸ‘€ptzxc68

I'm surprised a new tool was written in Java. I definitely would have expected Go instead of Java for a new security tool from Google.
πŸ‘€abluedinosaur

this only checks for four known admin panels and weak creds.

great idea, but it needs ways more plugins to be useful
πŸ‘€Snoo-92683


πŸŽ–@malwr
Best solution for unpacking most of the packed samples in a large dataset of malware statically
I have a large dataset of malware samples that are packed with variety of packers, and i need to unpack as many as possible (I want to build a machine learning model and this is my dataset)

i guess one way of unpacking the packed samples is first detecting the packer with the help of Peid or die with scripting and then call the appropriate unpacker like UPX, Aspack, ... unpackers

but the problem is the list of packers is too large and there are so many different unpackers and such


so what is the best solution to this? if you had a large dataset of malware how would you go about of unpacking the most possible (obviously we can't unpack all of them, but the more the better)

any open source project for this problem or any other solution?

and I also obviously don't care about samples that are packed with a custom packer/crypter since i doubt there is any easy static solution to that.
πŸ—£BitDrill

I’d suggest checking out https://www.unpac.me/
πŸ‘€jershmagersh


πŸŽ–@malwr
How to actually do memory forensics in the real world?
I get it, you use probably use volatility like most do. But do you have any success with volatility on systems with like 128GB of RAM?

Yes, volatility works great on this 4GB images or training images. But in reality I keep getting issues with Vol, in where it crashes or basically takes forever (6h for an imageinfo without result).

This program is also single-core written and only takes 1 from the 16 available cores (AMD Ryzen 3950x) and hardly stresses the storage (NVME RAID).

So my question basically is, what do you guys use to perform forensics on large (64GB+) memory images.
πŸ—£tankton

as far as i have noticed few people use volatility live for it's lack of speed...

i have seen and used redline, kape, or commercial products like xways
πŸ‘€sai_ismyname

Check out Memtriage by u/gleeda \- https://github.com/gleeda/memtriage


Its great for these types of scenarios as its intended to be run live rather than on images. It gives you most of the plugins you'd likely want to run with volitity as well.
πŸ‘€toliver38

Does it have to be Live ? I mean you can find traces in other places (Prefetch, Event logs, Reg,...).

You can also use KAPE ( https://github.com/EricZimmerman/KapeFiles ) to do live response and collect artifacts or use a collection of scripts like Winterfell ( https://github.com/yasser-alghamdi/winterfell )

GRR and Velociraptor are pretty good alternatives too ( https://github.com/google/grr & https://github.com/Velocidex/velociraptor )

The truth is i only use VOL for training never used it in production (i am lazy :D )
πŸ‘€hilo25


πŸŽ–@malwr