I published the following diary on isc.sans.edu: “Private IP Addresses in Malware Samples?”: I’m looking for some samples on VT that contain URLs with private or non-routable IP addresses (RFC1918). I found one recently and it made me curious. Why would a malware try to connect to a non-routable IP
BruCON Challenge: Solve & Win Your Ticket!
*** The challenge has been solved and the ticket is gone! *** The Belgian security conference BruCON 0x0B is already scheduled in a few weeks! The event becomes more and more popular and we were sold-out very quickly. If you don’t have a ticket, it’s too late! Well, not really.
[SANS ISC] Malware Dropping a Local Node.js Instance
I published the following diary on isc.sans.edu: “Malware Dropping a Local Node.js Instance”: Yesterday, I wrote a diary about misused Microsoft tools[1]. I just found another interesting piece of code. This time the malware is using Node.js[2]. The malware is a JScript (SHA256:1007e49218a4c2b6f502e5255535a9efedda9c03a1016bc3ea93e3a7a9cf739c)…
[SANS ISC] Malware Samples Compiling Their Next Stage on Premise
I published the following diary on isc.sans.edu: “Malware Samples Compiling Their Next Stage on Premise”: Today I would like to cover two different malware samples I spotted two days ago. They have one interesting behaviour in common: they compile their next stage on the fly, directly on the victim’s computer. At
[SANS ISC] Simple Mimikatz & RDPWrapper Dropper
I published the following diary on isc.sans.edu: “Simple Mimikatz & RDPWrapper Dropper”: Let’s review a malware sample that I spotted a few days ago. I found it interesting because it’s not using deep techniques to infect its victims. The initial sample is a malicious VBScript. For a few weeks, I started
[SANS ISC] May People Be Considered as IOC?
I published the following diary on isc.sans.edu: “May People Be Considered as IOC?”: That’s a tricky question! May we manage a list of people like regular IOCs? An IOC (Indicator of Compromise) is a piece of information, usually technical, that helps to detect malicious (or at least suspicious) activities. Classic types
Pass-The-Salt 2019 Wrap-Up
This week, the second edition of “Pass-The-Salt” was organized in Lille, France. The conference was based on the same format as last year and organized at the same location (see my previous diary). I like this kind of event where you can really meet people (the number of attendees was
[SANS ISC] Interesting JavaScript Obfuscation Example
I published the following diary on isc.sans.edu: “Interesting JavaScript Obfuscation Example”: Last Friday, one of our readers (thanks Mickael!) reported a phishing campaign to us based on a simple HTML page. He asked us how to properly extract the malicious code within the page. I did an analysis of the
[SANS ISC] Behavioural Malware Analysis with Microsoft ASA
I published the following diary on isc.sans.edu: “Behavioural Malware Analysis with Microsoft ASA”: When you need to quickly analyze a piece of malware (or just a suspicious program), your goal is to determine as quickly as possible what the impact is. In many cases, we don’t have time to dive very
[SANS ISC] The Risk of Authenticated Vulnerability Scans
I published the following diary on isc.sans.edu: “The Risk of Authenticated Vulnerability Scans”: NTLM relay attacks have been a well-known way to attack Microsoft Windows environments for a while, and they usually remain successful. The magic with NTLM relay attacks? You don’t need to waste time cracking