Malware
LetsDefend Challenge Malware Analysis: Malicious Doc What type of exploit is running as a result of the relevant file running on the victim machine? What is the relevant Exploit CVE code obtained as a result of the analysis? What is the na…
LetsDefend Challenge Malware Analysis: Malicious VBA The document initiates the download of a payload after the execution, can you tell what website is hosting it? What is the filename of the payload (include the extension)? What method is…
LetsDefend Challenge Malware Analysis: Remote Working What is the date the file was created? With what name is the file detected by Bitdefender antivirus? How many files are dropped on the disk? What is the sha-256 hash of the file with em…
LetsDefend Challenge Malware Analysis: Presentation As a Malware What was the general name / category of the malicious file in the analyzed ppt file? Which of the url addresses it communicates with has been detected as harmful by sandboxes…
LetsDefend Challenge DFIR: IcedID Malware Family What is the sha256 hash for the malspam attachment? What is the child process command line when the user enabled the Macro? What is the HTML Application file's sha256 hash from previous ques…
Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned Analyze Malware creditcard -> 27e56f0f4bbb933a9ef25e0e0c2a4aaae578bdc2623e6bcdf664834e4ce60c9d Check If Someone Requested the C2 Add Artifacts End Details…
Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned Analyze Malware F46B0C39FCFDF4C0426C9276A2BB48C6 Check If Someone Requested the C2 Containment Add Artifacts End Details EventID: 21 Event Time: Oct. 20, …
BTLO Challenge Suspicious USB Stick(Retired Challenge) Scenario Challenge Submission 1. What file is the autorun.inf running? (3 points) 2. Does the pdf file pass virustotal scan? (No malicious results returned) (2 points) 3. Does the file…
Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned Analyze Malware f83fb9ce6a83da58b20685c1d7e1e546 Log Search 92.63.8.47 Check If Someone Requested the C2 Containment Add Artifacts End Details EventID: 36…
Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned Analyze Malware eee99e6d8ade9463dd206dfbad3485ea http[:]//decpak.com/cgi-bin/gU/ Check If Someone Requested the C2 Log search - 172.16.17.83 330 331 332 C…
Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned Analyze Malware 0a1ca6261fdb9671495be58a5691b21f Add Artifacts End 余談 Log search 172.16.17.35 344~348 ~284 EndpointManagement - Katie 141812f77bdef659d1…
今週のMalware Redline AnyRunの実行例 主な動き 余談 今週のMalware 毎週AnyRunが同サービスにuploadされたMalwareの統計をとっており、今週は次のようになっていた。 Fresh TOP10 #malware uploads on ANYRUN⬆️ #Emotet 2388 (614)⬆️ #Redline 428 (370)⬆️…
Details playbook Search Log 18 19 22 351 376 Analyze APK com.uijluzvup.hsoextg 2a629fe1790c01fe5a0a83b5c3a12c8a d64760981f9af1f0213ab211e0f12108 Containment Add Artifacts End Details EventID: 55 Event Time: Feb. 7, 2021, 6:21 p.m. Rule: SO…
Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned EndpointManagement CMD History Network Connections Process History Analyze Malware Write Registry Connections HTTP/HTTPS requests Check If Someone Request…
Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned EndpointManagement - KatharinePRD Analyze Malware OliwciaPrivInstaller.exe - 436fa243bbfed63a99b8e9f866cd80e5 cmd.exe 接続先まとめ 208.95.112.1 (ip-api[.]…
Details playbook Search Log 18 19 20 351 376 Analyze APK Containment Add Artifacts End Details EventID: 65 Event Time: Feb. 22, 2021, 11:11 a.m. Rule: SOC103 - Malicious APK Detected Level: Security Analyst Source Address 10.15.15.12 Sourc…
Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned LogManagement 359 360 EndpointManagement Analyze Malware phpshell.php 49.234.71.65 Check If Someone Requested the C2 358 361 362 363 364 Containment Add A…
Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned Analyze Malware Check If Someone Requested the C2 Add Artifacts End Details EventID: 67 Event Time: March 1, 2021, 3:15 p.m. Rule: SOC131 - Reverse TCP Ba…
Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned Endpoint Security MikeComputer JohnComputer Sofia Analyze Malware msi.dat 81.68.99.93 Check If Someone Requested the C2 Add Artifacts End Details EventID:…
Details Playbook Define Threat Indicator Check if the malware is quarantined/cleaned Endpoint Security 161.35.41.241 Analyze Malware Connection to 161.35.41.241 315 316 317 318 余談 Check If Someone Requested the C2 Containment Add Artifac…
Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned EndpointManagement Analyze Malware ORDER SHEET & SPEC.xlsm 177.53.143.89 multiwaretecnologia.com[.]br Check If Someone Requested the C2 LogManagement Add …
Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned Log Search 368 Mar, 07, 2021, 01:50 PM Proxy 172.16.17.37 48463 49.51.12.195 443 iluuryeqa[.]info 49.51.12.195 369 Mar, 07, 2021, 01:54 PM Proxy 172.16.17…
Details playbook Search Log Analyze APK search APK End Other writeup Details EventID: 80 Event Time: March 15, 2021, 9:55 p.m. Rule: SOC103 - Malicious APK Detected Level: Security Analyst Source Address 10.15.15.14 Source Hostname JessieP…
Details Create Case Collection Data 140.82.121.4 Search Log Analyze URL Address Add Artifacts End Details EventID: 79 Event Time: March 15, 2021, 9:30 p.m. Rule: SOC119 - Proxy - Malicious Executable File Detected Level: Security Analyst S…
Details Create Case Collection Data Search Log Analyze URL Address Access https[:]//www.win-rar[.]com/postdownload.html?&L=0&Version=32bit www.win-rar[.]com 51.195.68.163 Add Artifacts End Details EventID: 83 Event Time: March 21, 2021, 1:…