Painless Cuckoo Sandbox Installation

TLDR: As part of our SANS SEC599 development efforts, we updated (fixed + added some new features) an existing Cuckoo Auto Install script by Buguroo Security to automate Cuckoo sandbox installation (& VM import). Download it from our Github here. Intro As a blue team member, you often have a need to analyze a piece … Continue reading Painless Cuckoo Sandbox Installation

Creating custom YARA rules

In a previous post, we created YARA rules to detect compromised CCleaner executables (YARA rules to detect compromised CCleaner executables). We will use this example as an opportunity to illustrate how the creation of these custom YARA rules was performed. In its blog post, Talos shared 3 hashes as Indicators Of Compromise (IOCs): 1a4a5123d7b2c534cb3e3168f7032cf9ebf38b9a2a97226d0fdb7933cf6030ff 6f7840c77f99049d788155c1351e1560b62b8ad18ad0e9adda8218b9f432f0a9 … Continue reading Creating custom YARA rules

Going beyond Wireshark: experiments in visualising network traffic

Introduction At NVISO Labs, we are constantly trying to find better ways of understanding the data our analysts are looking at. This ranges from our SOC analysts looking at millions of collected data points per day all the way to the malware analyst tearing apart a malware sample and trying to make sense of its … Continue reading Going beyond Wireshark: experiments in visualising network traffic

Decoding malware via simple statistical analysis

Intro Analyzing malware often requires code reverse engineering which can scare people away from malware analysis. Executables are often encoded to avoid detection. For example, many malicious Word documents have an embedded executable payload that is base64 encoded (or some other encoding). To understand the encoding, and be able to decode the payload for further … Continue reading Decoding malware via simple statistical analysis

Recovering custom hashes for the Petya/Notpetya malware

During our malware analysis, we often come across samples that contain (custom) hashes in stead of cleartext. Hashing is done in an effort to bypass detection and hinder malware analysts. There are tools to recover cleartext from known hashing methods (like John the Ripper and hashcat). But for custom hashing methods, you'll have to write … Continue reading Recovering custom hashes for the Petya/Notpetya malware