CERBER Ransomware Hidden C2 Servers Traffic and Malware Analysis

Cerber ransomware has been one of the most prolific crimeware botnets to have arisen; it is currently generating an estimated $2.5 million a year and rising. Once you are infected, your content is encrypted and held for ransom, as the name implies. You will see an image popup with instructions on how to reclaim your data …

What is the Difference between Adware and Malware FIREBALL / Elex – WHAT YOU NEED TO KNOW!

A question I am frequently asked is what the difference is between adware (legal software that will, however, overload you with ads and make money) and malware (crimeware, to be specific). Typically there is a fine line between the two; a good example of a successful adware company is OpinionSpy/Marketscore, which bundles …

SSDP Distributed Reflection Denial of Service (DrDoS) Attacks may be biggest threat – Traffic Sample & Snort Rule

SSDP Distributed Reflection Denial of Service attacks are on the rise and may be the biggest threat right now. SSDP attacks do not have the biggest amplification number, but they may have the most vulnerable systems to abuse in a reflection attack. Open source reports indicate that there are over 5 million vulnerable systems …

Malware PCAP Traffic Analysis – Can you name the different types of malware?

Be careful, it might not all be malware; adware, PUPs and innocuous traffic are in play.
Download PCAP: netstream
VM executables used will be included in the next post.
2016-08-25 20:40:37.831293 IP > Flags [P.], seq 0:267, ack 1, win 256, length 267: HTTP: GET /cgi-bin/get_protect.cgi?checking=true&version=gmsd_us_233&forceGEO=US HTTP/1.1
E..3?…..~^…f%….@.P.._.p?..P…^…GET /cgi-bin/get_protect.cgi?checking=true&version=gmsd_us_233&forceGEO=US HTTP/1.1
Content-Type: application/x-www-form-urlencoded …

Traffic Sample PCAP of FakeAV Malware and Kazy Trojan Downloader

Two key indicators:
FakeAV POST – POST /hrrgkkwhjdwwwww/order.php?pid=390 (attempting to set up a payment for the FakeAV, with the pid linking to the current session)
Trojan Downloader function – GET /week.exe HTTP/1.1
2015-08-27 11:39:35.045855 ARP, Request who-has tell, length 28
…….. .’*….8 ……..8.
2015-08-27 11:39:35.046218 ARP, Reply is-at 0a:00:27:00:00:00, length 46
…….. .’…..8. …

Androm Trojan Downloader Loads Zusy Emotet Banking Trojan Malware PCAP file download traffic sample az.exe 11.exe

50 engines detected this file
SHA-256: 5831264367b6ee1636606b2d9f46111cb7ab4b3b007e49e2f921df5f7d484f06
File name: output.112714662.txt
File size: 128 KB
Last analysis: 2018-01-24 18:48:00 UTC
Community score: -1
VBA32: Backdoor.Androm
VIPRE: Trojan.Win32.Generic!BT
ViRobot: Trojan.Win32.Agent.131072.EN
Webroot: W32.Trojan.Emotet
37 engines detected this file
SHA-256: b134507e22448a801b8a6d1fa6bc32a7d4b389afb15ec721b83e24bdde2e61e1
File name: az.exe
File size: 409.5 KB
Last analysis: 2018-01-22 06:22:47 UTC
Endgame: malicious (high confidence)
eScan: Gen:Variant.Zusy.272363 …