Converting a memory image from raw to padded
Convert a Linux memory image from a raw format (where the System RAM ranges have been concatenated together) to a padded image, provided the early boot messages were present in the kernel ring buffer at the time of imaging. Includes Python code to convert an image automatically. Update 2016-06-29: The code on GitHub has been updated…
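The conversion described above, as an added example written for this page (it is not the author's GitHub script and does not reproduce it). It assumes the ring buffer still holds the modern `BIOS-e820: [mem 0x...-0x...] usable` lines, and that the `usable` e820 entries are the ranges the imager concatenated, which is the usual mapping to `System RAM` in `/proc/iomem` but should be checked against the imager actually used. The dmesg excerpt and the raw bytes below are constructed for the demonstration.

```python
import re

# Modern dmesg e820 line, e.g.
#   BIOS-e820: [mem 0x0000000000100000-0x000000007ffdefff] usable
# Only "usable" entries become System RAM and therefore appear in a raw image.
E820_RE = re.compile(r"BIOS-e820: \[mem 0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)\] (\w+)")

# Constructed sample of the early boot messages (tiny ranges so the demo stays small).
SAMPLE_DMESG = """\
[    0.000000] BIOS-provided physical RAM map:
[    0.000000] BIOS-e820: [mem 0x0000000000000000-0x00000000000000ff] usable
[    0.000000] BIOS-e820: [mem 0x0000000000000100-0x00000000000001ff] reserved
[    0.000000] BIOS-e820: [mem 0x0000000000000200-0x00000000000003ff] usable
[    0.000000] BIOS-e820: [mem 0x0000000000000400-0x00000000000004ff] ACPI data
"""


def parse_usable_ranges(dmesg_text):
    """Return sorted, non-overlapping (start, end_inclusive) tuples for 'usable' e820 entries."""
    ranges = []
    for line in dmesg_text.splitlines():
        m = E820_RE.search(line)
        if m and m.group(3) == "usable":
            start, end = int(m.group(1), 16), int(m.group(2), 16)
            if end < start:
                raise ValueError(f"malformed e820 range: {line.strip()}")
            ranges.append((start, end))
    ranges.sort()
    for (_, e1), (s2, _) in zip(ranges, ranges[1:]):
        if s2 <= e1:
            raise ValueError("overlapping usable ranges; refusing to guess a layout")
    return ranges


def raw_to_padded(raw, ranges):
    """Rebuild a physically addressed image from the concatenated System RAM ranges.

    Gaps between ranges (reserved, ACPI, MMIO holes) are zero-filled, so offset N
    in the result is physical address N. The raw image must be exactly as long as
    the ranges add up to; anything else means the map does not match the image.
    """
    expected = sum(e - s + 1 for s, e in ranges)
    if len(raw) != expected:
        raise ValueError(f"raw image is {len(raw)} bytes but ranges total {expected}")
    out = bytearray()
    offset = 0
    for start, end in ranges:
        out.extend(b"\x00" * (start - len(out)))   # ranges are sorted, so this is never negative
        length = end - start + 1
        out.extend(raw[offset:offset + length])
        offset += length
    return bytes(out)


def padded_to_raw(padded, ranges):
    """Inverse of raw_to_padded; useful to confirm the conversion round-trips."""
    return b"".join(padded[s:e + 1] for s, e in ranges)


def demo():
    ranges = parse_usable_ranges(SAMPLE_DMESG)
    # Constructed raw image: 256 bytes of 0xAA for the first range, 512 of 0xBB for the second.
    raw = bytes([0xAA]) * 256 + bytes([0xBB]) * 512
    padded = raw_to_padded(raw, ranges)
    assert padded_to_raw(padded, ranges) == raw
    return ranges, padded


if __name__ == "__main__":
    ranges, padded = demo()
    print("usable ranges:", [(hex(s), hex(e)) for s, e in ranges])
    print("padded size:", hex(len(padded)))
```

For a real multi-gigabyte image the same loop should be driven over file handles in chunks rather than building a `bytearray`, but the arithmetic is identical. The length check is the important safeguard: if the raw image and the e820 map disagree, every address past the first mismatched range would be shifted, and any analysis tool fed the result would silently read the wrong memory.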
CryptoWall 3.0 + Fareit / Pony Combo
In this article I’m taking a look at the recent malware double-whammy of CryptoWall 3.0 and Fareit (or Pony, depending on classification). This is a rather potent combination which will encrypt all your data on your PC, as well as steal information such as passwords and Bitcoin wallets. Note: At this point I…
Hunting malware through memory analysis
A word of warning… Lots of screenshots in this post. Update 10/05/2015: I’ve updated the article with more information about some of the commands used in order to help out people who aren’t familiar with Volatility. When hunting a piece of malware it can be very interesting to have a poke…
CryptoWall: Magic behind the dropper
In this article we take a look at de-obfuscating the latest CryptoWall 3.0 dropper (which is actually very, very simple). As noted in a previous article [https://tribalchicken.com.au/security/cryptowall-3-0-still-alive/], the latest variant of CryptoWall 3.0 is getting around via a .js…
Malware Analysis #3: Hesperbot, Part 2
This is a follow-up to the last post: Malware Analysis #3: Hesperbot, Part 1 [https://tribalchicken.com.au/?p=605] With some assistance from CERT Australia, it’s possible to identify this particular malware sample as Hesperbot, or at least a very close relative. This also matches their data about this particular campaign. I’…