Extracting FileVault 2 Keys with Volatility
This is a Volatility plugin which can recover FileVault 2 Volume Master Keys from memory, based on a certain byte pattern. It has been briefly tested on OS X 10.9 – 10.11. Plugin on GitHub here [https://github.com/tribalchicken/volatility-filevault2]. This is a Volatility Framework [http://volatilityfoundation.org] plugin which is capable of recovering the… Read more
A look inside a malicious macro
An interesting sample landed in my samples database the other day. It’s an email with a Word document attached. The email, as usual, claims that this company has found discrepancies in some transactions and needs you to read the document to verify these transactions. [https://tribalchicken.net/content/images/2015/02/Screen-Shot-2015-02-11-at-9.30.19-pm.… Read more
Malware Analysis #3: Hesperbot, Part 2
This is a follow-up to the last post: Malware Analysis #3: Hesperbot, Part 1 [https://tribalchicken.com.au/?p=605] With some assistance from CERT Australia, it’s possible to identify this particular malware sample as Hesperbot, or at least a very close relative. This also matches their data about this particular campaign. I’… Read more
Malware Analysis #3: Hesperbot, Part 1
I was kindly forwarded a sample of a phishing email crafted to appear as an Australia Post missed delivery notice. Someone is certainly trying to deliver something (which isn’t a parcel), so my goal is to figure out exactly what that is. Note: I have included some general phishing information. If you wish to… Read more
Monday Malware Analysis #2: Upatre
In this week’s Monday Malware Analysis, we look at another piece of malware (another Trojan) that was delivered to me via phishing email. This one was once again delivered as a zip attachment under the guise of a payment receipt, meaning I had to open up the attachment to open the receipt and figure… Read more