Word document analysis with oledump.py

It seems that macro-based documents are, again, being used to spread malware. Even the Malware Protection Center from Microsoft mentioned it recently. It seems like an old trick, but apparently it works like a charm. Most probably users trust Office documents too much, as they keep exchanging them…

Mutexes and malware analysis

There are many ways to investigate malware and to “find evil” in an unknown executable. There will be situations where looking at a list of running processes won’t give you enough information to raise a red flag. You can always go deeper and perform more manual…

Attribution of Cyber Attack

I’m not an expert in attribution nor in cyber war, but in light of the recent Sony hack and its “attribution” to North Korea, I did a little research. The article below is a summary of what I found and a few thoughts…

sysmon from Sysinternals

Microsoft has recently released an updated version of the Sysinternals tools. This update includes a tool named sysmon. You can find all the details on the TechNet website by following this link: http://technet.microsoft.com/en-us/sysinternals/dn798348.aspx In short, the tool provides detailed information about process creations, network connections, and changes…

DFIR Challenge – ISSA 2013 – My Answers

Jack Crook posted a new DFIR challenge a few days ago. Let’s have a look at the challenge and at my answers. Obviously, if you want to enjoy the challenge, don’t read this article; go to the challenge page, download what’s necessary…

Exploit Pack Overview using Maltego

I was reading a post from the contagio blog, which I highly recommend: Mila provides a lot of samples and other very useful information. One of the latest posts is related to exploit packs. Mila is actually compiling an exhaustive list of exploit packs…

Indicator Of Compromise (IOC) – Part I

The current threat landscape is made of highly complex viruses and/or stealthy intrusions, which are very difficult to prevent, identify, detect, etc. The IT environment is also vast, heterogeneous and not always managed, making it even more difficult to ensure that a breach is contained quickly and effectively. So what do we need? An easy and standard way to describe a breach, or to describe a piece of malware and its behaviors. We also need the ability to share this description. You guessed it: Indicators of Compromise are the solution!

Virustotal.com Safari Extension

I have developed a Safari 6 extension in order to search virustotal.com (e.g. by MD5 hash or keywords). All the details and download links can be found here: http://www.simonganiere.ch/tools/ For any comments or bug reports, contact me on Twitter – @sganiere. Thanks!

Malware anti-VM techniques

Malware analysis usually involves the use of virtual environments (VMs) such as VMware, VirtualBox and plenty of other virtualisation solutions. Mentioning the main virtualisation products is fine, but such products are also used in sandboxes and other testing environments such as Virustotal, Anubis, etc. There…

Honeypot Results

You can find the latest honeypot results at the following URL: http://honeypot.simonganiere.ch (or use the link in the menu above). This page is updated on a daily basis with the latest stats from the honeypot. You will find the stats for the last 30 days for…