-
Run Keys
The registry hive NTUSER.DAT is created for each user on a Windows system. It contains the Run registry key, which malware commonly uses to maintain persistence. In this example there are 19 users on the system, but I have only extracted the NTUSER.DAT for the user Zarma.s using Autopsy (seen below), and I analysed it in […]
-
TRACING REGISTRY KEYS
Microsoft uses Tracing keys to troubleshoot issues and monitor applications and their execution. The key lives in the SOFTWARE hive (C:\Windows\System32\config\SOFTWARE) under Microsoft\Tracing, as seen in the registry view below. For the application svchost.exe, I will focus on the RASAPI32 and RASMANCS registry keys located at SOFTWARE: Microsoft\Tracing\svchost_RASAPI32 and SOFTWARE: Microsoft\Tracing\svchost_RASMANCS […]
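The two registry checks described in the Run Keys and Tracing Keys posts above can be scripted against the exported hives rather than browsed by hand. The following PowerShell is an added example written for this page, not code from the original posts: it mounts an exported NTUSER.DAT and SOFTWARE hive under HKEY_USERS with reg.exe, lists the Run and RunOnce values from the user hive, and lists the per-process svchost_RASAPI32 / svchost_RASMANCS Tracing subkeys from the SOFTWARE hive. The export paths (C:\case\...) and the mount names (Zarma, CaseSOFTWARE) are assumptions; it must be run from an elevated prompt, and against copies exported from the image, never the hives of the live system.

```powershell
# Added example (not from the original posts): offline triage of an exported
# NTUSER.DAT and SOFTWARE hive. Run elevated; reg.exe load needs admin rights.
param(
    [string]$UserHive     = 'C:\case\Zarma.s\NTUSER.DAT',  # assumed export path
    [string]$SoftwareHive = 'C:\case\SOFTWARE'             # assumed export path
)

function Mount-Hive {
    param([string]$Name, [string]$Path)
    # The hive file must not be in use (an exported copy, not the live one).
    & reg.exe load "HKU\$Name" $Path | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed for $Path" }
}

function Dismount-Hive {
    param([string]$Name)
    [GC]::Collect()   # release handles the registry provider may still hold
    & reg.exe unload "HKU\$Name" | Out-Null
}

# 1. Run / RunOnce persistence values from the user's NTUSER.DAT
function Get-UserRunKeys {
    param([string]$Root)
    foreach ($sub in 'Run', 'RunOnce') {
        $key = "Registry::HKEY_USERS\$Root\Software\Microsoft\Windows\CurrentVersion\$sub"
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{
                Key     = $sub
                Name    = $name
                Command = $item.GetValue($name)   # the path that will run at logon
            }
        }
    }
}

# 2. Tracing subkeys for one executable from the SOFTWARE hive.
#    The hive root maps to the "SOFTWARE:" prefix used in the post, so
#    SOFTWARE: Microsoft\Tracing becomes HKU\<mount>\Microsoft\Tracing.
function Get-TracingKeys {
    param([string]$Root, [string]$Process = 'svchost')
    $base = "Registry::HKEY_USERS\$Root\Microsoft\Tracing"
    Get-ChildItem $base -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like "${Process}_RAS*" } |
        ForEach-Object {
            [pscustomobject]@{
                Key               = $_.PSChildName          # e.g. svchost_RASAPI32
                EnableFileTracing = $_.GetValue('EnableFileTracing')
                FileDirectory     = $_.GetValue('FileDirectory')
            }
        }
}

try {
    Mount-Hive -Name 'Zarma'        -Path $UserHive
    Mount-Hive -Name 'CaseSOFTWARE' -Path $SoftwareHive
    Get-UserRunKeys -Root 'Zarma' | Format-Table -AutoSize
    Get-TracingKeys -Root 'CaseSOFTWARE' -Process 'svchost' | Format-Table -AutoSize
}
finally {
    Dismount-Hive 'Zarma'
    Dismount-Hive 'CaseSOFTWARE'
}
```

Run it once per user hive of interest; the Run output is the list of commands that execute at that user's logon, so any entry pointing into a user-writable directory such as AppData or Temp deserves a closer look. The Tracing subkey name carries the executable name, so a Tracing key for a binary that should never touch the RAS APIs is itself a lead.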
-
Tracking the COVID19 cybercrime theme with the Diamond Model
COVID19 Cybercrime Theme Intrusion using the DIAMOND MODEL
-
Too many Websites hacked, ransom demanded
Today is a very sunny day, but cloudy online, after the hack of the website of the Ukrainian Ministry of Energy shown in figure 1 below. http://www.mev.gov.ua was displaying this ransom message earlier; later the site was taken down, and it now only shows the default page of an Apache HTTP server running on CentOS […]
-
Searching inside a PDF document
I received a PDF document from a fake PayPal address. The PDF name is Paypal_EmailID_JK… To determine whether the document is malicious, I ran the pdfid.py tool, as in the screenshot below. It shows 25 objects and 4 URLs in the document, with /JS at 0 […]
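pdfid.py works by counting PDF keywords in the raw file rather than parsing it, which is why it is safe to run on an unknown document. The following PowerShell function is an added example for this page, not the pdfid.py code or the original post's: it reproduces that keyword count (objects, streams, /JS, /JavaScript, /OpenAction, /AA, /Launch, /URI and others) and, like pdfid, first undoes the #xx hex escapes that PDF names allow, so that /J#53 is counted as /JS. The sample PDF in the block is constructed for the demo; point -Path at the real file to triage it.

```powershell
# Added example (not from the original post): a minimal pdfid-style keyword
# count for triaging a suspicious PDF without rendering it.
function Get-PdfIndicators {
    param([Parameter(Mandatory)][string]$Path)

    # Read the bytes as Latin-1 so binary stream data does not break the regexes.
    $raw  = [System.IO.File]::ReadAllBytes($Path)
    $text = [System.Text.Encoding]::GetEncoding('ISO-8859-1').GetString($raw)

    # PDF names may hide keywords with #xx hex escapes (e.g. /J#53 for /JS);
    # normalise them before counting, as pdfid does.
    $norm = [regex]::Replace($text, '#([0-9A-Fa-f]{2})',
        { param($m) [char][Convert]::ToInt32($m.Groups[1].Value, 16) })

    $keywords = '/JS', '/JavaScript', '/AA', '/OpenAction', '/Launch',
                '/URI', '/EmbeddedFile', '/AcroForm', '/ObjStm'
    $result = [ordered]@{
        File   = Split-Path $Path -Leaf
        obj    = ([regex]::Matches($norm, '\b\d+\s+\d+\s+obj\b')).Count
        endobj = ([regex]::Matches($norm, '\bendobj\b')).Count
        stream = ([regex]::Matches($norm, '\bstream\b')).Count
        URLs   = ([regex]::Matches($norm, 'https?://[^\s)>]+')).Count
    }
    foreach ($k in $keywords) {
        # The name must end at a delimiter so /JS does not also match /JSomething.
        $result[$k] = ([regex]::Matches($norm, [regex]::Escape($k) + '(?![A-Za-z0-9])')).Count
    }
    # Any of these lets the document execute something on open: treat as suspicious.
    $result.Suspicious = ($result['/JS'] + $result['/JavaScript'] + $result['/OpenAction'] +
                          $result['/Launch'] + $result['/AA']) -gt 0
    [pscustomobject]$result
}

# Constructed sample: a tiny PDF with an OpenAction JavaScript (name obfuscated
# as /J#53) and two link annotations. Not a real sample from the post.
$samplePdf = @'
%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R 6 0 R] >> endobj
4 0 obj << /S /JavaScript /J#53 (app.launchURL("http://example.invalid/login", true)) >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://example.invalid/a) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://example.invalid/b) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
'@
$tmp = Join-Path ([System.IO.Path]::GetTempPath()) 'sample_triage.pdf'
[System.IO.File]::WriteAllText($tmp, $samplePdf, [System.Text.Encoding]::GetEncoding('ISO-8859-1'))
Get-PdfIndicators -Path $tmp | Format-List
```

On the constructed sample this reports 6 objects, 3 URLs, /JS 1 (found only because the #53 escape was decoded), /JavaScript 1, /OpenAction 1 and Suspicious True. Note that /URI counts keyword occurrences, not links: each link annotation contributes two (the /S /URI action type and the /URI key), which is also how pdfid counts it, so the URLs field is the better measure of how many addresses the document carries. A count of zero for every executable keyword, as in the post's 25-object document, does not prove a PDF is harmless; it only means the next step is looking at the URLs it links to.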
-
Bitcoin Phishing Ring CoinHoarder
Cisco’s Talos Group has published its findings on a Bitcoin theft campaign it has been tracking in Ukraine. By purchasing Google AdWords, the attackers were able to target specific search terms, such as “blockchain” or “bitcoin wallet”. Potential victims searching for these terms would see the cybercriminals’ links in the search results as a […]
-
5000 websites hacked to serve cryptomining malware
Five thousand websites in the US, UK and Australia have been hacked to serve cryptomining malware. Cryptomining malware is when cybercriminals infect your computer to do the calculations needed to generate a cryptocurrency like Bitcoin, Monero or Ethereum. The crooks use your electricity and processing power but keep any cryptocoin proceeds for themselves. The infection is […]
-
Underground Malware Economy
You can view the presentation here, showing how cybercrooks make money from malware.
-
Cryptominer RubyMiner Targets web servers
According to a Check Point Research finding, a new malware package designed to mine cryptocurrency is attacking web servers in an effort to infect them. The malware uses a variation of an open-source Monero miner (XMRig), possibly because that software does not require an extremely powerful server to operate. According to the article, the […]
-
A look at Redline from Mandiant
Redline is a useful tool for investigating a particular host for signs of compromise. It runs on Windows and is freely available from the FireEye site. At a glance, we have options to collect data from the host or to analyse an existing collected-data file. In our case, I am going to create […]