Year: 2023

Top Windows Event IDs Security Operations teams should know

Every second, thousands of log records are generated by different sources (proxy, firewall, endpoints, servers, routers, switches, mail servers, Active Directory, IDS/IPS ...) and stored in a log management tool or SIEM. Without a proper way of filtering these events, an analyst has almost no chance of spotting a threat.

The simplest and most efficient way to work through events in a Windows environment is to search by the event ID that matches the alert. The event ID lets you find the relevant record quickly and precisely, which makes the investigation much easier. Keep in mind that most of the events below only appear if the corresponding audit subcategory is enabled in the audit policy, and some (4657, 4663) additionally need a SACL on the object being audited.

Below are the Windows Security event IDs that come up most often in investigations.

WINDOWS event ID 4624 An account was successfully logged on:

The event is generated when an account logs on to the local computer. On its own it is routine, but it is the second half of many attack patterns: a burst of failed logons (4625) followed by a 4624 for the same account or from the same source is the classic sign of a successful brute force or password spray. The Logon Type field tells you how the logon happened (for example 2 interactive, 3 network, 10 remote interactive) and is usually the first filter to apply.

WINDOWS event ID 4625 An account failed to log on:

The event is generated when a logon attempt fails. One failure is noise; many failures for many accounts from one source (spraying) or many failures for one account (brute force) are what to alert on. The Status and Sub Status fields give the failure reason, which separates a wrong password from a disabled or non-existent account.

WINDOWS event ID 1102 The audit log was cleared:

The audit log can be cleared by an admin or by a threat actor who wants to remove traces; clearing the log is a common anti-forensic technique that makes the investigation harder. A 1102 should be treated as high priority and correlated with the account and time recorded in the event, since the record of what happened before it is now gone from the host, which is exactly why logs should be forwarded off the host in the first place.

WINDOWS event ID 4688 A new process has been created:

The event is generated each time a process is created. Windows starts many processes, so a new process on its own does not mean you are under attack, but most threat actors either abuse built-in Windows binaries or mimic their names, so process creation is one of the most valuable events to collect. Enable the "Include command line in process creation events" policy as well; otherwise 4688 does not record the command line, which is usually where the malicious intent is visible.

WINDOWS event ID 4698 A scheduled task was created:

Similarly to event ID 4688, a scheduled task can be created by an admin to run a job regularly or by a threat actor for persistence or privilege escalation (a task can be set to run as SYSTEM). Monitoring scheduled task creation is crucial; the task name, the account that created it and the command in the task definition are the fields to review.

WINDOWS event ID 4657 A registry value was modified:

This event is generated when a registry value is modified, but only for keys that have a SACL auditing write access, so it has to be configured on the keys you care about. The registry does not record every file, process or task on the system; what matters here is that threat actors commonly add a value under the Run or RunOnce keys, a service entry or another autostart location so that their payload is launched again after a reboot. Monitoring changes to those keys is crucial.

WINDOWS event ID 4704 and event ID 4705 (A user right was assigned and A user right was removed):

This activity is normally performed by an admin when a new user is set up, but a threat actor can grant rights such as SeDebugPrivilege or "Log on as a service" to an account they control as a step towards privilege escalation or impersonation.

WINDOWS event ID 4719 A system audit policy was changed:

This happens when a threat actor wants to hide the activities performed to compromise the system. It is worth monitoring to detect an unauthorized user disabling or weakening the audit policy, since every other event in this list depends on that policy staying intact.

WINDOWS event ID 4720 A user account was created, WINDOWS event ID 4740 A user account was locked out, WINDOWS event ID 4741 A computer account was created:

These events are quite important: any activity on an account, such as creation (4720), change (4738), lockout (4740) or deletion (4726), should be monitored. A threat actor can create a new account as a backdoor and delete it after performing the attack, so a 4720 followed shortly by a 4726 for the same account is a pattern to alert on; a wave of 4740 lockouts across many accounts is the side effect of a password spray.

Windows event ID 4723 An attempt was made to change an account's password and Windows event ID 4724 An attempt was made to reset an account's password:

4723 is generated when a user changes their own password (the old password is required); 4724 is generated when someone resets another account's password without knowing the old one, which is what an attacker with admin rights does to take over an account. An unauthorized password change or reset should not be tolerated in the environment, as it can lead to further damage such as privilege escalation or data loss.

Windows event ID 4768 A Kerberos authentication ticket (TGT) was requested, Windows event ID 4769 A Kerberos service ticket was requested, Windows event ID 4771 Kerberos pre-authentication failed:

Kerberos is the protocol Windows uses to authenticate users and computers in an Active Directory domain, and the domain controllers log every ticket request. A threat actor who has gained an initial foothold can abuse it to perform attacks such as Kerberoasting (requesting service tickets for accounts that have an SPN and cracking them offline) or pass-the-ticket, moving from one privilege level to another.

In 4769, a Ticket Encryption Type of 0x17 (RC4) requested for a user account's SPN is the usual Kerberoasting indicator, since current clients request AES tickets; a flood of 4771 events with failure code 0x18 (wrong password) is a brute force against domain accounts. The events related to Kerberos should be monitored.

Windows event ID 4787 A non-member was added to a basic application group, Windows event ID 4788 A non-member was removed from a basic application group:

A member added to or removed from a group can be a sign of administrative activity or of an attack: a threat actor can add a user to a group to maintain a foothold and remove it later to cover tracks. Note that 4787 and 4788 only cover Authorization Manager application groups; for ordinary security groups, the membership change events are 4728 (global), 4732 (local) and 4756 (universal) for additions and 4729, 4733 and 4757 for removals. Any member added to or removed from a privileged group such as Domain Admins should be monitored and, if the change is not approved, investigated.

Windows event ID 4946 A change has been made to Windows Firewall exception list. A rule was added:

Any new rule should be checked against what is approved. Windows Firewall rules allow or block traffic rather than redirect it; a threat actor typically adds an allow rule to open a listener for a reverse shell or remote access tool, or to permit outbound connections to a command-and-control server or to a specific internal target such as AD or a database.

For example, if a threat actor compromises a web server, they can add a rule that allows the server to connect to the database server.

Windows event ID 5140 A network share object was accessed and Windows event ID 5142 A network share object was added:

It is common to see a threat actor accessing a network share to stage tools, execute commands on other hosts (for example through the ADMIN$ or C$ administrative shares) or collect data for exfiltration. 5140 is noisy on file servers, so focus on the administrative shares, unusual source addresses and workstation-to-workstation access; a new share (5142) on a server that should not export anything deserves a look on its own.

Windows event ID 4663 An attempt was made to access an object:

This event is generated when an object (file, folder, registry key) that has a SACL is accessed, and the Accesses field shows which right was exercised. A threat actor enumerates objects they have write access to, for example a service binary or a script run by a scheduled task, and modifies them to gain higher privileges; auditing write access on such objects makes that visible.

Windows event ID 4608 Windows is starting up:

System start is the moment when persistence mechanisms (Run keys, services, scheduled tasks with a startup trigger) execute, and an unexpected reboot can follow an attacker's change to a driver or to the boot configuration. Unscheduled startups are therefore worth correlating with the events above, in particular with 4698 and 4657 in the hours before the reboot.
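The detections described above, as an added example that is not part of the original post. It runs a small rule set over a constructed list of Security events whose field names follow the EventData names Windows uses (every timestamp, account, host and address is invented): a burst of 4625 failures followed by a 4624 from the same source, a 4769 for an RC4 (0x17) service ticket to a user-owned SPN, a 1102, and a 4720 followed by a 4726 for the same account within a day. The thresholds and time windows are my choices.

```python
"""Rule-based triage of Windows Security events (added example, not from the post).

Events are dicts whose keys mirror the EventData field names Windows writes
(TargetUserName, IpAddress, ServiceName, TicketEncryptionType, ...); nothing
here reads a real .evtx file. Every timestamp, account, host and address in
SAMPLE_EVENTS is invented.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"   # TicketEncryptionType value for RC4 in a 4769 event


def ts(event):
    return datetime.fromisoformat(event["time"])


# Constructed sample: six failures then a success from one source, an RC4 and
# an AES service ticket, an account created and deleted, the log cleared.
SAMPLE_EVENTS = [
    *[{"time": f"2023-10-23T08:00:0{i}", "EventID": 4625, "TargetUserName": "j.doe",
       "IpAddress": "10.0.0.55", "Status": "0xC000006D"} for i in range(6)],
    {"time": "2023-10-23T08:00:09", "EventID": 4624, "TargetUserName": "j.doe",
     "IpAddress": "10.0.0.55", "LogonType": 3},
    {"time": "2023-10-23T08:05:00", "EventID": 4769, "TargetUserName": "j.doe@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.0.0.55"},
    {"time": "2023-10-23T08:05:01", "EventID": 4769, "TargetUserName": "j.doe@CORP.LOCAL",
     "ServiceName": "FS01$", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.55"},
    {"time": "2023-10-23T08:10:00", "EventID": 4720, "TargetUserName": "backup_svc",
     "SubjectUserName": "j.doe"},
    {"time": "2023-10-23T09:00:00", "EventID": 1102, "SubjectUserName": "j.doe"},
    {"time": "2023-10-23T09:30:00", "EventID": 4726, "TargetUserName": "backup_svc",
     "SubjectUserName": "j.doe"},
]


def detect_bruteforce_success(events, threshold=5, window=timedelta(minutes=5)):
    """4624 from a source that produced >= threshold 4625s in the preceding window."""
    alerts, failures = [], defaultdict(list)          # IpAddress -> failure times
    for e in sorted(events, key=ts):
        if e["EventID"] == 4625:
            failures[e["IpAddress"]].append(ts(e))
        elif e["EventID"] == 4624:
            recent = [t for t in failures[e["IpAddress"]] if ts(e) - t <= window]
            if len(recent) >= threshold:
                alerts.append({"rule": "bruteforce_success", "source": e["IpAddress"],
                               "account": e["TargetUserName"], "failures": len(recent)})
    return alerts


def detect_kerberoast(events):
    """RC4 service tickets for user-owned SPNs (no trailing $, not krbtgt)."""
    return [{"rule": "rc4_service_ticket", "service": e["ServiceName"],
             "requester": e["TargetUserName"], "source": e["IpAddress"]}
            for e in events
            if e["EventID"] == 4769 and e.get("TicketEncryptionType") == RC4_HMAC
            and not e["ServiceName"].endswith("$")
            and e["ServiceName"].lower() != "krbtgt"]


def detect_log_cleared(events):
    return [{"rule": "audit_log_cleared", "by": e["SubjectUserName"], "time": e["time"]}
            for e in events if e["EventID"] == 1102]


def detect_short_lived_accounts(events, max_age=timedelta(hours=24)):
    """Account created (4720) and deleted (4726) within max_age: a throwaway backdoor."""
    created = {e["TargetUserName"]: ts(e) for e in events if e["EventID"] == 4720}
    return [{"rule": "short_lived_account", "account": e["TargetUserName"],
             "by": e["SubjectUserName"]}
            for e in events
            if e["EventID"] == 4726 and e["TargetUserName"] in created
            and timedelta(0) <= ts(e) - created[e["TargetUserName"]] <= max_age]


def triage(events):
    return (detect_bruteforce_success(events) + detect_kerberoast(events)
            + detect_log_cleared(events) + detect_short_lived_accounts(events))


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

In a SIEM the same four rules become saved searches keyed on EventID; the point of writing them out is to see which fields each rule needs (IpAddress and TargetUserName for the logon pair, ServiceName and TicketEncryptionType for 4769, SubjectUserName for 1102 and the account lifecycle events), so you can check that your collection actually carries them.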

References:

Windows Security Log Encyclopedia (ultimatewindowssecurity.com)

Sysmon - Sysinternals | Microsoft Learn

How to find specifics of what Defender detected in real time protection? (Super User)

Facebook user impersonated by scammers to target small businesses in German speaking countries

Facebook has become an Eldorado for scammers: every day thousands of people report that they have lost their account, largely because most people are not aware of this attack. Small businesses are one of the scammers' most important targets. It is not the first time we have reported scammers impersonating Facebook users to redirect a victim to a fake Facebook login page, and it won't be the last.

Let's break the scenario down.

  1. The scammer sends thousands of messages containing a link to users and small businesses.

  2. The scammer waits for a user to click on the link and enter their password on the fake page.

  3. Once that is done, the user has lost the account.

The message usually looks like this (screenshot not reproduced here):

The malicious link sits at the end of the message, where the user is expected to click.

As you can see, the malicious link is placed right after the Facebook link so that it looks like part of it; the user clicks it and enters their credentials on a fake Facebook website.

The link is very hard to classify with many open-source engines, since the visible part points at facebook.com.

We used the tool Browserling to follow the link, which showed us the redirect target (no longer available at the time of writing).

The same can be done offline with the open-source tool CyberChef: take the encoded part of the URL after facebook.com and paste it into the tool to decode it.

Now that the redirect target is known, we can check it on VirusTotal.

On VirusTotal, click on "Details" to get more information about the domain.

We found that the domain had only just been seen for the first time:

History
First Submission: 2023-10-23 21:27:58 UTC
Last Submission: 2023-10-23 21:27:58 UTC
Last Analysis: 2023-10-23 21:27:58 UTC

Note that the first submission date is the first time anyone sent the URL to VirusTotal, not the registration date; it tells us that nobody had seen this domain before the campaign, and a WHOIS lookup of the creation date confirms whether it was also newly registered. At this point we are fairly sure that the link is not from Facebook and that the domain is malicious.

Recommendation:

Use 2FA on your account.

Check a suspicious link or domain the way described here before clicking on it.

If you already entered your password, log in to your account and change the password as fast as possible, then review the devices and active sessions on the account and remove any you do not recognize.

IOCs:

faeboser-storyresver19849[.]io[.]vn

103.18.7.159

Fake free iPhone 15 Pro world wide scam targeting users around the world

Our Threat Intelligence team has detected a massive scam campaign targeting users around the world.

The threat actors have created many similar websites to reach as many users as possible, and the message has already been sent to thousands of users.

As you can see below, the scammers use a deceptive approach to achieve their goal.

First of all, let's have a look at the message body:

Subject: Your opportunity to get an iPhone 15 Pro for FREE.

In the message, the user is told that he or she has been selected to receive a new iPhone 15 Pro. This kind of scam is very effective; most users will click on the link.

There is a link behind the red button "Click to get started" on which the user is supposed to click to receive the reward.

Link: hxxps://storage.googleapis[.]com/hatrioua/hreflink.html#?Z289MSZzMT0xNzA0MzE2JnMyPTEwNDUxOTQ3NCZzMz1HTEI=

Note that the first hop is Google Cloud Storage, a reputable host that reputation engines will not flag; the base64 blob after the # decodes to go=1&s1=1704316&s2=104519474&s3=GLB, the campaign's tracking parameters, while the real destination is reached by a redirect from that page.

Once you click on the link, you are redirected to another site (followed here with Browserling):

Elusivesnads[.]com

As you can see on that page, there is a survey to complete before you get the reward. After passing the survey, you are redirected to yet another website to arrange shipping of the reward.

All the goods on the website are free; you only have to pay for shipping, which costs about 10 euros.

This technique usually works because most users are attracted by the offer: the shipping fee is nothing compared to the real price of the product. Once the shipping is paid, the product never arrives (and the card details entered at checkout are now in the scammer's hands).

The threat actors created many domains to reach more users and to make the campaign harder to take down.

Some domains related to the same issues:

Launchers[.]world

Wedgesplash[.]bio

Bindingsol[.]com

Znaperload[.]com

Spinninghats[.]world

Scanstrings[.]org

Aquariumpine[.]com

Yataganmon[.]com

Slightroads[.]com

Kompratutino[.]live

Newcrames[.]com

The domains are newly registered and hosted across different providers and networks such as Google, Amazon, CLOUDFLARENET and DFW-DATACENTER, among others.

Thousands of people are scammed every day. The best way to reduce the risk is to check the website every time you receive such a message, before you open it.
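Both campaigns above hide the destination behind a reputable first hop, so the first analysis step is to unwrap the link without visiting it. The following is an added example, not code from the original posts: it refangs the defanged notation, pulls destinations out of common redirect parameters (percent-encoded or base64) and decodes a base64 fragment, all offline. The Facebook wrapper in the sample is constructed (modelled on the l.facebook.com/l.php?u= link shim; the post does not show the exact message) with the IOC domain from the post embedded in it; the second sample is the Google Cloud Storage link quoted above, whose fragment decodes to the campaign's tracking parameters. The list of redirect parameter names is my assumption.

```python
"""Unwrap redirect-style links and decode base64 payloads offline (added
example, not from the original posts). Stdlib only, no network access."""
import base64
import binascii
from urllib.parse import parse_qs, unquote, urlsplit

# Query parameters that commonly carry the real destination of a redirector (assumed list).
REDIRECT_KEYS = {"u", "url", "redirect", "redirect_url", "next", "target", "link", "r"}
SCHEMES = ("http://", "https://")


def refang(s):
    """Turn the defanged notation used in the posts back into a usable URL."""
    return s.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


def try_base64(s):
    """Decoded text if s is base64 of printable ASCII, else None."""
    s = s.strip()
    if len(s) < 8:
        return None
    try:
        raw = base64.b64decode(s + "=" * (-len(s) % 4), validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def unwrap(url, max_hops=5):
    """Follow destinations embedded in redirect parameters without contacting
    any server; returns the hops, the final host and any decoded fragment."""
    hops, current = [url], url
    for _ in range(max_hops):
        parts, nxt = urlsplit(current), None
        for key, values in parse_qs(parts.query).items():
            if key.lower() not in REDIRECT_KEYS:
                continue
            candidate = unquote(values[0])
            if not candidate.startswith(SCHEMES):
                decoded = try_base64(candidate)          # some redirectors base64 the target
                candidate = decoded if decoded and decoded.startswith(SCHEMES) else ""
            if candidate:
                nxt = candidate
                break
        if nxt is None:
            break
        hops.append(nxt)
        current = nxt
    final = urlsplit(current)
    fragment = final.fragment.lstrip("?")
    wrapper_host = urlsplit(url).hostname
    return {
        "hops": hops,
        "final_url": current,
        "final_host": final.hostname,
        "host_changed": final.hostname != wrapper_host,   # landed somewhere other than the visible host
        "fragment_decoded": try_base64(fragment) if fragment else None,
    }


if __name__ == "__main__":
    # First wrapper is constructed (modelled on Facebook's link shim) around the IOC domain
    # from the post; the second is the storage.googleapis.com link from the post.
    samples = [
        "https://l.facebook.com/l.php?u=https%3A%2F%2Ffaeboser-storyresver19849[.]io[.]vn%2Flogin",
        "hxxps://storage.googleapis[.]com/hatrioua/hreflink.html#?Z289MSZzMT0xNzA0MzE2JnMyPTEwNDUxOTQ3NCZzMz1HTEI=",
    ]
    for s in samples:
        print(unwrap(refang(s)))
```

When host_changed is true, the host to check on VirusTotal, urlscan or WHOIS is final_host, not the one the user saw. The Google Cloud Storage link is the other case: the parameters are in the fragment, the host does not change, and the redirect happens in the page itself, so a headless browser (as Browserling was used above) is the way to find the next hop.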

Tools to verify website reputation:

https://www.virustotal.com/

https://app.any.run/

https://urlscan.io/

https://sitereview.bluecoat.com/

https://safeweb.norton.com/

Google Search (search for the domain and read what others report about it)

Scammers are targeting the French fines authority's website

The website https://www.amendes.gouv.fr is the only government website for online payment of fines issued by the French authorities.

The website handles confidential, personal (PII) and financial information; if that data were stolen or breached it could cause serious damage.

I found many suspicious domains mimicking the website, hosted in different locations around the world.

Let me share the investigation with you.

Some suspicious domains:

amende-gouv-login[.]fr

amende-pv-service[.]com

antai-gouv-amendes[.]net

antais-gouv[.]com

xn--rglementamendes-bnb[.]fr (punycode for réglementamendes[.]fr)

servicesamendes[.]info

ksocampaign[.]com

The domains listed above are some of those mimicking the online fines payment site.

Among them, the domain ksocampaign[.]com caught my attention.

While investigating, I found the email address "yakuzahn2.gmail.com" in the RNAME field of the domain's DNS SOA record, which could be the administrator's email address (the field stores the contact address with the "@" replaced by a dot, so it reads yakuzahn2@gmail.com).

ksocampaign.com - Current DNS records and Full DNS Report (securitytrails.com)

I took the email address and searched for it on Google, and found the information below.

As you can see, the email address is associated with a website used to unlock websites that were hacked by the Iranian Locker group.

dhs.edu.bt - urlscan.io

At this point, I came to the following conclusion:

The domain ksocampaign[.]com might belong to the Iranian threat actor or to the person behind the email address "yakuzahn2.gmail.com".

The intention of the threat actor behind this phishing campaign mimicking the online payment website is to collect users' credentials and credit card information.
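A name-based check of the lookalike domains above, as an added example that is not part of the original post: it decodes punycode (the xn-- form of réglementamendes[.]fr), looks for the tokens an impostor reuses (amende, antai, gouv), measures edit distance to catch typos, and treats only names under .gouv.fr as official. The domain list is the one from this post; the token list and the distance threshold are my choices. ksocampaign[.]com comes out as "unrelated-by-name": it was caught by its content, not its name, which is why a name check is a filter and not a verdict.

```python
"""Name-based lookalike check against the French fines site (added example,
not part of the original post). Stdlib only: decodes punycode, looks for the
brand tokens an impostor would reuse, and measures edit distance for typos."""

TARGET = "amendes.gouv.fr"
OFFICIAL_SUFFIX = ".gouv.fr"                 # second-level domain reserved for French government sites
BRAND_TOKENS = ("amende", "antai", "gouv")   # "amende" also matches "amendes" (assumed list)
MAX_TYPO_DISTANCE = 2                        # assumed threshold


def refang(domain):
    return domain.strip().lower().replace("[.]", ".")


def to_unicode(domain):
    """Decode IDNA/punycode labels (xn--...) so homoglyph names can be read."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeEncodeError:       # already Unicode
        return domain


def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(domain):
    name = to_unicode(refang(domain))
    official = name == TARGET or name.endswith(OFFICIAL_SUFFIX)
    labels = [l for l in name.replace("-", ".").split(".") if l]
    token_hits = sorted({t for t in BRAND_TOKENS for label in labels if t in label})
    distance, closest = min((levenshtein(label, "amendes"), label) for label in labels)
    typo = distance <= MAX_TYPO_DISTANCE and closest != "amendes"
    if official:
        verdict = "official"
    elif token_hits or typo:
        verdict = "lookalike"
    else:
        verdict = "unrelated-by-name"   # may still be phishing: judge by content, not only by name
    return {"domain": domain, "unicode": name, "verdict": verdict,
            "tokens": token_hits, "closest_label": closest, "distance": distance}


if __name__ == "__main__":
    for d in ["amendes.gouv.fr", "amende-gouv-login[.]fr", "antai-gouv-amendes[.]net",
              "xn--rglementamendes-bnb[.]fr", "amendse[.]fr", "ksocampaign[.]com"]:
        print(assess(d))
```

Run against a certificate transparency feed or newly registered domain list, the same function turns up impostors before the campaign starts; anything that scores "lookalike" and is not under .gouv.fr can be blocked on the proxy without waiting for a reputation engine to catch up.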

 

Best tools to protect the whistleblowers and journalists online

Imagine that you want to report major financial corruption in your country or organization; the safest way to report such information is to use a trustworthy tool that protects your anonymity. There are many tools for this nowadays, but the best known and most secure are the ones we share in this article.

A few years ago it was easy to report such things by simply making a phone call, but that is no longer safe, since service providers retain call records and the calls themselves can be intercepted. Below we share the tools used by whistleblowers and journalists to stay safe online and share information without exposing themselves.

  1. SecureDrop (securedrop.org)

SecureDrop is an open-source system that lets whistleblowers anonymously send documents to journalists, and lets news organizations receive them.

  2. Whonix (whonix.org)

Whonix is a Linux distribution built for privacy and anonymity over the internet.

It works with Tor and routes all traffic through it, so the workstation cannot leak its real IP address even if an application misbehaves.

  3. Tor Project

Tor is an anonymity network based on onion routing. The Tor Browser is the browser that comes with it for browsing the web privately, and it is also what you use to reach .onion services (the so-called dark web).

  4. Tails

Tails is a portable live operating system that protects against surveillance and censorship: it routes everything through Tor and leaves no trace on the computer it runs on.

  5. OnionShare

OnionShare is an open-source tool for securely sharing files, chatting and hosting websites over the Tor network.

  6. EQS Integrity Line (integrityline.com)

EQS Integrity Line is a commercial whistleblowing hotline used by organizations in the EU and elsewhere to let employees report wrongdoing such as discrimination or abuse securely and anonymously.

  7. GlobaLeaks

GlobaLeaks is customizable open-source software that enables anyone to set up and maintain a secure whistleblowing platform.

  8. ObscuraCam (Guardian Project)

ObscuraCam helps you share photos and videos while protecting the privacy of the people in them.

The app can blur faces and strips camera and location metadata from the files it produces.

  9. Haven (Guardian Project, beta, on Google Play)

Haven is an Android app that turns a spare phone into a monitor for a physical space.

It uses the phone's sensors to detect motion, sound, vibration and changes in light around it and alerts you.

  10. Dangerzone

Dangerzone lets you safely open PDFs, office documents and images by converting them into a sanitized PDF, so any malicious content in the original cannot reach your machine.

In conclusion, as a whistleblower or journalist you should always think about protecting the information you hold in the most secure way. Before using any tool, verify how your data is protected and how your anonymity is maintained.

How to analyze IOCs before and after a cyber-attack

On June 27, 2023, JumpCloud discovered an APT intrusion. The company's incident response team shared IOCs so that customers and other third parties could protect their infrastructure.

As a security analyst, you should pay attention to the IOCs provided at https://jumpcloud.com/support/july-2023-iocs .

The purpose of this article is to help the analyst detect and investigate different kinds of IOCs, such as domains and IP addresses, before or after an attack has occurred.

Looking at the domains in the IOC list, the first thing to do is to check whether any of them are false positives, since a list from a third party may include legitimate infrastructure.

Example of some Domains from the IOCs:

nomadpkgs[.]com

centos-repos[.]org

datadog-cloud[.]com

toyourownbeat[.]com

datadog-graph[.]com

centos-pkg[.]org

primerosauxiliosperu[.]com

zscaler-api[.]org

nomadpkg[.]com

 

As you can see, some of the domain names are quite similar to the names of well-known service providers and companies, for example Zscaler and CentOS. As an analyst, you should always check such IOCs before drawing any conclusion.

Let's take a few domains as examples:

zscaler-api[.]org

https://www.virustotal.com/gui/domain/zscaler-api.org/details

Whois lookup (as shown by VirusTotal):

Administrative city, country, state: REDACTED FOR PRIVACY
Create date: 2023-06-23 00:00:00
Domain name: zscaler-api.org
Domain registrar id: 1068
Domain registrar url: http://www.namecheap.com
Expiry date: 2024-06-23 00:00:00
Name server 1: dns1.registrar-servers.com
Name server 2: dns2.registrar-servers.com

As you can see, the VirusTotal result shows that the domain was created on 2023-06-23, four days before the intrusion was discovered; this is our first hint, since most domains used by threat actors are newly registered. As Zscaler is a well-known brand, we can look up Zscaler's own domain and compare the two.

zscaler.com (Zscaler's legitimate domain)

https://www.virustotal.com/gui/domain/zscaler.com/details

After checking Zscaler's main domain, we can see that its TLS certificate is issued to the company itself (Subject: C=US, 2.5.4.15=Private Organization, 2.5.4.5=4431830, L=San Jose, O=Zscaler, Inc., ST=California, 1.3.6.1.4.1.311.60.2.1.2=Delaware, 1.3.6.1.4.1.311.60.2.1.3=US, CN=www.zscaler.com).

The Whois lookup gave the following details:

Admin Country: US
Admin Organization: Zscaler, Inc.
Admin State/Province: CA
Creation Date: 2008-07-14T22:12:34Z
DNSSEC: unsigned
Domain Name: zscaler.com

With this information we can conclude that zscaler-api[.]org does not belong to Zscaler: it was registered fifteen years later, through a different registrar, with the registrant hidden, and nothing ties it to the company.

NB: It is always good practice to search the domain on a web search engine such as Google or Bing to see whether anyone else has reported it.

The second example is the pair nomadpkg[.]com and nomadpkgs[.]com.

Typing nomadpkg[.]com into Google to look for related information, we found a similar domain, nomadpackaging.com, the website of a packaging company.

https://whois.domaintools.com/nomadpackaging.com

Dates: 6,355 days old
Created on 2006-02-22
Expires on 2024-02-22
Updated on 2023-02-08

Checking the two IOC domains themselves, we found that they were newly created

https://whois.domaintools.com/nomadpkg.com, https://whois.domaintools.com/nomadpkgs.com

and that no specific information about them could be found on the internet.

At this point, based on the naming, we may assume that the domains are probably mimicking nomadpackaging.com (the "pkg" naming also blends in with ordinary software package traffic). Either way, a newly created domain with a name designed to blend in is reason enough for us to block it.

You can use the same technique to analyze the other domains, such as centos-pkg[.]org and centos-repos[.]org, or any domain in the list.

NB: During our investigation we also found that the Turkish national CERT's blocklist, https://www.usom.gov.tr/url-list.txt, already lists most of the domains from https://jumpcloud.com/support/july-2023-iocs as malicious. You can load that list into your SIEM as a watchlist to monitor any interaction with these domains.

Now, let's analyze some of the IP addresses from the same list:

https://jumpcloud.com/support/july-2023-iocs

66.187.75.186

104.223.86.8

100.21.104.112

23.95.182.5

78.141.223.50

116.202.251.38

89.44.9.202

192.185.5.189

Most of the IP addresses above look ordinary; seeing such traffic in your network, it is very difficult to guess that they are used by a threat actor. But there are techniques to find out more about a specific IP address.

Let's start:

In this case, a tool like https://www.abuseipdb.com did not help much, since the addresses look normal and most of them had no abuse reports. So we turned to https://securitytrails.com/ to list the domains hosted behind each IP address.

By checking the domains on the IP addresses, we found that toyourownbeat[.]com (one of the domains from the list above) is hosted on 192.185.5.189:

https://securitytrails.com/list/ip/192.185.5.189

Among the subdomains of toyourownbeat[.]com we found:

webmail.toyourownbeat[.]com

mail.toyourownbeat[.]com

Mail hosts on attacker infrastructure could be a sign that phishing messages were sent to users who interact with the website, so any mail traffic to or from the domain is worth pulling from the mail gateway logs.

https://securitytrails.com/list/apex_domain/toyourownbeat.com
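The domain and IP triage described above, as an added example that is not from the original post. The WHOIS and reverse-DNS data are embedded as constructed lookup tables: the creation dates of zscaler.com (2008-07-14), zscaler-api.org (2023-06-23) and nomadpackaging.com (2006-02-22), and the fact that toyourownbeat.com with its mail and webmail hosts sits on 192.185.5.189, come from this post; every other date and hosting entry is invented for the demo, and the brand-to-legitimate-domain map and the 90-day "new domain" threshold are my assumptions. The apex() helper is deliberately naive (last two labels); use a public-suffix list for ccTLDs.

```python
"""Offline triage of the JumpCloud IOC domains and IPs (added example, not
from the original post). WHOIS and reverse-IP data are constructed tables;
see the comments for which entries come from the post."""
from datetime import date

INCIDENT_DATE = date(2023, 6, 27)   # detection date from the post
NEW_DOMAIN_DAYS = 90                # assumed threshold for "newly registered"

IOC_DOMAINS = ["nomadpkgs.com", "centos-repos.org", "datadog-cloud.com", "toyourownbeat.com",
               "datadog-graph.com", "centos-pkg.org", "primerosauxiliosperu.com",
               "zscaler-api.org", "nomadpkg.com"]

# Brand token -> legitimate apex domain (assumed map for the "looks like a vendor" check).
BRANDS = {"zscaler": "zscaler.com", "datadog": "datadoghq.com",
          "centos": "centos.org", "nomad": "nomadpackaging.com"}

WHOIS_CREATED = {                         # constructed: first three dates are from the post
    "zscaler.com": date(2008, 7, 14),
    "zscaler-api.org": date(2023, 6, 23),
    "nomadpackaging.com": date(2006, 2, 22),
    "nomadpkg.com": date(2023, 6, 20),    # invented
    "nomadpkgs.com": date(2023, 6, 20),   # invented
    "centos-repos.org": date(2023, 6, 1), # invented
    "toyourownbeat.com": date(2019, 3, 5),# invented
}
REVERSE_IP = {                            # constructed passive-DNS style table
    "192.185.5.189": ["toyourownbeat.com", "mail.toyourownbeat.com",
                      "webmail.toyourownbeat.com", "shared-host-tenant.example"],  # last one invented
    "66.187.75.186": [],
}


def apex(host):
    """Naive apex: last two labels (fine for .com/.org; use a public-suffix list for ccTLDs)."""
    return ".".join(host.split(".")[-2:])


def age_days(domain, asof=INCIDENT_DATE):
    created = WHOIS_CREATED.get(apex(domain))
    return (asof - created).days if created else None


def brand_collision(domain):
    """The vendor domain a name imitates, or None if it is that vendor's own apex."""
    a = apex(domain)
    for token, legit in BRANDS.items():
        if token in a and a != legit:
            return legit
    return None


def pivot_ip(ip, iocs=IOC_DOMAINS):
    """Reverse-IP pivot: which known IOCs share this address, and are there mail hosts on it."""
    hosted = REVERSE_IP.get(ip, [])
    return {"ip": ip, "hosted": hosted,
            "ioc_hits": sorted({apex(h) for h in hosted if apex(h) in iocs}),
            "mail_hosts": [h for h in hosted if h.split(".")[0] in ("mail", "webmail", "smtp")]}


def triage(domains=IOC_DOMAINS):
    rows = []
    for d in domains:
        age, legit, reasons = age_days(d), brand_collision(d), []
        if age is not None and age <= NEW_DOMAIN_DAYS:
            reasons.append(f"registered {age} days before incident")
        if legit:
            reasons.append(f"imitates {legit}")
        rows.append({"domain": d, "age_days": age, "imitates": legit, "reasons": reasons,
                     "verdict": "block" if reasons else "review"})
    return rows


def to_siem_lines(rows):
    """One 'indicator,verdict,reason' line per domain, ready for a watchlist import."""
    return [f"{r['domain']},{r['verdict']},{'; '.join(r['reasons']) or 'no automatic signal'}"
            for r in rows]


if __name__ == "__main__":
    print("\n".join(to_siem_lines(triage())))
    print(pivot_ip("192.185.5.189"))
```

The two verdicts are deliberately asymmetric: "block" needs only one positive signal, while "review" means the name-and-age checks found nothing, which is exactly where toyourownbeat.com lands. That is the domain the post had to pivot on through its IP address, so a "review" row is a queue for the manual steps, not a clean bill of health.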

I know this is time-consuming, but it is better to spend the time analyzing one indicator than to be hacked because you did not. Stay focused and be patient.

How to statically analyze malware

Static malware analysis means analyzing a malicious file without executing it.

Static analysis can help you find indicators that show whether a file is malicious.

A static analysis can reveal the following details:

  • Hashes of the file
  • Whether the file is packed
  • Imports and exports
  • Libraries used
  • Strings embedded in the file
  • Digital certificates
  • The file format type
  • Details such as domains, IP addresses and others

NB: For safety reasons, we are not providing the malicious file.

Imagine that you receive a suspicious file to analyze at work; your first job is to set up a sandbox for the investigation.

We have already set up our sandbox with two virtual machines (a Windows guest and REMnux).

REMnux is a prebuilt Linux distribution for malware analysis; the virtual appliance can be downloaded from Get the Virtual Appliance - REMnux Documentation

The Windows guest was downloaded from Download a Windows virtual machine - Windows app development | Microsoft Developer (a Windows 11 image is also available there).

VirtualBox can be downloaded from Downloads – Oracle VM VirtualBox

After installing the VMs, you can install FLARE VM (a collection of malware analysis tools for Windows) from GitHub - mandiant/flare-vm.

FLARE VM does not come with every application you may need, so install additional tools such as PEiD, BinText, PEStudio and Dependency Walker based on your needs.

When all the applications are installed, the environment looks like this (screenshot not reproduced here).

Both guest machines are attached to a "Host-only" network, which means they have no internet connection; keep it that way, and disable shared folders and clipboard sharing with the host, so that the sample cannot reach out or escape the VM.

NB: One important thing: take a snapshot of each machine before you start the investigation, so you can return to a clean state afterwards.

Let’s start the investigation.

  1. strings

On the REMnux host, the strings command finds the printable strings embedded in the file.

First, run it with the help option to see what it offers (for example -n to set the minimum length and -e l to extract the UTF-16 strings that Windows binaries use a lot).

Run the command with the file as its argument.

  2. pestr

On the REMnux host, open a terminal and run pestr with the file name; it extracts the printable strings from a PE file and can show where in the file each one sits.

You can redirect the output to a file for a better view of it.

At this point we can observe indicators such as imported libraries and API names, DLL file names, a persistence method using the registry, a domain name and others. This is a good start, since most malware shows these attributes.

  3. PEiD

On the Windows host. The tool detects common packers, cryptors and compilers for PE files.

Drag the file you are analyzing into the tool; in our case the file is not packed, and we can see that it was written in C++. Note that PEiD relies on signatures, so an unknown packer shows up as "nothing found" rather than as packed; a section whose entropy is close to 8 bits per byte is the more reliable hint.

  4. PEStudio

On the Windows host. The tool is very useful for static analysis; it shows the following information:

  • File signature and hashes
  • Imports and exports
  • URLs and IP addresses
  • VirusTotal score (looked up by hash; disable it for sensitive cases, since even the hash lookup reveals that you hold the sample)
  • Strings embedded in the file
  • Strings, imports and sections flagged as blacklisted

Run the tool, drag the file into it and go through each entry on the left side, analyzing the output on the right side: VirusTotal score, imports, strings.

  5. BinText

On the Windows host. Run the tool and it displays the strings embedded in the file.

  6. peframe

The tool analyzes portable executable files and can detect whether the file is packed, anti-debug and anti-VM tricks, digital signatures, XOR-obfuscated content, mutexes, suspicious sections and functions, macros and more.

On the REMnux host, type the command followed by the name of the file you are analyzing.

We get details such as the hashes of the file, "PE32" (meaning a 32-bit Windows executable), the file size and others.

NB: You can list all the analysis tools installed on REMnux with the command shown in the screenshot (not reproduced here); the REMnux documentation also lists them.

  7. Dependency Walker

On the Windows host.

After dragging the file into the tool, you can see the DLLs the file depends on together with the functions (imports and exports) related to each.

You can look up the name of a DLL or function on the internet to learn what it does; for Windows APIs, Microsoft's documentation is the authoritative source.

Now that the static analysis is finished, you can collect the information and write a report.

Static analysis is very important: it lets you analyze the malware without running it and collect basic information about it, which helps decide whether the file is malicious and what to look for in dynamic analysis afterwards.
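The header, string and packing checks done by hand above, as an added example that is not from the original post: a stdlib-only script that does what the strings, PEiD and PEStudio steps do (hashes, COFF header and section parsing, section entropy as a packing hint, string extraction, and flagging of suspicious API names, URLs, IP addresses and Run-key persistence). The input is a constructed toy PE layout built by build_sample_pe() (MZ stub, COFF header, one section, no optional header); it is not a real executable and will not run, and the API list and the 7.0-bit entropy threshold are my choices. For real samples, the pefile library parses the full optional header, import tables and resources.

```python
"""Stdlib-only static triage of a PE file (added example, not from the post).
The sample bytes are a constructed toy PE layout, not a real executable."""
import hashlib
import json
import math
import re
import struct
from collections import Counter

SUSPICIOUS_APIS = {"CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx", "ShellExecuteA",
                   "SetWindowsHookExA", "URLDownloadToFileA", "IsDebuggerPresent"}  # assumed list
MACHINES = {0x14C: "x86", 0x8664: "x64", 0xAA64: "arm64"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
RUNKEY_RE = re.compile(r"CurrentVersion\\Run", re.IGNORECASE)


def build_sample_pe():
    """Constructed toy PE image: MZ stub, COFF header, one .text section, no optional header."""
    payload = (b"KERNEL32.dll\0CreateRemoteThread\0WriteProcessMemory\0"
               b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\0"
               b"http://update-check.example/gate.php\0" + b"\0" * 32)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)                      # e_lfanew: PE header right after the stub
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x0102)
    raw_offset = 64 + len(coff) + 40                          # section data follows the section header
    section = struct.pack("<8sIIIIIIHHI", b".text", len(payload), 0x1000,
                          len(payload), raw_offset, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + coff + section + payload


def entropy(data):
    """Shannon entropy in bits per byte; packed or encrypted code sits close to 8."""
    if not data:
        return 0.0
    counts = Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())


def extract_strings(data, min_len=6):
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def analyze_pe(data):
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing (corrupt file or not a PE)")
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    sections, off = [], e_lfanew + 24 + opt_size           # section table follows the optional header
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, off + 40 * i)
        raw = data[rawptr:rawptr + rawsize]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "raw_size": rawsize,
                         "entropy": round(entropy(raw), 2),
                         "executable": bool(flags & 0x20000000)})   # IMAGE_SCN_MEM_EXECUTE
    strings = extract_strings(data)
    joined = "\n".join(strings)
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "machine": MACHINES.get(machine, hex(machine)),
        "sections": sections,
        "packed_hint": any(s["entropy"] > 7.0 for s in sections),
        "suspicious_apis": sorted(set(strings) & SUSPICIOUS_APIS),
        "urls": URL_RE.findall(joined),
        "ipv4": IPV4_RE.findall(joined),
        "registry_persistence": [s for s in strings if RUNKEY_RE.search(s)],
    }


if __name__ == "__main__":
    print(json.dumps(analyze_pe(build_sample_pe()), indent=2))
```

The report is the same set of facts PEStudio shows in its left-hand tree, in a form you can diff between samples or feed to a ticket. Two things the toy input hides but a real sample will show: a high-entropy section with almost no strings means the interesting strings only appear after unpacking, and a suspicious API that is not in the import table but does appear as a string is often resolved at run time with GetProcAddress, which is itself a signal.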

How did I fix my WordPress website after it was hacked?

On 29.06.2023, my website osintafrica – intelligency blog was hacked.

The threat actor created two accounts with the Author role and published two posts on the website.

In the next lines, I will describe how I handled and fixed the issue.

When I logged in to my website, I found a strange post. It was very surprising, because I was not the author of the post, so I decided to analyze the issue.

Figure 1 Post published by the threat actor

As you can see in the image above, the user "miqzmcif" was the author of the post.

I logged in to my WordPress backend and checked the Users menu to list all the accounts on the website, and found two new accounts (miqzmcif@ds.sdf and 0erwybgp2j9n9btwm8foxn@gmail.com) alongside my own admin user.

Figure 2 Two new users created by the threat actor

With the email addresses of the two new users, I searched for the names and addresses on Google; unfortunately, nothing was found.

My next step was to verify whether any plugin had a vulnerability that could be exploited to get access to my website and create a user account or publish a post. I checked all the plugins one by one via Google search and found only one plugin with a known issue: WP Post Author version 3.2.3, which has a critical vulnerability discovered a few days earlier: WP Post Author <= 3.2.3 - Privilege Escalation (wordfence.com)

The WP Post Author plugin is used to create and edit authors on a WordPress website, so at this point it was quite obvious to me that the plugin was the issue.

Before I deactivated and removed the plugin along with the two created users, I ran a WPScan against the website to check for vulnerabilities. At the time the scan was run, it detected no issue that a threat actor could have used to carry out the attack.

After that, I decided to harden my website: I enabled auto-updates on all plugins and installed a web application firewall and an IDS to protect the website.

NB: It is worth mentioning that, before I was hacked, I would never have imagined that my blog could be hacked.

So, as a practical example, I encourage all of you to follow the best practices described here to protect your WordPress website or any other website.

STATIC MALWARE ANALYSIS TOOLS

Static malware analysis tools analyze a file or malware sample without running it.

The main objectives of static malware analysis are the following:

  • Computing the file's hashes
  • Identifying whether the file is packed, and identifying the file format
  • Analyzing the file's header
  • Identifying suspicious strings embedded in the file
  • Finding the imports and exports used by the file

Below you will find some of the most used static malware analysis tools.

Readpe

readpe download | SourceForge.net

readpe (part of the pev toolkit) is a set of tools for working with PE (Portable Executable) binaries. The main goal of the toolkit is to provide feature-rich tools for properly analyzing binaries, with a strong focus on suspicious ones.

Strings

strings is a command-line tool for extracting printable strings from binary data (available on Linux and, from Sysinternals, on Windows).

A more capable alternative for Windows is strings2: an improved string extraction tool from binary (split-code.com), which adds options such as extracting strings from a running process's memory.

FLARE-FLOSS

GitHub - mandiant/flare-floss: FLARE Obfuscated String Solver - Automatically extract obfuscated strings from malware.

The FLARE Obfuscated String Solver (FLOSS, formerly FireEye Labs Obfuscated String Solver) uses advanced static analysis techniques to automatically de-obfuscate strings from malware binaries. You can use it just like strings.exe to enhance the basic static analysis of unknown binaries.

BinText

McAfee-Tools/bintext303.zip at master · mfput/McAfee-Tools · GitHub

The tool extracts text from files: plain ASCII text, Unicode (UTF-16) text and resource strings.

DIE or (Detect It Easy)

NTInfo | .:NTInfo:. (horsicq.github.io)

The tool is used for determining the types of files. DIE exists in three versions. Basic version ("die"), Lite version ("diel") and console version ("diec").

Peframe

GitHub - guelfoweb/peframe: PEframe is a open source tool to perform static analysis on Portable Executable malware and malicious MS Office documents.

Peframe is an open-source tool used to perform static analysis on Portable Executable malware and generic suspicious file. It can help malware researchers to detect packer, xor, digital signature, mutex, anti-debug, anti-virtual machine, suspicious sections and functions, macro and much more information about the suspicious files.

PEiD

PEiD - aldeid

A freeware (not open-source) tool that detects packers, cryptors and compilers used to build PE files from a signature database; unknown packers are not detected.

PeStudio

Winitor

The tool is very useful for static analysis; it is used to find the following information:

  • File signature and hashes
  • Imports and exports
  • URLs and IP addresses
  • VirusTotal score (looked up by hash)
  • Strings embedded in the file
  • Strings, imports and sections flagged as blacklisted

Dependency walker

Dependency Walker (depends.exe) Home Page

The tool identifies the modules a file loads, with their imports, exports and dependencies.

There are many other tools you can use to perform static malware analysis.

Static analysis does not execute the sample, so it carries less risk than running it; even so, always do it in an isolated environment such as a sandbox or a VM set up for that purpose, because the analysis tools themselves parse untrusted input and can be exploited by a malformed sample. Static malware analysis is very important because it gives you the first information about the sample, so it is always good practice to start with static analysis before going further.

How to transfer data with WinSCP between a Windows host machine and a guest machine in VirtualBox

WinSCP is a free Windows tool for transferring files over SFTP, FTP, WebDAV, S3 and SCP.

The tool can be downloaded from the website: WinSCP :: Official Site Download

The tool is easy to use and offers a graphical interface to transfer files between two Windows machines (here the host and the guest).

Basic configuration before transferring the data

  1. Install the OpenSSH client and server on both machines (Windows Settings > Apps > Optional features).
  2. Start the OpenSSH Server service on the machine that will receive the connection (on both, if you want to transfer in either direction) and set it to start automatically.
  3. Allow ping (ICMP echo) through the firewall on both machines:

Type in Windows Explorer: Control Panel\System and Security\Windows Defender Firewall\Allowed apps

Tick "File and Printer Sharing" for the "Private" profile and click OK.

  4. Attach the guest machine to a "Host-only Adapter" so that it is on the same network as the host.
  5. Check that the two machines can reach each other: open cmd and run ipconfig on each machine to get its IP address.
  6. On the other machine, run ping followed by the IP address obtained above.

NB: At this point the configuration is done and you can transfer the data.

File transfer

  • Open WinSCP on the host machine (you can transfer from either machine).
  • Choose the protocol you want to use (in our case SFTP).
  • Set the port number to 22, the SSH port.
  • Type the host name and the user name of the machine you want to transfer the data to.

Example: open cmd and type whoami; the output has the form computername\username, with the host name on the left and the user name on the right.

  • Enter the password you use to log in to that machine and you are connected.
  • The file transfer is now possible: copy the file, open or create the target folder on the remote side and paste it there.

On the first connection WinSCP shows the server's host key fingerprint; compare it with the key on the guest (run ssh-keygen -lf C:\ProgramData\ssh\ssh_host_ed25519_key.pub there) before accepting it, otherwise SFTP gives you no protection against a machine in the middle. Once the key is accepted, files can be transferred securely over SFTP.