Category: Lab Notes

Recently I completed a project using Tampermonkey user scripts, and I needed to host them somewhere that our team’s browsers could access. S3 is an obvious choice to host static files but I wanted to limit access to certain IP addresses. We maintain several existing EC2 Security Groups and I …

Note to reader: If you are following along, you will need a VPN connection that supports a large list of geographic endpoints. I have found South American and Eastern Bloc countries are good choices for endpoints.

Many downloaders have a double-edged goal in mind – make it easy for the …

We recently became aware of what appears to be the return of Emotet. The TrickBot malware family began delivering a dll that is suspiciously similar to the old Emotet payloads. While information is still being developed around this, the shared distribution between TrickBot and Emotet from past endeavors points to …

VPNs are useful for many reasons. But if you have many devices it can be annoying to install, configure, authenticate, reconfigure, and keep a bunch of different VPN client apps updated. And if you have a device or two that you never want to be attributed to your real IP …

There are many circumstances where we must dig into the network traffic generated by malware samples. And in lots of cases, we don’t have the benefit of the traffic being unencrypted. Perhaps you do not want, or cannot, run a MITM (man in the middle) proxy to handle this decryption …

Down the Rabbit Hole

I regularly check each of our sandbox environments for reports with suspicious yara rule hits and yet no IoCs or network traffic. If any of these reports are maldocs, then I attempt to deobfuscate them and discover whether a sandbox check resulted in the failure to detonate. During one of …

Ansible Reuse Made Easy

While none of the configuration management tools I’ve used are perfect, Ansible is by far my top pick. There is a bit of a learning curve though. I think most people’s experience with Ansible goes something like this:

  1. Review the technically correct and verbose docs.
  2. Decide to google for
Connecting the Dots

While reviewing the backlog of blogs and news articles that always accumulate over the holidays, I stumbled across an interesting Dridex downloader sample discussed here. I had recently analyzed a similar sample, but the XLM macro was obfuscated and stored in a single cell in the spreadsheet. What piqued …
