The malware analyst’s guide to PE timestamps

This blog post is all about time. More exactly, timestamps found in Portable Executable (PE) files that describe a (possible) compilation date. These PE timestamps may even reveal details about a threat actor. For instance, it is possible to deduce a threat actor’s working hours and use this information – hopefully together with other artifacts …


The easy way to two-factor authentication for WordPress with Two-Factor and Google Authenticator

WordPress is the most popular content management system (CMS). Therefore, it is also a very popular target for hackers. The default WordPress login requires a username and password combination. If hackers obtain your login credentials, there is no second line of defense and your WordPress site is theirs. Two-factor authentication (or sometimes multi-factor authentication) adds this …


Where to start tracking adversary infrastructure?

Last update: 2020-01-19

Adversaries require infrastructure to support their operations and to ultimately achieve their goals like intelligence collection. Therefore, infrastructure is one of the four core features of the famous Diamond Model of Intrusion Analysis. The proactive detection of adversary infrastructure can help cyber threat intelligence (CTI) teams detect this infrastructure even before the …


Install Bindiff on Fedora

BinDiff is a tool to diff two binary executables and find their differences and similarities, respectively. Originally, Zynamics developed BinDiff, but a couple of years ago it was bought by Google. Even though there are alternatives like Diaphora, I still prefer BinDiff. It is the tool I utilize when analyzing a new version of a malware …


The malware analyst’s guide to zlib compression

Malware often utilizes data compression like zlib or aPLib. There are several reasons for this behavior: first, it saves space and makes binaries smaller and network transfers faster. Second, it adds another layer of obfuscation as the malware analyst needs to detect the compression algorithm first. One of the widely adopted data compression libraries in …


Never upload ransomware samples to the Internet

Ransomware is our contemporary plague. It is a thriving business that attracts more and more cybercriminals every month. New ransomware gangs sprout like mushrooms. These self-proclaimed “security teams” test the security of many small to large enterprises. But their unsolicited penetration tests are not that cheap. What they leave behind is pure mayhem and a …
