Questions tagged [malware-analysis]

15 questions
3 votes, 2 answers

Has malware detected mitmproxy and similar tools used to intercept and analyze malicious traffic?

When trying to analyze malware, have there been cases where malware detected the use of mitmproxy and ceased operation? If that has happened, would it be a good idea to be constantly using a proxy as a measure for deterring any malware?
Sir Muffington (1,447 rep)
2 votes, 0 answers

Opened compromised Excel file - am I safe?

Long story short, got duped into opening an XLSM in Excel, with macros being enabled. Realised instantly. Dug into the Excel structure, found the following (extremely obfuscated)…
user275197 (21 rep)
1 vote, 1 answer

Can I trust companies that test antimalware software?

Do they lie? I mean companies like AV-TEST, AV-Comparatives, Virus Bulletin, MRG Effitas, etc.
1 vote, 0 answers

What is the difference between malware signatures and malware artifacts?

I am trying to analyse some malware samples but I am trying to understand the difference between malware signatures and malware artifacts. As far as I understand (and from what I've understood from this other post: What is the difference between…
1 vote, 0 answers

Pixel File Size in STAMINA

Last year Intel released a white paper on a joint research effort with Microsoft concerning the possibility to perform malware analysis by converting a file to an image and then applying a deep neural network model on it. In the said white paper the…
Elhitch (403 rep)
0 votes, 1 answer

Can ransomware impact SSD drives?

I was watching this DefCon talk about Solid State Drives (SSDs) destroying forensic and data recovery jobs. It was interesting to note that the speaker did acknowledge that it is unknown how long deleted files will remain recoverable for. I have…
user5623335 (381 rep)
0 votes, 1 answer

How is a malware file signature generated?

How is the malware file signature generated? Does it use a sequence of bytes in the beginning, size, PE (export, import, section), etc? And can the MD5 or SHA256 be considered a file signature for a malware file? Note: I know that there's YARA that…
heaprc (103 rep)
0 votes, 0 answers

Reliable information on AV engine false positive rate

I just came across this blog post (archived here). I am curious to know where I can find more data on false positive rates of anti-virus software. Of course, any such data would be subjective, since the samples are chosen by the people who publish…
user21820 (623 rep)
0 votes, 0 answers

Malware sinkhole evasion techniques

I have read into malware sink holing, as a way to disrupt botnets. There are also approaches to make this more difficult, for example using a Domain Name Generator algorithm which is what the Conficker worm used, fast-flux, double fast-flux, and P2P…
questioner (171 rep)
0 votes, 0 answers

Malware binaries for the SpySheriff scareware

When I first became interested in malware reverse engineering years ago, the first malicious program I encountered was a scareware called SpySheriff. It had a wide internet presence, as it spread through the typo-squatting domain goggle.com. I have…
questioner (171 rep)
0 votes, 1 answer

How to store malware for analysis?

I am planning on analysing some malware samples dynamically using a sandbox tool and a target Windows VM. The host (physical machine) runs Ubuntu and in it are the sandbox and target VM. So far I have only analysed benign samples, i.e. normal software. I…
Marcus (1,145 rep)
0 votes, 1 answer

Malware dropper uses "^" character in syntax of cmd.exe before calling mshta.exe to download file?

I found a malicious Excel file that was using an embedded HTA program as its dropper to download a powershell program from a malicious IP. The dropper was on a hidden sheet in the file. After reviewing the output in the sandbox I found that the…
QOHEN (1 rep)
0 votes, 0 answers

OCSP hosts: how to tell malicious OCSP hosts apart

Learning a bit about allowed OCSP hosts on Windows 10: I've picked up OCSP requests carried out by CryptSvc pointing towards an OCSP server in Japan. Referring to Microsoft's Win10 Non-enterprise endpoint lists, I've already witnessed and confirmed…
N S (41 rep)
0 votes, 0 answers

What does it mean to find an Imphash match?

I have Import Hash (Imphash) matches for some executables and dlls in my environment like teams update.exe, outlook.exe and other Microsoft-provided dlls apart from non-Microsoft dlls too. When I take the hash of the identified dlls and executables…
termcap (31 rep)
0 votes, 0 answers

Security of Third Party Plugins in Thunderbird

In Thunderbird (a popular open source email client), there is an extension store similar to Mozilla Firefox which adds further functionality to the client. Mozilla has an article detailing the security and safety of Firefox extensions (see Tips for…