Posts

Threat Hunting | Malspam Analysis | Malware Traffic Analysis - MalwareTrafficAnalysis.net Basic

+++++++Please note that we have not attempted to copy anyone, nor have we published any copyrighted material; we have simply tried to compile the best freely available resources and include them in our investigation.+++++++++

Before we proceed with the threat hunting we will look at a couple of techniques that make the job easier while working with Wireshark.

-------------------------------------------------------------------------------------------------------------------------------------
How to add server/host names as columns in Wireshark?
-------------------------------------------------------------------------------------------------------------------------------------

Open Wireshark with any captured packets file (.pcap). Before starting to hunt for critical data, always make sure the time display format (and time zone) matches the way the incident was reported; otherwise the capture timestamps cannot be lined up with the alert or ticket. This will help you track the timeline of the infection through its pre- and post-infection stages. Here w
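The fields an analyst adds as Wireshark columns for this kind of hunt (absolute time in UTC, source and destination address, HTTP Host and request line) can also be pulled straight out of a pcap file. The script below is an added example written for this page, not code from the original post or from the Wireshark project: a minimal libpcap reader that assumes Ethernet framing, IPv4 and TCP with the HTTP request at the start of a segment. The capture it runs on is constructed inline (the addresses and host names are made up) so it runs offline.

```python
"""Pull the Wireshark "columns" used for malspam hunting (absolute UTC time,
src/dst IP, HTTP Host, request line) straight out of a pcap.
Added example: minimal libpcap reader, not from the original post or Wireshark.
Assumes LINKTYPE 1 (Ethernet), IPv4, TCP, HTTP request at segment start.
"""
import struct
from datetime import datetime, timezone

PCAP_MAGIC_LE = 0xA1B2C3D4   # magic as read when the file was written little-endian
PCAP_MAGIC_BE = 0xD4C3B2A1   # same magic as read when the file was written big-endian
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"DELETE ")


def _parse_http_request(payload):
    """Return (method, uri, host) if payload starts an HTTP request, else None."""
    if not payload.startswith(HTTP_METHODS):
        return None
    lines = payload.partition(b"\r\n\r\n")[0].split(b"\r\n")
    request_line = lines[0].split(b" ")
    if len(request_line) < 2:
        return None
    host = ""
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace")
            break
    method, uri = (p.decode("ascii", "replace") for p in request_line[:2])
    return method, uri, host


def http_rows_from_pcap(data):
    """One tuple per HTTP request: (utc_time, src_ip, dst_ip, host, method, uri).
    Mirrors the Wireshark columns Time (UTC Date and Time of Day), Source,
    Destination, http.host and http.request.uri."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == PCAP_MAGIC_BE:
        end = ">"
    else:
        raise ValueError("not a microsecond-resolution pcap (magic %#x)" % magic)
    if struct.unpack(end + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (LINKTYPE 1) captures are handled")
    rows, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(end + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 54 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue                      # ARP, IPv6, ...: skip
        ip = frame[14:]
        if ip[9] != IPPROTO_TCP:
            continue                      # UDP/ICMP: no HTTP here
        tcp = ip[(ip[0] & 0x0F) * 4:]
        req = _parse_http_request(tcp[(tcp[12] >> 4) * 4:])
        if req is None:
            continue
        when = datetime.fromtimestamp(ts_sec, tz=timezone.utc).replace(microsecond=ts_usec)
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        rows.append((when.strftime("%Y-%m-%d %H:%M:%S.%f"), src, dst, req[2], req[0], req[1]))
    return rows


# ---- constructed sample capture (not a real infection pcap) ------------------
def _tcp_frame(src, dst, sport, dport, payload):
    """Ethernet/IPv4/TCP frame around payload; checksums left zero (parsers ignore them)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, IPPROTO_TCP, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
    return eth + ip


def _pcap(records):
    """records: [(ts_sec, ts_usec, frame)] -> little-endian pcap file bytes."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    for sec, usec, frame in records:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


SAMPLE_PCAP = _pcap([
    (1705314600, 250000, _tcp_frame("10.0.0.5", "203.0.113.10", 49152, 80,
        b"GET /index.php HTTP/1.1\r\nHost: example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n")),
    (1705314600, 300000, _tcp_frame("203.0.113.10", "10.0.0.5", 80, 49152,
        b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")),        # response: no Host row
    (1705314602, 0, _tcp_frame("10.0.0.5", "198.51.100.7", 49153, 80,
        b"POST /gate.php HTTP/1.1\r\nHost: update.invalid\r\nContent-Length: 0\r\n\r\n")),
])


def sample_rows():
    return http_rows_from_pcap(SAMPLE_PCAP)


if __name__ == "__main__":
    for row in sample_rows():
        print("\t".join(row))
```

The same columns in Wireshark come from View > Time Display Format > UTC Date and Time of Day plus custom columns on `http.host` and `http.request.uri`; the script just makes explicit that the pcap record timestamp is epoch seconds and microseconds, so the "time format" choice is purely a display decision that has to match how the incident was reported.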

IoT Firmware Binary Emulation!!!

Once we have extracted the firmware we are left with the binaries, so to understand their functionality and interact with them we need an emulator and debugger that let us analyze them in depth, including for memory-safety bugs such as buffer overflows.

Required tools: QEMU

QEMU - QEMU is a generic and open source machine emulator and virtualizer. When used as a machine emulator, QEMU can run OSes and programs made for one machine (e.g. an ARM board) on a different machine (e.g. your own PC). By using dynamic translation, it achieves very good performance. When used as a virtualizer, QEMU achieves near native performance by executing the guest code directly on the host CPU. QEMU supports virtualization when executing under the Xen hypervisor or using the KVM kernel module in Linux. When using KVM, QEMU can virtualize x86, server and embedded PowerPC, 64-bit POWER, S390, 32-bit and 64-bit ARM, and MIPS guests. QEMU is a member of Software Freedom Conservancy.

Step 1 - For emulation we

IoT Firmware Analysis!!!

A simple tutorial you can follow if you are new to the IoT world and firmware analysis. There are various videos you can refer to as well; what to take from all of them is the logic behind what is needed and what to look for.

Step 1 - We begin by downloading the firmware from the link below. It is the Damn Vulnerable Router Firmware (DVRF) image, which Praetorian built for a Linksys E1550 router; for a real device, the stock image is downloaded from the vendor's official website in the same way: https://github.com/praetorian-inc/DVRF/blob/master/Firmware/DVRF_v03.bin

Step 2 - We can use any tool capable of extracting a ".bin" image. We will be using the Binwalk tool with the command below to identify the file system type. For a complete list of file systems, please refer to this link: http://elinux.org/File_Systems

binwalk file.bin

Step 3 - What we identify from a plain binwalk scan is the file system type and the offset at which the file system starts, which in our case is 1648424. The next step now would be to extract the file system us
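What binwalk does in Steps 2 and 3 is a signature scan: it looks for the magic bytes of known headers and file systems at every offset and reports where they sit, and the "extract" step then carves the bytes from that offset out of the image. The script below is an added example written for this page, not binwalk's code and not from the original post; it re-implements that scan for a handful of signatures, decodes the U-Boot uImage and Squashfs 4 superblock fields needed to size the carve, and carves the file system the way `dd if=fw.bin bs=1 skip=OFFSET` would. The firmware blob it scans is constructed inline (a uImage-wrapped gzip payload followed by a Squashfs superblock with dummy tables), so the offsets it reports are those of the sample, not the DVRF image.

```python
"""Binwalk-style signature scan and carve for a firmware image.
Added example for this page, not binwalk's code. The firmware blob is
constructed inline so the script runs offline.
"""
import gzip
import struct

# magic bytes binwalk also keys on (a small subset; real signature DBs are far larger)
SIGNATURES = [
    (b"\x27\x05\x19\x56", "uImage header, big-endian"),
    (b"\x1f\x8b\x08", "gzip compressed data"),
    (b"hsqs", "Squashfs filesystem, little-endian"),
    (b"sqsh", "Squashfs filesystem, big-endian"),
    (b"\x45\x3d\xcd\x28", "CramFS filesystem, little-endian"),
]


def scan(blob):
    """Every (offset, description) where a known magic occurs, sorted by offset.
    Like a plain `binwalk file.bin` this lists candidates only: short magics such
    as gzip's three bytes can false-positive inside random-looking data."""
    hits = []
    for magic, desc in SIGNATURES:
        pos = blob.find(magic)
        while pos != -1:
            hits.append((pos, desc))
            pos = blob.find(magic, pos + 1)
    return sorted(hits)


def uimage_info(blob, off):
    """Decode the 64-byte U-Boot legacy image header at off."""
    f = struct.unpack("!IIIIIIIBBBB32s", blob[off:off + 64])
    return {"data_size": f[3], "load_addr": f[4], "entry": f[5], "os": f[7], "arch": f[8],
            "name": f[11].rstrip(b"\x00").decode("ascii", "replace")}


def squashfs_info(blob, off):
    """Decode the Squashfs 4 superblock fields needed to size the carve."""
    end = "<" if blob[off:off + 4] == b"hsqs" else ">"
    (_, inodes, _, block_size, _, comp, _, _, _, vmaj, vmin, _, bytes_used) = \
        struct.unpack(end + "IIIIIHHHHHHQQ", blob[off:off + 48])
    return {"version": f"{vmaj}.{vmin}", "inodes": inodes, "block_size": block_size,
            "compression": comp, "bytes_used": bytes_used}


def carve(blob, off, length):
    """Equivalent of `dd if=fw.bin bs=1 skip=OFF count=LENGTH`. Squashfs images are
    normally padded to a 4 KiB boundary after bytes_used, so round up if you want the
    on-flash partition rather than the logical file system."""
    if off + length > len(blob):
        raise ValueError("carve runs past the end of the image")
    return blob[off:off + length]


def build_sample_firmware():
    """Constructed blob: 64 bytes of erased flash, a uImage wrapping a gzip payload,
    padding, then a Squashfs 4.0 superblock (gzip, 128 KiB blocks) plus dummy tables."""
    kernel = gzip.compress(b"constructed kernel payload " * 16, mtime=0)
    uimage = struct.pack("!IIIIIIIBBBB32s", 0x27051956, 0, 0, len(kernel), 0x80000000,
                         0x80000000, 0, 5, 5, 2, 1, b"Linux-2.6.x (constructed sample)") + kernel
    tables = b"\x00" * 200                          # stand-in for inode/dir/fragment tables
    bytes_used = 96 + len(tables)                   # 96-byte superblock + tables
    superblock = struct.pack("<IIIIIHHHHHHQQ", 0x73717368, 3, 0, 131072, 0, 1, 17, 0xC0,
                             1, 4, 0, 0, bytes_used)
    superblock += b"\x00" * (96 - len(superblock))  # table start offsets, unused here
    head = b"\xff" * 64 + uimage
    head += b"\xff" * (1024 - len(head))            # put the file system at 0x400
    return head + superblock + tables + b"\xff" * 256


if __name__ == "__main__":
    fw = build_sample_firmware()
    for off, desc in scan(fw):                      # same three columns binwalk prints
        print(f"{off:<10}{off:#010x}  {desc}")
    fs_off = next(o for o, d in scan(fw) if d.startswith("Squashfs"))
    info = squashfs_info(fw, fs_off)
    fs = carve(fw, fs_off, info["bytes_used"])
    print(f"carved {len(fs)} bytes of Squashfs {info['version']} from offset {fs_off}")
```

On a real image the carved bytes would be handed to `unsquashfs`; the point of reading `bytes_used` from the superblock first is that the offset alone (the 1648424 binwalk reports for the DVRF image) tells you where the file system starts but not where it ends, so a blind `dd` to end-of-file drags trailing partitions and padding into the extracted file.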