Posts

Showing posts from March, 2020

Multi-byte XOR Decoding with a known key

Just before New Year's I created a small challenge for my co-workers. I won't share the exact challenge here, but the details were as follows: 1. A JPG of a snowy scene where the person pictured is saying "Rar!", a clue to look for the header of a RAR file. 2. Text in the picture saying to remove the [SNOW]. 3. EXIF data on the JPG with the letters S, N, O and W scattered throughout as minor obfuscation. So: extract the appended RAR file from the JPG, use something like the Linux command "tr -d [SNOW]" (quote the set, e.g. tr -d 'SNOW', so the shell does not expand the brackets as a glob) to strip those characters from the EXIF data, which reveals the password to extract the RAR file. Here's where I made it a bit harder: the PNG file inside the RAR is XOR encoded with the key "FireWorks". In an attempt to make this somewhat obvious, or at least to provide a clue, I appended a bunch of NULL bytes to the end of the PNG before encoding the whole file. As you can see from the image above, this is what the end o...
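The trick the NULL padding relies on is that 0x00 XOR k == k, so the tail of the encoded file is the key itself, repeated. The following is an added example (not the decoder from the original post) that builds a constructed stand-in for the challenge file, recovers the key length and the key from the padded tail, and decodes. The PNG body bytes and padding length are assumptions for the demo; the one caveat worth seeing in code is that the last nine bytes are the key rotated, because the file length is rarely a multiple of the key length.

```python
# Added example, not code from the original post: XOR "decoding" with a
# repeating multi-byte key, and recovering that key from the NULL padding the
# post describes. The file layout below is constructed for the demo.
from itertools import cycle
from typing import Optional

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"  # real PNG signature, useful as a sanity check


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR every byte with the key cycled over the data. XOR is its own
    inverse, so the same call encodes and decodes."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def infer_key_length(encoded: bytes, max_key_len: int = 64, min_repeats: int = 3) -> Optional[int]:
    """NULL plaintext XOR key == key, so a NULL-padded tail shows up in the
    ciphertext as the key repeated. Return the shortest period that repeats
    at least min_repeats times at the very end of the data, or None."""
    for period in range(1, max_key_len + 1):
        window = encoded[-period * min_repeats:]
        if len(window) < period * min_repeats:
            return None
        if all(window[i] == window[i % period] for i in range(len(window))):
            return period
    return None


def recover_key_from_null_tail(encoded: bytes, key_len: int) -> bytes:
    """The last key_len ciphertext bytes are the key, but rotated: the byte at
    offset p was XORed with key[p % key_len], and the tail does not in general
    start at a multiple of key_len. Undo the rotation so key[0] lines up with
    file offset 0."""
    tail = encoded[-key_len:]
    shift = (len(encoded) - key_len) % key_len   # tail[i] == key[(shift + i) % key_len]
    return bytes(tail[(j - shift) % key_len] for j in range(key_len))


def demo() -> dict:
    """Build a stand-in for the challenge file (PNG header, some body bytes,
    NULL padding), encode it, then recover the key and decode."""
    key = b"FireWorks"
    plaintext = PNG_MAGIC + b"IHDR-chunk-and-pixel-data-here" + b"\x00" * 64  # constructed
    encoded = xor_repeating(plaintext, key)

    key_len = infer_key_length(encoded)
    recovered = recover_key_from_null_tail(encoded, key_len)
    decoded = xor_repeating(encoded, recovered)
    return {
        "key_len": key_len,
        "naive_tail": encoded[-len(key):],  # what you see by eye: the key, rotated
        "key": recovered,
        "magic_ok": decoded.startswith(PNG_MAGIC),
        "roundtrip": decoded == plaintext,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

On a real file, read it with open(path, "rb").read(), run infer_key_length and recover_key_from_null_tail on the bytes, and check that the decoded output starts with the expected magic before trusting the key; if the tail is not periodic, the padding was shorter than three key lengths or the plaintext did not end in NULLs.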

Demystifying Obfuscation - Backlog Series Part 1

In the spirit of trying to update more this year, I'm going back through some old samples that I've written decoders for. The following sample can be found at https://app.any.run/tasks/b4f51d23-6346-478b-9b1a-4fd6970274a2/. In particular, reference the following screenshot. In this example, the malware uses a custom alphabet that starts with aKCC.... and ends with $A5x. The rest of the script runs through a list of positions in that alphabet (73;17;66...), finds the character at each position, and places it in the output. With this knowledge we could manually go through and decode this; however, that would take a bit of time, so I wrote a quick Python script, which is provided on my website www.lukeacha.com. Check out the tool here: http://www.lukeacha.com/downloads/emotet-decoder3.zip. I wrote a CTF challenge based on this sample, so the downloaded file actually has the solve for the CTF I wrote last year. However, if you want...
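The decoding step described above is a position lookup: each number in the semicolon-separated list selects one character of the custom alphabet. The following is an added example, not the decoder distributed from www.lukeacha.com, and it uses a constructed alphabet and payload rather than the sample's real "aKCC...$A5x" alphabet, which is not reproduced on this page. It goes slightly beyond the single case in the text by trying both 0-based and 1-based indexing, since scripts differ on that and the wrong base produces plausible-looking garbage rather than an error.

```python
# Added example, not the post's own decoder: reverse the "index into a custom
# alphabet" obfuscation. The alphabet and payload here are constructed for the
# demo; the real sample's alphabet is not reproduced.
import re
from typing import List

# Constructed alphabet, every character unique so positions are unambiguous.
ALPHABET = "zyxwvutsrqponmlkjihgfedcba ZYXWVUTSRQPONMLKJIHGFEDCBA0123456789-._$!%"


def parse_positions(blob: str) -> List[int]:
    """Pull the numbers out of a '73;17;66...' style list. Matching digit runs
    rather than splitting on ';' tolerates stray whitespace or other separators."""
    return [int(m) for m in re.findall(r"\d+", blob)]


def decode_positions(positions: List[int], alphabet: str = ALPHABET, base: int = 0) -> str:
    """Map each position to alphabet[position - base]. base=0 matches a
    JavaScript-style charAt(); some scripts count from 1, hence the parameter."""
    out = []
    for pos in positions:
        idx = pos - base
        if not 0 <= idx < len(alphabet):
            raise ValueError(f"position {pos} is outside the alphabet (base={base})")
        out.append(alphabet[idx])
    return "".join(out)


def encode_text(text: str, alphabet: str = ALPHABET, base: int = 0, sep: str = ";") -> str:
    """The forward direction, so a round trip can be checked against a known string."""
    return sep.join(str(alphabet.index(ch) + base) for ch in text)


def decode_blob(blob: str, alphabet: str = ALPHABET) -> dict:
    """Decode under both 0-based and 1-based indexing and return both keyed by
    base; the one that reads as sensible text (or does not raise) is the right
    one for that sample."""
    positions = parse_positions(blob)
    results = {}
    for base in (0, 1):
        try:
            results[base] = decode_positions(positions, alphabet, base)
        except ValueError as exc:
            results[base] = f"<error: {exc}>"
    return results


if __name__ == "__main__":
    # Constructed payload: "cmd.exe" encoded under the constructed alphabet.
    blob = "23;13;22;64;21;2;21"
    print(decode_blob(blob))
    print(encode_text("cmd.exe"))
```

To use it on a real sample, paste the alphabet string and the position list out of the script verbatim; if the alphabet contains a repeated character, only the first occurrence is addressable by index, which is exactly how the original script would behave too.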

Quick Run through on playing around with NSM

This week I have been asked twice about setting up a lab for those who are new to security, or for colleagues who are less familiar with detection and response. So I figured I would set up a quick and somewhat "dirty" virtual machine for demonstrating at least the basics of how Network Security Monitoring (NSM) looks to an analyst who sees these types of events. As a quick note, I don't do a deep dive in this segment on how to carve an executable out of a PCAP or analyze the executable; this is more a demonstration of how you could set up a VM to replay malware PCAPs and see which alerts fire. The following assumes a little familiarity with virtual machines and installing an OS. OK, to begin, I downloaded the most recent version of Security Onion. Taking that ISO, and using VMware, I set up a new Linux virtual machine (Ubuntu-based, 64-bit). Once the OS has booted to the desktop, simply select Install Security Onion. I went with a lot of def...