Malware Analysis & Reverse Engineering (Case Study)



Summary of Findings 

  • Testbook3.xlsm.mlw: 64f129da1ab476723f147ec9ad92ad0d
  • Malware creation Date: 2017-04-24 01:53:22Z
  • Malware Type: Downloader Trojan

VirusTotal resulted in 27/ 57 detections as malicious. This dropper steals username and password information from the SAM database of the victim. This is evidenced by API calls made using SAMSRV.DLL. The stolen data is then sent across an encrypted communications link using  SSLv2 encryption.

The malware begins to enumerate SAM hashes from the SAM database and encrypts them before transmitting the stolen data. The malware makes use of several APIs in this process including: crypt32.dll, bcrypt.dll, ncrypt.dll, cryptdll.dll, secure32.dll.  Continue reading

Wireshark Packet Capture Analysis


This purpose of this document is to examine the results of several Wireshark captures. Areas to be explored are the exploit type, impact of the exploit, vulnerability type, and any other relevant information. In order for network administrators, penetration testers, or any other type of security experts to combat cyber crimes, it’s critical that they know how to use the same tools that the criminals do. Wireshark is instrumental in helping security professionals dissect intersected communications to formulate new security policies and put new safeguards in place. This experiment will be conducted on a 2009 Mac Pro running OS X Yosemite 10.10.4. Kali Linux will be used to exploit Metasploitable 2 both of which are running inside of Parallels 10 virtual machines.

Continue reading