Abusing Code Signing Certificates

Authenticode Signature

The point of code signing certificates is to verify that a file came from a trusted source, that it was not tampered with before you received it, and that its origin can be validated. Code signing hashes the code and signs that hash with the publisher's private key, attaching the resulting signature to the file. At execution time the signature is validated; if the recomputed hash matches the signed one, that gives assurance the code has not been modified.

Bumblebee

Bumblebee Sample

Bumblebee (Shindig) has been used by TA579 / BazaISO / Exotic Lily / Stolen Images to collect system information and exfiltrate it to a C2. Additional second-stage payloads include Cobalt Strike beacons.

https://bazaar.abuse.ch/sample/70eb84a6bce741ff988116434e4f531a724257185ab92df8fcfa90b3def6568f/

Download zip > .iso file (password protected) > dll/lnk inside. Once the ISO is mounted, the .dll and .lnk are visible.

LNK Analysis

Using LECmd.exe to analyze the LNK file. If on Linux, lnkinfo gives a similar output.

Cloud Recon

Identify the cloud perimeter of a target. Thanks to colleagues who are smarter than me.

Identify Service

Use OSINT to determine the provider and region your target is located in. Shodan, for example, has a cloud.region filter that lists what region the IP is located in. Some examples:

GCP: us-central1
Azure: northeurope
AWS: us-east-1

Download the corresponding IP ranges based on your target's provider:

https://ip-ranges.amazonaws.com/ip-ranges.json
https://www.gstatic.com/ipranges/cloud.json
https://www.microsoft.com/en-us/download/details.aspx?id=56519

Filter list

GCP: jq '.

Malicious Word Doc

https://analyze.intezer.com/analyses/1832abdc-0212-4f2b-97af-ec69af2e5a92/genetic-analysis
https://www.virustotal.com/gui/file/81c7eef54c852dd68050147f77f937933cbff1c22722617180ca386ef55918ab
SHA256: 81c7eef54c852dd68050147f77f937933cbff1c22722617180ca386ef55918ab

Malicious Word document referencing Minsk Protocol.

Uses macros to download a second-stage payload from a server.

Process Tree

Uses WINWORD to open the file:
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" "C:\Users\<USER>\AppData\Local\Temp\<ANALYZED-FILE-NAME>.doc" /q

Runs a PowerShell base64-encoded command (listed below in a VBA macro). A child process from WINWORD launches splwow64:
C:\Windows\splwow64.exe 12288

Details from the file

Using oleid, VBA macros are found. Next is to use olevba to get more information about the VBA and view the macro code

Malware Analysis Homelab

This guide will serve as a lab for both static and dynamic malware analysis. The dynamic analysis portion will be in its own network that cannot reach out to the host network and vice versa. I have to give credit to c3rb3ru5 because her guide is what taught me about being able to create networks within virtual machines and setting up mitmproxy to capture traffic. It was inspired by her KVM Malware Lab Guide but I had to make some changes due to issues on my end.