Analyzing PDF and Office Documents Delivered Via Malspam

I published an article on IBM Security Intelligence on Analyzing PDF and Office Documents Delivered Via Malspam .

The article covers analysing the static properties of malspam and further in depth analysis of malspam via for example the tools from Didier Stevens.

How to Choose the Right Malware Classification Scheme to Improve Incident Response

I published an article on IBM Security Intelligence on How to Choose the Right Malware Classification Scheme to Improve Incident Response.

The article covers malware classification in an ideal world, some of the existing classification schemes and how machine-parsable malware classification can help make incident response processes more fluent.

Doing OSINT and Twitter Analytics with Tinfoleak

Twitter is a great source for conducting open source intelligence. One of my favorite tools is Tweetsniff from Xavier Mertens. It will grab a Twitter user timeline for further processing, for example in Elasticsearch.

Another tool that I recently discovered is Tinfoleak. Tinfoleak is build for Twitter intelligence analysis and provides you with an HTML file output.

I wanted to use Tinfoleak to build profiles of users to tune targeted phishing campaigns (spear phishing) forRead more.

Reducing Dwell Time With Automated Incident Response

I published an article on IBM Security Intelligence on Reducing Dwell Time With Automated Incident Response. The article covers collecting event information, sharing intelligence data and then moving towards automated incident response together with automated digital forensic acquisition (with MIG & GRR).

The incident response orchestration process covers TheHive, MISP, LogicHub and VMRay to extend further on automation.

Phishing website using imgur images as background

Another day, another phish. This day it concerns a phishing e-mail for a Belgian bank. The phishing e-mail looked like this The link is only viewable if you enable HTML content in the e-mail client.

The link points to the URL shortening service Bitly and then follows a couple of redirects (including another URL shortening service).

bitly.com, via HTTPS, received 301 Moved Permanently; go2l.ink, via HTTP, received 302 FOUND; A PHP pageRead more.

Understanding calling conventions during malware analysis

When you do analysis of malware in for example x64dbg or IDA Pro it’s important that you understand how functions are called, what arguments are passed to the function and how to recognize the local variables within that function.

Further down in this post are my notes from the SANS FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques course and the The IDA Pro Book.

First some core concepts.

A function is aRead more.

Risky Business #480 — Uber, Kaspersky woes continue – VMRay

I did my first podcast interview for Risky Business (hosted by Patrick Gray) and described how I use VMRay for automated malware analysis. I enjoyed it a lot! You can listen to at Risky Business #480 — Uber, Kaspersky woes continue, the part on VMRay starts at 41:30.

If you’re interested in integrating VMRay with MISP then have a look at

MISP EcoSystem – Threat Intelligence, VMRay, MISP from Koen Van ImpeRead more.

Stealing a cryptocurrency wallet. Or is it a metasploit reverse shell?

SANS ISC posted a diary on 9 Fast and Easy Ways To Lose Your Crypto Coins and a report on scans for Bitcoin wallet files.

This started me thinking about setting up a simple honeypot, pretending to be a self-decompressing crypto wallet archive and see if criminals would actually open that file, hoping it to be an unprotected crypto wallet.

Announce a “wallet.dat” / “wallet.zip” on public dump sites; Host the file on a publicRead more.

Integrate vulnerability information from VulnDB in MISP

MISP, Malware Information Sharing Platform & Threat Sharing is a feature-rich platform for sharing threat intelligence information. You can extend MISP so that it integrates nicely with your own security solutions via the MISP module extensions. These MISP module extensions, https://github.com/MISP/misp-modules/, allow you to

extend the MISP threat intelligence sharing platform without altering the core; connect and enrich the MISP information from other information providers; get started quickly without a need to study theRead more.

MISP-Dashboard, real-time visualization of MISP events

You are running a MISP instance and you want to visualize the MISP events in real-time?

MISP-Dashboard can do that! An example :

Vimeo video :

In this post I will walk you through how to setup MISP-Dashboard, based on the event data made available via botvrij.eu.

MISP-Dashboard is a new repository showing live data and statistics from the MISP ZMQ. It means you need to have MISP-ZMQ configured.

The MISP ZeroMQ pluginRead more.