At work, we have this thing on Fridays called power up time. It is the last 4 hours of the week to work on personal projects, test new ideas to see if they are worth implementing, or self improvement. Most weeks it is when I get to look at the most tickets doing Tactical level intelligence since the rest of the week is filled with project or priority case work.
Recently while working on tactical level information for SOC tickets, I was able to add in a little fun, and actually power up. I wanted to do some reverse engineering of the malware associated with the ticket, to see if there was more IOCs that could be extracted.
Earlier in the day I read an email in the SANS DFIR alumni list, which included someone talking about using Remnux with docker. So later in the the day working the ticket, and because I didn’t have a Remnux box, I decided to check out the docker containers. This was also my first time working with docker as well. Starting at Lenny Zeltzer’sRemnux Docker Site.
I went to my linux vm, a box that gets reset to the fresh installed state via snapshot after each use. After a sudo apt install docker.io and a sudo docker pull remnux/pescanner I had the container.
I ran it and learned a little bit about docker. I also got an understanding of some of the information that VirusTotal displays under the detail tab.
I’ve made it through the June and July 2013 posts on Malware Traffic Analysis. I’m starting to understand his process more, and partially how he came to follow that process.
Mainly from what I could tell, and was confirmed in the blog posts, and via twitter, The site explodes malware on systems and gets pcaps for those systems. Then looks to see what call outs are there. The exercises and blog posts, so far, have only shown 1 ip address. Which makes it easier than a full corporate network to find the traffic.
Something I noticed. While Malware Traffic Analysis says to configure Wireshark one way, the blog posts of late show it’s now configured a little differently.