JavaScript Malware Deobfuscation: The Vjw0rm.js Report

The Vjw0rm script is JavaScript malware with layered obfuscation. It is a Remote Access Trojan (RAT) designed to perform various malicious operations on a Windows system through the Windows Script Host (WSH) environment. When run, it decodes obfuscated instructions and executes additional payloads. It gathers information about the infected system, modifies the registry, and copies itself to persistent locations so that it runs at startup. The script then sets up a command-and-control channel to a remote server, possibly to receive commands or to send collected data.


njRAT.exe Report

In this exercise, I analyzed a Remote Access Trojan binary, njRAT.exe, sourced from the Zoo malware repository on GitHub. Analysis revealed that the sample was originally compiled in 2013 as EnKSaR.HaCKeR.exe. The malware is designed to grant an attacker remote control over a victim's computer. My analysis showed that, upon execution, the sample launched additional payloads, including njRAT.exe, njq8.exe, and windows.exe. The second-stage payload, njq8.exe, generated windows.exe, which added itself to the Windows Firewall exceptions and listened on port 1177 for a remote connection. Simulating an attack from a REMnux machine, I connected to the open port and observed the malware recording system details such as architecture, date, and active applications.


Network Traffic Analysis with Security Onion

In this exercise, I investigate an incident in which a user was compromised through a malicious email. My goal is to determine how the computer became infected and to document my findings. The exercise was obtained from malware-traffic-analysis.net and contains a packet capture of the incident, the incident artefacts, the incident logs, and four associated emails. This blog post is divided into the following sections to aid clarity and understanding: Preparation, Initialization, Analysis with Kibana, Analysis with Sguil, Observation of Suspicious Emails, Analysis with Wireshark, Log Inspection, Malware Artefact Inspection, and Summary.
