Proxmox & Cuckoo – a powerful combo for your home malware lab
I had some free time recently and decided to make use of an old desktop computer that was lying around. With a fairly strong hardware configuration, it was an ideal target for the home malware sandbox environment that I had long wanted but never had the chance to set up. If you want to analyze malware, a sandbox for dynamic analysis is always useful: it allows you to focus on the relevant parts of the behavior so you don’t waste time while debugging. Luckily, there are plenty of online sandboxes nowadays that one can use for free, but having your own can sometimes be an advantage. In this post, I will go through the process of setting up Cuckoo Sandbox running in Proxmox Virtual Environment, all on the same machine, running in your own network.
Author: dP
Anatomy of a personalized Cerber spam
Last week I was browsing Twitter when I found a tweet from Jaromir Horejsi about a spam mail with a Locky downloader that was personalized with his surname. The same day, I received a spam mail too, also with my surname in it. I’m always happy when this happens, as it gives me an opportunity to go down the rabbit hole and check what’s hidden in there.
Inside Locky’s downloader
After my last post I saw a lot of Locky-related spam, so I decided to take a look at the downloader script that I had skipped before. Almost all Locky downloader scripts that I have seen so far arrived at the endpoint through a spam mail that usually contains a ZIP or RAR archive with a single JavaScript file bearing a phishing name like swift_xxx.js or addition_xxx.js. I still find it puzzling why people keep clicking on these files, but it seems to be a very effective way of spreading this (and not only this) ransomware.
Locky is back
I received a nice spam mail today. Normally the anti-spam plugin on the mail server does a really nice job of filtering these out, but this one got through. As I had some spare time, I decided to check what was going on. A first look at the mail revealed that it was a malicious downloader. Naturally, I was curious about the payload, so I decided to investigate further.