Example Analysis of Spear-phishing email

A good example of a detailed malware investigation is available in the SANS Reading Room.

It is useful for learning not only about spear-phishing threats but also about investigation techniques.

Case highlights:

  • Spear-phishing email with an attachment
  • The malware is multi-partite: it consists of a dropper, a droppee and at least three Trojan-Spies.
  • The malware sends the collected intelligence back to the C&C server inside encrypted HTTP traffic,
    which makes it harder to detect.
  • The intruder performed intensive prior reconnaissance on the targeted victim.
  • Emphasis on spying functions, including generating screen captures, harvesting email and instant-messaging passwords, and collecting the names of every file on the victim's machine.
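One cheap check that follows from the C&C highlight above: when exfiltration rides in plaintext HTTP but the body is encrypted, the body's byte entropy sits close to 8 bits per byte, while ordinary form posts and JSON sit far lower. The Python below is an added example, not code from the SANS paper or from this blog; it parses raw HTTP/1.x requests (as you might export them from Wireshark), scores each body's Shannon entropy, re-measures after base64 decoding so an encoded ciphertext blob is not missed, and flags likely encrypted uploads. The sample requests, the hostnames, the 7.0 bits/byte threshold and the SHA-256 chain standing in for ciphertext are all constructed for this example.

```python
import base64
import hashlib
import math
import re
from collections import Counter

HIGH_ENTROPY = 7.0   # bits/byte threshold (assumption); encrypted data approaches 8.0
MIN_BODY = 64        # bodies shorter than this give unreliable entropy estimates
_B64 = re.compile(rb"^[A-Za-z0-9+/=\r\n]+$")


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode(errors="replace")
    return method.decode(), path.decode(), headers, body


def triage_request(raw: bytes) -> dict:
    """Score one request; flag bodies that look encrypted (raw or base64-wrapped)."""
    method, path, headers, body = parse_request(raw)
    entropy = shannon_entropy(body)
    decoded_entropy = None
    # Base64 caps entropy near 6 bits/byte, so an encoded ciphertext blob would
    # slip under the threshold: decode and measure again when the body is all base64.
    if len(body) >= MIN_BODY and _B64.match(body):
        try:
            decoded_entropy = shannon_entropy(base64.b64decode(body))
        except ValueError:   # binascii.Error is a ValueError subclass
            decoded_entropy = None
    effective = max(entropy, decoded_entropy or 0.0)
    return {
        "method": method,
        "path": path,
        "host": headers.get("host", ""),
        "content_type": headers.get("content-type", ""),
        "length": len(body),
        "entropy": round(entropy, 2),
        "decoded_entropy": None if decoded_entropy is None else round(decoded_entropy, 2),
        "flagged": len(body) >= MIN_BODY and effective >= HIGH_ENTROPY,
    }


def triage_all(requests) -> list:
    return [triage_request(r) for r in requests]


# --- constructed sample traffic (not real captures) -------------------------

def _pseudo_ciphertext(n: int) -> bytes:
    """Deterministic stand-in for an encrypted payload: a SHA-256 chain, not encryption."""
    out, block = b"", b"example-seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


def _build(method: str, path: str, headers: dict, body: bytes = b"") -> bytes:
    head = f"{method} {path} HTTP/1.1\r\n"
    head += "".join(f"{k}: {v}\r\n" for k, v in headers.items())
    if body:
        head += f"Content-Length: {len(body)}\r\n"
    return head.encode() + b"\r\n" + body


_CT = _pseudo_ciphertext(1024)
SAMPLE_REQUESTS = [
    _build("GET", "/index.html", {"Host": "intranet.example"}),
    _build("POST", "/login",
           {"Host": "intranet.example", "Content-Type": "application/x-www-form-urlencoded"},
           b"user=alice&password=hunter2&lang=en&remember=1&next=%2Fhome"),
    _build("POST", "/api/heartbeat",
           {"Host": "monitor.example", "Content-Type": "application/json"},
           b'{"event": "heartbeat", "host": "ws-17", "uptime": 86400, "status": "ok"}'),
    # Hypothetical C&C host: raw ciphertext in one request, base64-wrapped in the other.
    _build("POST", "/update",
           {"Host": "cdn-sync.example.net", "Content-Type": "application/octet-stream"}, _CT),
    _build("POST", "/sync",
           {"Host": "cdn-sync.example.net", "Content-Type": "text/plain"},
           base64.b64encode(_CT)),
]

if __name__ == "__main__":
    for r in triage_all(SAMPLE_REQUESTS):
        mark = "SUSPECT" if r["flagged"] else "ok     "
        print(f'{mark} {r["method"]:4} {r["host"]:22} {r["path"]:15} '
              f'len={r["length"]:5} H={r["entropy"]:.2f} dec={r["decoded_entropy"]}')
```

Treat this as a triage heuristic, not a verdict: gzip-compressed uploads, images and legitimate encrypted blobs score just as high, so in practice you filter by Content-Encoding and known-good destinations first and then look at the remaining high-entropy POSTs to unfamiliar hosts.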

The following tools were used:

  • Autoruns
  • Process Explorer
  • Process Monitor
  • ListDLLs
  • TCPView
  • VMMap
  • WinObj
  • BinText
  • Regshot
  • CaptureBAT
  • HandleDiff
  • Wireshark
  • Malcode Analysis Pack
  • REMnux
  • UPX
  • FileInsight
  • OllyDbg
  • IDA Pro Freeware
  • PEiD
  • Stud PE