{"id":351,"date":"2011-11-03T13:41:23","date_gmt":"2011-11-03T11:41:23","guid":{"rendered":"http:\/\/saisa.eu\/blogs\/Guidance\/?p=351"},"modified":"2011-11-03T13:47:03","modified_gmt":"2011-11-03T11:47:03","slug":"example-analysis-of-spear-phishing-email","status":"publish","type":"post","link":"https:\/\/saisa.eu\/blogs\/Guidance\/?p=351","title":{"rendered":"Example Analysis of Spear-phishing email"},"content":{"rendered":"<p>There is a good example of a <a title=\"A Detailed Analysis of an Advanced Persistent Threat Malware\" href=\"http:\/\/www.sans.org\/reading_room\/whitepapers\/malicious\/detailed-analysis-advanced-persistent-threat-malware_33814\">detailed investigation<\/a> of a malware sample, available in the SANS <a href=\"http:\/\/www.sans.org\/reading_room\/\">reading room<\/a>.<\/p>\n<p>It is good for learning, not only about spear-phishing threats, but also about investigation techniques.<\/p>\n<p>Case highlights:<\/p>\n<ul>\n<li>Spear-phishing email with an attachment<\/li>\n<li>The malware is multi-partite: a dropper, a droppee and at least three Trojan-Spy components<\/li>\n<li>The malware uses encrypted HTTP traffic to transmit the collected intelligence back to its C&amp;C server, which makes it difficult to detect<\/li>\n<li>The intruder performed intensive reconnaissance on the targeted victim beforehand<\/li>\n<li>Emphasis on spying functions, including screen capture, harvesting of email and messaging passwords, and collection of file name listings from the victim\u2019s machine<\/li>\n<\/ul>\n<p>The following tools were used in the analysis:<\/p>\n<ul>\n<li>Autoruns<\/li>\n<li>Process Explorer<\/li>\n<li>Process Monitor<\/li>\n<li>ListDLLs<\/li>\n<li>TCPView<\/li>\n<li>VMMap<\/li>\n<li>WinObj<\/li>\n<li>BinText<\/li>\n<li>Regshot<\/li>\n<li>CaptureBAT<\/li>\n<li>HandleDiff<\/li>\n<li>Wireshark<\/li>\n<li>Malcode Analysis Pack<\/li>\n<li>REMnux<\/li>\n<li>UPX<\/li>\n<li>FileInsight<\/li>\n<li>OllyDbg<\/li>\n<li>IDA Pro Freeware<\/li>\n<li>PEiD<\/li>\n<li>Stud_PE<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>There is a good example of a detailed investigation of a malware sample, available in the SANS reading room. It is good for learning, not only about spear-phishing threats, but also about investigation techniques. Case highlights: Spear-phishing email with an attachment The &hellip; <a href=\"https:\/\/saisa.eu\/blogs\/Guidance\/?p=351\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[49,47,44],"tags":[],"_links":{"self":[{"href":"https:\/\/saisa.eu\/blogs\/Guidance\/index.php?rest_route=\/wp\/v2\/posts\/351"}],"collection":[{"href":"https:\/\/saisa.eu\/blogs\/Guidance\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/saisa.eu\/blogs\/Guidance\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/saisa.eu\/blogs\/Guidance\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/saisa.eu\/blogs\/Guidance\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=351"}],"version-history":[{"count":2,"href":"https:\/\/saisa.eu\/blogs\/Guidance\/index.php?rest_route=\/wp\/v2\/posts\/351\/revisions"}],"predecessor-version":[{"id":353,"href":"https:\/\/saisa.eu\/blogs\/Guidance\/index.php?rest_route=\/wp\/v2\/posts\/351\/revisions\/353"}],"wp:attachment":[{"href":"https:\/\/saisa.eu\/blogs\/Guidance\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=351"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/saisa.eu\/blogs\/Guidance\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=351"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/saisa.eu\/blogs\/Guidance\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=351"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
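The case highlights note that the malware sends its collected intelligence to the C&C server over encrypted HTTP, which defeats content-based signatures. What an analyst reviewing a Wireshark capture still has is the shape of the traffic: bodies that look like random bytes, and uploads that recur on a fixed timer. The script below is an added example, not code from the SANS paper or from this blog, that scores outbound HTTP POSTs on both properties. The host names, URIs, timings and bodies are constructed for the example and are not indicators from the analysed case.

```python
import math
import random
from collections import defaultdict
from datetime import datetime, timedelta

ENTROPY_THRESHOLD = 7.0   # bits per byte; form data and plaintext usually stay well below 6
MAX_JITTER = 0.10         # coefficient of variation of the gaps between requests
MIN_POSTS = 3             # need a few requests to a host before judging periodicity


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input).
    Encrypted or compressed payloads approach 8.0; ASCII text sits around 4-5."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def beacon_jitter(timestamps):
    """Coefficient of variation (std / mean) of the gaps between consecutive
    requests. A value near 0 means a fixed-interval beacon. Returns None when
    there are fewer than two gaps, i.e. too little data to judge."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    mean = sum(gaps) / len(gaps)
    if mean == 0:
        return None
    var = sum((g - mean) ** 2 for g in gaps) / len(gaps)
    return math.sqrt(var) / mean


def flag_suspicious_hosts(posts, entropy_threshold=ENTROPY_THRESHOLD,
                          max_jitter=MAX_JITTER, min_posts=MIN_POSTS):
    """Group POST records ({'ts','host','uri','body'}) by destination host and
    return {host: [reasons]} for hosts whose bodies all look encrypted and/or
    whose request timing looks like a beacon."""
    by_host = defaultdict(list)
    for p in posts:
        by_host[p["host"]].append(p)
    findings = {}
    for host, group in by_host.items():
        if len(group) < min_posts:
            continue
        reasons = []
        entropies = [shannon_entropy(p["body"]) for p in group]
        if min(entropies) >= entropy_threshold:
            reasons.append(f"all {len(group)} bodies have entropy >= {entropy_threshold}")
        jitter = beacon_jitter(p["ts"] for p in group)
        if jitter is not None and jitter <= max_jitter:
            reasons.append(f"regular request interval (jitter {jitter:.2f})")
        if reasons:
            findings[host] = reasons
    return findings


def constructed_sample():
    """Constructed traffic, not captured from the SANS case: a benign web-form
    host with irregular, low-entropy posts, and a hypothetical host that
    receives 1 KiB of random-looking data roughly every 60 seconds."""
    rng = random.Random(1234)
    t0 = datetime(2011, 11, 3, 9, 0, 0)
    posts = []
    for offset, body in zip([0, 37, 447, 542], [
            b"user=alice&comment=Thanks+for+the+quick+reply",
            b"user=bob&comment=Can+we+move+the+meeting+to+Friday%3F",
            b"user=alice&comment=Attached+the+revised+agenda",
            b"user=carol&comment=Works+for+me"]):
        posts.append({"ts": t0 + timedelta(seconds=offset),
                      "host": "forms.example", "uri": "/comment", "body": body})
    for i in range(5):
        posts.append({"ts": t0 + timedelta(seconds=60 * i + rng.randint(-2, 2)),
                      "host": "update-cdn.example", "uri": "/check.php",
                      "body": bytes(rng.getrandbits(8) for _ in range(1024))})
    return posts


def analyze_constructed_sample():
    return flag_suspicious_hosts(constructed_sample())


if __name__ == "__main__":
    for host, reasons in analyze_constructed_sample().items():
        print(host, "->", "; ".join(reasons))
```

Entropy on its own is a weak signal, since legitimate TLS, compressed uploads and image posts are equally random-looking, so the script only reports a host when several requests to it share the property, and it scores the timing regularity separately; a host that trips both checks is worth pulling the process-to-socket mapping for with TCPView or Process Monitor.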