Evilblog

I am going to do a short write up on page file forensic. As I post blog by keeping newbies in mind I will try to explain some important points in layman form which is important to understand this post for newbies. What is a Page file? In Windows, NT when RAM becomes full, the operating system uses your hard drive as virtual RAM and starts placing your data in page file which is called pagefile.sys in Windows NT. Even though reading and writing data from the page file is slower than actual RAM it is still better than crashing your program. This principle works on Paging which is a memory management technique if you want to learn more on paging than you can read it here . Investigating Page file to retrieve artifacts As we know page file has data to be used by the operating system we can make a copy of it ( or there are others way to do this also) and can fetch some juicy info to retrieve any useful information which can lead an investigator to take his next deci

Its been a while since I posted my last post. So I decided to do a quick writeup on social engineering attack. I will show how easy it is to phish someone using a Good social engineering attack. I will try to make this post noob-friendly to proof that how easy it is for anyone with good social engineering skills but with little to zero technical knowledge can phish a user. Even though I am not an expert at soc engineering I was able to take down some accounts.  Attack scenario This time I decide to attack random people, this was to see how difficult or easy to phish some random people. Preparing the Attack First I need to make a fake Facebook profile and it’s better to not use those type of profile which could be easily reverse search like some celebrity photo etc, so I used “ thispersondoesnotexist.com ” which generate fake person pic using AI techniques every time you refresh the page, so it would be good the choice for making this type of fake

Key point to remember PEB (Process environment block): Process environment block is data structure in Windows NT system. PEB can be used by other applications to get information like heap address, memory offsets or if the program is being debugged. Process hollowing or Hollow process injection is in memory code injection technique where a malware creates a process in suspended form, then rewrite the code with it’s malicious content inside memory then continues the execution. Malware authors use this technique because in this method, there’s nothing written on hard drive and it’s a good way to bypass most antivirus and signature base detection. How does hollow process work? Suppose there are two process x and y, here y is legit process which is also called a remote process and x is the malicious process. X creates a legit process in suspended state and the executable section of y loaded inside the memory. The malware gets the base address of this legit pro

What is cuckoo Sandbox Cuckoo is a dynamic malware analysis sandbox which is open source and completely free. We can submit any malicious binary file and cuckoo will provide a detailed report of the malicious file, including the behaviour of that file during execution.   What is Fileless Malware A fileless malware is a favorite technique for malware authors, what this type of malware does, it doesn’t write anything on the disk to bypass mostly string base detection. The malware executes an obfuscated command usually PowerShell and during run time antivirus could not detect the strings which are being executed and after injecting it in memory the command get deobfuscated. Cuckoo Interface and sample analysis To run cuckoo just type cuckoo from your terminal, this will start cuckoo service. Now to get the web interface type cuckoo run webserver this will start the cuckoo web interface on its defined URL and port address as shown below.