Posts

Showing posts from January, 2019

Backtrack phishing email using Open-source intelligence gathering

Recently someone sent me a spam email address and asked me to analyse whether it is used for phishing or as a malware dropper. The email address I received was lyuda_sereda@bk.ru, so I started by searching the email's domain on stopforumspam.com, which showed that this domain has been used for a lot of malicious activity. Scrolling down, I found that this domain is associated with several malicious IP addresses used in phishing campaigns. Investigating on VirusTotal, I found files (identified by the hashes shown) that communicate with this domain. The whois record of the domain shows it is registered in Russia. Searching on URLVoid, I found that the site is listed on a domain blacklist, and the server location is also shown as the Russian Federation. Searching the domain's IP on cymon.io shows that it was also associated with a malicious PE file. So the conclusion is that this email domain is mostly used for phishing campaigns and for delivering malicio

WannaCry ransomware analysis: detecting malicious network indicators and memory strings

In this post I will try to analyse the WannaCry ransomware: I will do a behaviour analysis and see what malicious network indicators we get and what commands it executes. Getting the binary: I downloaded the ransomware binary from theZoo, a repository that contains binaries of many malware samples that you can experiment with in a safe environment. Next, I prepared Wireshark for network detection, to see what DNS requests it generates on launch, and Process Hacker for a deeper look at the processes the malware creates. On launching it, we can see that my system has been infected with the ransomware: my files are encrypted, the desktop wallpaper has changed to a WannaCry message, and a popup on my screen gives details about what just happened to my system. Going back to Process Hacker, we can see that a file named with a hash followed by .exe has started; on analysing it we can see it is executing from the desktop. Now we will