{"id":49,"date":"2022-05-13T06:35:41","date_gmt":"2022-05-13T06:35:41","guid":{"rendered":"https:\/\/blogs.oregonstate.edu\/garciae4\/?p=49"},"modified":"2022-05-13T06:35:41","modified_gmt":"2022-05-13T06:35:41","slug":"new-setup-who-dis","status":"publish","type":"post","link":"https:\/\/blogs.oregonstate.edu\/garciae4\/2022\/05\/13\/new-setup-who-dis\/","title":{"rendered":"New Setup Who Dis?"},"content":{"rendered":"\n<p>Everything is finally running. Switching to a modern OS really helped out. Setting everything up was way easier since I knew what I was doing and what I was looking for. My sample of Ficker stealer was also able to run in the new VM without issues; I reverted to a previous snapshot afterwards. Having a new VM set up and running in an isolated network got me wondering if any differences would show up in any static analysis. I didn&#8217;t find anything too different, but I guess in the end I expected that result. The biggest difference was that I could now properly run dynamic analysis on the malware. I ran a bit of dynamic analysis mainly focused on finding where the malware was storing files before sending them out. I found that the malware didn&#8217;t actually write anything to memory; no files are written to a file or folder before being sent out. This means that all the stolen info is likely being sent out after it is captured, so I&#8217;ll have to change my approach to how I view these, likely using a packet sniffer, if the fake network activity doesn&#8217;t trip anything in the malware. I was also disappointed that I couldn&#8217;t find a GUI for the malware, as PEiD said the malware was GUI based. I&#8217;ll be doing some more online research into the malware itself to see why that is; maybe I&#8217;ll find out some cool facts on it while I&#8217;m at it.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Everything is finally running. Switching to a modern OS really helped out. 
Setting everything up was way easier since I knew what I was doing and what I was looking for. My sample of Ficker stealer was also able to run in the new VM without issues; I reverted to a previous snapshot afterwards. Having [&hellip;]<\/p>\n","protected":false},"author":12235,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-49","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/blogs.oregonstate.edu\/garciae4\/wp-json\/wp\/v2\/posts\/49","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogs.oregonstate.edu\/garciae4\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.oregonstate.edu\/garciae4\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.oregonstate.edu\/garciae4\/wp-json\/wp\/v2\/users\/12235"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.oregonstate.edu\/garciae4\/wp-json\/wp\/v2\/comments?post=49"}],"version-history":[{"count":1,"href":"https:\/\/blogs.oregonstate.edu\/garciae4\/wp-json\/wp\/v2\/posts\/49\/revisions"}],"predecessor-version":[{"id":50,"href":"https:\/\/blogs.oregonstate.edu\/garciae4\/wp-json\/wp\/v2\/posts\/49\/revisions\/50"}],"wp:attachment":[{"href":"https:\/\/blogs.oregonstate.edu\/garciae4\/wp-json\/wp\/v2\/media?parent=49"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.oregonstate.edu\/garciae4\/wp-json\/wp\/v2\/categories?post=49"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.oregonstate.edu\/garciae4\/wp-json\/wp\/v2\/tags?post=49"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}