Cuckoo VM for Malware Analysis

If you do not want to put some time in installing your own Cuckoo Sandbox for different reasons, then you could just download the Virtual Machine (VM) that I have prepared. What I’ve done is get Cuckoo to run in a VM, so you might be asking what does that mean? Well, it means that first Cuckoo is running in a VM and second that Cuckoo will be running its analysis within another VM. Yes, a VM in another VM or what is technically called “Nested Virtualization“. I used VMWare for my VM, but since I’ve exported it to OVA, then you should be good to just import and run.
Continue reading

Can We Say Farewell to Hiding Malicious EXEs in Stealth ADS

One of my current students asked if using Stealth Alternate Data Streams (ADS), could bypass AVs? Therefore, I wanted to prove that for the student by doing a simple experiment. What was done is the following:
1. Turned off Windows Defender on my Windows System (used for testing)
2. Created a malicious reverse shell (reverse meterpreter) and copied it over to my Windows system. It was named rev.exe.

Contents of the directory I copied the rev.exe to:

3. Created a reverse shell listener (multi-handler) on my attacking system (Kali) and was waiting for the victim machine to connect back to it.

4. Used the commands we know to hide the reverse shell named “rev.exe” in LPT1.txt and then checked the contents of the temp directory (location of files) using FTK Imager
Continue reading