Tuesday 14 April 2015

Investigating threats with ThreatCrowd - Tutorial

This post is a brief tutorial showing how to use ThreatCrowd to quickly find and pivot on threats, and how it can fit in with other tools.

Lets look at some Spearphishes
This table lists some of the malware listed in ThreatCrowd with a .doc or .pdf extension.

These serve as a good place to start looking for interesting themes.

Lets take a look at the potentially interesting sounding file "Secret nuclear reactor deal for Pakistan.doc" at https://www.threatcrowd.org/malware.php?md5=dabca84ea12d60418a652300727f1f00

This refers us to the malwr.com sandbox report https://malwr.com/analysis/MDA3OWVmODg0YzUyNDczZThjOGYzYjhlMWMzMDI0ODc/ . This is worth viewing for the detail - ThreatCrowd is designed to quickly find related entities like a search engine, and lacks the actual detailed information that is found on sites like malwr.com.

Here I've right clicked on the domain "alerymymail[.]com" to pivot. I could also zoom in by scrolling with the mouse.

The page for the domain looks like this:

At this point we could pivot through on domains, ip addresses, malware detections and whois data.

Further Tools
Sites such as Passive Total (https://www.passivetotal.org) and VirusTotal (https://www.virustotal.com/en/documentation/private-api/) can be used to add identify further information.
Tools such as Maltego (https://www.paterva.com/web6/) can be used to build graphs of this activity - ThreatCrowd will only allow you to view it.

No comments:

Post a Comment