This post is a brief tutorial showing how to use ThreatCrowd to quickly find and pivot on threats, and how it can fit in with other tools.

Lets look at some Spearphishes
This table lists some of the malware listed in ThreatCrowd with a .doc or .pdf extension.

These serve as a good place to start looking for interesting themes.

Lets take a look at the potentially interesting sounding file "Secret nuclear reactor deal for Pakistan.doc" at https://www.threatcrowd.org/malware.php?md5=cb2faf99e94e7b4fd5267274e22de397

This refers us to the malwr.com sandbox report https://malwr.com/analysis/MDA3OWVmODg0YzUyNDczZThjOGYzYjhlMWMzMDI0ODc/ . This is worth viewing for the detail - ThreatCrowd is designed to quickly find related entities like a search engine, and lacks the actual detailed information that is found on sites like malwr.com.

Here I've right clicked on the domain "alerymymail[.]com" to pivot. I could also zoom in by scrolling with the mouse.

The page for the domain looks like this:

At this point we could pivot through on domains, ip addresses, malware detections and whois data.

Further Tools
Sites such as Passive Total (https://www.passivetotal.org) and VirusTotal (https://www.virustotal.com/en/documentation/private-api/) can be used to add identify further information.
Tools such as Maltego (https://www.paterva.com/web6/) can be used to build graphs of this activity - ThreatCrowd will only allow you to view it.

No comments:

Post a Comment