Friday, December 3, 2021

Quick Malware Analysis: TA551/Shathak and Qakbot/Qbot pcap from 2021-01-26

Thanks to Brad Duncan for sharing this pcap!
https://www.malware-traffic-analysis.net/2021/01/26/index.html
https://isc.sans.edu/forums/diary/TA551+Shathak+Word+docs+push+Qakbot+Qbot/27030/

We did a quick analysis of this pcap on the latest version of Security Onion via so-import-pcap:
https://docs.securityonion.net/en/2.3/so-import-pcap.html

Below are some of the interesting Suricata alerts, Zeek logs, and session transcripts.

About Security Onion

Security Onion is a versatile and scalable platform that can run on small virtual machines and can also scale up to the opposite end of the hardware spectrum to take advantage of extremely powerful server-class machines.  Security Onion can also scale horizontally, growing from a standalone single-machine deployment to a full distributed deployment with tens or hundreds of machines as dictated by your enterprise visibility needs.

To learn more about Security Onion, please see:
https://securityonion.net
https://securityonion.net/docs

More Samples

Find all of our Quick Malware posts at:
https://blog.securityonion.net/search/label/quick%20malware%20analysis

Screenshots



















Wednesday, December 1, 2021

Security Onion 2.3.90 AIRGAP Hotfix Now Available!

We recently released Security Onion 2.3.90 and a WAZUH hotfix:
https://blog.securityonion.net/2021/11/security-onion-2390-now-available.html
https://docs.securityonion.net/en/2.3/release-notes.html#hotfix-wazuh

Today, we are releasing an additional hotfix:
https://docs.securityonion.net/en/2.3/release-notes.html#hotfix-airgapfix

This hotfix is primarily intended for Internet-connected (NOT airgap) distributed deployments built using either of the previous 2.3.90 versions. Deployments built before 2.3.90 are NOT affected.

If you haven't updated recently, then you should review the 2.3.90 blog posts linked above so that you are aware of all recent changes.

Internet-Connected Deployments

If your Security Onion deployment has Internet access, simply run "sudo soup" as described here:
https://docs.securityonion.net/en/2.3/soup.html

Airgap Deployments

If you have an airgap deployment, download the new ISO image from the usual location:

https://securityonion.net/download

Then follow the steps here:

https://docs.securityonion.net/en/2.3/airgap.html#security-onion-version-updates

Questions or Problems

If you have questions or problems, please see our community support forum guidelines:

https://docs.securityonion.net/en/2.3/community-support.html

You can then find the community support forum at:

https://securityonion.net/discuss

Quick Malware Analysis: Gigi, Bazarloader, and IcedId pcap from 2021-11-24

Thanks to Brad Duncan for sharing this pcap!
https://www.malware-traffic-analysis.net/2021/11/24/index.html

We did a quick analysis of this pcap on the latest version of Security Onion via so-import-pcap:
https://docs.securityonion.net/en/2.3/so-import-pcap.html

Below are some of the interesting Suricata alerts, Zeek logs, and session transcripts.

About Security Onion

Security Onion is a versatile and scalable platform that can run on small virtual machines and can also scale up to the opposite end of the hardware spectrum to take advantage of extremely powerful server-class machines.  Security Onion can also scale horizontally, growing from a standalone single-machine deployment to a full distributed deployment with tens or hundreds of machines as dictated by your enterprise visibility needs.

To learn more about Security Onion, please see:
https://securityonion.net
https://securityonion.net/docs

More Samples

Find all of our Quick Malware posts at:
https://blog.securityonion.net/search/label/quick%20malware%20analysis

Screenshots












Tuesday, November 30, 2021

Quick Malware Analysis: Emotet Epoch 5 pcap from 2021-11-26

Thanks to Brad Duncan for sharing this pcap!
https://www.malware-traffic-analysis.net/2021/11/29/index.html

We did a quick analysis of this pcap on the latest version of Security Onion via so-import-pcap:
https://docs.securityonion.net/en/2.3/so-import-pcap.html

Below are some of the interesting Suricata alerts, Zeek logs, and session transcripts.

About Security Onion

Security Onion is a versatile and scalable platform that can run on small virtual machines and can also scale up to the opposite end of the hardware spectrum to take advantage of extremely powerful server-class machines.  Security Onion can also scale horizontally, growing from a standalone single-machine deployment to a full distributed deployment with tens or hundreds of machines as dictated by your enterprise visibility needs.

To learn more about Security Onion, please see:
https://securityonion.net
https://securityonion.net/docs

More Samples

Find all of our Quick Malware posts at:
https://blog.securityonion.net/search/label/quick%20malware%20analysis

Screenshots













Monday, November 29, 2021

Quick Malware Analysis: Hancitor and Cobalt Strike pcap from 2021-04-07

Thanks to Brad Duncan for sharing this pcap!
https://www.malware-traffic-analysis.net/2021/04/07/index.html

We did a quick analysis of this pcap on the latest version of Security Onion via so-import-pcap:
https://docs.securityonion.net/en/2.3/so-import-pcap.html

Below are some of the interesting Suricata alerts, Zeek logs, and session transcripts.

About Security Onion

Security Onion is a versatile and scalable platform that can run on small virtual machines and can also scale up to the opposite end of the hardware spectrum to take advantage of extremely powerful server-class machines.  Security Onion can also scale horizontally, growing from a standalone single-machine deployment to a full distributed deployment with tens or hundreds of machines as dictated by your enterprise visibility needs.

To learn more about Security Onion, please see:
https://securityonion.net
https://securityonion.net/docs

More Samples

Find all of our Quick Malware posts at:
https://blog.securityonion.net/search/label/quick%20malware%20analysis

Screenshots