Tools: CyberChef
CyberChef recipe: pastebin
ISC diary entry: Video: CyberChef BASE85 Decoding
malware
Adding BASE85 To base64dump.py
Cobalt Strike & DNS – Part 1
Tools: cs-dns-stager.py, base64dump.py and 1768.py
Capture file: https://www.malware-traffic-analysis.net/2021/05/21/index2.html
ISC diary entry: Video: Cobalt Strike & DNS – Part 1
Making Sense Of Encrypted Cobalt Strike Traffic
Tools: 1768.py.
Brad’s post with pcap file: 2021-05-13 (THURSDAY) – HANCITOR WITH FICKER STEALER AND COBALT STRIKE
Decoding Cobalt Strike Traffic
Tools: parse-cs-http-traffic.py, 1768.py, pecheck.py and pybeacon.
ISC diary entry: Decoding Cobalt Strike Traffic
Finding Metasploit & Cobalt Strike URLs
oledump and YARA DDE Rules
Tools: oledump.py, YARA.
NVISO blog post: Detecting DDE in MS Office documents
ISC diary entry: DDE and oledump
tshark & Malware Analysis
Decoding a Payload Using a Dynamic XOR Key
Tool: XORSelection.1sc
Sample: 8f4654952833b7d7b7db02ca7cb6c2f6cb9c3c545dc51124b0f18588b3c4e1c0
Blog post: Update: XORSelection.1sc Version 6.0
If you want to skip the part explaining my script XORSelection, you can jump directly to the dynamic XOR-key explanation.
