Joe Security

Meet us at the #SwissCyberSecurityDays on Feb 12-13 in Fribourg and learn more about "Deep Malware Analysis". We are looking forward to meeting you there. #SCSD2020 @SCSDays https://buff.ly/2BS8LWx pic.twitter.com/vhaDQRGPRv

#Emotet changed TTP, now dropping JSE script from DOC instead of Powershell to download payload: https://buff.ly/37R1RyI  #Sigma rule for detection: https://buff.ly/2tfEMqI pic.twitter.com/7sHZzRDbIe

#Signed #Ryuk #Ransomware - #DigiCert UAB GT-servis - 2020-01-27 Analysis: https://buff.ly/2vuxWyj  VT: https://buff.ly/37yg4QZ pic.twitter.com/cZvKXCYwH0

#MsTscAx (Microsoft Terminal Services Client Control) - OnConnecting is a new VBA macro startup method actively being used by latest #crimeware downloaders. Executes only on W10. https://buff.ly/3aOar3d  #malware #DFIRpic.twitter.com/LrSsbLH6ZX

Config for this #AgentTeslapic.twitter.com/IT1iKqmZei

#AgentTesla distributors started using date-aware (e.g. < 20. Jan 2020) droppers: https://buff.ly/2GksoZu  1st stage -> decrypts dll -> dll decrypts png from 1st stage resources -> decrypted png is -> agent tesla exepic.twitter.com/mOhAhQ1ti5

#TrickBot continues to use innovative #sandbox #evasions. This time dummy code loops and total process char count. Evasion check script: https://buff.ly/36fNnHd  Full analysis report: https://buff.ly/2G9YPcZ  #dfir #infosec #malwarepic.twitter.com/e7iX7mH1Dw

We spotted some signed #malware using #CVE-2020-0601! Not yet sure if it is just research or pentesting. #Pony https://buff.ly/2NEEi4p  #Qbot https://buff.ly/2szJT4v  #AgentTesla https://buff.ly/3aiHsEy pic.twitter.com/GWp2IprNze

#NanoCore https://www.joesandbox.com/analysis/199087/0/html?idtype=analysisid#malware-configuration-pagination …pic.twitter.com/wUKGOvXbbd

#TrickBot https://www.joesandbox.com/analysis/199752/1/html#malware-configuration-pagination …pic.twitter.com/VZvSvvR5fq

#AgentTesla https://www.joesandbox.com/analysis/200460/0/html#malware-configuration-pagination …pic.twitter.com/rDH5Lb9z1Z

You want to get malware configs from recent #malware? Joe Sandbox v28 features extractors for #Azorult #NanoCore #Lokibot #Agenttesla #Emotet #Trickbot and many more! https://buff.ly/2tWs8gg pic.twitter.com/J7sQjE56UC

Deep .NET tracing files for #404Keylogger / #Phoenixkeylogger #EliteKeylogger (ref https://www.cybereason.com/blog/phoenix-the-tale-of-the-resurrected-alpha-keylogger …) http://www.joesecurity.org/resource/nettrace-c62f33cdf6b6cb782aa61087c29dc37f.zip … http://www.joesecurity.org/resource/dotnet-c62f33cdf6b6cb782aa61087c29dc37f.zip …pic.twitter.com/K0Qp5EGxJd

We have analyzed #AgentTesla 03baf522fb9c86bd5512a0ee72457f86 with our brand new Deep .NET tracing technology . Check it out: Blog Post: https://buff.ly/2QWdlKn  .NET tracing files: https://buff.ly/35vDZ1X  Decompiled .NET projects: https://buff.ly/2tIT3fu pic.twitter.com/8HTipYiwU5

Thank to all our customers and supporters for the great 2019! The Joe Security team wishes you success, satisfaction and many pleasant moments in 2020!pic.twitter.com/y1AG8n2w8Y

Evasive VBA macro droppers are on the raise! In our latest blog post we outline how the #evasion works and how Joe Sandbox bypasses it: Blog: https://buff.ly/2EBdvRj  Analysis Report: https://buff.ly/2sBfgeS  #malware #dfir #infosec #sandboxpic.twitter.com/btQQb1UfyK

We have successfully added new mappings from Joe Sandbox's #Android behavior signatures to MITRE's ATT&CK! Check-out the nice @MITREattack matrix for #Anubis / #BankBot analysis! https://buff.ly/2P6qkJx pic.twitter.com/1dLgl0B3Dw

Nice trick to remove system restore points found in #Clop #ransomware. Discovered by Hybrid Decompliation (disassembly on memory dumps). Ref @VK_Intel. Sample signed by Infoware Cloud Limited! https://buff.ly/37EB7BU  https://buff.ly/2QTEQpw pic.twitter.com/eEY9X0x6dP