Hello, welcome to the Thursday, April 9th, 2020 edition of the Sandtonet Storms,

Stomast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Brad today looked at another copy of the C-loader malware.

What was sort of a little bit interesting here that the actual email that tricked the user

into opening the file was written in German and, well, came from an Australian from address.

Now, the attachment was a SIP file that then unciped into a VBS file.

So very typical pattern here that we have seen many, many times before.

And then what's also more and more common that the follow-on traffic,

where the loader actually downloads,

the malware is all HTTP.

Brad is discussing how to deal with that.

In this particular case, he essentially just set up a man in the middle to retrieve keys

to then decrypt the traffic.

And as usual, Brad is making a sanitized copy of the P-Cap and the decryption keys available.

So you can actually go through the procedure to decrypt the traffic. This is very similar to collecting the

pre-master secrets from the browser. You may have done that. That's not that hard, for example,

in Chrome. But here, the endpoint, of course,

was the proxy, so the premaster secrets had to be retrieved from the proxy in order to then

decrypt the packet capture. It's a real nice exercise here to sharpen your pack analysis skills to follow Brad's work here.

And like I said, all the P-Caps are available, all the key files are available, and he walks you step by step through the process of actually analyzing the traffic.

Great refresher, of course, if you ever took the SEC 503 intrusion

...