Hello and welcome to the Wednesday, June 28, 2003 edition of the Sanchez Storm Center's Stormcast.

My name is Johannes Ulrich and I'm recording from Stockholm, Germany.

Xavier today wrote a diary, lifting a little bit of the curtain about how matter analysis is done sort of at scale. And the key here is really triage,

basically finding the samples that are worthwhile to analyze further. So the two methods that

Xavi is introducing here is one, a quick sort of tool chain to extract malicious files or files, period, from emails,

then running them through, for example, some Yara rules and such to find interesting things.

Secondly, a tool that I actually wasn't familiar with, and Xavier said he learned about this

from Jim Glossing, another handler of us.

And that tool is called QuickScope.

QuickScope, typically runs in a Docker container.

And one of the big advantages is that, first of all, it's customizable, but it also can deal with a wide range of different files, executables for different operating systems, even like APK files

and such, unpack them and then run some basic static analysis against them in order, again,

to do some simple signature matching and essentially figure out what's worthwhile analyzing further. My sort of quick take on some of the triage is also that one thing that I like to do is

if it's just a random sample that I received in an email and it does already trigger signatures

in common anti-malware tools, then typically it's less interesting to do sort of a

complete analysis on it. Of course, this may also depend a little bit on the context if the sample

was involved in an actual compromise or if this is just something that you received in an email

but are pretty certain that it hasn't actually been

executed yet.

And then we got yet another variety of the Rohhammer attack.

This one comes from researchers at ETH Surich.

And the problem here is, well, actually, let's first talk a bit about Rohammer. Rohammer means that

...