Mindblown: a blog about DFIR.
-
Difference between SMB and CIFS
SMB (Server Message Block) and CIFS (Common Internet File System) are network file-sharing protocols allowing users to access and share files and directories over a network. While they have similarities, there are significant differences between them: Overall, the critical differences between SMB and CIFS are their platform compatibility, naming, versions, port numbers, feature sets, and…
-
How DHCP works
Dynamic Host Configuration Protocol (DHCP) is a network protocol devices use to automatically obtain an IP address and other network configuration parameters from a DHCP server. For malware analysts, understanding how DHCP works is crucial for analyzing and tracking network malware behavior. Here’s an explanation of how DHCP works from a malware analyst’s perspective: From…
-
How DNS works on browser surfing to Google.com
Let’s discuss how the Domain Name System (DNS) works when you use a browser to navigate the Google.com website. In summary, DNS plays a critical role in translating human-friendly domain names such as google.com into an IP address that browsers can use to establish a connection and fetch content from the web server providing the…
-
How Proxy works
A proxy server acts as an middle man between a client and a server, facilitating communication between them. Client requests a resource from a server, instead of directly contacting the server, the client sends the request to the proxy server, which forwards the request on behalf of the client to the server. The server then…
-
How Firewall works
A Firewall is a network security device (physical or virtual) that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of rules[3]. It acts as a barrier between the secured internal and external networks and helps protect against unauthorized access and potential threats. Firewalls…
-
EFLAGS flags
The different categories of registers in the IA-32 architecture along with examples and explanations of what each register does: These registers play a crucial role in assembly language programming. They are used for various purposes like storing data, managing program flow, accessing memory, and controlling the behavior of the processor. Understanding and efficiently utilizing these…
-
How Stack works
For a malware analyst, understanding the concept of the heap is crucial when analyzing malicious software and its memory management. The heap is a region of a computer’s memory used for dynamically allocating memory during the execution of a program. Here are some key points to know about the heap: Understanding the heap and its…
-
How Kerberos works
Kerberos is an authentication protocol that provides secure authentication over an insecure network. It was originally developed by MIT in the 1980s and is named after the mythical three-headed dog, Cerberus[1]. Kerberos authentication involves multiple components working together to verify and authenticate user identities[2][3]: Here’s an overview of how Kerberos authentication works: Throughout the process,…
-
OpcJacker
Based on the search results, here is a brief summary of OpcJacker: OpcJacker is a malware that has been reported to carry out a variety of malicious activities[1]. It is capable of logging keystrokes, capturing screenshots, stealing sensitive information from web browsers, loading additional modules, and manipulating cryptocurrency addresses in the system clipboard[1]. This malware…
-
ScrubCrypt
FortiGuard Labs recently discovered a new crypter variant called “ScrubCrypt” that targets vulnerable Oracle WebLogic servers. It is used by the mining group known as 8220 Gang. ScrubCrypt obfuscates and encrypts applications to evade detection. It includes features like anti-debugging, Reflective Injection, and registry manipulation.ScrubCrypt’s payloads are linked to crypto mining activities. Organizations should be…