QuoSec blog

eruptions from it-sec ops

Sep 10, 2020 - 6 minute read - Reverse Engineering

grap: Automating QakBot strings decryption

Our last grap post demonstrated how to use grap to create and find patterns within QakBot samples. This post focuses on QakBot’s documented strings decryption feature:
- Create patterns to find the function where it is implemented
- Extract relevant variables (decryption key…)
- Automate decryption: within IDA, and as a standalone script using pefile and grap bindings

References
[1] - Reversing Qakbot - https://hatching.io/blog/reversing-qakbot/
[2] - Deep Analysis of QBot Banking Trojan - https://n1ght-w0lf.

Sep 4, 2020 - 12 minute read - Reverse Engineering

Navigating QakBot samples with grap

grap is our tool to match binaries at the assembly code level, matching control flow graphs: https://github.com/QuoSecGmbH/grap/

This post demonstrates how to use grap to quickly find and analyse documented features (based on public reports) in published QakBot samples:
- All features and IOC described here are already published (see References)
- Samples are from Malpedia: win.qakbot
- We explain both the grap standalone tool and the IDA plugin

This is a tutorial demonstrating grap’s features with increasing complexity.

Jun 22, 2020 - 1 minute read - Presentations

Lecture: Forensics in the context of Incident Response

Here are supporting slides for an introductory lecture on “Forensics in the context of Incident Response”; it is aimed at students who already have basic security knowledge. The (remote) lecture took place at the Friedrich-Alexander-Universität Erlangen-Nürnberg (FAU) on 2020-06-17.

QuoSec_Forensics.pdf

Jun 2, 2020 - 18 minute read - OS timestamps

Testing updates of POSIX timestamps

Our last blog post discussed how POSIX specifies timestamp updates operated by interfaces and utilities, and we detailed the impact of common operations (a file being written to shall get updated MC). This post explores the POSIX timestamps specification more deeply and demonstrates how to design and implement compliance tests. Details and implementation target Linux, OpenBSD and FreeBSD. Code and documentation can be found here: https://github.com/QuoSecGmbH/os_timestamps/

1 - Scope
We will solely look into timestamps specified by POSIX: M (last data modification), A (last data access) and C (last file status change).

Dec 3, 2019 - 14 minute read - OS timestamps

MAC(B) Timestamps across POSIX implementations (Linux, OpenBSD, FreeBSD)

This blog post was first published in December 2019 on behalf of QuoScient on medium.com.

File timestamps are crucial forensics artifacts when investigating a machine during a security incident: they are regularly modified and can provide both primitive information (when the file was last modified) and inferred information (when the file was probably moved there from another file system). The “Windows Time Rules” from SANS [1] is an excellent resource on which MACB timestamp is updated by each common operation (file creation, file copy…) on Windows, and it did not have an equivalent in the Unix world.