Ask HN: I found malware on GitHub. How do I analyze the malware further?
11 by koheripbal | 2 comments on Hacker News.
I have discovered some malicious behavior (corrected from title) in [Mark Text](https://ift.tt/2oT2mTN).... I ran Fiddler to profile Mark Text, and the program phones home... and more.... It exports a few basic things [such as your public IP address](https://ift.tt/3fRE9Hv), and then a bunch of encrypted data (cannot decipher). ...then it downloads a packaged Chrome extension app (CR24 format). ...when unzipping that file, you can see [a base64 encoded payload](https://ift.tt/2KTywgK) - which expands [to this](https://ift.tt/3loPUXl), and then an [unencrypted list of websites](https://ift.tt/37jhb8A), which is very clearly malicious. To be clear, I downloaded this [directly from GitHub](https://ift.tt/2oT2mTN). Unfortunately, my skills are limited and I cannot find references to the initial malicious URL in the code - though I did discover that you can [search GitHub code like this...](https://ift.tt/39zZSmt) Credit to /u/Phily83 for first [seeing the network activity](https://ibb.co/zbHxbBv).
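The "unzip the CR24 file, then decode the base64 blob" step from the post, as an added analyst's example (not code from the post or from Mark Text). The CRX2/CRX3 header layout is Chrome's; the function names, the heuristic regex and the sample archive are constructed for this illustration, and the dummy key, signature and protobuf header are placeholders rather than real values.

```python
import base64
import io
import re
import struct
import zipfile

CRX_MAGIC = b"Cr24"

def crx_payload(data: bytes) -> bytes:
    """Return the ZIP inside a CRX. CRX2 header: version, pubkey_len, sig_len,
    pubkey, sig. CRX3 header: version, header_len, protobuf. Not verified."""
    if data[:4] != CRX_MAGIC:
        raise ValueError("not a CRX file (missing Cr24 magic)")
    version = struct.unpack("<I", data[4:8])[0]
    if version == 2:
        pubkey_len, sig_len = struct.unpack("<II", data[8:16])
        start = 16 + pubkey_len + sig_len
    elif version == 3:
        start = 12 + struct.unpack("<I", data[8:12])[0]
    else:
        raise ValueError(f"unsupported CRX version {version}")
    return data[start:]  # zipfile rejects this if the offset is wrong

# Heuristic: 40+ base64 chars; long identifiers match too, so each hit is decoded to check.
B64_RE = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")

def find_base64_blobs(zip_bytes: bytes) -> dict:
    """Map each archive member name to the decoded base64 blobs found in it."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            for m in B64_RE.finditer(zf.read(name)):
                try:
                    blob = base64.b64decode(m.group(0), validate=True)
                except ValueError:  # right alphabet, wrong length or padding
                    continue
                found.setdefault(name, []).append(blob)
    return found

def build_sample_crx(version: int = 2) -> bytes:
    """Constructed sample: a tiny CRX wrapping one JS file that holds a base64 string."""
    secret = b"constructed sample payload, hosts.example.test"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("background.js", b'var p = "' + base64.b64encode(secret) + b'";')
    if version == 2:  # dummy 8-byte key and 4-byte signature
        hdr = struct.pack("<III", 2, 8, 4) + b"\x00" * 8 + b"\x01" * 4
    else:  # 6-byte stand-in for the CRX3 protobuf header
        hdr = struct.pack("<II", 3, 6) + b"\x00" * 6
    return CRX_MAGIC + hdr + buf.getvalue()
```

On a real capture, pass the downloaded CRX bytes to `crx_payload` and then `find_base64_blobs`; decoded hits are bytes, so strings such as host lists will only be readable once the blob is itself plaintext rather than a further encrypted layer.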