Overview
This project documents the analysis of a custom banking trojan discovered in a honeypot environment.
Tools Used
- Ghidra - Binary disassembly and decompilation
- IDA Free - Advanced static analysis
- API Monitor - Dynamic API hooking
- Wireshark - Network traffic analysis
- YARA - Malware signature creation
Key Findings
Functionality
- Command & Control (C2) communication via HTTPS
- Credential stealing from web browsers
- Persistence mechanism via Registry
Indicators of Compromise (IoCs)
- File Hash: a1b2c3d4...
- C2 Domain: suspicious-domain.com
- Network signature: Port 8443 with custom TLS
Artifacts Discovered
The malware stored encrypted credentials at:
%APPDATA%\Local\Temp\cache.bin
Mitigation
- Block C2 domain at firewall
- Create YARA rule for detection
- Update security tools signatures
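One way to carry out the YARA step above, written here as an added example and not a rule from the original lab: the domain, cache path and port come from the IoCs listed on this page, while their presence as plain strings in the binary and the use of the Run key for the Registry persistence are assumptions.

```yara
rule Lab_BankingTrojan_IoCs
{
    meta:
        description = "Detects the custom banking trojan from this lab by its reported IoCs"
        note = "Strings taken from the lab findings; their on-disk encoding is assumed"
    strings:
        // C2 domain reported in the IoCs (ASCII and UTF-16LE forms)
        $c2_domain = "suspicious-domain.com" ascii wide nocase
        // Credential cache path discovered as an artifact
        $cache_path = "\\Local\\Temp\\cache.bin" ascii wide nocase
        // Port of the custom TLS channel, as it would appear in a URL or host string
        $c2_port = ":8443" ascii wide
        // Registry Run key: assumed persistence location, not stated in the findings
        $run_key = "Software\\Microsoft\\Windows\\CurrentVersion\\Run" ascii wide nocase
    condition:
        // PE header, bounded size, then either the C2 domain alone
        // or the cache path together with one supporting indicator
        uint16(0) == 0x5A4D and filesize < 5MB and
        (
            $c2_domain or
            ($cache_path and ($c2_port or $run_key))
        )
}
```

Run it against the sample and a set of clean binaries before deploying, since the path and port strings alone could appear in benign software.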
This lab is part of my continuous learning in malware analysis and incident response.