offline:wrccdc_pcaps_results

offline:wrccdc_pcaps_results [2018/05/12 23:55] – [File extraction] veera
offline:wrccdc_pcaps_results [2018/05/12 23:58] – [File Extraction] veera
==== File Extraction ====

Trisul has the ability, using the "Save Binaries" LUA plugin, to extract potentially malicious binaries of any size. This is also a good place to look to decide whether it is worth drilling down further. Here we found 47 such files. Many of them were *.CAB files from Windows Update, but we found 10 EXE files as well.

[{{ :offline:w14.png?direct&400 | Check if any EXE/ZIP etc were downloaded}}]

The extracted files are stored by the app in ''/tmp/savedfiles''. We use the actual filename as part of the extracted file's name, so you can track it easily. If you want to explore further, you can submit a file to VirusTotal or scan it with YARA rules.

<code>
DOCKER:unpl:root savedfiles$ ls /tmp/savedfiles/*.exe -l
-rw-r--r-- 1 trisul trisul   287392 May 11 12:52 /tmp/savedfiles/00_00_f91a_10.128.0.201__PsGetsid.exe
-rw-r--r-- 1 trisul trisul   287392 May 11 12:52 /tmp/savedfiles/00_00_fb80_10.128.0.201__PsGetsid.exe
-rw-r--r-- 1 trisul trisul 12582912 May 11 12:52 /tmp/savedfiles/00_01_dbcf_10.150.0.70__chocolate_debug.exe
-rw-r--r-- 1 trisul trisul 42846720 May 11 12:52 /tmp/savedfiles/00_01_df63_10.150.0.70__chocolate_debug.exe
DOCKER:unpl:root savedfiles$ 
</code>
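A triage pass over the savedfiles directory, written here as an added example rather than code from Trisul or this write-up: it groups extractions by SHA-256 (the listing above shows PsGetsid.exe captured from two flows of the same host), flags files that carry the PE "MZ" header, and pulls the source IP and original name out of the Save Binaries filename, whose layout is assumed from the listing. The hashes are what you would look up on VirusTotal; the paths are what you would hand to YARA.

```python
import hashlib
import os
import re
import tempfile

# Name layout inferred from the listing above (an assumption, not a documented Trisul format):
# <nn>_<nn>_<hex flow id>_<source ip>__<original filename>
NAME_RE = re.compile(r"^\d+_\d+_[0-9a-f]+_(?P<ip>\d+(?:\.\d+){3})__(?P<name>.+)$")

def is_pe(path):
    """True if the file starts with the 'MZ' header every Windows executable carries."""
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"

def sha256(path):
    """Stream the file through SHA-256; extractions can be tens of MB."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def triage(directory):
    """Group extracted files by content hash so repeats across flows collapse into one entry."""
    groups = {}
    for fn in sorted(os.listdir(directory)):
        m = NAME_RE.match(fn)
        if not m:
            continue  # not a Save Binaries artefact, skip it
        path = os.path.join(directory, fn)
        g = groups.setdefault(sha256(path), {
            "name": m.group("name"), "size": os.path.getsize(path),
            "pe": is_pe(path), "hosts": set(), "paths": []})
        g["hosts"].add(m.group("ip"))
        g["paths"].append(path)
    return groups

def demo():
    """Build a constructed stand-in for /tmp/savedfiles and triage it."""
    d = tempfile.mkdtemp()
    samples = {  # constructed contents; only the leading magic bytes are meaningful
        "00_00_f91a_10.128.0.201__PsGetsid.exe": b"MZ" + b"\x90" * 100,
        "00_00_fb80_10.128.0.201__PsGetsid.exe": b"MZ" + b"\x90" * 100,  # second flow, same bytes
        "00_01_dbcf_10.150.0.70__chocolate_debug.exe": b"MZ" + b"\x00" * 50,
        "00_02_0a1b_10.150.0.70__windowsupdate.cab": b"MSCF" + b"\x00" * 20,  # CAB, not a PE
    }
    for fn, data in samples.items():
        with open(os.path.join(d, fn), "wb") as f:
            f.write(data)
    return triage(d)
```

Point `triage()` at the real ''/tmp/savedfiles'' to get one row per distinct binary, with every host and flow it was seen in.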
  
  
offline/wrccdc_pcaps_results.txt · Last modified: 2018/05/13 00:08 by veera