ZBS Labs

zzdh

Malware Analyst
Based in the Philly Metro Area. I am infinitely curious about malware. My methodology, seasoned with curiosity, involves first understanding how a piece of malware is constructed. This helps set some expectations. If I am analyzing malware to understand the payload or gain IOCs (most of the time): Static analysis > (a) detonate > (b) dump > (c) pe-sieve > Advanced static analysis would be my basic, easy default workflow. If I am analyzing for tradecraft, reporting, curiosity, or the rabbit hole, my methodology would be peppered with x64dbg, Ghidra, Procmon, System Informer, and many other tools.

// day job and lab

For my day job, I manage IT and related projects for a retail grocery business entity, and IT and cyber security management for a smaller related e-commerce business entity. By night, I run a home malware analysis lab. My lab consists of a bare-metal malware analysis workstation, ZBS-Dynamic. This machine has support for interactive snapshotting. From a clean image I can detonate malware, no matter how noisy and destructive, and monitor for activity. I can then restore the clean image, and mount the dirty image from before the restore (as a drive) to grab any artifacts, malware samples, or other file system changes made by the malware, to be analyzed on the clean image.

This workstation is isolated by hardware firewall routing and rules (pfSense with Suricata). It then goes to an edge router, already isolated and with its own subnet. The other networks are in their own VLAN, have rules banning the MAC addresses from the other VLAN, and will simply not route that LAN's traffic.

Using AI, I was able to put together a JupyterLab notebook that does a fast static triage and MITRE categorization of a given malware sample.

Currently, I am in the process of using AI to build a VM orchestration where, given a VM (VirtualBox), a Dashboard (on the host), and an Agent (in the guest), a sample can be uploaded to the VM and all telemetry can be live-monitored and categorized on the host.

May the nervous and uncertain feeling you get just before you detonate malware on purpose never go away.

// expertise

Malware Analysis, Reverse Engineering, Wazuh SIEM, Ghidra, pfSense, Cloudflare Zero Trust, Threat Hunting, Incident Response, Procmon, Wireshark, EDR (Xcitium), PowerShell (interpreting), Python (interpreting), Business of IT, Network Administrator, Systems Administrator, Troubleshooter, AI Prompt Engineer, Professional Google User, Solution Finder

// contact

sydney[at]zbslabs.tech
news.zbslabs.io
