Malware Writeup: Complete AutoIt Malware Analysis

TheSteampunkHedgehog

Level 1
Thread author
Aug 29, 2015
4
This is my first malware analysis and writeup... hope you enjoy!

Thanks to Billy69 for the sample.

Code:
Filename: 0ff1ceval1dKey00.exe
Approx. file size: 1.7 MB
MD5: 597029dcb2738c17be6d79814cdaf229
SHA-1: 4a99520e5e2070d02883cdba89ecf188b3b39add
VirusTotal: https://www.virustotal.com/en/file/b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd/analysis/
HybridAnalysis: https://www.hybrid-analysis.com/sample/b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd?environmentId=1
Analysis was performed in a Windows XP VirtualBox.
Host machine was Xubuntu 14.04 LTS.



Section 1: Dynamic Analysis
Upon execution, the malware drops some files to the user's AppData folder. Here are the interesting parts of the Regshot log:

Code:
Regshot 1.9.0 x86 Unicode
Comments: Filename is 0ff1ceval1dKey00.exe
Datetime: 2015/8/30 07:15:14  ,  2015/8/30 07:17:31
Computer: XPLAB , XPLAB
Username: [REDACTED] , [REDACTED]

----------------------------------
Keys added
----------------------------------
HKU\S-1-5-21-790525478-854245398-1343024091-1003\Software\9hGVNkAaKZH

----------------------------------
Values added
----------------------------------
HKU\S-1-5-21-790525478-854245398-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Znggurj Lbhat\Qrfxgbc\Fnzcyrf\0ss1priny1qXrl00.rkr:  02 00 00 00 06 00 00 00 D0 19 09 B4 F3 E2 D0 01

HKU\S-1-5-21-790525478-854245398-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\[REDACTED]\Desktop\Samples\0ff1ceval1dKey00.exe: "0ff1ceval1dKey00"

...

HKU\S-1-5-21-790525478-854245398-1343024091-1003\Software\9hGVNkAaKZH\ServerStarted: "8/30/2015 17:15:56 PM"

HKU\S-1-5-21-790525478-854245398-1343024091-1003\Software\9hGVNkAaKZH\InstalledServer: "C:\Documents and Settings\[REDACTED]\Desktop\Samples\0ff1ceval1dKey00.exe"

----------------------------------
Values modified
----------------------------------
HKU\S-1-5-21-790525478-854245398-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:  02 00 00 00 2A 00 00 00 50 42 F8 71 F3 E2 D0 01

HKU\S-1-5-21-790525478-854245398-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:  02 00 00 00 2B 00 00 00 D0 19 09 B4 F3 E2 D0 01

HKU\S-1-5-21-790525478-854245398-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings:  46 00 00 00 10 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 F0 46 BC B5 15 E2 D0 01 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 0A 00 02 0F 00 00 00 00 00 00 00 00 01 00 00 00 05 00 00 00 48 59 18 00 28 A0 17 00 00 00 00 00 10 01 00 00 FF FF FF FF 00 00 00 00 0C 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 A8 02 00 00 00 00 00 C0 00 00 00 00 00 00 46 40 9D 05 22 9E 7E CF 11 AE 5A 00 AA 00 A7 11 2B 78 00 70 00 6C 00 61 00 62 00 00 00 00 00 00 00 00 00 00 00

HKU\S-1-5-21-790525478-854245398-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings:  46 00 00 00 11 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 F0 46 BC B5 15 E2 D0 01 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 0A 00 02 0F 00 00 00 00 00 00 00 00 01 00 00 00 05 00 00 00 48 59 18 00 28 A0 17 00 00 00 00 00 10 01 00 00 FF FF FF FF 00 00 00 00 0C 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 A8 02 00 00 00 00 00 C0 00 00 00 00 00 00 46 40 9D 05 22 9E 7E CF 11 AE 5A 00 AA 00 A7 11 2B 78 00 70 00 6C 00 61 00 62 00 00 00 00 00 00 00 00 00 00 00

...

----------------------------------
Files added
----------------------------------
C:\Documents and Settings\[REDACTED]\Application Data\Microsoft\Windows\9hGVNkAaKZH\9hGVNkAaKZH.dat
C:\Documents and Settings\[REDACTED]\Application Data\Microsoft\Windows\9hGVNkAaKZH\9hGVNkAaKZH.nfo
C:\Documents and Settings\[REDACTED]\Application Data\Microsoft\Windows\9hGVNkAaKZH\9hGVNkAaKZH.svr
C:\Documents and Settings\[REDACTED]\Application Data\ktqqJHH\ojElPeO.exe
C:\Documents and Settings\[REDACTED]\Application Data\vZUQdf\aohkJc.exe
C:\Documents and Settings\[REDACTED]\Local Settings\Temp\eWEpCwslF
C:\Documents and Settings\[REDACTED]\Start Menu\Programs\Startup\Windows.lnk

----------------------------------
Files [attributes?] modified
----------------------------------
C:\WINDOWS\system32\CatRoot2\edb.chk
C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb
^ (Note: these two look suspicious but there was some interference from Process Monitor so they may be fine)

----------------------------------
Folders added
----------------------------------
C:\Documents and Settings\[REDACTED]\Application Data\Microsoft\Windows\9hGVNkAaKZH
C:\Documents and Settings\[REDACTED]\Application Data\ktqqJHH
C:\Documents and Settings\[REDACTED]\Application Data\vZUQdf

The malware drops three folders into the AppData directory, each with random names. Two folders (in this case, ktqqJHH and vZUQdf) contain a copy of the main executable. The executable in the vZUQdf folder starts every time Windows starts (highly likely that shortcut added to the Startup folder), however, the executable in ktqqJHH has never been executed by the malware yet.

Note that some values in there may be legitimate and not malicious, as I had Process Monitor running that was doing stuff to the registry, However, it also appears that the malware modifies IE settings (I didn't have it open at the time), perhaps for logging functionality (it was seen below reading IE cookies).

Table 1: List of Components
sY0gb7K.png


Section 2: (Mostly) Static Analysis
First of all, let's see what we can find with Process Hacker.

OgV90e5.png

Figure 1: General Stats in Process Hacker

The first thing I noticed was that the process starts two versions of itself.
hYjKREN.png

Figure 2: Two versions of the same process running. When you kill one, the other one does not seem to start it up again.

Another striking thing we can find from the Windows XP file info viewer is that it actually appears to be a compiled AutoIt script.
oii7ldp.png

Figure 3: The file is a AutoIt script.

Even though it appears to be, and probably is, an AutoIt script, I haven't had any luck decompiling it with Exe2Aut and myAuToExe, so I'm sticking with the usual IDA.

Let's take a look at it with Process Monitor. This is quite interesting actually. The malware records all opened processes, grabs their file path, and writes it to a .dat file mentioned above.

Code:
0ff1ceval1dKey00.exe: QueryNameInformationFile, C:\WINDOWS\system32\calc.exe, BUFFER OVERFLOW

0ff1ceval1dKey00.exe: QueryNameInformationFile, C:\WINDOWS\system32\calc.exe, SUCCESS

0ff1ceval1dKey00.exe: WriteFile, C:\Documents and Settings\Matthew Young\Application Data\Microsoft\Windows\9hGVNkAaKZH\9hGVNkAaKZH.dat, SUCCESS, Offset: 23,276, Length: 8
...etc...

It also appears to log keystrokes: when I opened Notepad and typed there was quite a lot of write activity to that .dat file.

Another interesting thing: it reads from itself:
Code:
"5:15:52.6198896 PM","0ff1ceval1dKey00.exe","2272","ReadFile","C:\Documents and Settings\Matthew Young\Desktop\Samples\0ff1ceval1dKey00.exe","SUCCESS","Offset: 0, Length: 65,536"

Another, very suspicious thing it tries to do is read info from the Windows kernel!
Code:
"0ff1ceval1dKey00.exe","2388","ReadFile","C:\WINDOWS\system32\kernel32.dll","SUCCESS","Offset: 160,768, Length: 24,576, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O"

Now, in terms of network connections, I have the VirtualBox Network Adapter disabled to prevent any sort of escape by the malware, however, I did observe it using UDP to try and connect to somewhere:
SJDGpMl.png

Figure 4: Network connections

I may allow it to connect to the Internet if I can isolate my main network somehow. (any ideas anyone?)

Let's have a look at the processes' permissions. It has manually enabled permission to enable and disable device drivers:
Jn5JBNZ.png

Figure 5: Manually enabled device driver permissions

I've yet to find why the malware enables this, as I cannot find any device drivers it installed.

Let's now have a look at the handles it has open.
Code:
...

File, C:\Documents and Settings\Matthew Young\Cookies\index.dat, 0x150
File, C:\Documents and Settings\Matthew Young\Local Settings\History\History.IE5\index.dat, 0x15c
File, C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202, 0x1b0
File, \Device\NamedPipe\ROUTER, 0x210
File, \Device\Tcp, 0x248
File, \Device\Tcp, 0x24c
File, \Device\Ip, 0x250
File, \Device\Ip, 0x254
File, \Device\Ip, 0x258
File, \Device\NamedPipe\ROUTER, 0x294
File, \Device\Afd, 0x29c
File, \Device\Udp, 0x2a0
Key, HKLM, 0x30
Key, HKLM\SYSTEM\ControlSet001\Control\Nls\Locale, 0x44
Key, HKLM\SYSTEM\ControlSet001\Control\Nls\Locale\Alternate Sorts, 0x48
Key, HKLM\SYSTEM\ControlSet001\Control\Nls\Language Groups, 0x4c
Key, HKCU, 0x84
Key, HKLM\SYSTEM\Setup, 0x90
Key, HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage, 0x98
Key, HKCU\Software\Classes, 0xac
Key, HKLM\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN, 0xb4
Key, HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings, 0xb8
Key, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings, 0xbc
Key, HKCU\Software\Microsoft\Internet Explorer\IETld, 0xc4
Key, HKLM\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MIME_HANDLING, 0xcc
Key, HKLM\SOFTWARE\Policies, 0xd8
Key, HKCU\Software\Policies, 0xdc
Key, HKCU\Software, 0xe0
Key, HKLM\SOFTWARE, 0xe4
Key, HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings, 0xe8
Key, HKLM\SOFTWARE\Policies, 0x118
Key, HKCU\Software\Policies, 0x120
Key, HKCU\Software, 0x124
Key, HKLM\SOFTWARE, 0x128
Key, HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9, 0x170
Key, HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5, 0x178
Key, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32, 0x1a8
Key, HKLM\SOFTWARE\Microsoft\Tracing\RASAPI32, 0x1dc
Key, HKU, 0x1f0
Key, HKLM\SYSTEM\ControlSet001\Services\Tcpip\Linkage, 0x264
Key, HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters, 0x268
Key, HKLM\SYSTEM\ControlSet001\Services\NetBT\Parameters\Interfaces, 0x26c
Key, HKLM\SYSTEM\ControlSet001\Services\NetBT\Parameters, 0x270
Key, HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap, 0x2a8
Key, HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap, 0x2ac
Key, HKLM\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN, 0x2b8
Key, HKCU, 0x2c4
Key, HKLM\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DISABLE_LEGACY_COMPRESSION, 0x2d0
Key, HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap, 0x2e0
Key, HKCU\Software\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness, 0x2e4
Key, HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap, 0x2e8
Key, HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer, 0x31c
KeyedEvent, \KernelObjects\CritSecOutOfMemoryEvent, 0x4
Mutant, \BaseNamedObjects\CTF.TimListCache.FMPDefaultS-1-5-21-790525478-854245398-1343024091-1003MUTEX.DefaultS-1-5-21-790525478-854245398-1343024091-1003, 0x80
Mutant, \BaseNamedObjects\ShimCacheMutex, 0x88
Mutant, \BaseNamedObjects\!IETld!Mutex, 0xc8
Mutant, \BaseNamedObjects\_!MSFTHISTORY!_, 0x130
Mutant, \BaseNamedObjects\c:!documents and settings!matthew young!local settings!temporary internet files!content.ie5!, 0x134
Mutant, \BaseNamedObjects\c:!documents and settings!matthew young!cookies!, 0x14c
Mutant, \BaseNamedObjects\c:!documents and settings!matthew young!local settings!history!history.ie5!, 0x158
Mutant, \BaseNamedObjects\WininetStartupMutex, 0x164
Mutant, \BaseNamedObjects\WininetConnectionMutex, 0x17c
Mutant, \BaseNamedObjects\WininetProxyRegistryMutex, 0x180
Mutant, \BaseNamedObjects\RasPbFile, 0x1b4
Mutant, \BaseNamedObjects\ZonesCounterMutex, 0x2a4
Mutant, \BaseNamedObjects\ZoneAttributeCacheCounterMutex, 0x2b4
Mutant, \BaseNamedObjects\ZonesCacheCounterMutex, 0x2bc
Mutant, \BaseNamedObjects\ZoneAttributeCacheCounterMutex, 0x2c0
Mutant, \BaseNamedObjects\ZonesLockedCacheCounterMutex, 0x2cc
Process, 0ff1ceval1dKey00.exe (2352), 0x100
Section, Commit (320 kB), 0x54
Section, \BaseNamedObjects\CiceroSharedMemDefaultS-1-5-21-790525478-854245398-1343024091-1003, 0x5c
Section, \BaseNamedObjects\CTF.TimListCache.FMPDefaultS-1-5-21-790525478-854245398-1343024091-1003SFM.DefaultS-1-5-21-790525478-854245398-1343024091-1003, 0x8c
Section, \BaseNamedObjects\ShimSharedMemory, 0x94
Section, \BaseNamedObjects\C:_Documents and Settings_Matthew Young_Local Settings_Temporary Internet Files_Content.IE5_index.dat_65536, 0x148
Section, \BaseNamedObjects\C:_Documents and Settings_Matthew Young_Cookies_index.dat_32768, 0x154
Section, \BaseNamedObjects\C:_Documents and Settings_Matthew Young_Local Settings_History_History.IE5_index.dat_32768, 0x160
Section, Commit (80 kB), 0x1f8
Section, \BaseNamedObjects\SENS Information Cache, 0x274
Section, \BaseNamedObjects\UrlZonesSM_Matthew Young, 0x2b0

...

Section, Commit (76 kB), 0x81d0
Section, Commit (76 kB), 0x81d4
Section, Commit (76 kB), 0x81d8
Section, Commit (76 kB), 0x81dc
Section, Commit (76 kB), 0x81e0

...

Section, Commit (76 kB), 0x823c
Semaphore, \BaseNamedObjects\C:?DOCUMENTS AND SETTINGS?MATTHEW YOUNG?DESKTOP?SAMPLES?0FF1CEVAL1DKEY00.EXE, 0x50
Semaphore, \BaseNamedObjects\shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}, 0xa0
Semaphore, \BaseNamedObjects\shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}, 0x144
Semaphore, \BaseNamedObjects\shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}, 0x2fc
Semaphore, \BaseNamedObjects\shell.{7CB834F0-527B-11D2-9D1F-0000F805CA57}, 0x320
Thread, 0ff1ceval1dKey00.exe (2352): 2356, 0x70
Thread, 0ff1ceval1dKey00.exe (2352): 2384, 0xd0
Thread, 0ff1ceval1dKey00.exe (2352): 2384, 0xd4
Thread, 0ff1ceval1dKey00.exe (2352): 2356, 0x168

It seems to be reading the Internet Explorer history and cookies. This is to steal session cookies and perform session hijacking. It's also using TCP and WinINet and other various Windows network libraries, probably to steam data to the attackers. It does not seem to use HTTP, although as I mentioned above it's hard to know since the network adapter is disabled for security.
The file reads from it's own executable (see last section of the log above), perhaps to load resources (like how Stuxnet extracts a template DLL from it's content, which may explain why this malware is 1.7 MB - quite large for malware).


Section 3: IDA Analysis
Let's now begin our analysis in IDA.

Note that as this file is a compiled AutoIt script, there may be some be some boilerplate code (actually, that explains why the file is so large!) within the C code for the AutoIt runtime. This code will be ignored, we will only focus on strings and system calls.

We'll first take a look at the strings utility and see what we can find. For this part we will use a mixture of the IDA strings utility and the Linux strings utility:

Code:
matt@LinuxDevLaptop:~/Analysis Files/Office Keygen Stuff$ strings 0ff1ceval1dKey00.exe

Something to do with dates:
Code:
.rdata:00482A34 0000000F C bad allocation    
.rdata:00482A44 0000000F C CorExitProcess    
.rdata:00482CA4 00000009 C HH:mm:ss          
.rdata:00482CB0 00000014 C dddd, MMMM dd, yyyy
.rdata:00482CC4 00000009 C MM/dd/yy          
.rdata:00482CD8 00000009 C December          
.rdata:00482CE4 00000009 C November          
.rdata:00482CF0 00000008 C October            
.rdata:00482CF8 0000000A C September          
.rdata:00482D04 00000007 C August            
.rdata:00482D0C 00000005 C July              
.rdata:00482D14 00000005 C June              
.rdata:00482D1C 00000006 C April              
.rdata:00482D24 00000006 C March              
.rdata:00482D2C 00000009 C February          
.rdata:00482D38 00000008 C January            
.rdata:00482D70 00000009 C Saturday          
.rdata:00482D7C 00000007 C Friday            
.rdata:00482D84 00000009 C Thursday          
.rdata:00482D90 0000000A C Wednesday          
.rdata:00482D9C 00000008 C Tuesday            
.rdata:00482DA4 00000007 C Monday            
.rdata:00482DAC 00000007 C Sunday

Creating Fiber Local Storage
Code:
.rdata:00482DEC 00000008 C FlsFree    
.rdata:00482DF4 0000000C C FlsSetValue
.rdata:00482E00 0000000C C FlsGetValue
.rdata:00482E0C 00000009 C FlsAlloc

This is used for generating the random file names:
Code:
.rdata:00482E37 0000005F C  !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~

Various maths functions (probably boilerplate, who's heard of malware doing maths?):
Code:
.rdata:00483A44 00000006 C floor
.rdata:00483A4C 00000005 C ceil 
.rdata:00483A60 00000005 C sqrt

System calls:
Code:
.rdata:00484E8C 0000000C C uxtheme.dll        
.rdata:00484E98 0000000E C IsThemeActive      
.rdata:00485334 0000000D C kernel32.dll      
.rdata:00485344 0000000F C IsWow64Process    
.rdata:00485354 00000014 C GetNativeSystemInfo

A hint that the malware (or the AutoIt runtime) may be compatible on Linux:
Code:
.rdata:0048749E 0000002B C POSIX collating elements are not supported

More system calls for the registry, filesystem and ICMP

Code:
[/SIZE]
.rdata:0048B3B8 00000009 C ICMP.DLL                            
.rdata:0048B3C4 0000000F C IcmpCreateFile                      
.rdata:0048B3D4 00000010 C IcmpCloseHandle                    
.rdata:0048B3E4 0000000D C IcmpSendEcho                        
.rdata:0048B770 00000013 C GetModuleHandleExW                  
.rdata:0048C3F0 00000019 C GetSystemWow64DirectoryW            
.rdata:0048C5D8 0000000D C advapi32.dll                        
.rdata:0048C5E8 00000010 C RegDeleteKeyExW

A library signature for the QT Maths library (probably boilerplate as the malicious file is written in AutoIt)

Code:
.data:00492928 00000038 C $Id: qmath.h,v 1.1 2004/01/15 19:50:35 jonbennett Exp $

Let's now take a look at the code (I've used the Hex-Rays decompiler plugin for IDA to decompile the Assembly to C). If you would like the (mostly unreadable) full source code dump with Assembly and C, don't hesitate to contact me and I'll whip it up for you!

There is 3 MB of source code, so in this hyper-quick analysis I probably will have missed a lot of things.

Frequently throughout we see the method Shell_NotifyIconW, which is just a method that sends a message to the notification, allowing the attacker to modify icons etc. It is unclear why this is present, however, I remember hearing something on the Hybrid-Analysis report that it may be used for process injection.

Code:
 if ( *(_BYTE *)(a3 + 404) == 1 )
        {
          v4 = *(HICON *)(a3 + 412);
          *(_BYTE *)(a3 + 404) = 0;
          Data.hIcon = v4;
          Shell_NotifyIconW(1u, &Data);

         ...

          Data.hIcon = v5;
          Shell_NotifyIconW(1u, &Data);
          
 ...

          {
            Data.hIcon = *(HICON *)(a3 + 412);
            *(_BYTE *)(a3 + 405) = 0;
        
   ...

            Shell_NotifyIconW(1u, &Data);

This report is not 100% completed yet! I am still looking through the decompiled C code and IDA imports. Subscribe to this thread for updates!



 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top