String hashing is a method employed by malware authors to disguise strings that are critical to its (stealthy) execution such as library, function and/or process names. Being able to determine what these hashes represent can aide malware researchers in developing more robust anti-anti-analysis techniques, technologies, and detections. To be clear, hashes are one-way; meaning that … Continue reading String Hashing: Reverse Engineering an Anti-Analysis Control
After I published the first iteration of PSDecode, my next goal with the tool was to figure out how to override methods within system classes typically used by malware authors, such as System.Net.WebClient.DownloadFile(). This proved to be a bit more difficult than anticipated (read: likely impossible), so I had to explore alternative approaches. New-Object Primer The approach … Continue reading PSDecode Update: New-Object override + Actions output
It's been way too long since my last post. DEFCON happened, then I got a new job, thanksgiving getaway to San Francisco, got sick (dirty airport people), excuse++. Things are starting to settle down a bit, so hopefully I'll have more time to post. Anywho... I've been seeing a ton of Emotet recently. It's borderline … Continue reading From Emotet, PSDecode is born!
Everything you've ever wanted to know about Loki-Bot. Includes a Cheat Sheet, IDS signatures, python script, and a link to my 177 page research paper on the subject
AutoIt is yet-another-development-language that malware authors leverage to create and obfuscate their malware. As a matter of fact, AutoIt is so closely associated with malware, that AutoIT's website has a wiki article that "addresses" the fact that the legitimate AutoIt binary is often detected as malicious by AntiVirus. In this post, I will not be going into end-to-end analysis of any one sample. Unfortunately, there are way too many different ways that malware authors have leveraged AutoIt for me to write a one-analysis-fits-all post. I will, however, attempt to provide you with a starting point by showing you how to get from a compiled AutoIt binary to a plain-text script.
Over the past year-or-so, there seems to have been an uptick of miscreants password protecting the malicious office documents that they send to their target victims. They do this in an effort to bypass detection and thwart analysis. This blog details a few different tools and methodologies that can be used to analyze such files.
In this post, I provide step-by-step instruction on how to unpack an executable that has been packed with a VB5 Packer. I will also cover the bypassing of multiple anti-analaysis controls that were implemented by the packer. The result is a fully functional unpacked executable.
Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets.