String hashing is a method employed by malware authors to disguise strings that are critical to the malware's (stealthy) execution, such as library, function and/or process names. Being able to determine what these hashes represent can aid malware researchers in developing more robust anti-anti-analysis techniques, technologies, and detections. To be clear, hashes are one-way, meaning that … (continued in: String Hashing: Reverse Engineering an Anti-Analysis Control)
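Since the hashes are one-way, the practical way to recover what they represent is to hash a list of candidate names with the same algorithm and look the observed values up. The script below is an added example and is not code from the post above: it implements the ROR13 API-name hash used by Metasploit's block_api shellcode stub (rotate the running value right by 13 bits, add the next byte, null terminator included) and builds a lookup table over a constructed candidate list. The candidate names and the "observed" hashes are assumptions made for the demonstration; real malware families often keep the same scheme but change the rotate count, character set or seed, so the hash function has to be matched to the sample.

```powershell
# Added example (not code from the original post): ROR13 API-name hashing as
# used by Metasploit's block_api stub, plus a table that maps hashes seen in a
# sample back to the names they hide.

function Get-Ror13Hash {
    param([Parameter(Mandatory)][string]$Name)

    # Running value kept in a 64-bit integer and masked back to 32 bits after
    # every step, so the rotate and the add wrap exactly like the x86 code.
    [long]$h = 0
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($Name) + [byte]0   # terminating NUL is hashed too
    foreach ($b in $bytes) {
        $h = (($h -shr 13) -bor ($h -shl 19)) -band 0xFFFFFFFF   # ror edi, 13
        $h = ($h + $b) -band 0xFFFFFFFF                          # add edi, eax
    }
    return [uint32]$h
}

function New-ApiHashTable {
    param([Parameter(Mandatory)][string[]]$Names)

    # Keys are the hash formatted as 8 hex digits, so lookups do not depend on
    # the integer type the caller happens to pass in.
    $table = @{}
    foreach ($n in $Names) {
        $table[('{0:X8}' -f (Get-Ror13Hash $n))] = $n
    }
    return $table
}

function Resolve-ApiHash {
    param([Parameter(Mandatory)][hashtable]$Table, [Parameter(Mandatory)][uint32]$Hash)
    $key = '{0:X8}' -f $Hash
    if ($Table.ContainsKey($key)) { return $Table[$key] }
    return $null   # not in the candidate list: widen the list (more DLL exports)
}

# Constructed candidate list; in practice dump the export tables of the DLLs
# the sample loads (kernel32, ws2_32, ...) rather than typing a short list.
$candidates = 'LoadLibraryA', 'GetProcAddress', 'VirtualAlloc', 'CreateFileA',
              'WriteFile', 'CreateProcessA', 'WinExec', 'ExitProcess', 'connect', 'send'
$table = New-ApiHashTable -Names $candidates

# Constructed "observed" hashes: two are produced from names in the list, the
# third (0x12345678) stands in for a value the list does not cover.
$observed = (Get-Ror13Hash 'VirtualAlloc'), (Get-Ror13Hash 'WinExec'), [uint32]0x12345678
foreach ($h in $observed) {
    $name = Resolve-ApiHash -Table $table -Hash $h
    if ($null -eq $name) { $name = '<unresolved>' }
    '{0:X8} -> {1}' -f $h, $name
}
```

An unresolved hash means the candidate list is too small, not that the algorithm is wrong; an entire list of misses is the signal that the sample uses a different rotate count, seed, or case/encoding of the name, which is where the reverse engineering of the hashing routine itself comes in.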
After I published the first iteration of PSDecode, my next goal with the tool was to figure out how to override methods within system classes typically used by malware authors, such as System.Net.WebClient.DownloadFile(). This proved to be a bit more difficult than anticipated (read: likely impossible), so I had to explore alternative approaches.

New-Object Primer

The approach … (continued in: PSDecode Update: New-Object override + Actions output)
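The alternative to patching a method on a .NET class is to intercept the object's creation instead. The script below is an added example, not PSDecode's own code: it shadows the New-Object cmdlet with a function of the same name (PowerShell resolves functions before cmdlets), hands back a stand-in object for System.Net.WebClient whose methods only record what the script tried to do, and forwards every other type to the real cmdlet. The stand-in's method set, the action log format and the sample stage are assumptions made for the demonstration.

```powershell
# Added example (not PSDecode's own code): shadow New-Object so that a decoded
# stage records its actions instead of executing them.

$script:Actions = [System.Collections.Generic.List[string]]::new()

function New-Object {
    [CmdletBinding()]
    param(
        [Parameter(Position = 0)][string]$TypeName,
        [string]$ComObject,
        [Parameter(ValueFromRemainingArguments = $true)]$ArgumentList
    )

    $script:Actions.Add("New-Object $TypeName$ComObject")

    if ($TypeName -match '^(System\.)?Net\.WebClient$') {
        # Stand-in for WebClient: same method names, but nothing touches the network
        $fake = [pscustomobject]@{ Headers = @{} }
        $fake | Add-Member -MemberType ScriptMethod -Name DownloadFile -Value {
            param($Address, $FileName)
            $script:Actions.Add("DownloadFile: $Address -> $FileName")
        }
        $fake | Add-Member -MemberType ScriptMethod -Name DownloadString -Value {
            param($Address)
            $script:Actions.Add("DownloadString: $Address")
            return ''   # an empty "payload" keeps the calling script from crashing
        }
        return $fake
    }

    # Anything else is harmless enough to build for real: call the original
    # cmdlet by its module-qualified name so the shadowing function is bypassed.
    Microsoft.PowerShell.Utility\New-Object @PSBoundParameters
}

# Constructed stand-in for a decoded malware stage (not a real sample).
$stage = @'
$wc = New-Object System.Net.WebClient
$wc.Headers.Add('User-Agent', 'Mozilla/5.0')
$wc.DownloadFile("http://example.invalid/a.exe", "$env:TEMP\a.exe")
$sb = New-Object System.Text.StringBuilder
$null = $sb.Append((New-Object Net.WebClient).DownloadString('http://example.invalid/s'))
'@

Invoke-Expression $stage

'Actions recorded:'
$script:Actions | ForEach-Object { "  $_" }
```

Because the interception happens at object creation, a stage that builds the client any other way (for example through [System.Net.WebClient]::new() or a type accelerator) bypasses it; that is the limitation to keep in mind when reading an Actions log.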
Everything you've ever wanted to know about Loki-Bot. Includes a cheat sheet, IDS signatures, a Python script, and a link to my 177-page research paper on the subject.
AutoIt is yet-another-development-language that malware authors leverage to create and obfuscate their malware. As a matter of fact, AutoIt is so closely associated with malware that AutoIt's website has a wiki article that "addresses" the fact that the legitimate AutoIt binary is often detected as malicious by antivirus. In this post, I will not be going into an end-to-end analysis of any one sample. Unfortunately, there are way too many different ways that malware authors have leveraged AutoIt for me to write a one-analysis-fits-all post. I will, however, attempt to provide you with a starting point by showing you how to get from a compiled AutoIt binary to a plain-text script.
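Before spending time on an extractor, it is worth confirming that a binary actually carries a compiled AutoIt3 script. The script below is an added example and not code from the post above: it scans a file for the markers the AutoIt compiler leaves behind and reports where they sit. The byte patterns are the ones found in public AutoIt YARA rules and extractors and are assumptions here; confirm them against a binary you compiled yourself before relying on them. The sample buffer is constructed for the demonstration.

```powershell
# Added example (not code from the original post): triage a binary for
# compiled-AutoIt markers before handing it to a script extractor.

$latin1 = [System.Text.Encoding]::GetEncoding(28591)   # ISO-8859-1: 1:1 byte-to-char mapping

function Find-AutoItMarkers {
    param([Parameter(Mandatory)][byte[]]$Bytes)

    # Assumed signatures (from public YARA rules/extractors); verify on your own corpus.
    $markers = [ordered]@{
        'AU3 resource header' = [byte[]](0xA3,0x48,0x4B,0xBE,0x98,0x6C,0x4A,0xA9,0x99,0x4C,0x53,0x0A,0x86,0xD6,0x48,0x7D)
        'AU3!EA06 script tag' = [System.Text.Encoding]::ASCII.GetBytes('AU3!EA06')
        'AV support notice'   = [System.Text.Encoding]::ASCII.GetBytes('This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com')
    }

    # Searching a Latin-1 string with ordinal comparison is far faster in
    # PowerShell than a byte-by-byte loop and still matches raw bytes exactly.
    $haystack = $latin1.GetString($Bytes)
    $hits = [System.Collections.Generic.List[object]]::new()
    foreach ($entry in $markers.GetEnumerator()) {
        $needle = $latin1.GetString($entry.Value)
        $pos = $haystack.IndexOf($needle, [System.StringComparison]::Ordinal)
        while ($pos -ge 0) {
            $hits.Add([pscustomobject]@{ Marker = $entry.Key; Offset = ('0x{0:X}' -f $pos) })
            $pos = $haystack.IndexOf($needle, $pos + 1, [System.StringComparison]::Ordinal)
        }
    }
    return $hits
}

# Real use: Find-AutoItMarkers -Bytes ([System.IO.File]::ReadAllBytes('C:\samples\suspect.exe'))

# Constructed sample buffer (not a real binary): an MZ stub, filler, then two of
# the markers at known positions.
$sample = $latin1.GetBytes('MZ' + ('A' * 62) + 'AU3!EA06' + ('B' * 24) +
    'This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com')

$found = Find-AutoItMarkers -Bytes $sample
if (@($found).Count -eq 0) {
    'No AutoIt markers found (packed? different AutoIt version? not AutoIt?)'
} else {
    $found | Format-Table -AutoSize
}
```

A miss is not proof of absence: a packer or crypter wraps the whole compiled binary, so the markers only show up after the outer layer has been unpacked. A hit on the resource header tells you where the script blob starts, which is the offset the extractors work from.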