Short Summary:

This article discusses the use of CyberChef to deobfuscate a .vbs loader for Nanocore malware. It outlines the obfuscation techniques used in the malware and provides a step-by-step guide on how to utilize CyberChef’s features to reverse the obfuscation process effectively.

Key Points:

CyberChef is a powerful tool for malware analysis and deobfuscation.…
Read More

This post is a continuation of "Malware Unpacking With Hardware Breakpoints".

Here we will be utilising Ghidra to locate the shellcode, analyse the decryption logic and obtain the final decrypted content using CyberChef.

Locating the Shellcode Decryption Function In Ghidra

At the point where the hardware breakpoint was first triggered, the primary executable was likely in the middle of the decryption function.…

Read More

Leveraging Ghidra to establish context and intent behind suspicious strings, taking things one step further after initial analysis tooling like PeStudio and Detect It Easy.

This is a great technique for working with Ghidra and establishing a starting point for analysis. It reduces total investigation time and allows one to determine why and how a string is contained within a file.…

Read More

In this blog, we'll use Ghidra to analyse a suspicious imported function identified with PeStudio.

This forms a basic and repeatable workflow within Ghidra, where imported functions are cross-referenced to establish context and intent.

Not only does this establish context, but it almost always establishes an area of code that you can begin to work from within Ghidra.…

Read More

In this post, we will investigate a Vidar malware sample containing suspicious encrypted strings. We will use Ghidra cross-references to analyse the strings and identify the location where they are used.

Using this we will locate a string decryption function, and utilise a debugger to intercept input and output to obtain decrypted strings.…

Read More

We're all used to the regular CyberChef operations like "From Base64", "From Decimal" and the occasional magic decode or XOR. But what happens when we need to do something more advanced?

CyberChef contains many advanced operations that are often ignored in favour of Python scripting. Few are aware of the more complex operations of which CyberChef is capable.…

Read More

In this blog we will identify 36 Latrodectus phishing domains through passive DNS analysis of a domain reported on Twitter/X.

The initially reported domain leverages 302 redirects to send users to a malicious or benign file. The URL present in the 302 redirect is reused across numerous domains, and we can leverage this information to identify additional infrastructure.…

Read More

This post will dive into a Latrodectus loader that leverages junk comments and WMI commands to obfuscate functionality and download a remote .msi file.

There are three “stages” to this sample, which can be decoded through a combination of regular expressions and CyberChef.

Obtaining Initial Sample

The initial sample can be found on Malware Bazaar and was initially uploaded by pr0xylife.

SHA256: 71fb25cc4c05ce9dd94614ed781d85a50dccf69042521abc6782d48df85e6de9

Initial Sample Review

The initial sample is a relatively large 845KB, which is large for a script-based file.…

Read More

In previous posts here and here, we explored methods for extracting Cobalt Strike shellcode from script-based malware.

In this post, we’ll explore a more complex situation where Cobalt Strike shellcode is loaded by a compiled executable (.exe) file. This will require the use of a debugger (x64dbg) in conjunction with static analysis (Ghidra) in order to perform a complete analysis.…

Read More

In a previous post, we demonstrated a method for unpacking an AsyncRAT malware sample by utilising Process Hacker and dnSpy.

We leveraged Process Hacker to identify a suspicious process, then utilised dnSpy to attach to the process and enumerate loaded modules. From there we were able to open a suspicious module from memory, which ultimately yielded the unpacked AsyncRAT malware sample.…

Read More

Intermediate

Improving Malware Analysis Workflows by Modifying the default Ghidra UI.

Matthew

Oct 25, 2023 — 4 min read

The Ghidra user interface can be intimidating and complicated for users who are not familiar with the tool.

In this post, I’ll go over some changes that I made in order to improve the usability of Ghidra and ensure a better analysis experience.…

Read More

Demonstrating how to manually decode a complex .vbs script used to load Cobalt Strike shellcode into memory.

The referenced script implements heavy text-based obfuscation. We can defeat this obfuscation by utilising CyberChef and regex.

After deobfuscation, we will identify some “malformed” shellcode which we will manually fix, before emulating it with the SpeakEasy emulator.…

Read More