Short Summary:
This article discusses the use of CyberChef to deobfuscate a .vbs loader for Nanocore malware. It details the obfuscation techniques used and provides a step-by-step guide on how to reverse the obfuscation using various features of CyberChef.
Key Points:
CyberChef is a powerful tool for malware analysis and deobfuscation.…Short Summary:
This article discusses the use of CyberChef to deobfuscate a .vbs loader for Nanocore malware. It outlines the obfuscation techniques used in the malware and provides a step-by-step guide on how to utilize CyberChef’s features to reverse the obfuscation process effectively.
Key Points:
CyberChef is a powerful tool for malware analysis and deobfuscation.…“`html
Short SummaryThis article discusses the decoding process of a .HTA script linked to the Cobalt Strike toolkit, focusing on the methods of obfuscation used, including Base64URL encoding and excessive spacing. The analysis demonstrates how to decode the script using tools like CyberChef and regular expressions to clean up the code for further examination.…
In this post, we'll demonstrate the Garbageman analysis tool. Garbageman is a .NET analysis tool that can be used to obtain information from packed or obfuscated .NET malware.
Here is a great blog on the internals of Garbageman. The TLDR is that Garbageman intercepts the memory management components of .NET…
This post is a continuation of "Malware Unpacking With Hardware Breakpoints".
Here we will be utilising Ghidra to locate the shellcode, analyse the decryption logic and obtain the final decrypted content using Cyberchef.
Locating the Shellcode Decryption Function In GhidraAt the point where the hardware breakpoint was first triggered, the primary executable was likely in the middle of the decryption function.…
Leveraging Ghidra to establish context and intent behind suspicious strings. Taking things one step further after initial analysis tooling like Pe-Studio and Detect-it-easy.
This is a great technique for working with Ghidra and establishing a starting point for analysis. It reduces total investigation time and allows one to determine why and how a string is contained within a file.…
In this blog, we'll use Ghidra to analyse a suspicious imported function identified with PeStudio.
This forms a basic and repeatable workflow within Ghidra, where imported functions are cross-referenced to establish context and intent.
Not only does this establish context, but it almost always establishes an area of code that you can begin to work from within Ghidra.…
In this post, we will investigate a Vidar Malware sample containing suspicious encrypted strings. We will use Ghidra cross references to analyse the strings and identify the location where they are used.
Using this we will locate a string decryption function, and utilise a debugger to intercept input and output to obtain decrypted strings.…
We're all used to the regular CyberChef operations like "From Base64", From Decimal and the occasional magic decode or xor. But what happens when we need to do something more advanced?
Cyberchef contains many advanced operations that are often ignored in favour of Python scripting. Few are aware of the more complex operations of which Cyberchef is capable.…
In this blog we will identify 6 malicious domains that are likely hosting MatanBuchus malware. We will identify these domains through the usage of hardcoded subdomains in the TLS Certificate of the initial shared domain.
After leveraging the hardcoded subdomains, we will leverage registration dates and certificate providers to hone in on our final results.…
In previous posts we decoded some Malicious scripts and obtained Cobalt Strike Shellcode.
After obtaining the Shellcode, we used SpeakEasy emulation to determine the functionality of the Shellcode. This is a great method, but it’s not ideal to rely on “automated” style tooling to determine functionality.…
____________________ Summary: This post discusses the process of removing junk comments and self-referencing code in a Latrodectus loader. It explores the stages of the sample and provides insights into the obfuscation techniques used.
Key Points: * The initial sample is a large script file with heavy obfuscation and junk comments.…
In this blog we will identify 36 Latrodectus phishing domains through passive DNS analysis of a domain reported on Twitter/X.
The initial reported domain leverages 302 redirects to send users to a malicious or benign file. The URL present in the 302 redirect is re-used across numerous domains and we can leverage this information to identify additional infrastructure.…
In this post we leverage passive DNS analysis tools to expand on an ACTINIUM intelligence report published by Microsoft.
This analysis will leverage the initial domains provided in the report to identify new domains of interest that match the reported style and structure detailed in the original report.…
I recently became aware of an awesome DNS Analysis tool called Validin which can be used to analyse malicious domains and show related infrastructure using DNS records.
This has been super useful as existing infrastructure analysis tools are primarily focused on analysis and pivoting from IP’s, which functions very differently to pivoting from domains.…
This post will dive into a Latrodectus loader that leverages junk comments and wmi commands to obfuscate functionality and download a remote .msi file.
There are three “stages” to this sample, which can be decoded through a combination of regular expressions and CyberChef.
Obtaining Initial SampleThe initial sample can be found on Malware Bazaar and was initially uploaded by pr0xylife
SHA256: 71fb25cc4c05ce9dd94614ed781d85a50dccf69042521abc6782d48df85e6de9
Initial Sample ReviewThe initial sample is a relatively large 845KB, which is large for a script based file.…
We’re all used to the regular CyberChef operations like “From Base64”, From Decimal and the occasional magic decode or xor. But what happens when we need to do something more advanced?
Cyberchef contains many advanced operations that are often ignored in favour of Python scripting. Few are aware of the more complex operations of which Cyberchef is capable.…
In previous posts we decoded some Malicious scripts and obtained Cobalt Strike Shellcode.
After obtaining the Shellcode, we used SpeakEasy emulation to determine the functionality of the Shellcode. This is a great method, but it’s not ideal to rely on “automated” style tooling to determine functionality.…
In this post, we will investigate a Vidar Malware sample containing suspicious encrypted strings. We will use Ghidra cross references to analyse the strings and identify the location where they are used.
Using this we will locate a string decryption function, and utilise a debugger to intercept input and output to obtain decrypted strings.…
In this blog, we’ll use Ghidra to analyse a suspicious imported function identified with PeStudio.
This forms a basic and repeatable workflow within Ghidra, where imported functions are cross-referenced to establish context and intent.
Not only does this establish context, but it almost always establishes an area of code that you can begin to work from within Ghidra.…
Leveraging Ghidra to establish context and intent behind suspicious strings. Taking things one step further after initial analysis tooling like Pe-Studio and Detect-it-easy.
This is great technique for working with Ghidra and establishing a starting point for analysis. Reducing total investigation time and determining why and how a string is contained within a file.…
This post is a continuation of “Malware Unpacking With Hardware Breakpoints”.
Here we will be utilising Ghidra to locate the shellcode, analyse the decryption logic and obtain the final decrypted content using Cyberchef.
Locating the Shellcode Decryption Function In GhidraAt the point where the hardware breakpoint was first triggered, the primary executable was likely in the middle of the decryption function.…
In this post, we’ll demonstrate the Garbageman analysis tool. Garbageman is a .NET analysis tool that can be used to obtain information from packed or obfuscated .NET malware.
Here is a great blog on the internals of Garbageman. The TLDR is that Garbageman intercepts the memory management components of .NET…
In previous posts here and here, we explored methods for extracting cobalt strike shellcode from script-based malware.
In this post, we’ll explore a more complex situation where Cobalt Strike shellcode is loaded by a compiled executable .exe file. This will require the use of a debugger (x64dbg) in conjunction with Static Analysis (Ghidra) in order to perform a complete analysis.…
Unpacking malware can be a tedious task. Often involving intensive static analysis and in-depth knowledge of debugging.
In this post, I'll demonstrate an easy method that can be used to unpack files that ultimately load a .NET based malware.
This method primarily involves running the file and monitoring for process executions using Process Hacker.…
In a previous post, we demonstrated a method for unpacking an Asyncrat malware sample by utilising Process Hacker and Dnspy.
We leveraged Process Hacker to identify a suspicious process, then utilised Dnspy to attach to the process and enumerate loaded modules. From there we were able to open a suspicious module from memory, which ultimately obtained the unpacked Asyncrat malware sample.…
Unpacking malware can be a tedious task. Often involving intensive static analysis and in-depth knowledge of debugging.
In this post, I’ll demonstrate an easy method that can be used to unpack files that ultimately load a .NET based malware.
This method primarily involves running the file and monitoring for process executions using Process Hacker.…
In this post, we’ll demonstrate a process for decoding a visual basic (.vbs) script, which contains an encoded Powershell Script used to download Remcos malware from a Google Drive.
We’ll manually analyse and deobfuscate both the vbs and powershell, and develop a decoder to obtain IOCs and decoded values.…
Intermediate
Improving Malware Analysis Workflows by Modifying the default Ghidra UI.
MatthewOct 25, 2023 — 4 min read
The Ghidra User interface can be intimidating and complicated for users who are not familiar with the tool.
In this post, I’ll go over some changes that I made in order to improve the usability of Ghidra and ensure a better analysis experience.…
Demonstrating how to manually decode a complex .vbs script used to load Cobalt Strike shellcode into memory.
The referenced script implements heavy text-based obfuscation. We can defeat this obfuscation by utilising CyberChef and Regex.
Post obfuscation, we will identify some “malformed” shellcode which we will manually fix, before emulating with the SpeakEasy emulator.…
In this post. we will demonstrate a process for decoding a simple .hta loader used to load cobalt strike shellcode. We will perform initial analysis using a text editor, and use CyberChef to extract embedded shellcode. From here we will validate the shellcode using an emulator (SpeakEasy) and perform some basic analysis using Ghidra.…
In this post. I will demonstrate a process for decoding a simple .hta loader used to load cobalt strike shellcode. We will perform initial analysis using a text editor, and use CyberChef to extract embedded shellcode. From here we will validate the shellcode using an emulator (SpeakEasy) and perform some basic analysis using Ghidra.…