Category Archives: Anti-virus
Another Look at the Rig Exploit Kit
It has been a while since I have written up anything on this exploit kit, since it had moved to the background more and I have not seen as many samples as I used to. It has gone through many changes …
Posted in Malware
Tagged JavaScript, Malware Analysis, VBScript
Those Pesky PowerShell Shellcodes And How To Understand Them
Shellcode comes in various forms for different operating systems. Some can just be dropped into a hex editor to get the needed understanding of what it is doing, some may require looking at the assembly code generated by a …
A deeper look at Equation Editor CVE-2017-11882 with encoded Shellcode
Our sample today comes from My Online Security @dvk01uk from this Twitter thread Here. The first one I had started to work on comes from this Twitter thread here from April 26 of 2019. The encoding on the shellcode uses …
A look at Stomped VBA code and the P-Code in a Word Document
This sample comes from a Twitter discussion here and a second part of the thread here on April 22 2019. This discussion was started by “My Online Security @dvk01uk”. Although it appears to have a VBA file in it …
Posted in Malware
Tagged Malware Analysis, P-Code, VBA
A look at a bmp file with embedded shellcode
The sample today is from PaulM @melsonp. While watching his BSides Augusta talk from 2018 Here, at the end he shows a picture file that gets downloaded from a layered PowerShell script. He was kind enough to send me …
Posted in Malware, PowerShell, security
Tagged Malware Analysis, Security, Shellcode
A deeper look into a wild VBA Macro
This sample comes from Brad Duncan @malware_traffic from his SANS ISC Diary located Here and the files on his blog Here. For this session I will be using the “2019-01-23-example-of-attached-Word-doc-1-of-7” Word document. I ended up looking at this from different directions …
Posted in Malware, Programming, VBScript
Tagged Malware Analysis, Security
A Look under the hood of a batch encrypted file
The sample in question today is thanks to a Twitter thread by Nick Carr @ItsReallyNick and Daniel Bohannon @danielhbohannon of FireEye, located Here, about this builder being used to encode batch scripts. After downloading the sample from VirusBay @virusbay_io that …
Posted in Malware, Programming, security
Tagged Decoding, Malware Analysis, Reverse Engineering
Understanding Invoke- “X” Special Character Encoding
I say Invoke- “X” because it can be found in both Invoke-Obfuscation and in Invoke-DOSfuscation. We can find a reference to the encoding scheme in this Twitter thread Here, where @danielhbohannon references the blog post from 2010 by @mutaguchi …
Posted in Malware, PowerShell, Programming, security
Tagged Encoding, Malware Analysis
What is in this file?
The other day I was pinged about a very large .jason file that appeared to contain a large Base64 string that took up almost all of the file. There was a problem extracting the Base64 string due to the …
Posted in Malware, security
Tagged Decoding, Malware Analysis
A look at a Word document macro using Invoke-DOSfuscation
The sample for this one comes from Packet Wire @packet_Wire, Twitter thread here. After getting the location of the Word document and downloading it, the file name was “Auditor-of-State-Notification-of-EFT-Deposit” with hash values of:
SHA1: 4C7C8B1897CA22E4E477C361DAF676D471A4F4AF
SHA256: EBDA287F6B33A0C7A689E1D8FDE7ABC708C9DFBCA2759A56CD055868B2CC0911
MD5: 35756ECC87405E42F62DEEEEF18FD43A
Let’s dive into …
Posted in Malware, PowerShell, VBScript
Tagged Malware Analysis, PowerShell, VBScript