Category Archives: Programming

A deeper look into a wild VBA Macro

This Sample comes from Brad Duncan @malware_traffic from his SANS ICS Diary located Here and the Files on His blog Here. For this session I will be using “2019-01-23-example-of-attached-Word-doc-1-of-7” word document. I ended up looking at this from different directions … Continue reading

Posted in Malware, Programming, VBScript | Tagged , | Leave a comment

A Look under the hood of a batch encrypted file

The sample in question today is thanks to a Twitter thread by Nick Carr @ItsReallyNick and Daniel Bohannon @danielhbohannon of FireEye located Here about this builder being used to encode batch scripts. After downloading the sample from VirusBay @virusbay_io that … Continue reading

Posted in Malware, Programming, security | Tagged , , | Leave a comment

Understanding Invoke- “X” Special Character Encoding

I say Invoke- “X” because it can be found in both Invoke-Obfuscation and in Invoke-Dosfucation. We can find a reference to the encoding scheme in this Twitter thread Here where @danielhbohannon references the the blog post from 2010 by @mutaguchi … Continue reading

Posted in Malware, PowerShell, Programming, security | Tagged , | Leave a comment

PowerShell encoding used for Emotet Downloader

I first ran across the SecureString usage in this twitter thread where  @Anyrun_app is talking about a version of “Fake Net” to get all of the C2’s here https://twitter.com/anyrun_app/status/966227622899351552 There are a few methods listed in this thread by different … Continue reading

Posted in Malware, PowerShell, Programming | Tagged , ,

Hidden .Net Resources “Are Your Tools Finding Them” ?

This file was found thru Twitter https://twitter.com/0x7fff9/status/936301229612961792 and https://beta.virusbay.io/sample/browse/106366f1fe0f39232bc86be49ecbad4a This sample appears to be a test piece of Ransomware written in dot Net with 2 binary resources that do not show up in normal tools. No obfuscation was used to … Continue reading

Posted in Malware, Programming, security | Tagged , | 1 Comment

Ghost In The Wires Paperback Ciphers

I received the book in mid December 2013 as a early Christmas present and completed reading it on December 24th 2013 and then began working on the ciphers. I was first trying to copy all of the ciphers  by hand … Continue reading

Posted in Ciphers, Programming | Tagged

Pulling apart Rig Exploit Kit

In the last post, A look at a cross bred Neutrino EK–Rig EK Flash file we see where the two exploit kits were merged into one. This one is pure Rig and looks the same on the surface as other … Continue reading

Posted in Malware, Networking, Programming, security | Tagged , | 1 Comment