Category Archives: security
A deeper look at Office documents flat style
Over the last few years I have seen some samples that use the xml style of Word Documents with base64 encoded ActiveMime data. What started this was a recent Twitter post by HunterMaor @bit_dam Here where he was not able … Continue reading
Ursa Loader and the many rabbit holes
On August 4th 2020 JAMESWT @JAMESWT_MHT posted on Twitter here about malware spam hitting Italy using ursa loader. I mainly look at the obfuscation and this vbscipt looked rather interesting. Little did I know what I was in for. So … Continue reading
More adventures with shell code and the Shikata Ga Nai Encoder
The other day I was given a sample vbscript file by Paul Melson @pmelson so I could take a look at the odd shell code in it. Here is the original script. This starts out as a normal script running … Continue reading
A quick look at the current emotet encoding
I have went thru several samples today of this type of encoding but todays sample will be from ExecuteMalware @executemalware located here and the Twitter reference is here. Here we can see that only 3 of the urls are displayed. … Continue reading
Chasing malware down the rabbit hole to see where it goes.
Lets start this journey with the blog post by Pondurance titled “777 RANSOMWARE COMBINES WITH TRICKBOT” located here. There is not a whole lot here but it describes 2 layers of shellcode and some indicator’s and the first is the … Continue reading
A deeper look at Equation Editor CVE-2017-11882 with encoded Shellcode
Our sample today comes from My Online Security @dvk01uk from this Twitter thread Here. The First one I had started to work on comes from this Twitter thread here from April 26 of 2019. The encoding on the shellcode uses … Continue reading
A look at a bmp file with embedded shellcode
The sample today is from PaulM @melsonp While watching his BSIDES Augusta talk from 2018 Here, at that the end he shows a picture file that gets downloaded from a layered PowerShell script. He was kind enough to send me … Continue reading
A Look under the hood of a batch encrypted file
The sample in question today is thanks to a Twitter thread by Nick Carr @ItsReallyNick and Daniel Bohannon @danielhbohannon of FireEye located Here about this builder being used to encode batch scripts. After downloading the sample from VirusBay @virusbay_io that … Continue reading
Understanding Invoke- “X” Special Character Encoding
I say Invoke- “X” because it can be found in both Invoke-Obfuscation and in Invoke-Dosfucation. We can find a reference to the encoding scheme in this Twitter thread Here where @danielhbohannon references the the blog post from 2010 by @mutaguchi … Continue reading
What is in this file ?
The other day I was pinged about a very large .jason file that appeared to contain a large Base 64 string that took up almost all of the file. There was a problem extracting the base64 string do to the … Continue reading
PC's Xcetra Support 