Tag Archives: Decoding
Pealing back the layers of a batch script ransomware
Our sample today comes from Ahmet Payaslioglu AT_Computeus7 in This twitter thread. I was tagged along with a few other people that may be interested in the sample. The main file was run on AnyRun Here. This is where I … Continue reading
Extracting Shellcode from VBA to PowerShell
This post will revolve around using my tools to extract the vba code then clean a base64 string that is exploded into multiple lines and then decode to a PowerShell script then extract the shellcode from the script and get … Continue reading
More adventures with shell code and the Shikata Ga Nai Encoder
The other day I was given a sample vbscript file by Paul Melson @pmelson so I could take a look at the odd shell code in it. Here is the original script. This starts out as a normal script running … Continue reading
A deeper look at Equation Editor CVE-2017-11882 with encoded Shellcode
Our sample today comes from My Online Security @dvk01uk from this Twitter thread Here. The First one I had started to work on comes from this Twitter thread here from April 26 of 2019. The encoding on the shellcode uses … Continue reading
A Look under the hood of a batch encrypted file
The sample in question today is thanks to a Twitter thread by Nick Carr @ItsReallyNick and Daniel Bohannon @danielhbohannon of FireEye located Here about this builder being used to encode batch scripts. After downloading the sample from VirusBay @virusbay_io that … Continue reading
What is in this file ?
The other day I was pinged about a very large .jason file that appeared to contain a large Base 64 string that took up almost all of the file. There was a problem extracting the base64 string do to the … Continue reading
A closer look at “NetSupport”(Rat) top 2 layers
This post is based on the blog post by FireEye located Here. I was given a private .saz to look at by someone else that gave me the entire infection chain. In this post I will only be doing 2 … Continue reading
Hidden .Net Resources “Are Your Tools Finding Them” ?
This file was found thru Twitter https://twitter.com/0x7fff9/status/936301229612961792 and https://beta.virusbay.io/sample/browse/106366f1fe0f39232bc86be49ecbad4a This sample appears to be a test piece of Ransomware written in dot Net with 2 binary resources that do not show up in normal tools. No obfuscation was used to … Continue reading
De-obfuscating a PowerShell Script Obfuscated by Invoke-Obfuscation
Here I will be trying to deep dive on how the obfuscation works and what is required to de-obfuscate it. This sample comes from @James_inthe_box posted here https://twitter.com/James_inthe_box/status/928644055054946305 on November 9th 2017. Here is the link to the “pastebin” of … Continue reading
Not A DerbyCon Talk part #1
This will be the first in a series (1 of x ) that I was hoping to stuff into a 30 minuet talk at DerbyCon 2017. In hindsight it would be better suited as an informal training session where questions … Continue reading
PC's Xcetra Support 