Tag Archives: Decoding

Pealing back the layers of a batch script ransomware

Our sample today comes from Ahmet Payaslioglu AT_Computeus7 in This twitter thread. I was tagged along with a few other people that may be interested in the sample. The main file was run on AnyRun Here. This is where I … Continue reading

Posted in Uncategorized | Tagged , , | 1 Comment

Extracting Shellcode from VBA to PowerShell

This post will revolve around using my tools to extract the vba code then clean a base64 string that is exploded into multiple lines and then decode to a PowerShell script then extract the shellcode from the script and get … Continue reading

Posted in Malware, PowerShell, VBScript | Tagged , , , | 1 Comment

More adventures with shell code and the Shikata Ga Nai Encoder

The other day I was given a sample vbscript file by Paul Melson  @pmelson  so I could take a look at the odd shell code in it. Here is the original script. This starts out as a normal script running … Continue reading

Posted in Malware, PowerShell, Programming, security | Tagged , , | Comments Off on More adventures with shell code and the Shikata Ga Nai Encoder

A deeper look at Equation Editor CVE-2017-11882 with encoded Shellcode

Our sample today comes from My Online Security @dvk01uk from this Twitter thread Here.  The First one I had started to work on comes from this Twitter thread  here from April 26 of 2019. The encoding on the shellcode uses … Continue reading

Posted in Malware, security | Tagged , , , | 1 Comment

A Look under the hood of a batch encrypted file

The sample in question today is thanks to a Twitter thread by Nick Carr @ItsReallyNick and Daniel Bohannon @danielhbohannon of FireEye located Here about this builder being used to encode batch scripts. After downloading the sample from VirusBay @virusbay_io that … Continue reading

Posted in Malware, Programming, security | Tagged , , | Comments Off on A Look under the hood of a batch encrypted file

What is in this file ?

The other day I was pinged about a very large .jason file that appeared to contain a large  Base 64 string that took up almost all of the file. There was a problem extracting the base64 string do to the … Continue reading

Posted in Malware, security | Tagged , | Comments Off on What is in this file ?

A closer look at “NetSupport”(Rat) top 2 layers

This post is based on the blog post by FireEye located Here. I was given a private .saz to look at by someone else that gave me the entire infection chain. In this post I will only be doing 2 … Continue reading

Posted in Malware, security | Tagged , | Comments Off on A closer look at “NetSupport”(Rat) top 2 layers

Hidden .Net Resources “Are Your Tools Finding Them” ?

This file was found thru Twitter https://twitter.com/0x7fff9/status/936301229612961792 and https://beta.virusbay.io/sample/browse/106366f1fe0f39232bc86be49ecbad4a This sample appears to be a test piece of Ransomware written in dot Net with 2 binary resources that do not show up in normal tools. No obfuscation was used to … Continue reading

Posted in Malware, Programming, security | Tagged , | 1 Comment

De-obfuscating a PowerShell Script Obfuscated by Invoke-Obfuscation

Here I will be trying to deep dive on how the obfuscation works and what is required to de-obfuscate it. This sample comes from @James_inthe_box posted here https://twitter.com/James_inthe_box/status/928644055054946305 on November 9th 2017. Here is the link to the “pastebin” of … Continue reading

Posted in Malware, security | Tagged , | Comments Off on De-obfuscating a PowerShell Script Obfuscated by Invoke-Obfuscation

Not A DerbyCon Talk part #1

This will be the first in a series (1 of x ) that I was hoping to stuff into a 30 minuet talk at DerbyCon 2017. In hindsight it would be better suited as an informal training session where questions … Continue reading

Posted in Malware, security | Tagged , | Comments Off on Not A DerbyCon Talk part #1