Tag Archives: Decoding

Extracting Shellcode from VBA to PowerShell

This post will revolve around using my tools to extract the vba code then clean a base64 string that is exploded into multiple lines and then decode to a PowerShell script then extract the shellcode from the script and get … Continue reading

Posted in Malware, PowerShell, VBScript | Tagged , , , | 1 Comment

More adventures with shell code and the Shikata Ga Nai Encoder

The other day I was given a sample vbscript file by Paul Melson  @pmelson  so I could take a look at the odd shell code in it. Here is the original script. This starts out as a normal script running … Continue reading

Posted in Malware, PowerShell, Programming, security | Tagged , , | Leave a comment

A deeper look at Equation Editor CVE-2017-11882 with encoded Shellcode

Our sample today comes from My Online Security @dvk01uk from this Twitter thread Here.  The First one I had started to work on comes from this Twitter thread  here from April 26 of 2019. The encoding on the shellcode uses … Continue reading

Posted in Malware, security | Tagged , , , | 1 Comment

A Look under the hood of a batch encrypted file

The sample in question today is thanks to a Twitter thread by Nick Carr @ItsReallyNick and Daniel Bohannon @danielhbohannon of FireEye located Here about this builder being used to encode batch scripts. After downloading the sample from VirusBay @virusbay_io that … Continue reading

Posted in Malware, Programming, security | Tagged , ,

What is in this file ?

The other day I was pinged about a very large .jason file that appeared to contain a large  Base 64 string that took up almost all of the file. There was a problem extracting the base64 string do to the … Continue reading

Posted in Malware, security | Tagged ,

A closer look at “NetSupport”(Rat) top 2 layers

This post is based on the blog post by FireEye located Here. I was given a private .saz to look at by someone else that gave me the entire infection chain. In this post I will only be doing 2 … Continue reading

Posted in Malware, security | Tagged ,

Hidden .Net Resources “Are Your Tools Finding Them” ?

This file was found thru Twitter https://twitter.com/0x7fff9/status/936301229612961792 and https://beta.virusbay.io/sample/browse/106366f1fe0f39232bc86be49ecbad4a This sample appears to be a test piece of Ransomware written in dot Net with 2 binary resources that do not show up in normal tools. No obfuscation was used to … Continue reading

Posted in Malware, Programming, security | Tagged , | 1 Comment