Tag Archives: Malware Analysis

Hidden .Net Resources “Are Your Tools Finding Them” ?

This file was found thru Twitter https://twitter.com/0x7fff9/status/936301229612961792 and https://beta.virusbay.io/sample/browse/106366f1fe0f39232bc86be49ecbad4a This sample appears to be a test piece of Ransomware written in dot Net with 2 binary resources that do not show up in normal tools. No obfuscation was used to … Continue reading

Posted in Malware, Programming, security | Tagged , | 1 Comment

Peeling away the layers of a word document macro

The sample used in this one was first brought to my attention from the blog post by @HerbieZimmerman  and the blog post is here. https://www.herbiez.com/?p=1028 and the link to the doc file is here https://www.hybrid-analysis.com/sample/0de3f4380b642e59d0cde5570ed13bfc727000b94a034ce10e1f87bfac3fac79?environmentId=100 This one peaked my interest … Continue reading

Posted in Malware, PowerShell, security, VBScript | Tagged , , | Leave a comment

De-obfuscating a PowerShell Script Obfuscated by Invoke-Obfuscation

Here I will be trying to deep dive on how the obfuscation works and what is required to de-obfuscate it. This sample comes from @James_inthe_box posted here https://twitter.com/James_inthe_box/status/928644055054946305 on November 9th 2017. Here is the link to the “pastebin” of … Continue reading

Posted in Malware, security | Tagged , | Leave a comment

Not A DerbyCon Talk part #1

This will be the first in a series (1 of x ) that I was hoping to stuff into a 30 minuet talk at DerbyCon 2017. In hindsight it would be better suited as an informal training session where questions … Continue reading

Posted in Malware, security | Tagged , | Leave a comment

Extracting and decoding malicious macros

The sample used here is from the video from  Karsten Hahn @struppigel . If you have not seen any of them before I would highly recommend checking them out. The video can be found here https://youtu.be/SCJVW1E8dFA The Sample can Be … Continue reading

Posted in Malware, security | Tagged , , | Leave a comment

A look at the Magnitude Exploit Kit encoding

In this post I will be going thru the multiple ways that they use to encode 3 pages in the pcap. I will use the pacp available from Zerophage @Zerophage1337 located here https://zerophagemalware.com/2017/04/20/magnitude-ek-urls-from-14-20-april/ We will start with the initial get … Continue reading

Posted in Malware, Networking, security | Tagged , | 2 Comments

Angler Exploit Kit Steganography

When I first started working with exploit kits I started with Angler EK. I was learning how the redirect from the compromised site worked and building tools to decode them. Once you get to the exploit kit landing page then … Continue reading

Posted in Computer, Malware, security | Tagged ,