Channel: Malware – Didier Stevens

PoC: Cobalt Strike mitm Attack

I did this about 6 months ago, but this blog post didn’t get posted back then. I’m posting it now. I made a small Proof-of-Concept: cs-mitm.py is a mitmproxy script that intercepts Cobalt Strike...

Another Exercise In Encoding Reversing

In this blog post, I will show how to decode a payload encoded in a variation of hexadecimal encoding, by performing statistical analysis and guessing some of the “plaintext”. I do have the decoder...

Examples Of Encoding Reversing

I recently created 2 blog posts with corresponding videos for the reversing of encodings. The first one is on the ISC diary: “Decoding Obfuscated BASE64 Statistically“. The payload is encoded with a...

Maldoc Analysis Video – Rehearsed & Unrehearsed

When I record maldoc analysis videos, I have already analyzed the maldoc prior to recording, and I rehearse the recording. This time, I also recorded the unrehearsed analysis: when I take the first...

Extracting Certificates For Defender

A colleague asked me for help with extracting code signing certificates from malicious files, to add them to Defender’s block list. The procedure involves right-clicking the EXE in Windows Explorer,...

Combining dns-pydivert And dnsresolver

I use my tools dns-pydivert and dnsresolver.py for dynamic analysis of software (malware and benign software). On the virtual machine where I’m doing dynamic analysis, I disable IPv6 support. I...

Combining zipdump, file-magic And myjson-filter

In this blog post, I show how you can combine my tools zipdump.py, file-magic.py and myjson-filter.py to select and analyze files of a particular type. I start with a daily batch of malware files...

New Tool: onedump.py

This is a new tool (based on my Python template for binary files) to analyze OneNote files. This version is limited to handling embedded files (for the moment). As I might still make significant...

Quickpost: Analysis of PDF/ActiveMime Polyglot Maldocs

jpcert reported a new type of maldoc: “MalDoc in PDF – Detection bypass by embedding a malicious Word file into a PDF file –“. These maldocs are PDF files that embed a Word document (ActiveMime) in...

Quickpost: PDF/ActiveMime Maldocs YARA Rule

Here is a YARA rule I developed to detect PDF/ActiveMime maldocs I wrote about in “Quickpost: Analysis of PDF/ActiveMime Polyglot Maldocs“. It looks for files that start with %PDF- (this header can be...
