Channel: Malware – Didier Stevens
Browsing all 102 articles

Update: translate.py Version 2.2.0 for Locky JavaScript Deobfuscation

Over at the ISC Diary I have an entry on Locky JavaScript Deobfuscation. I use my translate tool to perform part of the static analysis. When you read this diary entry, you’ll see that I have to create...

More Obfuscated MIME Type Files

I’m providing a 2-day training at Brucon Spring Training 2016: “Analysing Malicious Documents”. Use promo-code SPRING16 for a 10% discount. I received a maldoc sample (MD5...

Even More Obfuscated MIME Type Files

I’m providing a 2-day training at Brucon Spring Training 2016: “Analysing Malicious Documents”. Use promo-code SPRING16 for a 10% discount. I received another maldoc sample (MD5...

Update: oledump.py Version 0.0.23

I’m providing a 2-day training at Brucon Spring Training 2016: “Analysing Malicious Documents”. Use promo-code SPRING16 for a 10% discount. This new version of oledump brings an update to the –cut...

YARA Rule To Detect VBE Scripts

Malicious documents that drop VBE scripts (VBScript Encode scripts) are in the wild. Here is an example: I have a YARA rule to detect VBE scripts: yara-rules-V0.0.6.zip (https) MD5:...

New YARA Rule: PE_File_pyinstaller

This is a YARA rule to detect PE files that were created with PyInstaller (a tool to convert Python programs to binary executables). More info in my ISC Diary entry: Python Malware – Part 1. /* Version...

Analyzing Office Maldocs With Decoder.xls

There are Office maldocs out there with some complex payload decoding algorithms. Sometimes I don’t have the time to convert the decoding routines to Python, and then I will use the VBA interpreter in...

Maldoc With Process Hollowing Shellcode

Last week I came across a new Hancitor maldoc sample. This sample contains encoded shellcode that starts a new (suspended) explorer.exe process, injects its own code (an embedded, encoded exe) and...

Update: pecheck.py Version 0.6.0 – Overview Of Resources

This new version can produce a compact overview of all the resources in a PE file using option o: -o r. Here is the overview of resources in an exe (malware) created with iexpress: It contains a cab...

Hancitor Maldoc Videos

I produced 4 videos covering the process hollowing maldoc “Maldoc With Process Hollowing Shellcode”.

Quickpost: ClamAV and ZIP File Decryption

While reading-up on ClamAV and YARA, I came across something I wanted to try for some time: have ClamAV decrypt and scan a password protected ZIP file. It can be done by creating a .pwdb password...

CVE-2017-0199

I have an analysis of a CVE-2017-0199 maldoc with my tools here, and produced 2 videos: In the second video, I use nixawk‘s Metasploit module for cve-2017-0199 (not yet merged into the Metasploit...

Malicious Documents: The Matryoshka Edition

I must admit that I was (patiently) waiting for the type of malicious document I’m about to describe now. First I’m going to analyze this document with my tools, and after that I’m going to show you...

Quickpost: WannaCry Killswitch Check Is Not Proxy Aware

It looks like #WannaCry’s killswitch check (www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com) is not proxy aware: Organizations that use proxies will not benefit from the killswitch. Sample:...

Quickpost: WannaCry’s Mutex Is MsWinZonesCacheCounterMutexA0 (Digit Zero At...

I’ve seen reports that WannaCry uses a mutex with name Global\MsWinZonesCacheCounterMutexA. The samples I analyzed all use another mutex: Global\MsWinZonesCacheCounterMutexA0. That’s a digit zero at...

WannaCry Simple File Analysis

In this video, I show how to get started with my tools and a WannaCry sample. Tools: pecheck.py, zipdump.py, strings.py Sample: 84c82835a5d21bbcf75a61706d8ab549

I Will Follow (no, not talking about social media)

I can’t help feeling some kind of satisfaction when a friend uses my tools to analyze malware, and hacks his way to a solution when my tool falls short. In this nice blogpost, @bluejay00 analyzes RTF...

Select Parent Process from VBA

Years ago I wrote a C program to create a new process with a chosen parent process: selectmyparent. And recently I showed what process monitor and system monitor report when you use this tool. Starting...

Analyzing ClamAV Signatures

While updating my Petya/Notpetya notes, I saw that ClamAV now detects resources 1 and 2 (zlib compressed PE files) as Mimikatz. Curious about how they detect Mimikatz, I wanted to take a look at the...

Analyzing ClamAV Signatures – Correction

My previous blog post “Analyzing ClamAV Signatures” is incorrect. Here is a better explanation. I wrongly assumed that the signature printed in the debug statement would be the actual signature in the...
