Zero2Auto - CruLoader Malware

Preface

As part of the course we were instructed to analyze a custom malware sample developed for us. Below is a full analysis of that sample, plus an automated script to extract the final payload of that sample.


Zero2Auto - Netwalker Walk through

Preface

Recently, I've joined @VK and @0verflows advanced malware analysis course called "Zero2Auto". The first lesson was about algorithms in malware: compression, hashing and encryption. The first lesson was supplied with a PDF which is now released as a post by Vitaly, based on another post about the Netwalker sample. I was thinking about how I could practice this lesson, and I concluded that a simple thing I could do is expand upon these two posts, as they were not detailed enough for most beginner reverse engineers. My main goal would be to prove the assumed findings in Vitaly's post by expanding on the mechanisms detailed within it, and to detail new findings that might relate to the lesson's subject, which is how to recognize known encoding algorithms and automate them.


Malware Challenges AnalyzeMe No1

Background

Hello agent 0x00, welcome to the malware analysis training grounds. You are now being trained to become part of the most sophisticated malware analysis teams in the NSA. To fully prepare you for the battlefield, we have created this small course for you to complete.


Master of Rats

Preface

One day I was skimming through abuse.ch. This website collects user-submitted malicious or suspicious URLs, and I stumbled upon something very interesting. I saw that a user who goes by the Twitter handle @Gandylyan1 is uploading huge amounts of daily samples of the same malware variant called Mozi (you can read about it here). This botnet is an IoT P2P botnet that seems to spread like crazy. Gandy is uploading samples as I write this article and there are currently 24,709 IPs uploaded to abuse.ch, and it seems Gandy is the only one uploading them.


The Malware Lake Project

Finding a golden nugget in a lake full of trash

For a while I was wondering: where am I going to find interesting malware? I have these huge sources of unorganized data (Malshare, VirusTotal, VirusShare, Malware Bazaar and AnyRun, and so much more!), but they hold so much data that unless you are looking for something very specific it's highly doubtful that you would find something interesting right off the bat. It felt like all the big boy companies have access to so many resources, while I, a single analyst, have access to so many databases but no way to organize all the IOCs, domains and samples: just a huge mess of data. It's all about perspective, and the way I saw the world looked like this:


The Art of Malware

Bringing the Dead back to life

I would like to dedicate this post (or perhaps series of posts) to Mark Ludwig, the author of The Giant Black Book of Computer Viruses, who passed away in 2011. You sparked my initial interest in viruses back in 2013 when I was only 15, and although back then I could barely understand your book, I would like to make some closure in the modern-day era. You saw viruses as art and self-expression; back then that message resonated with me on levels I cannot describe, and to this day I am affected by it.


Analyzing Modern Malware Techniques Part 4

I’m afraid of no packer

If you're going to analyze malware you are going to run into packers, code injections, obfuscated code and what not. If one doesn't possess the correct knowledge or the correct tools to deal with such problems, he will not get far with his analysis. In fact, when I first started practicing malware analysis somewhere back in 2015 I stopped because I couldn't understand how to unpack packed code, and I quit trying. So I tried again around 2017... and I quit again. This time (in 2019) I didn't quit, but only because I had the proper tools to deal with the problem. Packed code is usually a dynamic problem, and by that I mean that most of the time when you encounter packed malware it's not going to be the same packed code, but if you have the tools to deal with the problem I guess you could defeat any packer. Still, I'll remain humble and admit that I still don't have enough experience to deal with all types of packed code, but I'm hoping that today, my dear reader, together we can bring more experience into our reverse engineering arsenal and learn together how to defeat packed code. I would like to put my efforts in this post into finding anti-analysis techniques that bypass my ScyllaHide plugin and into learning how to deobfuscate binaries to ease analysis. Let's begin!


Analyzing Modern Malware Techniques Part 3

A case of PowerShell, Excel 4 Macros and VB6 (part 2 of 2)

When I was watching The Cycle Of Cyber Threat Intelligence the other day I learned about the concept called "biases" and how it interferes with researchers, causes them time delays and leads to big mistakes in general when it comes to research. In this part of the research I was no stranger to my own biases: I like to get my hands dirty, dig deep into binaries and understand EVERYTHING that goes on under the hood. It's simply my nature and my curiosity that can get the better of me. As I was researching this sample, I insisted for the first few days on analyzing everything by myself, instead of using the great tools that were at my disposal. I ended up spending A LOT of time attempting to unpack the loader instead of using other tools in my arsenal that helped me further analyze the malware itself, including the heavily obfuscated loader, thus proving that I, like everyone else, have my own biases, and sometimes it's better to simply stop, reassess your goals and re-attempt to understand the big picture. So here we go: Part 3. Hope you enjoy this one :)


Analyzing Modern Malware Techniques Part 2

A case of PowerShell, Excel 4 Macros and VB6 (part 1 of 2)

In continuation of my previous article, I wanted to focus on the next techniques I listed in my previous article (macros and PowerShell). These go under the category of LOLbins (how people don't die laughing from just saying that noun is beyond me). LOLbins are used to "live off the land", which means the malware will utilize built-in Windows tools to avoid detection. From being active on Twitter and keeping up with current threat news, macros and PowerShell seem to be the main attack vector when it comes to your average malware sample. As someone who enjoys getting his hands dirty with assembly, I was not very excited to dig into this, but what I found, though not that special, proved to be quite a challenge to analyze for a novice like me (maybe I should be more humble). Anyway, let's begin!


Analyzing Modern Malware Techniques Part 1

Fileless Malware - A self loading technique

Fileless malware is nothing new, but it is very much in use today. The idea is to load a payload into memory and to leave as little evidence as possible on the hard drive of the computer. This can be achieved by various techniques such as:
