Some days ago I started a series of posts about tools and methods for unpacking malware, here you can find the first part. Each malware/packer is very different, and sometimes there are no generic ways to unpack them. But sometimes we can find characteristics shared by a number of them. For example, packers usually rely on weak encryption algorithms and, sometimes, it is possible to attack them.
This is the first part of a series of articles (at least I will write a second part and i hope to continue) where I will write about different ways that I use to unpack malware, and where I will share some tools and scripts that I use frequently for this purpose. I hope these articles and tools will be useful for you 🙂
In this post I would like to share some scripts for WinDbg that they were useful for me while I was reversing malware with antidebug tricks. In the future I would like to write additional scripts related to this issue, and I will update this post to have all together. I hope these scripts will be useful for you too 🙂
In this post I analyze a sample of Poseidon (sample: 1b7f205b663af9a6eb44f18555bdaad86e0fa58f3a9e4aced3e2ae1e3ed472b5, you can read about it here). The original sample is a downloader. It is working, and there are online and working CnCs in the list of CnCs that the sample carries. However the malware could be failing to download the second stage executable (the keylogger) because of a bug in the downloader.
These days TalosIntelligence commented about a new variant of Konni RAT. It is not a complicated malware, but it implements some interesting tricks and functionality typical of RATs. I wanted to take a look at something different (there is more life after the ransomware 🙂 ) and in this post you can find a brief analysis of this RAT. I hope you enjoy it.
These days we have heard a lot about the new Petya (or NotPetya, EternalPetya, etc…) ransomware (or wiper). It propagates itself using the same exploit as WannaCry, eternalBlue. But the malware is using additional method to propagate itsefl. It enumerates local credentials and tries to login into remote machines with psexec for executing itself there. In this article I talk a bit about the Windows api that psexec is using for copying and executing files in a remote machine, and i share a PoC in python.
In this short post i want to share a first quick reversing of petya+eternalblue dll, md5: 3936bda83b590512fa2cfef8acf6c294. It is a first look at it, i hope the information here it is correct.