Reverse engineering obfuscated code

I’ve put this post together to demonstrate how to reverse engineer heavily obfuscated malicious code. Attackers obfuscate their code because they obviously don’t want security analysts to see what they are trying to achieve. They do this by using random variable and function names, adding functions that do nothing, and adding functions that perform tasks whose results are never used, all in an attempt to make the code unreadable. In this example I will explain how I pulled apart a piece of malicious obfuscated code. I’m no expert in coding and have only recently started analysing malicious scripts.


SQLrat analysis

SQLrat is a clever piece of malware which is dropped onto the compromised machine using a malicious Word document. The document contains macros written in Visual Basic which drop a number of files to disk that run malicious code and also create scheduled tasks so the malware can persist. One of the files is obfuscated and uses SQL commands in order to connect to the attacker’s C2 infrastructure.


Investigating Cisco routers

This blog post is aimed at incident response teams who need to investigate and gather evidence from a Cisco router in a forensically sound manner. This may be a case where an internet-facing router has been identified as using default logon credentials, where Cisco Smart Install was left enabled, or where you simply want to see who has been poking around on the box. This post outlines how to gather simple things such as logs from the device and how to check whether the IOS image has been tampered with and potentially implanted with something malicious.


Emotet C2 obfuscation

I’ve taken a look at a couple of Emotet emails today and noticed they have tried to hide the list of C2s that is embedded within the document.


RTF analysis & Lokibot

Here is some analysis I completed on an email I came across that contained a malicious RTF file that dropped Lokibot malware.


Remcos analysis

I thought this would be a good starting point to share some simple behavioural malware analysis. The sample in this post came from a phishing email that contained a malicious Microsoft Excel file.


Welcome to my blog

I’ve put together this blog for anybody who has an interest in malware and all the geeky stuff that goes along with it. In my current role I do a lot of malware analysis and thought it would be cool to share some of what I do with the security community.
