I’ve put this post together to try and demonstrate how to reverse engineer heavily obfuscated malicious code. Attackers will obfuscate their code as they obviously don’t want security analysts to see what they are trying to achieve. This is done by declaring random variables and function names, adding functions that don’t do anything, adding functions that perform tasks that in the end do nothing all in an attempt to make their code unreadable. In this example I will attempt to try and explain how I have pulled apart a piece of malicious obfuscated code. I’m no expert in coding and have only recently started attempting to analyse malicious scripts.
SQLrat is a clever piece of malware which is dropped onto the compromised machine using a malicious Word Document. The document contains macros written in Visual Basic which drop a number of files to disk which run malicious code and will also create scheduled tasks so the malware can persist on disk. One file is obfuscated and uses SQL commands in order to connect to the attackers C2 infrastructure.
Here’s a quick post on how to use Cyber Chef to pull out the obfuscated URL’s in the latest Emotet word doc i’ve seen.
This blog post is aimed at incident response teams who need to investigate and gather evidence from a cisco router in a forensically sound manner. This may be where an internet facing router has been identified and is using default logon creds, perhaps Cisco Smart install was left enabled or you may just want to take a look at who has been poking around on the box. This post outlines how to gather simple things such as logs from the device and also check to see if the IOS has been tampered with and potentially implanted with something malicious.
I’ve taken a look at a couple of Emotet emails today and noticed they have tried to hide their list of C2’s that are embedded within the document.
Here is some analysis I completed on an email I came across that contained a malicious RTF file that dropped Lokibot malware.
I thought this would be a good starting point to share some simple behavioural malware analysis. The sample in this post came from a phishing email that contained a malicious Microsoft Excel file.
I’ve put together this blog for anybody who has an interest in Malware and all the geeky stuff that goes along with it. In my current role I do a lot of Malware analysis and thought it would be cool to share some of what I do with the security community.