What is this all about

-
I have a few goals for this blog:
  • Hone my skills by analyzing malware on a regular, more frequent basis.
  • Learn new analysis tools and techniques
  • Contribute to malware OSINT via social media and other sharing methods
  • Eventually, progress to full blown reverse engineering of malware
I'm hoping to keep things useful and simple. My biggest influence is https://www.malware-traffic-analysis.net/. Brad provides useful malicious IOCs and traffic analysis on a near-daily basis. Big fan.

Some techniques you will see here may be considered amateur. I'm open to feedback.

Here we go.

Love,
casual_malware

Comments

Post a Comment

Popular posts from this blog

BACKLOG: NanoCore and AgentTesla double tap (maybe triple?)

-
Image
Files: File name: LFPEHS.exe MD5: 450c0d7521b121a919e62401d50a2182 SHA256: 1d9526fe126321b49469341dbac0c9bbb247f896f4f836d93b4f361183e93a5e Filesize: 207872 bytes File name: MMCRLC.vbs MD5: 266f15a950f233e279095158cb2cfe8f SHA256: d391a3570354b37aafe3340aa92da365d533b4edd1adb80fffab14d0cee29a67 Filesize: 858 bytes File name: S007591119000628_XLSX.exe MD5: 792f42f7a4ba4d37015d658e1573cff2 SHA256: c4acc931c61a4b4da44510e645913f78588e2b655bf45790219407cb0b1c3132 Filesize: 1852424 bytes File name: S007591119000628_XLSX.ISO MD5: 2482a65df50ca7ef9d7445dcd5985ada SHA256: bc603a3b6ebf6e1312ad79e8e409c93ac53bfdedb65d961db6bf57cf947a19dd Filesize: 2424832 bytes File name: XAAHKP.exe MD5: 39ee891b8bdbd9ba987b5c4faafb84bd SHA256: 286803e00ea5f401dc94c9b25130716598210f33e4bf4465fb9fa0490231b176 Filesize: 207360 bytes Download  (password: malware) Quick note: These files all originated from the exe inside S007591119000628_XLSX.ISO. No internet connection needed. URLs:
Read more

fiddling with obfuscated javascript

-
Image
Most malware authors automate the obfuscation of their javascript downloaders, making analysis difficult. Luckily, you rarely need to completely deobfuscate the javascript to progress with your analysis. If you can identify the primary function used to handle obfuscated strings you can then use a few quick tricks to obtain interesting data from the javascript file without having to run it. Identifying the deobfuscation function at a glance: Most of the deobf functions I see contain a lot of string and character manipulation functions & methods. Some to look for include: parseInt() toString() substr() String.fromCharCode() charCodeAt() UCHAR() More info on common javascript obfuscation methods and the functions utilized can be found here:  https://github.com/bl4de/research/blob/master/javascript-malware-obfuscation/Simple_JavaScript_malware_code_obfuscation_examples.md#basic-obfuscation-methods---expressions-comma-operator-parseint-and-tostring-method Here is an exampl
Read more