Outsmarting Advanced Packers: VMProtect – The Service That is Not of so Much Service

Hello paranoids. Recently, I came across an executable and a dropped DLL protected by VMProtect: DIE VMProtect. This turned out to be virtualized VMProtect, which is never good news. I will exemplify the trick using the DLL present on VT. The Idea: when loading the sample in IDA, you will get a couple of warnings … Continue reading Outsmarting Advanced Packers: VMProtect – The Service That is Not of so Much Service

Debugging Services Using WinDbg

Hello paranoids. Recently I have been spending some time going over some samples suspected to be related to the Emissary Panda group. The initial lead was this LinkedIn post. Then, later, one of my colleagues, @0xcpu, mentioned this tweet. TL;DR: the executable drops a DLL, loads it and calls an export that creates a Windows service to run itself. … Continue reading Debugging Services Using WinDbg

Containing the Beast: Managing Inter Thread and Process Complexity

Hello paranoids. Lately I have been investigating Zeus Panda (MD5 82c6a5e05ceec286c79ae978bc746244, or check my repo) which, as one of its features, injects itself into two instances of svchost created by the malware itself. The injected code is then executed using CreateRemoteThread. This is not uncommon, and it adds pain to the analysis since, once the … Continue reading Containing the Beast: Managing Inter Thread and Process Complexity
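As an added example (mine, not code from the original post or the author's repo): the two svchost instances mentioned above are created by the malware rather than by the Service Control Manager, so their parent is the sample instead of services.exe, and they are not given the "-k <group>" argument that services.exe passes. The script below applies that baseline to a process snapshot. The snapshot, the process names and the pid values are constructed for illustration; on a real system the same records would come from Sysmon process-creation events or a process listing.

```python
"""
Added example (not from the original post): flag svchost.exe instances whose
parent or command line does not match how Windows normally starts them.

Assumptions (mine, not the post's):
- A legitimate svchost.exe is started by services.exe and receives a
  "-k <ServiceGroup>" argument.
- Process data is supplied as a list of records; the records below are
  constructed for the example, not captured from the Zeus Panda sample.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str
    cmdline: str


# Constructed process snapshot: two legitimate svchost.exe instances under
# services.exe, and two spawned by a user-land sample (pid 4200), mirroring
# the behaviour the post describes.
SNAPSHOT = [
    Proc(4, 0, "System", ""),
    Proc(600, 500, "services.exe", r"C:\Windows\System32\services.exe"),
    Proc(800, 600, "svchost.exe", r"C:\Windows\System32\svchost.exe -k netsvcs"),
    Proc(900, 600, "svchost.exe", r"C:\Windows\System32\svchost.exe -k LocalService"),
    Proc(3000, 2800, "explorer.exe", r"C:\Windows\explorer.exe"),
    Proc(4200, 3000, "invoice.exe", r"C:\Users\victim\Downloads\invoice.exe"),
    Proc(4300, 4200, "svchost.exe", r"C:\Windows\System32\svchost.exe"),
    Proc(4400, 4200, "svchost.exe", r"C:\Windows\System32\svchost.exe"),
]


def suspicious_svchost(procs):
    """Return (pid, reason) for every svchost.exe that violates the baseline.

    Two independent checks are applied, so a sample that fakes one (for
    example by adding a bogus -k argument) is still caught by the other.
    """
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        if p.name.lower() != "svchost.exe":
            continue
        parent = by_pid.get(p.ppid)
        reasons = []
        if parent is None or parent.name.lower() != "services.exe":
            parent_name = parent.name if parent else "unknown"
            reasons.append(f"parent is {parent_name} (pid {p.ppid}), not services.exe")
        # Pad with spaces so "-k" is matched as a whole argument, not a substring.
        if " -k " not in f" {p.cmdline} ":
            reasons.append("no -k service-group argument")
        if reasons:
            findings.append((p.pid, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for pid, reason in suspicious_svchost(SNAPSHOT):
        print(f"pid {pid}: {reason}")
```

The parent pid reported in each finding is the pivot for the rest of the analysis: it identifies the injector whose CreateRemoteThread call put code into the flagged svchost, which is the process to break on or dump.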

Kernel Whisperer: “Databasing” the Kernel

Hello paranoids. You know those New Year's resolutions that people make? Going to the gym more often, eating healthy, travelling more? Scratch that... I have decided to kickstart my 2018 by working on a research project. The first phase is a tool that I have named Kernel Whisperer (GitHub). The tool you see is not … Continue reading Kernel Whisperer: “Databasing” the Kernel

(Not) All She Wrote (Part 3): Rigged RTF Documents

Hello paranoids. It seems we have reached the final post. Previously, I have addressed PDFs containing exploits and Office documents containing macros and exploits. This post will be lighter than the others, since I won't be doing a full analysis of documents. I have shown you before how you can analyse embedded shellcode once you have it, so I … Continue reading (Not) All She Wrote (Part 3): Rigged RTF Documents

(Not) All She Wrote (Part 2): Rigged Office Documents (Part 2)

Hello paranoids. Following the previous post, I am now going to overview the analysis process for exploits within Office documents. You see, while with PDFs you have a format and a reader (e.g. Adobe Reader), with Office you have lots of acceptable formats and a reader. For instance, Word 2013 is capable of handling … Continue reading (Not) All She Wrote (Part 2): Rigged Office Documents (Part 2)

(Not) All She Wrote (Part 2): Rigged Office Documents (Part 1)

Hello paranoids. Continuing our crusade through the world of malicious documents and following the previous post, I will now describe the approach for Office documents. One of the great things about these is that now we have a means to debug malicious code, which makes the job easier. Once more, I will start by overviewing the … Continue reading (Not) All She Wrote (Part 2): Rigged Office Documents (Part 1)

You allowed this remember?: Bypassing Office Macro Warnings by Leveraging Office’s Poor Memory

Hello paranoids. A couple of days ago I came across a peculiar behaviour involving Office macros. You are probably familiar with the "Enable Content" warning whenever you open a document containing a macro. In order to avoid asking the end user for permission every time he opens the same document, the warning is disabled (i.e. … Continue reading You allowed this remember?: Bypassing Office Macro Warnings by Leveraging Office’s Poor Memory

(Not) All She Wrote (Part 1): Rigged PDFs

Hello paranoids. You know that moment when you get an email with an attached document and a promise of good fortune once you open it? Great, the following set of posts is for you. Lately I have been trying to learn how to speed up the analysis of malicious documents (e.g. PDFs, Office, RTFs). Due to … Continue reading (Not) All She Wrote (Part 1): Rigged PDFs