(Not) All She Wrote (Part 3): Rigged RTF Documents

Hello paranoids. It seems we have reached the final post. Previously, I have addressed PDFs containing exploits and Office documents containing macros and exploits. This post will be lighter than the others since I won't be doing a full analysis of documents. I have shown you before how you can analyse embedded shellcode once you have it, so I …


(Not) All She Wrote (Part 2): Rigged Office Documents (Part 2)

Hello paranoids. Following the previous post, I am now going to overview the analysis process for exploits within Office documents. You see, while with PDFs you have one format and one reader (e.g. Adobe Reader), with Office you have lots of acceptable formats and a reader. For instance, Word 2013 is capable of handling …

(Not) All She Wrote (Part 2): Rigged Office Documents (Part 1)

Hello paranoids. Continuing our crusade through the world of malicious documents and following the previous post, I will now describe the approach for Office documents. One of the great things about these is that now we have a means to debug malicious code, which makes the job easier. Once more, I will start by overviewing the …

(Not) All She Wrote (Part 1): Rigged PDFs

Hello paranoids. You know that moment when you get an email with an attached document and a promise of good fortune once you open it? Great, the following set of posts is for you. Lately I have been trying to learn how to speed up the analysis of malicious documents (e.g. PDFs, Office, RTFs). Due to …

63 Problems But Malware Ain’t One: 882aef202a56008ad20a61c8960eb830

Hello paranoids. As promised, I am back to reversing stuff. This time, and following the previous sequence of posts, I have decided to pick an Android malware for analysis. Without further ado, let us begin.

Malware Characteristics
MD5: 882aef202a56008ad20a61c8960eb830
Family name: Ginmaster (GingerMaster)
Obfuscation/Packing: Yes/No

GingerMaster was the first Android malware using the GingerBreak exploit, an exploit that affects GingerBread …

63 Problems But Malware Ain’t One: 8ca23d7bdf520c3e7ac538c1ceb7b555 (Unpacked Sample)

Hello paranoids. Recovered from my previous post? No? Great! My overall objectives for the previous post were to:
- show you how to unpack malware
- explain unpacking constructions (e.g. anti-debugging, shellcode, dynamic resolution of dependencies)

In this post, I intend to:
- go over some network/host tracks left by the malware
- cover the malware's supported commands and features

The …

63 Problems But Malware Ain’t One: 8ca23d7bdf520c3e7ac538c1ceb7b555 (Unpacking)

Hello paranoids. As I mentioned in my previous post, I have started a Reverse Engineering/Malware Analysis journey. One of the topics I find most interesting about malware is packing. A packer is an algorithm that manipulates a simple binary and adds one or more of the following features (this is not an exhaustive list): cryptors and/or compressors: e.g. …