Containing the Beast: Managing Inter Thread and Process Complexity

Hello paranoids. Lately I have been investigating Zeus Panda (MD5 82c6a5e05ceec286c79ae978bc746244 or check my repo) which, as one of its features, injects itself into two instances of svchost created by the malware itself. The injected code is then executed using CreateRemoteThread. This is not uncommon and it adds pain to the analysis since once the …


(Not) All She Wrote (Part 3): Rigged RTF Documents

Hello paranoids. It seems we have reached the final post. Previously, I have addressed PDFs containing exploits and Office documents containing macros and exploits. This post will be lighter than the others since I won't be doing a full analysis of documents. I have shown you before how you can analyse embedded shellcode once you have it, so I …

(Not) All She Wrote (Part 2): Rigged Office Documents (Part 2)

Hello paranoids. Following the previous post, I am now going to overview the analysis process for exploits within Office documents. You see, while with PDFs you have a format and a reader (e.g. Adobe Reader), with Office you have lots of acceptable formats and a reader. For instance, Word 2013 is capable of handling …

(Not) All She Wrote (Part 2): Rigged Office Documents (Part 1)

Hello paranoids. Continuing our crusade through the world of malicious documents and following the previous post, I will now describe the approach for Office documents. One of the great things about these is that now we have a means to debug malicious code, which makes the job easier. Once more, I will start by overviewing the …

(Not) All She Wrote (Part 1): Rigged PDFs

Hello paranoids. You know that moment when you get an email with an attached document and a promise of good fortune once you open it? Great, the following set of posts is for you. Lately I have been trying to learn how to speed up analysis of malicious documents (e.g. PDFs, Office, RTFs). Due to …

63 Problems But Malware Ain’t One: 882aef202a56008ad20a61c8960eb830

Hello paranoids. As promised I am back to reverse stuff. This time, and following the previous sequence of posts, I have decided to pick an Android malware for analysis. Without further ado, let us begin. Malware characteristics: MD5: 882aef202a56008ad20a61c8960eb830; Family name: Ginmaster (GingerMaster); Obfuscation/Packing: Yes/No. GingerMaster was the first Android malware using the GingerBreak exploit, an exploit that affects GingerBread …

63 Problems But Malware Ain’t One: 8ca23d7bdf520c3e7ac538c1ceb7b555 (Unpacked Sample)

Hello paranoids. Recovered from my previous post? No? Great! My overall objectives for the previous post were to: show you how to unpack malware; unpacking constructions (e.g. anti-debugging, shellcode, dynamic resolution of dependencies). On this post, I intend to: go over some network/host tracks left by the malware; malware supported commands and features. The …

63 Problems But Malware Ain’t One: 8ca23d7bdf520c3e7ac538c1ceb7b555 (Unpacking)

Hello paranoids. As I referred to in my previous post, I have started a Reverse Engineering/Malware Analysis journey. One of the topics I find most interesting about malware is packing. A packer is an algorithm that manipulates a simple binary and adds one or more of the following features (this is not an exhaustive list): cryptors and/or compressors: e.g. …