A Blog about Malware Analysis and Reverse Engineering

It is common for threat actors to utilize living off the land (LOTL) techniques, such as the execution of PowerShell to further their attacks and transition from macro code. This lab is intended to show how you can often times perform quick analysis to extract important IOCs. While there may be several ways to answer…

Recently, we have seen a resurgence of Excel-based malicious office documents. However, instead of using VBA-style macros, they are using older style Excel 4 macros. This changes our approach to analyzing these documents, requiring a slightly different set of tools. In this challenge, you’ll get hands-on with two documents that use Excel 4.0 macros to…

In this video, we’ll look into installing OLEDUMP in Microsoft Windows. Microsoft office documents are a common vehicle used by malware authors to deliver malware. These documents, used for malicious purposes, are commonly referred to as maldocs. While there has been a variety of ways in which they have been used, one of the more…

In this video, we’ll explore a recent XLS document that drops and executes a DLL using RUNDLL32. The DLL is small and only used to download the next stage. However, it employs rather straight-forward string obfuscation using the bitwise XOR operation. An important skill for any reverse engineer/malware analyst is to be able to create…

Analyzing network traffic is an important step in developing a proactive threat hunting program. This course will teach you how to perform network traffic analysis using Arkime to find threats in your network. https://www.pluralsight.com/courses/network-analysis-arkime Finding undetected threats in your network through proactive network analysis requires the right tools. In this course, Network Analysis with Arkime,…

On 11/10/2020, AnyRun posted an Emotet maldoc that utilized CertUtil to decode a DLL payload that was used for unpacking and running the Emotet trojan. This is a deviation from normal use of obfuscated base64 PowerShell command as well as embedding the DLL into the maldoc instead of retrieving from a compromised host. This video…

I’ve posted a short video that takes a look at three prevalent calling conventions: C Declaration, standard call and fast call. I will show you how to compile sample programs from source, load them in Ghidra and analyze the disassembly/decompiler output to observe the differences in the calling conventions. The source code for the sample…

I gave a free 4-hour workshop as part of the Hack-in-the-Box (HITB) CyberWeek (November 15th, 2020). The focus of this workshop was on analyzing malicious Word and Excel documents: Malicious office documents continue to be an effective tool for threat actors to compromise their victims and gain access to an organization’s network. While these documents…

In this video we’ll take a look at a couple of different structures in a C program, compile from source and reverse them using Ghidra. Our goals will be to analyze the resulting structures using both the listing view (disassembly) and the decompiler, identify member usage, overall size and element size. We’ll also discuss the…

In this video we’ll take a look at several different arrays in a C program, compile from source and reverse them using Ghidra. Our goals will be to analyze the resulting program flow using both the listing view (disassembly) and the decompiler, identify array usage, overall size and element size. I’ll also discuss some inconsistencies…