Emotet Maldoc Analysis – Embedded DLL and CertUtil for Base64 Decoding

On 11/10/2020, AnyRun posted an Emotet maldoc that utilized CertUtil to decode a DLL payload that was used for unpacking and running the Emotet trojan. This is a deviation from normal use of obfuscated base64 PowerShell command as well as embedding the DLL into the maldoc instead of retrieving from a compromised host. This video provides analysis of the document using both static and dynamic techniques, as well as a walk-through of the macro code. The original Tweet from AnyRun can be found at: https://twitter.com/anyrun_app/status/1326157565840023553 Analysis of an Emotet document that uses PowerShell from earlier this year can be found…

Read more

Reverse Engineering with Ghidra – Calling Conventions

I’ve posted a short video that takes a look at three prevalent calling conventions: C Declaration, standard call and fast call. I will show you how to compile sample programs from source, load them in Ghidra and analyze the disassembly/decompiler output to observe the differences in the calling conventions. The source code for the sample program can be found on my Github:https://github.com/jstrosch/learning-reverse-engineering/tree/master/Calling%20Conventions

Read more

Maldoc Workshop at Hack-in-the-Box CyberWeek (UAE)

I gave a free 4-hour workshop as part of the Hack-in-the-Box (HITB) CyberWeek (November 15th, 2020). The focus of this workshop was on analyzing malicious Word and Excel documents: Malicious office documents continue to be an effective tool for threat actors to compromise their victims and gain access to an organization’s network. While these documents have been around for a while, malware authors continue to find effective ways of abusing functionality to minimize their detection. This year alone we have seen a resurgence of such techniques through the use of Excel 4 Macros and other creative ways to bypass detection….

Read more

Reversing Data Structures with Ghidra: Structures

In this video we’ll take a look at a couple of different structures in a C program, compile from source and reverse them using Ghidra. Our goals will be to analyze the resulting structures using both the listing view (disassembly) and the decompiler, identify member usage, overall size and element size. We’ll also discuss the different between using the stack and heap for structure memory as well as explore padding and it’s impact on overall structure size. I’ll also discuss some inconsistencies with Ghidra output. A discussion on reversing arrays can be found at: https://youtu.be/eNxckomOing The source code for the…

Read more

Reversing Data Structures with Ghidra: Arrays

In this video we’ll take a look at several different arrays in a C program, compile from source and reverse them using Ghidra. Our goals will be to analyze the resulting program flow using both the listing view (disassembly) and the decompiler, identify array usage, overall size and element size. I’ll also discuss some inconsistencies with Ghidra output, how to identify and how to correct. The source code for the sample program can be found on my Github:https://github.com/jstrosch/learning-reverse-engineering/tree/master/Control%20Structures

Read more