Sharing my learning from my Malware Analysis journey. All the articles focus on 0x1 topic, so it’s security-in-bits.

Malware Analysis Series

Java Malware Analysis – Qealler/Pyrogenic

This series discusses Pyrogenic/Qealler, a heavily obfuscated Java-based infostealer, but the techniques and methods used in the series can be applied to any Java malware. Part 0x1 starts with static analysis of the first layer of obfuscation; in part 0x2 you will learn unpacking using a Java agent; and in the last part, 0x3, we find similarities between Qealler/Pyrogenic variants based on static code analysis.

Unique Infection Vector – Ataware

Unique Infection vector from Excel 4.0 Macro to Ransomware – Ataware

This series covers the infection chain of a very interesting ransomware with a unique infection vector: xls -> Excel 4.0 Macro (XLM) -> mshta -> Dropbox URL -> hta -> VBScript -> PowerShell -> Dropbox URL -> exe. The series uses Ghidra for reversing PE files and Sysmon for dynamic analysis.
Part 0x1 starts with the basics of the analysis steps for hta, VBScript and PowerShell; in part 0x2 you will learn about UAC bypass using the CMSTPLUA COM interface, analysed with Ghidra; and in the last part, 0x3, we analyse the binary from WinMain through to the Parent PID Spoofing technique. This is one of the best samples from which you can learn different techniques.

Deobfuscation of Macro & PowerShell – Emotet

This video series covers the deobfuscation of the Office macro and PowerShell used in the Emotet infection chain: Email -> doc -> Macro -> PowerShell -> exe. Part 0x1 will show you the process to analyse the obfuscated malicious macro embedded in the Emotet downloader Office document, and part 0x2 will deobfuscate the PowerShell extracted from the macro.

Video Tutorials

Tips

These posts cover tips and techniques which you can use to speed up your malware analysis.

Wireshark filter

Important Wireshark filters

We will look into some of the Wireshark display filters which can be used in malware analysis. We can use these Wireshark display filters after we capture a pcap during dynamic malware analysis. Why do we need to do this? Help us…
Basics 101

These are the basic posts you must know for malware analysis.

Sysinternal strings help

Extract strings

Extracting strings is an important step in malware analysis. In this post we will concentrate on static analysis and learn how we can extract and interpret strings from malware. Why do we need to do this? To guess the malware functionality based on the strings.…