Sharing my learning in Malware Analysis journey. All the articles focus on 0x1 topic so it’s security-in-bits.


Malware Analysis Series

Java Malware Analysis – Qealler/Pyrogenic

This series discuss about Pyrogenic/Qealler which is heavily obfuscated Java based Infostealer but the techniques/methods used in the series can be applied to any Java malware. Part 0x1 start with static analysis of first layer of obfuscation, next part 0x2 you will learn unpacking using Java agent and in the last part 0x3 we find similarity between Qealler/Pyrogenic variants based on static code analysis.

Unique Infection vector from Excel 4.0 Macro to Ransomware – Ataware

This series cover infection chain of very interesting ransomware with unique infection vector xls -> Excel 4.0 Macro(XLM) -> mshta -> Dropbox url -> hta -> VBScript -> PowerShell -> Dropbox url -> exe . This series uses Ghidra for reversing PE files and uses Sysmon for dynamic analysis.
Part 0x1 start with basics of analysing steps for hta, VBScript & PowerShell, next part 0x2 you will learn about UAC bypass using CMSTPLUA COM interface using Ghidra and in the last part 0x3 we find analyse the binary from WinMain to Parent PID Spoofing technique. This is one of the best sample from which you can learn different techniques.

Deobfuscation of Macro & PowerShell – Emotet

This video series cover the of deobfuscation of Office Macro and PowerShell used in Emotet infection chain Email ->doc -> Macro -> PowerShell -> exe. Part 0x1 will show you process to analyse obfuscated malicious macro embedded in Emotet downloader office document and next part 0x2 will deobfuscate PowerShell extracted from Macro.


This posts cover the tips/techniques which you can use to speed up your Malware Analysis.

Basics 101

This are the basic posts which you must be knowing for Malware Analysis.

Sysinternal strings help

Extract strings

turned_in_not, ,
Extracting strings is an important step in malware analysis. In this post we will concentrate on static analysis and learn how we can extract/interpret strings from malware. You can download Rokrat (MD5: b441d9a75c60b222e3c9fd50c0d14c5b) from VirusTotal / VirusBay / ANY.RUN. Why do we…
Read More