Malware Analysis

Interesting tactic by Ratty & Adwind for distribution of JAR appended to signed MSI – CVE-2020-1464

Adwind, binwalk, Bytecode Viewer, CVE-2020-1464, file, Glueball, IoCs, JAR, Java, MSI, RAT, Ratty, xxd, Yara, ZIP

This article discusses an interesting tactic actively used by different Java RAT malware authors like Ratty & Adwind to distribute malicious JAR appended to signed MSI files. This technique was discovered by VT Team in Aug 2018[9] but that time it was not used by malware authors to distribute malicious…

Similarity between Qealler/Pyrogenic variants -Part 0x3

Bytecode Viewer, Infostealer, Java, Pyrogenic, Qealler

In this last part, we will compare Old Qealler with the new Qealler/Pyrogenic variant. The previous posts Pyrogenic Infostealer static analysis – Part 0x1 & Unpacking Pyrogenic/Qealler using Java agent -Part 0x2 went through the latest Pyrogenic/Qealler [6] statically and dumping the unpacked code using Java agent. CONTENTS Brief Timeline…

Unpacking Pyrogenic/Qealler using Java agent -Part 0x2

Bytecode Viewer, Infostealer, Java, Java agent, Pyrogenic, Qealler

We will learn how and when we can use Java agent to quickly unpack the Pyrogenic Infostealer. In the earlier post Pyrogenic Infostealer static analysis – Part 0x1 we statically analysed the Pyrogenic/Qealler Infostealer but this requires more time and effort. We will be using the same sample PaymAdviceVend_LLCRep.jar from…

Qealler Infostealer static analysis – Part 0x1

Bytecode Viewer, Infostealer, Java, Pyrogenic, Qealler, T1043, T1503

Qealler is heavily obfuscated Java based Infostealer which is quite active based on ANY.RUN submission. This will be a three part blog series, this post will focus on Qealler/Pyrogenic static analysis, next part 0x2 we learn unpacking using Java agent and in the last part 0x3 we find similarity between…

Parent PID Spoofing (Stage 2) Ataware Ransomware – Part 0x3

Ataware, Ghidra, PE, Ransomware, Strings, Sysmon

Ataware Ransomware Stage 2 uses Parent PID Spoofing technique to change its parent PID to lsass.exe and this article is also referred to in Mitre Attack website [4]. You may download the ATAPIConfiguration.exe file from ANY.RUN (MD5: 04a2e6400b22a3a5e5e277eceaf2ce0c) Please check previous posts, if you are interested in the complete infection…

UAC bypass analysis (Stage 1) Ataware Ransomware – Part 0x2

Ataware, CMSTP, Ghidra, PE, Ransomware, Strings, Sysmon, T1088, T1191, T1218

Ataware Ransomware uses UAC bypass using CMSTPLUA COM interface in ATAPIinit.exe (Stage 1). It was downloaded from Dropbox url when the user opened the malicious Excel and enabled the Macro. For details, please check the previous Excel 4.0 Macro Analysis – Ataware Ransomware Part 1. You may download the ATAPIinit.exe…

Excel 4.0 Macro, hta, VBScript & PowerShell Analysis Ataware Ransomware – Part 0x1

Ataware, Deobfuscation, hta, Macro analysis, PowerShell, Ransomware, T1086, T1170, VBScript, xls

This will be a multiple part blog series analysing the complete infection chain from Excel to Ataware Ransomware. In this post we will discuss analysis steps for hta, VBScript & PowerShell code to extract the final payload url. Let’s start with xls, I was browsing Twitter for an interesting sample,…

Deobfuscate PowerShell using PowerShell Logging

Deobfuscation, Emotet, PowerShell, Qakbot

We will use inbuilt PowerShell Logging in Windows 10 VM to deobfuscate PowerShell code used to deliver Emotet & Qakbot. Malware uses PowerShell mostly to download payload from CC and execute it. Why do we need to do this? Easy technique to deobfuscate PowerShell without using any external tool Extract…

Deobfuscate Emotet PowerShell – Part 0x2

Deobfuscation, Downloader, Emotet, PowerShell, Video Tutorial

We will deobfuscate PowerShell and extract CC from the PowerShell cmd extracted from the Emotet downloader macro discussed in the previous article. If you want to learn how to deobfuscate and analyse the malicious macro code, please check this article and video. Video Tutorial Let see how to use this above…

Deobfuscate malicious macro – Part 0x1

Deobfuscation, Doc, Downloader, Emotet, Macro analysis, Video Tutorial

We will concentrate on malicious macro embedded in Emotet downloader office documents and see how to deobfuscate the macro code. In the next post we will deobfuscate the PowerShell executed by Word Doc. Why do we need to do this? Malicious code embedded in macro instead of exploit Clean up…