Malware Analysis

AsyncRAT config decryption using CyberChef – Recipe 2

August 7, 2023

.NET, AsyncRAT, Config, CyberChef, CyberChef Recipe, RAT, Remote Access Tool

In the realm of malware analysis, tools like CyberChef play a pivotal role. One of the challenges that malware analysts often face is decrypting configurations of Remote Access Trojans (RATs) like AsyncRAT. This article provides a step-by-step guide on how to decrypt AsyncRAT configurations using CyberChef. Decrypting AsyncRAT ConfigurationsAsyncRAT is…

AsyncRAT: Config Decryption Techniques and Salt Analysis

August 5, 2023

.NET, AsyncRAT, Config, CyberChef, CyberChef Recipe, RAT, Remote Access Tool

In this article, we dive into the inner workings of AsyncRAT. This Remote Access Trojan (RAT) has seen a staggering 20% surge in its activity during the last quarter, as reported by the Spamhaus report. We’ll explore diverse decryption methods for the AsyncRAT configuration and explore the AES Salts used in…

Interesting tactic by Ratty & Adwind for distribution of JAR appended to signed MSI – CVE-2020-1464

June 28, 2020

Adwind, binwalk, Bytecode Viewer, CVE-2020-1464, file, Glueball, IoCs, JAR, Java, MSI, RAT, Ratty, xxd, Yara, ZIP

This article discusses an interesting tactic actively used by different Java RAT malware authors like Ratty & Adwind to distribute malicious JAR appended to signed MSI files. This technique was discovered by VT Team in Aug 2018[9] but that time it was not used by malware authors to distribute malicious…

Similarity between Qealler/Pyrogenic variants -Part 0x3

February 4, 2020

Bytecode Viewer, Infostealer, Java, Pyrogenic, Qealler

In this last part, we will compare Old Qealler with the new Qealler/Pyrogenic variant. The previous posts Pyrogenic Infostealer static analysis – Part 0x1 & Unpacking Pyrogenic/Qealler using Java agent -Part 0x2 went through the latest Pyrogenic/Qealler [6] statically and dumping the unpacked code using Java agent. CONTENTS Brief Timeline…

Unpacking Pyrogenic/Qealler using Java agent -Part 0x2

January 17, 2020

Bytecode Viewer, Infostealer, Java, Java agent, Pyrogenic, Qealler

We will learn how and when we can use Java agent to quickly unpack the Pyrogenic Infostealer. In the earlier post Pyrogenic Infostealer static analysis – Part 0x1 we statically analysed the Pyrogenic/Qealler Infostealer but this requires more time and effort. We will be using the same sample PaymAdviceVend_LLCRep.jar from…

Qealler Infostealer static analysis – Part 0x1

January 6, 2020

Bytecode Viewer, Infostealer, Java, Pyrogenic, Qealler, T1043, T1503

Qealler is heavily obfuscated Java based Infostealer which is quite active based on ANY.RUN submission. This will be a three part blog series, this post will focus on Qealler/Pyrogenic static analysis, next part 0x2 we learn unpacking using Java agent and in the last part 0x3 we find similarity between…

Parent PID Spoofing (Stage 2) Ataware Ransomware – Part 0x3

May 14, 2019

Ataware, Ghidra, PE, Ransomware, Strings, Sysmon

Ataware Ransomware Stage 2 uses Parent PID Spoofing technique to change its parent PID to lsass.exe and this article is also referred to in Mitre Attack website [4]. You may download the ATAPIConfiguration.exe file from ANY.RUN (MD5: 04a2e6400b22a3a5e5e277eceaf2ce0c) Please check previous posts, if you are interested in the complete infection…

UAC bypass analysis (Stage 1) Ataware Ransomware – Part 0x2

May 7, 2019

Ataware, CMSTP, Ghidra, PE, Ransomware, Strings, Sysmon, T1088, T1191, T1218

Ataware Ransomware uses UAC bypass using CMSTPLUA COM interface in ATAPIinit.exe (Stage 1). It was downloaded from Dropbox url when the user opened the malicious Excel and enabled the Macro. For details, please check the previous Excel 4.0 Macro Analysis – Ataware Ransomware Part 1. You may download the ATAPIinit.exe…

Excel 4.0 Macro, hta, VBScript & PowerShell Analysis Ataware Ransomware – Part 0x1

April 30, 2019

Ataware, Deobfuscation, hta, Macro analysis, PowerShell, Ransomware, T1086, T1170, VBScript, xls

This will be a multiple part blog series analysing the complete infection chain from Excel to Ataware Ransomware. In this post we will discuss analysis steps for hta, VBScript & PowerShell code to extract the final payload url. Let’s start with xls, I was browsing Twitter for an interesting sample,…

Deobfuscate PowerShell using PowerShell Logging

April 20, 2019

Deobfuscation, Emotet, PowerShell, Qakbot

We will use inbuilt PowerShell Logging in Windows 10 VM to deobfuscate PowerShell code used to deliver Emotet & Qakbot. Malware uses PowerShell mostly to download payload from CC and execute it. Why do we need to do this? Easy technique to deobfuscate PowerShell without using any external tool Extract…