Malware Analysis

UAC bypass analysis (Stage 1) Ataware Ransomware – Part 0x2

May 7, 2019

Ataware, CMSTP, Ghidra, PE, Ransomware, Strings, Sysmon, T1088, T1191, T1218

Ataware Ransomware uses UAC bypass using CMSTPLUA COM interface in ATAPIinit.exe (Stage 1). It was downloaded from Dropbox url when the user opened the malicious Excel and enabled the Macro. For details, please check the previous Excel 4.0 Macro Analysis – Ataware Ransomware Part 1. You may download the ATAPIinit.exe…

Excel 4.0 Macro, hta, VBScript & PowerShell Analysis Ataware Ransomware – Part 0x1

April 30, 2019

Ataware, Deobfuscation, hta, Macro analysis, PowerShell, Ransomware, T1086, T1170, VBScript, xls

This will be a multiple part blog series analysing the complete infection chain from Excel to Ataware Ransomware. In this post we will discuss analysis steps for hta, VBScript & PowerShell code to extract the final payload url. Let’s start with xls, I was browsing Twitter for an interesting sample,…

Deobfuscate PowerShell using PowerShell Logging

April 20, 2019

Deobfuscation, Emotet, PowerShell, Qakbot

We will use inbuilt PowerShell Logging in Windows 10 VM to deobfuscate PowerShell code used to deliver Emotet & Qakbot. Malware uses PowerShell mostly to download payload from CC and execute it. Why do we need to do this? Easy technique to deobfuscate PowerShell without using any external tool Extract…

Deobfuscate Emotet PowerShell – Part 0x2

May 26, 2018

Deobfuscation, Downloader, Emotet, PowerShell, Video Tutorial

We will deobfuscate PowerShell and extract CC from the PowerShell cmd extracted from the Emotet downloader macro discussed in the previous article. If you want to learn how to deobfuscate and analyse the malicious macro code, please check this article and video. Video Tutorial Let see how to use this above…

Deobfuscate malicious macro – Part 0x1

May 20, 2018

Deobfuscation, Doc, Downloader, Emotet, Macro analysis, Video Tutorial

We will concentrate on malicious macro embedded in Emotet downloader office documents and see how to deobfuscate the macro code. In the next post we will deobfuscate the PowerShell executed by Word Doc. Why do we need to do this? Malicious code embedded in macro instead of exploit Clean up…

Extract strings

April 29, 2018

PE, Rokrat, Strings

Extracting strings is an important step in malware analysis. In this post we will concentrate on static analysis and learn how we can extract/interpret strings from malware. You can download Rokrat (MD5: b441d9a75c60b222e3c9fd50c0d14c5b) from VirusTotal / VirusBay / ANY.RUN. Why do we need to do this? Guess the malware functionality based on…