{ Security-in-bits }

Top Tweets


1/ Interesting technique used by a #Ratty sample for distribution of a malicious JAR (zip) appended to an MSI.
So when the OS sees the jar extension it executes the JRE to handle the file, but what is unique is that zip files are read from bottom to top, so the jar is executed instead of the MSI file; details below: https://t.co/3u7487kUZy

— Securityinbits (@Securityinbits) June 12, 2020

#Avaddon #ransomware uses the simple anti-debugging IsDebuggerPresent API to check for a debugger.

It uses the GetUserDefaultLCID & GetKeyboardLayout APIs to check for locale identifiers that are not Russian (0x419), Ukrainian (0x422), etc.,
as RaaS programs cannot target victims in the CIS.

— Securityinbits (@Securityinbits) June 9, 2020

One of the ways you can #Deobfuscate VBScript is to replace the eval with Wscript.Echo and execute it using cscript. #Malware #MalwareAnalysis

— Securityinbits (@Securityinbits) May 30, 2020

Disclaimer: All the opinions/blog posts are my own and not the views of my employers.

© 2023 Security-in-bits
