Discover and read the best of Twitter Threads about #cyberchef
Most recents (15)
🐀 AsyncRAT 🐀 - Defeating Obfuscation Using CyberChef
An overview of some advanced CyberChef tricks for decoding malware
[1/12] 🧵
#AsyncRAT #Decoding #CyberChef #Malware
An overview of some advanced CyberChef tricks for decoding malware
[1/12] 🧵
#AsyncRAT #Decoding #CyberChef #Malware
[2/] First, some links if you wish to follow along.
The Malware File: bazaar.abuse.ch/sample/26c9f29…
Links to CyberChef Recipes:
github.com/embee-research…
The Malware File: bazaar.abuse.ch/sample/26c9f29…
Links to CyberChef Recipes:
github.com/embee-research…
[3] Decimal Values:
Some text is converted to decimal to hinder simple text based analysis.
To defeat:
- Subsection - This grabs encoded data without removing the rest of the script
- Regex - Grab the decimal and ignore the "chr" junk
- From Decimal - Decode the decimal
Some text is converted to decimal to hinder simple text based analysis.
To defeat:
- Subsection - This grabs encoded data without removing the rest of the script
- Regex - Grab the decimal and ignore the "chr" junk
- From Decimal - Decode the decimal
Ursnif Loader (Javascript) - Manual Decoding Using Cyberchef
[1/13] 👇🧵
#Cyberchef #Decoding #Ursnif #Malware
[1/13] 👇🧵
#Cyberchef #Decoding #Ursnif #Malware
[1.1] A quick summary/TLDR before we get started
- Remove comments (manually or using regex)
- Remove "split" strings (manually or using regex)
- Remove obfuscated numbers
- (optional) Rename Variables
- Apply beautifier and syntax highlight
- Remove comments (manually or using regex)
- Remove "split" strings (manually or using regex)
- Remove obfuscated numbers
- (optional) Rename Variables
- Apply beautifier and syntax highlight
[2] First, I downloaded the sample from Malware Bazaar and loaded it into a safe analysis VM.
You can find the same sample here
bazaar.abuse.ch/sample/2a72302…
You can find the same sample here
bazaar.abuse.ch/sample/2a72302…
Potential #DanaBot Loader - De-Obfuscation using CyberChef and Python.
Sample: bazaar.abuse.ch/sample/80aad66…
C2: 0/90 VT
Script: 5/59 VT
[1/5] 👇
#Regex #python #cyberchef #malware
Sample: bazaar.abuse.ch/sample/80aad66…
C2: 0/90 VT
Script: 5/59 VT
[1/5] 👇
#Regex #python #cyberchef #malware
[2/5] Note the initial script contains a large amount of junk comments to mask the "real" code.
These can be removed using #cyberchef and a short #regex.
Find and Replace
^(REM|').*\n
These can be removed using #cyberchef and a short #regex.
Find and Replace
^(REM|').*\n
[3/5] There are some long junk numbers scattered throughout the code.
Personally, I decoded with Python and an eval inside of a safe VM.
Personally, I decoded with Python and an eval inside of a safe VM.
(Possible) AsyncRat loader - Interesting regex to decode the obfuscated C2.
Script was found on host with an active #AsyncRat infection.
#malware #regex #decoding
Script was found on host with an active #AsyncRat infection.
#malware #regex #decoding
[1/6] The team at @HuntressLabs are still observing IronPython executables used to load #malware.
In these cases - IronPython (ipyw.exe) file is typically renamed to SupportTool.exe or Ctfmon.exe
Since ipyw.exe is "legitimate", the VT detection rate is very low (0/72).
In these cases - IronPython (ipyw.exe) file is typically renamed to SupportTool.exe or Ctfmon.exe
Since ipyw.exe is "legitimate", the VT detection rate is very low (0/72).
[2/6] The "update.py" is where the malicious action starts.
This is usually a simple python file containing an additional obfuscated script.
Below you can see this decoded via #CyberChef.
This is usually a simple python file containing an additional obfuscated script.
Below you can see this decoded via #CyberChef.
Reverse Engineering a #CobaltStrike #malware sample and extracting C2's using three different methods.
We'll touch on #cyberchef, #x64dbg and Speakeasy from fireeye to perform manual analysis and emulation of #shellcode.
A (big) thread ⬇️⬇️
[1/23]
We'll touch on #cyberchef, #x64dbg and Speakeasy from fireeye to perform manual analysis and emulation of #shellcode.
A (big) thread ⬇️⬇️
[1/23]
[2/23]
To follow along, download the sample from the link below. Then transfer the .zip into a safe VM environment.
My VM is a mostly default Flare VM with SpeakEasy installed on top.
bazaar.abuse.ch/sample/08ec3f1…
To follow along, download the sample from the link below. Then transfer the .zip into a safe VM environment.
My VM is a mostly default Flare VM with SpeakEasy installed on top.
bazaar.abuse.ch/sample/08ec3f1…
[3/23] Once unzipped (pw:infected), load the file into pe-studio for quick analysis. There isn't a lot interesting here, but take note that the file a 64-bit .dll with 4 exported functions.
#ChromeLoader #malware persists via obfuscated content stored in the registry. Here's how to decode it using #Cyberchef.
1/
1/
2/ First, locate a scheduled task containing content that you suspect to be chromeloader malware. Decode the first stage using "From Base64" and "Remove Null Bytes". This will give you the first stage loader in its #decoded form.
3/ Next, check the location of the next stage in the registry. This should be near the beginning of the code.
A short thread of solid #CyberChef alternatives and complementary tools.... ⏬
Ciphey: a fantastic tool that does automated decryption & decoding. Great documentation, and easy to setup via Docker. github.com/Ciphey/Ciphey
Binary Refinery: I'll admit I haven't played with this as much as I should have. It looks fantastic. Each script doing one job, which can be piped like a command line CyberChef. Credit to @huettenhain github.com/binref/refinery
It's been one of the more eventful weeks in cybersecurity history. In my little corner of the world, it went a little something like this... 1/n
The first #log4j / #log4shell blog from #SURGe @splunk splunk.com/en_us/blog/sec… was published a week ago with @meansec leading from the front and jump-started by @DrShannon2000 and @jsy9981 2/n
Meanwhile, hundreds of Splunkers worked through last weekend to publish our official advisory. If you take one thing from this thread, it should be this! It's updated frequently and includes details about CVE-2021-45046 and more. splunk.com/en_us/blog/bul… 3/n
Let's walk through #malware de-obfuscation of a REvil PowerShell ransomware script in #CyberChef. The original can be found below if you want to play alone at home! hybrid-analysis.com/sample/e1e19d6…
Following my analysis, I realised there is an excellent write up of the same PowerShell on SANS here which is worth a read: isc.sans.edu/forums/diary/P… Thanks to @xme for saving me the detonation to learn its ransomware! 👍
Taking a scan we can see an AES decrypt function and blob of Base64 - likely what is to be decrypted. Later on we see our IV and Key variables references, also in Base64.
Here it is! It was an absolute pleasure to develop this course, #CyberChef for Security Analysts, with @chrissanders88. I've tried to cover a range of use cases for work in our field but I probably only scratched the surface. (1/5)
What I've aimed to do instead is to teach the skills so that you can look at the data you'll be using in your work and be confident you can whip up a recipe in CyberChef to suit your needs (2/5).
What's covered are the fundamentals of CyberChef up to the more advanced features that make it the indispensable tool for network defenders. Totally unpaid tweet right here: 👇 (3/5)
A small Powershell script leads to a longer #CyberChef recipe.
(1/6): Let's extract the obfuscated section with a regular expression: a regex lookahead/lookbehind.
(1/6): Let's extract the obfuscated section with a regular expression: a regex lookahead/lookbehind.
(2/6) We're going to convert the obfuscated text into Character Codes.
(3/6) Now, following the script we have to subtract 1 from each of the Character Code values and convert it back again. So we put a 1 next to each value with a Find/Replace...
Would someone use the Olympics to phish? Yes, yes they would.
🆕hxxps://amazingmonkeys.es/tokyo2020comiteeolympic/
🆕hxxps://amazingmonkeys.es/olympiccomitee/
hxxps://154dst.com/comiteeolympic/
hxxps://154dst.com/olympiccomitee/
hxxps://154dst.com/olympicinternationalcomitee/
🆕hxxps://amazingmonkeys.es/tokyo2020comiteeolympic/
🆕hxxps://amazingmonkeys.es/olympiccomitee/
hxxps://154dst.com/comiteeolympic/
hxxps://154dst.com/olympiccomitee/
hxxps://154dst.com/olympicinternationalcomitee/
and
🆕hxxps://amazingmonkeys.es/tokyo2020portal/
🆕hxxps://amazingmonkeys.es/tokyo2020portal/
@Olympics, you might want to check the Referrer in your weblogs to see non-Olympics sites loading stillmed.olympic.org/media/Images/O…
Could help discover phishing sites like these.
Could help discover phishing sites like these.
So in #DFIR you'll come across lots (and lots) of timestamps. Let's take a quick dive into this weird and wonderful world....(1/x)
For Windows, FILETIME is your main man. It's a 64-bit value that represents the number of 100-nanosecond intervals that have elapsed since 12:00 A.M. January 1, 1601 Coordinated Universal Time (UTC). (2/x) docs.microsoft.com/en-au/windows/…
So why 1601? According to Microsoft, "The Gregorian calendar operates on a 400-year cycle, and 1601 is the first year of the cycle...active at the time Windows NT was being designed...it was chosen to make the math come out nicely." Seems fair. (3/x) devblogs.microsoft.com/oldnewthing/20…
How to tell that the ridiculously overcomplicated VBA macro function you're staring at is maybe just rolling its own Base64: accounting for padding
Decoded @digitalocean server: 178.128.141.18:8080
👨🏼🎓"Classeur1.xlsm" (7/58): virustotal.com/gui/file/70b86…
Uploaded from Tunis, 🇹🇳
[1/3]
Decoded @digitalocean server: 178.128.141.18:8080
👨🏼🎓"Classeur1.xlsm" (7/58): virustotal.com/gui/file/70b86…
Uploaded from Tunis, 🇹🇳
[1/3]
It's reasonable to expect an aspiring detection engineer to explain what's going on here.
CREATE_HEX function: MCAFEE_CERTIFICATION 👀
You should know what |4d 5a| means.
You should be able to explain the rudimentary D1, D2, and D3 evasion functions.
[2/2]
CREATE_HEX function: MCAFEE_CERTIFICATION 👀
You should know what |4d 5a| means.
You should be able to explain the rudimentary D1, D2, and D3 evasion functions.
[2/2]
This is a good Excel macro for entry-level analysis given its simpler structure.
I've uploaded the file so others can play with it and learn:
🌊@virusbay_io: beta.virusbay.io/sample/browse/…
🏃🏼♂️@anyrun_app: app.any.run/tasks/bfec85ac…
🔎@Malwageddon's IRIS-H: iris-h.services/#/pages/report…
🍻
[3/3]
I've uploaded the file so others can play with it and learn:
🌊@virusbay_io: beta.virusbay.io/sample/browse/…
🏃🏼♂️@anyrun_app: app.any.run/tasks/bfec85ac…
🔎@Malwageddon's IRIS-H: iris-h.services/#/pages/report…
🍻
[3/3]
Another quick .NET triage/analysis of a related #PUBNUBRAT dropper/launcher (?) 1d155032232cd40c1788271546af36ec (U4.conf). This one we start immediately with extracting the 'app' resource using dnSpy to get 5bbe762b83e051776f1b5ea30ffc0050 (application/x-lzip).
5bbe762b83e051776f1b5ea30ffc0050 decompressed to the goliath ~8MB ca19c3c3c2ef656b33d7173a49186f5a (application/x-dosexec) which is also a .NET binary. Back in dnSpy, which nearly chokes on the size, we finally get to a main decryption routine.
We could take the next steps of this in a million ways, but this is easy to do in @GCHQ's #CyberChef. First From Base64 & To Hex the Key and IV for the crypto routine and save these in hex.
