Discover and read the best of Twitter Threads about #shellcode
Most recents (3)
A quick demo of how to identify "real" exported functions from a #obfuscated #IcedID dll file.
I'll also briefly touch on some #Ghidra tips, and how to extract #shellcode using a debugger.
A moderate sized thread😃
[1/13]
I'll also briefly touch on some #Ghidra tips, and how to extract #shellcode using a debugger.
A moderate sized thread😃
[1/13]
[2/13] You can find the relevant files here. Special thanks to @malware_traffic.
First, download the .zip in the screenshot.👇
Then unzip and locate the "rarest.db" file in the "scabs" folder.
(Make sure to do this inside an isolated Virtual Machine)
malware-traffic-analysis.net/2022/09/23/ind…
First, download the .zip in the screenshot.👇
Then unzip and locate the "rarest.db" file in the "scabs" folder.
(Make sure to do this inside an isolated Virtual Machine)
malware-traffic-analysis.net/2022/09/23/ind…
[3/14] Drag the "rarest.db" file into Pe-Studio and navigate to the exports tab.
There are 11 exported functions here. 🧐
Most of them have junk names to throw off analysis.
One of them is "real", the rest are "decoys" which don't do anything if executed.
There are 11 exported functions here. 🧐
Most of them have junk names to throw off analysis.
One of them is "real", the rest are "decoys" which don't do anything if executed.
#apt37 #goldbackdoor #loader active #C2
- SHA256: bd4ef6fae7f29def8e5894bf05057653248f009422de85c1e425d04a0b2df258
- C2: hxxps://dallynk.com/wp-sup3
- Encoded Child SHA256: a81b38cda1ad1a1ed2cfc9647e678831fe77500da8ce095667ca5a7d93f8e732
- SHA256: bd4ef6fae7f29def8e5894bf05057653248f009422de85c1e425d04a0b2df258
- C2: hxxps://dallynk.com/wp-sup3
- Encoded Child SHA256: a81b38cda1ad1a1ed2cfc9647e678831fe77500da8ce095667ca5a7d93f8e732
- Child Endpoints (possibly google api key): hxxps://dallynk.com/4332.hwp, hxxp://asplinc.com/xe/modules/page/queries/query_read.dsql, hxxp://www.bsef.or.kr/board/upfile/bbsB/166737125620120323174332.hwp
- Endpoints appear to be compromised.
- Endpoints appear to be compromised.
- All 3 endpoints download same SHA256: 5b1536c4ca22bc202543afea51279c78fa6033b393e86f2b97750ddfd4d8b263
- Decoded Child contains embedded 3 encoded (simple xor) modules, #shellcode loader/#infostealer/#keylogger
- Decoded Child contains embedded 3 encoded (simple xor) modules, #shellcode loader/#infostealer/#keylogger
Reverse Engineering a #CobaltStrike #malware sample and extracting C2's using three different methods.
We'll touch on #cyberchef, #x64dbg and Speakeasy from fireeye to perform manual analysis and emulation of #shellcode.
A (big) thread ⬇️⬇️
[1/23]
We'll touch on #cyberchef, #x64dbg and Speakeasy from fireeye to perform manual analysis and emulation of #shellcode.
A (big) thread ⬇️⬇️
[1/23]
[2/23]
To follow along, download the sample from the link below. Then transfer the .zip into a safe VM environment.
My VM is a mostly default Flare VM with SpeakEasy installed on top.
bazaar.abuse.ch/sample/08ec3f1…
To follow along, download the sample from the link below. Then transfer the .zip into a safe VM environment.
My VM is a mostly default Flare VM with SpeakEasy installed on top.
bazaar.abuse.ch/sample/08ec3f1…
[3/23] Once unzipped (pw:infected), load the file into pe-studio for quick analysis. There isn't a lot interesting here, but take note that the file a 64-bit .dll with 4 exported functions.
