Malware Deobfuscation With DnSpy and CyberChef 👨‍🍳

Let's look at some beginner tips for identifying encrypted data with DnSpy.

We'll then utilise CyberChef to recreate the decryption and obtain the address of the C2 server.

[1/12] 🧵

#malware #cyberchef

[2/] Finding encrypted strings

Config values are often initialised (and decrypted) early in execution. Hence the Entry Point is a great place to begin looking.

(In Dnspy, we can select a loaded file and use "Go To Entry Point")

🔥Lumma Stealer - Manually Unpacking and Extracting C2's 🔥

Let's analyse a Lumma malware sample and manually unpack it with Dnspy and x32dbg.

We'll then leverage Ghidra and x32dbg to locate and decrypt four C2 addresses.

[1/24] 🖊️

#Malwareanalysis #Ghidra





1/ The initial sample can be found on Malware Bazaar

You can download it here if you'd like to follow along

bazaar.abuse.ch/sample/0ee580f…

How to Increase Your Engagement on Cyber-related Twitter Content ✏️

Tips and tricks learnt from writing about #malware on Twitter for 18 months😄

[1/9] 1/ Optimal Post Structure

Statement -> Explanation -> Conclusion

I've found this general flow is the easiest to create and for readers to follow. It follows the 1-2-1 structure by @Nicolascole77

If you don't yet have a post style/structure, this is a great place to start.

🔬Defeating Obfuscated .HTA Scripts to Obtain Cobalt Strike Shellcode 🔬

Let's look at Cyberchef, Manual Deobfuscation, Multi-stage script analysis and finally emulation to obtain a decoded C2.

[1/17]





2/ The analysis begins with obfuscated .hta script obtained from Malware Bazaar.

You can obtain the file here if you want to follow along.

bazaar.abuse.ch/sample/2c683d1…

🥷Defeating Obfuscated Malware 🥷

Today we take a look at a heavily obfuscated visual basic script containing Shellcode.

We'll use Regex, #Cyberchef and a Text Editor to deobfuscate #malware.

[1/18]





[2/] Initial #Malware Analysis

The initial script contains a mix of obfuscated and readable code.

The readable code contains references to Excel and Wscript.

🐉Manual Shellcode Analysis Using Ghidra and x32dbg 🐉

17 tips for getting started with manual shellcode analysis (no relying on emulation to do the hard work 💪).

#Malware #Ghidra





[2/] Obtaining the Sample

If you want to follow along, you can obtain the sample from #Malware Bazaar using the link below.

bazaar.abuse.ch/sample/26f9955…

🔥Malware Analysis with @HuntressLabs 🔥

Watch as we analyse a bloated (1.5GB) Golang file and dynamically extract an Xworm payload.

We'll touch on Procmon, Process Hacker, Entropy Analysis, Debloating, Breakpoints, Debuggers and lots more🤠

[1/14] 🧵

#Malware #Golang





[2/] If you'd like to follow along, the initial file can be downloaded here.

bazaar.abuse.ch/sample/96abd6a…

I've been playing around with Module Stomping for EDR Evasion

This is a cool technique for bypassing detection by overwriting "legitimate" memory regions.

Let's see what it looks like from a #Malware and RE Perspective

@SEKTOR7net

[1/25]





[2/25] The core concept of Module Stomping is to avoid creating a new regions for storing Shellcode, and instead leverage existing sections within a legitimate library.

This can significantly reduce memory artifacts and reduce the likelihood of successful #detection.

Safely investigating a ransomware hosting site using Censys and GrabbrApp 😄

I'll show how to confirm that a "clean" IP was hosting ransomware. You'll also get to see some cool hunting queries and methods for safely downloading malware files.

Thread 👇
[1/12]

#Censys #malware





[2/] I started with some @censysio queries that I've previously published on my site.



The query in this case was looking for #powershell scripts contained in #python based open directories. https://t.co/cMwbV3YGShembee-research.ghost.io/shodan-censys-…

A collection of incredible (non-corporate) malware analysis and reverse engineering blogs that I have personally enjoyed over the years.

All focused on education and knowledge sharing of malware/RE topics.

[1/14] 🧵
(In no particular order)

#malware #education [2/14] @_n1ghtw0lf for incredible reverse engineering writeups. Including detailed examples of advanced tooling and scripting. eg x64dbg , #emulation and dotnet configuration extractors.

n1ght-w0lf.github.io

🚨Malware Tips 🚨 - Resolving API Hashes Using Conditional Breakpoints.

By adding breakpoints and log conditions to a function that resolves api hashes, it's possible to quickly resolve api hashes in bulk.

Thread
[1/11] 👇

#Malware #AgentTesla #Ghidra #Debugging [1.1/11]
Link to original sample: bazaar.abuse.ch/sample/7512be2…

Link to Full Blog: embee-research.ghost.io/agenttesla-ful…

🐀 AsyncRAT 🐀 - Defeating Obfuscation Using CyberChef

An overview of some advanced CyberChef tricks for decoding malware

[1/12] 🧵

#AsyncRAT #Decoding #CyberChef #Malware [2/] First, some links if you wish to follow along.

The Malware File: bazaar.abuse.ch/sample/26c9f29…

Links to CyberChef Recipes:
github.com/embee-research…

Ursnif Loader (Javascript) - Manual Decoding Using Cyberchef

[1/13] 👇🧵

#Cyberchef #Decoding #Ursnif #Malware [1.1] A quick summary/TLDR before we get started

- Remove comments (manually or using regex)
- Remove "split" strings (manually or using regex)
- Remove obfuscated numbers
- (optional) Rename Variables
- Apply beautifier and syntax highlight

Potential #DanaBot Loader - De-Obfuscation using CyberChef and Python.

Sample: bazaar.abuse.ch/sample/80aad66…

C2: 0/90 VT
Script: 5/59 VT

[1/5] 👇

#Regex #python #cyberchef #malware [2/5] Note the initial script contains a large amount of junk comments to mask the "real" code.

These can be removed using #cyberchef and a short #regex.

Find and Replace
^(REM|').*\n

(Possible) AsyncRat loader - Interesting regex to decode the obfuscated C2.

Script was found on host with an active #AsyncRat infection.

#malware #regex #decoding [1/6] The team at @HuntressLabs are still observing IronPython executables used to load #malware.

In these cases - IronPython (ipyw.exe) file is typically renamed to SupportTool.exe or Ctfmon.exe

Since ipyw.exe is "legitimate", the VT detection rate is very low (0/72).

Setting up an analysis VM for reverse engineering?

Here are a few good tools (with short demos) that I recommend after running the Mandiant/FLARE script, (which installs 99% of tooling for you) 🔥

TLDR:
Garbageman, SpeakEasy, BlobRunner, Dumpulator

#Malware #RE #Analysis 2/ This is the Flare script from Mandiant. Simply running this script will install the majority of tools that you would ever need.

As a beginner RE or malware analyst, you can work comfortably using only the tools included in this script.

github.com/mandiant/flare…

🐲 Ghidra Tips 🐲- Malware Encryption and Hashing functions often produce byte sequences that are great for #Yara rules.

Using #Ghidra and a Text Editor - You can quickly develop Yara rules to detect common malware families.
(Demonstrated with #Qakbot)

[1/20]
#Malware #RE [2/20]
Hashing and encryption functions make good targets for #detection as they are reasonably unique to each malware family and often contain lengthy and specific byte sequences due to the mathematical operations involved.

These characteristics make for good Yara rules 😁

🐲 Ghidra Tips🐲For Beginner/Intermediate analysts interested in RE.

These tips are aimed at making Ghidra more approachable and usable for beginners and intermediate analysts 😄

[1/9] 🧵

#Malware #RE #Ghidra 2/ The sample I'm using can be found here if you'd like to follow along. It is a cobalt strike DLL often found in Gootloader campaigns.

bazaar.abuse.ch/sample/a2513cc…

#Qakbot Dumpulator Script has now been added to Github! 😀

This script is capable of dumping decrypted strings from the encrypted string table used by recent Qakbot malware.

1/ (notes and details below)
#malware #qakbot #dumpulator #RE

https://twitter.com/embee_research/status/1575380832965259265

2/ The script *should* work on the samples that I have provided in the readme, however you may need to change some register values to get it to work on different samples.

In particular, "dp.regs.ecx" and "dp.regs.esp+0x4" may need to be changed. As these ...

A quick demo of how to identify "real" exported functions from a #obfuscated #IcedID dll file.

I'll also briefly touch on some #Ghidra tips, and how to extract #shellcode using a debugger.

A moderate sized thread😃
[1/13] [2/13] You can find the relevant files here. Special thanks to @malware_traffic.

First, download the .zip in the screenshot.👇

Then unzip and locate the "rarest.db" file in the "scabs" folder.

(Make sure to do this inside an isolated Virtual Machine)
malware-traffic-analysis.net/2022/09/23/ind…

Reverse Engineering a #CobaltStrike #malware sample and extracting C2's using three different methods.

We'll touch on #cyberchef, #x64dbg and Speakeasy from fireeye to perform manual analysis and emulation of #shellcode.

A (big) thread ⬇️⬇️
[1/23] [2/23]
To follow along, download the sample from the link below. Then transfer the .zip into a safe VM environment.

My VM is a mostly default Flare VM with SpeakEasy installed on top.
bazaar.abuse.ch/sample/08ec3f1…