Karsten Hahn Profile picture
Malware Analyst at G DATA. Ransomware hunter. he/him 🦔🌈🏳️‍⚧️
Jan 23, 2023 10 tweets 2 min read
Tips to stay safe while working with malware samples.

1. Use different OS on the host machine than your analysis VM
--> most malware will not be able to run there 2. Use a different machine for malware analysis (even if analysis happens in VM) than for your other work or private stuff

3. Make sure the analysis machine is not connected to the company network or your personal network.
Jul 15, 2022 4 tweets 2 min read
How to analyse malicious MSI files

E.g. this Magniber MSI

It consists mostly of zeroes.

1. step: Unpack with 7zip. Among the unpacked files is a x64 DLL named "djrbwtwujn"

But how is this DLL called? Image 2. step: Use Orca.exe on the MSI file. It is part of Windows SDK.

The CustomActions column shows that the exported function "egzsymgucwe" is called from the DLL Image
Sep 4, 2021 12 tweets 2 min read
Entropy is a measure of how much information is in a data input.

When we talk about entropy in files, we usually mean the Shannon entropy. Depending on whether we use bytes or bits as a basis for calculation, the result is a range between 0-8 or 0-1. To understand entropy, imagine your friend writes you a grocery list. In their first message they write:

apple,apple,apple,apple,apple,apple,apple,apple,apple,apple,apple,apple,apple,apple,apple,apple,apple,apple,apple,apple,apple,apple,apple,apple,apple,apple,apple,apple, ...
Jun 25, 2021 5 tweets 3 min read
New article: Microsoft signed a malicious Netfilter rootkit

Thanks for your contributions @jaydinbas @cyb3rops @cci_forensics
gdatasoftware.com/blog/microsoft… Related first tweet:
Sep 12, 2018 12 tweets 3 min read
Some thoughts about maliciousness of joke malware, educational malware and other "gray" areas. (thread) Malware is any program that does harm to a system or user.
Harm or damage is not limited to things you can count as monetary loss. It can also be sleepless nights, feeling anxious or frightented, having personal data leaked that might or might not be used to harm you later.
Jan 7, 2018 18 tweets 2 min read
Some arbitrary facts about malware detection names and detection rates on VT.
(thread) (1) Detection names usually include information about platform, malware type, family and variant, sometimes also hints about the technology that was used to detect the malware.