Three Awesome Things Have Happened In The Last Few Weeks
1️⃣ - SANS-FOR578 (Cyber Threat Intelligence) has been updated to include one of my blogs on Tracking Malware Infrastructure.
This is particularly significant to me as someone without any technical certifications. Having…
🐲 Ghidra Tips 🐲 For Beginner/Intermediate analysts interested in RE.
These tips are aimed at making Ghidra more approachable and usable for beginners and intermediate analysts 😄
[1/9] 🧵
#Malware #RE #Ghidra
Reverse Engineering a #CobaltStrike #malware sample and extracting C2's using three different methods.
We'll touch on #cyberchef, #x64dbg and Speakeasy from fireeye to perform manual analysis and emulation of #shellcode.
A (big) thread ⬇️⬇️
[1/23]
A Beginners Guide to Tracking Malware Infrastructure
New post with 11 Examples (Including Cobalt Strike and Qakbot) that you can use to query and track C2’s, Open Directories and More🔥
(Special thanks to @censysio 🥳)
#threatintel #malware
Setting up an analysis VM for reverse engineering?
Here are a few good tools (with short demos) that I recommend after running the Mandiant/FLARE script (which installs 99% of tooling for you) 🔥
TLDR: Garbageman, SpeakEasy, BlobRunner, Dumpulator
#Malware #RE #Analysis
🐲 Ghidra Tips 🐲 - Malware Encryption and Hashing functions often produce byte sequences that are great for #Yara rules.
Using #Ghidra and a Text Editor - You can quickly develop Yara rules to detect common malware families.
(Demonstrated with #Qakbot)
[1/20]
#Malware #RE
Malware Analysis Tip - Use Process Hacker to watch for suspicious .NET assemblies in newly spawned processes.
Combined with DnSpy - it's possible to locate and extract malicious payloads without needing to manually de-obfuscate.
1/
#Malware #dnspy #analysis #RE
#Malware Downloader retrieving an encoded powershell via DNS records.
+ Quick demo on how to deal with this and extract the final content using #CyberChef 👇👇
A collection of incredible (non-corporate) malware analysis and reverse engineering blogs that I have personally enjoyed over the years.
All focused on education and knowledge sharing of malware/RE topics.
[1/14] 🧵 (In no particular order)
#malware #education
When analysing suspicious commands using #cyberchef, you can utilise #regex to save time copy and pasting between windows.
In this case, combining "From Decimal" with the regex "(\d\d+)+" enabled a quick decoding without needing to change tabs.
🥷 Defeating Obfuscated Malware 🥷
Today we take a look at a heavily obfuscated visual basic script containing Shellcode.
We'll use Regex, #Cyberchef and a Text Editor to deobfuscate #malware.
[1/18]
Malware Deobfuscation With DnSpy and CyberChef 👨‍🍳
Let's look at some beginner tips for identifying encrypted data with DnSpy.
We'll then utilise CyberChef to recreate the decryption and obtain the address of the C2 server.
[1/12] 🧵
#malware #cyberchef
Decoding a Cobalt Strike Loader with Cyberchef and Emulation
A short video looking into a common CS loader and methods for extracting C2 addresses from Shellcode 😁
#Malwareanalysis #Cobaltstrike
Malware Analysis - Cobalt Strike Shellcode Analysis and C2 Extraction
Looking into a Cobalt Strike shellcode loader and extracting C2 addresses. Leveraging debugging (x64dbg) and the Speakeasy Emulator.
#malware #cobaltstrike
CyberChef Tips - Utilise regex and "list matches" to extract and decode multiple encoded blobs from the same script.
Combine with code beautify and text highlighting to turn an obfuscated script into nice readable content.
#Cyberchef #Regex #malware
Advanced CyberChef Techniques for Configuration Extraction - Now in Blog Form 😁
A detailed look into advanced CyberChef operations applied to a config extractor (Flow Control, Registers, Regex, AES and Much Much More). 🔥
#Malwareanalysis #CyberChef
#Malware protectors often use unique functions to #obfuscate strings. Using powershell, you can dynamically invoke those functions to bypass the obfuscation and dump hidden content. Below is an #AgentTesla malware sample de-obfuscated using this technique.
1/
🔥 Malware Analysis with @HuntressLabs 🔥
Watch as we analyse a bloated (1.5GB) Golang file and dynamically extract an Xworm payload.
We'll touch on Procmon, Process Hacker, Entropy Analysis, Debloating, Breakpoints, Debuggers and lots more 🤠
[1/14] 🧵
#Malware #Golang
Safely investigating a ransomware hosting site using Censys and GrabbrApp 😄
I'll show how to confirm that a "clean" IP was hosting ransomware. You'll also get to see some cool hunting queries and methods for safely downloading malware files.
Thread 👇 [1/12]
#Censys #malware
Let's decode Powershell Malware with Cyberchef 🧑‍🍳
New video looking into a simple custom obfuscation routine in a StealC loader, and showing some cool CyberChef tricks for manually decoding 😁
#Cyberchef #malwareanalysis #powershell
I've been playing around with Module Stomping for EDR Evasion
This is a cool technique for bypassing detection by overwriting "legitimate" memory regions.
Let's see what it looks like from a #Malware and RE Perspective
@SEKTOR7net
[1/25]
New Record for My Longest CyberChef Recipe Ever... 😅
A 22 operation configuration extractor in CyberChef. Utilising Regex, AES, Registers and Flow Control to decode a 3 stage malware sample 🕵️‍♂️
#MalwareAnalysis #Cyberchef
Malware Unpacking With Memory Dumps - Intermediate Methods
Utilising Pe-Sieve, Process Hacker, Pe-bear and Hxd to identify, perform and correct memory dumps leading to unpacked malware.
#malware #Dnspy
🟥 #BruteRatel: Static detection via API hashes
Very similar to the Havoc C2 Detector. Looks for API hashes used to resolve ntdll functions.
8/8 Files successfully detected (on disk)
1/ 🧵🧵 ⏬
#Ghidra #Malware #Yara
Quick trick to analyse #obfuscated .NET #malware.
Assembly name -> right click -> go to entry point.
Set a breakpoint, then step over/into functions and watch values appear in the local window.
You'll quickly obtain plaintext values without de-obfuscating any code.
Beginner Workflows In Ghidra - Analysing Cobalt Strike
New video looking into basic workflows with Ghidra and Cobalt Strike. Showing how to locate and build context on strings, entropy and imports within malicious code 😁
#malware #malwareanalysis
Uncovering 169 Phishing Domains With DNS Pivoting 🔥
Leveraging my new favourite DNS tool to pivot from an initial IOC to 169 domains impersonating popular fashion brands.
[1/14] 🧵
#phishing #threatintel #malware
Decoding a Cobalt Strike Loader hidden inside a .hta file.
An overview of identifying and extracting shellcode with #CyberChef, and performing basic validation and C2 Discovery using the SpeakEasy emulator.
#malware #cobaltstrike
🔥 Lumma Stealer - Manually Unpacking and Extracting C2's 🔥
Let's analyse a Lumma malware sample and manually unpack it with Dnspy and x32dbg.
We'll then leverage Ghidra and x32dbg to locate and decrypt four C2 addresses.
[1/24] 🖊️
#Malwareanalysis #Ghidra
🔥 Free Ghidra Content for Beginners 🔥
A series of 7 free tutorials demonstrating the most common Ghidra workflows.
These are the most common and approachable workflows that you can use day-to-day to begin analysing malware with Ghidra.
[1/8] 🧵
#malware #ghidra
Uncovering Malicious Infrastructure With DNS Pivoting
New blog experimenting with DNS and Domain pivoting to uncover malicious infrastructure🔥
#malware #threatintel
🐀 AsyncRAT 🐀
Using Powershell to Directly Invoke Decryption Code, Bypass Anti-Debug and extract C2 information.
A thread below on how to implement and use this to your advantage
[1/11] 🧵
#Malware #RE #Dnspy #AsyncRAT
Unpacking Malware With Hardware Breakpoints
Leveraging debugging and Hardware breakpoints to extract Cobalt Strike shellcode.
With Bonus section where we recreate the process using #Ghidra, #Cyberchef and #ChatGPT.
#Malware
If you utilise API hashing in your #malware or offensive security tooling, try rotating your API hashes. This can have a significant impact on #detection rates and improve your chances of remaining undetected by AV/EDR. See below for an example with a Bind Shell vs #Virustotal.
Configuring The Ghidra UI for Beginner Malware Analysts
Going over some tips to demystify the Ghidra experience and improve basic malware analysis workflows.
#Malware #Ghidra
Possible #Qakbot 👇
Onenote -> Cmd -> powershell -> rundll32 + ??
Notable Changes...
- C:\users\public
- Rundll32 renamed to t.exe
- No more ",Wind" export
- Sleep/Delays (Start-Sleep)
- Use of + a second file
[1/2] 🧵 (#Sigma Rule and IOC's 👇)
Malware Analysis - Decoding Obfuscated Powershell and .hta Files (Lumma Stealer)
A quick look into .hta malware and Powershell De-obfuscation. Introducing some basics to identify and decrypt AES strings using Cyberchef.
#Malware #Cyberchef
I recently discovered that has an awesome and extremely affordable (even free) feature for testing and building Yara rules.
This is a great option for aspiring Malware Analysts and Detection Engineers who don't have access to an expensive VT Hunting…
🧊 IcedID Detection With Yara 🧊
1⃣ IcedID has a unique decryption routine present in unpacked payloads.
2⃣ Converting this routine into a #Yara rule can be used to detect #IcedID running in memory.
#malware #re #detection
One of the most interesting malware loaders I've ever encountered. Would recommend the read if you're into #malware analysis.
(6 stages of malware fun 🔥)
Havoc C2: Static detection via ntdll hashes
Currently working on 6/6 Demon payloads generated via the Havoc framework 👀
Yara rule included in link.
1/ More notes below regarding Havoc and API Hashing
#Malware #RE #Ghidra #detection #yara
I've always found it difficult to find good Reverse Engineering content that utilises Ghidra instead of IDA Pro. For anyone else in the same boat, @AGDCservices has some great Ghidra tutorials on his youtube channel.
#Malware #RE #Ghidra
Unpacking .NET Malware Using Process Hacker and Dnspy.
An easy method to obtain unpacked .NET samples by leveraging Process Hacker to identify suspicious modules, and Dnspy to save them from memory.
#Malware #Dnspy
🚨Malware Tips 🚨 - Resolving API Hashes Using Conditional Breakpoints.
By adding breakpoints and log conditions to a function that resolves api hashes, it's possible to quickly resolve api hashes in bulk.
Thread [1/11] 👇
#Malware #AgentTesla #Ghidra #Debugging
5 Resources that I use to find IOC's For Intel Hunting. 🔬
When I build malware c2 queries with @censysio and @shodanhq, these are the first 5 resources that I go to.
I recently wrote a static decoder for encrypted #IcedID files using Ghidra and Python 😀
You can find it on Github, along with some sample files to play around with.
1/ More notes below 👇
#Malware #RE #reversing #ghidra
A quick demo of how to identify "real" exported functions from an #obfuscated #IcedID dll file.
I'll also briefly touch on some #Ghidra tips, and how to extract #shellcode using a debugger.
A moderate sized thread 😃
[1/13]
Decoding a MultiStage (Gu)Loader with Cyberchef
Diving into a super cool loader sample and demonstrating advanced Cyberchef and Regex trickery 😋
#malwareanalysis #guloader #Cyberchef
🐉Manual Shellcode Analysis Using Ghidra and x32dbg 🐉
17 tips for getting started with manual shellcode analysis (no relying on emulation to do the hard work 💪).
#Malware #Ghidra
🚨 Emotet 🚨 - Resolving Hidden Imports
1⃣ The new wave of #Emotet uses API hashing to disguise and hide imported functionality.
2⃣ I wrote a script to perform lookups of those API hashes (link below).
1/ 🧵
#Malware #RE #Ghidra
Identifying Pivot Points In Malware Infrastructure using @censysio
A short thread demonstrating four methods for identifying (16 total) C2 panels using a single IP extracted during malware analysis.
[1/]
#Malware #c2
#AgentTesla #malware uses encrypted resources to store payloads. You can decode them by manually generating the DES key and decrypting using #cyberchef 🕵️
Save resource -> generate md5 -> Trim md5 key to 8 bytes -> Load file into cyberchef -> DES Decrypt = Decoded 2nd Stage 🤠
🔥Malware Analysis Tips - String Decryption in .NET (RedLine)🔥
If the same function is used repeatedly to decrypt strings, you can utilise regex and powershell to extract strings and decrypt them in bulk.
#RedlineStealer #malware #Dnspy #Cyberchef
Manual Shellcode Analysis - Locating and Resolving Function Calls With Ghidra and x32dbg
Experimenting with a new style of (paid) post where I go in-depth on #Ghidra manual analysis. Showing approachable and repeatable workflows for analyzing malware.
Ghidra Basics - Identifying, Decrypting and Fixing Encrypted Strings
Using Ghidra Cross Referencing and x32dbg to identify and fix obfuscated #malware strings.
One of 4 new (paid) and in-depth posts covering common #Ghidra workflows.
[1/10] 🧵
Malware Analysis - Powershell Decoding and .NET C2 Extraction (Quasar RAT)
A quick look into decoding simple Powershell scripts and extracting C2's from Quasar rat.
#Malware #powershell
Introduction to DotNet Configuration Extraction - RevengeRAT
A quick blog to explain how to use dnlib and #python to extract configuration values from dotnet #malware.
Decoding a suspected #AsyncRAT loader.
A high-level overview of my thought process using #CyberChef.
1⃣ Identify the primary encoding (Decimal in this case)
2⃣ Simplify and remove junk around encoding (char[] etc.) Noting that there are regex and non-regex options for doing…
Advanced Threat Intel Queries - Catching 83 Qakbot Servers With Regex, @censysio and TLS Certificates
This (Free) writeup includes a detailed walkthrough, IOC's and links to all queries used.
#Malware #ThreatIntel
New blog looking at dealing with Encrypted strings in Ghidra.
Leveraging debuggers to semi-automate string decryption and fix up an obfuscated Ghidra file 🤓
#Malware #ghidra
I’ve created an index for all of my past educational twitter threads 🤓
43 educational threads have been added so far
Check it out if you're interested in topics like #Ghidra, developing #Yara rules and deobfuscation using #CyberChef.
Link Below 📖
Building on my previous C2 extraction from Amadey Bot, I recently experimented with finding more Amadey infrastructure using Shodan.
Here I detail my process for obtaining 12 total C2's by leveraging html hashes and ssl certs from the original ip.
Defeating API Hashing Using x32dbg and Conditional Breakpoints.
By setting simple log conditions on functions related to API hashing, you can quickly print out decoded hash values without needing to identify or reverse the hashing algorithm.
[1/11]
#Malware
Ghidra Tutorial - Using Entropy To Identify Decryption Functions.
Using #Ghidra to hone in on areas of high entropy, utilising cross references to find decryption functions, and using #ChatGPT to suggest possible encryption algorithms.
#malware
DCRAT - String Decoder For Loading PE File into Memory
- A large number of fake base64 strings are initialized.
- First character from each string is added to a new buffer
- Second character from each string is added to the new buffer
- .. And so on
- Resulting buffer is…
Catching ~50 BianLian C2's With Regex Signatures, TLS Certificates and @censysio
(Demonstrating some cool methods for catching C2's without relying on ASN's or Port Patterns)
[1/11] 🧵
#Malware #ThreatIntel
🐍 Identifying Malware Infrastructure - Vultur Banking Trojan 🐍
Today we'll show how you can use public reports and free dns tools to identify malicious domains.
We'll find 13 new domains, many of which are undetected on VT.
#ThreatIntel #malware
#Malware Tip - If you encounter terms like compression or decompress in obfuscated code, try using the #cyberchef "gunzip" feature.
This obfuscation is simple, but is surprisingly common.
Encoded text -> From Base64 -> Gunzip -> decoded binary
🖥️Query techniques to identify potential malware Infrastructure 🖥️
A quick demo showing ways to use @censysio and ThreatFox to build simple queries and find suspicious servers for further investigation.
[1/14] 🧵
#Qakbot
Dumpulator Script has now been added to Github! 😀
This script is capable of dumping decrypted strings from the encrypted string table used by recent Qakbot malware.
1/ (notes and details below)
#malware #qakbot #dumpulator #RE
#Dumpulator script to extract decrypted strings from recent #Qakbot payloads.
This works by brute forcing index values to the Qakbot string decryption function.
Hoping to put out a detailed blog soon.
#RE #malware
Python Script to Extract Encrypted Stack Strings From Pikabot
This script uses Capstone to locate encrypted stack strings, combined with Dumpulator to emulate and read the decoded values.
Blog post with walkthrough coming soon :)
#Malware #Pikabot
Combining Pivot Points to Identify Malware Infrastructure with @censysio
We'll use a single smokeloader IP (running default services) to locate 11 total servers with C2's for Redline, Amadey and #CobaltStrike.
#Malware #c2 #ThreatIntel
Cyberchef Tips! - Decoding a Malware Loader using Advanced Cyberchef Tactics.
We'll cover!
- Using regex to identify obfuscated values
- Subsections for isolating obfuscated data
- for visualizing regex queries
- + More 😄
Possible NightHawk samples on Virustotal
fc4106f71cdcdf6d6fab5441a6c6d7fb
8defdaba9b1fc949b429c40c0723030d
15c3fe7a3022ede934113c335b9d20bb
5b0028dd161208c993965a33138e282b
The last one named "nh_dll2.dll" has been removed on VT.
Investigating a PrivateLoader C2 with @censysio
An introductory guide to building and refining queries with limited malicious services available.
(This time diving more into the thought process behind query building)
#Malware #threatintel
Potential Sliver C2's (239 C2's)
Simple query - based on "operators" and "multiplayer" certificate values related to Sliver Team Servers.
Gist - 43 IP's with 0 VT
Gist - All 239 IP's
#Malware #Sliver