[Mal Series #27] NSIS Packed Electron App (Feb 5): Malware analysis of an NSIS-packed Electron application.
[Misc Series #6] Windbg Remote Debugging (Sep 15, 2024): How to debug user-mode code with WinDbg using remote debugging.
[Misc Series #5] How Windows CMD and PowerShell Execute a File? (May 22, 2024): This blog notes down some of the mechanisms Windows implements to select an application to open a file.
[Misc Series #4] Forensics on EDRSilencer Events (Jan 4, 2024): Here are some of the indicators we can look for if the EDR telemetry data flow has been “blocked” due to a security event.
[Mal Series #26] Quick Analysis on Maldoc in PDF (Sep 1, 2023): Quick analysis of a maldoc in PDF from the JPCERT blog. Some interesting artifacts were also found in this case.
[Mal Series #25] The spawn of conhost.exe (May 30, 2023): Personal findings on conhost.exe 0xffffffff -ForceV1.
[Misc Series #3] Vuln ProcExp 16.32 (May 11, 2023): Analysis of how the vulnerable version of the ProcExp driver terminates a process.
[Misc Series #2] Debug trick with Image File Execution Options (IFEO) (Jan 13, 2023): Debug a file as soon as it is launched using Image File Execution Options (IFEO).
[RedDev #5] Rundll32 COM Hijack executor in C++ (Dec 20, 2022): Simple explanation of how a COM object is executed via rundll32 with the -sta / -localserver switch.
[Vuln Series #1] CLFS Vulnerability Analysis (Nov 10, 2022): The sample is most probably related to CVE-2022-24521, a CLFS parsing bug.
[Mal Series #23] Malware Loader — Bumblebee (Jun 4, 2022): Some of the functions in the analyzed sample are similar to the ones mentioned in the SentinelOne blog. The difference might be additional…
[CTF Series #12] Mini Linux Forensics — MUS22 (May 16, 2022): Digital forensics challenge by cyberdefenders.org.
[Mal Series #22] Weird Embedded PDF file (Mar 24, 2022): A PDF file embedded with a “VelvetSweatshop”-encrypted Excel file, which contains a payload using CVE-2017-0199 to download its…
[RedDev Series #4] Experimenting SysWhisper2 with LLVM Obfuscator (Feb 5, 2022): Some notes on setting up both the LLVM obfuscator and SysWhisper2 in Visual Studio 2019.
[Mal Series #21] BazarLoader (Dec 4, 2021): Here is the BazarLoader DLL sample extracted from an MFC parent file.
[CTF Series #11] C# P/Invoke + Reflective load (Nov 6, 2021): This CTF challenge is inspired by some red teaming C# scripts and malware (e.g. Agent Tesla).
[Mal Series #20] Android libarm_protect packer (Nov 2, 2021): Just came across some Android malware packed with the libarm_protect packer.
[RedDev Series #3] Spawn Process From WMI In C++ (Oct 16, 2021): COM objects provide another option for creating a new process besides common Windows APIs such as CreateProcess or ShellExecute.
[Mal Series #19] Trickbot shellcode analysis (Aug 10, 2021): Analysis of Trickbot shellcode v1106 (2021).