This is one of the binary that I had created for this year University CTF competition. This challenge is inspired by some red teaming C# script and malware (e.g. Agent Tesla)

Challenge name: ParentSharp

General binary description: Little obfuscated C# Binary with reflective load and P/Invoke methods with annoying runtime…

Just came across with some android malware that packed with libarm_protect packer.

Here is the manifest of the packed android application.

You can see from the <application> tag, the app will starts with class called arm.StubApp

AndoridManifest.xml of the app

The StubApp seems like works as a payload unpacker that…

Hey guys! Just released a tool named ✨ pydotNetCLI ✨ that make my life easier when extract the resource file from dotNet malware samples as we know dotNet resource file stored inside dotNet CLI header which is not from the .rsrc section of the PE file. In this initial version, I will just focusing on the resource extraction and hopefully will add more header information or functions if time allows.

The initial intention of this tool just to improve my understanding on the dotNet CLI header structure, but it ends up as a resource extractor 🤣.

Screenshot

Output from pydotNetCLI 😉

Will make a explanation on how I parse it in the next blog post!

Next blog post over HERE!!

Link to the GitHub

https://github.com/ghoulgy/pydotNetCLI

Most of the Android Malware will request for Android’s Accessibility Services (AAS) before it execute any malicious activities.

Good read regarding to AAS -> HERE

App Source

https://twitter.com/ThreatFabric/status/1346807891152560131

Initial Phase, Gate to Open the AAS

Usually it can be find in the app’s “entry point” since it is the gate for the malicious play 👹 👺

Action & Category to look for:

<action android:name=”android.intent.action.MAIN”/>
<category android:name=”android.intent.category.LAUNCHER”/>

GhouLSec

Typical memes addict🐒 GitHub: https://github.com/ghoulgy 🍕Support my work: https://www.buymeacoffee.com/GhoulSec

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store