COM object provides another options to create a new process besides using common Windows APIs such as CreateProcess or ShellExecute.
For threat actor, the good way of this kind of process creation is that the wmiprvse.exe will break the process chain from its parent process as it is initiated from…
As promised in the previous blog, I will share my understanding on the dotNet header and how to parse it.
dotNet CLI header is found in .text section of the PE file. We only need to focused on this section to make things work ✌.
Hey guys! Just released a tool named ✨ pydotNetCLI ✨ that make my life easier when extract the resource file from dotNet malware samples as we know dotNet resource file stored inside dotNet CLI header which is not from the .rsrc section of the PE file. In this initial version, I will just focusing on the resource extraction and hopefully will add more header information or functions if time allows.
The initial intention of this tool just to improve my understanding on the dotNet CLI header structure, but it ends up as a resource extractor 🤣.
Screenshot
Will make a explanation on how I parse it in the next blog post!
Next blog post over HERE!!
Link to the GitHub
What is the capability of icalcs 🤔 and how does the malware 😈 abuse it during their operation.
Based on ss64.com, it is capable of:
Change file and folder permissions — display or modify Access Control Lists (ACLs) for files and folders. …
Using Qiling to automate WinApi hash finding tasks and also did a lazy quick win against stack string obfuscation.
Before working on that, make sure download the requirement dlls and registries into your work folder (e.g. ~/qiling/examples/rootfs/x86_windows)
You can get the collector script 📜 here :
https://github.com/qilingframework/qiling/tree/master/examples/scripts
Basically, in order…
Normally in order to disable some windows related service (e.g. Windows Defender, or certain registry key or files) always required higher/another level of privilege to do it. For example, SolarWinds escalated its privilege to disable windows defender service by abusing privileges constant such as SeDebugPrivilege. Therefore, in this story, it…
Most of the Android Malware will request for Android’s Accessibility Services (AAS) before it execute any malicious activities.
Good read regarding to AAS -> HERE
App Source
https://twitter.com/ThreatFabric/status/1346807891152560131
Initial Phase, Gate to Open the AAS
Usually it can be find in the app’s “entry point” since it is the gate for the malicious play 👹 👺
Action & Category to look for:
<action android:name=”android.intent.action.MAIN”/>
<category android:name=”android.intent.category.LAUNCHER”/>…
Most of the C# malware will load the decrypted loader module in memory to avoid signature based detection. The In-Memory file loader can be done by using [System.Reflection] Assembly Class which will load the file (.dll etc.) bytes into it and invoke/call any function that found inside the loaded file.
Here is my analysis of the Darkside ransomware.
Will attach more screenshot regarding of my analysis this time 😏
Didn’t connect to the C2 during the analysis
Dynamically Resolve Windows API
Elevate Privilege (If running in Non-Admin privilege)
Utilizing COM bypass UAC privilege (When Access Token Method Failed)
Elevation:Administrator!new:%sGet access token from admin process (e.g. Explorer.exe)
GhouLSec
Typical memes addict🐒 GitHub: https://github.com/ghoulgy 🍕Support my work: https://www.buymeacoffee.com/GhoulSec
