GhouLSec

153 Followers

May 30

[Mal Series #25] The spawn of conhost.exe

When I was playing with a red teaming toolkit, I found that the conhost.exe 0xffffffff -ForceV1 process is quite interesting. Therefore, this blog will explain why this happens, based on my understanding. According to the Mandiant blog, conhost.exe is related to the Windows console host, which is responsible for handling the console input thread…

Cybersecurity

3 min read


May 11

[Misc Series #3] Vuln ProcExp 16.32

There are blogs from CheckPoint Research and Sophos mentioning that this vulnerable driver has been abused in various incidents to terminate protected processes, especially anti-malware related processes. Here is a short note on how the driver is able to terminate any process. …

Cybersecurity

4 min read


Mar 5

[Mal Series #24] Qakbot BB12 DLL Analysis 2023

There is already a comprehensive analysis of Qakbot from the VinCSS Blog (2021) and Elastic Security Labs (2022); kudos to them!! It seems like there have not been many changes since 2021 and 2022 in terms of its core function. …

Malware Analysis

18 min read


Jan 13

[Misc Series #2] Debug trick with Image File Execution Options (IFEO)

Sometimes we want to debug a child process that contains some parameters from its parent process, especially some Windows native processes. …

Debugging

2 min read


Dec 20, 2022

[RedDev #5] Rundll32 COM Hijack executor in C++

Due to my curiosity about how rundll32.exe triggers a COM execution via the -sta/-localserver switch, I decided to dig into the rundll32.exe code further to understand why it does so. Investigation: During the initial phase, rundll32.exe itself will parse the argument passed to it via RunDLL_ParseCommand. This function will determine…

Cybersecurity

6 min read


Nov 10, 2022

[Vuln Series #1] CLFS Vulnerability Analysis

The sample is most probably related to CVE-2022-24521, which is a CLFS parsing bug. The vulnerability is due to a parsing issue in CLFS on a specially crafted log file (.BLF / Base Log File), which allows a user to alter kthread.previous_mode …

Exploitation

6 min read


Jun 4, 2022

[Mal Series #23] Malware Loader — Bumblebee

Some of the functions of the analyzed sample are similar to the ones mentioned in the SentinelOne blog. The difference might be additional anti-debug checks and obfuscation. The sample is from abuse.ch. Overall, here is Bumblebee’s general behavior that I was able to find: anti-debug using the al-khaser library; decode C2 using RC4 …

Cybersecurity

4 min read


May 16, 2022

[CTF Series #12] Mini Linux Forensics — MUS22

Here is my write-up for the mini Linux forensics challenge. In this challenge, each participant received 2 E01 files, aka EnCase image files, which are the MATE and Kubuntu disk images. At first I put the E01 image into FTK Imager, but I found that it is not so convenient for…

Linux

4 min read


Mar 24, 2022

[Mal Series #22] Weird Embedded PDF file

A PDF file embedded with a “VelvetSweatshop” encrypted Excel file, which contains a payload that uses CVE-2017-0199 to download its next payload from a 2url[.]one shortened URL link. The malicious sample is available on abuse.ch. Screenshots: Press “Ok” and Excel 2010 is launched (the user will get infected if they are using a vulnerable version of…

Cybersecurity

4 min read


Feb 5, 2022

[RedDev Series #4] Experimenting SysWhisper2 with LLVM Obfuscator

I will be sharing some of my experiments with the LLVM obfuscator and SysWhisper2 in Visual Studio 2019. This post is inspired by the LLVM-obfuscated malware mentioned in my previous post. …

Malware Analysis

4 min read

Typical memes addict🐒 GitHub: https://github.com/ghoulgy 🍕Support my work: https://www.buymeacoffee.com/GhoulSec
