Due to my curiosity on the rundll32.exe that will trigger a COM execution via -sta/-localserver switch, I decided to dig into the rundll32.exe code further to understand why does it so. Investigation During the initial phase, rundll32.exe itself will parse the argument passed into it via RunDLL_ParseCommand. This function will determine…

The sample most probably related to CVE-2022-24521 which is related to CLFS parsing bug. The vulnerability is due to the parsing issue of the CLFS on specially crafted log file (.BLF / Base Log File) which allow user to alter the kthread.previous_mode and enable write permission on kernel memory address…

Some of the function for the analyzed sample is similar with the one mentioned in SentinelOne blog. The difference might be additional anti-debug checks and obfuscation. Sample here from abuse.ch Overall here are the Bumblebee’s general behavior that I’m able to find. Anti-debug using al-khaser library Decode c2 using RC4 …

Here is my write-up for the mini linux forensics challenge. In this challenge, each participant received 2 E01 files aka Encase image files, which are mate and kubuntu disk image. At first I was put the E01 image into FTKImager, but I found that it is not so convenient for…

PDF file embedded with a “VelvetSweatshop” encrypted excel file which contains a payload that using CVE-2017-0199 to download its next payload from 2url[.]one shorten url link. The malicious sample is available in abuse.ch Screenshots Press “Ok” and Excel 2010 launched (User will get infected if they are using vulnerable version of…

I will be sharing some of my experiment on LLVM obfuscator and SysWhisper2 in Visual Studio 2019. This post is inspired by the llvm obfuscated malware mentioned in my previous post. …

Here is the bazarloader DLL sample extracted from a MFC parent file. The bazarloader DLL is heavily obfuscated (seems like llvm obfuscator) and the deobfuscation algorithm has been complicated in a intended way to make analysis ‘harder’. e.g. Inside ZwRaiseHardError , you can see those additional mathematical operation is meaningless…

This is one of the binary that I had created for this year University CTF competition. This challenge is inspired by some red teaming C# script and malware (e.g. Agent Tesla) Challenge name: ParentSharp General binary description: Little obfuscated C# Binary with reflective load and P/Invoke methods with annoying runtime…

Just came across with some android malware that packed with libarm_protect packer. Here is the manifest of the packed android application. You can see from the <application> tag, the app will starts with class called arm.StubApp The StubApp seems like works as a payload unpacker that…