Here is my write-up for the mini linux forensics challenge. In this challenge, each participant received 2 E01 files aka Encase image files, which are mate and kubuntu disk image. At first I was put the E01 image into FTKImager, but I found that it is not so convenient for…

PDF file embedded with a “VelvetSweatshop” encrypted excel file which contains a payload that using CVE-2017-0199 to download its next payload from 2url[.]one shorten url link. The malicious sample is available in abuse.ch Screenshots Press “Ok” and Excel 2010 launched (User will get infected if they are using vulnerable version of…

I will be sharing some of my experiment on LLVM obfuscator and SysWhisper2 in Visual Studio 2019. This post is inspired by the llvm obfuscated malware mentioned in my previous post. …

Here is the bazarloader DLL sample extracted from a MFC parent file. The bazarloader DLL is heavily obfuscated (seems like llvm obfuscator) and the deobfuscation algorithm has been complicated in a intended way to make analysis ‘harder’. e.g. Inside ZwRaiseHardError , you can see those additional mathematical operation is meaningless…

This is one of the binary that I had created for this year University CTF competition. This challenge is inspired by some red teaming C# script and malware (e.g. Agent Tesla) Challenge name: ParentSharp General binary description: Little obfuscated C# Binary with reflective load and P/Invoke methods with annoying runtime…

Just came across with some android malware that packed with libarm_protect packer. Here is the manifest of the packed android application. You can see from the <application> tag, the app will starts with class called arm.StubApp The StubApp seems like works as a payload unpacker that…

COM object provides another options to create a new process besides using common Windows APIs such as CreateProcess or ShellExecute. For threat actor, the good way of this kind of process creation is that the wmiprvse.exe will break the process chain from its parent process as it is initiated from…

Trickbot loader using Heaven’s gate technique to inject its final payload into a 64 bit process wermgr.exe. It is difficult to analyze it, but i will try my best ✌. Version: 1106 I’m created annotation script for both IDA pro and Ghidra to make my life easier 😌, you can…

As promised in the previous blog, I will share my understanding on the dotNet header and how to parse it. dotNet CLI header is found in .text section of the PE file. We only need to focused on this section to make things work ✌. Thanks for the help of…