May 30[Mal Series #25] The spawn of conhost.exeWhen I was playing with some red teaming toolkit, found out conhost.exe 0xffffffff -ForceV1 process is quite interesting. Therefore, this blog will explain why this happened based on my understanding. Based on the Mandiant blog, conhost.exe is related with windows console host which is responsible in handling console input thread…Cybersecurity3 min readCybersecurity3 min read
May 11[Misc Series #3] Vuln ProcExp 16.32There is a blog on CheckPoint Research and Sophos mentioned about this vulnerable driver has been abused in various incident to terminate protected process especially anti-malware related process. Here is the short note on the how does the driver able to terminate any process. …Cybersecurity4 min readCybersecurity4 min read
Mar 5[Mal Series #24] Qakbot BB12 DLL Analysis 2023There is already a comprehensive analysis on Qakbot already from VinCSS Blog (2021) and Elastic Security Labs (2022), Kudos to them!! It seems like there is not much changes since 2021 and 2022 in terms of Its core function. …Malware Analysis18 min readMalware Analysis18 min read
Jan 13[Misc Series #2] Debug trick with Image File Execution Options (IFEO)Sometimes we want to debug some child process that will contains some parameters from its parent process, especially some windows native process. …Debugging2 min readDebugging2 min read
Dec 20, 2022[RedDev #5] Rundll32 COM Hijack executor in C++Due to my curiosity on the rundll32.exe that will trigger a COM execution via -sta/-localserver switch, I decided to dig into the rundll32.exe code further to understand why does it so. Investigation During the initial phase, rundll32.exe itself will parse the argument passed into it via RunDLL_ParseCommand. This function will determine…Cybersecurity6 min readCybersecurity6 min read
Nov 10, 2022[Vuln Series #1] CLFS Vulnerability AnalysisThe sample most probably related to CVE-2022-24521 which is related to CLFS parsing bug. The vulnerability is due to the parsing issue of the CLFS on specially crafted log file (.BLF / Base Log File) which allow user to alter the kthread.previous_mode …Exploitation6 min readExploitation6 min read
Jun 4, 2022[Mal Series #23] Malware Loader — BumblebeeSome of the function for the analyzed sample is similar with the one mentioned in SentinelOne blog. The difference might be additional anti-debug checks and obfuscation. Sample here from abuse.ch Overall here are the Bumblebee’s general behavior that I’m able to find. Anti-debug using al-khaser library Decode c2 using RC4 …Cybersecurity4 min readCybersecurity4 min read
May 16, 2022[CTF Series #12] Mini Linux Forensics — MUS22Here is my write-up for the mini linux forensics challenge. In this challenge, each participant received 2 E01 files aka Encase image files, which are mate and kubuntu disk image. At first I was put the E01 image into FTKImager, but I found that it is not so convenient for…Linux4 min readLinux4 min read
Mar 24, 2022[Mal Series #22] Weird Embedded PDF filePDF file embedded with a “VelvetSweatshop” encrypted excel file which contains a payload that using CVE-2017-0199 to download its next payload from 2url[.]one shorten url link. The malicious sample is available in abuse.ch Screenshots Press “Ok” and Excel 2010 launched (User will get infected if they are using vulnerable version of…Cybersecurity4 min readCybersecurity4 min read
Feb 5, 2022[RedDev Series #4] Experimenting SysWhisper2 with LLVM ObfuscatorI will be sharing some of my experiment on LLVM obfuscator and SysWhisper2 in Visual Studio 2019. This post is inspired by the llvm obfuscated malware mentioned in my previous post. …Malware Analysis4 min readMalware Analysis4 min read
![[Misc Series #3] Vuln ProcExp 16.32](https://miro.medium.com/v2/resize:fill:224:224/1*jw1mMNVL88-yr7Y1JFz1Ew.png)
![[Misc Series #3] Vuln ProcExp 16.32](https://miro.medium.com/v2/resize:fill:160:112/1*jw1mMNVL88-yr7Y1JFz1Ew.png)
![[Mal Series #24] Qakbot BB12 DLL Analysis 2023](https://miro.medium.com/v2/resize:fill:224:224/1*R8MAZL5YZPhFlM_YAOILCA.png)
![[Mal Series #24] Qakbot BB12 DLL Analysis 2023](https://miro.medium.com/v2/resize:fill:160:112/1*R8MAZL5YZPhFlM_YAOILCA.png)
![[Misc Series #2] Debug trick with Image File Execution Options (IFEO)](https://miro.medium.com/v2/resize:fill:224:224/1*aXNQKgpDnd9etzxv5-4jUQ.png)
![[Misc Series #2] Debug trick with Image File Execution Options (IFEO)](https://miro.medium.com/v2/resize:fill:160:112/1*aXNQKgpDnd9etzxv5-4jUQ.png)
![[RedDev #5] Rundll32 COM Hijack executor in C++](https://miro.medium.com/v2/resize:fill:224:224/1*flHkJ3HPdexAMjRdlUe5mg.png)
![[RedDev #5] Rundll32 COM Hijack executor in C++](https://miro.medium.com/v2/resize:fill:160:112/1*flHkJ3HPdexAMjRdlUe5mg.png)
![[Vuln Series #1] CLFS Vulnerability Analysis](https://miro.medium.com/v2/resize:fill:224:224/1*VzlzNSnU6ztOP70hSc5bfA.png)
![[Vuln Series #1] CLFS Vulnerability Analysis](https://miro.medium.com/v2/resize:fill:160:112/1*VzlzNSnU6ztOP70hSc5bfA.png)
![[Mal Series #23] Malware Loader — Bumblebee](https://miro.medium.com/v2/resize:fill:224:224/1*0puGOKv9pBeNBpOmoKjHng.png)
![[Mal Series #23] Malware Loader — Bumblebee](https://miro.medium.com/v2/resize:fill:160:112/1*0puGOKv9pBeNBpOmoKjHng.png)
![[CTF Series #12] Mini Linux Forensics — MUS22](https://miro.medium.com/v2/resize:fill:224:224/1*Ext2Rcx1OpWpKDT2Zwn4Iw.png)
![[CTF Series #12] Mini Linux Forensics — MUS22](https://miro.medium.com/v2/resize:fill:160:112/1*Ext2Rcx1OpWpKDT2Zwn4Iw.png)
![[Mal Series #22] Weird Embedded PDF file](https://miro.medium.com/v2/resize:fill:224:224/1*M_a1PXXy6OEMSU1kQa-gRA.png)
![[Mal Series #22] Weird Embedded PDF file](https://miro.medium.com/v2/resize:fill:160:112/1*M_a1PXXy6OEMSU1kQa-gRA.png)
![[RedDev Series #4] Experimenting SysWhisper2 with LLVM Obfuscator](https://miro.medium.com/v2/resize:fill:224:224/1*4k4ox2BiIgmyie4g_nlVdg.png)
![[RedDev Series #4] Experimenting SysWhisper2 with LLVM Obfuscator](https://miro.medium.com/v2/resize:fill:160:112/1*4k4ox2BiIgmyie4g_nlVdg.png)
