Category: Malware Reverse Engineering

2016/02/23

Office and OLE File Forensic Analysis Primer – 4

by InterDimensional_Shambler
Categories: Analysis, Malware Reverse Engineering

This is a continuation of the Office and OLE File Forensic Analysis Primer. This post will cover the third scenario, which is an Office DOCX file with a malicious macro. Scenario 3 (DOCX): MD5: e8377c5bc65819f51fae7b6d801d08f7 Open the file with a hex editor. Note the difference not[…]

2015/09/01

Network Forensics – Round 5: Ms. Moneymany’s Mysterious Malware

The puzzle: It was a morning ritual. Ms. Moneymany sipped her coffee as she quickly went through the email that arrived during the night. One of the messages caught her eye, because it was clearly spam that somehow got past the email filter. The message extolled[…]

2015/06/16

Office and OLE File Forensic Analysis Primer – 3

by InterDimensional_Shambler
Categories: Analysis, Malware Reverse Engineering

This is a continuation of the Office and OLE File Forensic Analysis Primer (http://malwerewolf.com/2015/06/office-ole-file-forensic-analysis-primer-2/). This post will cover the second scenario, which is an Office XLS file with a malicious macro. Scenario 2 (XLS): MD5: a29094974ba5eda35d3440f95531277d Open the file with a hex editor. There appears to[…]

2015/06/02

Office and OLE File Forensic Analysis Primer – 2

by InterDimensional_Shambler
Categories: Analysis, Malware Reverse Engineering

This is a continuation of the Office and OLE File Forensic Analysis Primer (https://malwerewolf.com/2015/05/office-ole-file-forensic-analysis-primer-1/). This post will cover the first scenario, which is an Office DOC file with a malicious macro. Scenario 1 (DOC): MD5: f08f126df999f74c52252aeddad5a9e5 Check out the DOC in a hex editor (Keeping[…]

2015/05/19

Office and OLE File Forensic Analysis Primer – 1

by InterDimensional_Shambler
Categories: Analysis, Malware Reverse Engineering

Warning! Actual malware will be executed following these instructions; use caution and a sandbox with NO INTERNET. This is the Office and OLE File Forensic Analysis Primer. It’s intended to get you from “How do I analyze an Office file?” to “Hey, I can tell the difference between a[…]

2014/10/13

Deobfuscating JavaScript and Shellcode: Debugging + Dedicated Tools – Part 2/2

Welcome to Part II of a two-part series on JavaScript and shellcode deobfuscation! In our first video, we explored a few different methods to deobfuscate JavaScript. The first session resulted in a deobfuscated HTML page complete with malicious JavaScript. In this session, I cover how the malicious JavaScript works. Additionally, I debug the shellcode that[…]

2014/08/05

Deobfuscating JavaScript and Shellcode: Debugging + Dedicated Tools – Part 1/2

Welcome to Part I of a two-part series on JavaScript and shellcode deobfuscation! In this first video, I explore a few different methods for deobfuscating JavaScript. I cover using a browser-based debugger along with various Windows and Linux tools to decode scripts. We explore deobfuscating JavaScript in a real-world environment using readily available[…]

2014/07/21

autobreak-api PyCommand – Automatic Breakpoint Lovin’!

Autobreak-api is an Immunity Debugger PyCommand (Python script) that parses a Windows Portable Executable (PE) to automatically set breakpoints on all imported functions. My goal in writing this script was to ease malware analysis by providing a method to triage specimens quickly. For more information, please see the README.md on GitHub. The script along with[…]

2013/09/25

XOR Script (Skips NULL bytes “00”)

by InterDimensional_Shambler
Categories: Analysis, Coding, Malware Reverse Engineering, Python

[Description of XOR Script] Updated January 2014 Hello! I’ve made a script (in Python) that can take an XORed file or string and XOR it with a user-defined XOR key (single-byte or multi-byte). The reason for this is that there is XORed malware out there that is scripted to apply an XOR in various[…]
