Malware Development

  • Malware Launching - Packing

    Malware Launching - Packing

    1. Context

    When I first started in malware development, the question I always had in the back of my mind was how malware can be launched at all, since AV programs keep evolving to detect more and more malicious executables.

    AVs are heavily dependent on the signatures of an executable to...

  • Malware Launching - Process Hollowing

    Malware Launching - Process Hollowing

    1. Context

    This is another malware launching technique that I have been really interested in learning about. The idea behind malware launching is that you have a malicious executable and you want to execute it like a normal process on the machine.

    However, most average Windows users are aware of...

  • Malware Launching - DLL Injection

    Malware Launching - DLL Injection

    1. Context

    Ever since I started malware development, I’ve always been interested in the concept of malware launching.

    The idea is that a malware launcher is a type of malware that can download/unpack and execute another piece of malware. The goal of the launcher is to set things up so the malicious activity of the...

  • Rust Ransomware (Part 3)

    Rust Ransomware: Part 3

    Traversing Windows Directories and Privilege Escalation

    1. Traverse and Encrypt

    After implementing the encryption routine in Part 2, we need to traverse the victim's directories in order to find the files to encrypt.

    Typically, directories and files are a bit complicated to process if you want to traverse through...

  • Rust Ransomware (Part 2)

    Rust Ransomware: Part 2

    Crypto and How Ransomware Encrypts Your Files

    1. Ransomware and Encryption

    A typical ransomware is just a malicious program that encrypts your files with some method, making them unusable, and holds them for ransom.

    If the victim wants the files back, they have to pay and have the malware author decrypt the...

  • Rust Ransomware (Part 1)

    Rust Ransomware | Part 1

    Setting Up & Implementing Anti-Reversing Techniques in Malware

    Set up

    • To set up this lab, please make sure you have a recent version of Rust installed.
    • Create a folder on your computer and change into that directory from your Command Prompt

Reverse Engineering

  • MountLocker Ransomware

    MountLocker Ransomware

    This is my report for a MountLocker Ransomware v5.0 sample, which is used by the XingLocker ransomware group.

    This ransomware uses a hybrid cryptography scheme of RSA-2048 and ChaCha20 to encrypt files and protect its keys. Unlike other ransomware, MountLocker encrypts all of the per-file ChaCha20 keys with a global ChaCha20 key before encrypting this global key with...
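    As an added illustration (this is not MountLocker's code and not code from the report), the Go program below models the key hierarchy the excerpt describes: every file gets its own ChaCha20 key, each per-file key is encrypted under one global ChaCha20 key, and only the global key is encrypted with the RSA-2048 public key. ChaCha20 is implemented from RFC 8439 because the Go standard library does not ship it; RSA-OAEP with SHA-256, the nonce handling and the lockedFile layout are assumptions made for the demo, not claims about the real sample's file format. Go is used here because its standard library provides RSA offline.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math/bits"
)
// quarterRound is the ChaCha20 quarter round (RFC 8439, section 2.1).
func quarterRound(a, b, c, d uint32) (uint32, uint32, uint32, uint32) {
	a += b; d = bits.RotateLeft32(d^a, 16)
	c += d; b = bits.RotateLeft32(b^c, 12)
	a += b; d = bits.RotateLeft32(d^a, 8)
	c += d; b = bits.RotateLeft32(b^c, 7)
	return a, b, c, d
}

// chachaBlock returns one 64-byte keystream block (RFC 8439, section 2.3).
func chachaBlock(key [32]byte, counter uint32, nonce [12]byte) [64]byte {
	s := [16]uint32{0x61707865, 0x3320646e, 0x79622d32, 0x6b206574} // "expand 32-byte k"
	for i := 0; i < 8; i++ { s[4+i] = binary.LittleEndian.Uint32(key[4*i:]) }
	s[12] = counter
	for i := 0; i < 3; i++ { s[13+i] = binary.LittleEndian.Uint32(nonce[4*i:]) }
	w := s
	for i := 0; i < 10; i++ { // 20 rounds: a column round then a diagonal round, ten times
		for _, q := range [8][4]int{{0, 4, 8, 12}, {1, 5, 9, 13}, {2, 6, 10, 14}, {3, 7, 11, 15},
			{0, 5, 10, 15}, {1, 6, 11, 12}, {2, 7, 8, 13}, {3, 4, 9, 14}} {
			w[q[0]], w[q[1]], w[q[2]], w[q[3]] = quarterRound(w[q[0]], w[q[1]], w[q[2]], w[q[3]])
		}
	}
	var out [64]byte
	for i := range w { binary.LittleEndian.PutUint32(out[4*i:], w[i]+s[i]) }
	return out
}

// chacha20XOR encrypts or decrypts data; the block counter starts at 1 as in RFC 8439.
func chacha20XOR(key [32]byte, nonce [12]byte, data []byte) []byte {
	out := make([]byte, len(data))
	for off, ctr := 0, uint32(1); off < len(data); off, ctr = off+64, ctr+1 {
		ks := chachaBlock(key, ctr, nonce)
		for i := 0; i < 64 && off+i < len(data); i++ { out[off+i] = data[off+i] ^ ks[i] }
	}
	return out
}

// lockedFile is an assumed on-disk layout for this demo; a real sample's file footer differs.
type lockedFile struct {
	ciphertext, wrappedKey []byte   // wrappedKey: the per-file ChaCha20 key under the global key
	fileNonce, wrapNonce   [12]byte // nonces for the file body and for the key wrap
}
func check(err error) { if err != nil { panic(err) } }
func random(b []byte) { _, err := rand.Read(b); check(err) }

// lockFiles models the hierarchy per-file key -> global key -> RSA-2048 public key (OAEP is an assumption).
func lockFiles(pub *rsa.PublicKey, files [][]byte) (locked []lockedFile, wrappedGlobal []byte) {
	var global [32]byte
	random(global[:])
	for _, plain := range files {
		var lf lockedFile; var fk [32]byte
		random(fk[:]); random(lf.fileNonce[:]); random(lf.wrapNonce[:])
		lf.ciphertext = chacha20XOR(fk, lf.fileNonce, plain)
		lf.wrappedKey = chacha20XOR(global, lf.wrapNonce, fk[:]) // per-file key under the global key
		locked = append(locked, lf)
	}
	wrappedGlobal, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, global[:], nil)
	check(err)
	return locked, wrappedGlobal
}

// unlockFiles is the recovery path: one RSA private-key operation yields the global key, which unwraps every file key.
func unlockFiles(priv *rsa.PrivateKey, files []lockedFile, wrappedGlobal []byte) ([][]byte, error) {
	g, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrappedGlobal, nil)
	if err != nil { return nil, err }
	var global [32]byte
	copy(global[:], g)
	var out [][]byte
	for _, lf := range files {
		var fk [32]byte
		copy(fk[:], chacha20XOR(global, lf.wrapNonce, lf.wrappedKey))
		out = append(out, chacha20XOR(fk, lf.fileNonce, lf.ciphertext))
	}
	return out, nil
}

// demoRoundTrip locks files under a fresh RSA-2048 key pair, recovers them, and reports whether all came back intact.
func demoRoundTrip(files [][]byte) bool {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	locked, wrappedGlobal := lockFiles(&priv.PublicKey, files)
	recovered, err := unlockFiles(priv, locked, wrappedGlobal)
	check(err)
	for i := range files {
		if string(files[i]) != string(recovered[i]) { return false }
	}
	return true
}

func main() { // constructed sample contents, not taken from any real sample
	fmt.Println("all files recovered:", demoRoundTrip([][]byte{[]byte("file one"), []byte("file two")}))
}
```

    The analyst-relevant consequence is visible in unlockFiles: because every per-file key sits under the same global key, a single RSA private-key operation is enough to unwrap every file key, whereas a scheme that wraps each per-file key directly with RSA needs one private-key operation per file. The same structure also means the global ChaCha20 key is the one secret worth hunting for while the sample is still running.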

  • Darkside Ransomware

    Darkside Ransomware

    This is my report for one of the latest Windows samples of Darkside Ransomware v1.8.6.2!

    Since there is not a lot of in-depth analysis on Darkside out there, I decided to just write one myself.

    Darkside uses the aPLib algorithm to compress its configuration and a hybrid cryptography scheme of custom RSA-1024 and Salsa20 to encrypt files...

  • Babuk Ransomware v3

    Babuk Ransomware v3

    This is a short report for the latest Babuk ransomware sample. This sample is marked as version 3 based on the run-once mutex string.

    For this new version, the malware author keeps most of the old functionalities the same except for the encryption scheme and the multithreading approach.

    Since I have covered Babuk old...

  • Babuk Ransomware

    Babuk Ransomware

    This is my report for the new Babuk Ransomware that appeared at the beginning of 2021.

    Since this is the first detection of this malware in the wild, it's not surprising that Babuk is not obfuscated at all. Overall, it's a pretty standard ransomware that utilizes some of the new techniques we see such...

  • Conti Ransomware

    Conti Ransomware v2

    This is my full analysis for the Conti Ransomware version 2. Over the last few months, I have seen quite a few companies getting hit by this ransomware, so it's been interesting analyzing it and figuring out how it works.

    As one of the newer ransomware families, Conti utilizes multi-threading features on Windows to encrypt files...

  • RegretLocker

    RegretLocker is a new ransomware, found in the wild in the last month, that does not only encrypt normal files on disk like other ransomware. When running, it specifically searches for VHD files, mounts them using the Windows Virtual Storage API, and then encrypts all the files it finds inside those VHD...

  • Flare-On 7 - Challenge 2

    After unzipping the challenge, we get a single Windows executable. This is the prompt given by the author.

    One of our team members developed a Flare-On challenge but accidentally deleted it. We recovered it using extreme digital forensic techniques but it seems to be corrupted. We would fix it but we are too busy solving today's...

  • Flare-On 7 - Challenge 1

    Flare-On 7 | Challenge 1

    After unzipping the challenge, we get 2 Python files, an EXE file, and some folder containing images used by the game. This prompt is given by the challenge’s author.

    Welcome to the Seventh Flare-On Challenge! This is a simple game. Win it by any means necessary and the victory screen...

  • Ransomware

    1. Context

    This is the fourth post of my reversing series following the previous posts about

    This time, the challenge is Ransomware. From this name, I guess we will be dealing with encrypted files!

    2. Ransomware

    First, when we unzip the zip file, we get 2 files, file and ransomware.exe.

    Since there...

  • Replace

    1. Context

    This is the third post of my reversing series following the previous posts about

    This time, I’ll be working on the next challenge, Replace. I got 0 context from this name, so I actually can’t guess the functionality of this executable before trying static analysis.

    2. Replace

    First, like always,...

  • Easy Keygen

    1. Context

    This is the next post of my reversing series following the previous post about here.

    This time, I’ll be working on the next challenge, Easy Keygen. Like the name implies, this type of challenge is for us to be able to reverse a key generation for a specific value...

  • Easy Crack

    1. Context

    I’ve been working at Union Pacific for the network design team, so I have not had much practice with reverse engineering lately.

    Since FLARE-On 2020 from FireEye is coming next weekend, I figured that I should do some reversing this weekend to prepare for it.

    I have picked to...

  • PE Parser

    PE File Parser

    1. Context

    I have been doing a lot of malware analysis recently, but I realize I do not know much about the entire structure of a PE file. It has really been annoying having to look up what each component is and where it is in memory every time I need it.

    I have already implemented...

  • CSCML2020 CTF Write-up

    CSCML2020 Reverse Engineering Write-up

    1. TimeTravel

    This task’s prompt was about time travelling, so I first assumed that it had to deal with time manipulation inside the executable.

    When I first ran the executable, this is what I get. Seems like we are just going through these dialogs forever, and nothing is...

  • How I "hacked" my way through a CS homework

    How I “hacked” my way through a CS homework

    1. Context

    I’m currently taking a Computer Science course at Georgia Tech called CS 2110 - Computer Organization and Programming. I have taken the exact same course from the ECE department, but since I changed my major, those classes don’t count toward my credit…

    And here we are, grinding...

Network Engineering

  • Open Shortest Path First

    Open Shortest Path First - Routing Protocol

    1. Context

    I’m starting my network engineering internship with Union Pacific soon in a week, and my managers have been asking me to review networking concepts that the company frequently uses.

    One of the important ones is OSPF as, I think, it is our main link state routing protocol within...