Introduction In this blog we will be discussing about Understanding Internals of SmokeLoader using Ghidra
Analysis For readers who want to Follow along can get the sample from MalwareBazaar .The sample was first Seen on September 5th 2023 14:12:29 UTC . The sample is 32bit Exe File You can use the tool of your Choice i will be using Ghidra in this blog. The Sample Consists of 3 Stages. In the next sections we will look at each Stages in Detail
Introduction Hi all, Today we will be analysing .NET AsynRAT using dnSpy.In this blog we will be discussing about static extraction of the Config and we will also look at some of the capabilites of AsyncRAT.
Analysis For readers who want to Follow along can get the sample from MalwareBazaar .The sample was first Seen on 2023-07-04 07:07:39 UTC . The sample is 32bit so you can use dnSpy 32 Bit Version.
Introduction Hi all, Today we will be Analyzing Guloader Shellcode using Ghidra. Our Objective is to Identify some Anti-analysis and Obfuscation techniques used by Guloader and Defeat it using Automation. People who would like to follow along can download the sample from here . The File was was seen on 2023-05-11
Anti-Analysis / Obfuscation API Hashing The Shellcode is using API hashing to hide API’s being called. For Each API Resolving it first resolves LdrLoadDll add 5 to it’s address to avoid any Hooking done by EDR .
Hi all, Today I am writing a blog about Decrypting malware strings using 2 ways. I have posted a tweet about this 2 days ago . The 2 Ways are
Emulating Scripting Emulating For Emulation i used the tool dumpulator by mrexodia. To use the tool we needed to find the decryption function, it’s calling Convetion and the parameters being passed
in this Example the function uses __fastcall calling convention and it has 4 parameters first 2 parameters are in ECX, EDX.
Introduction Hi all, Today we will be Analysing Shellcode to understand how they call windows API’s. shellcode’s are position independent, they do not have IAT to call API’s. They normally walk the PEB(Process Environment Block).To understand theory on how PEB is used to get API’s please read this article We will follow how a malware use this technique to call windows API’s .
Analysis The malware First allocates memory and copies the shellcode from the rsrc section to the allocated memory
Hi all, Today I am writitng this post to let you know how i improved My Ghidra GUI & Ghidra Skills. We will be Discussing the below topics
Customizing Code Browser Key Bindings Ghidra Extensions Ghidra Scripting Customizing Code Browser Ghidra CodeBrowser has many Windows which helps in our analysis. My aim was to reduce switchig between Windows as less as possible. So I found the Windows i used the most and Combined them in the Main CodeBrowser Window.