Understanding Internals of SmokeLoader

Introduction: In this blog we will discuss the internals of SmokeLoader using Ghidra. Analysis: Readers who want to follow along can get the sample from MalwareBazaar. The sample was first seen on September 5th 2023 14:12:29 UTC. The sample is a 32-bit EXE file. You can use the tool of your choice; I will be using Ghidra in this blog. The sample consists of 3 stages. In the next sections we will look at each stage in detail.

Analysing .NET AsyncRAT using dnSpy

Introduction: Hi all, today we will be analysing .NET AsyncRAT using dnSpy. In this blog we will discuss static extraction of the config, and we will also look at some of the capabilities of AsyncRAT. Analysis: Readers who want to follow along can get the sample from MalwareBazaar. The sample was first seen on 2023-07-04 07:07:39 UTC. The sample is 32-bit, so you can use the 32-bit version of dnSpy.

Guloader Deobfuscation using Ghidra

Introduction: Hi all, today we will be analyzing Guloader shellcode using Ghidra. Our objective is to identify some anti-analysis and obfuscation techniques used by Guloader and defeat them using automation. People who would like to follow along can download the sample from here. The file was seen on 2023-05-11. Anti-Analysis / Obfuscation: API Hashing: The shellcode uses API hashing to hide the APIs being called. For each API it resolves, it first resolves LdrLoadDll and adds 5 to its address to avoid any hooking done by EDR.

Malware String Decryption in 2 ways

Hi all, today I am writing a blog about decrypting malware strings in 2 ways. I posted a tweet about this 2 days ago. The 2 ways are: Emulating; Scripting. Emulating: For emulation I used the tool dumpulator by mrexodia. To use the tool we needed to find the decryption function, its calling convention and the parameters being passed. In this example the function uses the __fastcall calling convention and it has 4 parameters; the first 2 parameters are in ECX and EDX.

Analysing Shellcode to understand how they call windows API's

Introduction: Hi all, today we will be analysing shellcode to understand how it calls Windows APIs. Shellcode is position independent and has no IAT to call APIs through. It normally walks the PEB (Process Environment Block). To understand the theory of how the PEB is used to get APIs, please read this article. We will follow how a malware uses this technique to call Windows APIs. Analysis: The malware first allocates memory and copies the shellcode from the .rsrc section to the allocated memory.

Improving My Ghidra GUI + Ghidra Skills

Hi all, today I am writing this post to let you know how I improved my Ghidra GUI and Ghidra skills. We will be discussing the topics below: Customizing Code Browser; Key Bindings; Ghidra Extensions; Ghidra Scripting. Customizing Code Browser: The Ghidra CodeBrowser has many windows which help in our analysis. My aim was to reduce switching between windows as much as possible. So I found the windows I used the most and combined them in the main CodeBrowser window.