
Evil Code Analysis

ransomware

.NET CIL For Fun

31 Dec 2022 / 31 Dec 2022
This mini blog post sprouted out of my previous post: Leveraging Java Bytecode for Fun & Analysis and from preparation for the talk at BBWIC Foundation - A Tale of Two…
java…

Leveraging Java Bytecode for Fun & Analysis

14 Jan 2022 / 31 Dec 2022
Summary An approach similar to modifying assembly code to direct control flow can be used to de-obfuscate and reverse-engineer Java malware or any compiled Java classes for that matter. In…
reverse engineering…

Potential Anti-analysis with XLM NOW() Function - IcedID Delivery

2 Apr 2021 / 3 Apr 2021
TL;DR - XLM sample for IcedID delivery is using the NOW() macro function and non-volatility to possibly make the analysis difficult. While looking for the latest trends on MalwareBazaar yesterday,…
Trojan

AsyncRAT delivery technique: 10 minute analysis

1 Mar 2021 / 2 Mar 2021
Lately, I have been looking at MalwareBazaar for some samples in order to do analysis. I noticed that the samples are conveniently tagged and can be used to see some…
exploit-dev…

Backdooring NSIS based installer: A Cautionary Tale

1 Jan 2020 / 3 Jan 2020
Understandably, this post does not follow the theme of malware analysis of this blog. However, it would be fair to add some range to the topics here. This post came…
macros…

TA505 campaign: Macro Analysis

10 Nov 2019 / 12 Nov 2019
Starting in September, we have seen a rise in campaigns from the TA505 threat actor. They send emails in bulk with spoofed messages regarding hosted files on (spoofed) cloud share services. The…
emotet…

API address resolution (Emotet)

2 Oct 2019 / 23 Dec 2019
Since the Emotet campaign has been back again for the past 2 weeks, I got my hands on one of the samples (3e269b0ba5c550cd0636355f2b8da977dac2dc4ad42bcf8b917322006ccf4745) that someone tweeted and started to dissect.…
ransomware…

Reversing: Locky Osiris (Part II)

12 Mar 2017 / 14 Mar 2017
For this post I will be using IDA Pro and OllyDbg. While jumping back and forth between these tools, I will follow the naming convention of IDA Pro more often than that of OllyDbg.…
ransomware…

Reversing: Locky Osiris (Part I)

8 Feb 2017 / 10 Feb 2017
I was hoping for this to be my last post about Osiris, but since the DLL (shtefans1.spe) is packed, it would not be possible for me to cover the reverse engineering in one…
macros…

Macros: Locky Osiris

28 Jan 2017 / 9 Feb 2017
In this post we will go through the macro code of the Excel file that was used to bait users into downloading and dropping the malware payload. The macros (ThisWB, Module1) that we…


Note

The ideas and views expressed in this blog are mine only and not my employer's. The analyses posted in this blog are results of my hobby and in no way work-related.

Archives

  • December 2022
  • January 2022
  • April 2021
  • March 2021
  • January 2020
  • November 2019
  • October 2019
  • March 2017
  • February 2017
  • January 2017