macros… TA505 campaign: Macro Analysis (10 Nov 2019 / 12 Nov 2019) Starting in September we have seen a rise in campaigns from the TA505 threat actor. They send emails in bulk with spoofed messages about files hosted on (spoofed) cloud sharing services. The…
emotet… API address resolution (Emotet) (2 Oct 2019 / 2 Oct 2019) Since the Emotet campaign has been back for the past 2 weeks, I got my hands on one of the samples (3e269b0ba5c550cd0636355f2b8da977dac2dc4ad42bcf8b917322006ccf4745) that someone tweeted and started to dissect it.…
ransomware… Reversing: Locky Osiris (Part II) (12 Mar 2017 / 14 Mar 2017) For this post I will be using IDA Pro and OllyDbg. While jumping back and forth between these tools, I will follow the naming convention of IDA Pro more often than that of OllyDbg.…
ransomware… Reversing: Locky Osiris (Part I) (8 Feb 2017 / 10 Feb 2017) I was hoping for this to be my last post about Osiris, but since the DLL (shtefans1.spe) is packed, it would not be possible for me to cover the reverse engineering in one…
macros… Macros: Locky Osiris (28 Jan 2017 / 9 Feb 2017) In this post we will go through the macro code of the Excel file that was used to bait users into downloading and dropping the malware payload. The macros (ThisWB, Module1) that we…
ransomware… Static Analysis: Locky Osiris (22 Jan 2017 / 9 Feb 2017) This post is a continuation of the previous blog post about the recent Locky variant. Now let's use OfficeMalScanner to confirm the existence of the bin files. As we can see, there is…
ransomware Locky Osiris (13 Jan 2017 / 9 Feb 2017) There was a recent Locky resurgence with the Osiris variant this past December. Although it is too late for others to benefit from this analysis, it would still be…