All Posts

Tiny R2 Emulation

Synopsis Today’s article reviews how to use Radare2 to make the malware deobfuscate itself. Radare2 or R2 simplifies the process through archaic VIM-like commands. One caveat though: R2 emulates slowly. It can’t brute force anything of significance quickly; but, when used correctly, R2’s emulation reduces analysis time. Sample Understanding what the malware does is important before diving into any emulation. This Tinyloader sample, found on VirusShare, serves as today’s specimen.

Pin to Unpin SystemDefaultUILanguage

Synopsis Ok, enough with the pun. Here, we’ll tackle a custom challenge to control execution flow. The idea behind this is to instrument environment-dependent malware samples so they can be modified on the fly without needing to manually patch the binary. Intel’s PIN, a dynamic binary instrumentation (DBI) tool, enables us to scale a custom solution for automated sandbox runs. Back Story Malware sometimes checks to see if the machine it is running on is its intended target.

Flare-On 2017: Challenge 3

Synopsis To get the flag of course ;-). Slightly more serious, this post presents one way to solve 2017’s third Flare-On challenge. The solution will make extensive use of python to statically extract the flag. Setup We start by opening the file in IDA and jumping to the entry point. The entry point simply calls sub_401008. Screen Shot 1: Entry Point Following this lead, open the function and take a look around.

Basic Document Analysis By Example: Sample 1

Synopsis The article has three sub-goals around the primary goal of document analysis. First is to trace through a PDF and extract the docm file the PDF drops. The second sub-goal is to inspect the docm file using freely available tools. The final sub-goal is to generate yara rules to flag sample-identifying strings in Object Linking and Embedding (OLE) streams that we can apply to other samples. Disclaimer: I do my best to analyze in a vacuum.

Cheatsheet - Resolving Windows API Calls

Synopsis Recently came across a sample which obfuscated Windows API calls, making static analysis challenging. I know; obfuscating Windows functions is nothing new. This article’s goal is to outline a method that may or may not work to assist with de-obfuscation. It all hinges on how the obfuscation is implemented. Steps The steps outlined in this article strive to focus on methodology versus analyzing a particular sample; however, we’ll be using an example as well, so the delineation might get a little blurry.

Virus Share: Random Sample #1 - Part Four: Extraction

Synopsis Today we are picking up where we left off in part three. The goal here is to extract the PE file that’s injected into iexplorer.exe’s address space. Unlike the prior article, this post will be light on static analysis as its main goal is to help us transition to reversing the injected binary. Follow along note: We’ll be using the sample dumped after step 8 (part one) for IDA.

Virus Share: Random Sample #1 - Part Three: Injection

Synopsis Continuation of our analysis of Virus Share: Random Sample #1 - Part Two. We start with inspecting the function placed at the start of ZwWriteVirtualMemory to learn its objective. Follow along note: We’ll be using the sample dumped after step 8 (part one) for IDA. When running the sample in x64dbg, the dumped sample is taken just prior to step 8. Exercise caution (i.e. run in an isolated VM) as this is a live malware sample.

Cheatsheet - Get Exported Function Address by Function Name

First in possibly a series of quick reviews of common activities seen or used in malware analysis. Most of these will probably have been documented elsewhere online; however, I am recording them here for my own edification. Synopsis This cheatsheet will make use of x64dbg to walk a PE file in memory to acquire the address of a function based upon its name. The goal is to be familiar with how malware can do the same thing.

Virus Share: Random Sample #1 - Part Two: API Hook Analysis

Synopsis Here we will continue our analysis of the unpacked sample from Virus Share: Random Sample #1 - Part One. Follow along note: We’ll be using the sample dumped after step 8 (part one) for IDA. When running the sample in x64dbg, the dumped sample is taken just prior to step 8. Exercise caution (i.e. run in an isolated VM) as this is a live malware sample. I’m not responsible for any damage.

Virus Share: Random Sample #1 - Part One: Unpacking

Synopsis First in a series where we take a pseudo-random sample from Virus Share to analyze. Sample SHA256: 0b74eb0e41ecf4cde71aea773746b3c57e42ffcec4eadc69c4c8038133bf43af Please exercise caution as this is a live malware sample. Analysis Upon examining the HTML file from Virus Share, we find a VBScript dropper script at the bottom of the file. At first glance it appears to be commented out using <!-- and -->; however, comments in VBScript start with '.