Custom Tools, Reverse Engineering, and Threat Research

Z3 Solver Simplifying String Decryption

Sun, 08 Jan 2023 00:00:00 +0000

Self Improving IDAPro

Sun, 11 Dec 2022 00:00:00 +0000

YARA - Following FALLCHILL's E8 Call

Sun, 31 Jul 2022 00:00:00 +0000

Summary This article covers how to follow a near relative call instruction, 0xE8 in YARA. TL;DR Calculation: Address of the instruction following the call instruction + the int32 value passed to the 0xE8 opcode == Function Start Address Near Relative Call - Explained The 0xE8 instruction on c9x is defined as: Call near, relative, displacement relative to next instruction . This means that the address passed to the call instruction is added to the next instruction address in order to calculate the location of the function being called.

Day 7 of 100 Discontiguous Days of YARA

Thu, 13 Jan 2022 00:00:00 +0000

Summary Partaking in Greg’s #100DaysOfYARA, but to be honest it’s more likely to be #100DiscontiguousDaysOfYARA for me - if I make it that far. I doubt that the rules shared these 100 days will contain any truly original ideas, but I’d still like to share what I’ve learned. Day 7 This is the second of at least a 3 (maybe 4) part series targeting SFX 4.x files. Yes, I’m absolutely stretching my #100DaysOfYARA content.

Day 6 of 100 Discontiguous Days of YARA

Mon, 10 Jan 2022 00:00:00 +0000

ImHex Pattern and YARA Functionality

Sat, 08 Jan 2022 00:00:00 +0000

Summary This article covers: Installing and setting up ImHex Using the pattern editor YARA integration Installation I prefer to install ImHex by source. There are also nightlies that can be downloaded. I recommend trying those first before trying the compiling guide below, as it should be simpler. ImHex works on Windows, Linux, and MacOS. ImHex installation steps on a Ubuntu 21.10 VM are roughly as follows: Build git clone --recurse-submodules https://github.

Day 5 of 100 Discontiguous Days of YARA

Fri, 07 Jan 2022 00:00:00 +0000

Day 4 of 100 Discontiguous Days of YARA

Wed, 05 Jan 2022 00:00:00 +0000

Summary Partaking in Greg’s #100DaysOfYARA, but to be honest it’s more likely to be #100DiscontiguousDaysOfYARA for me - if I make it that far. I doubt that the rules shared these 100 days will contain any truly original ideas, but I’d still like to share what I’ve learned. Day 4 import "pe" rule pdb_guid{ meta: Author = "xorhex" Description = "Search for a PDB Guid String" PDB_guid = "dcabb77e-c56c-4f3a-90f5-e604e0d01a87" HundredDaysOfYARA = "Day 4" condition: // RSDS Sig uint32(uint32(pe.

Day 3 of 100 Discontiguous Days of YARA

Mon, 03 Jan 2022 00:00:00 +0000

Summary Partaking in Greg’s #100DaysOfYARA, but to be honest it’s more likely to be #100DiscontiguousDaysOfYARA for me - if I make it that far. I doubt that the rules shared these 100 days will contain any truly original ideas, but I’d still like to share what I’ve learned. Day 3 rule no_mz_sig__no_pe_sig__but_could_be_a_pe_file { meta: author = "xorhex" description = "Identifies PE files whose MZ sig and PE sig are wiped by inspecting the machine type value at the expected offset" warning = "Further tweaking maybe required to lessen the FP rate" HundredDaysOfYARA = "Day 3" condition: uint16be(0) !

Day 2 of 100 Discontiguous Days of YARA

Sun, 02 Jan 2022 00:00:00 +0000

Summary Partaking in Greg’s #100DaysOfYARA, but to be honest it’s more likely to be #100DiscontiguousDaysOfYARA for me - if I make it that far. I doubt that the rules shared these 100 days will contain any truly original ideas, but I’d still like to share what I’ve learned. Day 2 import "pe" rule pe_created_after_cert_expired { meta: author = "xorhex" description = "Find PE files that were compiled (assuming the timestamp was not modified) after their code signing certificate expired" HundredDaysOfYara = "Day 2" condition: for any s in pe.

Day 1 of 100 Discontiguous Days of YARA

Sat, 01 Jan 2022 00:00:00 +0000

Summary Partaking in Greg’s #100DaysOfYARA, but to be honest it’s more likely to be #100DiscontiguousDaysOfYARA for me - if I make it that far. I doubt that the rules shared these 100 days will contain any truly original ideas, but I’d still like to share what I’ve learned. Day 1 import "pe" import "time" rule cert_expired { meta: author = "xorhex" description = "Find PE files whose code signing certificate is expired as of current date" HundredDaysOfYara = "Day 1" condition: for any s in pe.

Mlget - For all Your Malware Download Needs

Mon, 11 Oct 2021 00:00:00 +0000


Source	Releases
License Type	MIT License
Version At Blog Release	v2.1

RedDelta PlugX Undergoing Changes and Overlapping Again with Mustang Panda PlugX Infrastructure

Wed, 02 Jun 2021 00:00:00 +0000


Family	PlugX - RedDelta Variant
Threat Actor	Mustang Panda
Encrypted	1c7897a902b35570a9620c64a2926cd5d594d4ff5a033e28a400981d14516600
Decryption Key	0x78, 0x61, 0x6c, 0x72, 0x45, 0x5a, 0x6f, 0x78, 0x43, 0x59, 0x73, 0x71, 0x6c, 0x52, 0x6e, 0x77, 0x78, 0x46, 0x63, 0x43, 0x46
Key Length	21
Decrypted	ec1c29cb6674ffce989576c51413a6f9cbb4a8a41cbd30ec628182485a937160
Config C2	101.36.125.203:965
Config C2	101.36.125.203:110
Config C2	vitedannews.com:965
Config C2	vitedannews.com:110

Mustang Panda PlugX - Reused Mutex and Folder Found in the Extracted Config

Thu, 27 May 2021 00:00:00 +0000


Family	PlugX - Variant: `XXXXXXXX` Config Check
Threat Actor	Mustang Panda / Red Delta
Encrypted	de0f65a421ce8ee4a927f4f9228f29ff12be69ac71edecb18c35cb5101e4c3cf
Decrypted	2bfd100498f70938dedef42116af09af2db77ef1315edcea0ffd62c93015ddf5
XOR Decyption Key	0x4b, 0x73, 0x51, 0x4f, 0x74, 0x6d, 0x49, 0x68, 0x63, 0x43
XOR Decryption Key Length	10

Mustang Panda PlugX - 45.251.240.55 Pivot

Mon, 17 May 2021 00:00:00 +0000


Family	PlugX
Threat Actor	Mustang Panda
Encrypted	589e87d4ac0a2c350e98642ac53f4940fcfec38226c16509da21bb551a8f8a36
Decrypted	dce920f5db90efecc7fb7a6b6399c80fc83e3f1251f160cd1295b6a4b67125d4

About

Mon, 01 Mar 2021 00:00:00 +0000

This about page will host more as research is posted.

Contact

Mon, 01 Jan 0001 00:00:00 +0000

Mlget README

Mon, 01 Jan 0001 00:00:00 +0000