Posts

Deep Dive Into SectopRat

Hello World, in this article we will go through a new version of SectopRat. It is written in .NET, so it wasn't so hard. Thanks to @Arkbird and JAMESWT for their original tweets. Quick Introduction: SectopRat is a RAT tool that was first discovered by MalwareHunterTeam on November 15, 2019. It has capabilities like connecting to a C2 server, profiling the system, and stealing browser history from browsers like Chrome and Firefox; it sends the stolen user data in a JSON file. In Depth Reversing: Sectop weaponizes WMI (Windows Management Instrumentation) in order to collect system information. Here it gets the OS name and version: Sectop has a class named "GetSystemInfo" that implements most of its system profiling. It collects: OS name and version; graphics card name and VRAM size; CPU version and number of cores; ...

Intro to Malware Traffic Analysis

Hello World, in this blog post I will introduce analyzing malware PCAPs using Wireshark by going through a challenge from CyberDefenders. Challenge Link. In this challenge we are given 14 questions; we will go through each question and see how to solve it in detail. Intro to Exploit Kits: Before we deep dive and solve this challenge, it is good to know what exploit kits really are and how they work. Exploit kits are collections of exploits that mostly operate by searching for vulnerable browser-based applications like websites; they exploit vulnerabilities in these websites and then deliver malware and payloads. Questions that should be answered when analyzing an exploit kit PCAP include: what is the infected website (as we said, there should be a website that has been infected)? Other questions may be: what is the IP address of the infected machine? What is the website that redirects to the exploit kit deliverer? etc. This is my first attempt to analyze an...

DOS Assembly 101

Hello World, today I will explain a topic I love, which is assembly, and specifically DOS assembly. So let's go without further delay. What's Assembly: Assembly is just a programming language, but a very, very low-level one. Why is it low level? Because you are mostly dealing with registers and interrupts; you are actually dealing with the CPU, talking to it directly. There is actually another, even lower-level layer, microcode, which is basically an interface between your assembly language/instructions and the hardware. How Assembly Assembles to Machine Code: As we said, assembly is just a programming language, and programming languages in general are tools to talk to a computer without needing to write machine code. But the computer only understands machine code, so we need a way to assemble our assembly code into machine code; that's what an assembler does. Its main job in life is to take your assembly code and convert it to machine code, that's it. But there is actually another step...

Deep Dive Into Ryuk Ransomware

Hello World, this will probably be my first malware report, where I will reverse Ryuk ransomware. Before getting into technical analysis and reverse engineering I will provide some introduction to Ryuk. Let's first discuss the cyber kill chain of Ryuk; it typically goes like this: 1- A maldoc contains a malicious macro that executes PowerShell. 2- The PowerShell command then downloads the Emotet banking trojan. 3- Emotet then downloads TrickBot. 4- As a typical lateral movement activity, TrickBot downloads Ryuk. 5- Ryuk then tries to encrypt all the network hosts. However, in new samples it uses BazarLoader and Cobalt Strike, and it goes like this. Here I analyzed a sample that is not old, it's from 2020, but that's because I analyzed this sample before Ryuk's last attack occurred. Who Created It? Attribution is hard; however, from what I have read, threat intel researchers suggest that it belongs to the authors of HERMES, which is a ransomware that was first detected i...