Deep Dive Into SectopRat

Image
Hello World, In this Article we will gonna look through a newly version of SectopRat Its written in Dotnet So It wasn't so hard. Thanks for @Arkbird   and JAMESWT  For Their Original Tweets.  Quick Introduction: SectopRat is a RAT Tool was Firstly Discovered by MalwareHunterTeam  in November 15,2019 It has capabilities like connecting to C2 Server, Profiling the System, Steal Browser History From Browsers like Chrome and Firefox, It Sends Stolen User Data in a Json File.  In Depth Reversing: Sectop Weapozies WMI ( Windows Management Instrumentation ) in Order to Collect System Information.   Here it Gets OS Name and Version:  Sectop Has a Class named "GetSystemInfo" that Implements most of its System Profiling.  It Collects:        . OS Name and Version       . Graphics Card Name and Vram Size       . CPU Version and Number Of Cores       ...

OllyDbg Script CheatSheet

ODbgScript Is a very usefull Plugin. It can automate your work in olly and make it more easier when it comes to unpacking and such stuff its instructions is very similar to asm. I am still learning it and I forget alot so I decided to post a cheat sheet. for it :). 


Variables:

var = For Defining  Variables 

mov = move a value from place to another

$RESULT = Stores the Result of an operation 


Conditional Jumps:


JNE = Jump if not equal

JE  = Jump if Equal 

JMP  = Jump 

JB = Jump if Below

JA = Jump if Above 

CMP = Compare two operands 


Commands:


STI = Execute F7 

run = Execute F9 (run) 

STO = Execute F8 

BC = Clear a Break point 

BP = Set Break Point 

BPHWS = Set Hardware Breakpoint 

BPHWC = Remove Hardware Breakpoint 

msg = Display Message 

find = find an expression at an address 

cmt = put comment 

go = go to address


Other Notes:

ollydbg scripts collections

ollyscriptplugin


Popular posts from this blog

Deep Dive Into SectopRat

Image
Hello World, In this Article we will gonna look through a newly version of SectopRat Its written in Dotnet So It wasn't so hard. Thanks for @Arkbird   and JAMESWT  For Their Original Tweets.  Quick Introduction: SectopRat is a RAT Tool was Firstly Discovered by MalwareHunterTeam  in November 15,2019 It has capabilities like connecting to C2 Server, Profiling the System, Steal Browser History From Browsers like Chrome and Firefox, It Sends Stolen User Data in a Json File.  In Depth Reversing: Sectop Weapozies WMI ( Windows Management Instrumentation ) in Order to Collect System Information.   Here it Gets OS Name and Version:  Sectop Has a Class named "GetSystemInfo" that Implements most of its System Profiling.  It Collects:        . OS Name and Version       . Graphics Card Name and Vram Size       . CPU Version and Number Of Cores       ...
Read more

Deep Dive Into HERMES Ransomware

Image
Quick Overview: HERMES is a Ransomware which spreads by spear-phising emails. It was first detected on October 2017. Its attributed to the  Lazurus APT group  it has high connections to Ryuk Ransomware and its believed that they are written by the same author. Among most Ransomwares, it's common that it encrypts the files using AES and Encrypts the AES Random Key using RSA , in the upcoming parts we will include some more insights into it. In Depth-Reversing: . HERMES Drops A Copy From its Self under Name "svchosta.exe" in the Temp Folder And it executes using this command Inhibit System Recovery: . Similarly like most ransomwares it deletes shadow copies to acheive this it drops a batch file similar to the Ryuk one , which strengthens it's similarity to Ryuk And it executes using this command Unpacking and API Resolving: HERMES allocates a section in memory for the unpacked PE file , this technique can be defined as  Self Injection  . This image explains it very wel...
Read more

Intro to Malware Traffic Analysis

Image
Hello World, In this Blog post I will gonna Introduce to Analyzing Malware Pcaps using  Wireshark by going through a challenge from ( CyberDefenders ).  Challenge Link In This Challenge we are given 14 Questions we will go through each question and seeing how to solve it in details.  Intro to Exploit Kits: Before we deep dive and solve this challenge its good to know what really exploit kits are and how do they work. Exploit Kits are Collection of Exploits mostly operates by searching for vulnerable browser-based applications like websites they exploits vulnerabilities in these websites and then deliver malwares and payloads. Questions that should be answered when Analyzing a Exploit Kit PCAP is What is the Infected Website as we said there should be a website that has been infected other questions may be like what is the ip address of the infected machine ?, what is the website that redirects to the exploit kit deliverer etc... This is My First Attempt to analyze an...
Read more