Skip to main content

Posts

Showing posts from 2020

Decode FIN6 Cobalt Strike stagers

This post explains about decoding FIN6 cobalt strike stagers using cyberchef and scdbg. Attackers leverage pastebin to host cobalt strike stagers or malicious droppers and few of them are still active on pastebin though the final c2 or  domains are not active. Below is one of those pastebin httpstagers hxxps://pastebin[.]com/raw/HPpvY00Q.
One of my previous posts Decoding Metasploit and CobaltStrike shells explains how to use CyberChef to fully decode and get the shellcode from an encoded powershell command and further it will be fed into scdbg emulator to get the IP address of C2. Here scdbg command line version for linux is used to emulate the shellcode 
References: CyberChefScdbgCobalt Strike stagers used by FIN6 Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware

Dridex shellcode analysis using scdbg

This post explains how to use scdbg to analyse one type of shellcode generated by Metasploit framework or CobaltStrike to get the C2 domain/IP address so that the incident responder can able to identify and block the further adversary activity. FYI this post doesn't cover the initial infection vector (like phishing thorough office maldoc) or how the shellcode will get generated (like from Metasploit framework or Cobaltstrike). 
The previous post Decoding Metasploit and CobaltStrike shells explains how to leverage CyberChef to fully decode and get the shellcode from an encoded powershell command and further it will be fed into scdbg emulator to get the IP address of C2 or an adversary
scdbg is a shellcode analysis application built around the libemu emulation library. When run it will display to the user all of the windows APIs the shellcode attempts to call 

Finally, there are other ways to analyse shellcode in various platforms. This is just an explanatory post to leverage a gui bas…