Group for Malware Analysts. Pinned message with resources and rules: https://t.me/MalwareResearch/38033
Blog post alert!
This one is about portable executable process injection (T1055.002) as implemented in BugSleep backdoor loader (attributed to MuddyWater). This is an old technique, but I go over why the implementation in the loader is buggy and easily blocked by EDRs.
I think people getting into malware analysis can use this information to learn not only the process injection technique, but also how not to take malware code at face value and to keep an eye out for bugs.
Blog link: https://nikhilh-20.github.io/blog/inject_bugsleep/
You can check this fork. It features additional commits that you also might want to examine if you don't trust changes by others than the original author.
https://github.com/digitalsleuth/UnAutoIt
However, if you want to rebuild the binaries yourself, you'll realize the libautoit package is needed. Also, you might have to edit go.mod and some other files. I found a surviving fork with version 1.2.8, dated May 25, 2021.
https://github.com/CrackerCat/libautoit
I used this tool some time ago and I faced a few bugs. For example, the dump directory is created with wrong permissions on Linux, and the option to set the chunk length to split long literal strings is called "strlit-max" in the help and "max-strsz" in the parser.
hint: search GitHub (log in to GitHub and search the code), Google, Bing
User Dhiraj has 1/3 warnings; be careful!
Reason:
add context to links
ah thank you, this is the actual sample i was referring to, if this helps
https://x.com/RandomDhiraj/status/1839717748970021027
https://malcat.fr/blog/lnk-forensic-and-config-extraction-of-a-cobalt-strike-beacon/
might still be there, but you likely will need to tinker around till you get it (example in the above link)
Checked the .data section, couldn't really find anything
Guys, is it necessary that the config in a Cobalt Strike beacon is present in the .data section?
Hello @httpredsec, welcome to the Malware Research group! Please read the pinned message before you post!
This is what I was looking for:
https://github.com/Malandrone/PowerDecode/
Oh... interesting internals, will have a look. thanks
I know and honestly it's unusable. It would be a perfect substitute, but really... we tried many times with different hw setups and it's too buggy to be used in practice.
Moreover, it is shipped with few evasive mitigations... so... long live cape :)
I'm trying to install the CAPEv2 sandbox, but I'm encountering some confusion or lack of understanding regarding some configuration descriptions used in conf/processing.conf, specifically about the on_demand setting. Does anyone know about this setting and the impact of setting it to on or off?
the hash is different though, you really sure it's the same sample?
Does anyone have the tool from this GitHub repository? I've tried searching for it on the Wayback Machine but couldn't download it. Maybe someone has it. If you do, could I please ask for it? Thank you.
https://github.com/x0r19x91/UnAutoIt/
Sorry, I only have a free account, so I can't download samples there
New FedBan
Fed: Libra's Empire
FedAdmin: ❤🦦
User: V O I D
User ID: 6809771801
Reason: selling exploits
hi everyone, "7ff02fb46009fc96c139c48c28fb61904cc3de60482663631272396c6c6c32ec" sample request, thank you in advance
So I found a beacon and ran a bunch of extractors on the sample; turns out they fail at extraction, but the detections and memory dump have traces of Cobalt Strike beacon-based artefacts
Hello @savi_hash, welcome to the Malware Research group! Please read the pinned message before you post!
Hello @Kanaguthara, welcome to the Malware Research group! Please read the pinned message before you post!
The source code of the driver is not available :(
https://github.com/cert-ee/cuckoo3/issues/6
Hahaha ok. I am sorry, I don't know what you are doing. I have some interesting ideas and I am looking forward to seeing your work and results. Are you going to share?
Cuckoo3 is picking up speed recently also. They moved away from agent.py to a kernel driver, maybe you can use and contribute there
Do you know drakvuf? Have a quick look and see if it could better fit your needs