Group for Malware Analysts. Pinned message with resources and rules: https://t.me/MalwareResearch/38033
Hello Profound, welcome to the Malware Research group! Please read the pinned message before you post!
No worries about it. I spend some of my free time doing such things to satisfy my own curiosity, because it would be useful for my work 😄
I'm also not an expert. I simply try to replicate the various blogs' findings by following their steps
https://dosxuz.gitlab.io/post/tim_1/
You might be encountering something like this, and I've seen it in some malware, especially loaders and ransomware
I can't spend too much time analyzing them, so I typically send them to sandboxes or a controlled environment, or simply run capa and floss on them
I think some other tools mentioned like speakeasy could be useful
I'm not sure if dynamic analysis is suitable for malware logic; that's something static analysis may be more suitable for, but I may be wrong
If you are looking for things like what happens next when this file is executed (aka sandbox-like results), I prefer debugging it, so I can step through it step by step and see what happens
Sometimes, if I'm just being lazy, I'll just run floss and capa on the file, grab the necessary details and make some educated guesses
The laziest way I've used is to detonate it in an environment with EDR or a logging mechanism and get the output
Try to use apimonitor + wireshark + fiddler + hasherezade's mal_unpack or speakeasy.
If you don't want to analyse the code, you can use these tools, which will intercept traffic and hook API call activity + help to unpack or extract shellcode. Maybe it helps.
But it's better and more efficient to analyze the code to understand what's going on there and what the logic is 🧑💻
just extraction of IOCs?
I think just the typical networking capture + file system and registry diffing
You may want to capture some APIs as well, for searching in EDR logs
I'm analysing a malware sample that contains a .text section marked as writable and executable. I know that some kind of shellcode will be decoded and executed.
I didn't see any relevant host or network indicators after executing the program. The program simply starts and exits.
This is in a malware analysis platform and the challenge is to find the decryption key.
Well, is there something in between simply executing the program and going line by line through the debugger?
Do you have any suggestions?
E.g. a strategy to identify which one is the decoding function, or getting a high-level idea of what the functions might be used for?
What do you usually do in a basic dynamic analysis activity?
Are you sure? I just joined and I checked, there are no download links
New FedBan
Fed: Libra's Empire
FedAdmin: alex 27
User: Raptus
User ID: 932135205
Reason: spam
I'm still downloading from tria.ge using my researcher account that I created back then
Did you do the challenge? Anyway I guess it's easy, but as I said I'm a beginner
New FedBan
Fed: Libra's Empire
FedAdmin: Libra
User: Rushi
User ID: 515277229
Reason: don't spam irrelevant content
You got it.
Cycling over PEB->Ldr entries is what I found in the function I was analysing.
Ok. Sorry if I took your time. I'm not so expert and never saw this one, so I'd like to figure out if I was losing time or if some techniques to obfuscate the binary were used
Thanks for the advice. Really good.
For the laziest one, yes, super good, but I don't have an env like that.
Uuu, capa can be interesting, I was forgetting about it. I can see if it can find some capabilities and expand from there.
As this malware is a self-modifying loader, with an anomalous PE format and almost no WinAPI in the import table, probably the only solution is to go patiently through it using the debugger.
I also found, using floss, a reference to LordPE in the binary.
I have some suspicion that someone used the tool to extract some sections or assemble the loader in a non-standard way.
Anyway, thanks for the help.
For basic, I used Sysmon, TCPView, Wireshark.
But here there are not a lot of host and network indicators.
The goal is to understand the malware logic, from what I got.
Break on common functions which allocate memory and see what they are filled with
Have you checked your network connections? Maybe because there is no response it closes
This isn't the clapback you think it is, but you go ahead
Based on Google search results, it seems fairly new. 2022
but as far as information suggests, variants exist
Even if decryption exists for previous variants (not that I read of), it's unknown if it exists for the current one
Does anyone have a reference on Beast ransomware decryption?
Hello @tathagataya_JB, welcome to the Malware Research group! Please read the pinned message before you post!
tria.ge used to allow researcher accounts in their early days, not sure if you can do so... you can try