~Dissecting Malware
// f0wL's Blog about malware analysis and reverse engineering

Archives

The Blame Game - About False Flags and overwritten MBRs

Let's start right off with a short introduction: The Malware analyzed here is a so-called MBR (Master Boot Record) Locker. It is targeting (like most of the time) only PCs running Windows. The good news is: in this case there is neither encryption nor deletion happening on the file system, so there's a good chance for victims to recover their files. A possible mitigation for users would be running MBRFilter, which is developed by...

Jamba Superdeal: Helo Sir, you want to buy mask? - Corona Safety Mask SMS Scam

Since the current COVID-19 outbreak is getting massively taken advantage of by various cybercriminals I thought it would be a good opportunity to try out Android reverse engineering. Let's dive right in: The following dynamic part of this analysis was done in VirtualBox with the most recent version of Android-x86. For those playing along at home: The Setup is really simple (as Live Booting is sufficient). Just remember to crank up the Video...

Why would you even bother?! - JavaLocker

Hey there, yeah it has been a while. I've been quite busy with university stuff for the past weeks, so I'm trying to get back into the analysis/blogging thing. I've been looking for interesting/"innovative" samples that differ from the common tricks and techniques. It was unavoidable that I would have to look at a ransomware strain written in the most beautiful programming language there is sooner or later: Java. Let's get it over with. This strain...

The Opposite of Fileless Malware - NodeJS Ransomware

This is not the first time that someone built a Ransomware Strain with NodeJS (check out this article about Ransom32 and let's not forget about Nodersok), but it's not an everyday sight either. This Malware Sample was first discovered by Xavier Mertens in a post to the SANS ISC Forum here. A general disclaimer as always: downloading and running the samples linked below will lead to the encryption of...

Not so nice after all - Afrodita Ransomware

This strain was first discovered by Korben Dallas on Twitter on the 9th of January. As I already mentioned the Malware is delivered via a Malspam/Maldoc attack crafted for Users / Companies from Croatia. Researchers that were involved in the initial analysis: @KorbenD_Intel, @James_inthe_box, @Malwageddon, @pollo290987 and I (@f0wlsec). Thank you for your contributions! @James_inthe_box @malwrhunterteam @Malwageddon 69450923d812f3696e8280508b636955 XLS 12/60 VT scan detections....

"Nice decorating. Let me guess, Satan?" - Dot / MZP Ransomware

Dot "MZP" Ransomware @ AnyRun | VirusTotal | HybridAnalysis --> sha256 bebf5c12e35029e21c9cca1da53eb43e893f9521435a246ea991bcced2fabe67 This sample was first discovered by AmigoA and AkhmendTaia on the 31st of December 2019. AV Detections and Ransomnote contents didn't seem to match any previously present strain. The Note is delivered via a .txt File with a strange numeric victim ID and only one contact email address. The extension appended to encrypted Files seems to...

Setting up a Malware Exchange for 36C3 with Viper

After checking the projects and self-organized Sessions I couldn't find anything related to Malware Research or a place to discuss reverse engineering (besides CTF maybe), so with the "Malware XCHG" I want to create a place for attendees to share malicious binaries and discuss them at the same time. To host this project at the MysteryHack Assembly I wanted to use a small but capable enough machine which is why I used the Intel NUC...

I literally can't think of a fitting pun - MrDec Ransomware

It employs techniques that are not seen very often in other ransomware samples, so the Analysis is actually quite difficult, but I'm hoping reading this is also at least a bit interesting. Work in Progress: Because Christmas and 36c3 are coming up in the next few days I might have to push this analysis back a bit. A general disclaimer as always: downloading and running the samples linked below will lead to the encryption...

Another one for the collection - Mespinoza (Pysa) Ransomware

Fun Fact: The Extension "pysa" is probably derived from the Zanzibari Coin with the same name. Apparently it's quite popular with collectors. But enough of the pocket change, so let me put my two cents in on this sample :D A general disclaimer as always: downloading and running the samples linked below will lead to the encryption of your personal data, so be f$cking careful. Also check with your local laws as owning...

A "Project.exe" that should have stayed in a drawer - MZRevenge / MaMo434376

Searching for "Project.exe" on AnyRun yields more than a healthy list of results all matching this strain. Oh would you look at that: Looks like we have a Borland Delphi application here 🧐 Yep, it's that ugly, it definitely is Delphi :D And the criminals seem to have a very strong opinion about the Land of the Free but no arguments to back it up (since the rest...

A B C, easy as один, два, три - Lockbit (ABCD) Ransomware

I got this sample from one of the victims posting in the Bleeping Computer Forum thread. From what I gather their systems fell to yet another RDP Bruteforce attack (one user was affected on multiple systems in their domain). A general disclaimer as always: downloading and running the samples linked below will lead to the encryption of your personal data, so be f$cking careful. Also check with your local laws as owning malware...

God save the Queen [...] 'cause Ransom is money - SaveTheQueen Encryptor

I found this sample while browsing the new public submissions on AnyRun on the 1st of December. It piqued my interest because there were just three samples of it on the platform at the time of writing this and they were all uploaded very recently. A general disclaimer as always: downloading and running the samples linked below will lead to the encryption of your personal data, so be f$cking careful. Also check with your...

Quick and painless - Reversing DeathRansom / "Wacatac"

A general disclaimer as always: downloading and running the samples linked below will lead to the encryption of your personal data, so be f$cking careful. Also check with your local laws as owning malware binaries/ sources might be illegal depending on where you live. DeathRansom @ AnyRun | VirusTotal | HybridAnalysis --> sha256 3a5b015655f3aad4b4fd647aa34fda4ce784d75a20d12a73f8dc0e0d866e7e01 The plain text note doesn't look that special. I'll be referring to this strain as Deathransom, since the

About PINEs and supply chain attacks gone wrong

Sality @ AnyRun | HybridAnalysis | VirusTotal --> sha256 37f1b6394a408e0a959b82ff118a526c1362b4ddc1db5da03c9ffa70acaebff4 To all Pinebook Users that may be affected by this Malware: It will not pose any threat to the notebook itself. It will however, potentially infect Windows machines that mount the eMMC storage (which is not a common use case). To remove Sality simply run a system upgrade or run this script manually. On the 3rd of November it was first publicly...

Try not to stare - MedusaLocker at a glance

A general disclaimer as always: downloading and running the samples linked below will lead to the encryption of your personal data, so be f$cking careful. Also check with your local laws as owning malware binaries/ sources might be illegal depending on where you live. medusa.exe @ AnyRun --> sha256 3a5b015655f3aad4b4fd647aa34fda4ce784d75a20d12a73f8dc0e0d866e7e01 dix_16.exe @ HybridAnalysis --> sha256 49da42d00cc3ad6379ead2e07fd5f09bd358b144a6e78aad4bb1a8298e2bb568 Taking a look at the stringdump that stringsifter produced, one of the first things that stood out was this...

Earn-quick-BTC-with-Hiddentear.mp4 / About Open Source Ransomware

A general disclaimer as always: downloading and running the samples linked below will lead to the encryption of your personal data, so be f$cking careful. Also check with your local laws as owning malware binaries/ sources might be illegal depending on where you live. "Shade Ransomware creater is stupid fxxxxx.exe" @ Any.Run --> sha256 ba978eee90be06b1ce303bbee33c680c2779fbbc5b90c83f0674d6989564a70a Because HiddenCrypt is written in C# utilizing the .NET Framework 4, static analysis...

Nicht so goot - Breaking down Gootkit and Jasper (+ FTCODE)

A short disclaimer: downloading and running the samples linked below will compromise your computer and data, so be f$cking careful. Also check with your local laws as owning malware binaries/ sources might be illegal depending on where you live. Gootkit Stage 3 Sample available @ Hybrid Analysis --> 3e846a7316dbc15a38cfd522b14ad3f1a72d79959cbae9fd14621400d77cbc37 "#gootkit #jasperloader #banker Js: https://t.co/PsYBIeph19 Payload: https://t.co/hLThGNJDiK IOCs: wws.tkgventures.[com -> ont.carolinabeercompany.[com/bolp.cabs / adp.reevesandcompany.[com/rbody320 @VK_Intel @malwrhunterteam @James_inthe_box @reecdeep" - JAMESWT (@JAMESWT_MHT)...

Return of the Mummy - Welcome back, Emotet

A short disclaimer: downloading and running the samples linked below will compromise your computer and data, so be f$cking careful. Also check with your local laws as owning malware binaries/ sources might be illegal depending on where you live. Emotet Sample #1 @ Hybrid Analysis --> sha256 6076e26a123aaff20c0529ab13b2c5f11259f481e43d62659b33517060bb63c5 Emotet Sample #2 @ Hybrid Analysis --> sha256 757b35d20f05b98f2c51fc7a9b6a57ccbbd428576563d3aff7e0c6b70d544975 Emotet brought home a few souvenirs from its summer trip as well. The images above and below show...

Malicious RATatouille 🐀

Depending on the licensing model and capabilities Remcos is sold for 58$ to 389$ by the company (with the pretty fitting name) Breaking Security. Feature-wise the manufacturer's website lists: Remote Administration, Support, Surveillance, Anti-Theft and Proxy. In most cases the executable is dropped via a booby-trapped Office or XML Document. Of course I will not link to any of their webpages or products since shilling out for cybercriminals would be the last thing I'd do....

Osiris, the god of afterlife...and banking malware?!

I came across this sample after this tweet by @James_inthe_box: "Found by @FewAtoms at: borel[.]fr/notices/CanadaPost.zip -> vbs drops: https://naot[.]org/cms/file/fixed111.exe I'd like to say with confidence: I have no idea what this is. https://t.co/z18z17Kau8 pic.twitter.com/68zg3HpkRI" - James (@James_inthe_box) August 28, 2019 A short disclaimer: downloading and running the samples linked below will compromise your computer and data, so be f$cking careful. Also check with your...

GermanWiper's big Brother? GandCrab's kid? Sodinokibi!

According to Cybereason the Sodinokibi Ransomware was written by the same guys who created GandCrab, which is a pretty big deal after GandCrab retired recently. The samples that I'll be looking at today were first dropped in Asia, but it did not take long to reach other continents as well. A general disclaimer as always: downloading and running the samples linked below will lead to the encryption of your personal data, so be...

TFW Ransomware is only your side hustle...

Today someone posted about a Ransomware attack on the local chat platform Jodel (don't judge please, as you know the sketchy corners of the web get you the best samples :D) which instantly piqued my interest. What I got was this email and the two attached files. The two attached files Applicant Name - Lebenslauf Aktuell.doc.lnk and Applicant Name - Arbeitszeugnisse Aktuell.doc.lnk are made to look like Microsoft Office...

Picking Locky 🔓

Locky (at least the first few versions) is said to be created by the makers of the Dridex/Cridex banking trojans. For example the spreading mechanism via macros in Word or Excel documents sent out via carefully crafted spear-phishing emails is exactly the same for both of these strains. A general disclaimer as always: downloading and running the samples linked below will lead to the encryption of your personal data, so be f$cking careful. Also check with...

Third time's the charm? Analysing WannaCry samples

Since the first wave of infections in May 2017 WannaCry is basically the go-to example for the whole ransomware scheme, and that is actually a good thing. The potential damage of WannaCry and the variants following the original version would have been massive if it hadn't been for Malwaretech, 2sec4u and all the other researchers who helped to contain the spread of ransomware powered by...

Useful Resources for Reverse Engineering and Malware Analysis

I'll update this list regularly to keep it somewhat relevant, so be sure to bookmark this page if you like the contents so far. Books: "Reversing: Secrets of Reverse Engineering" by Eldad Eilam; "Practical Reverse Engineering: x86, x64, ARM, Windows Kernel, Reversing Tools, and Obfuscation" by Bruce Dang, Alexandre Gazet and Elias Bachaalany; "The Shellcoder's Handbook: Discovering and Exploiting Security Holes" by Chris Anley, John Heasman, Felix Lindner and Gerardo Richarte; "Hacker Disassembling Uncovered" by...

About me

Hey there! My Name is Marius Genheimer aka f0wL and I'm a Computer Science Student from Germany. As you can probably tell I like to analyse malware (especially Ransomware) in my spare time.

https://ransomware.email

A searchable database of E-Mail addresses used in Ransomnotes plus facts and analysis
