Dans le cadre du challenge Zero2Automated maintenant distribué toutes les 3 semaines, l’objectif était de développer un script permettant d’extraire les adresses IP de tout sample Danabot de la même campagne.
This week, @OverflOw from Zero 2 Automated course gave us a new challenge. The goal this time is to unpack a sample, find and reverse its string decryption routine and produce a script that will write them into our disassembler.
New type of articles on the blog ! This time, @0verfl0w from the Zero2Automated Malware Analysis course gave us biweekly challenges to sharpen our skills in malware analysis and reverse engineering.
The goal is to produce a writeup of the challenge and compare with others to see different perspectives.
In the last article, we analysed STOP ransomware and discovered all its features. We saw that it is dropping VIDAR to steal data on victims computers prior to encrypt them. We will now see how VIDAR works. But first, let take a quick look of the executable that STOP dropped before VIDAR.
During the previous article, we saw the process of unpacking the first stage of the malware. Aside a fairly new anti-debugging technique and process hollowing, this step wasn’t hard. Now that we have successfully unpacked the first stage, let’s jump into it to see its main behaviour.
I will try to be as consice as possible, but trust me, this malware is full of interesting functions.
Back to malware analysis, i recently decided to analyse a completely random sample (as long as it isn’t .NET lol) found on MalwareBazaar, this sample appears to be STOP ransomware.
Welcome to my personal blog talking about Malwares and Reverse Engineering in general. This article is a quick FAQ about this blog.
Après avoir lu beaucoup d’articles concernant les agissements du groupe cyber-criminel Emotet et son malware éponyme, j’ai enfin l’opportunité de l’analyser de mes propres mains, un sample tout frais sorti d’une boîte mail de mon entreprise.