Welcome to GoggleHeadedHacker
11 May 2023
OneNote documents are the latest trend in malware delivery because they do not require macros to run the payload and very few tools can accurately parse the file format. This trend has been seen in the distribution of Qakbot and RedLine Stealer. While malware-laced OneNote files may seem to benefit only criminals, the unusual file format has a few benefits from a forensics perspective as well. This article will walk through analyzing basic OneNote malware using the pyOneNote tool from DissectMalware.
Intro to Cutter
18 January 2023
The majority of my earlier posts focus on reversing binaries using Radare2/Rizin from the command line. While this is a great option, I have recently switched to using the GUI alternative: Cutter. This post will be an introduction to the tool and how to use it.
BlackGuard Analysis - Deobfuscation Using Dnlib
07 June 2022
.NET binaries are normally easier to reverse engineer than natively compiled binaries. Just like Java .jars, they can be decompiled to reveal something very close to the original source code; however, writing deobfuscators for these binaries is not usually straightforward for newer analysts. This post will walk through writing a string deobfuscator for the BlackGuard infostealer.
Analysis of Log4jShell Attack
23 December 2021
On December 9th, a vulnerability dubbed Log4jShell (CVE-2021-44228) was disclosed in the Java logging library Log4j. The vulnerability allows remote code execution on Java applications running a vulnerable version of Log4j. After this vulnerability was announced, I created a basic honeypot to research the attacks. This article will provide a technical overview of how the attack works and present findings from the data collected by my honeypot.
Reverse Engineering Crypto Functions: AES
12 December 2021
The Advanced Encryption Standard (AES) algorithm is the successor to the Data Encryption Standard (DES). As computing power grew, the 56-bit key and 64-bit block size of DES made it increasingly weak. In 1997, NIST announced a competition to select a stronger algorithm; the winner, Rijndael, was standardized as AES (FIPS 197) in 2001.
Reverse Engineering Crypto Functions: RC4 and Salsa20
25 August 2021
Many malware samples use encryption for Command and Control (C2) communications, encrypting files, string obfuscation, and many other tasks. It can be challenging to know which encryption algorithm you are looking at when analyzing a sample. This post aims to teach newer analysts about common encryption algorithms, how they work, and how you can identify them when reverse engineering.
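Both crypto posts above (AES, and RC4/Salsa20) come down to the same practical question: which algorithm is this function? The quickest first pass is to look for the constants the algorithms cannot avoid. The scanner below is an added example for this page, not code from any of the linked posts or from the blog author. The signature table is my own selection: the AES S-box and inverse S-box prefixes plus the key-schedule round constants (all from FIPS 197), the Salsa20 `sigma`/`tau` expansion strings (which ChaCha20 shares), and the identity permutation that a statically initialised RC4 state table leaves in the data section. The sample input is constructed inline; it is not a real binary.

```python
"""Scan a byte blob for constants that betray common crypto primitives.

Added example, not code from the linked posts. Signature choices are the
example author's own:
  * AES S-box / inverse S-box first 16 bytes and Rcon (FIPS 197).
  * Salsa20 sigma/tau ("expand 32-byte k" / "expand 16-byte k"), also
    used by ChaCha20.
  * RC4: the identity table 00..ff that appears when the S array is
    initialised statically. RC4 has no real magic constant, so this hit
    is reported as weak; in disassembly the real tell is a 256-iteration
    key-scheduling loop with '& 0xff' swaps.
"""
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes
    confidence: str          # "strong" or "weak"
    fragmentable: bool = False  # also search for the 4-byte words separately


@dataclass(frozen=True)
class Hit:
    name: str
    offset: int       # byte offset of a contiguous match, -1 if only fragments
    confidence: str   # "strong", "fragmented" or "weak"


SIGNATURES = (
    Signature("AES forward S-box", bytes.fromhex("637c777bf26b6fc53001672bfed7ab76"), "strong"),
    Signature("AES inverse S-box", bytes.fromhex("52096ad53036a538bf40a39e81f3d7fb"), "strong"),
    Signature("AES Rcon (key schedule)", bytes.fromhex("01020408102040801b36"), "strong"),
    Signature("Salsa20/ChaCha20 sigma (256-bit key)", b"expand 32-byte k", "strong", True),
    Signature("Salsa20/ChaCha20 tau (128-bit key)", b"expand 16-byte k", "strong", True),
    Signature("RC4 identity table (static S init)", bytes(range(256)), "weak"),
)


def scan(blob: bytes) -> List[Hit]:
    """Return every signature hit, in SIGNATURES order."""
    hits: List[Hit] = []
    for sig in SIGNATURES:
        offsets = [m.start() for m in re.finditer(re.escape(sig.pattern), blob)]
        hits.extend(Hit(sig.name, off, sig.confidence) for off in offsets)
        if offsets or not sig.fragmentable:
            continue
        # Compilers frequently load the Salsa20 constants as four 32-bit
        # immediates (mov eax, 0x61707865 ...), so the 16-byte string never
        # appears contiguously. Each little-endian immediate is the same
        # bytes as the corresponding 4-char chunk of the string; w[::-1]
        # covers big-endian targets.
        words = [sig.pattern[i:i + 4] for i in range(0, len(sig.pattern), 4)]
        if all(w in blob or w[::-1] in blob for w in words):
            hits.append(Hit(sig.name, -1, "fragmented"))
    return hits


def build_sample() -> bytes:
    """Constructed input (not a real sample): zero padding, an AES S-box
    prefix, Salsa20 sigma emitted as four 'mov eax, imm32; nop; nop'
    sequences, and a statically initialised RC4 table."""
    import struct
    filler = b"\x00" * 64
    salsa_imm = b"".join(
        b"\xb8" + struct.pack("<I", w) + b"\x90\x90"
        for w in (0x61707865, 0x3320646E, 0x79622D32, 0x6B206574)
    )
    return (filler + bytes.fromhex("637c777bf26b6fc53001672bfed7ab76")
            + filler + salsa_imm + filler + bytes(range(256)) + filler)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for h in scan(data):
        where = f"0x{h.offset:x}" if h.offset >= 0 else "scattered"
        print(f"{h.confidence:10} {where:>10}  {h.name}")
```

Run it against a dumped section (`python scan.py sample.bin`) and pivot from each hit into the disassembler: a strong S-box hit points at the AES round function, a fragmented sigma hit means the Salsa/ChaCha state setup was inlined, and a weak RC4 hit only says "go look for a 256-iteration loop". A clean scan proves nothing; home-grown ciphers and table-free AES implementations (AES-NI, bit-sliced) carry none of these constants.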
Sodinokibi Ransomware Analysis
02 May 2021
Back in March, a new version of the Sodinokibi (AKA REvil) ransomware was released. Sodinokibi is a Ransomware-as-a-Service (RaaS) operation that has been covered in the news quite a bit. With the new version out, I decided to give a technical analysis of how it operates. I got the sample from an overview of the new features that R3MRUM gave in a tweet towards the end of March. The file, whose SHA-256 hash is 12d8bfa1aeb557c146b98f069f3456cc8392863a2f4ad938722cd7ca1a773b39, can be found on VirusTotal or Any.Run.
Anti-Analysis Techniques Used in Excel 4.0 Macros
24 March 2021
I recently reversed another Excel document with 4.0 Macros that was similar to my previous post on the subject but had some added anti-analysis features that I wanted to share. I recommend reading the previous post to learn more as this article will not be going step-by-step through the analysis process. If you would like to follow along you can find the sample here.
Automatic Gobfuscator Deobfuscation with EKANS Ransomware
17 March 2021
A few months ago I saw an article by Netlab 360 describing the malware BlackRota, specifically the obfuscation method used, known as gobfuscate. I noticed that a deobfuscator had been written for this using Binary Ninja’s API, so I decided to take a crack at developing a plugin for Cutter. To demonstrate the tool I created, I will also give a brief analysis of another malware sample that uses gobfuscate, EKANS.
Malicious Excel 4.0 Macro Analysis
17 December 2020
A while back I gave a brief analysis about an obfuscation technique used in a malicious Excel document on Twitter. This technique utilized Excel 4.0 macros to grab a second stage and had some interesting Anti-Sandbox evasion. In this post I want to give an in-depth analysis on the obfuscation that was used and how to deobfuscate the macros to get the second stage.
HackTheBox University CTF Writeups
10 December 2020
A few weeks ago I participated in the HackTheBox University CTF. All of the challenges were well put together, especially the Reverse Engineering challenges. I decided to put together a writeup for the 3 challenges I managed to complete.
HacktivityCon CTF Mobile Writeup
03 August 2020
Last week was HacktivityCon, running from Wednesday to Friday. While I was not able to find the time to watch the talks, I did manage to participate in the CTF and complete most of the mobile Reverse Engineering challenges.
The Search for the Dark Tower: Using OSINT to Hunt Down Magecart
10 April 2020
This will be a brief tutorial on using Open Source Intelligence (OSINT) to hunt down Magecart infections. I will go over some tools that could be used to pivot off of indicators and find new ones. I will also be giving a brief overview of my new tool, Gunslinger, and how it can be used to hunt for new infections.
Recent Magecart Activity on 60 E-Commerce Sites
12 March 2020
I have recently found a few new domains that are associated with Magecart activity. This article will provide a brief overview of each domain, and will include information about the infected companies.
Tracking Down Magecart Group 12
20 February 2020
This is a continuation of the joint analysis of the opendoorcdn domain with Max Kersten. Thanks to an article by RiskIQ we now know that the Magecart sample we were analyzing was related to Magecart Group 12. RiskIQ also identified two more domains related to the group, toplevelstatic[.]com and storefrontcdn[.]com. After hunting through other OSINT sources, several more domains were also found.
OpendoorCDN Skimmer Analysis Continued
03 February 2020
In my previous article I went over a joint analysis with Max Kersten about an Olympic ticket reseller website that was infected with a Magecart-like credit card skimmer. This article is a continuation of that, since we have more findings to share. This is also a joint analysis with Max Kersten; you can find his blog here. You can read the original post on this here.
Olympic Ticket Reseller Magecart Infection
25 January 2020
I have recently stumbled across a Magecart infection on an Olympic ticket reseller site. This article will contain a brief analysis of the Magecart infection as well as my experience disclosing this information to the company. This is a joint analysis with Max Kersten, whose blog you can find here.
TA505 Get2 Analysis
24 November 2019
The TA505 group debuted Get2 and SDBot last month in a new phishing campaign. While there have been some great analyses of the SDBot RAT that is dropped, there have not been many of the Get2 downloader, so I wanted to take this opportunity to do my own. I will not be going over the macro-enabled Word document itself, just the DLL that is dropped. There are two versions of the DLL, x86 and x64; this analysis will focus on the x86 version. If you want to follow along you can get the sample from Hybrid Analysis here.
Robbinhood Malware Analysis with Radare2
01 July 2019
This article will provide an overview of how we can extract function names from Windows GoLang binaries to make reversing easier, and give a brief analysis of the Robbinhood ransomware that recently attacked Baltimore. GoLang is a programming language designed around concurrent applications. The difficulty in reversing GoLang binaries is that the runtime and all dependencies are statically linked, which means there will be a large number of functions in the application, most of which are never even called during execution. For example, in a compiled Hello World GoLang binary, radare2 detects about 1800 functions.
Unpacking NanoCore Sample Using AutoIT
05 May 2019
In this article I want to take a look at a NanoCore sample that I found on Hybrid Analysis that uses a compiled AutoIT script as a packing technique. This article will go over how to detect whether a sample is using AutoIT and how to analyze it. The SHA-1 hash for this sample is ad9f99ad687a8ae71a40fd589b028ef6194e35c7.
Flare-On 5: FLEGGO Write-up
04 December 2018
This is my second article on the Flare-On 5 CTF. This article will focus on the third challenge in the series, FLEGGO. If you haven’t read my other article detailing the first two challenges you can find it here. Unzipping FLEGGO presents us with 49 Windows executable files. Running one of these files prompts us for a password; if we get the password wrong, the program tells us to go step on a brick. We probably need to figure out the password for all of these files. This seems like a daunting task, so we can start by solving just one and working from there.
Flare-On 5: MineSweeper Write-up
13 October 2018
With the Flare-On 5 challenge over and done, I thought it would be a good idea to present my solutions for the challenges I managed to solve. This post groups the first two challenges together since they follow the same “story”: the Minesweeper World Championship is coming soon and you weren’t invited. However, you somehow managed to get your hands on the registration application for the championship and need to crack the code in order to register. Let’s take a look at this application and see what we are dealing with.
Automating RE Using r2pipe
09 July 2018
In this article we will go over Radare2’s r2pipe and its uses. r2pipe is the scripting API for Radare2: it lets you drive a Radare2 session from a program running outside of Radare2. This can be used to simplify repetitive tasks, emulate a specific section of code, decrypt strings, or even reverse engineer multiple binaries with ease. In this specific example we will revisit a malware sample that I detailed in a previous article titled Linux Malware Analysis—Why Homebrew Encryption is Bad. We will use r2pipe and Python to automate the process of deobfuscating strings within the binary.
MalwareBytes CrackMe #2 Write-Up
19 May 2018
MalwareBytes recently released their second CrackMe Challenge and I managed to solve it. This article will be my write-up for it so readers can see the techniques that were used in this CrackMe and the steps I went through to reverse engineer the application and get the flag. If you want to follow along you can download the application from the official MalwareBytes post here.
Unpacking Executables - The ESP Trick
02 April 2018
Malware authors use many tricks to try to get past antivirus solutions. They can obfuscate strings or sign the malware to make it look like some other software. One of the more effective tricks is to use a packer to compress or encrypt the malware, making it harder for signature-based antivirus to detect. As a malware analyst you should know what packing is and how to unpack an executable. This article will talk about some of the basic packers and a neat trick that works to unpack most of them.
Debugging Using Radare2… and Windows!
26 February 2018
To start off I want to say I am a Linux person. I use it all the time for development. The command line is amazing and very streamlined for computer-science-related tasks. While I feel this way, there are those who do not and would prefer to use a Windows environment instead. So I want to show two things in this article: how to install and use radare2 on Windows, and how to debug applications using radare2.
Linux Malware Analysis—Why Homebrew Encryption is Bad
02 February 2018
Linux is one of my favorite operating systems, but you seldom see malware for it, so I was pretty interested when Linux malware was caught by my honeypot. This article will be my analysis of the sample, particularly the decryption function that was used throughout it. It’s a good example of why using your own encryption algorithm isn’t very secure.
11 January 2018
So this is my analysis of the snojan malware. My goal for my articles is to write about different malware samples that I collect with my honeypot. I hate finding a sample and looking up analyses of it only to find that nobody has taken the time to really look at it, so this is my remedy for that.