Snojan Analysis

Jan. 11, 2018

So this is my analysis of the Snojan malware. My goal for my articles is to write about different malware samples that I collect in my honeypot. I hate finding a sample and looking up analyses on it only to find that nobody has taken the time to really look at it, so this is my remedy for that....

Reverse Engineering, Radare2, Malware Analysis, Malware

Linux Malware Analysis—Why Homebrew Encryption is Bad

Feb. 2, 2018

Linux is one of my favorite operating systems, but you seldom see malware for it, so I was pretty interested when Linux malware was caught by my honeypot. This article will be my analysis of the sample, particularly the decryption function that was used throughout it. It’s a good example of why using your own encryption algorithm isn’t very secure....

Reverse Engineering, Radare2, Malware Analysis, Malware, Linux

Automating RE Using r2pipe

July 9, 2018

In this article we will go over Radare2’s r2pipe and its uses. R2pipe is the API for Radare2 that allows you to automate Radare2 and interact with a session from outside of Radare2. This can be used to simplify certain tasks, emulate a certain section of code, decrypt strings, or even reverse engineer multiple binaries with ease. In this specific example we will revisit a malware sample that I have detailed in a previous article titled Linux Malware Analysis—Why Homebrew Encryption is Bad. We will use r2pipe and Python to automate the process of deobfuscating strings within the binary....

Reverse Engineering, Radare2, Hacking, Malware Analysis, Malware, Scripting, Automation, r2pipe

Unpacking NanoCore Sample Using AutoIT

May 5, 2019

In this article I want to take a look at a Nanocore sample that I found on HybridAnalysis that is using a compiled AutoIT script as a packing technique. This article will go over how to detect if a sample is using AutoIT and how to analyze it. The hash for this sample is ad9f99ad687a8ae71a40fd589b028ef6194e35c7....

Reverse Engineering, Malware Analysis, Malware, Unpacking, Scripting, Automation, DotNET, DnSpy, AutoIT

Robbinhood Malware Analysis with Radare2

July 1, 2019

This article will provide an overview of how we can extract function names from Windows GoLang binaries to make reversing easier, and give a brief analysis of the Robbinhood ransomware that attacked Baltimore recently. GoLang is a programming language designed around multi-threaded applications. The difficulty in reversing GoLang binaries is that all libraries are statically linked, which means there will be a large number of functions in the application, most of which are not even used during execution. For example, in a normal compiled Hello World GoLang binary, radare2 detects 1800 functions....

Reverse Engineering, Radare2, Malware Analysis, Malware, Linux, Windows, Scripting, Automation, r2pipe, GoLang
